OpenSSH

In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.

The OpenSSH suite consists of the following tools:

• Remote operations are done using ssh, scp, and sftp.
• Key management with ssh-add, ssh-keysign, ssh-keyscan, and ssh-keygen.
• The service side consists of sshd, sftp-server, and ssh-agent.

OpenSSH is developed by a few developers of the OpenBSD Project and made available under a BSD-style license.

Features

• Completely open source project with free licensing
• The OpenSSH source code is available free to everyone via the Internet. This encourages code reuse and code auditing. Code review ensures the bugs can be found and corrected by anyone. This results in secure code. OpenSSH is not covered by any restrictive license. It can be used for any and all purposes, and that explicitly includes commercial use. The license is included in the distribution. We feel that the world would be better if routers, network appliances, operating systems, and all other network devices had ssh integrated into them. All components of a restrictive nature (i.e. patents) have been removed from the source code. Any licensed or patented components are chosen from external libraries (e.g. LibreSSL).
• Strong cryptography (AES, ChaCha20, RSA, ECDSA, Ed25519...)
• Encryption is started before authentication, and no passwords or other information is transmitted in the clear. Encryption is also used to protect against spoofed packets. A number of different ciphers and key types are available, and legacy options are usually phased out in a reasonable amount of time.
• X11 forwarding (which also encrypts X Window System traffic)
• X11 forwarding allows the encryption of remote X windows traffic, so that nobody can snoop on your remote xterms or insert malicious commands. The program automatically sets DISPLAY on the server machine, and forwards any X11 connections over the secure channel. Fake Xauthority information is automatically generated and forwarded to the remote machine; the local client automatically examines incoming X11 connections and replaces the fake authorization data with the real data (never telling the remote machine the real information).
• Port forwarding (encrypted channels for legacy protocols)
• Port forwarding allows forwarding of TCP/IP connections to a remote machine over an encrypted channel. Insecure internet applications like POP can be secured with this.
• Strong authentication (public keys, one-time passwords)
• Strong authentication protects against several security problems: IP spoofing, fakes routes and DNS spoofing. Some authentication methods include public key authentication, one-time passwords with s/key and authentication using Kerberos (only in -portable).
• Agent forwarding
• An authentication agent, running in the user's laptop or local workstation, can be used to hold the user's authentication keys. OpenSSH automatically forwards the connection to the authentication agent over any connections, and there is no need to store the authentication keys on any machine in the network (except the user's own local machine). The authentication protocols never reveal the keys; they can only be used to verify that the user's agent has a certain key. Eventually the agent could rely on a smart card to perform all authentication computations.
• Interoperability
• Interoperability between implementations is a goal, but not a promise. As OpenSSH development progresses, older protocols, ciphers, key types and other options that have known weaknesses are routinely disabled. Some examples can be found on the legacy page.
• SFTP client and server support.
• Complete SFTP support is included, using the sftp(1) command as a client and sftp-server(8) subsystem as a server.
• Optional data compression
• Data compression before encryption improves the performance for slow network links.

What's New

OpenSSH 9.1 was released on 2022-10-04. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support.

• It is now possible[1] to perform chosen-prefix attacks against the
• SHA-1 algorithm for less than USD$50K.
• In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future.
• Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default.
• This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default.

Security

• This release contains fixes for three minor memory safety problems. None are believed to be exploitable, but we report most memory safety problems as potential security vulnerabilities out of caution.
• ssh-keyscan(1): fix a one-byte overflow in SSH- banner processing. Reported by Qualys

Potentially-incompatible changes

This release includes a number of changes that may affect existing configurations:

• ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519.
• ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
• ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001.
• ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519.
• The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default)
• ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers.

Changes

New features

• ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions:
  • The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile).
  • The same key does not exist under another name.
  • A certificate host key is not in use.
  • known_hosts contains no matching wildcard hostname pattern.
  • VerifyHostKeyDNS is not enabled.
  • The default UserKnownHostsFile is in use.
  • We expect some of these conditions will be modified or relaxed in future.
• ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists.
• ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key.
• ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys.
• ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files.
• ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS.
• ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials.
• sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit.

Bugfixes

• ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224
• sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201
• ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded.
• ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229
• ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client.
• ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253
• ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms.
• sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet.
• ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078).
• sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206
• Minor man page fixes (capitalization, commas, etc.) bz#3223
• sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222
• ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879
• ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320
• sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239
• sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248.
• ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250
• ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type.
• This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type.

Portability

• sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260
• sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259
• Sync contrib/ssh-copy-id with upstream.
• unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN.