File: www/openssh/features.html

Revision 1.43, Sun Dec 19 22:29:21 2021 UTC by djm
Branch: MAIN
CVS Tags: HEAD
Changes since 1.42: +1 -1 lines

typo in link

<!doctype html>
<html lang=en>
<meta charset=utf-8>

<title>OpenSSH: Features</title>
<meta name="description" content="OpenSSH Features">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openssh.com/features.html">

<style>
dt, dd {
	margin-bottom: 1em;
}
</style>

<h2 id=OpenBSD>
<a href="/">
<i>Open</i><b>SSH</b></a>
Features
</h2>
<hr>

<p>
OpenSSH is a free SSH protocol suite providing encryption for
network services like remote login or remote file transfers.

<p>
The following is a list of OpenSSH features:

<ul>
<li><p>Completely open source project with
<a href="https://www.openbsd.org/policy.html">free licensing</a>
<p>
The OpenSSH source code is available free to everyone via the Internet.
This encourages code reuse and code auditing. Code review ensures the bugs
can be found and corrected by anyone. This results in secure code. OpenSSH
is not covered by any restrictive license. It can be used for any and all
purposes, and that explicitly includes commercial use.
<a href="https://cvsweb.openbsd.org/src/usr.bin/ssh/LICENCE?rev=HEAD">
The license</a> is included in the distribution. We feel that the world would
be better if routers, network appliances, operating systems, and all other
network devices had ssh integrated into them. All components of a restrictive
nature (i.e. patents) have been removed from the source code. Any licensed or
patented components are chosen from external libraries (e.g.
<a href="https://www.libressl.org">LibreSSL</a>).

<li><p>Strong cryptography (AES, ChaCha20, RSA, ECDSA, Ed25519...)
<p>
Encryption is started before authentication, and no passwords or other
information is transmitted in the clear. Encryption is also used to protect
against spoofed packets. A number of different ciphers and key types are
available, and legacy options are usually phased out in a reasonable amount
of time.

<li><p>X11 forwarding (which also encrypts X Window System traffic)
<p>
X11 forwarding allows the encryption of remote X windows traffic, so
that nobody can snoop on your remote xterms or insert malicious
commands. The program automatically sets DISPLAY on the server
machine, and forwards any X11 connections over the secure channel.
Fake Xauthority information is automatically generated and forwarded
to the remote machine; the local client automatically examines
incoming X11 connections and replaces the fake authorization data with
the real data (never telling the remote machine the real information).

<li><p>Port forwarding (encrypted channels for legacy protocols)
<p>
Port forwarding allows forwarding of TCP/IP connections to a remote
machine over an encrypted channel. Insecure internet applications
like POP can be secured with this.

<li><p>Strong authentication (public keys, one-time passwords)
<p>
Strong authentication protects against several security problems:
IP spoofing, fake routes and DNS spoofing. Supported authentication methods
include public key authentication, one-time passwords with S/Key and
authentication using Kerberos (only in -portable).

<li><p>Agent forwarding
<p>
An authentication agent, running on the user's laptop or local workstation,
can be used to hold the user's authentication keys. With agent forwarding
enabled, OpenSSH relays requests to the agent across the session, so there
is no need to store the authentication keys on any machine in the network
(except the user's own local machine). The authentication protocols never
reveal the keys; they can only be used to verify that the user's agent holds
a certain key. The agent can also hand the signing off to a smart card or
hardware token (PKCS#11 or FIDO), keeping the private key off the host
entirely. Forwarding should only be enabled towards hosts that are trusted:
anyone able to bypass file permissions on the remote host can reach the
forwarded agent socket and use the keys for as long as the session lasts.
<p>
OpenSSH extends the original SSH agent protocol to offer some
<a href="agent-restrict.html">path-based restrictions</a> over the use of keys.

<li><p>Interoperability
<p>
Interoperability between implementations is a goal, but not a promise.
As OpenSSH development progresses, older protocols, ciphers, key types
and other options that have known weaknesses are routinely disabled.
Some examples can be found on the <a href="legacy.html">legacy</a> page.

<li><p>SFTP client and server support.
<p>
Complete SFTP support is included, using the
<a href="https://man.openbsd.org/sftp">sftp(1)</a> command as a client and
<a href="https://man.openbsd.org/sftp-server">sftp-server(8)</a>
subsystem as a server.

<li><p>Optional data compression
<p>
Data compression before encryption improves performance on slow network
links. It is off by default and is enabled per session with -C or the
Compression option.
</ul>
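<p>
The port-forwarding and X11-forwarding entries above, as an added example
that is not part of this page or of the OpenSSH project's code: a per-host
ssh_config stanza that carries a cleartext POP3 session and X11 over one
SSH connection, checked with <code>ssh -G</code>, which prints the
configuration ssh(1) would use without connecting anywhere. The gateway,
mail server and user name are hypothetical.

```shell
#!/bin/sh
# Added example, not OpenSSH's own code: a per-host ssh_config stanza that
# tunnels a legacy POP3 session and X11 over one SSH connection, checked with
# "ssh -G" (print the effective configuration, no network access).
# gateway.example.org, mail.example.org and "alice" are hypothetical.
set -eu
command -v ssh >/dev/null 2>&1 || { echo "ssh(1) not installed" >&2; exit 0; }

CFG="$(mktemp)"
trap 'rm -f "$CFG"' EXIT

cat >"$CFG" <<'EOF'
# Hypothetical gateway that can reach the mail server on the inside.
Host mailgw
    HostName gateway.example.org
    User alice
    # Listen on loopback only, so other users of this workstation cannot
    # ride the tunnel. Local 1100 -> mail.example.org:110 (POP3 is still
    # cleartext on the far side, but only inside the gateway's network).
    LocalForward 127.0.0.1:1100 mail.example.org:110
    # Fail the session if the forward cannot be set up, rather than leaving
    # the mail client talking to nothing.
    ExitOnForwardFailure yes
    # X11 forwarding in untrusted mode: the remote side gets a restricted
    # X client that cannot read other windows or inject synthetic input.
    ForwardX11 yes
    ForwardX11Trusted no
EOF

# Effective value of one option for one host, exactly as ssh(1) would use it.
# "ssh -G" prints lowercase "name value" lines; only the value is returned.
effective() {   # effective <host> <option>
    ssh -G -F "$CFG" "$1" | grep -i "^$2 " | cut -d' ' -f2-
}

# Intended use (not run here): "ssh -N -F $CFG mailgw" holds the tunnel open
# while the mail client is pointed at 127.0.0.1:1100 instead of the server.
effective mailgw localforward
effective mailgw exitonforwardfailure
effective mailgw forwardx11trusted
```

The same <code>ssh -G</code> check is worth running whenever a forward is
added to a shared config: a typo in a LocalForward line silently yields no
tunnel, and with ExitOnForwardFailure unset the session still comes up.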
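<p>
The public-key authentication entry above, as an added example that is not
OpenSSH's own code: an Ed25519 user key is generated, a restricted
authorized_keys entry is written for it, and the fingerprint is used to
confirm that the server-side entry really is that key. The source network
and the forced command are hypothetical; all files are temporary.

```shell
#!/bin/sh
# Added example, not OpenSSH's own code: generate an Ed25519 user key, write a
# restricted authorized_keys entry for it and confirm by fingerprint that the
# entry is that key. 192.0.2.0/24 and /usr/local/bin/backup-pull are
# hypothetical.
set -eu
command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not installed" >&2; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Ed25519: small keys, fast, no parameter choices to get wrong. -N '' makes an
# unencrypted key for this demo only; real keys get a passphrase or live in an
# agent or hardware token.
ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$WORK/id_ed25519"

# Server-side entry: accept this key only from one source network (a stolen
# key is useless from elsewhere), with "restrict" (no port, agent or X11
# forwarding, no pty, no user rc) and a forced command, so the key can do
# exactly one job. Output: one authorized_keys line.
authorized_entry() {   # authorized_entry <pubkey file>
    printf 'from="192.0.2.0/24",restrict,command="/usr/local/bin/backup-pull" %s\n' \
        "$(cat "$1")"
}
authorized_entry "$WORK/id_ed25519.pub" >"$WORK/authorized_keys"

# SHA256 fingerprint of the key in a file. ssh-keygen -l also understands
# authorized_keys lines (it skips the option prefix), so the same check works
# on the private key, its .pub and the server-side entry: all three must agree.
fingerprint() {   # fingerprint <key file>
    ssh-keygen -l -f "$1" | cut -d' ' -f2
}

# What the user reads out to the admin, and what the admin checks on the server.
fingerprint "$WORK/id_ed25519.pub"
fingerprint "$WORK/authorized_keys"
```

Comparing fingerprints over a second channel is what turns "a key arrived
by e-mail" into "this is the key the user generated"; the restrict and
command options then bound what that key can do if it leaks.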
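<p>
The agent-forwarding entry and its restrictions above, as an added example
that is not OpenSSH's own code: a key is loaded into a private ssh-agent
with destination constraints (<code>ssh-add -h</code>, OpenSSH 8.9 and
later), and the agent is then shown refusing to sign for a client that has
not bound its session to a permitted host, while an unconstrained key signs
as usual. The hosts, host keys, user keys and known_hosts file are all
constructed in the script; <code>ssh-keygen -Y sign</code> stands in for a
client that talks to the agent without the session-bind extension that
ssh(1) sends, which is the position of any tool, or attacker, that is not an
OpenSSH client logged in to a permitted hop.

```shell
#!/bin/sh
# Added example, not OpenSSH's own code: hold a key in a private ssh-agent with
# destination constraints (OpenSSH 8.9+), then show the agent refusing to sign
# for a client that has not bound its session to a permitted host, while an
# unconstrained key signs. Every host, key and file here is constructed.
set -eu
for tool in ssh-agent ssh-add ssh-keygen; do
    command -v "$tool" >/dev/null 2>&1 || { echo "$tool not installed" >&2; exit 0; }
done

WORK="$(mktemp -d)"
# A private agent on its own socket; killed and cleaned up at exit.
AGENT_ENV="$(ssh-agent -s -a "$WORK/agent.sock" 2>/dev/null)" ||
    { echo "could not start ssh-agent" >&2; rm -rf "$WORK"; exit 0; }
eval "$AGENT_ENV" >/dev/null
trap 'ssh-agent -k >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

# Constructed host keys for two hypothetical hops, recorded in a private
# known_hosts: ssh-add needs them to express "bastion" and "bastion>db1".
for h in bastion db1; do
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/hostkey_$h"
done
printf 'bastion.example.org %s\ndb1.internal.example.org %s\n' \
    "$(cat "$WORK/hostkey_bastion.pub")" "$(cat "$WORK/hostkey_db1.pub")" \
    >"$WORK/known_hosts"

# Two user keys: one constrained, one not (the usual, risky default).
ssh-keygen -q -t ed25519 -N '' -C 'alice constrained' -f "$WORK/id_constrained"
ssh-keygen -q -t ed25519 -N '' -C 'alice unconstrained' -f "$WORK/id_unconstrained"

# Constrained: usable only to log in to the bastion, and from the bastion
# on to db1. Malware on any other host that reaches the forwarded agent
# cannot obtain signatures for other destinations.
if ! ssh-add -H "$WORK/known_hosts" -h bastion.example.org \
        -h 'bastion.example.org>db1.internal.example.org' \
        "$WORK/id_constrained" 2>/dev/null; then
    echo "could not add a destination-constrained key (needs OpenSSH 8.9+)" >&2
    exit 0
fi
ssh-add "$WORK/id_unconstrained" 2>/dev/null
# From here on only the agent holds the private keys, as in the text.
rm -f "$WORK/id_constrained" "$WORK/id_unconstrained"

printf 'release 1.2.3\n' >"$WORK/msg"

# Ask the agent to sign with the named key through ssh-keygen's sshsig support.
# ssh-keygen -Y sign issues a plain sign request with no session-bind, which is
# what any non-ssh(1) consumer of the agent socket looks like. The agent's
# verdict is the exit status.
agent_signs() {   # agent_signs <key name>
    rm -f "$WORK/msg.sig"
    ssh-keygen -Y sign -f "$WORK/$1.pub" -n file "$WORK/msg" >/dev/null 2>&1
}

agent_signs id_unconstrained && echo "unconstrained key: signature issued"
agent_signs id_constrained || echo "constrained key: agent refused (no bound session)"
```

Note that <code>ssh-add -l</code> does not show constraints; the only way to
see them is to watch the agent refuse, which is what the script does. In
practice the constrained key is added once on the workstation and
<code>ForwardAgent</code> is then enabled only for the bastion host in
ssh_config.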
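<p>
The cryptography and interoperability entries above, as an added example
that is not OpenSSH's own code: <code>ssh -Q</code> lists what this ssh(1)
can still negotiate, and a per-host stanza re-enables one legacy key
exchange and host-key algorithm for a single old appliance, leaving every
other host on the hardened defaults. The appliance and its address are
hypothetical.

```shell
#!/bin/sh
# Added example, not OpenSSH's own code: list what this ssh(1) can negotiate,
# and confine a legacy algorithm to the one host that needs it instead of
# enabling it globally. "old-switch" at 192.0.2.10 is hypothetical.
set -eu
command -v ssh >/dev/null 2>&1 || { echo "ssh(1) not installed" >&2; exit 0; }

# -Q prints what the binary can negotiate. Being on the list means available,
# not enabled by default.
supports() {   # supports <cipher|mac|kex|key|sig> <name>
    ssh -Q "$1" | grep -qx "$2"
}
for c in chacha20-poly1305@openssh.com aes256-gcm@openssh.com 3des-cbc; do
    if supports cipher "$c"; then echo "cipher $c: available"
    else echo "cipher $c: not compiled in"; fi
done

CFG="$(mktemp)"
trap 'rm -f "$CFG"' EXIT
cat >"$CFG" <<'EOF'
# Hypothetical appliance whose firmware only offers an SSH-1-era host key
# signature (ssh-rsa, SHA-1) and an old key exchange. The "+" form appends to
# the default list for this host only; everything else keeps the defaults.
# (If it also needs SHA-1 RSA user keys, add PubkeyAcceptedAlgorithms +ssh-rsa
# on OpenSSH 8.5+ as well.)
Host old-switch
    HostName 192.0.2.10
    HostKeyAlgorithms +ssh-rsa
    KexAlgorithms +diffie-hellman-group14-sha1
EOF

# Effective algorithm list for a host, as ssh(1) would offer it, without
# connecting ("ssh -G" expands the "+" into the full list).
effective() {   # effective <host> <option>
    ssh -G -F "$CFG" "$1" | grep -i "^$2 " | cut -d' ' -f2-
}

echo "old-switch kex: $(effective old-switch kexalgorithms)"
echo "other hosts kex: $(effective other-host kexalgorithms)"
```

The second line is the check that matters: the weak exchange must appear
only for the old host. A global <code>KexAlgorithms +...</code> in the
Defaults section would downgrade every connection to accommodate one device.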