Talk:OpenSSH
This is the talk page for discussing improvements to the OpenSSH article. This is not a forum for general discussion of the subject of the article.
This article is rated B-class on Wikipedia's content assessment scale.
Wikibooks as further reading
There is a wikibook available under a CC license that can be linked to for Further Reading. http://en.wikibooks.org/wiki/OpenSSH What is needed to bring it up to the level where it can be included here? [18 Nov 2012] — Preceding unsigned comment added by 88.193.52.2 (talk) 13:24, 18 November 2012 (UTC)
Done The Wikibooks link is present in External Links via {{Wikibooks}}. Sparks19923 (talk) 10:07, 21 May 2026 (UTC)
openssh.com vs. openssh.org
My understanding was that openssh.COM was the official domain name for the OpenSSH project, and openssh.ORG is not under the developers' control. Does anyone know why the article shows the website as http://www.openssh.org ? Both domains point to the same site at the moment, but it seems to me the article should really be showing the official domain name... EclecticMonk (talk) 14:40, 8 April 2008 (UTC)
- Try using nslookup, it's not so hard. 74.13.60.58 (talk) 23:51, 9 April 2008 (UTC)
- While they currently point to the same IP address, the concern was over the domain name ownership. Try using whois, it's not so hard. --Karnesky (talk) 01:33, 10 April 2008 (UTC)
- I see you've updated it; fantastic. I probably should have just gone in and changed it, but I'm new here and lacking confidence :-) EclecticMonk (talk) 11:17, 15 April 2008 (UTC)
Done The infobox and external links now use openssh.com via {{URL}} and {{Official website}}. Sparks19923 (talk) 10:07, 21 May 2026 (UTC)
OpenSSH 6.8 features
Hello, MureninC! Regarding your edit that added new features for not-yet-released OpenSSH 6.8, in general we should stick to describing already released versions; as summed up in my revert, the section is called "Versions", not "Future versions". Also, the fact that code for some feature has been committed into project's source code repository doesn't necessarily mean that it's going to be part of the next release – it can always be reverted for some reason before 6.8 is actually released. As we know, the content you've added isn't lost, and can be easily restored once 6.8 is released. Hoping that you agree, I'm open to discussing this further. — Dsimic (talk | contribs) 21:03, 13 February 2015 (UTC)
- Hello, Dsimic! No, I do not agree; please see WP:FUTURE:
It is appropriate to report discussion and arguments about the prospects for success of future proposals and projects or whether some development will occur, if discussion is properly referenced.
If you remove valid stuff from the article, it is lost. We cannot babysit the article to make sure that the information is placed back when the new release is released, such manual process and manual reminders and backnotes just don't make any sense in the context of Wikipedia, and are just not scalable, not to mention that they impact the ability of the non-English Wikipedias to have enough time to pick up any such information. Moreover, if you personally feel that "Versions" means "Past Versions" and can under no circumstance include upcoming ones, then you should move the new content under a new "New/Upcoming Versions" section, instead of removing it outright (however, I think such interpretation and the implied necessity of a "Future versions" section seem to be inconsistent with the no-branch release model of both OpenSSH and OpenBSD). MureninC (talk) 05:20, 14 February 2015 (UTC)
- Please don't get me wrong, but you should speak for yourself – I do "babysit" articles, by reviewing all edits and maintaining my own to-do list that contains various tasks. Also, no "babysitting" almost always ends up in low-quality articles, software projects, you name it. With that in mind, you should be aware that I would be returning the content once OpenSSH 6.8 is released, if it would be still relevant of course. Mentioning scalability as an argument makes no sense whatsoever, as the rate at which substantial chunks of good-quality new content are added into Wikipedia (at least into computing-related articles) is quite low. Oh, and by the way, Slashdot posts shouldn't be used as reliable sources. Anyway, I can also be careless to the same degree; thus, I can live with your addition to the article. — Dsimic (talk | contribs) 06:22, 14 February 2015 (UTC)
Done All Slashdot citations have been replaced with official OpenSSH release notes and secondary press sources (Ars Technica, Computerworld). Sparks19923 (talk) 10:07, 21 May 2026 (UTC)
New Lead as of 3-3-2015
