OpenSSH 10.1 Released with Key Security Fixes and Enhancements


On October 6, 2025, OpenSSH 10.1 was released, delivering important updates to the open-source client and server for the SSH 2.0 and SFTP protocols. This version follows the April 2025 release of OpenSSH 10.0, which introduced post-quantum cryptography by default and removed legacy DSA signature support.

Key Fixes and New Features

  • Security Fix: A critical vulnerability has been patched that could allow an attacker to inject shell commands by manipulating special characters in usernames or URIs used with ProxyCommand.
  • Input Sanitization: To prevent similar attacks, control characters are now forbidden in command-line usernames and %-sequence substitutions. The null character (\0) is also disallowed in ssh:// URIs.
  • PKCS#11 Support: ssh and ssh-agent now support Ed25519 keys stored in PKCS#11 tokens.
  • New RefuseConnection Option: A new RefuseConnection option in ssh_config terminates the connection immediately with a custom error message, without any connection attempt being made.
  • SIGINFO Handlers: ssh and sshd can now log detailed session and channel information upon receiving a SIGINFO signal.
  • Improved Certificate Logging: When sshd rejects a user's certificate authentication, it now logs detailed information to help identify the specific certificate causing the issue.
  • X11 Display Validation: sshd now validates the X11 display number against the offset defined in the X11DisplayOffset directive.
  • Performance Benchmarking: The unit test suite now includes performance benchmarks, which can be enabled during the build process.
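The sanitization rule above (no control characters in usernames or %-sequence substitutions, no NUL in ssh:// URIs) as a small added Python validator; this is an illustration written for this page, not OpenSSH's own code, and it assumes a simplified %r/%h/%p token syntax and is stricter than the release note in that it rejects control characters anywhere in the URI:

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed rule set, modelled on the OpenSSH 10.1 change: any ASCII
# control character (0x00-0x1f, 0x7f) is refused in values that may end
# up substituted into a ProxyCommand or similar shell-facing template.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def is_safe_value(value: str) -> bool:
    """True when the value contains no ASCII control character (incl. NUL)."""
    return CONTROL_CHARS.search(value) is None


def parse_ssh_uri(uri: str) -> dict:
    """Parse ssh://[user@]host[:port]; raise ValueError on unsafe input."""
    # Check the raw string first: urlsplit silently drops some control
    # characters, so validating only its output would miss them.
    if not is_safe_value(uri):
        raise ValueError("control character (or NUL) in ssh:// URI")
    parts = urlsplit(uri)
    if parts.scheme != "ssh" or not parts.hostname:
        raise ValueError("not an ssh:// URI with a host")
    user = unquote(parts.username) if parts.username else None
    # Percent-encoded bytes such as %0a decode to control characters.
    if user is not None and not is_safe_value(user):
        raise ValueError("control character in username")
    return {"user": user, "host": parts.hostname, "port": parts.port or 22}


def expand_tokens(template: str, values: dict) -> str:
    """Expand %-tokens (e.g. %r, %h, %p) in a ProxyCommand-style template.

    Every substituted value is checked before insertion so a username
    carrying a newline or other control character never reaches the shell.
    """
    def repl(match: re.Match) -> str:
        key = match.group(1)
        if key == "%":
            return "%"
        if key not in values:
            raise ValueError(f"unknown token %{key}")
        val = str(values[key])
        if not is_safe_value(val):
            raise ValueError(f"control character in substitution for %{key}")
        return val
    return re.sub(r"%(.)", repl, template)
```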

Potentially Breaking Changes

  • Weak Crypto Warnings: ssh now warns users when a key exchange algorithm vulnerable to quantum computer attacks is used. This feature addresses the risk of harvest now, decrypt later attacks and can be disabled with the WarnWeakCrypto option.
  • IPQoS/DSCP Handling: The logic for IP Quality of Service has been revamped. Interactive traffic now defaults to the EF (Expedited Forwarding) DSCP class for better performance. The legacy ToS keyword for IPv4 is now deprecated in favor of DSCP.
  • Automatic Certificate Expiry: ssh-add now automatically sets a certificate's lifetime in ssh-agent to expire 5 minutes after its validity period, ensuring timely removal. The new -N flag can disable this behavior.
  • XMSS Key Support Removed: Support for the experimental XMSS stateful hash-based signature scheme has been completely removed.
  • Socket Path Change: Unix sockets for ssh-agent and sshd have been moved from /tmp to the more secure ~/.ssh/agent directory to prevent access from sandboxed processes.