OpenSSH 10.1: New DSCP Handling, SHA1 SSHFP Deprecation Announced

OpenSSH 10.1 is now available, featuring DSCP handling changes, security fixes, and plans to deprecate SHA1 SSHFP.

The OpenSSH project, developed and maintained under the OpenBSD umbrella, announced the release of OpenSSH 10.1, a widely adopted secure toolset for remote login and file transfer over encrypted connections. It is now available for download on its official mirrors.

A key change in this release is the upcoming deprecation of SHA1 SSHFP DNS records, which will soon be ignored due to weaknesses in the SHA1 algorithm. From now on, ssh-keygen -r will generate only SHA256-based SSHFP records.
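To see what this change means for DNS operators, here is an added example (not code from the article or from OpenSSH) that parses SSHFP records from a zone file, flags the SHA1 (fingerprint type 1) records that ssh will soon ignore, and recomputes the SHA256 record that `ssh-keygen -r` now emits from an OpenSSH public-key line. The host key and zone lines are constructed for the example.

```python
"""Audit SSHFP DNS records for SHA-1 fingerprints and check them against OpenSSH
public keys. Added example, not OpenSSH's own code; sample data is constructed."""
import base64
import hashlib
import struct

# SSHFP code points (RFC 4255, 6594, 7479). OpenSSH 10.1's ssh-keygen -r emits only fptype 2.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
FPTYPE_SHA1, FPTYPE_SHA256 = 1, 2

def parse_sshfp_zone(zone_text):
    """Return (owner, algorithm, fptype, hex_fingerprint) for each SSHFP line of a zone file.
    Accepts 'owner [ttl] [IN] SSHFP alg fptype hex...'; other record types are skipped."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop zone-file comments
        if "SSHFP" in fields:
            alg, fptype, *hexparts = fields[fields.index("SSHFP") + 1:]
            records.append((fields[0], int(alg), int(fptype), "".join(hexparts).lower()))
    return records

def deprecated_sshfp(zone_text):
    """SHA-1 records will soon be ignored by ssh, so they no longer verify the host key."""
    return [r for r in parse_sshfp_zone(zone_text) if r[2] == FPTYPE_SHA1]

def sshfp_from_pubkey(pubkey_line):
    """What ssh-keygen -r publishes now: SHA-256 over the decoded base64 key blob."""
    keytype, b64 = pubkey_line.split()[:2]
    return SSHFP_ALGORITHM[keytype], FPTYPE_SHA256, hashlib.sha256(base64.b64decode(b64)).hexdigest()

def record_matches_key(record, pubkey_line):
    """True when a zone record is the SHA-256 SSHFP of the given public key."""
    return tuple(record[1:]) == sshfp_from_pubkey(pubkey_line)

def ed25519_pubkey_line(raw32):
    """Build a constructed ssh-ed25519 line (wire format: string type, string 32-byte key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"

# Constructed sample: a made-up host key and a zone with one SHA-1 and one SHA-256 record.
SAMPLE_KEY = ed25519_pubkey_line(bytes(range(32)))
SAMPLE_ZONE = "\n".join([
    "host.example.  3600 IN SSHFP 4 1 " + "ab" * 20 + "  ; SHA-1: will be ignored",
    "host.example.  3600 IN SSHFP 4 2 " + sshfp_from_pubkey(SAMPLE_KEY)[2],
    "host.example.  3600 IN A     192.0.2.10",
])
```

Running `deprecated_sshfp` over a real zone export lists the records to replace; `sshfp_from_pubkey` on the host's actual public key gives the replacement value, matching what `ssh-keygen -r` prints.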

OpenSSH 10.1 also introduces a warning for non-post-quantum key agreements, highlighting the risk of “store now, decrypt later” attacks. This behavior is managed by the new WarnWeakCrypto option, enabled by default.

A minor security fix also landed in this release. It prevents control characters from being included in usernames supplied via untrusted SSH command lines or URIs, addressing a potential shell injection issue when ProxyCommand was configured to use username expansions.

This version brings major DSCP (IPQoS) changes. Interactive SSH traffic now defaults to the Expedited Forwarding class for better latency, while non-interactive traffic, such as SFTP transfers, uses the system default. In addition, the legacy IPv4 ToS keywords lowdelay, reliability, and throughput are now ignored, having been replaced by modern DSCP markings.

On the ssh-agent side, the agent now stores its sockets under ~/.ssh/agent instead of /tmp, improving security on restricted systems. It also cleans up old sockets automatically and can remove expired certificates soon after they expire.

Other notable changes include ed25519 key support on PKCS#11 tokens, a new RefuseConnection option in ssh_config, and a higher configuration size limit, raised from 256 KB to 4 MB. The release also fixes delays with X clients, improves diagnostics for key loading, and resolves several memory leaks.

Lastly, the portable build includes minor compatibility fixes for Linux, macOS, and BSD, plus a new GNOME 40+ askpass utility. It also improves PAM handling, seccomp sandboxing, and futex syscall support on 32-bit systems.

For more information, see the changelog.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.