What’s the main security fix in OpenSSH 10.3?

It fixes late validation of metacharacters in usernames, preventing potential command injection during auth.

Does OpenSSH 10.3 break old SSH clients?

Yes, it drops support for clients that can't rekey. Upgrade them or find new toys.

Absolutely, especially if exposed to the internet. Security first, compat second.

What if your SSH login name was secretly executing code? OpenSSH 10.3 just fixed that nightmare — plus more housekeeping that old servers won't like.

Open Source Beat Apr 07, 2026 4 min read

Critical fix for metacharacter validation in usernames prevents auth exploits. 𝕏
Drops compatibility for non-rekeying SSH clients — modernize or bust. 𝕏
scp now safely strips setuid/setgid bits in root legacy mode. 𝕏

Published by

Community-driven. Code-first.

#OpenSSH 10.3 #SSH security #SSH security fix #rekeying #rekeying changes #scp fix #scp root fix #vulnerability fix

Get the best Open Source stories of the week in your inbox — no noise, no spam.

Originally reported by LWN.net