OpenSSH 10.0 Released With Protocol Changes & Security Upgrades

OpenSSH 10.0, a significant update to the widely adopted secure remote login and file transfer toolset, was officially released on April 9, 2025.
This milestone version introduces substantial protocol changes, enhanced security features, and critical improvements to prepare for quantum computing threats.
The most notable security enhancement is the implementation of the hybrid post-quantum algorithm mlkem768x25519-sha256 as the default for key agreement.
This algorithm provides protection against potential quantum computer attacks while maintaining backward compatibility with traditional cryptographic methods.
According to the release notes, this NIST-standardized algorithm “is guaranteed to be no less strong than the popular curve25519-sha256 algorithm” while offering better performance than previous defaults.
On the protocol front, OpenSSH 10.0 completes the long-running deprecation of the DSA signature algorithm, which began in 2015 when it was initially disabled by default.
This weak algorithm has been fully removed after repeated warnings over the past year, marking a significant step toward stronger security standards across the SSH ecosystem.
The release also modifies cipher preferences, now prioritizing AES-GCM over AES-CTR when selecting connection encryption methods.
The updated cipher preference list is now “Chacha20/Poly1305, AES-GCM (128/256) followed by AES-CTR (128/192/256)”.
Protocol Changes
A major structural change affects the server component (sshd), where the user authentication code has been relocated from the per-connection sshd-session binary to a new dedicated sshd-auth binary.
This separation ensures that “the crucial pre-authentication attack surface has an entirely disjoint address space from the code used for the rest of the connection,” significantly improving security isolation.
Additionally, finite field Diffie-Hellman key exchange (the “diffie-hellman-group*” and “diffie-hellman-group-exchange-*” methods) is now disabled by default in sshd.
The release notes explain this change by stating that finite field Diffie-Hellman “is slow and computationally expensive for the same security level as Elliptic Curve DH or PQ key agreement while offering no redeeming advantages”.
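The key-exchange, cipher-order and DSA changes described above can be checked against a server's effective configuration as printed by `sshd -T`. The following is an added example, not code from the article or from the OpenSSH project; the sample input is constructed, and the names `parse`, `audit` and `SAMPLE` are hypothetical.

```python
"""Audit `sshd -T` style output against the OpenSSH 10.0 defaults described above."""

PQ_KEX = "mlkem768x25519-sha256"

# Constructed sample in the `keyword value` format printed by `sshd -T`;
# it does not come from a real host.
SAMPLE = """\
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256,mlkem768x25519-sha256
ciphers aes128-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
hostkeyalgorithms ssh-ed25519,ssh-dss
"""

def parse(text):
    """Return {keyword: [comma-separated values]} from `sshd -T` style lines."""
    cfg = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            cfg[key.lower()] = value.strip().split(",")
    return cfg

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg, findings = parse(text), []
    kex = cfg.get("kexalgorithms", [])
    if kex[:1] != [PQ_KEX]:
        findings.append(f"kex: {PQ_KEX} is not the first preference")
    for name in kex:
        if name.startswith("diffie-hellman-group"):
            findings.append(f"kex: finite field DH enabled ({name})")
    ciphers = cfg.get("ciphers", [])
    gcm = [i for i, c in enumerate(ciphers) if "-gcm" in c]
    ctr = [i for i, c in enumerate(ciphers) if c.endswith("-ctr")]
    # Every AES-GCM entry should come before the first AES-CTR entry.
    if gcm and ctr and min(ctr) < max(gcm):
        findings.append("ciphers: AES-CTR is preferred over AES-GCM")
    for key in ("hostkeyalgorithms", "pubkeyacceptedalgorithms"):
        if any("ssh-dss" in alg for alg in cfg.get(key, [])):
            findings.append(f"{key}: DSA (ssh-dss) listed; removed in 10.0")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On a real host, pass the text captured from `sshd -T` (run as root) to `audit()` in place of `SAMPLE`.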
For system administrators and power users, OpenSSH 10.0 introduces valuable configuration enhancements, including:
- New Match version support in both ssh_config and sshd_config, allowing configuration based on OpenSSH version patterns like “Match version OpenSSH_10.*”
- Added Match sessiontype support for ssh_config to differentiate between shell, exec, subsystem, or forwarding-only sessions
- Enhanced Match command capabilities for ssh_config, enabling configuration based on remote commands
- Support for glob patterns in sshd_config’s AuthorizedKeysFile and AuthorizedPrincipalsFile directives
Bug Fixes and Minor Updates
The release also addresses a security vulnerability in the DisableForwarding directive, which previously failed to properly disable X11 forwarding and agent forwarding as documented.
Users should note that this version introduces changes to scp and sftp, which now pass ControlMaster no to SSH by default, potentially affecting workflows that rely on automatic multiplexing.
With its robust security improvements and forward-looking cryptographic defaults, OpenSSH 10.0 represents a significant advancement for secure remote connectivity in an increasingly security-conscious computing environment.
OpenSSH 10.0 is now available for download from official mirrors. Users are encouraged to upgrade promptly to benefit from enhanced security features and improved functionality.
The post OpenSSH 10.0 Released With Protocol Changes & Security Upgrades appeared first on Cyber Security News.