How do you make sense of OpenSSH?
It's got more forks than a restaurant.
OpenSSH is like a well-choreographed dance, in which every move means different things to different people—or nothing at all.
The protocol is designed to make meaningful messages look like gibberish when they traverse an unsecured network.
It plays a critical role in the IT landscape. A whole array of administrative tools and cloud platforms could not exist without it.
[This is a developing story. Subscribe and we will send you the final release.]
What OpenSSH is and what it isn’t
OpenSSH is an open-source implementation of secure shell (SSH for short), a cryptographic network protocol used to secure communications over an unsecured network. In other words: it is a choreographed dance that the participants of a communication chose to perform together in order to exchange information over an unsecured channel in a manner that cannot be understood by third parties. Got it?
Wait, where is my order?
The one and (not) only
OpenSSH is being developed as part of the OpenBSD operating system project and is specifically tailored for OpenBSD. This version is not portable as it is designed to work seamlessly within the OpenBSD environment and nowhere else.
Don´t have OpenBSD on your laptop? Too bad.
Just kidding. It’s not a problem. All you need is Portable OpenSSH and you are probably covered.
Notable Forks of OpenSSH
There are several notable forks of OpenSSH, cater to different needs, from enhancing security to ensuring compatibility across various platforms. Here are a few of the most relevant ones:
Portable OpenSSH: This is the most widely used fork, adapted to work on various Unix-like operating systems, including Linux, macOS and Cygwin (of course) .This edition includes additional features and compatibility layers that support all these starkly different platforms.
Win32-OpenSSH: Managed by PowerShell, this fork is designed to bring OpenSSH to Windows environments.
Open Quantum Safe (OQS) OpenSSH: This fork includes prototype quantum-resistant key exchange and authentication based on liboqs.
Ansible-SSHD (backed by IBM/Red Hat): An Ansible role to configure the OpenSSH server daemon.
Awesome-SSH: A curated list of SSH resources, including OpenSSH.
Some platforms and build-time options often require additional dependencies.
FIDO security token support needs libfido2 and its dependencies.
libfido2 provides library functionality and command-line tools to communicate with a FIDO device over USB or NFC, and to verify attestation and assertion signatures. libfido2 supports the FIDO U2F (CTAP 1) and FIDO2 (CTAP 2) protocols.
“Quantifiable” Risks
The rise of quantum computing presents unique challenges to modern-day cryptography at a time when remote-controlled machines have become commonplace.
The Linux Foundation has been eager to find practical solutions to the Quantum conundrum, most notably with the Open Quantum Safe (OQS) project, an open-source initiative in the Linux Foundation's Post-Quantum Cryptography Alliance.
The Open Quantum Safe (OQS) project consists of two main components:
liboqs: An open-source C library that provides quantum-resistant cryptographic algorithms.
Prototype Integrations: These are integrations into widely used protocols and applications, such as OpenSSL, to facilitate the adoption of quantum-safe cryptography.
The Bottom Line
The far-eastern proverb “May you live in interesting times” was meant as a curse.
The rise of quantum computers is indeed making life somewhat more interesting.
Links to Experimental KEMs within the Falcon and SNTRUP Cryptographic Frameworks
Exploring the realm of experimental Key Encapsulation Mechanisms (KEMs) within the Falcon and SNTRUP cryptographic frameworks reveals several noteworthy projects.
One such initiative is the constant-time hardware implementation of Streamlined NTRU Prime, accessible on GitHub. This project supports parameter sets like sntrup653, sntrup761, and sntrup857, offering experimental synthesis, elaboration, and execution capabilities via GHDL.
Falcon/SNTRUP Fork with Experimental KEMs
A smaller but active community fork that merges Falcon, SNTRUP, and other experimental KEMs. Some contributors have tested grid-based approaches (though these are often incomplete or under heavy development).Another significant endeavor is the SNTRUP_on_FPGA project, which provides a constant-time hardware implementation of Streamlined NTRU Prime tailored for FPGA platforms. This experimental code delivers performance metrics for the sntrup761 parameter set on various hardware configurations.
Additionally, the 'BAT: Small and Fast KEM over NTRU Lattices' paper introduces an IND-CCA secure KEM based on NTRU. This scheme boasts compact parameters and practical efficiency, making it particularly appealing for applications utilizing the Falcon signature, renowned for its compactness in the NIST post-quantum cryptography standardization.
These resources offer valuable insights into the experimental landscape of KEMs within the Falcon and SNTRUP frameworks, contributing to the ongoing development and optimization of post-quantum cryptographic solutions.
PQCrypto Git Repositories
The PQCrypto.eu.org site occasionally links to user-maintained or experimental forks that feature a variety of lesser-known KEM proposals, including some that are grid-based. While there is no single “official” ML-KEM build hosted here, the site’s resources and mailing list archives can point you toward experimental forks in active development.OpenSSH-Unix-Dev Mailing List Archives
Developers sometimes share patches or references to private repositories on the OpenSSH-Unix-Dev mailing list. Searching for recent threads discussing “ML-KEM,” “grid-based KEM,” or “experimental PQ patches” may reveal new or updated forks.
Because these experiments are still a work in progress, expect them to be unstable. Be sure to follow any build instructions in their respective READMEs and proceed with caution if you plan to deploy them in a production-like environment.