OpenSSH 10.0 Released: New Protocol Changes and Key Security Improvements

The OpenSSH team has announced the release of OpenSSH 10.0 on April 9, marking an important milestone for one of the most widely-used open-source tools in secure communications.

With significant protocol changes, security advancements, and new features, this version aims to provide enhanced protection and functionality for users worldwide.

Key Security Improvements

The OpenSSH 10.0 release introduces several security updates to bolster protection against evolving threats:

1. Removal of Weak DSA Algorithm: Support for the outdated and vulnerable DSA signature algorithm has been fully eliminated. This completes the deprecation process that began back in 2015, ensuring OpenSSH aligns with modern cryptographic best practices.
2. Enhanced Key Exchange Mechanisms: OpenSSH 10.0 replaces finite field Diffie-Hellman (modp) key exchange methods with Elliptic Curve Diffie-Hellman (ECDH) by default. This adjustment significantly improves key agreement performance and security while removing legacy methods.
3. Post-Quantum Cryptography: The mlkem768x25519-sha256 hybrid algorithm is now the default for key exchanges. Designed to withstand quantum computing attacks, this algorithm ensures that cryptographic protocols remain future-proof and resilient.
4. Runtime Isolation of Authentication Code: OpenSSH has introduced a modular approach by separating the user authentication phase into a new binary called sshd-auth. This reduces attack surfaces and enhances memory efficiency by unloading authentication code post-authentication.

Notable Protocol Changes

OpenSSH 10.0 also makes adjustments to its protocol behavior that may impact user configurations:

• Version Number Refinements: OpenSSH now reports its version as “SSH-2.0-OpenSSH_10.0.” This change might cause issues for software relying on outdated version-matching patterns.
• Session Control Adjustments: Tools such as scp and sftp now pass “ControlMaster no” to disable implicit session creation, streamlining configurations for unexpected behavior.
• FIDO-Based Key Enhancements: Improvements allow better compatibility with newer FIDO tokens, including those that return no attestation data, enhancing usability across modern systems.

New Features and Bug Fixes

The new version also brings features tailored for improved usability:

1. Configuration Matching Enhancements: User-specific configurations now support new matching criteria, such as Match version or Match sessiontype, providing finer control over ssh/sftp connections.
2. AES-GCM Cipher Preference: OpenSSH now favors AES-GCM over AES-CTR for secure data encryption while retaining ChaCha20/Poly1305 as the highest-priority cipher.
3. Systemd Socket Activation for ssh-agent: The ssh-agent now integrates with systemd-style socket activation, simplifying service management for Linux users.

Bug fixes further improve robustness and reliability, addressing issues like configuration parsing errors, X11 forwarding performance, and key signature compatibility with specialized hardware tokens.

The OpenSSH team expressed gratitude to its global community for contributing code, reporting bugs, testing snapshots, and donating to the project. Their support continues to drive the development of this vital tool.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!