Master copy is at: http://linuxmafia.com/ssh/
Last updated: 2024-04-11

SSH-Protocol Software for Sundry Platforms

Maintained by Rick Moen, rick@linuxmafia.com

Summary: You no longer have any excuse for using telnet!

SSH clients

are available for BeOS, Java, Java MIDP, Macintosh OS, OpenVMS, OS/2, PalmOS, MS-DOS, SymbianOS all Unixes, Windows Mobile / WinCE, Amiga OS, Cisco IOS, z/OS (MVS), iPhone, BlackBerry, VxWorks, Microsoft Win32 (Win9x/WinME/WinNT/Win2k/WinXP/Vista), and Microsoft Win16. Note that any OS with a Java virtual machine can run the free-software Java clients — even MS Windows 3.1 and MS Windows CE. (Beware that some ssh v. 2.0-protocol clients do not include support for ssh 1.x-protocol servers.)

SSH servers

are available for all Unixes, OS/2, OpenVMS, Cisco IOS, z/OS (MVS), VxWorks, BlackBerry, SymbianOS, iPhone, Java, and Win32.

Protocol family support by OS platform follows. (Each OS's name links to a page of detailed listings.)

OS	2.0	1.5
AmigaOS	FC	FC, PC
BeOS	-	PC
BlackBerry	FC, PCS	FC, PC
Cisco IOS	-	PCS
iPhone	FCS, PCS	PCS
Java	FCS, PC	FC, PC
Java MIDP	FC, PC	FC, PC
Mac OS v. < 10	FC, PC	FC, PC
MS-DOS	PC	PC
OpenVMS	PCS	FC, PCS
OS/2	FCS, PC	FCS, PCS
PalmOS	-	PC
SymbianOS	FCS	FCS
Unix incl. MacOS 10+	FCS, PCS	FCS, PCS
VxWorks	PCS	PCS
Win16	PC	PC
Win32	FCS, PCS	FCS, PCS
Windows Mobile (WinCE)	PC	FC, PC
z/OS (MVS)	FCS	FCS

Key:

• F=free AKA open-source software (per DFSG/OSD)
• P=proprietary
• C=client
• S=server

("Proprietary" in the software context means non-open-source.)

Notes / To Do:

Needs something about ssh-agent[2], ssh-add[2], ssh-keygen[2], ssh-askpass[2] (all client-side), ssh-signer2.

Timeline for release numbers, protocol versions, forks, licence changes, third-party implementations.

See also:

