Name Date Size #Lines LOC

..--

.github/H--1,089935

contrib/H--5,0223,516

m4/H--224215

openbsd-compat/H--21,65313,974

regress/H--26,53321,446

.dependH A D05-Jan-2024131.6 KiB180178

.git_allowed_signersH A D19-Oct-2022997 65

.git_allowed_signers.ascH A D19-Oct-2022833 1715

.gitignoreH A D18-Mar-2024465 3938

.skipped-commit-idsH A D18-Mar-20243.3 KiB5855

CREDITSH A D08-Sep-20215.4 KiB10398

ChangeLogH A D18-Mar-2024271.6 KiB8,3015,342

FREEBSD-upgradeH A D18-Mar-20246.2 KiB193123

INSTALLH A D11-Aug-202310 KiB294201

LICENCEH A D19-Oct-202218.1 KiB372328

Makefile.inH A D05-Jan-202429.2 KiB790670

OVERVIEWH A D08-Sep-20216.2 KiB163119

PROTOCOLH A D18-Mar-202427.8 KiB796585

PROTOCOL.agentH A D18-Mar-20244.2 KiB11686

PROTOCOL.certkeysH A D08-Sep-202112.8 KiB322258

PROTOCOL.chacha20poly1305H A D08-Sep-20214.5 KiB10884

PROTOCOL.keyH A D19-Oct-20221.6 KiB7253

PROTOCOL.krlH A D11-Aug-20236.9 KiB223154

PROTOCOL.muxH A D18-Mar-20248.8 KiB297218

PROTOCOL.sshsigH A D08-Sep-20213.3 KiB10174

PROTOCOL.u2fH A D08-Sep-202110.8 KiB310243

READMEH A D18-Mar-20242.1 KiB5438

README.dnsH A D08-Sep-20211.6 KiB4830

README.mdH A D16-Mar-20235.1 KiB8756

README.platformH A D18-Mar-20244 KiB9874

README.privsepH A D08-Sep-20212.2 KiB5239

README.tunH A D30-Sep-20064.8 KiB13398

SECURITY.mdH A D13-Apr-2022163 63

TODOH A D11-Sep-20182.5 KiB8161

aclocal.m4H A D06-Feb-2023694 1611

addr.cH A D11-Aug-202310 KiB507384

addr.hH A D06-Feb-20232.4 KiB6543

addrmatch.cH A D08-Sep-20214.4 KiB170109

atomicio.cH A D13-Apr-20224.7 KiB180129

atomicio.hH A D08-Sep-20212.2 KiB5414

audit-bsm.cH A D08-Sep-202111.7 KiB456322

audit-linux.cH A D08-Sep-20213.4 KiB12577

audit.cH A D08-Sep-20215.7 KiB185105

audit.hH A D08-Sep-20212.3 KiB5828

auth-bsdauth.cH A D08-Sep-20213.6 KiB14498

auth-krb5.cH A D08-Sep-20216.9 KiB274201

auth-options.cH A D11-Aug-202323.5 KiB913749

auth-options.hH A D08-Sep-20213.1 KiB10740

auth-pam.cH A D11-Aug-202336.8 KiB1,4141,099

auth-pam.hH A D08-Sep-20211.9 KiB4820

auth-passwd.cH A D08-Sep-20216.4 KiB224147

auth-rhosts.cH A D06-Feb-20239.2 KiB339225

auth-shadow.cH A D16-Mar-20234.3 KiB14286

auth-sia.cH A D11-Sep-20183.2 KiB11671

auth-sia.hH A D05-Jun-20051.4 KiB324

auth.cH A D16-Mar-202324.4 KiB880682

auth.hH A D19-Oct-20228.2 KiB248156

auth2-chall.cH A D08-Sep-20219.5 KiB383305

auth2-gss.cH A D11-Aug-20239.8 KiB344244

auth2-hostbased.cH A D16-Mar-20237.8 KiB260203

auth2-kbdint.cH A D13-Apr-20222.2 KiB7336

auth2-none.cH A D16-Mar-20232.3 KiB7943

auth2-passwd.cH A D19-Oct-20222.4 KiB8146

auth2-pubkey.cH A D11-Aug-202323.8 KiB821667

auth2-pubkeyfile.cH A D16-Mar-202313.7 KiB501361

auth2.cH A D05-Jan-202423.2 KiB861670

authfd.cH A D05-Jan-202419.6 KiB779593

authfd.hH A D05-Jan-20244.1 KiB12379

authfile.cH A D16-Mar-202312.5 KiB529396

authfile.hH A D08-Sep-20212.4 KiB5522

bitmap.cH A D11-May-20184.4 KiB215171

bitmap.hH A D11-May-20181.9 KiB5815

blacklist.cH A D23-Oct-20242.8 KiB9850

blacklist_client.hH A D23-Oct-20242.1 KiB6220

buildpkg.sh.inH A D08-Sep-202117.6 KiB678526

canohost.cH A D11-Aug-20234.8 KiB210147

canohost.hH A D02-Mar-2017842 279

chacha.cH A D11-Aug-20235.3 KiB219188

chacha.hH A D08-Sep-2021994 3722

channels.cH A D18-Mar-2024146 KiB5,3574,246

channels.hH A D05-Jan-202415 KiB402260

cipher-aes.cH A D11-Aug-20234.5 KiB162119

cipher-aesctr.cH A D22-Jan-20162.1 KiB8450

cipher-aesctr.hH A D22-Jan-20161.3 KiB3613