I have gone through and created a new lead within the article as part of a project for this course. I am open to constructive criticism and hope to make this article the best it can be. Thank You. JRammy (talk) 15:40, 2 March 2015 (UTC)
- Hello! First off, why is the whole lead section bunched together into a single paragraph? That makes it so unreadable. Next, where did you get the "OpenBSD Secure Shell" part from? Following that, stating that OpenSSH is an "alternative to the proprietary SSH network protocol" is pretty much wrong, as it's an alternative implementation of the endpoints for the same protocol. I have more suggestions, but let's go with a few at a time, if you agree. :) — Dsimic (talk | contribs) 13:21, 7 March 2015 (UTC)
- @Dsimic: I am definitely open to improvement and corrections. I used the initial statement from the previous version by user MureninC stating that OpenSSH was also known as Open BSD Secure Shell. I also confirmed the information via this link. As for the formatting, it was just a single thought, so I wrote it as a single intro paragraph. I am open to breaking it up. In the statement referencing an alternative version, I was referring to an alternative option or a free version of the SSH protocol. It may be semantics here, but I believe we are getting at the same thing. My understanding is that the OpenSSH protocol came from an earlier fork of the SSH protocol before its source was closed and is now being distributed as an open source alternative to the SSH protocol that is not open source. If my understanding is incorrect, I am certainly open to correcting it. JRammy (talk) 02:31, 9 March 2015 (UTC)
- @JRammy: My apologies for a delayed response, got distracted with all the work on other articles. First off, IMHO breaking the lede into three paragraphs made it much more readable. Speaking of "Open BSD Secure Shell", on second thought mentioning that name shouldn't hurt, however to my knowledge it's mainly used in various sshd startup scripts so noting that using a short {{Efn}} note might be a good thing.
- Regarding the wording around the SSH protocol itself, please see the OpenSSH protocol specifications and this OpenSSH FAQ entry; in other words, there are no two different versions of the SSH protocols, and—apart from minor incompatibilities—OpenSSH and the commercial SSH implementation are able to interoperate. Thus, the lede should say something like "open-source alternative to the proprietary SSH implementation" instead of "open source alternative to the proprietary SSH network protocol". Also, stating that the commercial SSH implementation "is commonly used to secure data communications" might be misleading until there are some references providing such statistics.
- I'm probably going to have a few more suggestions, but let's discuss these first – if you agree, of course. :) — Dsimic (talk | contribs) 13:36, 22 March 2015 (UTC)
- @Dsimic: I am amenable to all those changes and have incorporated them. Sorry for the delay in responding. Our class project is over and I haven't logged into Wikipedia in quite some time. JRammy (talk) 13:24, 27 March 2015 (UTC)
- No worries about the delay. I'm glad that you agree with those suggestions; I've cleaned up the lead section a bit further, hopefully you'll agree with those changes. — Dsimic (talk | contribs) 17:15, 27 March 2015 (UTC)
Done The 2026 rewrite expands the lead to four paragraphs per WP:LEAD and reworks the first sentence to describe OpenSSH as an implementation of the SSH protocol rather than an alternative to it. Sparks19923 (talk) 10:07, 21 May 2026 (UTC)
Tatu Ylönen link
Why does the Tatu Ylönen link redirect to https://en.wikipedia.org/wiki/Secure_Shell_Protocol?
Done Hi, @XP 2600: Tatu Ylönen redirects back here because different people created a number of redirects redirecting to each other to facilitate searches (Tectia, Tatu Ylönen, may be more). I have removed the link on Tatu Ylönen because it does not serve any purpose, as you noticed. Anton.bersh (talk) 08:36, 10 June 2021 (UTC)
- Thank you! XP_2600 (talk) 10:58, 7 August 2024 (UTC)
- Confirmed: Tatu Ylönen remains unlinked in the current article text. Sparks19923 (talk) 10:07, 21 May 2026 (UTC)
Vulnerabilities: regreSSHion
RCE; affects a LOT of systems (excluding OpenBSD).
https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt 2A02:AB88:6A88:9A80:892:5FDA:5E09:7528 (talk) 16:40, 4 July 2024 (UTC)
- https://www.cve.org/CVERecord/SearchResults?query=OpenSSH
- and
- https://www.cve.org/CVERecord/SearchResults?query=Openbsd
- may have more information about some vulnerabilities that may have been found in openssh and openbsd. It also may have information if and when these may or may not have been patched.
