OpenSSH
OpenSSH
8.5

5.0

OpenSSH free download for Mac

OpenSSH for Mac8.5

03 March 2021

SSH protocol connectivity tools.

What is OpenSSH for Mac

OpenSSH is a free version of the SSH connectivity tools that technical users of the Internet rely on. Users of telnet, rlogin, and ftp may not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions.

Note: While the software is classified as free, it is actually donationware. Please consider making a donation to help support development.

What's new in OpenSSH

Version 8.5:
Future deprecation notice:
  • It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K.
  • In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future.
  • Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default.
  • This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default.
The better alternatives include:
  • The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them.
  • The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5.
  • The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7.
  • To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host
  • If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded.
  • This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms.
  • [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf
Security:
  • ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket.
  • On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions.
  • The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access.
  • Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application.
Potentially-incompatible changes:
This release includes a number of changes that may affect existing configurations:
  • ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519.
  • ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
  • ssh(1), sshd(8): remove the pre-standardization cipherrijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001.
  • ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519.
  • The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default)
  • ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers.

Related articles

Join over 500,000 subscribers.

Subscribe for our newsletter with best Mac offers from MacUpdate.

How would you rate OpenSSH?
0.0
(0 Reviews of )
There are no reviews yet
outer
outer
Apr 22 2012
6.0
0.0
Apr 22 2012
0.0
Version: 6.0
Does this coëxist with or overwrite Apple's implementation? If it overwrites, how can I know whether it will mess up other parts of my Apple-provided infrastructure?
Mac2048
Mac2048
Nov 19 2006
4.5
0.0
Nov 19 2006
0.0
Version: 4.5
I can't install OpenSSH 4.5 because it looks like the Makefile has a syntax error on line 3. It doesn't seem to like ".include" but it's happy with simply "include" without the dot. If I make that change then it gets a similar syntax error down in /usr/share/mk/bsd.own.mk (due to ".if" vs. "if"). I don't want to touch that file. The original error is: Makefile:3: *** missing separator. Stop. MacOS 10.2.8 (old, I know, which is why I want to upgrade ssh), /usr/bin/make is GNU Make version 3.79 Has anybody run into this?
Guest
Guest
Jul 28 2001
2.5.2
1.0
Jul 28 2001
1.0
Version: 2.5.2
Download is unusable when clicked. "File does not appear to be compressed or encoded. Obtain further information about the contents of this file from the sender or provider of the file." Thanks a lot. Me, bitter? Disappointed? An utter waste of download time!
Guest
Guest
Mar 28 2001
2.5.2
1.0
Mar 28 2001
1.0
Version: 2.5.2
err. ok. so it worked flawlessly today. whatever. It works like it should
Guest
Guest
Mar 26 2001
2.5.2
1.0
Mar 26 2001
1.0
Version: 2.5.2
unfortunately, wouldn't let the installation complete..and yes I did go through the whole process of typing in the admin password, trying three times, etc it also reset some of my preferences in the process. &^%$@^%!
Free

5.0

App requirements: 
  • Intel 64
  • Intel 32
  • PPC 64
  • Mac OS X 10.1.5 or later
License: 
FreeAbsolutely Free

Downloaded & Installed 67,303 times

Similar apps
ProxyCap
ProxyCap
Tunnel applications through proxy and SSH servers.
Is this app is similar to ProxyCap? Vote to improve the quality of this list.
Vote results
0
Upvotes
1
Total score
0
Downvotes
SSH Proxy
SSH Proxy
Turn various remote SSH servers into SOCKS v5 proxies.
Is this app is similar to SSH Proxy? Vote to improve the quality of this list.
Vote results
0
Upvotes
1
Total score
0
Downvotes
SSH Tunnel
SSH Tunnel
Manage and control your SSH tunnels.
Is this app is similar to SSH Tunnel? Vote to improve the quality of this list.
Vote results
0
Upvotes
1
Total score
0
Downvotes
SSH Shell
SSH Shell
Secure one-click log-in.
Is this app is similar to SSH Shell? Vote to improve the quality of this list.
Vote results
0
Upvotes
1
Total score
0
Downvotes
Core Tunnel
Core Tunnel
Missing tunnel manager.
Is this app is similar to Core Tunnel? Vote to improve the quality of this list.
Vote results
0
Upvotes
1
Total score
0
Downvotes