It is possible to advance OpenSSH through donations of hardware or money. See the OpenSSH project web site at www.openssh.org for details.
OpenSSH is a volunteer project with the goal of making quality software. In that way it relies upon hardware and cash donations to keep the project rolling. Funds are needed for daily operation to cover network line subscriptions and electrical costs. If 2 dollars were given for every download of the OpenSSH source code in 2015 from the master site, ignoring the mirrors, or if a penny was donated for every pf or OpenSSH installed with a mainstream operating system or phone in 2015, then funding goals for the year would be met. Hardware is needed for development and porting to new architectures and platforms always requires new hardware.
OpenSSH is currently developed by two teams. The first team works providing code that is as clean, simple and secure as possible as part of the OpenBSD project. The second team works using this core version and ports it to a great many other operating systems. Thus there are two development tracks, the OpenBSD core and the portable version. The work is all done in countries that permit export of cryptography.
Use the Source, Luke
The main development branch of OpenSSH is part of the OpenBSD project. So the "-current" branch of OpenBSD, available as source code, is where to look for current activity.
The source code for the portable releases of OpenSSH are published using anonymous CVS, so no password is needed to download source from the read-only repository. It is provided and maintained by Damien Miller. Nightly, bleeding-edge snapshots of OpenSSH itself are publicly available from its own CVS tree. Use a mirror when possible.
export CVSROOTemail@example.com:/cvs export CVS_RSH=/usr/bin/ssh cvs get openssh
The fingerprint for the key used by the OpenSSH source code repository, as of this writing, is:
2048 SHA256:UNyCGjDDKB8hPDhrgMRAID6F53TyECEgnMmBN/4ZbuY anoncvs.mindrot.org (RSA)
We ask anyone wishing to report security bugs in OpenSSH to please use the contact address given in the source and to practice responsible disclosure.
libssh is an independend project that provides a mulitplatform C library implementing the SSHv2 and SSHv1 protocol for client and server implementations. With libssh, developers can remotely execute programs, transfer files and use a secure and transparent tunnel for your remote applications.
libssh is available under LGPL 2.1 license, on the web page https://www.libssh.org/
- Key Exchange Methods: firstname.lastname@example.org, ecdh-sha2-nistp256, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1
- Hostkey Types: ecdsa-sha2-nistp256, ssh-dss, ssh-rsa
- Ciphers: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-cbc, des-cbc-ssh1, blowfish-cbc
- Compression Schemes: zlib, email@example.com, none
- MAC hashes: hmac-sha1, none
- Authentication: none, password, public-key, hostbased, keyboard-interactive, gssapi-with-mic
- Channels: shell, exec (incl. SCP wrapper), direct-tcpip, subsystem, firstname.lastname@example.org
- Global Requests: tcpip-forward, forwarded-tcpip
- Channel Requests: x11, pty, exit-status, signal, exit-signal, email@example.com, firstname.lastname@example.org
- Subsystems: sftp(version 3), publickey(version 2), OpenSSH Extensions
- SFTP: email@example.com, firstname.lastname@example.org
- Thread-safe: Just don’t share sessions
- Non-blocking: it can be used both blocking and non-blocking
- Your sockets: the app hands over the socket, or uses libssh sockets
- OpenSSL or gcrypt: builds with either
- Client and server support
- SSHv2 and SSHv1 protocol support
- Supports Linux, UNIX, BSD, Solaris, OS/2 and Windows
- Full API documentation and a tutorial
- Automated test cases with nightly tests
- Event model based on poll(2), or a poll(2)-emulation.
libssh2 is another independent project providing a lean C library implementing the SSH2 protocol for embedding specific SSH capabilities into other tools. It has a stable, well-documented API for working on the client side with the different SSH subsystems: Session, Userauth, Channel, SFTP, and Public Key. The API can be set to either blocking or non-blocking. The code uses strict name spaces, is C89-compatible and builds using regular GNU Autotools.
libssh2 is available under a modified BSD license. The functions are each documented in their own manual pages. The project web site contains the documentation, source code and examples: http://www.libssh2.org/
There is a mailing list for libssh2 in addition to an IRC channel. The project is small, low-key and, as true to the spirit of the Internet, a meritocracy. Hundreds of specific functions allow specific activities and components to be cherry-picked and added to an application:
- Shell and SFTP sessions
- Port forwarding
- Password, public-key, host-based keys, and keyboard-interactive authentication methods.
- Key Exchange Methods diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1
- Host Key Types: ssh-rsa and ssh-dss
- Ciphers: aes256-cbc (email@example.com), aes192-cbc, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, arcfour, or without a cipher.
- Compression Scheme zlib or without compression
- Message Authentication Code (MAC) algorithms for hashes: hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96, hmac-ripemd160 (firstname.lastname@example.org), or none at all
- Channels: Shell, Exec – including the SCP wrapper, direct TCP/IP, subsystem
- Channel Requests: x11, pty
- Subsystems: sftp version 3, public-key version 2
- Thread-safe, blocking or non-blocking API
- Your sockets: the app hands over the socket, calls select() etc.
- Builds with either OpenSSL or gcrypt
See also the library libcurl which supports SFTP and SCP URLs.
Thrussh is an SSH library written in Rust and available under the Apache License version 2.0. It is a full implementation of the SSH 2 protocol. The only non-Rust part is the crypto backend, which uses ring instead. It is designed to work on any platform and to use asynchronous I/O. The project web site contains the documentation, source code, and examples. The code is accessible using darcs:
darcs get https://pijul.org/thrussh
It is not an implementation of an actual server or client, but instead contains all the elements needed to write custom clients and servers using Rust.
Other language bindings for the SSH protocols
What follows is a list of additional independent resources by programming language:
- Net::SSH2: a wrapper module for libssh2.
- Net::SSH::Perl: a full SSH/SFTP implementation in pure Perl. Unfortunately this module is not being maintained any more and has several open bugs. Also, installing it can be a daunting task due to some of its dependencies.
- Net::OpenSSH: a wrapper for OpenSSH binaries and other handy programs (scp, rsync, sshfs). It uses OpenSSH multiplexing feature in order to reuse connections.
- Net::OpenSSH::Parallel a module build on top of Net::OpenSSH that allows to transfer files and run programs on several machines in parallel efficiently.
- SSH::Batch another module build on top of Net::OpenSSH that allows to run programs on several hosts in parallel.
- Net::SSH::Expect: this module uses Expect to drive interactive shell sessions run on top of SSH.
- Net::SSH: a simple wrapper around any SSH client. It does not support password authentication and is very slow as it establishes a new SSH connection for every remote program invoked.
- Net::SCP and Net::SCP::Expect: modules wrapping the scp program. Note that Net::SSH2, Net::SSH::Perl and Net::OpenSSH already support file transfers via scp natively.
- Net::SFTP::Foreign: a full SFTP client written in Perl with lots of bells and whistles. By default is uses ssh to connect to the remote machines but it can also run on top of Net::SSH2 and Net::OpenSSH.
- GRID::Machine, IPC::PerlSSH and SSH::RPC: these modules allow to distribute and run Perl code on remote machines through SSH.
JSch - a pure Java implementation of SSH2.
- "The OpenBSD Foundation 2016 Fundraising Campaign". The OpenBSD Foundation. 2016. http://www.openbsdfoundation.org/campaign2016.html. Retrieved 2016-03-07.
Overview • Why Encryption • Protocols • Implementations • Clients • Client Configuration • Server • Patterns • Utilities • Third Party • Logging • Development