The OpenSSH project has released version 10.3 and its portable counterpart, 10.3p1, delivering critical security patches that system administrators worldwide should prioritize immediately.

Following a brief testing phase in late March 2026, this major update addresses several high-impact vulnerabilities, with the most urgent being a dangerous shell injection flaw in the SSH client.

Shell Injection Flaw

The centerpiece of this release is the patching of a shell injection vulnerability discovered in OpenSSH’s SSH client.

Attackers could craft malicious usernames passed via the command line to execute arbitrary shell commands when configuration files used specific tokens, such as %u.

OpenSSH 10.3 resolves this by enforcing stricter validation rules for shell characters, effectively closing this attack vector.

Developers, however, continue to strongly advise against directly exposing SSH command lines to untrusted input as a matter of security hygiene.
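As an added example (not code from the OpenSSH project or from the article), a small Python wrapper that applies the hygiene the developers recommend above: validate untrusted usernames and hostnames against a conservative allowlist before they ever reach an ssh command line, and invoke ssh with an argv list rather than a shell string. The allowlist patterns are this example's assumption, not OpenSSH 10.3's own validation rule.

```python
import re

# Conservative allowlists (an assumption for this example, not OpenSSH's rule):
# a Unix-style login name, and a DNS hostname or dotted IPv4 literal.
# Both reject every shell metacharacter (; | & $ ` ( ) < > space, quotes),
# which is what matters when the value is later expanded via %u / %h.
_USER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]{0,31}$")
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def validate_user(user: str) -> bool:
    """True only for a plain login name with no shell-significant characters."""
    return bool(_USER_RE.fullmatch(user))


def validate_host(host: str) -> bool:
    """True only for a hostname/IPv4 literal; also rejects a leading '-' so the
    value can never be parsed by ssh as an option such as -oProxyCommand=..."""
    return bool(_HOST_RE.fullmatch(host))


def build_ssh_argv(user: str, host: str, remote_cmd=()):
    """Return an argv list for ssh, or raise ValueError on untrusted-looking input.

    The argv form (used with subprocess.run(..., shell=False)) protects the
    caller's own shell; the validation protects the ssh-side path the article
    describes, where %u-style tokens in a config file expand into a command.
    """
    if not validate_user(user):
        raise ValueError(f"rejected username: {user!r}")
    if not validate_host(host):
        raise ValueError(f"rejected hostname: {host!r}")
    # -l keeps user and host as separate arguments instead of a user@host blob.
    return ["ssh", "-l", user, host, *remote_cmd]


if __name__ == "__main__":
    import subprocess
    # Constructed sample inputs; the rejected one would fail loudly, not run.
    for candidate in [("alice", "bastion.example.com"), ("alice;id", "bastion.example.com")]:
        try:
            argv = build_ssh_argv(*candidate, remote_cmd=["uptime"])
            print("would run:", argv)
            # subprocess.run(argv, check=True)  # shell=False is the default
        except ValueError as exc:
            print("blocked:", exc)
```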

Additional Security Patches

Beyond the headline fix, OpenSSH 10.3 addresses three other notable security issues:

  • Certificate Authentication Bug: A flaw in sshd that allowed certificates with comma-separated names to bypass certain restrictions defined in the authorized_keys file has been corrected.
  • Legacy SCP Permissions: A long-standing bug in legacy scp that failed to clear the dangerous setuid/setgid permission bits when downloading files as root has been remediated.
  • ECDSA Key Enforcement: An issue where restricting an ECDSA key to a specific algorithm inadvertently permitted any other ECDSA algorithm has been resolved.

OpenSSH 10.3 also ships with operational improvements designed to enhance connection management and harden servers against automated attacks:

  • Connection Insights: New commands (~I and ssh -Oconninfo) let users instantly view details about active SSH connections and open channels.
  • Stronger Anti-Spam Penalties: An invaliduser penalty automatically throttles bots and attackers attempting logins with invalid usernames.
  • Multiple Revocation Files: The RevokedHostKeys and RevokedKeys configurations now support multiple files, improving compromised key management.
  • Sub-Second Penalties: The PerSourcePenalties feature now supports decimal time values, enabling defensive blocks shorter than one full second.
  • Standardized Agent Forwarding: Support for IANA-assigned names for SSH agent forwarding improves cross-platform compatibility.

This release also introduces several compatibility-breaking changes. OpenSSH 10.3 officially drops support for older software implementations that lack cryptographic rekeying support.

Additionally, the ProxyJump command-line option now strictly validates hostnames and usernames to prevent further shell injection risks.

Notably, an empty principals field in a certificate no longer functions as a wildcard; it now strictly matches nothing.

Organizations running OpenSSH are strongly urged to upgrade both their servers and clients to version 10.3 without delay to mitigate exposure to these newly disclosed vulnerabilities.

Source: https://cyberpress.org/openssh-10-3-fixes/

Posted in Blog on April 7, 2026