OpenSSH 10.1 enhances certificate logging and disallows control characters in usernames

OpenSSH 10.1 has been released as the latest version of the Secure Shell protocol suite, bringing several user-focused enhancements and security safeguards. This release blocks control characters in usernames provided on the command line or those expanded from configuration %-sequences. It also disallows NUL \0 characters in ssh:// Uniform Resource Identifiers (URIs), reducing the risk of malformed or malicious input.

Building on core functionality, OpenSSH now supports Ed25519 keys stored on PKCS#11-compatible cryptographic tokens. Users working with graphical forwarding will see X11 display number checks relate to the X11DisplayOffset, allowing higher port ranges without affecting defaults. For diagnostics, SIGINFO signal handlers now enable active channel and session logging.

Following updates for troubleshooting, certificate authentication failures provide logs with certificate-identifying information and reasons for refusal, easing the investigation of authorization issues. Administrators gain new configuration flexibility using the RefuseConnection option in ssh_config, immediately ending sessions with a specified error message.

To assist ongoing quality assurance, the unit test framework gains basic benchmarking features. OpenSSH 10.1 also includes portability enhancements and addresses about a dozen bug fixes, improving reliability across platforms.