OpenSSH 10.1 released
OpenSSH 10.1 has been released, and it is now available for download from the official mirrors listed on the OpenSSH website. This latest version offers a range of new features, improvements, and bug fixes.
The release also carries a future deprecation notice: support for SHA-1 SSHFP DNS records is being phased out because of SHA-1's known weaknesses. A future release will ignore SHA-1 SSHFP records (fingerprint type 1) and rely on the SHA-256 variant (fingerprint type 2), which OpenSSH has supported since 6.1 (released in 2012). Operators who publish SSHFP records should check that every host key has a SHA-256 record, since a host that publishes only SHA-1 records will silently lose its VerifyHostKeyDNS protection once the change lands. Note also that ssh(1) only trusts SSHFP data when the resolver reports it as DNSSEC-validated; without that, a matching record is merely reported and the usual host key prompt still applies.
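A quick way to audit a zone for this change, as an added example that is not part of the release notes or of OpenSSH itself: the functions below filter SSHFP records down to the SHA-256 ones and list owners that only have SHA-1 records. The input format assumed is the one `ssh-keygen -r <host> -f <pubkey>` prints (owner, IN, SSHFP, algorithm, fingerprint type, hex), without a TTL field; the zone data in the block is constructed and the fingerprints are placeholders, not real key digests.

```shell
# Added example (not from the OpenSSH release notes or source): audit a set of
# SSHFP records before OpenSSH starts ignoring SHA-1 ones. SSHFP RDATA is
# "<key algorithm> <fingerprint type> <hex fingerprint>", where fingerprint
# type 1 is SHA-1 (to be ignored) and 2 is SHA-256 (still honoured).
# Input: zone-file style lines "owner IN SSHFP alg fptype hex" (no TTL field),
# as produced by "ssh-keygen -r <host> -f <pubkey>". Sample data is constructed.

# Keep only the records a future OpenSSH will still use (SHA-256, type 2).
sshfp_keep_sha256() {
    awk '$3 == "SSHFP" && $5 == 2 { print }'
}

# List owners that publish SHA-1 SSHFP records but no SHA-256 ones, i.e. the
# hosts whose VerifyHostKeyDNS protection would silently disappear.
sshfp_sha1_only_hosts() {
    awk '
        $3 == "SSHFP" && $5 == 1 { sha1[$1] = 1 }
        $3 == "SSHFP" && $5 == 2 { sha256[$1] = 1 }
        END { for (h in sha1) if (!(h in sha256)) print h }
    ' | sort
}

# Constructed sample zone data; the hex fingerprints are placeholders.
SAMPLE_ZONE='bastion.example.net. IN SSHFP 4 1 0123456789abcdef0123456789abcdef01234567
bastion.example.net. IN SSHFP 4 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
legacy.example.net. IN SSHFP 1 1 89abcdef0123456789abcdef0123456789abcdef
legacy.example.net. IN SSHFP 3 1 fedcba9876543210fedcba9876543210fedcba98'

echo "Records to keep publishing:"
printf '%s\n' "$SAMPLE_ZONE" | sshfp_keep_sha256
echo "Hosts with SHA-1-only SSHFP records:"
printf '%s\n' "$SAMPLE_ZONE" | sshfp_sha1_only_hosts
```

Against a real zone, feed the output of `ssh-keygen -r bastion.example.net. -f /etc/ssh/ssh_host_ed25519_key.pub` (which emits both a type 1 and a type 2 record per key) through `sshfp_keep_sha256` to get the lines worth publishing, and run a dump of the existing zone through `sshfp_sha1_only_hosts` to find hosts that need a new record before the deprecation takes effect.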
Another significant change is a warning whenever ssh(1) negotiates a key agreement algorithm that is not post-quantum. Hybrid post-quantum key agreement has been OpenSSH's default since 9.0, so in practice the warning flags servers that still force a classical method and leave the session exposed to "store now, decrypt later" attacks, in which an adversary records traffic today and decrypts it once a sufficiently capable quantum computer exists. The warning can be controlled with the new WarnWeakCrypto option in ssh_config(5).
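To see which key agreement a client actually ends up with, the negotiated name is visible in `ssh -v` output. The following is an added example, not OpenSSH code, that extracts that name from a debug transcript and classifies it the way the new warning does. It assumes (my assumption, not stated on the page) that OpenSSH's hybrid post-quantum methods are the ones named `sntrup761x25519-sha512` (also with an `@openssh.com` suffix) and `mlkem768x25519-sha256`; everything else is treated as classical. The transcripts in the block are constructed, not captured from a live session.

```shell
# Added example (not OpenSSH code): tell from "ssh -v" debug output which key
# agreement a client actually negotiated, and flag non-post-quantum ones, which
# is the condition the new WarnWeakCrypto warning reports.
# Assumption (not from the page): OpenSSH's hybrid post-quantum methods are
# sntrup761x25519-sha512 (optionally @openssh.com) and mlkem768x25519-sha256.
# The transcripts below are constructed, not captured.

# Extract the negotiated KEX name from ssh -v output on stdin.
# ssh(1) logs it as "debug1: kex: algorithm: <name>".
negotiated_kex() {
    sed -n 's/^debug1: kex: algorithm: \([^ ]*\).*/\1/p' | head -n 1
}

# Succeed (0) when NAME is a hybrid post-quantum method, fail (1) otherwise.
is_pq_kex() {
    case "$1" in
        sntrup761x25519-sha512*|mlkem768x25519-sha256*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read a transcript on stdin and print "pq <name>", "classical <name>"
# or "unknown" (no KEX line found; returns 2 so callers can tell it apart).
classify_transcript() {
    kex=$(negotiated_kex)
    if [ -z "$kex" ]; then
        echo "unknown"
        return 2
    fi
    if is_pq_kex "$kex"; then
        echo "pq $kex"
    else
        echo "classical $kex"
    fi
}

# Constructed sample transcripts.
PQ_LOG='debug1: Local version string SSH-2.0-OpenSSH_10.1
debug1: kex: algorithm: mlkem768x25519-sha256
debug1: kex: host key algorithm: ssh-ed25519'

CLASSICAL_LOG='debug1: Local version string SSH-2.0-OpenSSH_10.1
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519'

printf '%s\n' "$PQ_LOG" | classify_transcript
printf '%s\n' "$CLASSICAL_LOG" | classify_transcript
```

For a real target, run `ssh -v -o BatchMode=yes user@host true 2>&1 | classify_transcript` (the debug lines go to stderr, hence the redirect); `ssh -Q kex` lists the methods the local client supports. A "classical" result means the server is the limiting side; if that server is known and cannot be upgraded, the warning for it alone can be silenced with `WarnWeakCrypto no` inside a `Match host` block rather than globally.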
The handling of DSCP marking (a.k.a. IPQoS) has also changed considerably, both in the default values and in how they are applied at runtime. Interactive traffic is now marked EF (Expedited Forwarding) by default, while non-interactive (bulk) traffic uses the operating system's default marking. Sites whose QoS policies were built around the previous defaults should set IPQoS explicitly in ssh_config(5) and sshd_config(5) rather than relying on the defaults.
Other notable improvements include:
- ssh-agent(1) now automatically removes certificates shortly after they expire.
- The experimental support for XMSS keys has been removed.
- Agent listener sockets have been moved from /tmp to ~/.ssh/agent for both local and forwarded agents. Scripts or tooling that find the agent by globbing /tmp/ssh-* should use $SSH_AUTH_SOCK or the new directory instead.
- A new ssh-agent(1) flag, -U, suppresses the automatic cleanup of stale agent sockets when the agent starts.
This release also includes a minor security fix: ssh(1) now rejects ASCII control characters in usernames passed on the command line or produced by %-expansion in the configuration file. Such names can be substituted (via %r) into strings like ProxyCommand that are handed to a shell, which is why control characters in them matter. At the same time, validity checks have been relaxed for usernames written literally in configuration files (i.e., containing no % expansion characters), since those are the administrator's own input and may legitimately contain unusual characters.
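For tooling that builds ssh(1) command lines or ProxyCommand strings from usernames it did not choose itself (a provisioning script, a jump-host wrapper), the same check is worth applying before the name is spliced in. The block below is an added example, not OpenSSH code; "control character" is taken to mean bytes 0x00-0x1f and 0x7f, and the sample names are constructed. The one caveat that matters: the check has to run before the name reaches a shell, because once a shell has parsed an embedded newline as a command separator it is too late, which is exactly why OpenSSH applies it inside ssh(1) itself.

```shell
# Added example (not OpenSSH code): a username check in the spirit of the 10.1
# fix, for tooling that assembles ssh(1) command lines or ProxyCommand strings
# from names it did not choose. "Control character" here means bytes 0x00-0x1f
# and 0x7f. Run it before the name is spliced into any command string; a shell
# that has already parsed an embedded newline cannot be un-parsed.
# Sample names below are constructed.

# Succeed (0) if NAME contains no ASCII control characters, fail (1) otherwise.
# tr runs under LC_ALL=C so the octal ranges are plain bytes. Removing only
# single-byte control characters cannot alter the count of other characters,
# so a length difference means at least one was present. A plain grep for
# [[:cntrl:]] would miss an embedded newline, since grep splits input on it.
username_is_clean() {
    stripped=$(printf '%s' "$1" | LC_ALL=C tr -d '\000-\037\177')
    [ "${#stripped}" -eq "${#1}" ]
}

# Print a one-line verdict for NAME. Rejected names are shown as an od(1)
# dump rather than echoed raw, so the offending bytes never hit the terminal.
check_username() {
    if username_is_clean "$1"; then
        echo "ok: $1"
    else
        echo "reject: control character in username: $(printf '%s' "$1" | od -An -c | tr -s ' ')"
    fi
}

for name in 'alice' 'deploy-bot_01' "$(printf 'ali\tce')" "$(printf 'alice\033[2J')" "$(printf 'al\nice')"; do
    check_username "$name"
done
```

The three rejected samples show the cases that matter in practice: a tab, a terminal escape sequence (which would otherwise be written straight into logs or onto the operator's terminal), and a newline, the one a line-oriented check tends to miss.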
New features include:
- SIGINFO handlers have been added to log active channel and session information.
- sshd(8) now logs enough information to identify the certificate being denied for user authentication.
- Support has been added for ed25519 keys hosted on PKCS#11 tokens.
- A new ssh_config(5) option, RefuseConnection, makes ssh(1) terminate with an error message containing the option's argument; placed inside a Match block, for example, it lets an administrator refuse connections to particular hosts with an explanatory message.
Bug fixes include:
- sshd(8) no longer mistracks the exit of processes counted against MaxStartups.
- The delay on X11 client startup when ObscureKeystrokeTiming is enabled has been fixed.
- The maximum size of configuration that sshd(8) accepts has been raised to 4 MB.
Portability improvements include:
- SSH_TUN_COMPAT_AF is now used on FreeBSD to resolve issues with IPv6 message sending.
- The presence of the nlist() function is now checked directly rather than inferred from the existence of the nlist.h header.
- Common system header names that some platforms lack have been filled in.
Download
The source code for OpenSSH 10.1 is available from the mirrors listed on the OpenSSH website (https://www.openssh.com/), which also carries the full release notes. Bugs can be reported through the project's Bugzilla instance (https://bugzilla.mindrot.org/).
