OpenSSH 10.0 also includes various improvements and bug fixes, such as enhancements to debug logging, fixes for X11 and agent forwarding issues, and a preference for AES-GCM over the older AES-CTR cipher. New features in this version allow for more granular control over configurations, enabling users to match specific session types, remote commands, and even versions of OpenSSH.
Additionally, the release incorporates a hybrid post-quantum algorithm for key agreement, reflecting a proactive approach to future security threats posed by quantum computing. The OpenSSH community has been acknowledged for its contributions to the project, and more information on how to support it through donations is available on their website.
The release also includes several bug fixes aimed at improving performance and security, such as addressing potential configuration overflow issues and refining logging mechanisms. Furthermore, the portability of OpenSSH has been enhanced with support for various platforms, including AWS-LC and Y2038 safe wtmp replacements.
In summary, OpenSSH 10.0 represents a significant update that prioritizes security, performance, and flexibility in SSH connections, making it a vital upgrade for users and administrators alike. As always, users are encouraged to report any bugs or security issues directly to the OpenSSH team for prompt resolution.
For further details and access to the release, users can visit the official OpenSSH website and download the latest version from the listed mirrors.
OpenSSH 10.0 released
OpenSSH 10.0 has been released, offering a 100% complete SSH protocol 2.0 implementation with support for sftp client and server. The release includes potentially incompatible changes: removing support for the weak DSA signature algorithm, passing "ControlMaster no" to ssh when invoked by scp and sftp, removing the code responsible for user authentication, disabling finite field Diffie-Hellman key exchange by default, and removing the implicit fallback to compiled-in groups for Diffie-Hellman Group Exchange KEX.
The release includes fixes for X11 forwarding and agent forwarding, a hybrid post-quantum algorithm, and a preference for AES-GCM over AES-CTR mode when selecting a cipher for connection. New features include the ability to match version, session type, and remote command types. Bug fixes include removing the assumption that sshd_config can fit in a socket buffer, preventing ObscureKeystrokeTiming mitigations, prohibiting comma characters in hostnames, and improving debug logging across sub-process boundaries. The release also requires control-escape character sequences to be exactly two characters long and prevents integer overflow in X11 port handling.
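One way to check a host against the algorithm changes listed above (DSA removal, finite field Diffie-Hellman off by default, AES-GCM ahead of AES-CTR). This is an added example, not code from the OpenSSH project. It assumes the input is an effective-configuration dump in the `keyword value` form printed by `sshd -T` or `ssh -G`; the sample dump and the function names are constructed for illustration.

```python
# Added example: audit an effective OpenSSH configuration dump for settings
# that conflict with the OpenSSH 10.0 changes summarised on this page.
# SAMPLE is constructed for illustration, not captured from a real host.
SAMPLE = """\
port 22
ciphers aes128-ctr,aes256-ctr,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,ssh-dss
pubkeyacceptedalgorithms ssh-ed25519,ssh-dss-cert-v01@openssh.com
"""


def parse_effective_config(text):
    """Map each lowercase keyword to its comma-separated list of values."""
    cfg = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key and value:
            cfg[key.lower()] = [v for v in value.strip().split(",") if v]
    return cfg


def audit(text):
    """Return (finding, keyword, algorithm) tuples for legacy settings."""
    cfg = parse_effective_config(text)
    findings = []
    # DSA keys and certificates: support is removed in 10.0.
    for key in ("hostkeyalgorithms", "pubkeyacceptedalgorithms"):
        for alg in cfg.get(key, []):
            if alg.startswith("ssh-dss"):
                findings.append(("dsa", key, alg))
    # Finite field DH (fixed groups and group exchange): off by default in 10.0.
    for alg in cfg.get("kexalgorithms", []):
        if alg.startswith("diffie-hellman-"):
            findings.append(("ffdh", "kexalgorithms", alg))
    # Cipher order: flag a list that offers AES-CTR before any AES-GCM cipher.
    ciphers = cfg.get("ciphers", [])
    gcm = [i for i, c in enumerate(ciphers) if "-gcm@" in c]
    ctr = [i for i, c in enumerate(ciphers) if c.endswith("-ctr")]
    if ctr and (not gcm or min(ctr) < min(gcm)):
        findings.append(("ctr-before-gcm", "ciphers", ciphers[min(ctr)]))
    return findings


if __name__ == "__main__":
    for kind, key, alg in audit(SAMPLE):
        print(f"{kind:15} {key}: {alg}")
```

A finding here means the configuration explicitly re-enables or still lists an algorithm the release drops or demotes, so it is worth reviewing before upgrading peers that depend on it.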