OpenSSH/Third Party Utilities

From Wikibooks, open books for an open world
Jump to: navigation, search
scanssh – a scanner for SSH hosts and some kinds of proxies
sshfs – a user-space file system client based on SFTP
sshfp – generate SSHFP DNS records from knownhosts files or ssh-keyscan
keychain – re-use ssh-agent and/or gpg-agent between logins
rsync - synchronize files and directories using delta encoding
gstm - graphical front-end for managing SSH-tunneled port redirects
sslh - a protocol demultiplexer
sshguard - an intrusion detection system with packet filtering


scanssh scans hosts and networks for running services. ScanSSH - Scanning the Internet for SSH Servers [1] It checks the version number of the server and displays the results in a list. It detects ssh, sftp and several kinds of SOCKS, HTTP, and telnet proxies.

Scan a small subnet for ssh servers:

$ sudo scanssh -n 22 -s ssh

Scan the same small network for socks proxies:

$ sudo scanssh -s socks5,socks4

Variable scanning speeds can be set as well as random sampling. Open proxy detection scans to detect open proxies on common ports.

Scan 1000 hosts randomly selected from through, at a rate of 200 per second :

$ sudo scanssh -r 200 -p random(1000)/

The hosts and networks to be scanned can be either specified as an IPv4 address or an CIDR like IP prefix with ip address and network mask. Ports can be appended by adding a colon at the end of address specification. The sequence of hosts scanned is random, but that can be modified by the following two parameters, random and split:

random(n[,seed])/ selects a sample of n random addresses from the range specified as targets for scanning. n is the number of address to randomly create in the given network and seed is an optional seed for the pseudo random number generator. For example, it is possible to sample 10000 random hosts from the Internet by specifying 'random(10000)/' as the address.

split(s,e)/ selects a specific segment of the address range for use. e specifies the number of segments in parallel and s is the segment number used by this particular scan. This can be used to scan from several hosts in parallel by scanning a different segment from each host.

-n Specifies the port numbers to scan. Ports are separated by commas. Each specified scanner is run for each port in this list. The default port is 22.

Scan for ssh servers on both port 22 and 2022:

$ scanssh -s ssh -n 22,2022


sshfs builds on Filesystem in Userspace (FUSE) to use allow non-privileged users to create a secure, reliable file system framework. As the name implies, this is done in user space and not the kernel as is usually required for file systems. FUSE has a stable API library and bindings to C, C++ and Java. In this case it is specifically the SFTP client that is mounted as a file system.

sshfs allows a remote file system to be mounted as a local folder taking advantage of the SFTP subsystem. It uses SFTP to mount a directory from a remote server as a local directory. In that way, all use applications can interact with that directory and its contents as if it were local.

See the Cookbook section on SFTP


sshfp generates SSHFP NS records using the public keys stored in a known_hosts file or provided by ssh-keyscan, as a means to use DNS to publish SSH key fingerprints. That in turn allows DNSSEC lookups to verify SSH keys before use. SSHFP resource records in DNS are used to store fingerprint of SSH public host keys that are associated with host names. A record itself consists of an algorithm number, fingerprint type and the fingerprint of the public host key. See RFC 4255 for details on SSHFP.


keychain is a manager for ssh-agent to allow multiple shells and processes, including cron jobs, to use the keys held by the agent. It is often integrated into desktop-specific tools like Apple Keychain on OS X or kdewallet for KDE.


rsync is a file transfer utility to transfer files between computers very efficiently. It can run on top of SSH or use its own protocol. SSH is the default.

gstm (Gnome SSH Tunnel Manager)[edit]

gstm is a graphical front-end for managing SSH connections and especially port forwarding.


sslh is a protocol demultiplexer. It accepts connections on specified ports and forwards them based on the first packet sent by the client. It can be used to share a single port between SSH, SSL, HTTP, OpenVPN, tinc and XMPP. See also the section on Multiplexing for a discussion with examples.


sshguard is an intrusion prevention system. It monitors logs to detect undesirable patterns of activities and triggers corresponding packet filter rules for increasing periods of time. It can be used with a few other services besides SSH.

Additional Third Party Utilities[edit]

The following are useful in working with OpenSSH, but outside the scope of this book to go into detail. However, they are enough worth mentioning to warrant a list:

netstat – Show network connections, routing tables, interface statistics, masquerade connections, and multicast memberships
nc or netcat – Netcat, the TCP/IP swiss army knife.
socat – SOcket CAT, a multipurpose relay similar to netcat.
nmap – Network exploration tool and security scanner.
tcpdump – Display network traffic realtime.
telnet – Unencrypted interaction with another host.
pagsh – Creates a new credential cache sandbox and process authentication group (PAG).
nohup – Invoke a process that ignores HANGUP signals
sudo – Execute programs as another user
lftp – A handy interactive multi-protocol file transfer text-based client supporting SFTP.
curl – A multi-protocol file transfer text-based client supporting SCP and SFTP.


  1. Niels Provos; Peter Honeyman (2001). "ScanSSH - Scanning the Internet for SSH Servers". Center for Information Technology Integration (CITI), University of Michigan. Retrieved 2016-03-05.