OpenSSH 10.3 Released With Patch for Shell Injection and Other Security Bugs
The OpenSSH project has released version 10.3 alongside its portable version 10.3p1. This major update followed a brief testing phase in late March and addresses several important security vulnerabilities.
The most critical fix addresses a dangerous shell injection vulnerability, making this update essential for system administrators globally.
OpenSSH continues to lead the implementation of the SSH protocol 2.0, providing secure encrypted communications.
The primary focus of this release is a shell injection vulnerability found within the SSH client.
Previously, malicious usernames passed via the command line could execute arbitrary shell commands when specific tokens, like “%u”, were used in configuration files.
OpenSSH 10.3 resolves this vulnerability by implementing stricter validation rules for shell characters. however, developers strongly advise against directly exposing SSH command-lines to untrusted input.
Other notable security fixes include:
- Certificate Authentication Bug: a flaw within the server (
sshd) was fixed where certificates containing comma-separated names could bypass certain restrictions in theauthorized_keysfile. - Legacy SCP Permissions: a long-standing bug in legacy
scpwas addressed where downloading files as root failed to clear dangeroussetuid/setgidpermission bits. - ECDSA Key Enforcement: an issue allowing the accidental acceptance of any ECDSA algorithm when restricting a key to a specific one was resolved.
Key Features and Improvements
Beyond security patches, OpenSSH 10.3 introduces several valuable features for administrators to manage connections and prevent abuse:
- Connection Insights: new commands (
~Iandssh -O conninfo) allow users to quickly view detailed information about active SSH connections and open channels. - Stronger Anti-Spam Penalties: the server now includes an ‘invaliduser’ penalty to automatically slow down bots and attackers using fake usernames.
- Multiple Revocation Files: administrators can now list multiple files in the
RevokedHostKeysandRevokedKeysconfigurations to better manage compromised keys. - Standardized Agent Forwarding: support for official IANA-assigned names for SSH agent forwarding has been added, improving compatibility.
- Sub-Second Penalties: the
PerSourcePenaltiesfeature now supports decimal times, enabling defensive blocks lasting less than a second.
Administrators should be aware of a few changes that might disrupt older network setups. OpenSSH 10.3 officially drops support for older, insecure software implementations that do not support cryptographic rekeying.
Furthermore, the ProxyJump command-line option now performs strict hostname and username validation to mitigate further shell injection risks.
Finally, an empty “principals” section in a certificate no longer acts as a wildcard; it now strictly matches nothing.
Organizations are advised to upgrade their servers and clients to OpenSSH 10.3 promptly to protect their infrastructure against these newly disclosed vulnerabilities.