OpenSSH 10.0 has been released. OpenSSH is an open implementation of an SSH 2.0 client and server and of the SFTP protocol. The main changes in this release are as follows:
- Support for DSA digital signatures (ssh-dss keys) has been removed. The algorithm is too weak by current standards: OpenSSH stopped accepting DSA keys by default in 2015 (release 7.0), and the cost of keeping the code in the tree no longer justified it. The removal is also expected to push other SSH implementations and cryptographic libraries to drop DSA. Anyone who still has ssh-dss entries in authorized_keys or known_hosts files, or a DSA host key, must replace them before upgrading, because 10.0 can no longer use them.
- sshd has been split further into separate executables. The code that handles user authentication, previously part of the sshd-session process introduced in 9.8, now runs in its own sshd-auth process, which serves only the pre-authentication phase and hands over to sshd-session once the user has authenticated. Authentication code is thus isolated from the session code, and the process that talks to unauthenticated peers carries less code, which reduces both its memory footprint and its attack surface.
- The hybrid key-exchange method mlkem768x25519-sha256, which combines X25519 ECDH with the NIST-standardized ML-KEM (the lattice-based scheme derived from CRYSTALS-Kyber), is now the default in ssh and sshd. The hybrid construction protects against "store now, decrypt later" attacks, in which captured traffic is kept until a quantum computer can break the classical key exchange, while remaining at least as strong as X25519 alone against present-day attackers. The lattice problems that ML-KEM rests on have no known efficient solution on either classical or quantum computers.
- %-token substitution and environment variable (${NAME}) expansion are now applied to the ssh_config directives SetEnv and User.
- A new Match criterion, version, in ssh_config and sshd_config selects settings by the running OpenSSH version; for example, `Match version OpenSSH_10.*` applies a block only on 10.x releases. Note that a release which does not know a Match criterion rejects the configuration file as invalid, so the guard is useful for telling apart future versions, not for making a new configuration readable by an older client or server.
- Further Match criteria are available in ssh_config: sessiontype, which distinguishes interactive shells, remote command execution, subsystems such as sftp, and sessions that carry only port forwarding or tunnels (ssh -N); command, which matches the remote command being executed; and tagged, which matches a tag set on the command line with ssh -P or with the Tag directive.
- Glob patterns (wildcards) are now accepted in the paths given to the sshd_config directives AuthorizedKeysFile and AuthorizedPrincipalsFile.
- The VersionAddendum option, previously available only in sshd, is now supported by the ssh client as well; it appends arbitrary text to the version line sent during the protocol banner exchange.
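An ssh_config fragment that exercises the client-side directives listed above, added here as an illustration; it is not taken from the release notes or the OpenSSH manual pages. The host names, the backup tag, the SSH_USER variable and the key path are made up, and the values given to sessiontype (shell, exec, subsystem, none) are assumed to be those accepted by 10.0.

```sshconfig
# Added example, not from the OpenSSH release notes or manual pages.
# Host names, the "backup" tag, SSH_USER and the key path are made up.

# New for the client in 10.0: text appended to the version banner sent to servers.
VersionAddendum corp-laptop

# Pin the hybrid post-quantum method for hosts known to run OpenSSH 10.
# mlkem768x25519-sha256 is already the 10.0 default; listing it alone refuses
# any classical-only fallback, so only do this where every such server supports it.
Match version OpenSSH_10.* host *.pq.example
    KexAlgorithms mlkem768x25519-sha256

# Tagged invocations: ssh -P backup host.example
Match tagged backup
    IdentityFile ~/.ssh/backup_ed25519
    IdentitiesOnly yes

# Interactive logins only: connection sharing is pointless for sftp or ssh -N.
Match sessiontype shell
    ControlMaster auto
    ControlPath ~/.ssh/cm-%C
    ControlPersist 10m

# Port forwarding only (ssh -N): keep the idle tunnel alive, never forward the agent.
Match sessiontype none
    ServerAliveInterval 30
    ForwardAgent no

# Remote command matching: ssh host.example "rsync --server ..."
Match sessiontype exec command "rsync --server*"
    Compression yes

# %-token and ${NAME} expansion in User and SetEnv (new in 10.0).
# %L is the local short host name; SSH_USER must be set in the environment.
Host *.example
    User ${SSH_USER}
    SetEnv CLIENT_HOST=%L    # the server only sees it if it lists AcceptEnv CLIENT_HOST
```

Check what a given invocation resolves to with `ssh -G -P backup host.example`, which prints the effective configuration without connecting. On the server side, the new glob support allows one directory of key files per user, for example `AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u/*.pub` in sshd_config (an assumed layout, combining the existing %u token with a wildcard).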
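Before upgrading, it is worth finding out which ssh-dss keys are still in use. The following POSIX shell script is an added example, not part of OpenSSH: it lists ssh-dss entries in authorized_keys and known_hosts style files and recognizes PEM-encoded DSA private keys by their header. The sample file it writes is constructed, with truncated dummy key blobs.

```shell
#!/bin/sh
# Added example, not part of OpenSSH: locate DSA material that stops working
# with OpenSSH 10.0. Public-key lines are found by key type, PEM private keys
# by their header.
set -eu

# Print "LINE: KEYTYPE" for every ssh-dss entry in an authorized_keys or
# known_hosts style file. Both formats are whitespace separated and may carry
# a leading field (authorized_keys options, or a known_hosts host pattern or
# @marker), so the key type is located by value rather than by position.
dss_key_lines() {
    awk '
        /^[[:space:]]*#/ { next }            # comment line
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "ssh-dss" || $i == "ssh-dss-cert-v01@openssh.com") {
                    print NR ": " $i
                    break
                }
            }
        }' "$1"
}

# Number of ssh-dss entries in the file.
dss_key_count() {
    dss_key_lines "$1" | wc -l | tr -d '[:space:]'
}

# Succeeds if the file is a PEM-encoded DSA private key, the format written by
# "ssh-keygen -m PEM" on releases that still supported DSA.
is_dss_private_key() {
    grep -q -- '-----BEGIN DSA PRIVATE KEY-----' "$1"
}

# Write a constructed sample authorized_keys file and print its path. The key
# blobs are truncated dummies, not real keys.
write_sample_authorized_keys() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample: two ssh-dss entries, two that survive the upgrade
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDummyEd25519Blob alice@example
ssh-dss AAAAB3NzaC1kc3MAAACBAPDummyDsaBlob bob@example

from="10.0.0.0/8",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAPDummyDsaBlob2 backup@example
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDummyRsaBlob carol@example
EOF
    printf '%s\n' "$f"
}

# Usage: sh dss_audit.sh ~/.ssh/authorized_keys ~/.ssh/known_hosts ~/.ssh/id_*
if [ $# -gt 0 ]; then
    for f in "$@"; do
        dss_key_lines "$f" | sed "s|^|$f:|"
        if is_dss_private_key "$f"; then
            printf '%s: PEM DSA private key\n' "$f"
        fi
    done
fi
```

Private keys in the newer OpenSSH format (`-----BEGIN OPENSSH PRIVATE KEY-----`) keep the key type inside the base64 body, so the header check does not see them; run `ssh-keygen -l -f FILE` on a release older than 10.0 to print their type. On servers, also look for a `HostKey` line pointing at a DSA host key (conventionally ssh_host_dsa_key) in sshd_config.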