• Alex de Joode's http://www.freessh.org/ , with a variety of SSH resources,
• Seán Boran's excellent overview article at
• • https://web.archive.org/web/20001218105000/http://securityportal.com/research/ssh-part1.html and
  • https://web.archive.org/web/20001217101900/http://securityportal.com/research/ssh-part2.html, his SSH Notes page at http://www.boran.com/security/ssh_stuff.html,
• William Stearns's articles on sundry aspects of SSH use on Linux, at
• • http://www.linuxmonth.com/issue2/articles/security/security.html and
  • http://www.linuxmonth.com/issue3/articles/security/security.html
• Shane's Secure Shell page at http://www.boran.com/security/ssh_shane.html,
• Steve Acheson's SunWorld article "Enter the Secure Shell" at http://www.sunworld.com/sunworldonline/swol-02-1998/swol-02-security.html ,
• Martin Hamilton's LSH site, http://www.net.lut.ac.uk/psst/,
• Andy Polyakov's SSH and Beyond page at http://fy.chalmers.se/~appro/ssh_beyond.html ,
• The SANS Universal SSH Project at http://www.sans.org/newlook/resources/ssh.htm ,
• Tom Berger's <tom@mandrakeuser.org> articles on installing and using Portable OpenSSH on the Linux-Mandrake distribution, at http://www.mandrakeuser.org/secure/
• Charles Curley's Notes on OpenSSH, at http://w3.trib.com/~ccurley/OpenSSH.html
• The SSH FAQ at http://www.employees.org/~satch/ssh/faq/ ,
• The older FAQ by Thomas König <Thomas.Koenig@ciw.uni-karlsruhe.de> at http://www.uni-karlsruhe.de/~ig25/ssh-faq/ ,
• Sven Dietrich's Secure Communications, at http://netsec.gsfc.nasa.gov/~spock/secure.html,
• Kimmo Suominen's Getting Started with SSH page at http://www.tac.nyc.ny.us/~kim/ssh/,
• Christopher Spry's SSH tutorials for SGI at
• • http://sprysgi.sghms.ac.uk/~cspry/computing/Indy_admin/ssh1.html and
  • http://sprysgi.sghms.ac.uk/~cspry/computing/Indy_admin/ssh2.html and
  • http://sprysgi.sghms.ac.uk/~cspry/computing/ssh_windows_client.html ,
• Wayne Schroeder's "Kerberos/DCE, the Secure Shell, and Practical Internet Security", at http://www.sdsc.edu/~schroede/ssh_cug.html
• Ben Gould's <bgould@carmen.onlinemagic.com> "sshd - Windows NT Workstation / Server" instructions at http://www.onlinemagic.com/~bgould/sshd.html,
• David Primmer's <primmer@gnac.org> "The quick way to SSH and SSHD on a NT box" at http://www.gnac.com/techinfo/ssh_on_nt/ssh_on_nt.htm,
• Ville Herva's <vherva@v.iki.fi> "Setting sshd up on NT" paper at http://v.iki.fi/nt-ssh.html ,
• Luis B. Almeida's <Luis.Almeida@inesc.pt> "Running SSH Daemon in Win9x (Improved)" instructions at http://www.uk.research.att.com/vnc/archives/1999-07/0368.html,
• John Fitzgibbon's <fitz@jfitz.com> "Freeware SSH and SCP for Windows 9x, NT and DOS at http://www.jfitz.com/tips/ssh_for_windows.html,
• Cameron Simpson's <cs@zip.com.au> VNC over SSH instructions at http://www.zip.com.au/~cs/answers/vnc-thru-firewall-via-ssh.txt ,
• Jack Wallen's VNC over SSH example/tutorial at http://www.ghacks.net/2010/01/24/connect-to-a-remote-linux-desktop-with-x11vnc-and-gtk-vnc/,
• Frank Stajano's <fstajano@uk.research.att.com> "SSH-protected VNC" paper at http://www.uk.research.att.com/vnc/sshwin.html and http://www.uk.research.att.com/vnc/sshvnc.html,
• CPP14's Secure FTP Transfers via Secure Shell Tunnelling at http://www.ccp14.ac.uk/ccp14admin/security/secure_tunnelling_ftp.htm,
• Chris Walsh's ssh-clients list at http://www.ece.nwu.edu/~mack23/ssh-clients.html ,
• Linux VPN HOWTO (implemnting VPNs using PPP over SSH), at http://www.linuxdoc.org/HOWTO/mini/VPN.html,
• Noah S. Friedman's emacs script to call SSH, similar to ange-ftp, at ftp://ls6-ftp.cs.uni-dortmund.de/pub/src/emacs/ssh.el
• Joey Hess's <joey@kitenet.net> "Anonymous CVS access via ssh", at http://kitenet.net/programs/sshcvs/
• The XFree86 Project's "Anoncvs Via ssh setup in an UNIX-type environment" (possibly inspired by Joey Hess's article, preceding), at http://www.xfree86.org/cvs/,
• Anne Carasik's Secure Shell (SSH) User Contributed Patches Archive, currently just Piotr Zbiegiel's <PZbiegiel@ea.com> ACE/SecureID patch for Ylönen SSH 2.0.13 based on Donald McKillican's <dmckilli@qc.bell.ca> patch, at http://www.tigerlair.com/ssh/patches/,
• Janes Barlow's <jbarlow@ncsa.uiuc.edu> SSH Patch Repository at http://www.ncsa.uiuc.edu/General/CC/ssh/patch_repository/ ,
• Darrent Tucker's SSH patch repository at http://dtucker.freeshell.org/openssh/,
• Jean Chouanard's <chouanar@parc.xerox.com> SecureID patch for Ylönen SSH 1.2.27 at ftp://ftp.parc.xerox.com/pub/jean/sshsdi/,
• Adrian S. Steinmann's <ast@marabu.ch> SecureID patch at http://webgroup.ch/ast/SecurID4ssh1.2.27.patch,
• Dug Song's <dugsong@monkey.org> AFS and Kerberos v4 patch for Ylönen SSH 1.2.27 at http://www.monkey.org/~dugsong/ssh-afs/ aka http://naughty.monkey.org/~dugsong/ssh-afs/ (Note that there is no known AFS support for SSH 2.0 implementations.

  Note also Dug Song's explanation of why .Xauthority files should not be on AFS directories: http://marc.theaimsgroup.com/?l=secure-shell&m=95427507303371&w=2),

