OpenSSH 10.4 Tightens Protocol Rules and Adds Post-Quantum Testbed

OpenSSH 10.4 patches eight security flaws in sftp, scp and sshd while enforcing stricter transport rules that prevent memory exhaustion during key re-exchanges. It also introduces experimental ML-DSA 44 + Ed25519 post-quantum signatures for testing. Admins must review configs before upgrading.
OpenSSH 10.4 Tightens Protocol Rules and Adds Post-Quantum Testbed
Written by Sara Donnelly

Systems administrators who run SSH across data centers, cloud fleets and edge devices received a fresh batch of patches Sunday. The OpenSSH project released version 10.4 on July 6, 2026, addressing eight security issues while hardening the transport layer and introducing an experimental hybrid post-quantum signature scheme.

The update arrives at a time when remote-access tools face steady pressure from both opportunistic attackers and well-resourced adversaries preparing for quantum computers. Operators should review configuration files before deployment. Some behavioral changes will break older or non-compliant implementations.

Protocol enforcement takes center stage.

Previous versions allowed a malicious peer to send non-key-exchange messages during post-authentication rekeying. Those messages accumulated in buffers. Memory consumption grew until the connection closed or hit internal limits. The new code follows RFC 4253 Section 7.1 more strictly. It disconnects any peer that violates the rule. Marko Jevtic reported the weakness. (OpenSSH release notes)

Similar logic now applies to both client and server. The change reduces attack surface. It also risks dropping legitimate but outdated peers. Administrators running heterogeneous environments will want to test first.

Two file-transfer flaws drew attention from the Swival Security Scanner. In sftp(1), a command such as “sftp host:/path .” could be steered by a malicious server to an unexpected local path. The scp(1) issue surfaced during third-party copies. A rogue server could write files into the parent directory of the intended target. Both problems are fixed. (Help Net Security)

Inside sshd(8), the internal-sftp subsystem used to truncate long command lines after the ninth argument. Security-relevant options placed later simply vanished. That silent failure no longer occurs. Another regression allowed DisableForwarding=yes to be overridden by PermitTunnel=yes despite documentation to the contrary. Huzaifa Sidhpurwala of Red Hat and Marko Jevtic each spotted the mismatch independently.

GSSAPIAuthentication, disabled by default, could trigger a pre-authentication denial-of-service condition. The attack bypassed MaxAuthTries yet still incurred penalties under PerSourcePenalties. Manfred Kaiser of milCERT AT (Austrian Ministry of Defence) reported it. The release also ensures minimum authentication delays are applied consistently. The Orange Cyberdefense Vulnerability Team flagged cases where those delays had been skipped.

On the client side, ssh(1) contained a use-after-free if the server altered its host key mid-reexchange. Zhenpeng (Leo) Lin of Depthfirst discovered the bug. Additional memory-safety problems, none believed exploitable, received attention across ssh, sftp and crypto modules. (CyberSecurityNews)

Beyond the fixes, the project added experimental support for a composite signature that marries ML-DSA 44 with Ed25519. The scheme follows the draft-miller-sshm-mldsa44-ed25519-composite-sigs specification. It remains off by default. Operators must explicitly list “mldsa44-ed25519” in HostKeyAlgorithms, PubkeyAcceptedAlgorithms and related directives. Keys are generated with “ssh-keygen -t mldsa44-ed25519”. The feature gives teams a safe way to test post-quantum readiness without disrupting production traffic. (OpenSSH release notes)

The wildcard pattern matcher received a complete rewrite based on nondeterministic finite automata. Exponential worst-case behavior that once plagued complex globs is gone. Configuration dump mode (sshd -G) now emits mixed-case directive names such as PubkeyAuthentication instead of all lowercase. Linux users with seccomp sandbox enabled will see failures to activate SECCOMP or NO_NEW_PRIVS treated as fatal. Previously the daemon logged an error and continued. Systems lacking those primitives should disable the sandbox at compile time.

But the bulk of the release consists of quieter improvements. The ssh-agent now enforces length limits on usernames inside key constraints to block potential runtime denial-of-service. Sftp-server refuses copy-data operations that read and write the same inode at once. Several one-byte out-of-bounds reads were eliminated. DNS0x20 case-randomized names no longer leak into CanonicalizePermittedCNAMEs processing. Ed25519 verification gained malleability and public-key validity checks even though SSH itself does not rely on those properties.

Crypto code also tightened bounds checking for large signatures and fixed an unreachable ECDSA order test for curves with cofactor other than one. All supported curves meet that condition, yet the check now exists. Config parsing and privilege-separation state handling saw major refactoring to improve serialization safety across sshd subprocesses.

These changes reflect years of incremental hardening. OpenSSH has long served as the default secure shell on millions of servers. Each release narrows the gap between specification and implementation. The post-quantum experiment signals awareness that harvest-now-decrypt-later attacks loom on the horizon. Quantum-resistant algorithms still carry performance costs and compatibility questions. The composite approach lets defenders gather operational data before full migration.

Distribution maintainers have already begun packaging 10.4. Enterprises should schedule updates during maintenance windows. Test automation scripts that rely on exact sshd -G output or lenient protocol behavior. Audit any custom Match blocks or GSSAPI configurations. And monitor logs for unexpected disconnects tied to the new transport rules.

The project thanked contributors, bug reporters and donors. Security issues should continue to be sent directly to [email protected]. With this release, the venerable tool takes another measured step toward both immediate safety and long-term cryptographic agility.

Subscribe for Updates

DevNews Newsletter

The DevNews Email Newsletter is essential for software developers, web developers, programmers, and tech decision-makers. Perfect for professionals driving innovation and building the future of tech.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us