
OpenSSH 10.0 released

OpenSSH 10.0 has been released. Support for the DSA signature algorithm, which was disabled by default beginning in 2015, has been removed. Other notable changes include using the post-quantum algorithm mlkem768x25519-sha256 for key agreement by default, support for systemd-style socket activation in Portable OpenSSH, and moving code for user authentication from the sshd-session binary to the new sshd-auth binary:

Splitting this code into a separate binary ensures that the crucial pre-authentication attack surface has an entirely disjoint address space from the code used for the rest of the connection. It also yields a small runtime memory saving as the authentication code will be unloaded after the authentication phase completes. This change should be largely invisible to users, though some log messages may now come from "sshd-auth" instead of "sshd-session". Downstream distributors of OpenSSH will need to package the sshd-auth binary.

The release notes also warn that "software that naively matches versions using patterns like 'OpenSSH_1*'" may be confused by the new version number.
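The version-matching pitfall described above, as an added example that is not part of the release notes or of OpenSSH: a glob on "OpenSSH_1*" treats 10.0 as a 1.x release and a plain string sort misorders it, while parsing the numbers does neither. The function names and the sample version strings are constructed for illustration.

```python
import fnmatch
import re

# Matches "OpenSSH_10.0p1" on its own or inside a longer identification
# string; the portable "pN" suffix is optional.
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(text):
    """Return (major, minor, portable_patch) as ints, or None if not OpenSSH."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def naive_is_1x(text):
    """The fragile check from the warning: a glob on 'OpenSSH_1*'."""
    return fnmatch.fnmatchcase(text, "OpenSSH_1*")


def is_at_least(text, minimum):
    """Numeric comparison; strings that do not parse fail closed."""
    version = parse_openssh_version(text)
    return version is not None and version >= minimum


def sort_versions(names):
    """Sort numerically; names that do not parse sort first."""
    return sorted(names, key=lambda n: parse_openssh_version(n) or (0, 0, 0))


# Constructed sample version strings (not taken from real hosts).
SAMPLES = ["OpenSSH_10.0p1", "OpenSSH_9.9p2", "OpenSSH_1.2.3", "OpenSSH_7.4"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, parse_openssh_version(name),
              "glob says 1.x:", naive_is_1x(name),
              ">= 9.8:", is_at_least(name, (9, 8, 0)))
    print("string sort: ", sorted(SAMPLES))
    print("numeric sort:", sort_versions(SAMPLES))
```
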




systemd socket activation

Posted Apr 9, 2025 15:08 UTC (Wed) by gdamjan (subscriber, #33634) [Link] (4 responses)

It seems that the systemd socket activation is only implemented for the ssh-agent (not for sshd).

systemd socket activation

Posted Apr 10, 2025 4:01 UTC (Thu) by iabervon (subscriber, #722) [Link] (3 responses)

The sshd part was released in 9.8 last summer, and just isn't new in 10.0.

systemd socket activation

Posted Apr 10, 2025 7:11 UTC (Thu) by djm (subscriber, #11651) [Link] (2 responses)

No, sshd never supported socket activation. ssh-agent only gained it recently.

You can try out a WIP patch for systemd-style socket activation at https://github.com/djmdjm/openssh-portable-wip/pull/7 - feedback is welcome.

systemd socket activation

Posted Apr 10, 2025 10:15 UTC (Thu) by grawity (subscriber, #80596) [Link] (1 responses)

It does support inetd-style socket activation, doesn't it? Which can be used with systemd (Accept=true, StandardInput=socket) – and (with SSHv1 gone) that works well enough for things like personal computers where one would want socket activation in the first place.

systemd socket activation

Posted Apr 10, 2025 22:32 UTC (Thu) by djm (subscriber, #11651) [Link]

Pretty sure you can do inetd-style socket activation right now with existing flags, but it loses you all the attack/brute-force mitigation (e.g. PerSourcePenalties) that sshd has added recently.

Sorting in Release Notes

Posted Apr 10, 2025 7:25 UTC (Thu) by taladar (subscriber, #68407) [Link] (1 responses)

It seems the sorting in their Release Notes list also naively sorted 10.0p1 somewhere around the 1.x versions.

Sorting in Release Notes

Posted Apr 10, 2025 8:30 UTC (Thu) by job (guest, #670) [Link]

The warning about naively sorting software versions in the release announcement is extra funny in light of the Release Notes version order.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.