Top stories
OpenSSH 10.4 ships post-quantum signatures and several transport fixes
- Category: Security
- Status: confirmed
- Sources: release notes, HN discussion
- Summary: OpenSSH 10.4 and 10.4p1 were released 2026-07-06. The release corrects several transport and file-transfer issues: a malicious server could cause sftp downloads to land in unexpected locations, remote-to-remote scp could write to parent directories, internal-sftp silently truncated command arguments past the ninth position and could discard security-relevant options, GSSAPI authentication had a pre-authentication denial-of-service path, and a client-side use-after-free could occur if a server changed host keys during key re-exchange. New work adds experimental post-quantum signature support combining ML-DSA 44 with Ed25519 (disabled by default) and replaces the wildcard pattern matcher with an NFA-based implementation to avoid exponential worst-case matching. The notes assign no CVE identifiers.
- Why it matters: OpenSSH is near-universal on servers and developer machines, so its transport and sftp fixes and its first experimental post-quantum signature option reach almost every operational environment.
- Follow-up: Watch for distribution packages picking up 10.4, downstream portable builds, and whether the post-quantum signature path moves past experimental.