The new version of OpenSSH 10.1 is now available and introduces significant security and functionality enhancements, focused on blocking potential attack vectors and providing better control for administrators and power users.
One of the most notable changes addresses a vulnerability that allowed an attacker to manipulate shell commands using special characters in usernames or URIs, when using the ProxyCommand option with %u substitutions.
This problem mainly affected systems that obtained data from untrusted sources. To address this, OpenSSH 10.1 now prohibits control and null characters in usernames passed on the command line or in ssh:// URLs. Only values defined in local configuration files, which are considered trusted, are exempt from this restriction.
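The following is an added example, not code from the article or from OpenSSH itself. It models the restriction just described as a pre-flight check that a wrapper script or provisioning tool can apply before handing an untrusted user name or ssh:// URL to the ssh command line: any ASCII control character (0x00-0x1f) or DEL (0x7f) in the target is rejected, and the user part of an ssh:// URL is percent-decoded first, since decoding could otherwise reintroduce a control character. The function and variable names are assumptions chosen for the example.

```python
import re
from urllib.parse import unquote

# Constructed rule modeled on the OpenSSH 10.1 restriction: any control or
# null character (0x00-0x1f) or DEL (0x7f) in an untrusted target is rejected.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def has_control_chars(value: str) -> bool:
    """Return True if value contains an ASCII control, null or DEL character."""
    return _CONTROL_CHARS.search(value) is not None


def _reject(user, host, reason):
    return {"ok": False, "user": user, "host": host, "reason": reason}


def check_ssh_target(target: str) -> dict:
    """Validate a 'user@host' or 'ssh://user@host[:port]' target from an
    untrusted source. Returns a dict with ok, user, host and reason.

    The raw string is checked before any parsing so that a control character
    cannot hide in a part the parser would drop.
    """
    if has_control_chars(target):
        return _reject(None, target, "control character in target")

    user, host = None, target
    if target.startswith("ssh://"):
        authority = target[len("ssh://"):].split("/", 1)[0]
        if "@" in authority:
            user, authority = authority.rsplit("@", 1)
            # ssh:// user names may be percent-encoded; decode before checking,
            # because %0a would otherwise pass the raw-string check above.
            user = unquote(user)
        if authority.startswith("["):          # IPv6 literal, e.g. [::1]:2222
            host = authority[1:].split("]", 1)[0]
        else:
            host = authority.split(":", 1)[0]
    elif "@" in target:
        user, host = target.rsplit("@", 1)

    for label, value in (("user", user), ("host", host)):
        if value and has_control_chars(value):
            return _reject(user, host, f"control character in {label}")
    return {"ok": True, "user": user, "host": host, "reason": ""}
```

A wrapper would call check_ssh_target() on the value it received and refuse to build the ssh command line when ok is False; values read from its own configuration file need not pass through it, which mirrors the trusted/untrusted distinction the release makes.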
Functional improvements in ssh and ssh-agent
OpenSSH 10.1 extends key support by allowing the use of ED25519 keys stored in PKCS#11 tokens, which strengthens cryptographic security without sacrificing flexibility. In addition, it introduces a new configuration option called RefuseConnection, which can be used to end a connection in a controlled manner and display a customized message, ideal for redirecting users or notifying them about outdated servers.
Both ssh and sshd now include SIGINFO signal handlers, which log information about active sessions and channels, facilitating debugging and real-time monitoring. Meanwhile, the certificate authentication process gains an additional layer of transparency: when authentication fails, the log will include the details necessary to identify the certificate involved.
Changes that impact compatibility
OpenSSH 10.1 introduces adjustments that, although necessary, may affect previous configurations. One of them is a warning about cryptographic algorithms vulnerable to quantum attacks, designed to flag key exchange methods that might not resist future quantum computing-based attacks. Administrators can disable this warning with the new WarnWeakCrypto option.
The handling of Quality of Service parameters (IPQoS) was also reviewed. Interactive traffic is now given priority through the EF (Expedited Forwarding) class, which improves the experience on wireless networks. Non-interactive traffic, on the other hand, remains in the operating system's default class. Additionally, the use of the old ToS (Type of Service) values has been eliminated in favor of DSCP, the current standard.
Improvements in security, performance and internal structure
Among the internal changes, the Unix sockets of ssh-agent and sshd have been relocated from /tmp to ~/.ssh/agent, a key decision to prevent unauthorized access from processes with file restrictions. Likewise, SHA1-based SSHFP DNS records are considered deprecated and will be replaced by versions that use SHA256, strengthening cryptographic integrity.
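As an added example (not code from the article or from OpenSSH), the block below builds the SHA-256 SSHFP record data for a public key in OpenSSH's one-line format and flags records that still use the deprecated SHA-1 fingerprint type. The SSHFP algorithm and fingerprint-type numbers are the IANA-registered ones (Ed25519 = 4, SHA-1 = 1, SHA-256 = 2); the fingerprint is the digest of the base64-decoded key blob, which is the same value ssh-keygen -r prints. The sample key is constructed inline from a fixed 32-byte value and is not a real key; the function names are assumptions.

```python
import base64
import hashlib
import struct

# IANA SSHFP algorithm numbers, keyed by the OpenSSH key type string.
SSHFP_ALGOS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
FP_SHA1 = 1      # deprecated in OpenSSH 10.1
FP_SHA256 = 2


def sshfp_rdata(pubkey_line: str, fptype: int = FP_SHA256) -> str:
    """Return the RDATA part of an SSHFP record ("SSHFP <algo> <fptype> <hex>")
    for a public key line such as the contents of id_ed25519.pub.
    The fingerprint is the digest of the decoded key blob."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    if fptype == FP_SHA256:
        digest = hashlib.sha256(blob)
    elif fptype == FP_SHA1:
        digest = hashlib.sha1(blob)
    else:
        raise ValueError(f"unknown SSHFP fingerprint type {fptype}")
    return f"SSHFP {SSHFP_ALGOS[keytype]} {fptype} {digest.hexdigest()}"


def is_deprecated_sshfp(rdata: str) -> bool:
    """True if an SSHFP record uses fingerprint type 1 (SHA-1), which
    OpenSSH 10.1 treats as deprecated; such records should be republished
    with type 2 (SHA-256)."""
    fields = rdata.split()
    return len(fields) >= 3 and fields[0] == "SSHFP" and fields[2] == str(FP_SHA1)


def make_ed25519_pubkey_line(raw32: bytes, comment: str = "demo") -> str:
    """Constructed helper: wrap 32 raw bytes in the ssh-ed25519 wire blob
    (string "ssh-ed25519" || string key) and emit the one-line pubkey format."""
    def ssh_string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample key material; deterministic and NOT a real key pair.
SAMPLE_PUBKEY = make_ed25519_pubkey_line(bytes(range(32)))

if __name__ == "__main__":
    new = sshfp_rdata(SAMPLE_PUBKEY)
    old = sshfp_rdata(SAMPLE_PUBKEY, FP_SHA1)
    print("publish:", new)
    print("retire: ", old, "(deprecated)" if is_deprecated_sshfp(old) else "")
```

The printed RDATA goes after "host IN" in a zone file. Publishing only the type-2 record, with DNSSEC on the zone, is what lets VerifyHostKeyDNS in ssh_config validate a host key without a prior known_hosts entry.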
The ssh-add command now automatically adds a five-minute buffer to the certificate's validity period, ensuring that keys are deleted upon expiration. Those who wish to disable this behavior can do so with the new -N option. Finally, support for XMSS keys, which were considered experimental and never enabled by default, has been removed.
Porting fixes and improvements
OpenSSH 10.1 fixes multiple memory leaks, race conditions, and errors in areas such as MaxStartups and X11 session handling. Additionally, the writing of known_hosts files has been made more atomic to avoid problems in high-concurrency environments.
As for portability, new checks were added for PAM environments, integration with FreeBSD, macOS and Android was improved, and compatibility headers were introduced for systems lacking certain standard libraries. These changes ensure that OpenSSH remains a robust and stable tool on a wide range of platforms.
If you want to know more, you can check the details at the following link.
How to install OpenSSH on Linux?
Those interested in installing this new version of OpenSSH on their systems can, for now, do so by downloading the source code and compiling it on their machines.
This is because the new version has not yet been included in the repositories of the main Linux distributions. The source code can be obtained from the following link.
Once the download is complete, unpack the package with the following command:
tar -xvf openssh-10.1.tar.gz
Enter the newly created directory:
cd openssh-10.1
And compile and install with the following commands:
./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install