# Install openssh with Homebrew, apk, chocolatey, apt, dnf, MacPorts, Nix, pacman, scoop, zypper, winget

OpenBSD freely-licensed SSH connectivity tools. Version 10.4p1 via Homebrew; verified 2026-07-06.

## Install

```sh
sudo av install brew:openssh
```

## Agent safety answer

openssh provides remote login, key, and transfer tools with broad host access.

- **Credential access:** Reads SSH keys, agent sockets, known hosts, config, and forwarded credentials.
- **Remote mutation:** Can execute commands and transfer files on remote hosts.
- **Publish/artifact risk:** Can deploy files, change servers, and expose forwarded credentials.
- **Recommended control:** Gate remote command execution, scp/sftp writes, key generation, and agent forwarding.
- **Agent-use guidance:** Allow local key inspection; require approval before connecting to or mutating remote hosts.

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install openssh
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install openssh
```

  Evidence: MacPorts ports tree: net/openssh/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- apk (92%):

```sh
sudo apk add openssh
```

  Evidence: Alpine Linux edge package indexes: openssh from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz

- Debian apt (92%):

```sh
sudo apt install openssh-client
```

  Evidence: Debian stable package indexes: openssh-client from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- dnf (92%):

```sh
sudo dnf install openssh
```

  Evidence: Fedora Rawhide package metadata: openssh from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

- Nix (92%):

```sh
nix profile install nixpkgs#openssh
```

  Evidence: nixpkgs package indexes: openssh from https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/all-packages.nix

- pacman (92%):

```sh
sudo pacman -S openssh
```

  Evidence: Arch Linux sync databases: openssh from https://geo.mirror.pkgbuild.com/core/os/x86_64/core.db.tar.gz

- zypper (92%):

```sh
sudo zypper install openssh
```

  Evidence: openSUSE Tumbleweed package metadata: openssh from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

### Windows

- Chocolatey (92%):

```sh
choco install openssh
```

  Evidence: Chocolatey community package catalog: openssh from http://community.chocolatey.org/api/v2/Packages?$filter=IsLatestVersion&$select=Id&$top=1000&$skiptoken='11','office365homepremium'

- Scoop (92%):

```sh
scoop install main/openssh
```

  Evidence: Scoop official bucket manifest trees: bucket/openssh.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

- winget (92%):

