OpenSSH
OpenSSH
8.2

5.0

OpenSSH free download for Mac

OpenSSH

8.2
17 February 2020

SSH protocol connectivity tools.

Overview

OpenSSH is a free version of the SSH connectivity tools that technical users of the Internet rely on. Users of telnet, rlogin, and ftp may not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions.

Note: While the software is classified as free, it is actually donationware. Please consider making a donation to help support development.

What's new in OpenSSH

FIDO/U2F Support:
  • This release adds support for FIDO/U2F hardware authenticators to OpenSSH. U2F/FIDO are open standards for inexpensive two-factor authentication hardware that are widely used for website authentication. In OpenSSH FIDO devices are supported by new public key types "ecdsa-sk" and "ed25519-sk", along with corresponding certificate types
  • ssh-keygen(1) may be used to generate a FIDO token-backed key, after which they may be used much like any other key type supported by OpenSSH, so long as the hardware token is attached when the keys are used. FIDO tokens also generally require the user explicitly authorise operations by touching or tapping them
  • Generating a FIDO key requires the token be attached, and will usually require the user tap the token to confirm the operation: $ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk Generating public/private ecdsa-sk key pair. You may need to touch your security key to authorize key generation. Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub
  • This will yield a public and private key-pair. The private key file should be useless to an attacker who does not have access to the physical token. After generation, this key may be used like any other supported key in OpenSSH and may be listed in authorized_keys, added to ssh-agent(1), etc. The only additional stipulation is that the FIDO token that the key belongs to must be attached when the key is used
  • FIDO tokens are most commonly connected via USB but may be attached via other means such as Bluetooth or NFC. In OpenSSH, communication with the token is managed via a middleware library, specified by the SecurityKeyProvider directive in ssh/sshd_config(5) or the $SSH_SK_PROVIDER environment variable for ssh-keygen(1) and ssh-add(1). The API for this middleware is documented in the sk-api.h and PROTOCOL.u2f files in the source distribution
  • OpenSSH includes a middleware ("SecurityKeyProvider=internal") with support for USB tokens. It is automatically enabled in OpenBSD and may be enabled in portable OpenSSH via the configure flag --with-security-key-builtin. If the internal middleware is enabled then it is automatically used by default. This internal middleware requires that libfido2 (https://github.com/Yubico/libfido2) and its dependencies be installed. We recommend that packagers of portable OpenSSH enable the built-in middleware, as it provides the lowest-friction experience for users
  • Note: FIDO/U2F tokens are required to implement the ECDSA-P256 "ecdsa-sk" key type, but hardware support for Ed25519 "ed25519-sk" is less common. Similarly, not all hardware tokens support some of the optional features such as resident keys
  • The protocol-level changes to support FIDO/U2F keys in SSH are documented in the PROTOCOL.u2f file in the OpenSSH source distribution
There are a number of supporting changes to this feature:
  • ssh-keygen(1): add a "no-touch-required" option when generating FIDO-hosted keys, that disables their default behaviour of requiring a physical touch/tap on the token during authentication. Note: not all tokens support disabling the touch requirement
  • sshd(8): add a sshd_config PubkeyAuthOptions directive that collects miscellaneous public key authentication-related options for sshd(8). At present it supports only a single option "no-touch-required". This causes sshd to skip its default check for FIDO/U2F keys that the signature was authorised by a touch or press event on the token hardware
  • ssh(1), sshd(8), ssh-keygen(1): add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that FIDO key signatures attest that the user touched their key to authorize them, mirroring the similar PubkeyAuthOptions sshd_config option
  • ssh-keygen(1): add support for the writing the FIDO attestation information that is returned when new keys are generated via the "-O write-attestation=/path" option. FIDO attestation certificates may be used to verify that a FIDO key is hosted in trusted hardware. OpenSSH does not currently make use of this information, beyond optionally writing it to disk
FIDO2 resident keys:
  • FIDO/U2F OpenSSH keys consist of two parts: a "key handle" part stored in the private key file on disk, and a per-device private key that is unique to each FIDO/U2F token and that cannot be exported from the token hardware. These are combined by the hardware at authentication time to derive the real key that is used to sign authentication challenges
  • For tokens that are required to move between computers, it can be cumbersome to have to move the private key file first. To avoid this requirement, tokens implementing the newer FIDO2 standard support "resident keys", where it is possible to effectively retrieve the key handle part of the key from the hardware
