Friday, April 3, 2026

OpenSSH 10.3 Brings Agent Forwarding Updates And Improvements


The OpenSSH project, maintained under the OpenBSD umbrella, has released OpenSSH 10.3—a maintenance update now available via official mirrors.

This version introduces a few breaking changes. Support has been dropped for legacy implementations that don’t allow rekeying, meaning such connections will now fail when rekeying is required. Certificates with empty principals are also no longer treated as wildcards.

There are updates to wildcard behavior as well. Wildcards are now consistently supported in host certificates but are no longer valid for user certificates. In addition, the SSH client now validates user and hostnames passed through ProxyJump (-J), helping reduce the risk of shell injection from untrusted input.
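As an added example (not OpenSSH's own validation code), here is a small Python wrapper showing the same principle for scripts that build ssh -J commands from untrusted input: reject anything outside a narrow grammar and pass arguments as an argv list, never through a shell. The accepted grammar and the sample inputs are assumptions constructed for this example and are deliberately stricter than what OpenSSH enforces.

```python
import re

# Assumed conservative grammar for one ProxyJump hop: optional user, a hostname or
# bracketed IPv6 literal, optional numeric port. User and host must start with an
# alphanumeric, so values that look like option flags (e.g. "-oProxyCommand=...")
# are rejected along with shell metacharacters such as ; $ ` ( ) and whitespace.
_USER = r"[A-Za-z0-9][A-Za-z0-9._-]*"
_HOST = r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.?)+|\[[0-9A-Fa-f:.]+\]"
_JUMP_RE = re.compile(rf"^(?:(?P<user>{_USER})@)?(?P<host>{_HOST})(?::(?P<port>\d{{1,5}}))?$")


def parse_jump(spec: str) -> dict:
    """Validate one ProxyJump hop; raise ValueError for anything outside the grammar."""
    m = _JUMP_RE.match(spec)
    if not m:
        raise ValueError(f"rejected ProxyJump hop: {spec!r}")
    port = m.group("port")
    if port is not None and not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range in {spec!r}")
    return {"user": m.group("user"), "host": m.group("host"), "port": port}


def is_valid_jump(spec: str) -> bool:
    """Boolean form of parse_jump, convenient for filtering untrusted lists."""
    try:
        parse_jump(spec)
    except ValueError:
        return False
    return True


def build_ssh_argv(jumps: list, target: str) -> list:
    """Build an argv list for `ssh -J hop1,hop2 target`; every hop and the target
    are validated first, so nothing unchecked ever reaches ssh or a shell."""
    for hop in jumps:
        parse_jump(hop)
    parse_jump(target)
    return ["ssh", "-J", ",".join(jumps), target]


if __name__ == "__main__":
    # Constructed inputs: one clean hop list and one that carries shell metacharacters.
    print(build_ssh_argv(["admin@bastion.example.com:2222"], "app01"))
    for bad in ["bastion;id", "$(id)@host", "-oProxyCommand=x"]:
        print(bad, "->", is_valid_jump(bad))
```

Run the validated argv with subprocess.run(argv) rather than a shell string; the list form is what keeps the check meaningful.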

On the security front, OpenSSH 10.3 fixes several issues. One vulnerability could allow command execution when user-controlled input is expanded via configuration tokens. Another affected sshd, potentially leading to incorrect principal matching when certificates included comma-separated values in authorized_keys. A long-standing SCP issue has also been resolved, ensuring setuid and setgid bits are cleared when files are downloaded as root in legacy mode.

The release also improves cryptographic handling by restricting ECDSA algorithms to only those explicitly configured. Fixes have been applied to connection multiplexing checks, along with general improvements in configuration handling, PAM integration, and logging.

In terms of new features, OpenSSH now supports IANA-assigned codepoints for SSH agent forwarding, aligning with evolving standards. The ssh-agent and ssh-add tools have been enhanced to query protocol extensions, with ssh-add introducing a new -Q option.

Usability has also been improved. Users can now retrieve connection details using ssh -O conninfo and view active channels with ssh -O channels. A new escape sequence (~I) provides similar insights during interactive sessions.

Configuration flexibility has been expanded with support for multiple files in the RevokedHostKeys and RevokedKeys directives. Additionally, sshd introduces an “invaliduser” penalty under PerSourcePenalties, allowing administrators to better manage failed login attempts for non-existent users. Penalty timing precision has also been refined.

Finally, key management sees enhancements with support for writing ED25519 keys in PKCS8 format and broader support for FIDO/WebAuthn signatures, now enabled by default. Performance improvements have also been made, particularly for the sntrup761 key exchange algorithm.

For more information, see the changelog.
