OpenSSH 10.4 was released on 2026-07-06. It is available from the<br>mirrors listed at https://www.openssh.com/.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and<br>includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their<br>continued support of the project, especially those who contributed<br>code or patches, reported bugs, tested snapshots or donated to the<br>project. More information on donations may be found at:<br>https://www.openssh.com/donations.html
Potentially-incompatible changes
* sshd(8): configuration dump mode ("sshd -G") now writes directives<br>in mixed case (e.g. "PubkeyAuthentication") whereas previously it<br>emitted only lower-case names.
* sshd(8): on Linux systems with the seccomp sandbox enabled,<br>failures to enable SECCOMP or NO_NEW_PRIVS are now fatal.<br>Previously sshd(8) would log the error but continue operation,<br>to support systems that lacked these features. Now systems that<br>lack these should instead disable the sandbox at configure time.
* ssh(1), sshd(8): make the transport protocol stricter by<br>disconnecting if the peer sends non-KEX messages during a post-<br>authentication key re-exchange. Previously a malicious peer could<br>continue sending non-key exchange messages without penalty. These<br>would be buffered, causing memory to be wasted up until the<br>connection terminated or the server/client hit a memory limit.<br>Implementations that do not restrict messages sent during key<br>exchange as per RFC4253 section 7.1 may be disconnected.<br>Reported by Marko Jevtic.
Changes since OpenSSH 10.3
This release contains a number of security fixes as well as general<br>bugfixes and a couple of new features.
Security
* sftp(1): when downloading files on the command-line using<br>"sftp host:/path .", a malicious server could cause the file to<br>be downloaded to an unexpected location. This issue was identified<br>by the Swival Security Scanner.
* scp(1): when copying files between two remote destinations, do<br>not allow a malicious server to write files to the parent<br>directory of the intended target directory. This issue was<br>identified by the Swival Security Scanner.
* sshd(8): when using the "internal-sftp" SFTP server implementation<br>(this is not the default), long command lines were previously<br>truncated silently after the 9th argument. If a security-relevant<br>option was in the 10th or later position, it would be discarded.<br>Reported by Steve Caffrey.
* sshd(8): add a documentation note to mention that the<br>GSSAPIStrictAcceptorCheck option is ineffective when the server<br>is joined to a Windows Active Directory. Reported by Yarin Aharoni<br>of Safebreach.
* sshd(8): DisableForwarding=yes didn't override PermitTunnel=yes<br>as it was documented to do. Note that PermitTunnel is not enabled<br>by default. Reported independently by Huzaifa Sidhpurwala of<br>Redhat and Marko Jevtic.
* sshd(8): avoid a potential pre-authentication denial of service<br>when GSSAPIAuthentication was enabled (this feature is off by<br>default). This was not mitigated by MaxAuthTries, but would be<br>penalised by PerSourcePenalties. This was reported by Manfred<br>Kaiser of the milCERT AT (Austrian Ministry of Defence).
* sshd(8): fix a number of cases where the minimum authentication<br>delay was not being enforced. Reported by the Orange Cyberdefense<br>Vulnerability Team.
* ssh(1): fix a possible client-side use-after-free if the server<br>changes its host key during a key reexchange. This was reported by<br>Zhenpeng (Leo) Lin of Depthfirst.
New features
* All: add experimental support for a composite post-quantum<br>signature scheme that combines ML-DSA 44 and Ed25519 as specified<br>in draft-miller-sshm-mldsa44-ed25519-composite-sigs.
This scheme is not enabled by default. To use it, you'll need<br>to add it to HostKeyAlgorithms, PubkeyAcceptedAlgorithms, etc.<br>Keys may be generated using "ssh-keygen -t mldsa44-ed25519".
* ssh(1), sshd(8): replace the wildcard pattern matcher with an<br>implementation based on an NFA. This avoids exponential worst-case<br>behaviour for the old implementation.
Bugfixes
* ssh-agent(1): fix incorrect reply to "query" SSH_AGENTC_EXTENSION<br>requests. bz3967
* sshd(8): avoid sending observably different messages for valid vs<br>invalid users in GSSAPIAuthentication (disabled by default).
* ssh(1), sshd(8): fix several bugs that incorrectly<br>classified bulk traffic as interactive. bz3972, bz3958
* ssh-keygen(1), ssh-add(1): skip unsupported key types when<br>downloading resident keys from a FIDO token. Previously, downloads<br>would abort when one was encountered. GHPR657
* ssh(1): fix a potential use-after-free on an error path if<br>cipher_init() fails.
* sshd(8): perform stricter encoding and validation of transport<br>state passed between sshd privilege separation subprocesses. This<br>somewhat further hardens the server against attacks on sshd-auth<br>or sshd-session subprocesses.
* ssh-agent(1): avoid possible runtime denial of service by<br>enforcing some limits on the length of usernames in key use<br>constraints.
*...