OpenSSH 10.3
- #Software Release
- #OpenSSH
- #Security Updates
- OpenSSH 10.3 was released on 2026-04-02, featuring several potentially-incompatible changes such as removing bug compatibility for implementations that don't support rekeying, changing certificate principal matching to treat empty sections as never matching, and validating user/host names for ProxyJump options to prevent shell injection.
- Security fixes include validation of shell metacharacters in user names to prevent arbitrary command execution, fixes for certificate principal matching and setuid/setgid bit clearing in scp, and corrections for algorithm application and multiplexing confirmation issues.
- New features include support for IANA-assigned codepoints for SSH agent forwarding, implementation of the 'query' extension in ssh-agent, multiple file support in RevokedHostKeys directives, and additions like connection info escapes, multiplexing commands, and new penalty options.
- Bug fixes address various issues like configuration directive matching, crash and hang fixes, performance improvements, and corrections for FIDO/WebAuthn signature support, PKCS#11 key PIN entry, and logging message handling.
- Portability improvements include fixes for PAM authentication, support for linking different libcrypto implementations, and compatibility updates for older systems and libraries.
- A future deprecation warning indicates that support for SHA1 SSHFP records will be deprecated due to weaknesses in the SHA1 hash function, with SHA256 records becoming the standard.
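
To prepare for the SSHFP deprecation noted above, the following added example (not from the OpenSSH project) audits dig-style SSHFP answer lines and reports host keys published only with a SHA1 fingerprint. The function names, hostnames and fingerprints are constructed for illustration; fingerprint type 1 is SHA-1 and type 2 is SHA-256, per RFC 4255 and RFC 6594.

```shell
#!/bin/sh
# Added example: find host keys whose SSHFP records carry only a SHA-1 fingerprint.
# Input lines look like: "name TTL IN SSHFP <key-alg> <fp-type> <hex fingerprint>"
# (the layout printed by `dig +noall +answer SSHFP <host>`).

sshfp_sha1_only() {
    awk '
    toupper($4) == "SSHFP" && NF >= 7 {
        key = tolower($1) " " $5          # owner name + key algorithm number
        type = $6
        fp = ""                            # dig may split long fingerprints
        for (i = 7; i <= NF; i++) fp = fp $i
        # Expected hex length: SHA-1 = 40, SHA-256 = 64; anything else is rejected.
        want = (type == 1) ? 40 : (type == 2) ? 64 : 0
        if (want == 0 || length(fp) != want || fp !~ /^[0-9A-Fa-f]+$/) {
            printf "MALFORMED %s type=%s\n", key, type
            next
        }
        if (type == 1) sha1[key] = 1
        if (type == 2) sha256[key] = 1
    }
    END {
        # A key is at risk when no SHA-256 record accompanies its SHA-1 record.
        for (k in sha1) if (!(k in sha256)) print "SHA1-ONLY " k
    }' | LC_ALL=C sort
}

# Constructed sample records (not real fingerprints).
sample_records() {
    h16=0123456789abcdef
    sha1_fp="${h16}${h16}01234567"         # 40 hex characters
    sha256_fp="${h16}${h16}${h16}${h16}"   # 64 hex characters
    printf '%s\n' \
        "a.example.test. 3600 IN SSHFP 4 1 $sha1_fp" \
        "a.example.test. 3600 IN SSHFP 4 2 $sha256_fp" \
        "b.example.test. 3600 IN SSHFP 1 1 $sha1_fp" \
        "b.example.test. 3600 IN SSHFP 4 2 $sha256_fp" \
        "c.example.test. 3600 IN SSHFP 3 1 $h16"
}

sample_records | sshfp_sha1_only
```

Keys reported as `SHA1-ONLY` need a SHA256 SSHFP record published before clients stop accepting SHA1 ones.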