Back to Home

OpenSSH 10.3: security patches and new features

OpenSSH 10.3 focuses on vulnerability patches in ssh and sshd, including %u substitutions and authorized_keys. Added IANA support in agents, new configuration options and PKCS8 for ED25519. The release enhances protection for production systems.

OpenSSH 10.3 released: vulnerability fixes and SSH agents
Advertisement 728x90

# OpenSSH 10.3: Key Security Fixes and New Features

On April 2, 2026, OpenSSH 10.3 was released—a stable release of the SSH 2.0 client and server, and SFTP. The update focuses on fixing bugs and vulnerabilities discovered since version 10.0. It includes updated components, added patches, and new configuration options. The previous 10.0 release introduced the post-quantum algorithm mlkem768×25_519-sha256 and removed DSA support.

Version 10.3 strengthens protection against exploiting configuration errors and improves key handling. Developers fixed issues in ssh, sshd, and scp, adding support for IANA protocols and diagnostic tools.

Critical Vulnerability Fixes

Key changes focus on security. Here are the main patches:

Google AdInline article slot
  • Fixed a vulnerability in ssh where user name checks with %u substitution in Match exec allowed executing shell commands. Special character validation now occurs before substitutions in ssh_config.
  • In sshd, fixed matching of authorized_keys principals="" with names in certificates containing commas. Certificates with empty names no longer match such options.
  • In scp, with -O without -p for root-owned files, setuid/setgid flags are cleared after loading.
  • In sshd, fixed ECDSA handling in PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms: now only explicitly specified algorithms are accepted.

These fixes prevent privilege escalation and unauthorized access through configuration.

SSH Agent and Protocol Improvements

Added compatibility with draft-ietf-sshm-ssh-agent:

  • Support for IANA codepoint in ssh and sshd when interacting with agents (@openssh.com retained).
  • 'query' extension in ssh-agent to check supported features. The ssh-add -Q option requests the list of extensions.
  • The RevokedKeys directive in sshd_config and RevokedHostKeys in ssh_config now accept multiple files.

ssh added the escape command ~I and options -O conninfo (connection info), -O channels (open channels).

Google AdInline article slot

New sshd Configuration Options

sshd_config capabilities have been expanded:

  • PerSourcePenalties with 'invaliduser' for delays (default 5s) on logins with non-existent users. Supports fractional values.
  • GSSAPIDelegateCredentials to control delegated credentials from the client.

ssh-keygen now supports writing ED25519 keys in PKCS8 format. Added support for ed25519 signatures via libcrypto.

These changes simplify administration and monitoring in production environments.

Google AdInline article slot

Key Points

  • Critical patches for %u in ssh_config and principals in authorized_keys minimize exploitation risks.
  • New IANA support in agents ensures compatibility with emerging standards.
  • Diagnostic options (-O conninfo, -Q) speed up connection debugging.
  • sshd_config extensions (RevokedKeys, PerSourcePenalties) provide more granular access control.
  • PKCS8 format for ED25519 simplifies integration with modern crypto libraries.

The scope of these updates makes OpenSSH 10.3 a must-update for enterprise servers and clients. Test in staging before deploying.

— Editorial Team

Advertisement 728x90

Read Next