OpenSSH 10.0 has been officially released, introducing a number of protocol changes and security upgrades, including a key enhancement for post-quantum security. The release makes the mlkem768x25519-sha256 algorithm the default for key agreement. This hybrid algorithm combines ML-KEM (a NIST-standardized key encapsulation mechanism) with the classical X25519 elliptic curve method, offering quantum-resistant properties while maintaining compatibility and performance.

OpenSSH has supported one post-quantum algorithm since 2022; the second, newly added algorithm is now used by default for key agreement. This shift is designed to resist attacks by both classical and quantum adversaries, aligning OpenSSH with the post-quantum cryptographic algorithms selected by the U.S. National Institute of Standards and Technology (NIST).

Beyond the key exchange changes, OpenSSH 10.0 drops the long-deprecated DSA signature algorithm, disables finite-field Diffie-Hellman in the server by default, and separates user authentication code into a new sshd-auth binary to reduce the pre-authentication attack surface. These changes further harden the system against current and future threats. Additional updates include improvements in configuration matching, FIDO2 token support, session type detection, and portability features. On the cryptographic side, AES-GCM is now preferred over AES-CTR, and OpenSSH has improved its modular handling of moduli files for group exchange.
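To check an existing server against the defaults described above, the following added example (not code from the OpenSSH project or the original article) audits the effective configuration printed by `sshd -T`. The finding names and both sample configurations are constructed for illustration.

```python
# Added example: audit `sshd -T` output against the defaults this article describes.
# Finding IDs are hypothetical labels; the sample configurations are constructed.

def parse_effective_config(text):
    """Parse `sshd -T` output ("keyword value" per line) into keyword -> list."""
    cfg = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key and value:
            cfg[key.lower()] = value.split(",")
    return cfg

def audit(text):
    """Return finding IDs where the config departs from the described defaults."""
    cfg = parse_effective_config(text)
    findings = []
    kex = cfg.get("kexalgorithms", [])
    # The hybrid post-quantum KEX should be the first preference.
    if not kex or kex[0] != "mlkem768x25519-sha256":
        findings.append("KEX_PQ_HYBRID_NOT_PREFERRED")
    # Finite-field Diffie-Hellman is off by default in the 10.0 server.
    if any(k.startswith("diffie-hellman-") for k in kex):
        findings.append("KEX_FINITE_FIELD_DH_ENABLED")
    # DSA (ssh-dss and its certificate variant) has been dropped.
    for keyword in ("hostkeyalgorithms", "pubkeyacceptedalgorithms"):
        if any(a.startswith("ssh-dss") for a in cfg.get(keyword, [])):
            findings.append("DSA_ENABLED:" + keyword)
    # AES-GCM should be listed ahead of AES-CTR.
    ciphers = cfg.get("ciphers", [])
    gcm = [i for i, c in enumerate(ciphers) if "-gcm@" in c]
    ctr = [i for i, c in enumerate(ciphers) if c.endswith("-ctr")]
    if ctr and (not gcm or min(ctr) < min(gcm)):
        findings.append("CIPHER_CTR_BEFORE_GCM")
    return findings

# Constructed sample: a server carrying older overrides.
LEGACY = """\
port 22
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256
hostkeyalgorithms ssh-ed25519,ssh-dss
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512
ciphers aes128-ctr,aes256-ctr,aes128-gcm@openssh.com
"""

# Constructed sample: a server in line with the defaults described above.
CURRENT = """\
kexalgorithms mlkem768x25519-sha256,curve25519-sha256
hostkeyalgorithms ssh-ed25519,rsa-sha2-512
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512
ciphers chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes128-ctr
"""

if __name__ == "__main__":
    for name, sample in (("legacy", LEGACY), ("current", CURRENT)):
        print(name, audit(sample) or "matches the described defaults")
```

In practice, feed `audit()` the text captured from `sshd -T` run as root on the host under review, since that output reflects overrides in `sshd_config` and its include files rather than compiled-in defaults alone.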

OpenSSH is one of the most widely deployed secure communication tools globally. The inclusion of a post-quantum default key exchange mechanism signals growing consensus around hybrid cryptographic adoption in mission-critical open-source infrastructure. The OpenSSH project continues to play a foundational role in global network security, with changes like these setting baselines for future-proof encryption.

The official announcement was posted to the OpenSSH mailing list, and Phoronix has published a summary of the release.

April 9, 2025