OpenSSH 10.4 Released: How to Upgrade Your Linux Servers and What Changed

OpenSSH 10.4 landed on July 6, 2026 with three security fixes and a batch of new features that sysadmins should understand before upgrading. One fix addresses a malicious-server file redirection flaw in sftp. Another closes an scp path traversal issue. A third patches a client-side use-after-free triggered by mid-session host key changes. Beyond the security fixes, the OpenSSH 10.4 Linux upgrade also brings expanded post-quantum cryptography support, improved host key rotation tooling, and the removal of several deprecated legacy options that will break sshd if not removed first. Since OpenSSH is the most widely deployed remote access tool on Linux infrastructure, every sysadmin needs to know what changed, what breaks, and how to upgrade safely.

OpenSSH 10.4 Linux upgrade security patch sftp scp use-after-free vulnerability fix
OpenSSH 10.4 released July 6, 2026 with three security fixes. The sftp malicious-server file redirection flaw is the most impactful for sysadmins who use sftp in automation scripts or pull files from untrusted remote hosts.

The Three Security Fixes in OpenSSH 10.4

Understanding each fix helps you prioritize urgency based on how SSH is used in your environment.

Fix 1: sftp Malicious-Server File Redirection

When an sftp client requests a file, a malicious server could respond with a different file path. Because of that, the client would write remote content to an unexpected local location. Since sftp is commonly used in automation pipelines, this flaw has real exploitation potential in supply-chain and man-in-the-middle scenarios. The fix adds strict validation that the server response matches the requested path before writing any data locally. Any automation that calls sftp against untrusted or third-party servers should be treated as the highest priority for this upgrade.

Fix 2: scp Path Traversal

A malicious server could supply a filename containing path components that cause the scp client to write files outside the intended destination directory. Although scp is deprecated in favor of sftp and rsync-over-SSH, it remains in widespread use in legacy automation. Upgrading the client to 10.4 closes the issue even when connecting to older servers.

Fix 3: ssh Client Use-After-Free on Host Key Change

A use-after-free condition in the ssh client was triggered when a server changes its host key mid-session — a scenario that can be deliberately induced by attackers. In the worst case it leads to a crash or exploitable memory corruption in the connecting client. For automated SSH connections in CI/CD pipelines, this fix is particularly relevant.

OpenSSH 10.4 sftp malicious server file redirection vulnerability CVE patch fix
The sftp file redirection flaw is especially dangerous in automation pipelines. A script pulling deployment artifacts via sftp from an untrusted source could have those files silently redirected to unexpected local paths before this fix.

Check Your Current OpenSSH Version

Before upgrading, confirm what is running on each server. Many distributions ship a backported version that may already include security fixes even if the version number appears older:

ssh -V
sshd -V 2>/dev/null || /usr/sbin/sshd -V 2>/dev/null

# RHEL / AlmaLinux -- check RPM
rpm -q openssh openssh-server 2>/dev/null

# Ubuntu / Debian -- check dpkg
dpkg -l openssh-server openssh-client 2>/dev/null | grep '^ii'

# Check for backported security fixes in changelog
rpm -q --changelog openssh 2>/dev/null | grep -E 'sftp|scp|use-after-free' | head -5

# Target: OpenSSH_10.4p1 or later
ssh -V 2>&1

Scan sshd_config Before Upgrading

OpenSSH 10.4 removes four options that were deprecated years ago. If any of these are present in your sshd_config, sshd will refuse to start after the upgrade. Scan and remove them before running the package update:

# Scan for removed options
grep -E 'UseRoaming|RhostsRSAAuthentication|KeyRegenerationInterval|ServerKeyBits' \
  /etc/ssh/sshd_config /etc/ssh/ssh_config 2>/dev/null

# Remove any matches found -- edit the file and delete those lines
# Then test config validity
sshd -t
# No output means config is valid

Upgrade on RHEL / AlmaLinux / Rocky

dnf update openssh openssh-server openssh-clients -y

# Verify version
ssh -V

# Test config and restart
sshd -t && systemctl restart sshd
systemctl status sshd | head -5

Upgrade on Ubuntu / Debian

Always have console or out-of-band access ready before restarting sshd on a remote server. Existing sessions are not dropped — only new connections use the updated binary:

apt update && apt upgrade openssh-server openssh-client -y

# Verify version
ssh -V

# Confirm Debian 12 backport includes the security fix
apt-cache show openssh-server | grep Version

Compile from Source When Distro Package Is Not Yet Available

# Install build dependencies -- RHEL / AlmaLinux
dnf groupinstall 'Development Tools' -y
dnf install zlib-devel openssl-devel pam-devel -y

# Ubuntu / Debian
apt install build-essential zlib1g-dev libssl-dev libpam0g-dev -y

# Download and build OpenSSH 10.4
curl -fsSL https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-10.4p1.tar.gz \
  -o /tmp/openssh-10.4p1.tar.gz
cd /tmp && tar xzf openssh-10.4p1.tar.gz && cd openssh-10.4p1
./configure --with-pam --with-ssl-dir=/usr --prefix=/usr --sysconfdir=/etc/ssh
make -j$(nproc) && make install

# Restart and verify
systemctl restart sshd && ssh -V
OpenSSH 10.4 upgrade guide RHEL Ubuntu Debian AlmaLinux production server patch
Package manager upgrades restart sshd automatically. Existing sessions are not dropped. Always verify with ssh -V and test config syntax with sshd -t before restarting on production.

