OpenSSH 10.3 patches five security bugs and drops legacy rekeying support

OpenSSH 10.3 shipped with five security fixes alongside feature additions and a set of behavior changes that will break compatibility with older SSH implementations that do not support rekeying.


Rekeying compatibility removed

SSH clients and servers that lack rekeying support will fail when they attempt to interoperate with OpenSSH going forward. The project removed the bug-compatibility code that previously allowed such implementations to keep working. Deployments running non-standard or legacy SSH software should verify rekeying support before upgrading.

Shell injection via ssh user names

A validation timing flaw in the ssh client allowed shell metacharacters in user names supplied on the command line to be expanded through %-tokens in ssh_config before they were checked. For configurations that use a %u token in a Match exec block, an attacker able to control the user name passed to ssh could potentially execute arbitrary shell commands. Exposing SSH command-line arguments to untrusted input remains inadvisable regardless of mitigations.

Certificate principal matching bug

A bug in sshd used an incorrect algorithm when matching an authorized_keys principals="" option against principals listed in a certificate. The flaw could allow inappropriate matching when a principal name in the certificate contains a comma character. Exploitation requires an authorized_keys entry listing more than one principal and a certificate authority willing to issue a certificate encoding more than one of those principal names separated by a comma. The bug affected only user-trusted CA keys in authorized_keys; the main certificate authentication path using TrustedUserCAKeys and AuthorizedPrincipalsFile was not affected.

Empty certificate principals now treated as non-matching

A separate certificate behavior change addresses a long-standing design issue. Previously, a certificate with an empty principals section was treated as a wildcard when used via authorized_keys principals="", meaning it would authenticate as any user who trusted the issuing CA. A CA that accidentally issued such a certificate would have unknowingly granted broad access. The new behavior treats an empty principals section as never matching any principal. The release also standardizes wildcard handling in certificate principals: wildcards are supported for host certificates and not supported for user certificates.
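The principal-matching rules described in the two sections above, written out as an added example (not OpenSSH's own code): the comma is a separator only in the authorized_keys option value, each certificate principal is compared whole, an empty principals section never matches, and wildcards (assumed here to be shell-style `*` and `?`) apply to host certificates only.

```python
import fnmatch
from typing import Iterable


def parse_principals_option(value: str) -> list[str]:
    """Split the value of an authorized_keys principals="a,b" option.

    The comma is a separator only here, in the option value. Certificate
    principals are never split: each one is compared as a single name.
    """
    return [name for name in value.split(",") if name]


def user_cert_matches(cert_principals: Iterable[str], allowed: Iterable[str]) -> bool:
    """Match a user certificate's principals against an authorized_keys
    principals list. User certificates get no wildcard matching, and an
    empty principals section matches nothing (the OpenSSH 10.3 behaviour).
    """
    cert_principals = list(cert_principals)
    if not cert_principals:
        return False  # no longer a wildcard that matches every user
    allowed_set = set(allowed)
    # A certificate principal "alice,bob" is one name, not two, so it can only
    # match an allowed entry that is literally "alice,bob"; the comma-separated
    # option syntax parsed above cannot express such an entry.
    return any(principal in allowed_set for principal in cert_principals)


def host_cert_matches(cert_principals: Iterable[str], hostname: str) -> bool:
    """Host certificates may carry wildcard principals, matched against the
    host name being verified. An empty principals section still matches
    nothing.
    """
    cert_principals = list(cert_principals)
    if not cert_principals:
        return False
    return any(fnmatch.fnmatchcase(hostname, pattern) for pattern in cert_principals)
```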

ECDSA algorithm enforcement fixed

sshd was not enforcing the PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms directives correctly for ECDSA keys. If any ECDSA algorithm name appeared in either directive, any other ECDSA algorithm would be accepted regardless of whether it appeared in the list. The fix closes that gap.

scp root download preserves setuid/setgid bits

When downloading files as root using scp in legacy mode without the -p flag, the tool did not strip setuid and setgid bits from downloaded files. The project traced the flaw to the original Berkeley rcp program.

ProxyJump input validation

The -J and equivalent -oProxyJump options now validate user and host names passed on the command line. Validation catches shell injection in configurations where those options are exposed to adversarial input. The validation applies only to command-line use; configuration file entries are not validated.
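The defensive counterpart to the two command-line findings above (user names expanded through ssh_config %-tokens, and ProxyJump user/host names), as an added example that is not part of the release or the OpenSSH code base: a wrapper that allow-lists user and host names before they reach ssh and builds an argv list so no shell ever interprets them. The allow-list patterns are an assumption for this example; tighten them to your own naming policy.

```python
import re
import subprocess
from typing import Optional

# Assumed allow-lists: portable POSIX user names and DNS-style host names.
# Anything else (shell metacharacters, %, whitespace, a leading "-") is
# rejected before ssh sees it, so nothing reaches %-token expansion.
_USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)


def validate_user(user: str) -> str:
    if not _USER_RE.fullmatch(user):
        raise ValueError(f"rejected ssh user name: {user!r}")
    return user


def validate_host(host: str) -> str:
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected ssh host name: {host!r}")
    return host


def build_ssh_argv(user: str, host: str, jump: Optional[str] = None) -> list:
    """Return an argv list for ssh; run it with shell=False.

    `jump` is an optional "[user@]host" for -J (ProxyJump). Both halves are
    validated with the same allow-lists as the final destination.
    """
    argv = ["ssh", "-oBatchMode=yes"]
    if jump is not None:
        jump_user, _, jump_host = jump.rpartition("@")
        target = validate_host(jump_host)
        if jump_user:
            target = f"{validate_user(jump_user)}@{target}"
        argv += ["-J", target]
    # "--" ends option parsing, so a destination can never be read as a flag.
    argv += ["--", f"{validate_user(user)}@{validate_host(host)}"]
    return argv


def run_ssh(user: str, host: str, jump: Optional[str] = None) -> int:
    # List argv with shell=False: no shell interprets any of these strings.
    return subprocess.run(build_ssh_argv(user, host, jump), check=False).returncode
```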

Connection multiplexing confirmation fix

Multiplexing confirmation requested via ControlMaster ask/autoask was not being tested for proxy mode multiplexing sessions using ssh -O proxy.

ssh-agent protocol additions

The release adds support for IANA-assigned codepoints for SSH agent forwarding, aligned with the draft IETF specification draft-ietf-sshm-ssh-agent. When a server advertises support for the new names via the EXT_INFO message, OpenSSH will prefer those names. Support for the existing pre-standardization @openssh.com extensions remains in place. The ssh-agent also gains support for the query extension from the same draft, and ssh-add adds a -Q flag to query agent protocol extensions.

Per-source penalties and connection diagnostics

sshd gains an invaliduser penalty for PerSourcePenalties, applied when login attempts use usernames that do not correspond to real accounts. The default penalty is five seconds, matching the existing authfail penalty, with administrator-configurable longer durations. Penalty time resolution also moves to floating point, allowing penalties shorter than one second for high-frequency events.

New multiplexing commands give operators more visibility into running sessions. The ssh -Oconninfo command and the ~I escape option both display connection information for active sessions, and ssh -O channels reports which channels a running multiplexer process has open.

Additional changes

sshd adds a GSSAPIDelegateCredentials server option controlling whether delegated credentials offered by clients are accepted, mirroring the existing client-side option. ssh-keygen gains support for writing ED25519 keys in PKCS8 format. The RevokedHostKeys directive in ssh_config and the RevokedKeys directive in sshd_config now accept multiple files.

A fix for PKCS#11 key PIN entry problems introduced in OpenSSH 10.1 and 10.2 is also included, along with FIDO/WebAuthn certificate signature handling improvements, an sshd crash fix related to missing subsystem directives in Match blocks, and a PAM username confusion fix in the portable branch.
