So what person is running an SSH server and configuring it to use post-quantum crypto, but is using password Auth? Priorities are out-of-whack.

Not that this is a bad thing, but first start using keys, then start rotating them regularly and then worry about theoretical future attacks.

Those are completely disjoint threats.

A captured SSH session should never be able to decrypted by an adversary regardless of whether it uses passwords or keys, or how weak the password is.