```sh
winget install --id Syncplify.Server -e
```

  Evidence: Windows Package Manager source index: Syncplify.Server from https://cdn.winget.microsoft.com/cache/source.msix

## Package facts

- **Package key:** brew:openssh
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/openssh>
- **Version:** 10.4p1
- **Source summary:** OpenBSD freely-licensed SSH connectivity tools
- **Homepage:** <https://www.openssh.com/>
- **Repository:** <https://anongit.mindrot.org/openssh.git>
- **Upstream docs:** <https://www.openssh.com/manual.html>
- **License:** SSH-OpenSSH
- **Source archive:** <https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-10.4p1.tar.gz>
- **Last updated:** 2026-07-06T18:10:51Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- scp (cli)
- sftp (cli)
- slogin (cli)
- ssh (cli)
- ssh-add (cli)
- ssh-agent (cli)
- ssh-keygen (cli)
- ssh-keyscan (cli)
- sshd (cli)
- scp (alias)
- sftp (alias)
- slogin (alias)
- ssh (alias)
- ssh-add (alias)
- ssh-agent (alias)
- ssh-keygen (alias)
- ssh-keyscan (alias)
- sshd (alias)

## Dependencies

- ldns
- libfido2
- openssl@3

## Build dependencies

- pkgconf

## Uses from macOS

- krb5
- libedit
- libxcrypt

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 10.4p1
- Package-manager updated: 2026-07-06
- Local data: ok
- Upstream repository: https://www.openssh.com/
- info: Release/tag comparison is only available for GitHub repositories.
## Project history and usage

OpenSSH is the OpenBSD project's freely licensed implementation of the SSH protocol suite: remote login, remote command execution, file transfer, key management, agent forwarding, and server-side SSH access. The package includes `ssh`, `sshd`, `scp`, `sftp`, `ssh-keygen`, `ssh-agent`, `ssh-add`, and related tools.

### Project history

OpenSSH began in 1999 when OpenBSD developers forked Bjorn Gronvall's OSSH, itself derived from Tatu Ylonen's last sufficiently free ssh 1.2.12 release. The OpenSSH project history describes the goal as freeing SSH from license restrictions, cleaning up the code, and maintaining it under the OpenBSD security-audit culture.

The initial import landed on September 26, 1999, shortly before OpenBSD 2.6. The early team removed portability clutter, replaced problematic cryptographic and GPL components, repaired bugs, restored features, and added support for SSH 1.5 and later SSH 2. The OpenBSD manual credits Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song with creating OpenSSH from the original free ssh base.

OpenSSH's project goal was explicit: because telnet and rlogin are insecure, operating systems should ship SSH support. SSH 2 support became usable around May 4, 2000, solving the integrity and patent-era problems of SSH 1 and giving OpenSSH the protocol base that would become standard for secure administration.

### Adoption history

OpenSSH became infrastructure software because it replaced insecure remote-login and file-transfer tools with a default, scriptable, auditable SSH suite. The portable release made the OpenBSD code usable on Linux, macOS, Cygwin, Solaris, AIX, HP-UX, and other Unix-like systems by adding compatibility layers, PAM/auditing hooks, and platform-specific sandboxing.

Package managers generally split OpenSSH into client and server packages or ship it in the operating-system base. Homebrew's `openssh` formula exists for users who want a packaged OpenSSH newer or different from the system copy, with dependencies such as libfido2 and OpenSSL for modern authentication and crypto support.

### How it is used

Operators use OpenSSH for daily host access, jump hosts, port forwarding, remote command execution, Git-over-SSH, rsync transport, and automated deployments. Developers touch the package through keys, `~/.ssh/config`, known-host verification, `ssh-agent`, `scp`/`sftp`, and server configuration in `sshd_config`.

OpenSSH also functions as a security policy surface. Choices such as allowed key algorithms, FIDO/U2F support, host key rotation, agent forwarding, chrooting, and subsystem configuration are all exposed through a familiar command and config ecosystem.

### Why package nerds care

OpenSSH is one of the canonical examples of a package becoming part of the operating-system substrate. It is both an upstream security project and a downstream packaging problem: vendors patch it, split client/server binaries, coordinate crypto-library choices, and backport fixes because remote access breakage can lock administrators out of machines.

For package nerds, OpenSSH is also a portability case study. The upstream OpenBSD version stays small and tightly audited, while portable OpenSSH carries the compatibility code that lets one security-sensitive codebase work across many Unix variants.

### Timeline

- 1999: OpenBSD developers fork OSSH and import the code on September 26.
- December 1, 1999: OpenBSD 2.6 ships with OpenSSH.
- May 4, 2000: SSH 2 support is implemented sufficiently to be usable.
- 2017: OpenSSH 7.6 removes SSH 1 protocol support.
- 2026: Homebrew packages OpenSSH 10.3p1 in the `openssh` formula.

### Related projects

- OpenSSH descends from Tatu Ylonen's original SSH and Bjorn Gronvall's OSSH. It interacts with crypto libraries such as LibreSSL, OpenSSL, AWS-LC, and BoringSSL, and it overlaps operationally with file-transfer tools, bastion-host systems, VPNs, and configuration-management systems.

### Sources

- <https://formulae.brew.sh/formula/openssh>
- <https://github.com/openssh/openssh-portable>
- <https://man.openbsd.org/ssh.1>
- <https://www.openssh.com/goals.html>
- <https://www.openssh.com/history.html>
- <https://www.openssh.com/portable.html>


## Security Notes

broad file, network, media, or database tool signal.

- **Geiger risk:** blue / medium
- broad file, network, media, or database tool signal


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: ~/.ssh/config

## Credential files

- Unix: ~/.ssh/id_*, ~/.ssh/config
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** openssh
- **Version Scheme:** 0
- **Revision:** 0
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** stable

