Software 44533 Published by

OpenSSH 10.4 has been released, delivering critical security patches for sftp and scp that resolve vulnerabilities allowing malicious servers to redirect downloads or write to unauthorized directories. This update also fixes a regression where DisableForwarding=yes failed to disable tunnel forwarding when used with PermitTunnel=yes, alongside enforcing minimum authentication delays to improve brute-force protection. A headline feature is the addition of experimental support for composite post-quantum signatures, which combines ML-DSA 44 and Ed25519 to future-proof key authentication. Additional improvements include a rewritten NFA-based wildcard pattern matcher to prevent performance issues and stricter transport protocol rules for key re-exchanges.



OpenSSH 10.4 released with critical SFTP fixes and experimental post-quantum signatures

OpenSSH 10.4 landed today, July 6, 2026, delivering critical security patches for sftp and scp along with the first experimental support for composite post-quantum signatures. If you download files from servers you don't fully trust, this update should be priority one.

The Swival Security Scanner came forward with two critical findings that ship as fixes in this release. For sftp, a malicious server could redirect a file download to an unexpected location when you run sftp host:/path . from the command line. SCP had a similar issue where remote-to-remote copies allowed a compromised server to write files one directory up from where you asked. Not ideal.

Server administrators have another housekeeping item to check. DisableForwarding=yes was supposed to override tunnel forwarding, but it didn't actually kill tunneling when paired with PermitTunnel=yes. The documentation claimed one thing and the code did another. Huzaifa Sidhpurwala of Red Hat and Marko Jevetic reported the contradiction independently. While PermitTunnel isn't on by default, anyone relying on DisableForwarding for strict enforcement had a false sense of security.

The release also addresses a brute-force defense gap. The Orange Cyberdefense Vulnerability Team found cases where the minimum authentication delay wasn't being enforced. That delay is your buffer against rapid guessing attempts. If it's not enforced, you're relying on rate limiting alone.

Blowfish

Post-quantum signatures get experimental support

OpenSSH has been marching toward quantum resistance since version 10.0 shipped in April 2025 with ML-KEM key exchange as the default. That move covered the handshake. This release is about the signatures.

Version 10.4 adds experimental support for a composite post-quantum signature scheme that combines ML-DSA 44 with Ed25519. The logic is belt and suspenders. If a quantum computer breaks ML-DSA, you still have Ed25519. If Ed25519 turns out to have a bug, you have ML-DSA.

This isn't enabled by default. You'll need to generate keys manually and opt in to the configuration.

ssh-keygen -t mldsa44-ed25519

Once you have the keys, add the algorithm to HostKeyAlgorithms, PubkeyAcceptedAlgorithms, and similar directives in your config files. It's experimental, so expect some tools in your stack to reject the new key format until they catch up.

Protocol hardening and other changes

The wildcard pattern matcher got a rewrite. The old regex-based version could hit exponential time complexity with crafted inputs. That's a recipe for denial of service in Match blocks, and the new NFA-based replacement eliminates the worst case.

Transport protocol enforcement tightened up as well. If a peer sends non-key-exchange messages during a post-authentication key re-exchange, the connection now drops. Previously, a malicious peer could flood buffers and waste memory until the system hit a limit. This brings OpenSSH into compliance with RFC 4253 Section 7.1.

Linux admins should note that sshd now treats seccomp sandbox failures as fatal errors. If the sandbox can't enable SECCOMP or NO_NEW_PRIVS, the server bails out instead of logging a warning and continuing. A sandbox that's off isn't much of a sandbox.

sshd -G behavior changed too. Configuration dump mode now writes directives in mixed case, like PubkeyAuthentication, whereas previous versions emitted only lowercase names. If you parse that output with brittle scripts, you might need to adjust them.

A few other items worth scanning:

  • internal-sftp no longer silently truncates command lines after the ninth argument. Security options beyond that point can now survive.
  • ssh-agent fixes incorrect replies to extension query requests and enforces limits on username lengths to prevent runtime denial of service.
  • Client-side use-after-free risks during host key re-exchanges have been patched.
  • sftp no longer gets stuck in infinite loops when a broken server repeatedly returns zero-length reads.

Head here to grab OpenSSH 10.4 from the project mirrors. Keep in mind that the post-quantum signature support is experimental, so test it in non-production environments before rolling it out across your infrastructure.