Cyber Security News

OpenSSH 10.0 Released: New Protocol Changes and Key Security Improvements

The OpenSSH team has announced the release of OpenSSH 10.0 on April 9, marking an important milestone for one of the most widely-used open-source tools in secure communications.

With significant protocol changes, security advancements, and new features, this version aims to provide enhanced protection and functionality for users worldwide.

Key Security Improvements

The OpenSSH 10.0 release introduces several security updates to bolster protection against evolving threats:

  1. Removal of Weak DSA Algorithm: Support for the outdated and vulnerable DSA signature algorithm has been fully eliminated. This completes the deprecation process that began back in 2015, ensuring OpenSSH aligns with modern cryptographic best practices.
  2. Enhanced Key Exchange Mechanisms: OpenSSH 10.0 replaces finite field Diffie-Hellman (modp) key exchange methods with Elliptic Curve Diffie-Hellman (ECDH) by default. This adjustment significantly improves key agreement performance and security while removing legacy methods.
  3. Post-Quantum Cryptography: The mlkem768x25519-sha256 hybrid algorithm is now the default for key exchanges. Designed to withstand quantum computing attacks, this algorithm ensures that cryptographic protocols remain future-proof and resilient.
  4. Runtime Isolation of Authentication Code: OpenSSH has introduced a modular approach by separating the user authentication phase into a new binary called sshd-auth. This reduces attack surfaces and enhances memory efficiency by unloading authentication code post-authentication.

Notable Protocol Changes

OpenSSH 10.0 also makes adjustments to its protocol behavior that may impact user configurations:

  • Version Number Refinements: OpenSSH now reports its version as “SSH-2.0-OpenSSH_10.0.” This change might cause issues for software relying on outdated version-matching patterns.
  • Session Control Adjustments: Tools such as scp and sftp now pass “ControlMaster no” to disable implicit session creation, streamlining configurations for unexpected behavior.
  • FIDO-Based Key Enhancements: Improvements allow better compatibility with newer FIDO tokens, including those that return no attestation data, enhancing usability across modern systems.

New Features and Bug Fixes

The new version also brings features tailored for improved usability:

  1. Configuration Matching Enhancements: User-specific configurations now support new matching criteria, such as Match version or Match sessiontype, providing finer control over ssh/sftp connections.
  2. AES-GCM Cipher Preference: OpenSSH now favors AES-GCM over AES-CTR for secure data encryption while retaining ChaCha20/Poly1305 as the highest-priority cipher.
  3. Systemd Socket Activation for ssh-agent: The ssh-agent now integrates with systemd-style socket activation, simplifying service management for Linux users.

Bug fixes further improve robustness and reliability, addressing issues like configuration parsing errors, X11 forwarding performance, and key signature compatibility with specialized hardware tokens.

The OpenSSH team expressed gratitude to its global community for contributing code, reporting bugs, testing snapshots, and donating to the project. Their support continues to drive the development of this vital tool.

Find this News Interesting! Follow us on Google NewsLinkedIn, & X to Get Instant Updates!

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Accenture Files Leak – New Research Reveals Projects Controlling Billions of User Data

A new research report released today by Progressive International, Expose Accenture, and the Movement Research…

12 hours ago

Kimsuky APT Group Deploys PowerShell Payloads to Deliver XWorm RAT

Cybersecurity researchers have uncovered a sophisticated malware campaign orchestrated by the notorious Kimsuky Advanced Persistent…

13 hours ago

More_Eggs Malware Uses Job Application Emails to Distribute Malicious Payloads

The More_Eggs malware, operated by the financially motivated Venom Spider group (also known as Golden…

13 hours ago

RedisRaider Campaign Targets Linux Servers by Exploiting Misconfigured Redis Instances

Datadog Security Research has uncovered a formidable new cryptojacking campaign dubbed "RedisRaider," specifically targeting Linux…

13 hours ago

Hackers Abuse TikTok and Instagram APIs to Verify Stolen Account Credentials

Cybercriminals are leveraging the Python Package Index (PyPI) to distribute malicious tools designed to exploit…

14 hours ago

Regeneron to Buy 23andMe for $256M Amid Growing Data Privacy Concerns

Biotechnology giant Regeneron Pharmaceuticals has emerged as the successful bidder in the bankruptcy auction for…

14 hours ago