OpenSSH Security

OpenSSH is a free SSH/SecSH protocol suite providing encryption for network services like remote login or remote file transfer. OpenSSH is an open source project that provides a large set of features, and because the software is open source it is free for everyone under the Open Source Definition (OSD).

  • Strong Encryption (3DES, Blowfish, AES, Arcfour)
  • X11 Forwarding (encrypt X Window System traffic)
  • Port Forwarding (encrypted channels for legacy protocols)
  • Strong Authentication (Public Key, One-Time Password and Kerberos Authentication)
  • Agent Forwarding (Single-Sign-On)
  • Interoperability (Compliance with SSH 1.3, 1.5, and 2.0 protocol Standards)
  • SFTP client and server support in both SSH1 and SSH2 protocols.
  • Kerberos and AFS Ticket Passing
  • Data Compression

Strong Encryption

OpenSSH supports 3DES, Blowfish, AES and arcfour as encryption algorithms. These are patent free.
Triple DES is a time-proven and well-understood cipher that provides strong encryption.
Blowfish is a fast block cipher invented by Bruce Schneier that can be used by people who require faster encryption.
AES is the US Federal Information Processing Standard (FIPS) Advanced Encryption Standard, developed as a replacement for DES. It is a fast block cipher.
Arcfour is a fast stream cipher. It is believed to be compatible with RC4[TM], a proprietary cipher of RSA Security Inc.

This list describes the OpenSSH of the early 2000s. RC4 has since been shown to have exploitable keystream biases, and current OpenSSH releases have removed the arcfour and Blowfish ciphers, leave 3des-cbc out of the default set, and negotiate AES (CTR or GCM mode) or ChaCha20-Poly1305 by default; ssh -Q cipher lists what a given build still offers, and a Ciphers line in sshd_config that names one of the old algorithms re-enables it.

Key exchange and encryption are set up before authentication, so no password or other credential is ever transmitted in the clear. Every packet also carries a message authentication code, so spoofed or modified packets are detected and dropped rather than acted on.

X11 Forwarding

X11 forwarding allows the encryption of remote X Window System traffic, so that nobody can snoop on your remote xterms or insert malicious commands. The program automatically sets DISPLAY on the server machine and forwards any X11 connections over the secure channel. Fake Xauthority information is automatically generated and forwarded to the remote machine; the local client examines each incoming X11 connection and replaces the fake authorization data with the real data (never telling the remote machine the real information). Forwarded clients nevertheless get the access rights of a local X client, which is why ssh(1)'s ForwardX11Trusted option chooses between full (trusted) access and the restricted access of the X SECURITY extension.
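The cookie substitution described above, as an added example that is not OpenSSH's own code: it parses the X11 connection-setup request a forwarded client sends, checks that the authorization data is exactly the fake MIT-MAGIC-COOKIE-1 value handed to the remote host, and rewrites it with the real cookie before the packet would be relayed to the local X server. Anything else is rejected, so a remote process that guesses or copies another user's cookie never reaches the server with usable credentials. The cookie values and the X11Forwarder class are constructed for the demonstration.

```python
"""X11 forwarding: swap the fake MIT-MAGIC-COOKIE-1 for the real one.
Added example, not OpenSSH's code; it mirrors the check ssh(1) applies to
every forwarded X11 connection.  Cookie values are constructed."""
import hmac
import os
import struct

X11_AUTH_PROTO = b"MIT-MAGIC-COOKIE-1"


def _pad4(n):
    """X11 pads string fields to a multiple of four bytes."""
    return (4 - n % 4) % 4


def parse_x11_setup(packet):
    """Parse an X11 connection setup request.

    Layout: byte-order byte ('l' little / 'B' big), 1 unused, CARD16 major,
    CARD16 minor, CARD16 name length, CARD16 data length, 2 unused, then the
    authorization name and data, each padded to four bytes.
    Returns (order, major, minor, auth_name, auth_data, trailing_bytes).
    """
    if len(packet) < 12:
        raise ValueError("truncated setup request")
    order = packet[0:1]
    fmt = {b"l": "<", b"B": ">"}.get(order)
    if fmt is None:
        raise ValueError("bad byte-order marker %r" % order)
    major, minor, name_len, data_len = struct.unpack(fmt + "HHHH", packet[2:10])
    off = 12
    name = packet[off:off + name_len]
    off += name_len + _pad4(name_len)
    data = packet[off:off + data_len]
    off += data_len + _pad4(data_len)
    if len(name) != name_len or len(data) != data_len:
        raise ValueError("truncated authorization fields")
    return order, major, minor, name, data, packet[off:]


def build_x11_setup(order, major, minor, name, data):
    """Inverse of parse_x11_setup (without trailing bytes)."""
    fmt = {b"l": "<", b"B": ">"}[order]
    hdr = order + b"\0" + struct.pack(fmt + "HHHH", major, minor, len(name), len(data)) + b"\0\0"
    return hdr + name + b"\0" * _pad4(len(name)) + data + b"\0" * _pad4(len(data))


class X11Forwarder:
    """Keeps the real cookie local and issues a fake one to the remote host."""

    def __init__(self, real_cookie):
        self.real_cookie = real_cookie
        # Same length as the real cookie, so substitution never changes the packet layout.
        self.fake_cookie = os.urandom(len(real_cookie))

    def remote_xauth_entry(self, display="localhost:10.0"):
        """What goes into the remote ~/.Xauthority: the fake cookie only."""
        return "%s %s %s" % (display, X11_AUTH_PROTO.decode(), self.fake_cookie.hex())

    def rewrite(self, packet):
        """Return the setup request carrying the real cookie, or raise if the
        remote side presented anything other than the fake cookie we issued."""
        order, major, minor, name, data, rest = parse_x11_setup(packet)
        if name != X11_AUTH_PROTO or not hmac.compare_digest(data, self.fake_cookie):
            raise PermissionError("X11 connection rejected: wrong authentication data")
        return build_x11_setup(order, major, minor, name, self.real_cookie) + rest


if __name__ == "__main__":
    fw = X11Forwarder(os.urandom(16))   # constructed stand-in for the local X server's cookie
    print("remote side sees:", fw.remote_xauth_entry())
    req = build_x11_setup(b"l", 11, 0, X11_AUTH_PROTO, fw.fake_cookie)
    out = fw.rewrite(req)
    print("real cookie substituted:", parse_x11_setup(out)[4] == fw.real_cookie)
```

The comparison uses hmac.compare_digest so that a remote process probing the forwarded display cannot time its way to the fake cookie byte by byte; the real cookie is never serialised anywhere the remote host can see it.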

Port Forwarding

Port forwarding allows TCP/IP connections to be carried to a remote machine over the encrypted channel: ssh -L opens a listening port on the client whose connections emerge from the server, and ssh -R does the reverse. Legacy cleartext Internet applications like POP can be secured with this.

Strong Authentication

Strong authentication protects against several security problems, e.g., IP spoofing, fake routes, and DNS spoofing. The authentication methods are: .rhosts together with RSA-based host authentication, pure RSA authentication, one-time passwords with S/Key, and finally authentication using Kerberos. The first two of these belong to protocol 1; current OpenSSH offers public-key (RSA, ECDSA, Ed25519) and certificate authentication, host-based authentication, keyboard-interactive authentication (which is how one-time-password schemes are carried) and GSSAPI/Kerberos, and the usual hardening is to turn password authentication off once keys are deployed.
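An added example, not OpenSSH code, that ties the Strong Encryption and Strong Authentication sections together: a small audit of an sshd_config that reports lines re-enabling the legacy ciphers listed above and lines that keep weak authentication settings, with the replacement line to use. The directive syntax (keyword and value separated by whitespace or a single "=") and the cipher names are OpenSSH's; which names count as "legacy" and which values as "weak", the hardened Ciphers list, and the sample config are this script's own assumptions.

```python
"""Audit an sshd_config for legacy ciphers and weak authentication settings.
Added example, not OpenSSH code; the legacy/weak classification and the sample
configuration below are constructed for the demonstration."""
import re

# Ciphers from the page's list that current OpenSSH has removed (blowfish,
# arcfour) or no longer enables by default (3des-cbc).  Naming them enables them.
LEGACY_CIPHERS = {"3des-cbc", "blowfish-cbc", "arcfour", "arcfour128", "arcfour256"}
HARDENED_CIPHERS = "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr"

# keyword (lower case) -> (values treated as weak, value to suggest instead)
WEAK_SETTINGS = {
    "protocol": ({"1", "1,2", "2,1"}, "2"),
    "passwordauthentication": ({"yes"}, "no"),
    "permitrootlogin": ({"yes"}, "prohibit-password"),
    "permitemptypasswords": ({"yes"}, "no"),
}

# sshd_config(5): keyword and value are separated by whitespace, or by optional
# whitespace around exactly one '='.
_DIRECTIVE = re.compile(r"^\s*(\S+?)(?:\s*=\s*|\s+)(.*?)\s*$")


def parse_sshd_config(text):
    """Yield (line_no, keyword, value) for every directive, skipping comments."""
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            yield n, m.group(1), m.group(2)


def audit(text):
    """Return findings as (line_no, keyword, problem, suggested replacement line)."""
    findings = []
    for n, key, value in parse_sshd_config(text):
        k = key.lower()
        if k == "ciphers":
            # 'Ciphers -a,b' removes a,b from the default set, so legacy names
            # there are harmless; a plain list, '+' (append) or '^' (prepend)
            # enables whatever it names.
            if value.startswith("-"):
                continue
            names = [c.strip().lower() for c in value.lstrip("+^").split(",")]
            bad = [c for c in names if c in LEGACY_CIPHERS]
            if bad:
                findings.append((n, key, "enables legacy cipher(s): " + ", ".join(bad),
                                 "Ciphers " + HARDENED_CIPHERS))
        elif k in WEAK_SETTINGS:
            weak_values, good = WEAK_SETTINGS[k]
            if value.lower().replace(" ", "") in weak_values:
                findings.append((n, key, "weak value %r" % value, "%s %s" % (key, good)))
    return findings


# Constructed sample.  Directives inside a Match block are reported like any
# other line: this audit does not model Match scoping.
SAMPLE_CONFIG = """\
Port 22
Protocol 2,1
Ciphers aes256-ctr,3des-cbc,arcfour
# MACs are not checked by this audit; only the directives above are
PasswordAuthentication yes
PermitRootLogin = yes
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for n, key, problem, fix in audit(SAMPLE_CONFIG):
        print("line %d: %s: %s\n    suggested: %s" % (n, key, problem, fix))
```

Run against a real host with audit(open("/etc/ssh/sshd_config").read()); what sshd actually negotiates after defaults and Match blocks are applied is what sshd -T prints, so check that output the same way before trusting the file alone.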

Agent Forwarding

An authentication agent, running on the user's laptop or local workstation, can be used to hold the user's RSA or DSA authentication keys. OpenSSH can forward the connection to the authentication agent over any connection, so there is no need to store the authentication keys on any machine in the network except the user's own local machine. The authentication protocols never reveal the keys: a peer can only ask the agent to list its public keys or to sign a challenge, which proves that the user's agent holds a certain key. The agent can also delegate the private-key operations to hardware (ssh-agent supports PKCS#11 tokens and FIDO authenticators). The caveat is that, while forwarding is active, anyone with root or your uid on the intermediate host can use the forwarded socket to authenticate as you for as long as the session lasts, still without obtaining the key; prefer ProxyJump (ssh -J) where a jump host is all that is needed, and add keys with ssh-add -c so that each signature requires confirmation.

Interoperability

OpenSSH versions before 2.0 support the SSH 1.3 and SSH 1.5 protocols permitting communication with most UNIX, Windows and other commercial ssh implementations.

As of OpenSSH 2.0, as well as supporting the SSH 1.3 and SSH 1.5 protocols, OpenSSH also has support for the SSH 2.0 protocol. This protocol avoids using the RSA algorithm (at the time protocol 2.0 was designed the RSA patent was still in effect) and uses the freely usable DH and DSA algorithms instead.

Thus, OpenSSH gives you the best of both worlds: you can interoperate with both types of ssh clients and servers. That was true of the releases described here; protocol 1 support has since been removed from OpenSSH entirely (the 7.4 release dropped the server side and 7.6 the client side), so current versions speak SSH 2.0 only.

SFTP client and server support in both SSH1 and SSH2 protocols

As of OpenSSH 2.5.0, complete SFTP support is included, using the sftp(1) command as a client. The sftp-server(8) subsystem automatically works with both the SSH1 and SSH2 protocols.

Kerberos and AFS Ticket Passing

OpenSSH also passes tickets for Kerberos and AFS on to the remote machine. A user can thus access all their Kerberos and AFS services without the need to type in a password again. AFS token passing has since been removed from OpenSSH; Kerberos credential delegation is now done through GSSAPI (the GSSAPIAuthentication and GSSAPIDelegateCredentials options).

Data Compression

Data is compressed before it is encrypted, which improves performance on slow network links. Compressing attacker-influenced data in the same stream as secrets can leak information about those secrets through the compressed size, so current OpenSSH no longer compresses anything before authentication: the 7.4 release removed pre-authentication compression, and the zlib@openssh.com method only starts once the user is authenticated.

More information and product features can be found
Thanks again for this great project and keep up the good work.

