OpenSSH 10.4 Available

After three months of development, the release of OpenSSH 10.4 has been published. OpenSSH is an open client and server implementation for working over the SSH 2.0 and SFTP protocols. The main changes in this release include:

  • Added experimental support for the combined digital signature generation scheme “mldsa44-ed25519”, which combines the post-quantum ML-DSA 44 algorithm and the Ed25519 elliptic curve-based algorithm. To enable support, specific directives need to be added and keys can be generated using a command.
  • Implemented a new pattern matching system for ssh and sshd, which is non-deterministic and not subject to exponential growth in computational complexity when using masks with many “*” characters.
  • Changed the behavior of Linux builds of sshd with filtering enabled system calls using seccomp, now leading to abnormal termination if not activated properly.
  • Updated the behavior of “sshd -G” option in configuration dumps to write directives using uppercase and lowercase letters.
  • Aligned the behavior of ssh and sshd with RFC 4253 to terminate connections when non-exchange-related messages are sent during key re-exchange keys.

Several security issues have also been addressed:

  • Eliminated a use-after-free memory access vulnerability in the ssh utility when accessing a malicious server.
  • Fixed a vulnerability in sftp that allowed the downloading of a file to another directory when accessing a malicious server.
  • Resolved a vulnerability in scp that allowed writing files to the parent directory when copying files between servers.
  • Fixed an issue in sshd when using the internal SFTP server implementation, preventing long command line sequences from being truncated after the 9th argument.
/Reports, release notes, official announcements.