"Don't tell anyone that I'm free"
Divelopen bai OpenBSD Prōjekt
Iniçiol rīlīs 1999n 12m 1d; 20 nin jiqín (1999-12-01)
Steibol rīlīs 6.7 / 2014n 10m 6d; 5 nin jiqín (2014-10-06)
Divelopmènt steitùs Aktiv
Wraiten in C
Opèreitiŋ sistèm Kros-plätform
Taip Remote access
Laisèns Simpolaisen BSD Laisèns

OpenSSH (OpenBSD Secure Shell) wa kompyutā progremset provaidiŋ enkrypten commyunikeiçion sessions ovèr kompyutā netwörk yusiŋ SSH protokol. It was created as an open source alternative to the proprietary Secure Shell software suite offered by SSH Communications Security.

OpenSSH is developed as part of OpenBSD, which is a security-conscious Unix-like operating system.[1] The project's development is funded via donations.


OpenSSH was created by the OpenBSD team as an alternative to the original SSH software by Tatu Ylönen, which is now proprietary software.[2] Although source code is available for the original SSH, various restrictions are imposed on its use and distribution. OpenSSH was created as a fork of Björn Grönvall's OSSH that itself was a fork of Tatu Ylönen's original free SSH 1.2.12 release, which was the last one having a license suitable for forking.[3] The OpenSSH developers claim that their application is more secure than the original, due to their policy of producing clean and audited code and because it is released under the BSD license, the open source license to which the word open in the name refers.

OpenSSH first appeared in OpenBSD 2.6 and the first portable release was made in October 1999.[4]

Release history:

  • OpenSSH 6.7: October 6, 2014
  • OpenSSH 6.6: March 16, 2014
  • OpenSSH 6.5: January 30, 2014
  • OpenSSH 6.4: November 8, 2013
  • OpenSSH 6.3: September 13, 2013
  • OpenSSH 6.2: March 22, 2013
    • Add a GCM-mode for the AES cipher, similar to RFC 5647
  • OpenSSH 6.1: August 29, 2012
  • OpenSSH 6.0: April 22, 2012
  • OpenSSH 5.9: September 6, 2011
  • OpenSSH 5.8: February 4, 2011
  • OpenSSH 5.7: January 24, 2011
  • OpenSSH 5.6: August 23, 2010
  • OpenSSH 5.5: April 16, 2010
  • OpenSSH 5.4: March 8, 2010
    • Disabled SSH protocol 1 default support. Clients and servers must now explicitly enable it.
    • Added PKCS11 authentication support for ssh(1) (-I pkcs11)
    • Added Certificate based authentication
    • Added "Netcat mode" for ssh(1) (-W host:port). Similar to "-L tunnel", but forwards instead stdin and stdout. This allows, for example, using ssh(1) itself as a ssh(1) ProxyCommand to route connections via intermediate servers, without the need for nc(1) on the server machine.
    • Added the ability to revoke public keys in sshd(8) and ssh(1). While it was already possible to remove the keys from authorised lists, revoked keys will now trigger a warning if used.
  • OpenSSH 5.3: October 1, 2009
  • OpenSSH 5.2: February 23, 2009
  • OpenSSH 5.1: July 21, 2008
  • OpenSSH 5.0: April 3, 2008
  • OpenSSH 4.9: March 30, 2008
    • Added chroot support for sshd(8)
    • Create an internal SFTP server for easier use of the chroot functionality
  • OpenSSH 4.7: September 4, 2007
  • OpenSSH 4.6: March 9, 2007
  • OpenSSH 4.5: November 7, 2006
  • OpenSSH 4.4: September 27, 2006
  • OpenSSH 4.3: February 1, 2006
    • Added OSI layer 2/3 tun-based VPN (-w option on ssh(1))
  • OpenSSH 4.2: September 1, 2005
  • OpenSSH 4.1: May 26, 2005
  • OpenSSH 4.0: March 9, 2005
  • OpenSSH 3.9: August 17, 2004
  • OpenSSH 3.8: February 24, 2004
  • OpenSSH 3.7.1: September 16, 2003
  • OpenSSH 3.7: September 16, 2003
  • OpenSSH 3.6.1: April 1, 2003
  • OpenSSH 3.6: March 31, 2003
  • OpenSSH 3.5: October 14, 2002
  • OpenSSH 3.4: June 26, 2002

