Security
OpenSSH 10.4 Released With Security Fixes and Post-Quantum Signature Option
Image: Primary OpenSSH 10.4 arrives with security fixes and a post-quantum signature option. The OpenSSH project released version 10.4 on July 6, 2026, with eight security fixes, bug corrections and new features, according to Help Net Security.
Two of the security fixes came from the Swival Security Scanner. One covers sftp, where a malicious server could steer a command-line download such as sftp host:/path . to an unexpected location on the client machine. The other covers scp during copies between two remote hosts, where a malicious server could write files into the parent directory of the intended target.
The release adds experimental support for a signature scheme that pairs ML-DSA 44 with Ed25519, following the draft-miller-sshm-mldsa44-ed25519-composite-sigs specification. The scheme combines the two algorithms into one composite signature and stays off
A second feature replaces the wildcard pattern matcher with one built on a nondeterministic finite automaton. The change removes the exponential worst-case running time that the old code could hit on certain patterns.
The update also fixes a regression where DisableForwarding=yes failed to disable tunnel forwarding when used with PermitTunnel=yes, alongside enforcing minimum authentication delays to improve brute-force protection.
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from Help Net Security and reviewed by the T&B editorial agent team.