  • OpenSSH supports this feature, allowing resident keys to be generated using the ssh-keygen(1) "-O resident" flag. This will produce a public/private key pair as usual, but it will be possible to retrieve the private key part from the token later. This may be done using "ssh-keygen -K", which will download all available resident keys from the tokens attached to the host and write public/private key files for them. It is also possible to download and add resident keys directly to ssh-agent(1) without writing files to the file-system using "ssh-add -K"
  • Resident keys are indexed on the token by the application string and user ID. By default, OpenSSH uses an application string of "ssh:" and an empty user ID. If multiple resident keys on a single token are desired then it may be necessary to override one or both of these defaults using the ssh-keygen(1) "-O application=" or "-O user=" options. Note: OpenSSH will only download and use resident keys whose application string begins with "ssh:"
  • Storing both parts of a key on a FIDO token increases the likelihood of an attacker being able to use a stolen token device. For this reason, tokens should enforce PIN authentication before allowing download of keys, and users should set a PIN on their tokens before creating any resident keys
Other New Features:
  • sshd(8): add an Include sshd_config keyword that allows including additional configuration files via glob(3) patterns. bz2468
  • ssh(1)/sshd(8): make the LE (low effort) DSCP code point available via the IPQoS directive; bz2986
  • ssh(1): when AddKeysToAgent=yes is set and the key contains no comment, add the key to the agent with the key's path as the comment. bz2564 * ssh-keygen(1), ssh-agent(1): expose PKCS#11 key labels and X.509 subjects as key comments, rather than simply listing the PKCS#11 provider library path. PR138
  • ssh-keygen(1): allow PEM export of DSA and ECDSA keys; bz3091
  • ssh(1), sshd(8): make zlib compile-time optional, available via the Makefile.inc ZLIB flag on OpenBSD or via the --with-zlib configure option for OpenSSH portable
  • sshd(8): when clients get denied by MaxStartups, send a notification prior to the SSH2 protocol banner according to RFC4253 section 4.2
  • ssh(1), ssh-agent(1): when invoking the $SSH_ASKPASS prompt program, pass a hint to the program to describe the type of desired prompt. The possible values are "confirm" (indicating that a yes/no confirmation dialog with no text entry should be shown), "none" (to indicate an informational message only), or blank for the original ssh-askpass behaviour of requesting a password/phrase
  • ssh(1): allow forwarding a different agent socket to the path specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to accepting an explicit path or the name of an environment variable in addition to yes/no. * ssh-keygen(1): add a new signature operations "find-principals" to look up the principal associated with a signature from an allowed- signers file. * sshd(8): expose the number of currently-authenticating connections along with the MaxStartups limit in the process title visible to "ps"
Bugfixes:
  • sshd(8): make ClientAliveCountMax=0 have sensible semantics: it will now disable connection killing entirely rather than the current behaviour of instantly killing the connection after the first liveness test regardless of success. bz2627 * sshd(8): clarify order of AllowUsers / DenyUsers vs AllowGroups / DenyGroups in the sshd(8) manual page. bz1690
  • sshd(8): better describe HashKnownHosts in the manual page. bz2560
  • sshd(8): clarify that that permitopen=/PermitOpen do no name or address translation in the manual page. bz3099
  • sshd(8): allow the UpdateHostKeys feature to function when multiple known_hosts files are in use. When updating host keys, ssh will now search subsequent known_hosts files, but will add updated host keys to the first specified file only. bz2738 * All: replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations. * sftp(1): fix a race condition in the SIGCHILD handler that could turn in to a kill(-1); bz3084
  • sshd(8): fix a case where valid (but extremely large) SSH channel IDs were being incorrectly rejected. bz3098
  • ssh(1): when checking host key fingerprints as answers to new hostkey prompts, ignore whitespace surrounding the fingerprint itself
  • All: wait for file descriptors to be readable or writeable during non-blocking connect, not just readable. Prevents a timeout when the server doesn't immediately send a banner (e.g. multiplexers like sslh) * sshd_config(5): document the sntrup4591761x25519-sha512@tinyssh.org key exchange algorithm. PR#151
Portability:
  • sshd(8): multiple adjustments to the Linux seccomp sandbox: - Non-fatally deny IPC syscalls in sandbox - Allow clock_gettime64() in sandbox (MIPS / glibc >= 2.31) - Allow clock_nanosleep_time64 in sandbox (ARM) bz3100 - Allow clock_nanosleep() in sandbox (recent glibc) bz3093
  • Explicit check for memmem declaration and fix up declaration if the system headers lack it. bz3102