cipher-chachapoly-libcrypto.cH A D11-Aug-20234.9 KiB166113

cipher-chachapoly.cH A D11-Aug-20234.1 KiB13986

cipher-chachapoly.hH A D08-Sep-20211.6 KiB4117

cipher.cH A D05-Jan-202412.9 KiB506406

cipher.hH A D05-Jan-20243.2 KiB7834

cleanup.cH A D30-Sep-20061 KiB3310

clientloop.cH A D01-Jul-202483.1 KiB2,8782,110

clientloop.hH A D08-Sep-20213.7 KiB8532

compat.cH A D16-Mar-20235.1 KiB167130

compat.hH A D16-Mar-20232.5 KiB6622

config.guessH A D06-Feb-202348.8 KiB1,7751,548

config.hH A D01-Jul-202456.3 KiB2,055376

config.subH A D06-Feb-202335 KiB1,9081,720

configure.acH A D18-Mar-2024156.9 KiB5,8055,455

crypto_api.hH A D06-Feb-20231.7 KiB5738

defines.hH A D13-Apr-202223.7 KiB946709

dh.cH A D08-Sep-202115.4 KiB506403

dh.hH A D08-Sep-20212.7 KiB8536

digest-libc.cH A D13-Apr-20226.1 KiB268216

digest-openssl.cH A D08-Sep-20214.9 KiB208160

digest.hH A D09-May-20182.5 KiB7132

dispatch.cH A D16-Mar-20233.5 KiB13595

dispatch.hH A D08-Sep-20212 KiB5017

dns.cH A D16-Mar-20238.9 KiB345246

dns.hH A D16-Mar-20232.1 KiB6026

ed25519.cH A D06-Feb-2023196.8 KiB2,0311,760

ed25519.shH A D06-Feb-20234.1 KiB12095

entropy.cH A D06-Feb-20233 KiB11056

entropy.hH A D11-Sep-20181.5 KiB357

fatal.cH A D08-Sep-20211.8 KiB4714

fixalgorithmsH A D30-Oct-2013422 2713

fixpathsH A D23-Apr-2003499 2312

freebsd-configure.shH A D23-Apr-20221.8 KiB5833

freebsd-namespace.shH A D23-Apr-20221.9 KiB8456

groupaccess.cH A D08-Sep-20213.5 KiB13579

groupaccess.hH A D01-Aug-20081.5 KiB367

gss-genr.cH A D18-Mar-20247.9 KiB304210

gss-serv-krb5.cH A D11-Sep-20185.6 KiB212143

gss-serv.cH A D11-Aug-202310.3 KiB405256

hash.cH A D08-Sep-2021781 4428

hmac.cH A D08-Sep-20215.1 KiB199150

hmac.hH A D22-Jan-20161.6 KiB3915

hostfile.cH A D16-Mar-202324.7 KiB947734

hostfile.hH A D08-Sep-20214.4 KiB12475

includes.hH A D13-Apr-20223.8 KiB179135

install-shH A D06-Feb-202315 KiB542352

kex.cH A D18-Mar-202443.9 KiB1,6911,424

kex.hH A D18-Mar-20249 KiB277219

kexc25519.cH A D08-Sep-20215.7 KiB200149

kexdh.cH A D08-Sep-20215 KiB204161

kexecdh.cH A D08-Sep-20216.1 KiB240188

kexgen.cH A D13-Apr-202210.4 KiB372304

kexgex.cH A D08-Sep-20213.7 KiB10570

kexgexc.cH A D13-Apr-20227 KiB242186

kexgexs.cH A D11-Aug-20236.3 KiB217158

kexsntrup761x25519.cH A D13-Apr-20227.6 KiB252199

krb5_config.hH A D23-Apr-2022299 1110

krl.cH A D11-Aug-202335.6 KiB1,3871,157

krl.hH A D11-Aug-20232.7 KiB6838

log.cH A D01-Jul-202412 KiB505400

log.hH A D08-Sep-20217 KiB133103

loginrec.cH A D13-Apr-202242.1 KiB1,7311,106

loginrec.hH A D08-Sep-20214.6 KiB13553

logintest.cH A D08-Sep-20218.5 KiB309214

mac.cH A D08-Sep-20217.2 KiB263209

mac.hH A D02-Mar-20172 KiB5424

match.cH A D11-Aug-20239.6 KiB368206

match.hH A D08-Sep-20211.2 KiB3114

mdoc2man.awkH A D11-May-20188.4 KiB371341

misc.cH A D18-Mar-202466 KiB3,0792,416

misc.hH A D18-Mar-20248.9 KiB252190

mkinstalldirsH A D11-May-2018633 3923

moduliH A D05-Jan-2024605.6 KiB456455

moduli.5H A D19-Oct-20223.6 KiB127126

moduli.cH A D16-Mar-202320.7 KiB817501

monitor.cH A D09-Oct-202351.8 KiB1,9571,560

monitor.hH A D08-Sep-20213.9 KiB9656

monitor_fdpass.cH A D08-Sep-20214.6 KiB186144

monitor_fdpass.hH A D01-Aug-20081.5 KiB355

monitor_wrap.cH A D05-Jan-202426 KiB1,021806

monitor_wrap.hH A D19-Oct-20223.8 KiB10361

msg.cH A D08-Sep-20212.7 KiB9560

msg.hH A D22-Jan-20161.5 KiB336

mux.cH A D05-Jan-202462.8 KiB2,3751,983

