July 6, 2026
Secure shell, insecure feelings
OpenSSH 10.4/10.4p1 Released
OpenSSH drops a safety-packed update as fans cheer, shrug, and nitpick old locks
TLDR: OpenSSH 10.4 adds important security fixes and a new experimental future-ready key option, even if most people won't use that part yet. The comments were peak sysadmin energy: polite applause, a shrug over the shiny new feature, and immediate suspicion about whether old weak settings are still around.
OpenSSH — the software that quietly powers secure logins and file transfers across the internet — just dropped version 10.4, and the community response is a perfect mix of mild hype, cautious optimism, and classic nerd nitpicking. The release itself is serious business: it fixes several security problems, tightens how connections behave, and adds an experimental new kind of future-proof key meant to help in a possible post-quantum world. In plain English: fewer weird security edge cases, stricter rules, and a glimpse of tomorrow.
But the real action is in the comments, where the crowd instantly split into familiar camps. One commenter breezily pointed everyone to the HTML release notes, which is the most on-brand open source community move imaginable: less "wow," more "here's the documentation." Another zoomed in on the flashy part — the new post-quantum signing option — but delivered the kind of dry, measured take only this crowd could love: cool feature, not urgent, and don't expect it to turn on by default anytime soon. That sparked the underlying mood of the thread: appreciation without panic.
Then came the classic security veteran energy. One user cut through the future-tech buzz with a pointed question about whether older protection methods are still enabled by default, basically saying: before we celebrate tomorrow's locks, what about the old ones still hanging on the front door? No meme war erupted, but the vibe was deliciously familiar — one part applause, one part side-eye, and one part "yes, but what about..."
Key Points
- •OpenSSH 10.4/10.4p1 was released on 2026-07-06 and is available from OpenSSH mirrors.
- •The release includes potentially incompatible changes such as mixed-case output from `sshd -G`, fatal seccomp sandbox initialization failures on Linux, and stricter handling of non-KEX messages during post-authentication key re-exchange.
- •Multiple security fixes were included across `sftp`, `scp`, `sshd`, and `ssh`, covering path handling, forwarding controls, denial-of-service conditions, authentication delay enforcement, and a client-side use-after-free.
- •The release adds experimental support for a composite post-quantum signature scheme combining ML-DSA 44 and Ed25519.
- •The new post-quantum signature feature is disabled by default and must be explicitly enabled through algorithm configuration settings, with keys generated via `ssh-keygen -t mldsa44-ed25519`.