Related articles

Join over 500,000 subscribers.

Subscribe for our newsletter with best Mac offers from MacUpdate.

5 OpenSSH Reviews

Rate this app:

Mac2048
19 November 2006

Most helpful

I can't install OpenSSH 4.5 because it looks like the Makefile has a syntax error on line 3. It doesn't seem to like ".include" but it's happy with simply "include" without the dot. If I make that change then it gets a similar syntax error down in /usr/share/mk/bsd.own.mk (due to ".if" vs. "if"). I don't want to touch that file. The original error is: Makefile:3: *** missing separator. Stop. MacOS 10.2.8 (old, I know, which is why I want to upgrade ssh), /usr/bin/make is GNU Make version 3.79 Has anybody run into this?
Like (1)
Version 4.5
outer
22 April 2012
Does this coëxist with or overwrite Apple's implementation? If it overwrites, how can I know whether it will mess up other parts of my Apple-provided infrastructure?
Like (1)
Version 6.0
1 answer(s)
SickTeddyBear
SickTeddyBear
26 April 2012
The more important question is, why do you want to install it? Unless you understand fully the implications of installing this, just leave it alone. OpenSSH is already built-in to OS X, so just use that. Here are some GUI options: http://www.openssh.com/macos.html
Like (1)
Mac2048
19 November 2006
I can't install OpenSSH 4.5 because it looks like the Makefile has a syntax error on line 3. It doesn't seem to like ".include" but it's happy with simply "include" without the dot. If I make that change then it gets a similar syntax error down in /usr/share/mk/bsd.own.mk (due to ".if" vs. "if"). I don't want to touch that file. The original error is: Makefile:3: *** missing separator. Stop. MacOS 10.2.8 (old, I know, which is why I want to upgrade ssh), /usr/bin/make is GNU Make version 3.79 Has anybody run into this?
Like (1)
Version 4.5
2 answer(s)
resuna
resuna
31 March 2008
That means the Makefile is for BSD make, not GNU make. A configure script is possibly misidentifying the OS.
Like
Version 4.9
resuna
resuna
31 March 2008
OK, make it with "bsdmake" not "make".
Like
Version 4.9
Anonymous
28 July 2001
Download is unusable when clicked. "File does not appear to be compressed or encoded. Obtain further information about the contents of this file from the sender or provider of the file." Thanks a lot. Me, bitter? Disappointed? An utter waste of download time!
Like
Version 2.5.2
Anonymous
28 March 2001
err. ok. so it worked flawlessly today. whatever. It works like it should
Like
Version 2.5.2
Anonymous
26 March 2001
unfortunately, wouldn't let the installation complete..and yes I did go through the whole process of typing in the admin password, trying three times, etc it also reset some of my preferences in the process. &^%$@^%!
Like
Version 2.5.2