myproposal.hH A D15-Apr-20223.7 KiB11779

nchan.cH A D18-Mar-202411.8 KiB444343

nchan.msH A D30-Oct-20133.9 KiB10074

nchan2.msH A D30-Oct-20133.4 KiB8964

openssh.xml.inH A D30-Oct-20132.8 KiB9161

opensshd.init.inH A D19-Dec-20211.2 KiB6946

packet.cH A D18-Dec-202372.3 KiB2,7682,129

packet.hH A D18-Dec-20237.6 KiB224159

pathnames.hH A D23-Apr-20226 KiB18074

pkcs11.hH A D03-Jun-201441.4 KiB1,3581,119

platform-misc.cH A D09-May-20181.1 KiB3613

platform-pledge.cH A D14-Mar-20161.9 KiB7227

platform-tracing.cH A D09-Nov-20222.5 KiB7747

platform.cH A D15-Apr-20225.8 KiB251173

platform.hH A D15-Apr-20221.5 KiB3918

poly1305.cH A D11-Aug-20234.5 KiB160121

poly1305.hH A D22-Jan-2016645 2311

progressmeter.cH A D11-Aug-20237.5 KiB303219

progressmeter.hH A D08-Sep-20211.5 KiB293

readconf.cH A D18-Mar-2024104.2 KiB3,7243,147

readconf.hH A D18-Mar-20249 KiB259191

readpass.cH A D19-Oct-20228.3 KiB333256

rijndael.cH A D22-Jan-201651.6 KiB1,1301,009

rijndael.hH A D13-Apr-20222 KiB5620

sandbox-capsicum.cH A D19-Oct-20223.4 KiB12983

sandbox-darwin.cH A D08-Sep-20212.5 KiB10058

sandbox-null.cH A D03-Jun-20141.6 KiB7336

sandbox-pledge.cH A D08-Sep-20211.8 KiB7847

sandbox-rlimit.cH A D08-Sep-20212.4 KiB9759

sandbox-seccomp-filter.cH A D16-Mar-202315.8 KiB544446

sandbox-solaris.cH A D09-May-20182.9 KiB11577

sandbox-systrace.cH A D08-Sep-20216.3 KiB219163

scp.1H A D06-Feb-20237.9 KiB326325

scp.cH A D05-Jan-202453.5 KiB2,2761,862

servconf.cH A D18-Mar-202496.7 KiB3,2772,844

servconf.hH A D09-Oct-202311.7 KiB326229

serverloop.cH A D09-Oct-202328.6 KiB933711

serverloop.hH A D09-May-20181,000 295

session.cH A D18-Mar-202467.9 KiB2,7512,038

session.hH A D06-Feb-20232.6 KiB8548

sftp-client.cH A D05-Jan-202479 KiB3,0102,440

sftp-client.hH A D09-Oct-20236.5 KiB20883

sftp-common.cH A D11-Aug-20236.9 KiB266212

sftp-common.hH A D19-Oct-20222.1 KiB5420

sftp-glob.cH A D09-Oct-20234.3 KiB181112

sftp-realpath.cH A D19-Dec-20216 KiB226147

sftp-server-main.cH A D19-Oct-20221.4 KiB5327

sftp-server.8H A D08-Sep-20215 KiB171170

sftp-server.cH A D11-Aug-202351.9 KiB2,1091,793

sftp-usergroup.cH A D09-Oct-20235.5 KiB240187

sftp-usergroup.hH A D19-Oct-20221.1 KiB264

sftp.1H A D06-Feb-202316.9 KiB729728

sftp.cH A D18-Mar-202463.7 KiB2,6972,224

sftp.hH A D01-Aug-20083.3 KiB10255

sk-api.hH A D19-Oct-20222.9 KiB10465

sk-usbhid.cH A D11-Aug-202338.3 KiB1,4801,321

sk_config.hH A D19-Oct-2022338 109

smult_curve25519_ref.cH A D03-Jun-20146.7 KiB266227

sntrup761.cH A D06-Feb-202325.3 KiB1,274886

sntrup761.shH A D06-Feb-20232.8 KiB8767

srclimit.cH A D08-Sep-20213.8 KiB141100

srclimit.hH A D08-Sep-2021895 193

ssh-add.1H A D18-Mar-202410.5 KiB351350

ssh-add.cH A D18-Mar-202427 KiB1,056903

ssh-agent.1H A D09-Oct-20238.1 KiB277276

ssh-agent.cH A D18-Mar-202465.6 KiB2,5052,099

ssh-dss.cH A D18-Mar-202411.8 KiB458379

ssh-ecdsa-sk.cH A D16-Mar-202313.6 KiB468363

ssh-ecdsa.cH A D16-Mar-202312.1 KiB469392

ssh-ed25519-sk.cH A D06-Feb-20237.6 KiB289239

ssh-ed25519.cH A D06-Feb-20237.8 KiB314261

ssh-gss.hH A D23-Apr-20224.7 KiB14092

ssh-keygen.1H A D07-Sep-202341 KiB1,3501,349

ssh-keygen.cH A D18-Mar-2024106.7 KiB3,9683,469

ssh-keyscan.1H A D16-Mar-20234.7 KiB194193

ssh-keyscan.cH A D18-Mar-202420.2 KiB893749

ssh-keysign.8H A D15-Apr-20222.9 KiB9493

ssh-keysign.cH A D18-Mar-20248.1 KiB312233

ssh-pkcs11-client.cH A D18-Mar-202417.2 KiB657559