## Other Package-Manager Records

- Debian apt - openssh-client - 1:10.0p1-7+deb13u4: normalized package name match | Debian stable package indexes: openssh-client from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | secure shell (SSH) client, for secure access to remote machines | https://www.openssh.com/
- Debian apt - openssh-client-gssapi - 1:10.0p1-7+deb13u4: normalized package name match | Debian stable package indexes: openssh-client-gssapi from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | secure shell (SSH) client, with GSS-API support | https://www.openssh.com/
- Debian apt - openssh-server - 1:10.0p1-7+deb13u4: normalized package name match | Debian stable package indexes: openssh-server from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | secure shell (SSH) server, for secure access from remote machines | https://www.openssh.com/
- Debian apt - openssh-server-gssapi - 1:10.0p1-7+deb13u4: normalized package name match | Debian stable package indexes: openssh-server-gssapi from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | secure shell (SSH) server, with GSS-API key exchange | https://www.openssh.com/
- Debian apt - openssh-sftp-server - 1:10.0p1-7+deb13u4: normalized package name match | Debian stable package indexes: openssh-sftp-server from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | secure shell (SSH) sftp server module, for SFTP access from remote machines | https://www.openssh.com/
- Debian apt - openssh-tests - 1:10.0p1-7+deb13u4: normalized package name match | Debian stable package indexes: openssh-tests from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | OpenSSH regression tests | https://www.openssh.com/
- Debian apt - ssh - 1:10.0p1-7+deb13u4: normalized package name match | Debian stable package indexes: ssh from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | secure shell client and server (metapackage) | https://www.openssh.com/
- Debian apt - ssh-askpass-gnome - 1:10.0p1-7+deb13u4: normalized package name match | Debian stable package indexes: ssh-askpass-gnome from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | interactive X program to prompt users for a passphrase for ssh-add | https://www.openssh.com/
- Nix - openssh: normalized package name match | nixpkgs package indexes: openssh from https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/all-packages.nix
- Ubuntu apt - openssh-client - 1:9.6p1-3ubuntu13: normalized package name match | Ubuntu 24.04 LTS package indexes: openssh-client from https://archive.ubuntu.com/ubuntu/dists/noble/main/binary-amd64/Packages.gz | secure shell (SSH) client, for secure access to remote machines | https://www.openssh.com/
- Ubuntu apt - openssh-server - 1:9.6p1-3ubuntu13: normalized package name match | Ubuntu 24.04 LTS package indexes: openssh-server from https://archive.ubuntu.com/ubuntu/dists/noble/main/binary-amd64/Packages.gz | secure shell (SSH) server, for secure access from remote machines | https://www.openssh.com/
- Ubuntu apt - openssh-sftp-server - 1:9.6p1-3ubuntu13: normalized package name match | Ubuntu 24.04 LTS package indexes: openssh-sftp-server from https://archive.ubuntu.com/ubuntu/dists/noble/main/binary-amd64/Packages.gz | secure shell (SSH) sftp server module, for SFTP access from remote machines | https://www.openssh.com/
- Ubuntu apt - openssh-tests - 1:9.6p1-3ubuntu13: normalized package name match | Ubuntu 24.04 LTS package indexes: openssh-tests from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | OpenSSH regression tests | https://www.openssh.com/
- Ubuntu apt - ssh - 1:9.6p1-3ubuntu13: normalized package name match | Ubuntu 24.04 LTS package indexes: ssh from https://archive.ubuntu.com/ubuntu/dists/noble/main/binary-amd64/Packages.gz | secure shell client and server (metapackage) | https://www.openssh.com/
- Ubuntu apt - ssh-askpass-gnome - 1:9.6p1-3ubuntu13: normalized package name match | Ubuntu 24.04 LTS package indexes: ssh-askpass-gnome from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | interactive X program to prompt users for a passphrase for ssh-add | https://www.openssh.com/
- apk - openssh - 10.3_p1-r0: normalized package name match | Alpine Linux edge package indexes: openssh from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | Port of OpenBSD's free SSH release | https://www.openssh.com/portable.html


## Related links

- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [ldns](https://www.automicvault.com/pkg/brew/ldns/) - Runtime dependency declared by Homebrew.
- [libfido2](https://www.automicvault.com/pkg/brew/libfido2/) - Runtime dependency declared by Homebrew.
- [openssl@3](https://www.automicvault.com/pkg/brew/openssl-3/) - Runtime dependency declared by Homebrew.
- [pkgconf](https://www.automicvault.com/pkg/brew/pkgconf/) - Build dependency declared by Homebrew.
- [ssh-copy-id](https://www.automicvault.com/pkg/brew/ssh-copy-id/) - Shares the same upstream homepage.
- [botan](https://www.automicvault.com/pkg/brew/botan/) - Shares av.db curated category or tags: cli, cryptography, security.
- [ccrypt](https://www.automicvault.com/pkg/brew/ccrypt/) - Shares av.db curated category or tags: cli, cryptography, security.
- [cfssl](https://www.automicvault.com/pkg/brew/cfssl/) - Shares av.db curated category or tags: cli, cryptography, security.
- [gmssl](https://www.automicvault.com/pkg/brew/gmssl/) - Shares av.db curated category or tags: cli, cryptography, security.
- [gnupg-pkcs11-scd](https://www.automicvault.com/pkg/brew/gnupg-pkcs11-scd/) - Shares av.db curated category or tags: cli, cryptography, security.
- [gnutls](https://www.automicvault.com/pkg/brew/gnutls/) - Shares av.db curated category or tags: cli, cryptography, security.
- [gpgme](https://www.automicvault.com/pkg/brew/gpgme/) - Shares av.db curated category or tags: cli, cryptography, security.
- [hopenpgp-tools](https://www.automicvault.com/pkg/brew/hopenpgp-tools/) - Shares av.db curated category or tags: cli, cryptography, security.
- [libxmlsec1](https://www.automicvault.com/pkg/brew/libxmlsec1/) - Security-sensitive metadata or terminology overlaps. Shared terms: cli, cryptography, openssl, openssl-3, security.

## Combined YAML source

View the package source record on GitHub. [combined/openssh.yml](https://github.com/automic-vault/db/blob/main/combined/openssh.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
- curated agent safety answer