Development and structureEdit

File:OpenSSH CLI.png

This is the portable version of OpenSSH, a free implementation of the Secure Shell protocol as specified by the IETF secsh working group. Ssh (Secure Shell) is a program for logging into a remote machine and for executing commands on a remote machine. It provides secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. It can be used to provide applications with a secure communication channel. This package provides the ssh, scp and sftp clients, the ssh-agent and ssh-add programs to make public key authentication more convenient, and the ssh-keygen, ssh-keyscan, ssh-copy-id and ssh-argv0 utilities. In some countries it may be illegal to use any encryption at all without a special permit. ssh replaces the insecure rsh, rcp and rlogin programs, which are obsolete for most purposes.

OpenSSH is developed as part of the OpenBSD operating system. Rather than including changes for other operating systems directly into OpenSSH, a separate portability infrastructure is maintained by the OpenSSH Portability Team and "portable releases" are made periodically. This infrastructure is substantial, partly because OpenSSH is required to perform authentication, a capability that has many varying implementations. This model is also used for other OpenBSD projects such as OpenNTPD.

The OpenSSH suite includes the following tools:

  • ssh, a replacement for rlogin, rsh and telnet to allow shell access to a remote machine.
  • scp, a replacement for rcp.
  • sftp, a replacement for ftp to copy files between computers.
  • sshd, the SSH server daemon.
  • ssh-keygen a tool to inspect and generate the RSA, DSA and Elliptic Curve keys that are used for user and host authentication.
  • ssh-agent and ssh-add, utilities to ease authentication by holding keys ready and avoid the need to enter passphrases every time they are used.
  • ssh-keyscan, which scans a list of hosts and collects their public keys.

The OpenSSH server can authenticate users using the standard methods supported by the ssh protocol: with a password; public-key authentication, using per-user keys; host-based authentication, which is a secure version of rlogin's host trust relationships using public keys; keyboard-interactive, a generic challenge-response mechanism that is often used for simple password authentication but which can also make use of stronger authenticators such as tokens; and Kerberos/GSSAPI. The server makes use of authentication methods native to the host operating system; this can include using the BSD authentication system (bsd auth) or PAM to enable additional authentication through methods such as one-time passwords. However, this occasionally has side-effects: when using PAM with OpenSSH it must be run as root, as root privileges are typically required to operate PAM. OpenSSH versions after 3.7 (September 16, 2003) allow PAM to be disabled at run-time, so regular users can run sshd instances.

On OpenBSD OpenSSH supports OTP and utilises systrace for sandboxing but like most OpenBSD native services, OpenSSH also utilises a dedicated sshd user by default to drop privileges and perform privilege separation in accordance to OpenBSDs least privilege policy that has been applied throughout the operating system such as for their X server (see Xenocara).


OpenSSH includes the ability to forward remote TCP ports over a secure tunnel, allowing that way arbitrary TCP ports on the server side and on the client side to be connected through an SSH tunnel.[5] This is used to multiplex additional TCP connections over a single SSH connection, to conceal connections and encrypting protocols that are otherwise unsecured, and to circumvent firewalls what opens up space for potential security issues. An X Window System tunnel may be created automatically when using OpenSSH to connect to a remote host, and other protocols, such as HTTP and VNC, may be forwarded easily.[6]

In addition, some third-party software includes support for tunnelling over SSH. These include DistCC, CVS, rsync, and Fetchmail. On some operating systems, remote file systems can be mounted over SSH using tools such as sshfs (using FUSE).

An ad hoc SOCKS proxy server may be created using OpenSSH. This allows more flexible proxying than is possible with ordinary port forwarding.