ssh-pkcs11-helper.8H A D19-Oct-20221.7 KiB7271

ssh-pkcs11-helper.cH A D13-Apr-202210.5 KiB447362

ssh-pkcs11.cH A D11-Aug-202347.3 KiB1,8891,544

ssh-pkcs11.hH A D05-Jan-20241.7 KiB4422

ssh-rsa.cH A D16-Mar-202319.6 KiB769643

ssh-sandbox.hH A D03-Jun-20141.1 KiB256

ssh-sk-client.cH A D13-Apr-202211.2 KiB481409

ssh-sk-helper.8H A D19-Oct-20221.7 KiB7271

ssh-sk-helper.cH A D06-Feb-202310 KiB368288

ssh-sk.cH A D11-Aug-202322.5 KiB880767

ssh-sk.hH A D13-Apr-20222.7 KiB8027

ssh-xmss.cH A D11-Aug-202310.1 KiB390332

ssh.1H A D05-Jan-202446.3 KiB1,7981,797

ssh.cH A D18-Mar-202472.6 KiB2,4931,960

ssh.hH A D08-Sep-20212.8 KiB10522

ssh2.hH A D05-Jan-20245.8 KiB18181

ssh_api.cH A D18-Mar-202414.8 KiB581461

ssh_api.hH A D11-Sep-20184.3 KiB13831

ssh_configH A D11-Aug-20231.5 KiB4742

ssh_config.5H A D18-Mar-202466.5 KiB2,3582,357

ssh_namespace.hH A D18-Mar-202451.5 KiB1,0241,019

sshbuf-getput-basic.cH A D19-Oct-202212.2 KiB634527

sshbuf-getput-crypto.cH A D18-Mar-20244.4 KiB181141

sshbuf-io.cH A D08-Sep-20212.7 KiB11886

sshbuf-misc.cH A D13-Apr-20227 KiB309260

sshbuf.cH A D06-Feb-20239.8 KiB428337

sshbuf.hH A D06-Feb-202313.5 KiB394171

sshconnect.cH A D18-Mar-202449 KiB1,7321,346

sshconnect.hH A D05-Jan-20243.2 KiB9757

sshconnect2.cH A D18-Mar-202465 KiB2,3661,905

sshd.8H A D09-Oct-202332.1 KiB1,0531,052

sshd.cH A D01-Aug-202469.1 KiB2,5651,850

sshd_configH A D06-Aug-20243.2 KiB12297

sshd_config.5H A D06-Aug-202459.4 KiB2,1462,145

ssherr.cH A D08-Sep-20215.2 KiB152133

ssherr.hH A D08-Sep-20213.4 KiB9065

sshkey-xmss.cH A D06-Feb-202329.7 KiB1,114975

sshkey-xmss.hH A D06-Feb-20232.9 KiB5728

sshkey.cH A D18-Mar-202491.1 KiB3,7153,081

sshkey.hH A D11-Aug-202312.3 KiB352267

sshlogin.cH A D19-Oct-20225.3 KiB175100

sshlogin.hH A D30-Oct-2013935 248

sshpty.cH A D08-Sep-20215.7 KiB233165

sshpty.hH A D06-Mar-20171 KiB2910

sshsig.cH A D18-Mar-202429.4 KiB1,1581,001

sshsig.hH A D13-Apr-20224 KiB11236

sshtty.cH A D28-Apr-20102.9 KiB9752

survey.sh.inH A D30-Oct-20131.7 KiB7049

ttymodes.cH A D08-Sep-20219.7 KiB451328

ttymodes.hH A D09-May-20184.9 KiB170104

uidswap.cH A D08-Sep-20217.3 KiB239158

uidswap.hH A D11-Sep-2018680 183

umac.cH A D16-Mar-202344.9 KiB1,284770

umac.hH A D13-Apr-20224.6 KiB13042

umac128.cH A D23-Apr-2022398 1812

utf8.cH A D08-Sep-20218.2 KiB356240

utf8.hH A D08-Sep-20211.3 KiB2911

version.hH A D06-Aug-2024219 94

xmalloc.cH A D15-Apr-20222.5 KiB11986

xmalloc.hH A D08-Sep-20211.1 KiB289

xmss_commons.cH A D08-Sep-2021631 3725

xmss_commons.hH A D11-May-2018450 2213

xmss_fast.cH A D08-Sep-202132.2 KiB1,107734

xmss_fast.hH A D11-May-20183.6 KiB11250

xmss_hash.cH A D18-Mar-20243.3 KiB13897

xmss_hash.hH A D11-May-2018841 2311

xmss_hash_address.cH A D08-Sep-20211.2 KiB6742

xmss_hash_address.hH A D11-May-2018836 4115

xmss_wots.cH A D08-Sep-20214.7 KiB193135

xmss_wots.hH A D11-May-20181.9 KiB6521

README

1See https://www.openssh.com/releasenotes.html#9.7p1 for the release
2notes.
3
4Please read https://www.openssh.com/report.html for bug reporting
5instructions and note that we do not use Github for bug reporting or
6patch/pull-request management.
7
8This is the port of OpenBSD's excellent OpenSSH[0] to Linux and other
9Unices.
10
11OpenSSH is based on the last free version of Tatu Ylonen's sample
12implementation with all patent-encumbered algorithms removed (to
13external libraries), all known security bugs fixed, new features
