OpenSSH 10.1 will warn about weak key exchange algorithms in the era of post-quantum cryptography

08.10.2025 2 minutes Author: Newsman

The OpenSSH 10.1 release introduces a new feature: the client and server can now issue warnings if the selected connection uses a key exchange algorithm that is not resistant to attacks by quantum computers, that is, one that is not post-quantum.

The main change in OpenSSH 10.1 is the WarnWeakCrypto mechanism: if an SSH connection uses “weak” key exchange algorithms, a warning is issued to the user or administrator. Network traffic prioritization has also been updated: interactive session traffic now receives the EF (Expedited Forwarding) class.

In addition, ssh-agent has changed: its sockets have been moved from /tmp to ~/.ssh/agent, which increases key isolation. New flags have been added for cleaning up stale sockets, along with the ssh-add -N option, which prevents automatic removal of certificates after their expiration. A vulnerability in ssh(1) related to the handling of escape characters and null bytes in usernames and URIs has also been fixed, closing the way for shell injection via %u.

OpenSSH is a standard implementation of the SSH 2.0 protocol with SFTP support. The project is supported by an open community and is frequently updated to secure network access.

In today’s world, where quantum computers are no longer just a concept, but a real threat, key exchange algorithms that use conventional (non-post-quantum) methods are becoming vulnerable to next-generation attacks. The OpenSSH team has given a signal: preparation for the post-quantum era must start now.

The OpenSSH 10.1 update is an important step towards cryptographic robustness. Warnings about weak algorithms, changes to ssh-agent, and security fixes to the ssh client can protect against attacks that will become common with the development of quantum computing. Users and administrators should immediately update their systems and check their configurations for new features.
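
One way to check a configuration for key exchange algorithms that are not post-quantum, as an added example (not code from this article or from the OpenSSH project). The list of hybrid algorithm names is an assumption based on recent OpenSSH releases, the function names are hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: flag key exchange algorithms that are not post-quantum.
# Assumption: the hybrid names below are the post-quantum key exchanges
# shipped by recent OpenSSH; compare with `ssh -Q kex` on your own build.

is_pq_kex() {
    case "$1" in
        mlkem768x25519-sha256) return 0 ;;
        sntrup761x25519-sha512|sntrup761x25519-sha512@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads `ssh -G <host>` or `sshd -T` output on stdin (both print the fully
# expanded list) and prints each offered algorithm that is not post-quantum.
classical_kex() {
    awk 'tolower($1) == "kexalgorithms" { print $2 }' | tr ',' '\n' |
    while IFS= read -r alg; do
        [ -n "$alg" ] || continue
        is_pq_kex "$alg" || printf '%s\n' "$alg"
    done
}

# Reads `ssh -v` debug output on stdin and prints the algorithm that was
# actually negotiated for the session.
negotiated_kex() {
    sed -n 's/^debug1: kex: algorithm: //p' | head -n 1
}

# Constructed sample input (not captured from a real host).
SAMPLE_CONFIG='hostname bastion.example.test
kexalgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,curve25519-sha256,ecdh-sha2-nistp256
ciphers chacha20-poly1305@openssh.com'
SAMPLE_DEBUG='debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519'

echo "Offered but not post-quantum:"
printf '%s\n' "$SAMPLE_CONFIG" | classical_kex
neg=$(printf '%s\n' "$SAMPLE_DEBUG" | negotiated_kex)
if is_pq_kex "$neg"; then
    echo "negotiated $neg: post-quantum"
else
    echo "negotiated $neg: classical (not post-quantum)"
fi
```

For a live check, pipe real output into the same functions, for example the output of ssh -G for a host into classical_kex, or the stderr of an ssh -v session into negotiated_kex.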