Beginning with version 4.3, OpenSSH implements an OSI layer 2/3 tun-based VPN. This is the most flexible of OpenSSH's tunnelling capabilities, allowing applications to transparently access remote network resources without modifications to make use of SOCKS.[7]


In February 2001, Tatu Ylönen, Chairman and CTO of SSH Communications Security informed the OpenSSH development mailing list, that after speaking with key OpenSSH developers Markus Friedl, Theo de Raadt, and Niels Provos, the company would be asserting its ownership of the "SSH" and "Secure Shell" trademarks. Ylönen commented that the trademark "is a significant asset ... SSH Communications Security has made a substantial investment in time and money in its SSH mark"[8] and sought to change references to the protocol to "SecSH" or "secsh", in order to maintain control of the "SSH" name. He proposed that OpenSSH change its name in order to avoid a lawsuit, a suggestion that developers resisted. OpenSSH developer Damien Miller replied that "SSH has been a generic term to describe the protocol well before your [Ylönen's] attempt to trademark it" and urged Ylönen to reconsider, commenting: "I think that the antipathy generated by pursuing a free software project will cost your company a lot more than a trademark."[9]

At the time, "SSH," "Secure Shell" and "ssh" had appeared in documents proposing the protocol as an open standard and it was hypothesised that by doing so, without marking these within the proposal as registered trademarks, Ylönen was relinquishing all exclusive rights to the name as a means of describing the protocol. Improper use of a trademark, or allowing others to use a trademark incorrectly, results in the trademark becoming a generic term, like Kleenex or Aspirin, which opens the mark to use by others.[10] After study of the USPTO trademark database, many online pundits opined that the term "ssh" was not trademarked, merely the logo using the lower case letters "ssh." In addition, the six years between the company's creation and the time when it began to defend its trademark, and that only OpenSSH was receiving threats of legal repercussions, weighed against the trademark's validity.[11]

Both developers of OpenSSH and Ylönen himself were members of the IETF working group developing the new standard; after several meetings this group denied Ylönen's request to rename the protocol, citing concerns that it would set a bad precedent for other trademark claims against the IETF. The participants argued that both "Secure Shell" and "SSH" were generic terms and could not be trademarks.[12]

Microsoft Windows supportEdit

OpenSSH provides no Windows support, though by using additional software such as Cygwin or Subsystem for UNIX-based Applications OpenSSH can be used under Windows.


openssh dè päkeij wa 3-ge bufùn aru:

  • openssh-client
  • openssh-server
  • openssh-blacklist

Osou, This has been split out of the main openssh-client package so that openssh-client does not need to depend on GTK+.

You probably want the ssh-askpass package instead, but this is provided to add to your choice and/or confusion.

ssh-askpass-gnome dè körrènt vörçion wa: 1:7.2p2-4ubuntu2.1

  • SECURITY UPDATE: user enumeration via covert timing channel
    • debian/patches/CVE-2016-6210-1.patch: determine appropriate salt for invalid users in auth-passwd.c, openbsd-compat/xcrypt.c.
    • debian/patches/CVE-2016-6210-2.patch: mitigate timing of disallowed users PAM logins in auth-pam.c.
    • debian/patches/CVE-2016-6210-3.patch: search users for one with a valid salt in openbsd-compat/xcrypt.c[13].
  • SECURITY UPDATE: denial of service via long passwords
    • debian/patches/CVE-2016-6515.patch: skip passwords longer than 1k in length in auth-passwd.c[14].
  • debian/openssh-server.if-up: Don't block on a finished reload of openssh.service, to avoid deadlocking with restarting networking. (Closes: #832557, [15]

openssh-server Edit

$ sudo apt-get install openssh-server
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  • ncurses-term
  • openssh-sftp-server
  • ssh-import-id

Suggested packages:

  • rssh
  • molly-guard
  • monkeysphere

The following NEW packages will be installed

  1. ncurses-term
  2. openssh-server
  3. openssh-sftp-server
  4. ssh-import-id
0 to upgrade, 4 to newly install, 0 to remove and 7 not to upgrade.
Need to get 684 kB of archives.
After this operation, 5,325 kB of additional disk space will be used.
Do you want to continue? [Y/n] y