14reintroduced and many other clean-ups.  OpenSSH has been created by
15Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt,
16and Dug Song. It has a homepage at https://www.openssh.com/
17
18This port consists of the re-introduction of autoconf support, PAM
19support, EGD/PRNGD support and replacements for OpenBSD library
20functions that are (regrettably) absent from other unices. This port
21has been best tested on AIX, Cygwin, HP-UX, Linux, MacOS/X,
22FreeBSD, NetBSD, OpenBSD, OpenServer, Solaris and UnixWare.
23
24This version actively tracks changes in the OpenBSD CVS repository.
25
26The PAM support is now more functional than the popular packages of
27commercial ssh-1.2.x. It checks "account" and "session" modules for
28all logins, not just when using password authentication.
29
30There is now several mailing lists for this port of OpenSSH. Please
31refer to https://www.openssh.com/list.html for details on how to join.
32
33Please send bug reports and patches to https://bugzilla.mindrot.org or
34the mailing list openssh-unix-dev@mindrot.org.  To mitigate spam, the
35list only allows posting from subscribed addresses.  Code contribution
36are welcomed, but please follow the OpenBSD style guidelines[1].
37
38Please refer to the INSTALL document for information on dependencies and
39how to install OpenSSH on your system.
40
41Damien Miller <djm@mindrot.org>
42
43Miscellania -
44
45This version of OpenSSH is based upon code retrieved from the OpenBSD CVS
46repository which in turn was based on the last free sample implementation
47released by Tatu Ylonen.
48
49References -
50
51[0] https://www.openssh.com/
52[1] https://man.openbsd.org/style.9
53
54

README.dns

1How to verify host keys using OpenSSH and DNS
2---------------------------------------------
3
4OpenSSH contains support for verifying host keys using DNS as described
5in https://tools.ietf.org/html/rfc4255. The document contains very brief
6instructions on how to use this feature. Configuring DNS is out of the
7scope of this document.
8
9
10(1) Server: Generate and publish the DNS RR
11
12To create a DNS resource record (RR) containing a fingerprint of the
13public host key, use the following command:
14
15	ssh-keygen -r hostname -f keyfile -g
16
17where "hostname" is your fully qualified hostname and "keyfile" is the
18file containing the public host key file. If you have multiple keys,
19you should generate one RR for each key.
20
21In the example above, ssh-keygen will print the fingerprint in a
22generic DNS RR format parsable by most modern name server
23implementations. If your nameserver has support for the SSHFP RR
24you can omit the -g flag and ssh-keygen will print a standard SSHFP RR.
25
26To publish the fingerprint using the DNS you must add the generated RR
27to your DNS zone file and sign your zone.
28
29
30(2) Client: Enable ssh to verify host keys using DNS
31
32To enable the ssh client to verify host keys using DNS, you have to
33add the following option to the ssh configuration file
34($HOME/.ssh/config or /etc/ssh/ssh_config):
35
36    VerifyHostKeyDNS yes
37
38Upon connection the client will try to look up the fingerprint RR
39using DNS. If the fingerprint received from the DNS server matches
40the remote host key, the user will be notified.
41
42
43	Jakob Schlyter
44	Wesley Griffin
45
46
47$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $
48

