The following is a list of OpenSSH features:
The OpenSSH source code is available free to everyone via the Internet. This encourages code reuse and code auditing. Code review ensures the bugs can be found and corrected by anyone. This results in secure code. OpenSSH is not covered by any restrictive license. It can be used for any and all purposes, and that explicitly includes commercial use. The license is included in the distribution. We feel that the world would be better if routers, network appliances, operating systems, and all other network devices had ssh integrated into them. All components of a restrictive nature (i.e. patents) have been removed from the source code. Any licensed or patented components are chosen from external libraries (e.g. LibreSSL).
Encryption is started before authentication, and no passwords or other information is transmitted in the clear. Encryption is also used to protect against spoofed packets. A number of different ciphers and key types are available, and legacy options are usually phased out in a reasonable amount of time.
X11 forwarding allows the encryption of remote X windows traffic, so that nobody can snoop on your remote xterms or insert malicious commands. The program automatically sets DISPLAY on the server machine, and forwards any X11 connections over the secure channel. Fake Xauthority information is automatically generated and forwarded to the remote machine; the local client automatically examines incoming X11 connections and replaces the fake authorization data with the real data (never telling the remote machine the real information).
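The cookie substitution described above, as an added example that is not OpenSSH's own code: a parser for the X11 connection-setup request (the first packet every X client sends, carrying the authorization protocol name and data) and the local-side check that accepts a connection only if it presents the fake cookie, then swaps in the real one before the request reaches the local X server. The cookie values, the `rewrite_for_real_display` helper and the constructed requests are all assumptions made for this example; real cookies come from the user's Xauthority file.

```python
import secrets
import struct

# Constructed sample values for this example. In OpenSSH the fake cookie is
# random data of the same length as the real MIT-MAGIC-COOKIE-1 entry; only
# the fake value is ever written to the remote machine's xauth store.
AUTH_PROTO = b"MIT-MAGIC-COOKIE-1"
REAL_COOKIE = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, stays local
FAKE_COOKIE = secrets.token_bytes(16)                             # constructed, sent to remote


def pad4(n):
    """X11 pads variable-length fields to a multiple of 4 bytes."""
    return (4 - n % 4) % 4


def build_setup_request(proto_name, proto_data, byte_order=b"l"):
    """Build an X11 connection-setup request as an X client would send it.

    Layout: byte-order marker, pad, major/minor version, name length,
    data length, pad, then the padded name and padded data.
    """
    fmt = "<" if byte_order == b"l" else ">"
    header = byte_order + b"\x00" + struct.pack(
        fmt + "HHHHH", 11, 0, len(proto_name), len(proto_data), 0)
    body = (proto_name + b"\x00" * pad4(len(proto_name))
            + proto_data + b"\x00" * pad4(len(proto_data)))
    return header + body


def parse_setup_request(buf):
    """Parse the setup request; returns the auth name, data and data offset."""
    if len(buf) < 12:
        raise ValueError("short X11 setup request")
    order = buf[0:1]
    if order == b"l":
        fmt = "<"
    elif order == b"B":
        fmt = ">"
    else:
        raise ValueError("bad X11 byte-order marker")
    major, minor, name_len, data_len, _ = struct.unpack(fmt + "HHHHH", buf[2:12])
    name_off = 12
    data_off = name_off + name_len + pad4(name_len)
    end = data_off + data_len + pad4(data_len)
    if len(buf) < end:
        raise ValueError("truncated X11 setup request")
    return {
        "order": order,
        "version": (major, minor),
        "name": buf[name_off:name_off + name_len],
        "data": buf[data_off:data_off + data_len],
        "data_off": data_off,
    }


def rewrite_for_real_display(buf, fake_cookie, real_cookie):
    """Local-side check: accept only a request carrying the fake cookie and
    replace it with the real cookie before handing the bytes to the X server.
    A connection that presents anything else is refused, so a remote host that
    never learned the fake value cannot reach the local display at all."""
    if len(real_cookie) != len(fake_cookie):
        raise ValueError("fake and real cookies must have equal length")
    req = parse_setup_request(buf)
    if req["name"] != AUTH_PROTO:
        raise PermissionError("unexpected X11 auth protocol %r" % req["name"])
    if (len(req["data"]) != len(fake_cookie)
            or not secrets.compare_digest(req["data"], fake_cookie)):
        raise PermissionError("X11 auth data does not match the fake cookie")
    off = req["data_off"]
    # Same length, so only the cookie bytes change; padding and any trailing
    # request bytes are preserved untouched.
    return buf[:off] + real_cookie + buf[off + len(real_cookie):]


if __name__ == "__main__":
    request = build_setup_request(AUTH_PROTO, FAKE_COOKIE)
    rewritten = rewrite_for_real_display(request, FAKE_COOKIE, REAL_COOKIE)
    print("remote saw:", parse_setup_request(request)["data"].hex())
    print("X server sees:", parse_setup_request(rewritten)["data"].hex())
```

The length check before the comparison matters: the real and fake cookies are the same size, so the rewrite can be done in place without re-encoding the length fields, and a request with a different data length is rejected before any byte comparison happens.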
Port forwarding allows forwarding of TCP/IP connections to a remote machine over an encrypted channel. Insecure internet applications like POP can be secured with this.
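The plumbing behind local port forwarding, as an added example that is not OpenSSH's own code: a listener on the loopback interface that accepts a local TCP connection and relays its bytes to a target address, the same shape as `ssh -L localport:host:port` without the encrypted channel that ssh puts between the two halves. The `start_local_forward` and `demo` helpers and the constructed echo target are assumptions made for this example.

```python
import socket
import threading


def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the destination so the
    far end sees the same EOF the near end sent."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve_forward(listener, target):
    """Accept connections on the listener and relay each one to target."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return  # listener closed
        remote = socket.create_connection(target)
        threading.Thread(target=pump, args=(conn, remote), daemon=True).start()
        threading.Thread(target=pump, args=(remote, conn), daemon=True).start()


def start_local_forward(target, bind_addr="127.0.0.1"):
    """Bind an ephemeral local port and relay it to target (host, port).
    Binding to loopback only is deliberate: like ssh's default, the forwarded
    port is reachable from this machine, not from the rest of the network."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_addr, 0))
    listener.listen(5)
    threading.Thread(target=serve_forward, args=(listener, target), daemon=True).start()
    return listener.getsockname()[1], listener


def _echo_target():
    """Constructed stand-in for the remote service (e.g. a POP server):
    echoes one request back and closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(conn.recv(4096))
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()


def demo(payload=b"USER alice\r\n"):
    """Send payload through the forwarded port and return what came back."""
    port, listener = start_local_forward(_echo_target())
    with socket.create_connection(("127.0.0.1", port)) as client:
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)
        received = b""
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            received += chunk
    listener.close()
    return received


if __name__ == "__main__":
    print(demo())
```

With ssh the two halves of the relay run on different machines and the bytes between them travel inside the encrypted session; an application such as POP then talks plaintext only on the loopback interface of each end, which is the whole point of the feature.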
Strong authentication protects against several security problems: IP spoofing, fake routes and DNS spoofing. Authentication methods include public key authentication, one-time passwords with s/key and authentication using Kerberos (only in -portable).
An authentication agent, running on the user's laptop or local workstation, can be used to hold the user's authentication keys. OpenSSH automatically forwards the connection to the authentication agent over any connection, and there is no need to store the authentication keys on any machine in the network (except the user's own local machine). The authentication protocols never reveal the keys; they can only be used to verify that the user's agent has a certain key. Eventually the agent could rely on a smart card to perform all authentication computations.
Interoperability between implementations is a goal, but not a promise. As OpenSSH development progresses, older protocols, ciphers, key types and other options that have known weaknesses are routinely disabled. Some examples can be found on the legacy page.
Data compression before encryption improves the performance for slow network links.