OpenSSH 9.9 Features Enhanced Quantum-Resistant Algorithms

OpenSSH 9.9 is out now! Support for post-quantum key exchange, improved security features, and bug fixes.

The OpenSSH project announced the release of OpenSSH 9.9, now available for download on its official mirrors.

This new version introduces significant features, including support for hybrid post-quantum key exchange using a formally verified ML-KEM implementation, improved controls for managing unwanted connections, faster NTRUPrime key exchange code, and more.

OpenSSH 9.9: New Features

One of the most notable additions in OpenSSH 9.9 is the support for a new hybrid post-quantum key exchange method.

This method combines the FIPS 203 Module-Lattice Key Encapsulation Mechanism (ML-KEM) with X25519 Elliptic Curve Diffie-Hellman (ECDH), enhancing security against potential quantum computing threats.

The algorithm, named mlkem768x25519-sha256, is enabled by default, marking a significant step toward post-quantum cryptographic standards.

Additionally, the ssh_config “Include” directive now supports environment variable expansion and the same set of %-tokens as the “Match Exec” option, thus allowing for more flexible and dynamic configuration files.

OpenSSH 9.9 also introduces a new “RefuseConnection” option in sshd_config. When set, it terminates connections at the first authentication request, providing administrators with a tool to drop unwanted connections swiftly.

Complementing this, a new “refuseconnection” penalty class in sshd_config “PerSourcePenalties” applies penalties when a connection is dropped using the “RefuseConnection” keyword.

Moreover, the sshd_config “Match” options now include a “Match invalid-user” predicate. This feature matches when the target username is not valid on the server, allowing for more granular control over authentication attempts.
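As an added example that is not taken from the release notes or from the OpenSSH project, the following sshd_config fragment combines the three new server-side options described above. The 30-second penalty and the 10.0.0.0/8 management range are assumed values chosen for illustration.

```sshd_config
# Added example: sshd_config fragment using the OpenSSH 9.9 additions.

# Charge a penalty to a source address each time one of its connections is
# dropped by RefuseConnection. "refuseconnection:30s" is an illustrative
# duration; penalty classes not listed here keep their sshd_config(5)
# defaults.
PerSourcePenalties refuseconnection:30s

# Terminate connections that target an account which does not exist on this
# host, at the first authentication request, before any method is tried.
# Note: refusing only invalid users lets a client tell valid account names
# from invalid ones, so weigh that against the authentication noise saved.
Match invalid-user
    RefuseConnection yes

# Combining the new predicate with an existing one: connections from the
# assumed management network keep normal behaviour regardless of username.
Match Address 10.0.0.0/8
    RefuseConnection no
```

Run `sshd -t -f <file>` after editing to have sshd validate the syntax before reloading the live configuration.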

The release also updates the Streamlined NTRUPrime code for a substantially faster implementation, improving overall performance.

Bug Fixes

On the bug-fix side, OpenSSH 9.9 also addresses several issues:

  • Key Type Name Parsing: Enforces stricter parsing of key type names, allowing only short names in user-interface code and requiring full SSH protocol names elsewhere.
  • Relaxed Absolute Path Requirement: Restores the prior behavior where sshd doesn’t require an absolute path when started in inetd mode.
  • Logging Fixes: Corrects an issue where source and destination addresses were swapped in some sshd log messages.
  • Authorized Keys Handling: Fixes a problem where authorized_keys options were incorrectly applied when signature verification failed.
  • User@Host Parsing: OpenSSH 9.9 ensures consistent parsing by looking for the last “@” in the string, allowing usernames that contain “@” characters.

Deprecation Notice

Keep in mind that OpenSSH plans to remove support for the DSA signature algorithm in early 2025. The 9.9 release disables DSA by default at compile time. DSA, as specified in the SSHv2 protocol, is inherently weak, being limited to a 160-bit private key and use of the SHA1 digest, offering an estimated security level of only 80 bits symmetric equivalent.

OpenSSH has discouraged using DSA keys since 2015, retaining only optional run-time support. The reason is that with better algorithms widely supported across all actively maintained SSH implementations, the costs of maintaining DSA are no longer justified.

Check out the release notes for detailed information about all changes in OpenSSH 9.9.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.