README.md

1# Portable OpenSSH
2
3[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml)
4[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh)
5[![Coverity Status](https://scan.coverity.com/projects/21341/badge.svg)](https://scan.coverity.com/projects/openssh-portable)
6
7OpenSSH is a complete implementation of the SSH protocol (version 2) for secure remote login, command execution and file transfer. It includes a client ``ssh`` and server ``sshd``, file transfer utilities ``scp`` and ``sftp`` as well as tools for key generation (``ssh-keygen``), run-time key storage (``ssh-agent``) and a number of supporting programs.
8
9This is a port of OpenBSD's [OpenSSH](https://openssh.com) to most Unix-like operating systems, including Linux, OS X and Cygwin. Portable OpenSSH polyfills OpenBSD APIs that are not available elsewhere, adds sshd sandboxing for more operating systems and includes support for OS-native authentication and auditing (e.g. using PAM).
10
11## Documentation
12
13The official documentation for OpenSSH are the man pages for each tool:
14
15* [ssh(1)](https://man.openbsd.org/ssh.1)
16* [sshd(8)](https://man.openbsd.org/sshd.8)
17* [ssh-keygen(1)](https://man.openbsd.org/ssh-keygen.1)
18* [ssh-agent(1)](https://man.openbsd.org/ssh-agent.1)
19* [scp(1)](https://man.openbsd.org/scp.1)
20* [sftp(1)](https://man.openbsd.org/sftp.1)
21* [ssh-keyscan(8)](https://man.openbsd.org/ssh-keyscan.8)
22* [sftp-server(8)](https://man.openbsd.org/sftp-server.8)
23
24## Stable Releases
25
26Stable release tarballs are available from a number of [download mirrors](https://www.openssh.com/portable.html#downloads). We recommend the use of a stable release for most users. Please read the [release notes](https://www.openssh.com/releasenotes.html) for details of recent changes and potential incompatibilities.
27
28## Building Portable OpenSSH
29
30### Dependencies
31
32Portable OpenSSH is built using autoconf and make. It requires a working C compiler, standard library and headers.
33
34``libcrypto`` from either [LibreSSL](https://www.libressl.org/) or [OpenSSL](https://www.openssl.org) may also be used.  OpenSSH may be built without either of these, but the resulting binaries will have only a subset of the cryptographic algorithms normally available.
35
36[zlib](https://www.zlib.net/) is optional; without it transport compression is not supported.
37
38FIDO security token support needs [libfido2](https://github.com/Yubico/libfido2) and its dependencies and will be enabled automatically if they are found.
39
40In addition, certain platforms and build-time options may require additional dependencies; see README.platform for details about your platform.
41
42### Building a release
43
44Releases include a pre-built copy of the ``configure`` script and may be built using:
45
46```
47tar zxvf openssh-X.YpZ.tar.gz
48cd openssh
49./configure # [options]
50make && make tests
51```
52
53See the [Build-time Customisation](#build-time-customisation) section below for configure options. If you plan on installing OpenSSH to your system, then you will usually want to specify destination paths.
54
55### Building from git
56
57If building from git, you'll need [autoconf](https://www.gnu.org/software/autoconf/) installed to build the ``configure`` script. The following commands will check out and build portable OpenSSH from git:
58
59```
60git clone https://github.com/openssh/openssh-portable # or https://anongit.mindrot.org/openssh.git
61cd openssh-portable
62autoreconf
63./configure
64make && make tests
65```
66
67### Build-time Customisation
68
69There are many build-time customisation options available. All Autoconf destination path flags (e.g. ``--prefix``) are supported (and are usually required if you want to install OpenSSH).
70
71For a full list of available flags, run ``./configure --help`` but a few of the more frequently-used ones are described below. Some of these flags will require additional libraries and/or headers be installed.
72
73Flag | Meaning
74--- | ---
75``--with-pam`` | Enable [PAM](https://en.wikipedia.org/wiki/Pluggable_authentication_module) support. [OpenPAM](https://www.openpam.org/), [Linux PAM](http://www.linux-pam.org/) and Solaris PAM are supported.
76``--with-libedit`` | Enable [libedit](https://www.thrysoee.dk/editline/) support for sftp.
77``--with-kerberos5`` | Enable Kerberos/GSSAPI support. Both [Heimdal](https://www.h5l.org/) and [MIT](https://web.mit.edu/kerberos/) Kerberos implementations are supported.
78``--with-selinux`` | Enable [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) support.
79
80## Development
81
82Portable OpenSSH development is discussed on the [openssh-unix-dev mailing list](https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev) ([archive mirror](https://marc.info/?l=openssh-unix-dev)). Bugs and feature requests are tracked on our [Bugzilla](https://bugzilla.mindrot.org/).
83
84## Reporting bugs
85
86_Non-security_ bugs may be reported to the developers via [Bugzilla](https://bugzilla.mindrot.org/) or via the mailing list above. Security bugs should be reported to [openssh@openssh.com](mailto:openssh.openssh.com).
87

