OpenSSH free download for Mac


27 May 2020

SSH protocol connectivity tools.


OpenSSH is a free version of the SSH connectivity tools that technical users of the Internet rely on. Users of telnet, rlogin, and ftp may not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions.

Note: While the software is classified as free, it is actually donationware. Please consider making a donation to help support development.

What's new in OpenSSH

Version 8.3:
New features:
  • sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts files but not .rhosts.
  • sshd(8): allow the IgnoreRhosts directive to appear anywhere in a sshd_config, not just before any Match blocks; bz3148 ssh(1): add %TOKEN percent expansion for the LocalFoward and RemoteForward keywords when used for Unix domain socket forwarding.
  • all: allow loading public keys from the unencrypted envelope of a private key file if no corresponding public key file is present.
  • ssh(1), sshd(8): prefer to use chacha20 from libcrypto where possible instead of the (slower) portable C implementation included in OpenSSH.
  • ssh-keygen(1): add ability to dump the contents of a binary key revocation list via "ssh-keygen -lQf /path" bz#3132
Bug fixes:
  • ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from a PKCS11Provider; bz#3141
  • ssh-keygen(1): avoid NULL dereference when trying to convert an invalid RFC4716 private key.
  • scp(1): when performing remote-to-remote copies using "scp -3", start the second ssh(1) channel with BatchMode=yes enabled to avoid confusing and non-deterministic ordering of prompts.
  • ssh(1), ssh-keygen(1): when signing a challenge using a FIDO token, perform hashing of the message to be signed in the middleware layer rather than in OpenSSH code. This permits the use of security key middlewares that perform the hashing implicitly, such as Windows Hello.
  • ssh(1): fix incorrect error message for "too many known hosts files."
  • ssh(1): make failures when establishing "Tunnel" forwarding terminate the connection when ExitOnForwardFailure is enabled; bz#3116
  • ssh-keygen(1): fix printing of fingerprints on private keys and add a regression test for same.
  • sshd(8): document order of checking AuthorizedKeysFile (first) and AuthorizedKeysCommand (subsequently, if the file doesn't match);
  • sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are not considered for HostbasedAuthentication when the target user is root; bz#3148
  • ssh(1), ssh-keygen(1): fix NULL dereference in private certificate key parsing (oss-fuzz #20074).
  • ssh(1), sshd(8): more consistency between sets of %TOKENS are accepted in various configuration options.
  • ssh(1), ssh-keygen(1): improve error messages for some common PKCS#11 C_Login failure cases; bz#3130
  • ssh(1), sshd(8): make error messages for problems during SSH banner exchange consistent with other SSH transport-layer error messages and ensure they include the relevant IP addresses bz#3129
  • various: fix a number of spelling errors in comments and debug/error messages
  • ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys from a token, don't prompt for a PIN until the token has told us that it needs one. Avoids double-prompting on devices that implement on-device authentication.
  • sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option should be an extension, not a critical option.
  • ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message when trying to use a FIDO key function and SecurityKeyProvider is empty.
  • ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within the values allowed by the wire format (u32). Prevents integer wraparound of the timeout values. bz#3119
  • ssh(1): detect and prevent trivial configuration loops when using ProxyJump. bz#3057.
  • Detect systems where signals flagged with SA_RESTART will interrupt select(2). POSIX permits implementations to choose whether select(2) will return when interrupted with a SA_RESTART-flagged signal, but OpenSSH requires interrupting behaviour.
  • Several compilation fixes for HP/UX and AIX.
  • On platforms that do not support setting process-wide routing domains (all excepting OpenBSD at present), fail to accept a configuration attempts to set one at process start time rather than fatally erroring at run time. bz#3126
  • Improve detection of egrep (used in regression tests) on platforms that offer a poor default one (e.g. Solaris).
  • A number of shell portability fixes for the regression tests.
  • Fix theoretical infinite loop in the glob(3) replacement implementation.
  • Fix seccomp sandbox compilation problems for some Linux configurations bz#3085
  • Improved detection of libfido2 and some compilation fixes for some configurations when --with-security-key-builtin is selected.

Related articles

Join over 500,000 subscribers.

Subscribe for our newsletter with best Mac offers from MacUpdate.

How would you rate OpenSSH app?

5 Reviews of OpenSSH

22 April 2012
Version: 6.0

Most helpful

Does this coëxist with or overwrite Apple's implementation? If it overwrites, how can I know whether it will mess up other parts of my Apple-provided infrastructure?
22 April 2012
Version: 6.0
Does this coëxist with or overwrite Apple's implementation? If it overwrites, how can I know whether it will mess up other parts of my Apple-provided infrastructure?
Show comment (1)
19 November 2006
Version: 4.5
I can't install OpenSSH 4.5 because it looks like the Makefile has a syntax error on line 3. It doesn't seem to like ".include" but it's happy with simply "include" without the dot. If I make that change then it gets a similar syntax error down in /usr/share/mk/ (due to ".if" vs. "if"). I don't want to touch that file. The original error is: Makefile:3: *** missing separator. Stop. MacOS 10.2.8 (old, I know, which is why I want to upgrade ssh), /usr/bin/make is GNU Make version 3.79 Has anybody run into this?
Show comments (2)
28 July 2001
Version: 2.5.2
Download is unusable when clicked. "File does not appear to be compressed or encoded. Obtain further information about the contents of this file from the sender or provider of the file." Thanks a lot. Me, bitter? Disappointed? An utter waste of download time!
28 March 2001
Version: 2.5.2
err. ok. so it worked flawlessly today. whatever. It works like it should
26 March 2001
Version: 2.5.2
unfortunately, wouldn't let the installation complete..and yes I did go through the whole process of typing in the admin password, trying three times, etc it also reset some of my preferences in the process. &^%$@^%!