Deprecated Options Removed in 10.4

Scan and remove these before upgrading or sshd will refuse to start:

Removed Option Notes
UseRoaming Deprecated since OpenSSH 7.1 — remove from ssh_config
RhostsRSAAuthentication SSHv1 auth method — remove from sshd_config entirely
KeyRegenerationInterval SSHv1 only — sshd refuses to start if present
ServerKeyBits SSHv1 only — sshd refuses to start if present

New Features in OpenSSH 10.4

Post-Quantum Cryptography: ML-KEM Now Default

OpenSSH 10.4 prefers mlkem768x25519-sha256 for key exchange when both endpoints support it. This post-quantum hybrid algorithm combines classical X25519 with ML-KEM, providing quantum resistance while remaining secure against classical attacks. No configuration change is needed — both sides negotiate it automatically:

# Verify PQC key exchange is active on new connections
ssh -v user@host 2>&1 | grep -i 'kex\|mlkem'
# Look for: kex: algorithm: mlkem768x25519-sha256

Host Key Rotation Improvements

A new -O rotate-hostkeys option in ssh-keygen allows the server to advertise both old and new host keys during a transition window, reducing client disruption during key rotation:

# Generate a new host key
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key_new -N ''

# Initiate graceful rotation (old key stays active during transition)
ssh-keygen -O rotate-hostkeys -f /etc/ssh/ssh_host_ed25519_key_new

# After clients update known_hosts, complete the rotation
systemctl restart sshd
OpenSSH 10.4 new features PQC ML-KEM host key rotation sysadmin configuration
OpenSSH 10.4 prefers mlkem768x25519-sha256 for key exchange when both endpoints support it. No configuration change is needed — the algorithm is negotiated automatically.

Post-Upgrade Verification and Hardening

After upgrading, verify the version, test the config, then tighten your sshd_config. Always keep your existing console session open while testing a new connection:

# Verify version and config syntax after upgrade
ssh -V
sshd -t
# No output from sshd -t = config is valid

# Restart only after config is confirmed clean
systemctl restart sshd
systemctl status sshd | head -5

# Test new connection from separate terminal before closing existing session
ssh -v user@localhost 2>&1 | grep -E 'OpenSSH|kex algorithm'

After confirming the upgrade, add a hardened drop-in config under /etc/ssh/sshd_config.d/ to tighten algorithm choices and take advantage of the new ML-KEM post-quantum key exchange:

mkdir -p /etc/ssh/sshd_config.d/
cat > /etc/ssh/sshd_config.d/99-hardened.conf << 'SSHEOF'
# OpenSSH 10.4 hardening baseline
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2
X11Forwarding no
AllowAgentForwarding no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org
SSHEOF

sshd -t && systemctl reload sshd

Audit Your sftp Automation After Upgrading

Because the sftp file redirection fix changes behavior for certain edge cases, automation scripts that use sftp should be tested after upgrading. Scripts pulling files from third-party sftp servers may see new path validation errors — this is the fix working correctly, not a regression:

# Find sftp usage in cron and automation scripts
grep -rn 'sftp' /etc/cron* /var/spool/cron /opt /home 2>/dev/null | grep -v '.pyc'

# Test sftp connectivity verbosely
sftp -v user@remote-host 2>&1 | head -20

# Test a specific get operation
sftp -v user@remote-host << 'SFTPEOF'
get /remote/path/file.txt /local/destination/file.txt
SFTPEOF

If automation breaks with path validation errors after upgrading, the remote sftp server is returning a different path than the client requested. That was previously allowed and is now correctly rejected. The fix is to update the remote server or switch from sftp to rsync-over-SSH, which is the recommended approach for new automation anyway.

OpenSSH 10.4 hardening sshd_config audit post-upgrade Linux server security baseline
Adding a hardened drop-in config under /etc/ssh/sshd_config.d/ is cleaner than editing the main sshd_config directly — it survives package upgrades and is easy to audit or revert.

Upgrade OpenSSH Across a Fleet

For environments managing multiple servers, use a targeted update to control timing:

# RHEL / AlmaLinux fleet
for HOST in server1 server2 server3; do
  echo "=== $HOST ==="
  ssh root@$HOST 'dnf update openssh openssh-server -y && ssh -V && systemctl is-active sshd'
done

# Ubuntu / Debian fleet
for HOST in server1 server2 server3; do
  echo "=== $HOST ==="
  ssh root@$HOST 'apt update -q && apt upgrade openssh-server openssh-client -y && ssh -V'
done

# Verify all hosts are on 10.4
for HOST in server1 server2 server3; do
  echo -n "$HOST: "
  ssh root@$HOST 'ssh -V 2>&1'
done

After the fleet upgrade, review your SSH key posture and rotate any host keys more than two years old using the new rotation tooling. Our guide on SSH key sprawl on Linux covers the full audit and cleanup process. The Linux server hardening checklist covers the complete SSH hardening baseline. Full release notes are at openssh.com and security analysis at CyberSecurityNews.

Conclusion

The OpenSSH 10.4 Linux upgrade closes three real security issues and delivers meaningful new capabilities. Start by checking your current version with ssh -V on every server. After that, scan your sshd_config for the four deprecated options that will break sshd on upgrade. Then update via your package manager, verify the version string, and test config syntax with sshd -t before restarting. Always keep a console session open while testing after any sshd restart on a remote server. Once confirmed, add a hardened drop-in config to tighten cipher suites and enable the new ML-KEM post-quantum key exchange. Finally, audit your sftp automation scripts for any that pull from untrusted sources. OpenSSH runs on essentially every Linux server in production. Keeping it current is one of the most impactful security hygiene tasks available.

}