After six months of development, OpenSSH 10.3 has been released. OpenSSH is an open implementation of a client and server for the SSH 2.0 protocol and SFTP. Key changes in this release include:
- A fix for a vulnerability in the ssh utility that could allow an attacker who controls the username passed to ssh to execute arbitrary shell commands. The issue affects configurations that use the “%u” substitution in certain configuration-file directives.
- A fix for a security issue in sshd caused by incorrect parsing of the authorized_keys principals="" option into a list of names, particularly when a name contains the “,” character.
- A fix for an issue in scp where transferring a file as root with the “-O” option but without the “-p” option did not clear the file's setuid/setgid bits.
- A fix in sshd for handling ECDSA keys in directives such as PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms, so that the specified algorithms are accepted as intended.
- Support for identifiers defined by IANA and for the “query” extension in the ssh-agent protocol specification.
- The ability to specify multiple files in the RevokedKeys directive of sshd_config and the RevokedHostKeys directive of ssh_config.
- A new “~I” escape command in ssh that shows information about the current connection, along with the “-O conninfo” and “-O channels” options to display connection and channel information.
- Implementation in the sshd PerSourcePenalties directive of a delay for login attempts as non-existent users, with support for non-integer delay values.
- Addition of a GSSAPIDelegateCredentials option in sshd to control whether delegated credentials from the client are accepted.
- Support for writing ED25519 keys in PKCS8 format, and an implementation of the ed25519 digital signature scheme.
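The first fix above concerns directives whose value is handed to a shell after token substitution. The following is an added example, not OpenSSH code, of a defensive audit that flags ssh_config lines where a username token reaches such a directive: it checks for the “%u” token named in the release notes and also for “%r”, which in ssh_config is the remote-username token. The directive names are real ssh_config keywords; the sample configuration is constructed for the demonstration.

```python
"""Audit an ssh_config for username tokens inside command-executing directives.

Added example, not OpenSSH code. Directive names are real ssh_config keywords;
the sample configuration below is constructed for the demonstration.
"""
import re

# ssh_config directives whose value is executed by a shell after token expansion
COMMAND_DIRECTIVES = {"proxycommand", "localcommand", "knownhostscommand"}
# %u as named in the release notes, plus %r (ssh_config's remote-username token)
USERNAME_TOKENS = re.compile(r"%[ur]")


def audit_ssh_config(text):
    """Return [(line_no, directive)] for lines that pass a username token to a shell."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # ssh_config only treats whole lines beginning with '#' as comments
        if not line or line.startswith("#"):
            continue
        # a keyword may be separated from its value by whitespace or '='
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            # "Match exec <cmd>" spawns a shell; only the exec criterion matters here
            if re.search(r"\bexec\b", value, re.IGNORECASE) and USERNAME_TOKENS.search(value):
                findings.append((line_no, "Match exec"))
        elif keyword in COMMAND_DIRECTIVES and USERNAME_TOKENS.search(value):
            findings.append((line_no, parts[0]))
    return findings


# constructed sample ssh_config: lines 6 and 7 should be flagged
SAMPLE_CONFIG = """\
# constructed sample ssh_config
Host bastion
    ProxyCommand ssh -W %h:%p jump
Host *.example.test
    ProxyCommand nc -X connect -x proxy:8080 %h %p
    LocalCommand logger "session for %u"
Match exec "test -f /tmp/%r.allow"
    User deploy
"""

if __name__ == "__main__":
    for line_no, directive in audit_ssh_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {directive} expands a username token into a shell command")
```

Run it against the real files (for example /etc/ssh/ssh_config and ~/.ssh/config) to find directives worth reviewing before relying on the upstream fix alone.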