Skip to main content
GrN.dk

Main navigation

  • Articles
  • Contact
  • Your Digital Project Manager
  • About Greg Nowak
  • Services
  • Portfolio
  • Container
    • Excel Freelancer
    • Kubuntu - tips and tricks
    • Linux Apache MySQL and PHP
    • News
    • Image Gallery
User account menu
  • Log in

Breadcrumb

  1. Home

OpenSSH 10 Crypto Changes: Why Old SFTP Integrations Need a Cleanup Plan

By Greg Nowak. Last updated 2026-06-24.

As of June 24, 2026, the current OpenSSH 10.x release line is 10.3, and the compatibility work that started in 10.0 is no longer theoretical. If your company still depends on long-lived SFTP drop-boxes, nightly file pushes, vendor collection scripts, or agency-run client automations, the risk is not only that SSH may fail. The larger risk is that nobody owns the detail until payroll, reporting, fulfillment, or a client handoff misses a file.

What Changed In OpenSSH 10

OpenSSH 10.0 removed support for the DSA signature algorithm. That matters because a server or client that still depends on DSA is not merely using an unfashionable key. It is depending on key material OpenSSH has now retired after years of deprecation. For a business owner, the practical answer is simple: DSA keys should be replaced, not worked around.

OpenSSH 10.1 added a client warning when a connection negotiates a key exchange that is not post-quantum. The transfer may still succeed, but the warning is a useful early signal. OpenSSH explains the issue as the risk of encrypted sessions being captured today and decrypted later if future quantum computers can break the key agreement. The relevant fix is usually on the server side: support modern hybrid key exchanges such as mlkem768x25519-sha256 or sntrup761x25519-sha512, and make sure local policy has not disabled them.

OpenSSH 10.0 also narrowed server-side defaults by removing the older finite-field Diffie-Hellman group and group-exchange methods from the default server KexAlgorithms list. OpenSSH 10.3 adds another reminder for brittle integrations by removing bug compatibility for implementations that do not support rekeying. In plain English: old transfer paths can break for more than one crypto reason, and version numbers alone do not tell you what will actually negotiate.

Signal Likely Cause First Business-Safe Action
DSA key fails after an OpenSSH update The integration still relies on retired DSA key material Replace the key and test the exact batch job end to end
Non-post-quantum warning appears The server does not offer a supported hybrid key exchange Upgrade or reconfigure the server before suppressing warnings
Key exchange mismatch Client and server no longer share acceptable KEX algorithms Inspect both sides and avoid estate-wide legacy fallbacks
Manual login works but automation fails The job uses a different identity, config path, or agent state Pin the intended identity and test with batch-mode settings
A practical triage matrix for OpenSSH 10 SFTP cleanup work.

Start With Inventory, Not Exceptions

The wrong first move is to paste legacy algorithms into a global SSH config and hope the warnings stop. Start with an endpoint register: host, port, owner, vendor contact, business process, schedule, client version, server version if known, authentication key, host key, negotiated key exchange, and whether the job is interactive, batch, or embedded in another tool.

OpenSSH gives you useful inspection commands before you touch policy:

ssh -Q kex
ssh -Q HostKeyAlgorithms
ssh -Q PubkeyAcceptedAlgorithms

Those commands show what the installed client can support. Then test the real job path, not a convenient manual shortcut. If the production task uses SFTP, batch mode, a named key, and a cron environment, test that shape directly:

sftp -vvv -oBatchMode=yes partner-legacy-sftp

The goal is to find the negotiated behavior, not to prove that some SSH connection can be made from a developer laptop.

Replace Weak Keys Cleanly

Where DSA appears, plan a controlled key replacement. Ed25519 is a good default when the partner system supports it, while RSA with SHA-2 signatures may be needed for some older commercial appliances. The important part is not the key type alone. It is the rollout: create the new key, install the public key with the partner, test in parallel if possible, update the automation, and remove the old key from authorized access.

ssh-keygen -t ed25519 -f ~/.ssh/vendor_sftp_2026 -C vendor-sftp-2026

For unattended jobs, pin the intended identity so the job does not accidentally succeed because an agent offered a different key:

Host partner-legacy-sftp
    HostName sftp.partner.example
    User upload
    IdentityFile ~/.ssh/vendor_sftp_2026
    IdentitiesOnly yes

Keep Exceptions Small And Visible

Some partners will not modernize on your timeline. That is normal, but it should be handled as an explicit exception. The OpenSSH client supports Host and Match blocks, and WarnWeakCrypto can suppress the post-quantum warning for a specific host. Use that carefully:

Match host partner-legacy-sftp
    WarnWeakCrypto no-pq-kex

That line is not remediation. It is a documented risk acceptance while the server owner catches up. Put a reason, owner, and review date beside it in your endpoint register. Do not put the same setting under Host *, because that teaches every future SSH connection to be quieter when it should be more informative.

