OpenSSH 10.4 Upgrade Notes for SREs

SSH is still the emergency lane for most infrastructure. It backs bastions, automation users, Git deploy keys, break-glass access, SFTP flows, and a long tail of scripts nobody wants to rediscover during an incident. That makes the OpenSSH 10.4 release worth reading even if your distribution will package it later.
What Changed in OpenSSH 10.4?
OpenSSH 10.4 was released on July 6, 2026. The release includes security fixes for sftp, scp, sshd, and client-side key reexchange behavior. It also tightens protocol handling during post-authentication key reexchange, makes some Linux seccomp sandbox failures fatal, and changes sshd -G configuration dump output from lower-case directive names to mixed case.
The most future-facing addition is experimental support for a composite post-quantum signature scheme that combines ML-DSA 44 and Ed25519. It is not enabled by default, but it gives platform teams a concrete place to start testing post-quantum SSH identity without abandoning existing Ed25519 operational habits.
Why SREs Should Care
- Bastions are high-blast-radius systems: A small SSH behavior change can affect incident access, deploy automation, and support workflows.
- Config parsers may break: If internal tooling expects
sshd -Goutput to be lower case, mixed-case directives need a compatibility check. - Seccomp failures are now fatal: Older Linux environments or unusual builds may stop instead of logging and continuing.
- Protocol strictness can expose old clients: Non-compliant peers may disconnect during rekey instead of limping along.
- SFTP and SCP fixes matter: File transfer paths are often used by backups, vendor drops, and admin scripts.
Rollout Checklist
Start with inventory. Find bastions, CI workers, appliance-style hosts, SFTP-only users, Git servers, and automation accounts that depend on SSH.
ssh -V
sshd -T | sort > sshd-effective-config.txt
sshd -G | sort > sshd-dump-before.txt
Then test the upgrade in a staging subnet. Exercise human login, certificate login, Git clone, Ansible or Terraform SSH transport, SFTP uploads, SCP between remote hosts, port forwarding, and any tunnel-based maintenance jobs.
For Linux hosts with seccomp sandboxing, verify sshd startup explicitly after package upgrade:
sudo sshd -t
sudo systemctl restart sshd
sudo systemctl status sshd --no-pager
Do not enable the new mldsa44-ed25519 key type fleet-wide on day one. Generate lab keys, test client and server support, and document where the algorithm appears in HostKeyAlgorithms and PubkeyAcceptedAlgorithms.
Operational Tips
Treat OpenSSH as part of your reliability surface. Add SSH smoke tests to golden image validation, keep a rollback path for bastions, and monitor authentication failures after rollout. If your team has SFTP-only accounts, test their exact forced-command and internal-sftp options, especially long command lines.
It is also worth tightening automation around SSH config inspection. Normalize directive names before diffing sshd -G output, and alert on risky access changes like forwarding, tunneling, password authentication, and host key algorithm drift.
Conclusion
OpenSSH 10.4 is not a flashy release, but it touches the access layer operators rely on when everything else is broken. The right move is a measured upgrade: read the release notes, test bastions and automation paths, watch for config parser assumptions, and keep post-quantum signatures in the lab until your clients are ready.
Need a cleaner way to coordinate operational checks after dependency and access-layer changes? Akmatori helps SRE teams run AI-assisted incident workflows, automate remediation, and keep human control over production actions. For globally distributed traffic infrastructure, Gcore provides edge, cloud, DNS, and security services that pair well with resilient operations.