README.platform

1This file contains notes about OpenSSH on specific platforms.
2
3AIX
4
5Beginning with OpenSSH 3.8p1, sshd will honour an account's password
6expiry settings, where prior to that it did not.  Because of this,
7it's possible for sites that have used OpenSSH's sshd exclusively to
8have accounts which have passwords expired longer than the inactive time
9(ie the "Weeks between password EXPIRATION and LOCKOUT" setting in SMIT
10or the maxexpired chuser attribute).
11
12Accounts in this state must have their passwords reset manually by the
13administrator.  As a precaution, it is recommended that the administrative
14passwords be reset before upgrading from OpenSSH <3.8.
15
16As of OpenSSH 4.0p1, configure will attempt to detect if your version
17and maintenance level of AIX has a working getaddrinfo, and will use it
18if found.  This will enable IPv6 support.  If for some reason configure
19gets it wrong, or if you want to build binaries to work on earlier MLs
20than the build host then you can add "-DBROKEN_GETADDRINFO" to CFLAGS
21to force the previous IPv4-only behaviour.
22
23IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5
24IPv6 known broken: 4.3.3ML11 5.1ML4
25
26If you wish to use dynamic libraries that aren't in the normal system
27locations (eg IBM's OpenSSL and zlib packages) then you will need to
28define the environment variable blibpath before running configure, eg
29
30blibpath=/lib:/usr/lib:/opt/freeware/lib ./configure \
31  --with-ssl-dir=/opt/freeware --with-zlib=/opt/freeware
32
33If sshd is built with the WITH_AIXAUTHENTICATE option (which is enabled
34by default) then sshd checks that users are permitted via the
35loginrestrictions() function, in particular that the user has the
36"rlogin" attribute set.  This check is not done for the root account,
37instead the PermitRootLogin setting in sshd_config is used.
38
39If you are using the IBM compiler you probably want to use CC=xlc rather
40than the default of cc.
41
42
43Cygwin
44------
45To build on Cygwin, OpenSSH requires the following packages:
46gcc, gcc-mingw-core, mingw-runtime, binutils, make, openssl,
47openssl-devel, zlib, minres, minires-devel.
48
49
50Darwin and MacOS X
51------------------
52Darwin does not provide a tun(4) driver required for OpenSSH-based
53virtual private networks. The BSD manpage still exists, but the driver
54has been removed in recent releases of Darwin and MacOS X.
55
56Tunnel support is known to work with Darwin 8 and MacOS X 10.4 in
57Point-to-Point (Layer 3) and Ethernet (Layer 2) mode using a third
58party driver. More information is available at:
59	https://tuntaposx.sourceforge.net
60
61Recent Darwin/MacOS X versions are likely unsupported.
62
63Linux
64-----
65
66Some Linux distributions (including Red Hat/Fedora/CentOS) include
67headers and library links in the -devel RPMs rather than the main
68binary RPMs. If you get an error about headers, or complaining about a
69missing prerequisite then you may need to install the equivalent
70development packages.  On Redhat based distros these may be openssl-devel,
71zlib-devel and pam-devel, on Debian based distros these may be
72libssl-dev, libz-dev and libpam-dev.
73
74
75Solaris
76-------
77If you enable BSM auditing on Solaris, you need to update audit_event(4)
78for praudit(1m) to give sensible output.  The following line needs to be
79added to /etc/security/audit_event:
80
81	32800:AUE_openssh:OpenSSH login:lo
82
83The BSM audit event range available for third party TCB applications is
8432768 - 65535.  Event number 32800 has been chosen for AUE_openssh.
85There is no official registry of 3rd party event numbers, so if this
86number is already in use on your system, you may change it at build time
87by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
88
89
90Platforms using PAM
91-------------------
92As of OpenSSH 4.3p1, sshd will no longer check /etc/nologin itself when
93PAM is enabled.  To maintain existing behaviour, pam_nologin should be
94added to sshd's session stack which will prevent users from starting shell
95sessions.  Alternatively, pam_nologin can be added to either the auth or
96account stacks which will prevent authentication entirely, but will still
97return the output from pam_nologin to the client.
98

README.privsep

1Privilege separation, or privsep, is method in OpenSSH by which
2operations that require root privilege are performed by a separate
3privileged monitor process.  Its purpose is to prevent privilege
4escalation by containing corruption to an unprivileged process.
5More information is available at:
6	http://www.citi.umich.edu/u/provos/ssh/privsep.html
7
8Privilege separation is now mandatory.  During the pre-authentication
9phase sshd will chroot(2) to "/var/empty" and change its privileges to the
10"sshd" user and its primary group.  sshd is a pseudo-account that should
11not be used by other daemons, and must be locked and should contain a
12"nologin" or invalid shell.
13
14You should do something like the following to prepare the privsep
15preauth environment:
16
17	# mkdir /var/empty
18	# chown root:sys /var/empty
19	# chmod 755 /var/empty
20	# groupadd sshd
21	# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
22
23/var/empty should not contain any files.
24
25configure supports the following options to change the default
26privsep user and chroot directory:
27
28  --with-privsep-path=xxx Path for privilege separation chroot
29  --with-privsep-user=user Specify non-privileged user for privilege separation
30
31PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD,
32HP-UX (including Trusted Mode), Linux, NetBSD and Solaris.
33
34On Cygwin, Tru64 Unix and OpenServer only the pre-authentication part
35of privsep is supported.  Post-authentication privsep is disabled
36automatically (so you won't see the additional process mentioned below).
37
38Note that for a normal interactive login with a shell, enabling privsep
39will require 1 additional process per login session.
40
41Given the following process listing (from HP-UX):
42
43     UID   PID  PPID  C    STIME TTY       TIME COMMAND
44    root  1005     1  0 10:45:17 ?         0:08 /opt/openssh/sbin/sshd -u0
45    root  6917  1005  0 15:19:16 ?         0:00 sshd: stevesk [priv]
46 stevesk  6919  6917  0 15:19:17 ?         0:03 sshd: stevesk@2
47 stevesk  6921  6919  0 15:19:17 pts/2     0:00 -bash
48
49process 1005 is the sshd process listening for new connections.
50process 6917 is the privileged monitor process, 6919 is the user owned
51sshd process and 6921 is the shell process.
52