• Dug Song's <dugsong@monkey.org> S/Key patch for Ylönen SSH 1.2.23 sshd at http://www.monkey.org/~dugsong/ssh-skey.patch,
• Gerry Bash's <gersh@sonn.com> patch for Ylönen SSH 1.2.27 to add AuthUser and AuthGroup options at http://www.sonn.com/~gersh/ssh/ , and
• Andrew G. Morgan's <morgan@linux.kernel.org> <morgan@transmeta.com> patch for Ylönen SSH 1.x to add full PAM support, at ftp://ftp.kernel.org/pub/linux/libs/pam/pre/applications/,
• Simon Wilkinson's patch for Portable OpenSSH to add Kerberos v.5 support: http://www.sxw.org.uk/computing/patches/openssh.html ,
• Michael Erdeley has instructions for compiling Cygwin/NT versions of SSH, at http://mike.erdelynet.com/sshd.asp ,
• Daniel J. Barrett and Richard E. Silverman's site for their O'Reilly book "SSH: The Secure Shell, The Definitive Guide", http://snailbook.com/.
• Tom Holroyd's patch to add SRP authentication to Portable OpenSSH http://members.tripod.com/professor_tom/archives/
• Roumen Petrov's patch to add X.509e certificate support to OpenSSH
• • http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=103790000604836&w=2
  • http://roumenpetrov.info/openssh
• A different X.509 (GSI) patch for OpenSSH by Simon Wilkinson and Von Welch: http://www.ncsa.uiuc.edu/Divisions/ACES/GSI/openssh/
• Juan Manuel Casillas's Jail Chroot Project lets you run an SSHd in a chroot jail without having to patch the source code: http://www.gsyc.inf.uc3m.es/~assman/jail/
• Brian Hatch, "Secure Passwordless Logins with SSH": http://www.hackinglinuxexposed.com/articles/20021211.html
• Michael Martinez's OpenSSH patch for sftp logging, umask setting, chmod/chown: http://sftplogging.sourceforge.net/

make-ssh-known-hosts, ssh-keyscan at ftp://cag.lcs.mit.edu/pub/dm/source/ and ftp://ftp.cs.hut.fi/pub/ssh/contrib/ Related: http://www.uni-karlsruhe.de/~ig25/ssh-faq/comp-host-list

Script for PPP over SSH: http://sites.inka.de/sites/bigred/sw/ssh-ppp-new.txt. http://www.lysator.liu.se/~nisse/lsh/doc/gateway-mode.txt

• Rainbow Technologies CryptoSwift http://isg.rainbow.com/products/cs_1.html
• Hewlett-Packard Co.'s Praesidium SpeedCard,
• Compaq Computer Corp.'s AXL200 PCI Accelerator Card / Atalla Group (WebSafe2),
• Cipher's nForce SCSI 300
• Intel NetStructure, various accelerator models
• Okiok Data and similar accelerator boards.

Speed issues; protocol choice (e.g., twofish-cbc, blowfish).

http://www.progressive-comp.com/Lists/?l=secure-shell&r=1&w=2 list archive. ftp://ftp.celestial.com/pub/mailing-lists/*/ssh List archive by month, 1996-09 through 1999-09. http://www.egroups.com/list/ssh/ List 1996-12 to present. http://www.cs.hut.fi/ssh-archive/ List's recent posts, only.

Crypto regulation? Russia, Iraq, Pakistan, France, USA.

Users within France's jurisdiction currently may not legally use encryption supporting >128 bit encryption. "SSF" is an adaptation of Ylönen's SSH limited to 128 bits: http://ccweb.in2p3.fr/secur/ssf/ The lifting of all remaining restrictions on usage within France is also expected (having been urged by Prime Minister Lionel Jospin on January 19, 1999). Regulatory site: http://www.scssi.gouv.fr/

ftp.ssh.com/pub/ssh/README.SSH2 ftp.ssh.com/pub/ssh/SSH2.QUICKSTART

On platforms where there's no scp, can do "cat file | ssh host 'cat > file'". (Works over telnet, too.)

RSAREF/RSAREF2 limitations, performance problems, security problems. RSAREF has 1024-bit limit, limiting server ssh_host_key to at most 896 bits if RSAREF-based clients must be able to connect to it.

RSA patent (RSADSI, subsidiary of Security Dynamics, Inc.) in the USA _was_ scheduled to expire 2000-09-20 or 2000-09-21, and encumbered the RSA algorithm — but was contributed to the public domain on 2000-09-06. Lesser trademark & copyright issues remain. (On 1995-06-08, as part of an international Agreement on grade-Related Aspects of Intellectual Property, accompanying the Uruguay Round GATT, and passed on 1994-12-08, Public Law # 103-465 took effect modifying the US Patent Code, 35 USC 154. USA patent terms were changed from 17 years from date of issuance to 20 years from earliest application date. The 17-year RSA patent predated this change.) Better RSA implementation: Eric Young's OpenSSL (formerly SSLeay); independent implementation, which thus has no RSADSI copyright issue.

