OpenSSH

The Secure Shell protocol was created by Finnish computer scientist Tatu Ylönen in 1995 after a password-sniffing attack on his university network. Ylönen released the original SSH implementation freely, but subsequent versions bore increasingly restrictive licenses; SSH 1.2.12, released in 1995, was the last version under terms permitting open-source redistribution.^[4] Björn Grönvall rediscovered the SSH 1.2.12 source in early 1999 and created OSSH, a bug-fixed derivative that supported only the SSH 1.3 protocol.^[4]

OpenBSD developers learned of Grönvall's work less than two months before the planned OpenBSD 2.6 release. The initial import of OSSH into the OpenBSD tree was made on 26 September 1999. A team that included Theo de Raadt, Niels Provos, Markus Friedl, Bob Beck, Aaron Campbell, and Dug Song audited the code, removed cryptographic and GPL-licensed components, and improved the protocol implementation. Markus Friedl replaced the SSH 1.3 implementation with SSH 1.5, compatible with the widely deployed SSH 1.2.27 series, and later added SSH-2 protocol support. The resulting release, OpenSSH 1.2.2, shipped with OpenBSD 2.6 on 1 December 1999.^[4]

Almost immediately after the OpenBSD 2.6 release, Damien Miller, Philip Hands, and others began porting OpenSSH to Linux and other operating systems. To keep the OpenBSD codebase free of platform-specific code, a separate portability team maintains a branch to which compatibility patches are applied before each portable release.^[4]

OpenSSH 2.0, released in 2000, was the first version to support the SSH-2 protocol alongside SSH-1. Privilege separation was introduced in version 3.2 (April 2002): sshd forks into a privileged monitor process and an unprivileged network handler, limiting the code surface exposed to hostile input.^[8] The same portability model is used by other OpenBSD projects including OpenNTPD and OpenSMTPD.

OpenSSH 5.7 (January 2011) added ECDSA public key support.^[9] OpenSSH 6.5 (January 2014) introduced the Ed25519 key type and the ChaCha20-Poly1305 authenticated cipher, both based on work by Daniel Bernstein; Ed25519 offered stronger security than ECDSA at comparable performance, and ChaCha20-Poly1305 provided authenticated encryption that does not require AES hardware support.^[10] OpenSSH 6.7 (October 2014) removed CBC ciphers and arcfour from the default cipher set.^[11]

OpenSSH 7.0 (August 2015) disabled DSA host and user keys at run-time and deprecated SSH-1 protocol support.^[12] In October 2019, OpenSSH 8.1 introduced memory protections for private keys stored in RAM against side-channel attacks and speculative-execution techniques.^[13] OpenSSH 8.8 (September 2021) disabled the ssh-rsa public key algorithm, which relies on SHA-1, while retaining support for RSA keys using SHA-2 signatures.^[14]

On 19 October 2015, Microsoft announced plans to add native OpenSSH support to Windows via PowerShell, releasing an early implementation publicly.^[15] OpenSSH client and server programs were included in Windows 10 from version 1803, released April 2018; the SSH client and key agent are enabled by default, and the SSH server is an optional Feature-on-Demand.^[6]

OpenSSH is a suite of programs, not a single application. Its principal components are:

• ssh: the SSH client, used for interactive remote login and remote command execution; a replacement for unencrypted rlogin, rsh, and telnet.
• sshd: the SSH server daemon.
• scp: an encrypted file-copy program; a replacement for unencrypted rcp.
• sftp: an interactive file-transfer client; a replacement for unencrypted ftp.
• ssh-keygen: a key-generation and inspection tool for RSA, DSA, ECDSA, and Ed25519 key types.
• ssh-agent and ssh-add: a key agent and its control program; the agent holds decrypted private keys in memory to avoid repeated passphrase entry.
• ssh-keyscan: collects and prints public host keys from a list of hosts.

The OpenSSH server supports the authentication methods defined in the SSH-2 protocol: password authentication; public-key authentication using per-user keys in ~/.ssh/authorized_keys; host-based authentication using trusted host keys; keyboard-interactive challenge–response, often used with one-time passwords; and Kerberos/GSSAPI single sign-on.^[16] The server can invoke the host operating system's pluggable authentication modules (PAM) or BSD Authentication for additional mechanisms; PAM support typically requires root privileges. From version 3.7, OpenSSH allows PAM to be disabled at run-time, permitting non-root sshd instances.

