OpenSSH 10.0 Released – New Tricks for Your Trusted Terminal Buddy
TL;DR: OpenSSH just hit version 10.0, and it’s kind of a big deal. With a bunch of security upgrades, smarter defaults, and a fond farewell to some old cryptographic baggage, it’s a good time to update your SSH toolkit. Whether you’re a sysadmin, dev, or just someone who loves a clean ssh connection, read on.
So… What’s OpenSSH Again?
If you’ve ever typed ssh user@server and felt like a cyber ninja teleporting into a remote machine, thank OpenSSH. It’s the open-source, secure-by-default SSH protocol implementation used on pretty much every Linux and Unix-ish box out there. It also includes goodies like sftp, scp, ssh-agent, and ssh-keygen.
Now, with version 10.0, it’s flexing even harder – and safer.
What’s New in OpenSSH 10.0?
1. Goodbye DSA, and Thanks for All the Keys
OpenSSH has officially removed support for the DSA signature algorithm. If you’re still using DSA keys… well, it’s time. This algorithm has been considered weak for a while (disabled by default since 2015), and now it’s finally getting the boot.
Tip: Replace those DSA keys with something modern like Ed25519 or ECDSA.
2. Hello, Post-Quantum Key Exchange
In a move straight out of a sci-fi novel, OpenSSH 10.0 makes mlkem768x25519-sha256 the default key exchange algorithm. This hybrid method combines traditional Curve25519 with post-quantum ML-KEM magic. Translation: it’s secure against today’s hackers and tomorrow’s quantum computers.
The future called – they want secure SSH too.
3. scp & sftp Get Less “Magical”
Previously, scp and sftp would sometimes create background control sessions without asking. Now, they’ll behave more predictably by default (ControlMaster no), which should reduce those “why is this still running?” moments.
4. sshd’s Got a New Roommate: sshd-auth
To tighten security, OpenSSH has split off the authentication logic into a new binary called sshd-auth. This means:
- Better memory isolation (less chance of a pre-auth exploit spilling into post-auth code).
- Slightly less memory usage (yay, efficiency nerds!).
- And for the curious: log messages might now come from sshd-auth.
It’s like moving the valuables out of the front hallway and into a locked vault.
5. Diffie-Hellman Key Exchange Gets Benched
Remember those old-school DH key exchanges (diffie-hellman-group*)? They’re now disabled by default on the server side. Why? Because they’re slow, resource-heavy, and not as secure as modern options like ECDH. Clients can still use them – but they shouldn’t.
If your server suddenly stops accepting connections after upgrading, check your KEX algorithms.
6. More Config Power with Match Enhancements
SSH configuration files just got more powerful with new Match conditions:
- Match based on OpenSSH version (hello, Match version OpenSSH_10.*)
- Match by session type (shell, exec, subsystem, or none)
- Match by remote command
- Token and environment variable expansions
This is the kind of flexibility that makes your ~/.ssh/config file feel like a cheat code.
Bonus: Tons of Bugfixes
From improved debug logging and better X11 forwarding behavior to hostname parsing tweaks and smarter keygen handling, this release cleans up a lot of small things that could trip you up in day-to-day use.
Should You Upgrade?
Yes. Even if you’re not hosting a bank vault over SSH, staying current means:
- Better security
- Fewer bugs
- Cleaner performance
- Future-proofing (hello, post-quantum crypto)
If you manage systems or services over SSH, OpenSSH 10.0 is worth your attention – and a quick apt upgrade or yum update.
Final Thoughts
OpenSSH continues to be the quiet champion of remote access. It doesn’t make flashy headlines, but it’s critical infrastructure for developers, sysadmins, and anyone who talks to a server. Version 10.0 adds smart features and trims old fat, keeping it fast, lean, and secure for the decade ahead.
Stay connected – securely.Want to dive deeper? Check out the official release notes at: https://www.openssh.com