
OpenSSH 10.3 Patches Five Security Bugs and Drops Legacy Rekeying Support
Why It Matters
The changes close critical attack vectors and enforce stricter authentication policies, directly affecting enterprise SSH security posture. Incompatible legacy clients risk service disruption, prompting immediate inventory checks.
Key Takeaways
- Legacy SSH without rekeying breaks with OpenSSH 10.3
- Shell injection possible via crafted usernames
- Empty certificate principals no longer act as wildcard
- ECDSA algorithm enforcement bug fixed for PubkeyAcceptedAlgorithms
- scp root download now strips setuid/setgid bits
Pulse Analysis
OpenSSH 10.3 arrives at a time when enterprises are tightening remote‑access security, and the five vulnerability fixes underscore that urgency. The removal of backward‑compatible rekeying code means any client or server that cannot renegotiate keys will fail to connect, forcing organizations to audit their SSH inventory. For mixed‑environment shops that still run older OpenSSH, Dropbear, or proprietary SSH stacks, the upgrade could trigger immediate connectivity issues, making pre‑deployment testing a non‑negotiable step.
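A banner-classification pass of the kind that inventory audit needs, as an added Python example that is not part of the article or of OpenSSH. Host names and banners are constructed, and the three status buckets (current, upgrade, test) are this example's own convention: a banner cannot prove whether a stack renegotiates keys, so non-OpenSSH hosts are only marked for testing.

```python
import re
from dataclasses import dataclass

# Constructed sample of SSH identification strings in the RFC 4253 format
# "SSH-protoversion-softwareversion [comments]"; hosts and banners are made up.
SAMPLE_BANNERS = {
    "bastion.example.internal": "SSH-2.0-OpenSSH_10.3",
    "build01.example.internal": "SSH-2.0-OpenSSH_7.4",
    "cam-07.example.internal": "SSH-2.0-dropbear_2019.78",
    "switch-3.example.internal": "SSH-2.0-Cisco-1.25",
    "legacy-nas.example.internal": "SSH-1.99-OpenSSH_4.3",
}

BANNER_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?: (?P<comment>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p\d+)?")

@dataclass
class SshHost:
    host: str
    proto: str
    software: str
    status: str  # "current", "upgrade" or "test"

def classify(host: str, banner: str) -> SshHost:
    """current: OpenSSH 10.3+; upgrade: older OpenSSH, a candidate for the
    upgrade itself; test: any other stack, whose banner cannot show whether
    it renegotiates keys, so it gets tested against a 10.3 peer first."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"{host}: not an SSH identification string: {banner!r}")
    software = m.group("software")
    o = OPENSSH_RE.match(software)
    if o is None:
        status = "test"
    elif (int(o["major"]), int(o["minor"])) >= (10, 3):
        status = "current"
    else:
        status = "upgrade"
    return SshHost(host, m.group("proto"), software, status)

def inventory(banners: dict[str, str]) -> dict[str, list[str]]:
    """Group host names by status, each list sorted for a stable report."""
    groups: dict[str, list[str]] = {"current": [], "upgrade": [], "test": []}
    for host, banner in banners.items():
        groups[classify(host, banner).status].append(host)
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    for status, hosts in inventory(SAMPLE_BANNERS).items():
        print(f"{status:8} {', '.join(hosts) or '-'}")
```

Feed it the identification strings collected by whatever sweep the organization already runs; the "test" bucket is the list to exercise against a 10.3 peer before rollout.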
Beyond compatibility, the release patches several high‑impact bugs. A timing flaw allowed shell metacharacters in usernames to be expanded via %-tokens, opening a path for command injection on systems that accept untrusted input. A certificate‑principal matching error could let an attacker craft multi‑principal certificates that bypass intended restrictions, while the ECDSA enforcement bug previously accepted any ECDSA key regardless of policy settings. Administrators should rotate affected keys, enforce strict input validation, and review certificate issuance practices to mitigate these vectors.
The update also adds operational enhancements that improve visibility and control. New ssh-agent protocol extensions align OpenSSH with emerging IETF drafts, and per-source penalties now penalize invalid usernames with configurable delays, helping throttle brute-force attempts. Multiplexing diagnostics such as "ssh -O conninfo" and the "~I" escape sequence give operators real-time insight into active sessions. Together, these features reinforce OpenSSH's position as the de facto standard for secure shell access while nudging the ecosystem toward modern, standards-compliant implementations.