SSH Resource Page

Warning: SSH1 CRC-32 Compensation Attack Detector Vulnerability

A number of client and server implementations of SSH version 1 have been found to contain a potentially serious security problem. There is some evidence that this problem may be exploitable in practice in at least some implementations. If you are running an implementation which is subject to this problem, you should contact your vendor for an upgrade as soon as possible.

The following documents have further information about this flaw:

• The CORE Security Technologies advisory.
• The Bindview advisory.

Note that this flaw is a different and potentially much more serious problem from the "session key recovery" flaw which was publicized around the same time.

SSH implementations

Here are the SSH ports I have been made aware of. I have not evaluated most of the packages listed below, and their appearance on this list should not be interpreted as a recommendation or endorsement. Commercial products are listed separately at the end; to my knowledge, all of the other packages listed here can be downloaded and used by individuals for non-commercial purposes free of charge. Consult the documentation accompanying each software distribution for further information regarding their licencing.

Update: When SSH Communications Security introduced ssh-1.2.29 to correct security problems in the software (and no other features added), they modified the license agreement in such a manner that many users who previously qualified to use the product without paying license fees cannot legally do so with the new version. I consider this practice to be of highly questionable ethics.

They've played such games with their license agreements in the past, and this has been progressively eroding the goodwill they had built up with the community over the years. If you're one of the people who SSH Communications Security is apparently trying to extort into purchasing licenses in order to address a security problem, I would strongly recommend that you consider switching to a competing product with a friendlier license and greater respect for their user community, such as OpenSSH.

February 2001: SSH Communications Security has begun engaging in the dissemination of fear, uncertainty and doubt regarding mostly theoretical vulnerabilities in version 1 of the SSH protocol--or, should I say, the SECSH protocol, since they also assert that referring to the protocol as "SSH," or including those letters in the name of a software package which implements it, amounts to an infringement of their trademark. One can hardly blame them for wanting to protect their business model, but the erosion of goodwill continues.

Please report broken/outdated links to djast@cs.toronto.edu; thanks.

Unix (including Linux):

• The official distribution site for the reference implementation(s): http://www.ssh.fi/sshprotocols2/index.html. (However, please see the note above regarding SSH Communications Security's questionable license tactics.)
• The University of Toronto distribution mirror: ftp://ftp.utoronto.ca/mirror/packages/ssh/
• OpenSSH, part of the OpenBSD project (note that this suite is included as part of release 2.6 and later of the OpenBSD operating system, and is also included with release 10.0.1 and later of the Mac OS X operating system): http://www.openssh.com/. OpenSSH has also been ported to Linux, Solaris, AIX, IRIX, HP/UX, and FreeBSD.
• FreSSH, another independent implementation (a pre-release version, supporting version 1 of the SSH protocol only): http://www.fressh.org/

MS Windows/NT:

• An SSH/SCP (command line version) for Windows 95 and NT: http://bmrc.berkeley.edu/people/chaffee/winntutil.html
• The TeraTerm SSH distribution page: http://www.zip.com.au/~roca/ttssh.html
• PuTTY: A Free Win32 Telnet/SSH Client: http://www.chiark.greenend.org.uk/~sgtatham/putty.html
• Cygwin32 ports:
  • Raju Mathur's page at ftp://ftp.franken.de/pub/win32/develop/gnuwin32/cygwin/porters/Mathur_Raju
  • Sergey Okhapkin's page at http://miracle.geol.msu.ru/sos/ and mirrored at ftp://ftp.franken.de/pub/win32/develop/gnuwin32/cygwin/porters/Okhapkin_Sergey and http://www.lexa.ru/sos/
  • ??? http://guardian.htu.tuwien.ac.at/therapy/ssh/
• FiSSH: http://www.massconfusion.com/ssh/
• Metro State College of Denver's SSH (MSSH): http://cs.mscd.edu/MSSH/index.html

• http://deadlock.et.tudelft.nl/~joris/scp/
• http://www.jfitz.com/tips/ssh_for_windows.html

MacIntosh:

• OpenSSH is built into Mac OS X versions 10.0.1 and higher. There is also an article at http://www.stepwise.com/Articles/Workbench/2001-05-02.03.html on how to build a more recent version of OpenSSH on Mac OS X.
• NiftyTelnet, a freeware SSH client for MacIntosh: http://www.lysator.liu.se/~jonasw/freeware.html
• BetterTelnet is another freeware terminal program for MacIntosh. The BetterTelnet home page is http://www.cstone.net/~rbraun/mac/telnet/, but the official version does not yet support SSH. However, a modified third-party version of BetterTelnet with SSH version 2 support is available from http://www.macssh.com/. (Note that this client does not support version 1 of the SSH protocol; your server must support SSH version 2 in order to use this.)

BeOS:

• http://abstrakt.ch/be/ (thanks to vince@sixpak.cs.ucla.edu for bringing this port to my attention)

Java:

• http://www.cl.cam.ac.uk/~fapp2/software/java-ssh/
• AppGate MindTerm: http://www.appgate.org/products/mindterm/

Top Gun SSH for the PalmPilot:

• http://www.ai/~iang/TGssh/

sshCE, an SSH client for Windows CE:

• http://www.movsoftware.com/sshce.htm

Commercial SSH Clients:

• The F-Secure commercial product from Data Fellows: http://www.datafellows.com/f-secure/
• SecureCRT, another commercial SSH client: http://www.vandyke.com/products/SecureCRT/
• dataComet-Secure, a commercial SSH client for the MacIntosh: http://www.databeast.com/

Other SSH resource pages:

• The best site I've seen so far, it's maintained by the authors of the soon-to-be-published O'Reilly And Associates book, "SSH: The Secure Shell--The Definitive Guide": http://www.snailbook.com/
• A "Frequently Asked Questions" list: http://www.employees.org/~satch/ssh/faq/
• A page which tracks "the development of free implementations (in the BSD or GNU sense) of the ssh protocol": http://www.net.lut.ac.uk/psst/
• Setting up sshd on NT: http://v.iki.fi/nt-ssh.html
• Lukas Eklund's list of Mac SSH clients: http://zork.net/~kickaha/
• SecPanel, an SSH-GUI for Unix systems running X11: http://www2.wiwi.uni-marburg.de/~leich/soft/secpanel/
• Another SSH reference page: http://www.boran.com/security/ssh_stuff.html
• FreeSSH.org; another page listing SSH clients, servers, information resources, specifications, and mirrors: http://www.freessh.org/