Skip to content

SSH Deep Dive — Trivia & Interesting Facts

Surprising, historical, and little-known facts about SSH.

SSH was created in 1995 because of a password-sniffing attack

Tatu Ylonen, a researcher at Helsinki University of Technology, created SSH in 1995 after a password-sniffing attack on his university's network compromised thousands of credentials. The first version (SSH-1) was released as free software and gained 20,000 users within the first six months. Ylonen later founded SSH Communications Security and made the software proprietary, which led to the creation of OpenSSH.

OpenSSH is developed by the OpenBSD project and runs on almost every server

OpenSSH was created in 1999 by the OpenBSD team as a free fork of the original SSH 1.2.12 (the last open-source version before Ylonen's company closed the source). Developed primarily by Markus Friedl, Niels Provos, Theo de Raadt, and Damien Miller, OpenSSH is installed on virtually every Linux server, macOS machine, and (since 2018) Windows 10 system in the world.

SSH keys are safer than passwords because of asymmetric cryptography

SSH public-key authentication uses key pairs where the private key never leaves the client machine. During authentication, the server sends a challenge encrypted with the public key, and only the holder of the private key can respond. No secret is ever transmitted over the network, making key-based auth immune to password sniffing, brute force (if passwords are disabled), and credential replay attacks.

SSH agent forwarding is convenient but dangerously insecure

ssh-agent forwarding (-A) lets you use your local SSH keys on remote servers without copying them. However, anyone with root access on the intermediate server can use your forwarded agent socket to authenticate as you to any server your keys can access. ProxyJump (-J) is the safer alternative — it tunnels SSH connections through jump hosts without exposing the agent.

The known_hosts file prevents man-in-the-middle attacks

The first time you connect to a server, SSH records the server's public key fingerprint in ~/.ssh/known_hosts. On subsequent connections, if the fingerprint changes, SSH refuses to connect and displays a scary warning. This Trust On First Use (TOFU) model is not perfect, but it has prevented countless MITM attacks. SSH certificates (signed by a CA) eliminate the TOFU weakness entirely.

SSH tunnels can forward any TCP protocol through an encrypted channel

Local port forwarding (-L) exposes a remote service on a local port. Remote port forwarding (-R) exposes a local service on the remote server. Dynamic port forwarding (-D) creates a SOCKS proxy that tunnels all traffic. These tunneling capabilities make SSH a poor man's VPN and have been used to bypass firewalls, access internal databases, and route traffic through restricted networks.

The SSH config file eliminates the need to remember hostnames and options

~/.ssh/config supports Host blocks with any combination of hostname, port, user, key file, jump host, and forwarding options. You can define Host prod that expands to a full connection specification with ProxyJump through a bastion, specific key, and forwarded ports. Power users often have config files with hundreds of host entries covering their entire infrastructure.

scp was deprecated in favor of sftp in OpenSSH 9.0

OpenSSH 9.0 (April 2022) switched scp to use the SFTP protocol internally by default instead of the legacy SCP/RCP protocol. The old SCP protocol had a vulnerability where a malicious server could overwrite arbitrary files on the client. The change was mostly transparent, but it broke some edge cases around wildcard expansion and non-standard server implementations.

SSH multiplexing can reduce connection time from seconds to milliseconds

The ControlMaster, ControlPath, and ControlPersist directives allow SSH to share a single TCP connection across multiple sessions to the same host. The first connection does the full handshake, but subsequent connections reuse the established channel and authenticate in under 50ms. This makes workflows that spawn many SSH connections (Ansible, git over SSH) dramatically faster.

Ed25519 keys are shorter, faster, and more secure than RSA

Ed25519 (based on Daniel Bernstein's Curve25519) produces 256-bit keys that are as secure as 3072-bit RSA keys. Ed25519 key generation, signing, and verification are all faster than RSA. The public key is only 68 characters (versus hundreds for RSA). Since OpenSSH 6.5 (2014), Ed25519 has been the recommended key type, though RSA remains widely supported for compatibility.