But it’s important to remember that SSH is a lot less fucked overall than the VPN situation was. People mostly grok SSH. SSH mostly doesn’t negotiate BF-CBC.
I disagree! SSH is not great! Because it doesn't need to support every browser on the Internet, new crypto percolates through the ecosystem much faster than it does in TLS. But it's still a janky protocol with dumb options, and a Noise-based no-negotiation alternative that fulfilled the same interface would indeed be super useful.
I don’t think we actually disagree; I said “a lot less fucked” not “great” :) you can get real AEADs with Ed25529 in SSH easily; and some of the dumb options problems may still apply with Oxy, depending on what you’re taking about.
I have been using tinysshd for a number of years and I am hooked. Keen to experiment, I have also been using ed25519 keys instead of rsa since this option was added to openssh. No one told me to use tinysshd or ed25519 keys. As someone else pointed out, it seems like most "guides" on ssh, even ones written after ed25519 was added, still advocate rsa keys.