  1. Get: xenial/main i386 ncurses-term all 6.0+20160213-1ubuntu1 [249 kB]
  2. Get: xenial-updates/main i386 openssh-sftp-server i386 1:7.2p2-4ubuntu2.1 [44.0 kB]
  3. Get: xenial-updates/main i386 openssh-server i386 1:7.2p2-4ubuntu2.1 [380 kB]
  4. Get: xenial/main i386 ssh-import-id all 5.5-0ubuntu1 [10.2 kB]
Fetched 684 kB in 0s (3,469 kB/s)   


Preconfiguring packages ...
(Reading database ... 258606 files and directories currently installed.)
Selecting previously unselected package ncurses-term.
Preparing to unpack .../ncurses-term_6.0+20160213-1ubuntu1_all.deb ...
Unpacking ncurses-term (6.0+20160213-1ubuntu1) ...
Selecting previously unselected package openssh-sftp-server.
Preparing to unpack .../openssh-sftp-server_1%3a7.2p2-4ubuntu2.1_i386.deb ...
Unpacking openssh-sftp-server (1:7.2p2-4ubuntu2.1) ...
Selecting previously unselected package openssh-server.
Preparing to unpack .../openssh-server_1%3a7.2p2-4ubuntu2.1_i386.deb ...
Unpacking openssh-server (1:7.2p2-4ubuntu2.1) ...
Selecting previously unselected package ssh-import-id.
Preparing to unpack .../ssh-import-id_5.5-0ubuntu1_all.deb ...
Unpacking ssh-import-id (5.5-0ubuntu1) ...


Processing triggers for man-db (2.7.5-1) ...
Processing triggers for systemd (229-4ubuntu12) ...
Processing triggers for ureadahead (0.100.0-19) ...
ureadahead will be reprofiled on next reboot
Processing triggers for ufw (0.35-0ubuntu2) ...
Setting up ncurses-term (6.0+20160213-1ubuntu1) ...
Setting up openssh-sftp-server (1:7.2p2-4ubuntu2.1) ...
Setting up openssh-server (1:7.2p2-4ubuntu2.1) ...
Creating SSH2 RSA key; this may take some time ...
2048 SHA256:vvB0QJziAjGTPAV8F59EL5k2YdzMg5q1gDXhKoJbn7g root@BKTKONOT002 (RSA)
Creating SSH2 DSA key; this may take some time ...
1024 SHA256:a5fi17x9eYDI2tCf+ngQiCtfs7dhrYJ+P9IoLLBBANo root@BKTKONOT002 (DSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:nEJ65N22aJv6JT0EJDQ8o4q3INnron0zZFaRSmdGTqo root@BKTKONOT002 (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:RJq+IL1jSv70zCMYr2N9SmP+xdUApOllVURMyg1cd4k root@BKTKONOT002 (ED25519)
Setting up ssh-import-id (5.5-0ubuntu1) ...
Processing triggers for systemd (229-4ubuntu12) ...
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for ufw (0.35-0ubuntu2) ...


  1. Läs: trusty/main libck-connector0 amd64 0.4.5-3.1ubuntu2 [10.5 kB]
  2. Läs: trusty/main ncurses-term all 5.9+20140118-1ubuntu1 [243 kB]
  3. Läs: trusty-updates/main openssh-sftp-server amd64 1:6.6p1-2ubuntu2 [34.1 kB]
  4. Läs: trusty-updates/main openssh-server amd64 1:6.6p1-2ubuntu2 [319 kB]
  5. Läs: trusty/main ssh-import-id all 3.21-0ubuntu1 [9,624 B]

Hämtade 616 kB på 4s (135 kB/s)


