The OpenSSH project shipped version 10.4 on July 6, 2026, a maintenance release that eliminates eight security weaknesses across its widely used SSH client, server, and file transfer utilities, while also offering system administrators an early look at post-quantum signature algorithms designed to resist future quantum computer attacks.

What’s New in OpenSSH 10.4

The update fixes bugs in every major component: ssh (the client), sshd (the server), sftp (secure file transfer), scp (secure copy), and ssh-agent (the key manager). The project’s release notes confirm that all eight vulnerabilities are addressed, though detailed disclosure typically follows once users have had time to apply the patches. Past OpenSSH advisories have ranged from denial-of-service and information leaks to remote code execution, and even a single unauthenticated RCE can compromise an entire server fleet. For that reason, the project urges immediate upgrades.

In addition to patching, OpenSSH 10.4 introduces experimental support for post-quantum signature algorithms. This means the authentication layer—the handshake that proves you are who you claim to be—can now use cryptographic primitives that are believed to be secure against both classical computers and the code-breaking potential of future quantum machines. The feature ships as an opt-in, off-by-default capability, intended for testing and research rather than production environments. Enabling it requires generating new key pairs with a post-quantum algorithm and adjusting server and client configuration files accordingly. No default behavior changes for existing installations.

Why This Update Matters for Windows Users

OpenSSH is not just an Unix utility anymore. Since the Windows 10 Fall Creators Update, Microsoft has shipped OpenSSH as an optional feature, and Windows Server 2019 and later include it as an installable component. Many developers run the OpenSSH server on Windows machines for remote access, CI/CD pipelines, and cross-platform development. On the desktop, tools like PowerShell’s SSH transport, Visual Studio Code’s remote extensions, and even some Git configurations rely on the bundled OpenSSH client.

If you have ever enabled “OpenSSH Server” from Windows’ optional features, your system is running a Microsoft-packaged version of OpenSSH. That version does not always receive security updates as quickly as the upstream project releases them. Microsoft typically integrates upstream fixes into Windows Update on its own schedule, which can leave a window of exposure. Power users and system administrators often bypass this delay by installing the open-source Win32-OpenSSH distribution directly from GitHub, which gets updated within hours of an upstream release.

For home users, the risk is lower unless you intentionally expose an SSH server to the network—for example, by enabling the OpenSSH Server optional feature and leaving port 22 open on your firewall. For IT professionals managing Windows servers, the update is urgent. A single vulnerable sshd instance can act as a pivot point into a larger network. SFTP and SCP bugs are especially dangerous on servers that accept automated file transfers, such as backup servers or build agents.

Developers who use SSH keys stored in ssh-agent should also patch the client. Some of the fixed vulnerabilities affect the agent, potentially allowing a malicious server to extract private keys during an SSH session. If you frequently ssh into remote machines, updating the client is as important as updating the server.

How We Got Here: OpenSSH’s Security Evolution

OpenSSH has been the gold standard for remote administration for over two decades, but its ubiquity makes it a prime target. Recent years have seen a steady trickle of important security patches. In 2023, a double-free bug in the pre-authentication phase (CVE-2023-25136) demonstrated the real-world risk of unpatched SSH servers. In 2024, the project began integrating post-quantum key exchange mechanisms, such as the hybrid [email protected] algorithm, to protect session keys against future quantum decryption.

This latest release extends that work to signatures, the other half of the cryptographic handshake. A post-quantum key exchange ensures that even if an attacker records an encrypted SSH session today, they cannot retroactively decrypt it once large-scale quantum computers arrive. But if the authentication mechanism—typically RSA or ECDSA—remains classical, an adversary could forge a signature and impersonate a server or client. By adding post-quantum signature algorithms, OpenSSH 10.4 closes that gap, at least on an experimental basis.

The move is in sync with the broader industry push toward quantum-resistant cryptography. NIST published its first three post-quantum standards in 2024, and organizations like the IETF have been drafting protocols to incorporate them into TLS, SSH, and other internet protocols. OpenSSH’s early implementation gives the security community a real-world testbed, accelerating the feedback loop between standardization and practical deployment.

What to Do Now

Your immediate task is straightforward: find out which version of OpenSSH you are running and update to 10.4 if you are not already there.

Check your current version:
- On any platform, run ssh -V in a terminal. The output will show the version number.

Update paths for Windows users:

Installation Method Update Instructions
Windows Optional Feature (OpenSSH Client or OpenSSH Server via Settings) Wait for Microsoft to release an updated optional feature via Windows Update, or uninstall the optional feature and switch to Win32-OpenSSH for faster updates. Currently, the optional feature often lags behind upstream security patches.
Win32-OpenSSH (standalone installer from GitHub) Download the latest .msi from the Win32-OpenSSH releases page. Run the installer; it will automatically stop and replace the existing service.
WSL (Windows Subsystem for Linux) Use your Linux distribution’s package manager (sudo apt update && sudo apt upgrade openssh-client openssh-server on Debian/Ubuntu; sudo dnf upgrade openssh on Fedora). Most WSL distros receive upstream patches within days.
Third-party packs (Cygwin, MSYS2, git-bash) Run the respective package manager (pacman -Syu openssh for MSYS2, apt-cyg update openssh for Cygwin). Git for Windows ships its own OpenSSH; check the Git release page for updates.

For server administrators:
- After updating the server, restart the sshd service (sc stop sshd && sc start sshd on Windows; sudo systemctl restart sshd on Linux/WSL).
- Review your configuration files (sshd_config and ssh_config) for any custom settings that might need adjustment. The experimental post-quantum signature support does not change any defaults, so a simple restart is sufficient.

Testing post-quantum signatures (lab only):
- Generate a new key: ssh-keygen -t pqsign (the exact algorithm name may differ; check the release notes).
- Configure the server to accept the key and disable classical fallbacks in /etc/ssh/sshd_config:
ChallengeResponseAuthentication no PasswordAuthentication no UsePAM no PubkeyAcceptedAlgorithms [email protected]
- On the client, specify the key with ssh -o IdentityFile=~/.ssh/id_pqsign user@host.
- Remember: this is experimental. Do not rely on it for production authentication. The purpose is to help the community test compatibility and performance.

Outlook

OpenSSH 10.4 signals that the project is committed to hardening its authentication layer well before quantum computers become a practical threat. The next releases will likely stabilize these experimental algorithms, deprecate older key types, and integrate final NIST standards as they mature. For now, the priority is patching the eight security issues. Windows users who rely on SSH for remote access, DevOps, or development should update immediately and keep a close eye on subsequent point releases. The quantum-safe future is approaching, and OpenSSH is already laying the cryptographic groundwork.