What A Good Cleanup Project Leaves Behind

A useful OpenSSH 10 cleanup is small but disciplined. It should leave you with modern keys where possible, scoped compatibility settings where unavoidable, a record of which endpoints still need partner action, and simple monitoring around the transfers that matter. For most teams, that means alerting on failed exits, missing expected files, and new crypto warnings during the migration window.

For agencies, the same approach can be packaged across client estates without turning every exception into a permanent custom snowflake. For operations leads, it gives you something better than a vague security concern: a finite list of endpoints, owners, risks, and fixes. If you want this handled as a contained engineering project, talk to Greg about an SSH/SFTP cleanup.

Related on GrN.dk

  • HubSpot OAuth v1 deprecation: what old CRM integrations need next
  • NGINX 1.30 changed upstream connection reuse by default: what to check before you upgrade
  • When Google can call the business, your local data stops being cosmetic

Need help with this kind of work?

Scope an SSH/SFTP cleanup with Greg Get in touch with Greg.

Sources

  • OpenSSH Release Notes
  • OpenSSH Post-Quantum Cryptography
  • OpenBSD ssh_config(5) Manual
  • OpenBSD sshd_config(5) Manual
  • OpenBSD ssh(1) Manual
Last modified
2026-06-24

Tags

  • OpenSSH
  • SFTP
  • SSH
  • Linux
  • Automation

Review Greg on Google

Greg Nowak Google Reviews

 

Illustrated infographic summarizing: If the Facts Need JavaScript, AI Search May Miss the Full Page
If the Facts Need JavaScript, AI Search May Miss the Full Page
2026-07-14

A practical guide to finding and fixing JavaScript rendering gaps that can hide services, prices, contact details and metadata from AI search crawlers.

Illustrated infographic summarizing: Search Console Can See Social Posts—Your Reports Need a New Map
Search Console Can See Social Posts—Your Reports Need a New Map
2026-07-13

Search Console now reports how social posts perform across Google. Here’s a practical way to manage properties, permissions, baselines and exports.

Illustrated infographic summarizing: WordPress 7.0 Has an AI Client. Plugins Need Their Own Guardrails
WordPress 7.0 Has an AI Client. Plugins Need Their Own Guardrails
2026-07-12

WordPress 7.0 standardizes how plugins call AI providers, while leaving developers responsible for access control, cost limits, capability checks and graceful failures.

Illustrated infographic summarizing: Google’s AI Search toggle needs a test plan, not a gut decision
Google’s AI Search toggle needs a test plan, not a gut decision
2026-07-11

Google’s AI Search control creates a measurable publishing choice. Test visibility, traffic and leads before changing the setting across your site.

Illustrated infographic summarizing: OpenAI Is Retiring Agent Builder: Save the Workflow, Not Just Prompts
OpenAI Is Retiring Agent Builder: Save the Workflow, Not Just Prompts
2026-07-10

OpenAI retires Agent Builder on November 30, 2026. Here is what teams need to preserve, how to choose a migration path, and how to cut over safely.

Illustrated infographic summarizing: AI agents need a browser policy before they start clicking around
AI agents need a browser policy before they start clicking around
2026-07-09

Browser-using AI agents can save time, but they need clear rules before they enter CRMs, CMSs, portals, or admin tools and start taking action.

Illustrated infographic summarizing: When AI writes JSON, one bad field can break the workflow
When AI writes JSON, one bad field can break the workflow
2026-07-08

Structured AI output is useful in real workflows, but teams need schemas, validation, retries, and logs before JSON reaches production systems.

Illustrated infographic summarizing: AI search is eating the click: measure the queries before rewriting pages
AI search is eating the click: measure the queries before rewriting pages
2026-07-07

AI summaries are cutting into search clicks. Start with a practical dashboard that shows query risk, bot purpose, page value, and crawler policy.

Illustrated infographic summarizing: AI shopping visibility now depends on boring product-data plumbing
AI shopping visibility now depends on boring product-data plumbing
2026-07-07

AI-assisted shopping puts more pressure on ecommerce catalog data, feeds, schema, prices, availability, and return-policy governance.

Illustrated infographic summarizing: Drupal AI Demos Need a Permissions Rehearsal Before Launch
Drupal AI Demos Need a Permissions Rehearsal Before Launch
2026-07-07

Drupal’s July 2026 AI advisories show why agencies should test permissions, uploads, approval loops, logs, and rollback before client demos go live.

More articles
RSS feed

GrN.dk web platforms, web optimization, data analysis, data handling and logistics.