IDEA: US Pat. No. 5,214,703, applied for 1991-05-16, issued 1993-05-25 to James Massey and Xuejia Lai (Ascom Tech AG). Will expire 2010-05-25. European Patent Office (covering Austria, France, Germany, Italy, Netherlands, Spain, Sweden, Switzerland, United Kingdom) patent # 0482154, applied for 1991-05-16, issued 1993-06-30, expires 2011-05-16. Japan patent # 508119/1991, applied for 1991-05-16, still pending. Patent rights are held/administered by iT-SEC Systec Ltd., http://www.itsec.ch/

.shosts / .rhosts

PKI for distributing 2.0-protocol public keys with certificates, e.g., via OpenPGP. Equivalent to SSL 3.0 / TLS. Still need a means to distribute root certificate. v. 1 protocol limited to distribution of known_hosts files, or you have to live with possibility of man-in-the-middle attack during first exchange.

Is DSS/DSA based on Diffie-Hellman? (No, it seems.) Does it implement the El Gamal fix? (El Gamal appears to be supported separately.)

X.509 standard for certificates (recommended). ssh-dss standard (required). spki (optional). pgp / OpenPGP (optional).

IETF ssh1.5 draft standard http://www.tigerlair.com/ssh/faq/ssh1-draft.txt IETF ssh2 draft standard http://www.ietf.org/html.charters/secsh-charter.html IETF ssh2 sftp draft standard

http://www.ietf.org/internet-drafts/draft-ietf-secsh-filexfer-02.txt

IETF working group formed after an informal BOF on 1996-12-11 at the 37th IETF conference in San Jose. Majordomo list: ietf-ssh@clinet.fi

Note theoretical buffer-overflow attack against Kerberos5-enabled ssh 1.2.26: http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-11-01&msg=199811050038.CAA19536@kuvastin.ssh.fi OpenSSH uses the KTH Kerberos v4 implementation, and is not vulnerable. That implementation has the advantage over MIT's Kerberos v5 implementation that it checks for suid-root programs opening arbitary ticket files. Ylönen SSH 1.2.27 sidesteps/masks the problem by disabling kerberos authentication if the ssh client is installed suid-root. (If ssh client isn't suid-root, .shosts authentication doesn't work.) Ylönen's (SSH Communications Security's) for Win32 doesn't. KTH = Kungl Tekniska Högskolan (Royal Institute of Technology), Stockholm, Sweden. KTH Kerberos: http://www.pdc.kth.se/kth-krb/

Look up stream ciphers v. block ciphers. (Done.) (The former are not supported by OpenSSH.) Ordinarily, DES and IDEA are purely block ciphers, but Ylönen SSH uses them in CFB = stream-cipher mode without any reset operation. TCP over TCP situation?

As of Ylönen's (SSH Communications Security's) v. 2.1, F-Secure Corporation has no licence to sell the new SSH Win32 client, or other new SSH Communications products.

ssh 1.x: features are requested by the client. ssh 2.0: Server can (e.g.) force compression enabled. More differences at http://marc.theaimsgroup.com/?l=secure-shell&m=94279273425043&w=2

Info on one RSAREF2 security hole, and that library's licence, at http://marc.theaimsgroup.com/?l=secure-shell&m=94425692307516&w=2 http://marc.theaimsgroup.com/?l=secure-shell&m=94416478809096&w=2

Ylönen's 1.2.13 came out 1996-02-10 (increments ssh version to 1.3). 1.2.12 came out 1995-12. SSH 1.0 issued 1995-07-12. Right around the issuance of 1.2.13, the files for 1.2.1 through 1.2.12 were removed from the main SSH ftp site and its mirrors. The history of this is a little murky, but it may have been pursuant to the commercial distribution agreement signed between Ylönen's company, SSH Communications Security, Ltd. and Data Fellows, Ltd. (now F-Secure Corporation) at that time, when slightly more restrictive licensing was introduced. The licence was changed again starting with 1.2.28, requiring payment for any use in a commercial setting.

Functional Win9x ports were not possible until late 1996, when Mark Solinski < markso@mcs.com> wrote a fix to Win95's defective GetFileType function, which balked on sockets: http://www.mcs.net/~markso/cvs/cvs95.html

sftp and scp variants: To quote Markus Friedl:

openssh's scp command uses the RCP protocol over both SSH1 and SSH2. openssh's sftp command uses the SFTP protocol over both SSH1 and SSH2. ssh.com's sftp command uses the SFTP protocol over SSH2. ssh.com's scp2 command uses the SFTP protocol over SSH2.

So you cannot use openssh's scp to talk to a ssh.com server, since they do not support the RCP protocol (unless you install a scp1 binary from openssh or from the ssh-1.2.x software).

The public key formats of ssh.com's SSH and OpenSSH are different and incompatible. They can, however, be converted. http://www.ssh.com/faq/index.cfm?id=1243

More clients: http://www.process.com/sshclients/
http://www.cs.hmc.edu/tech_docs/qref/ssh.html

—

SSH-Protocol Software for Sundry Platforms is Copyright © 2000-2024 by Rick Moen, and licensed under CC BY-SA 4.0.