OpenSSH 8.2 added support for FIDO2/U2F hardware security keys, which perform signing inside the hardware authenticator and require physical confirmation. The corresponding key types are ecdsa-sk and ed25519-sk.^[5]

From OpenSSH 3.2, sshd uses privilege separation: the daemon forks a privileged monitor process that holds credentials and an unprivileged worker that handles network input and cryptographic operations.^[8] On OpenBSD, the unprivileged process is further restricted using pledge and a dedicated system user, minimizing the actions available if the network-facing worker is compromised.

OpenSSH can forward TCP connections and Unix domain socket traffic through an established SSH session. Local port forwarding sends traffic from a local port over the SSH session for delivery at the remote end; remote port forwarding exposes a remote port locally; dynamic port forwarding creates a SOCKS proxy that routes outgoing connections through the SSH server. These capabilities can multiplex connections over a single SSH session, carry unencrypted protocols through an encrypted channel, and traverse firewalls.^[17]

Forwarding TCP-encapsulating protocols such as PPP over an SSH session is known as TCP-over-TCP tunneling and can cause throughput degradation because of the TCP meltdown problem. OpenSSH's port forwarding avoids this in most configurations because the SSH client decapsulates the local TCP stream and sends the payload through the tunnel's own TCP connection rather than nesting one TCP flow inside another.

From version 4.3 (February 2006), OpenSSH supports an OSI layer 2/3 tun-based virtual private network, the most flexible tunneling mode, allowing applications to access remote network resources transparently without SOCKS proxying.^[18]

OpenSSH supports the following public key types for user and host authentication:^{[9][10][19][5]}

• ssh-dss: disabled at run-time since OpenSSH 7.0 (2015).
• ssh-rsa: disabled at run-time since OpenSSH 8.8 (2021); RSA keys using SHA-2 signatures remain supported.
• ecdsa-sha2-nistp256, nistp384, nistp521: added in OpenSSH 5.7 (January 2011).
• ssh-ed25519: added in OpenSSH 6.5 (January 2014).
• rsa-sha2-256 and rsa-sha2-512: added in OpenSSH 7.2 (February 2016).
• ecdsa-sk and ed25519-sk: FIDO2/U2F-backed variants added in OpenSSH 8.2 (February 2020).

Before OpenSSH 5.2, a flaw in CBC mode cipher handling allowed an attacker with control of the network to recover up to 14 bits of plaintext with a success probability of 2⁻¹⁴. The attack exploited error messages returned after decryption failures. Countermeasures were introduced in OpenSSH 5.2 (February 2009); the AES-CTR mode ciphers were not affected.^[20]

A local privilege escalation vulnerability affected OpenSSH 6.8 to 6.9 (CVE-2015-6565). World-writable TTY devices (permissions 622) allowed an authenticated user to inject characters into another user's terminal using the TIOCSTI ioctl and execute arbitrary commands on Linux. The issue was fixed in OpenSSH 7.0.^[12]

An undocumented client-side feature called "roaming," designed to resume interrupted SSH connections, was present in the OpenSSH client from version 5.4 (March 2010) through 7.1 but was never implemented in the server. A malicious or compromised SSH server could use the roaming code to read portions of the client process's memory, potentially including private keys for other systems. The vulnerability was removed in OpenSSH 7.1p2, released 14 January 2016. The associated CVE identifiers are CVE-2016-0777 (information leak) and CVE-2016-0778 (buffer overflow).^[21]

On 29 March 2024, security researcher Andres Freund disclosed a backdoor embedded in XZ Utils, specifically in its liblzma library, targeting sshd on Linux systems where the daemon loads libsystemd. The malicious code had been contributed by an attacker who had spent roughly two years building credibility in the XZ Utils project; it was designed to intercept RSA key operations inside sshd processes linking against the compromised library. The OpenSSH source code itself was not modified; the attack operated through a dependency chain from libsystemd to liblzma.^[22][23]

On 1 July 2024, Qualys disclosed regreSSHion, a remote unauthenticated code-execution vulnerability in sshd assigned CVE-2024-6387. The bug was a signal-handler race condition: if a client failed to complete authentication within the login grace period, sshd called an async-signal-unsafe function from a signal handler, producing an exploitable state.^[7] It had been present in OpenSSH 8.5p1 (March 2021) as an inadvertent regression of a fix originally applied in 2006, and was corrected in OpenSSH 9.8/9.8p1, released the same day as the disclosure. Qualys researchers assessed exploitation on 32-bit Linux systems as practical; 64-bit exploitation was considered more difficult because of address space layout randomization. OpenBSD systems were not affected, as OpenBSD's sshd had carried a separate mitigation since 2001.^[7][24]