OpenSSH 10.0 Disables DSA and Defaults to Post-Quantum Algorithms

The new version of the popular secure connectivity system marks a turning point in security, compatibility, and performance.

The OpenSSH development team officially announced the release of version 10.0 on April 9, 2025. Now available from its mirror servers, this new release represents one of the most ambitious updates in recent years, introducing significant changes in key management, security hardening, and the internal architecture of the world’s most widely used SSH service.

OpenSSH 10.0 is a complete implementation of the SSH 2.0 protocol and includes support for both SFTP client and server. As usual, the team expressed gratitude to the community for contributing code, bug reports, and ongoing testing.

Critical Changes and Incompatibilities

One of the most anticipated, and at the same time most sensitive, changes is the definitive removal of support for the DSA (Digital Signature Algorithm) signature algorithm. Considered weak and disabled by default since 2015, the algorithm has now been completely removed from the source code, culminating a deprecation process that began a decade ago.

Adjustments have also been made to the behavior of the scp and sftp tools, which will no longer create implicit control sessions if the ControlMaster parameter is enabled, thus avoiding unexpected connections. Additionally, the internal organization of the SSH server (sshd) has been restructured, separating the authentication code into a new binary called sshd-auth, which reduces the attack surface and enhances the security of the authentication process.

Another significant change affects the key exchange mechanism. OpenSSH 10.0 disables traditional Diffie-Hellman modp-based methods by default, removing algorithms like diffie-hellman-group* from the default list in favor of more modern and efficient options such as elliptic curve-based exchanges (ECDH).
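
A pre-upgrade check for the removals described above, as an added example that is not code from the OpenSSH project: it scans authorized_keys text for DSA entries and configuration text for lines that name DSA or explicitly list diffie-hellman-group* key exchange. The function names, messages and sample input are constructed for illustration; ssh-dss and ssh-dss-cert-v01@openssh.com are the standard DSA key type identifiers.

```python
import fnmatch
import re

DSA_TYPES = {"ssh-dss", "ssh-dss-cert-v01@openssh.com"}
# Fields are whitespace-separated; only double quotes group option values.
TOKEN = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')

def dsa_key_lines(authorized_keys):
    """Return 1-based line numbers of authorized_keys entries that use a DSA key."""
    hits = []
    for n, line in enumerate(authorized_keys.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = TOKEN.findall(line)
        # Key type is the first field, or the second when options precede it.
        if any(f in DSA_TYPES for f in fields[:2]):
            hits.append(n)
    return hits

def config_findings(config):
    """Return (line_no, message) for ssh_config/sshd_config lines to review."""
    out = []
    for n, line in enumerate(config.splitlines(), 1):
        parts = line.split("#", 1)[0].replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if value.startswith("-"):  # "-list" removes algorithms: nothing to flag
            continue
        algos = value.lstrip("+^").replace(",", " ").split()
        if key == "kexalgorithms" and any(
                fnmatch.fnmatchcase(a, "diffie-hellman-group*") for a in algos):
            out.append((n, "KexAlgorithms names finite-field DH"))
        if key.endswith(("algorithms", "keytypes")) and DSA_TYPES & set(algos):
            out.append((n, f"{parts[0]} names DSA"))
    return out

# Constructed sample input (not taken from any real host).
SAMPLE_KEYS = '''# team keys
ssh-ed25519 AAAAC3Nza_constructed alice@example
command="echo ssh-dss",no-pty ssh-rsa AAAAB3Nza_constructed backup
from="10.0.0.*" ssh-dss AAAAB3Nza_constructed bob's old key
'''
SAMPLE_CONFIG = '''KexAlgorithms +diffie-hellman-group14-sha1
HostKeyAlgorithms ssh-ed25519,ssh-dss
KexAlgorithms -diffie-hellman-group*
'''
if __name__ == "__main__":
    print(dsa_key_lines(SAMPLE_KEYS), config_findings(SAMPLE_CONFIG))
```

Only the fourth sample key line is reported: the string ssh-dss inside a quoted command option on the third line is not a key type, and the configuration line that removes diffie-hellman-group* is not flagged.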

Post-Quantum Security Enabled by Default

The most notable change in cryptography is the adoption of the hybrid algorithm mlkem768x25519-sha256 as the default key exchange method. This hybrid mechanism combines the well-known curve25519 with a variant of the post-quantum ML-KEM standard validated by NIST. This decision positions OpenSSH as one of the first widely adopted tools to provide default protection against potential quantum attacks.

Furthermore, the SSH client now prioritizes ciphers in AES-GCM mode over CTR mode, establishing a new hierarchy of preferences that prioritizes ChaCha20/Poly1305, followed by AES-GCM (128/256), and lastly AES-CTR.

Functional and Configurable Improvements

System administrators will also benefit from new configuration options such as the ability to use glob patterns in the AuthorizedKeysFile and AuthorizedPrincipalsFile, as well as new Match rules that allow behavior to be conditioned based on the version of OpenSSH or the type of session established (shell, exec, subsystem…).

On the client side, there has been an improvement in variable expansion in the SetEnv and User directives within configuration files, offering greater flexibility in dynamic environments.

There have also been enhancements to ssh-agent, which can now remove all loaded keys via a SIGUSR1 signal and supports activation via a systemd-style socket. As for ssh-keygen, options have been expanded to work with FIDO keys, including support for devices like Windows Hello that do not return attestation data.

Bug Fixes and Compatibility Improvements

This version fixes a significant number of bugs detected in previous versions, including a vulnerability related to the DisableForwarding option, which did not correctly block X11 and agent forwarding.

Performance issues in connections with X11 forwarding, null dereference errors in ssh and sftp, as well as several compatibility failures with big-endian systems and storage devices with limited RSA algorithms have also been resolved.

From a portability perspective, OpenSSH 10.0 introduces support for cryptographic libraries like AWS-LC and adds compatibility with modern systems, including secure replacements for wtmp logs and memory management improvements on Linux systems.

Availability

OpenSSH 10.0 is now available for download from the official servers:

🔗 https://www.openssh.com/

The developers also note that the SHA256 checksums of the tar files are base64 encoded, so verifying them may require tools that handle that encoding.

Source: OpenSSH