- I do not know about any security problems in the blobs that may forbid reverse engineering by licenses in these programs and operating systems, but it could help the "may need to be rewritten" vulnerabilities section about OpenSSH. It could also help to show what time these were found and what operating systems are affected by what vulnerabilities.
- Other Cody (talk) 21:13, 18 February 2026 (UTC)
Done regreSSHion (CVE-2024-6387) is now covered in a dedicated subsection of the new "Security history" section, citing the Qualys advisory and Ars Technica. The XZ Utils supply chain attack (CVE-2024-3094) is covered in the adjacent subsection. Sparks19923 (talk) 10:07, 21 May 2026 (UTC)
May 2026 article revision
The article has been substantially rewritten. The previous version was C-class: a thin lead, a large unstructured version table, stub-level prose, and a "Vulnerabilities" section tagged for rewrite since 2017. The following changes have been made.
New sections
- History (new): three subsections — "Origins in SSH and OSSH" (covering the 1999 OSSH fork, the OpenBSD import on 26 September 1999, and the OpenSSH 1.2.2 / OpenBSD 2.6 release on 1 December 1999); "Development and protocol evolution" (privilege separation in 3.2, ECDSA in 5.7, Ed25519/ChaCha20-Poly1305 in 6.5, DSA deprecation in 7.0, ssh-rsa disabled in 8.8); "Windows integration" (Microsoft's October 2015 announcement and inclusion in Windows 10 1803).
- Architecture (new): three subsections — "Suite components" (all seven programs); "Authentication" (password, public key, host-based, keyboard-interactive, GSSAPI, PAM/BSD Auth, FIDO2); "Privilege separation" (monitor/worker split; pledge(2) on OpenBSD).
- Features (new): two subsections — "Tunneling and port forwarding" (local, remote, dynamic/SOCKS, tun-based VPN from 4.3); "Supported public key types" (DSA, RSA, ECDSA, Ed25519, rsa-sha2, FIDO2 variants with version and deprecation history).
- Trademark dispute (new): covers Ylönen's February 2001 trademark claim, the IETF working group's rejection, and the generic-trademark analysis.
Security history (replaces "Vulnerabilities", tagged for rewrite since May 2017): five named subsections — CBC mode vulnerability (fixed in 5.2); local privilege escalation CVE-2015-6565 (fixed in 7.0); roaming information leak CVE-2016-0777/CVE-2016-0778 (removed in 7.1p2); XZ Utils supply chain attack (CVE-2024-3094, March 2024); regreSSHion CVE-2024-6387 (disclosed 1 July 2024, fixed in 9.8p1).
Lead: expanded from one paragraph to four per WP:LEAD. First sentence corrected to "implementation of the SSH protocol" (not "alternative to"). regreSSHion and Windows bundling added to the lead summary.
Infobox: removed hardcoded logo size = 190px; added logo alt; fixed genre from Remote access to Remote access software; replaced raw RFC numbers with {{IETF RFC}} templates; added website = {{URL}}.
Short description: changed from 58 characters to "Free and open-source SSH suite" (30 characters, within the 40-character limit).
Developer links: Theo de Raadt and Niels Provos are now wikilinked at first occurrence. Tatu Ylönen remains unlinked (his article redirects to Secure Shell Protocol; see thread above).
Citations: all Slashdot references replaced with official OpenSSH release notes and secondary sources (Ars Technica, Computerworld). All bare-URL <ref>[URL]</ref> entries converted to {{cite web}}, {{cite news}}, or {{cite mailing list}}. Archive URLs added to all web references.
Dates: MDY dates corrected to DMY throughout, consistent with the existing {{Use dmy dates}} tag.