README.tun

1How to use OpenSSH-based virtual private networks
2-------------------------------------------------
3
4OpenSSH contains support for VPN tunneling using the tun(4) network
5tunnel pseudo-device which is available on most platforms, either for
6layer 2 or 3 traffic.
7
8The following brief instructions on how to use this feature use
9a network configuration specific to the OpenBSD operating system.
10
11(1) Server: Enable support for SSH tunneling
12
13To enable the ssh server to accept tunnel requests from the client, you
14have to add the following option to the ssh server configuration file
15(/etc/ssh/sshd_config):
16
17	PermitTunnel yes
18
19Restart the server or send the hangup signal (SIGHUP) to let the server
20reread it's configuration.
21
22(2) Server: Restrict client access and assign the tunnel
23
24The OpenSSH server simply uses the file /root/.ssh/authorized_keys to
25restrict the client to connect to a specified tunnel and to
26automatically start the related interface configuration command. These
27settings are optional but recommended:
28
29	tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk@openbsd.org
30
31(3) Client: Configure the local network tunnel interface
32
33Use the hostname.if(5) interface-specific configuration file to set up
34the network tunnel configuration with OpenBSD. For example, use the
35following configuration in /etc/hostname.tun0 to set up the layer 3
36tunnel on the client:
37
38	inet 192.168.5.1 255.255.255.252 192.168.5.2
39
40OpenBSD also supports layer 2 tunneling over the tun device by adding
41the link0 flag:
42
43	inet 192.168.1.78 255.255.255.0 192.168.1.255 link0
44
45Layer 2 tunnels can be used in combination with an Ethernet bridge(4)
46interface, like the following example for /etc/bridgename.bridge0:
47
48	add tun0
49	add sis0
50	up
51
52(4) Client: Configure the OpenSSH client
53
54To establish tunnel forwarding for connections to a specified
55remote host by default, use the following ssh client configuration for
56the privileged user (in /root/.ssh/config):
57
58	Host sshgateway
59		Tunnel yes
60		TunnelDevice 0:any
61		PermitLocalCommand yes
62	        LocalCommand sh /etc/netstart tun0
63
64A more complicated configuration is possible to establish a tunnel to
65a remote host which is not directly accessible by the client.
66The following example describes a client configuration to connect to
67the remote host over two ssh hops in between. It uses the OpenSSH
68ProxyCommand in combination with the nc(1) program to forward the final
69ssh tunnel destination over multiple ssh sessions.
70
71	Host access.somewhere.net
72	        User puffy
73	Host dmzgw
74	        User puffy
75	        ProxyCommand ssh access.somewhere.net nc dmzgw 22
76	Host sshgateway
77	        Tunnel Ethernet
78	        TunnelDevice 0:any
79	        PermitLocalCommand yes
80	        LocalCommand sh /etc/netstart tun0
81	        ProxyCommand ssh dmzgw nc sshgateway 22
82
83The following network plan illustrates the previous configuration in
84combination with layer 2 tunneling and Ethernet bridging.
85
86+--------+       (          )      +----------------------+
87| Client |------(  Internet  )-----| access.somewhere.net |
88+--------+       (          )      +----------------------+
89    : 192.168.1.78                             |
90    :.............................         +-------+
91     Forwarded ssh connection    :         | dmzgw |
92     Layer 2 tunnel              :         +-------+
93                                 :             |
94                                 :             |
95                                 :      +------------+
96                                 :......| sshgateway |
97                                      | +------------+
98--- real connection                 Bridge ->  |          +----------+
99... "virtual connection"                     [ X ]--------| somehost |
100[X] switch                                                +----------+
101                                                          192.168.1.25
102
103(5) Client: Connect to the server and establish the tunnel
104
105Finally connect to the OpenSSH server to establish the tunnel by using
106the following command:
107
108	ssh sshgateway
109
110It is also possible to tell the client to fork into the background after
111the connection has been successfully established:
112
113	ssh -f sshgateway true
114
115Without the ssh configuration done in step (4), it is also possible
116to use the following command lines:
117
118	ssh -fw 0:1 sshgateway true
119	ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252
120
121Using OpenSSH tunnel forwarding is a simple way to establish secure
122and ad hoc virtual private networks. Possible fields of application
123could be wireless networks or administrative VPN tunnels.
124
125Nevertheless, ssh tunneling requires some packet header overhead and
126runs on top of TCP. It is still suggested to use the IP Security
127Protocol (IPSec) for robust and permanent VPN connections and to
128interconnect corporate networks.
129
130	Reyk Floeter
131
132$OpenBSD: README.tun,v 1.4 2006/03/28 00:12:31 deraadt Exp $
133