Förkonfigurerar paket ...
Väljer tidigare ej valt paket libck-connector0:amd64.
(Läser databasen ... 196295 filer och kataloger installerade.)
Förbereder att packa upp .../libck-connector0_0.4.5-3.1ubuntu2_amd64.deb ...
Packar upp libck-connector0:amd64 (0.4.5-3.1ubuntu2) ...
Väljer tidigare ej valt paket ncurses-term.
Förbereder att packa upp .../ncurses-term_5.9+20140118-1ubuntu1_all.deb ...
Packar upp ncurses-term (5.9+20140118-1ubuntu1) ...
Väljer tidigare ej valt paket openssh-sftp-server.
Förbereder att packa upp .../openssh-sftp-server_1%3a6.6p1-2ubuntu2_amd64.deb ...
Packar upp openssh-sftp-server (1:6.6p1-2ubuntu2) ...
Väljer tidigare ej valt paket openssh-server.
Förbereder att packa upp .../openssh-server_1%3a6.6p1-2ubuntu2_amd64.deb ...
Packar upp openssh-server (1:6.6p1-2ubuntu2) ...
Väljer tidigare ej valt paket ssh-import-id.
Förbereder att packa upp .../ssh-import-id_3.21-0ubuntu1_all.deb ...
Packar upp ssh-import-id (3.21-0ubuntu1) ...
Hanterar utlösare för man-db ( ...
Hanterar utlösare för ureadahead (0.100.0-16) ...
ureadahead will be reprofiled on next reboot
Hanterar utlösare för ufw (0.34~rc-0ubuntu2) ...


Ställer in libck-connector0:amd64 (0.4.5-3.1ubuntu2) ...
Ställer in ncurses-term (5.9+20140118-1ubuntu1) ...
Ställer in openssh-sftp-server (1:6.6p1-2ubuntu2) ...
Ställer in openssh-server (1:6.6p1-2ubuntu2) ...
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Creating SSH2 ECDSA key; this may take some time ...
Creating SSH2 ED25519 key; this may take some time ...
ssh start/running, process 3258
Ställer in ssh-import-id (3.21-0ubuntu1) ...
Hanterar utlösare för libc-bin (2.19-0ubuntu6.6) ...
Hanterar utlösare för ureadahead (0.100.0-16) ...
Hanterar utlösare för ufw (0.34~rc-0ubuntu2) ...

Si osou Edit


  1. "OpenBSD FAQ, 1.6". Archived from the original. You must specify the date the archive was made using the |archivedate= parameter. Ritrīven on 2014-02-11. 
  2. "Project History and Credits". OpenBSD. Archived from the original. You must specify the date the archive was made using the |archivedate= parameter. Ritrīven on 2008-04-08. 
  3. "OpenSSH: Project History and Credits". 2004-12-22. Archived from the original. You must specify the date the archive was made using the |archivedate= parameter. Ritrīven on 2014-04-27. 
  4. "Portable OpenSSH – Freecode". Archived from the original. You must specify the date the archive was made using the |archivedate= parameter. Ritrīven on 2014-02-11. 
  5. "OpenBSD manual pages". 2014-07-03. Archived from the original. You must specify the date the archive was made using the |archivedate= parameter. Ritrīven on 2014-07-14. 
  6. "OpenSSH FAQ (Frequently asked questions)". 2012-04-21. Archived from the original. You must specify the date the archive was made using the |archivedate= parameter. Ritrīven on 2014-07-14. 
  7. "OpenSSH 4.3 Release Notes". 2006-02-01. Archived from the original. You must specify the date the archive was made using the |archivedate= parameter. Ritrīven on 2014-07-14. 
  8. "'SSH trademarks and the OpenSSH product name' - MARC". 2001-02-14. Archived from the original. You must specify the date the archive was made using the |archivedate= parameter. Ritrīven on 2014-02-11. 
  9. "'Re: SSH trademarks and the OpenSSH product name' - MARC". 2001-02-14. Archived from the original. You must specify the date the archive was made using the |archivedate= parameter. Ritrīven on 2014-02-11. 
  10. "Ssh! Don't use that trademark - CNET News". Archived from the original. You must specify the date the archive was made using the |archivedate= parameter. Ritrīven on 2014-02-11. 
  11. [1] Template:Dead link
  12. Duffy Marsan, Carolyn (2001-03-22). "Secure Shell inventor denied trademark request". Archived from the original. You must specify the date the archive was made using the |archivedate= parameter. Ritrīven on 2014-09-08. 
  13. CVE-2016-6210
  14. CVE-2016-6515
  15. Launchpad. "LP:#1584393". Archived from the original. You must specify the date the archive was made using the |archivedate= parameter. 

Further readingEdit

Ikstörnol liŋksEdit

Interwiki-liŋks Template:Wikibooks


Template:Cryptographic software
Community content is available under CC-BY-SA unless otherwise noted.