Technical Beauty ■ Episode 10
In 1999, the original SSH implementation was drifting the way free software drifts once a commercial entity starts adding licence restrictions. Features accumulated. The codebase grew. Audit coverage did not keep pace. The tool that was supposed to secure every remote connection was itself becoming a liability.
Theo de Raadt and the OpenBSD team looked at this trajectory and did what they have always done when software disappoints them: they forked the last freely licensed release (ssh 1.2.12, by way of Björn Grönvall's OSSH), stripped it down, and audited every line. The result is OpenSSH, first shipped with OpenBSD 2.6 in December 1999. It runs on 32 million internet-facing servers. It is the default SSH implementation on every Linux distribution, every BSD, macOS, and Windows 10 since 2018. Not because it is feature-rich. Because it is correct.
The Architect
De Raadt founded the OpenBSD project in 1995 with a single conviction: security is not a feature you add; it is a property that emerges from removing everything that is not necessary. He has maintained this position for three decades with a consistency that borders on the geological. The OpenBSD team does not ship code that has not been audited. They do not enable features by default that increase attack surface. They do not trust vendor claims about hardware, about compilers, about operating system guarantees.
“I have always felt that vendor systems were not designed for quality.” That is not cynicism. It is an engineering observation with thirty years of evidence behind it.
The Problem
Every server that faces the internet exposes a surface. The question is not whether attackers will probe it but how little they will find when they do. The original SSH solved the encryption problem: your credentials no longer crossed the wire in plain text. But the daemon itself was a monolithic process running as root. If an attacker found a vulnerability in the parsing code, in the key exchange, in any of the thousands of lines that handle network input, they owned the machine. Root. Game over. The lock on the front door was excellent, but the entire house was a single room.
The Architecture
In 2002, Niels Provos and the OpenSSH team introduced privilege separation (OpenSSH 3.2.2). The design is disarmingly simple. When a connection arrives, the SSH daemon forks into two processes. One is the privileged monitor: a small, tightly audited process that keeps root and performs, on request, only the operations that need it, such as checking a password or a public key against the system's databases. The other is the unprivileged worker: it handles everything that touches the network, packet parsing, key exchange, the authentication protocol, channel management, compression, running as a dedicated unprivileged user inside an empty chroot (/var/empty) and, since 2012, further confined by an operating-system sandbox (seccomp-bpf on Linux; systrace and later pledge() on OpenBSD). Once the monitor accepts the authentication, it forks a fresh worker as the authenticated user and the pre-authentication process goes away.
Seventy-five per cent of the codebase runs unprivileged. The attack surface that faces the network, the parsing, the decompression, the protocol negotiation, all the code most likely to contain a vulnerability, runs without the ability to do anything catastrophic even if compromised. The privileged monitor communicates with the worker through a narrow, well-defined interface. It does not trust the worker. It validates every request. The architecture assumes that the unprivileged code will be compromised, and contains the damage when it is.
This is more than defence in depth in the usual sense. Defence in depth implies layers of mitigation wrapped around a single process that still holds every privilege. This is structural separation. The question is not “how do we prevent bugs?” but “how do we ensure that a bug in the 75 per cent of the codebase that talks to the network cannot escalate to root?”
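The shape of that contract, as an added example (this is not OpenSSH's own code, which lives in monitor.c and monitor_wrap.c and is far larger): a monitor and a worker connected by a socketpair, one fixed-size request type as the whole interface, and a monitor that checks every field before using it. The two-entry user table, the "USER <name>" line format, the request encoding and the sample input are constructed for the demo; the privilege drop mirrors sshd's (chroot to /var/empty, switch to an unprivileged account) and only acts when the program is started as root.

```c
#include <ctype.h>
#include <grp.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* The narrow interface between worker and monitor: one fixed-size request, one reply byte.
 * Nothing else crosses the socketpair, so this struct is the entire surface the monitor defends. */
enum { OP_AUTH_USER = 1 };
enum { NAME_MAX_LEN = 31 };
struct req { uint8_t op; uint8_t len; char name[NAME_MAX_LEN + 1]; };
enum { REPLY_MALFORMED = -1, REPLY_DENY = 0, REPLY_ALLOW = 1 };

/* Constructed stand-in for the privileged lookups (passwd, authorized_keys) a real monitor performs. */
static const char *const known_users[] = { "alice", "bob" };

/* Monitor side. The worker is assumed compromised: every field is validated before it is used,
 * and the length is range-checked before it indexes anything. */
int monitor_decide(const struct req *r) {
    if (r->op != OP_AUTH_USER) return REPLY_MALFORMED;
    if (r->len == 0 || r->len > NAME_MAX_LEN) return REPLY_MALFORMED;
    if (r->name[r->len] != '\0') return REPLY_MALFORMED;          /* length must match the terminator */
    if (memchr(r->name, '\0', r->len) != NULL) return REPLY_MALFORMED; /* no embedded NUL */
    for (size_t i = 0; i < r->len; i++)
        if (!isalnum((unsigned char)r->name[i])) return REPLY_MALFORMED;
    for (size_t i = 0; i < sizeof known_users / sizeof known_users[0]; i++)
        if (strcmp(r->name, known_users[i]) == 0) return REPLY_ALLOW;
    return REPLY_DENY;
}

/* Build a request from plain scalars and let the monitor judge it. */
int check_request(uint8_t op, uint8_t len, const char *name) {
    struct req r = { op, len, { 0 } };
    strncpy(r.name, name, NAME_MAX_LEN);
    return monitor_decide(&r);
}

/* Worker side: parses the untrusted network line "USER <name>\r\n". This is the code that runs
 * without privileges; a bug here hands an attacker the worker, not root. */
int worker_parse_login(const char *line, struct req *out) {
    memset(out, 0, sizeof *out);
    if (strncmp(line, "USER ", 5) != 0) return -1;
    size_t n = strcspn(line + 5, "\r\n");
    if (n == 0 || n > NAME_MAX_LEN) return -1;
    memcpy(out->name, line + 5, n);
    out->len = (uint8_t)n;
    out->op = OP_AUTH_USER;
    return 0;
}

/* Drop root in the worker the way sshd does: chroot to an empty directory, then switch to an
 * unprivileged account. Only acts when running as root, so the demo also runs unprivileged. */
static void drop_privileges(void) {
    if (geteuid() != 0) return;
    struct passwd *pw = getpwnam("nobody");
    mkdir("/var/empty", 0755);                         /* exists on OpenBSD; created here if missing */
    if (!pw || chroot("/var/empty") != 0 || chdir("/") != 0) _exit(1);
    if (setgroups(0, NULL) != 0 || setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) _exit(1);
}

/* Fork into monitor (parent, keeps privileges) and worker (child, drops them).
 * Returns allowed*100 + denied*10 + malformed, as tallied by the monitor. */
int run_privsep_demo(void) {
    /* Constructed sample input, as clients would send it. */
    static const char *const lines[] = { "USER alice\r\n", "USER mallory\r\n", "USER bob\r\n", "garbage\r\n" };
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                    /* worker */
        close(sv[0]);
        drop_privileges();
        struct req r; uint8_t reply;
        for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
            if (worker_parse_login(lines[i], &r) != 0) continue;   /* unparseable lines never reach the monitor */
            if (write(sv[1], &r, sizeof r) != (ssize_t)sizeof r || read(sv[1], &reply, 1) != 1) _exit(1);
        }
        /* Now pretend the worker has been taken over: a hand-built request with an impossible length. */
        struct req evil = { OP_AUTH_USER, 200, "alice" };
        if (write(sv[1], &evil, sizeof evil) != (ssize_t)sizeof evil || read(sv[1], &reply, 1) != 1) _exit(1);
        _exit(0);
    }
    close(sv[1]);                                      /* monitor */
    int allowed = 0, denied = 0, malformed = 0;
    struct req r;
    while (read(sv[0], &r, sizeof r) == (ssize_t)sizeof r) {   /* 34-byte messages on a local stream socket */
        int verdict = monitor_decide(&r);
        if (verdict == REPLY_ALLOW) allowed++; else if (verdict == REPLY_DENY) denied++; else malformed++;
        uint8_t reply = (verdict == REPLY_ALLOW) ? REPLY_ALLOW : REPLY_DENY;  /* worker learns only allow/deny */
        if (write(sv[0], &reply, 1) != 1) break;
    }
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return allowed * 100 + denied * 10 + malformed;
}

int main(void) {
    printf("monitor tally (allowed*100 + denied*10 + malformed): %d\n", run_privsep_demo());
    return 0;
}
```

The point to notice is where the checks live. The worker's parser can be as sloppy as you like; the monitor still refuses the oversized request, because it never trusts the worker's length field, and it never hands back more than an allow/deny byte. Run as root, the worker is also chrooted and de-privileged before it reads its first byte, which is the same ordering sshd uses.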
The Track Record
Twenty-five years in production. Default on every major operating system. Thirty-two million internet-facing instances counted by Shodan. And for eighteen of those years, not a single unauthenticated remote code execution vulnerability in sshd's default configuration.
In 2024, that record ended. CVE-2024-6387, named regreSSHion by the Qualys research team, was a signal handler race condition in the LoginGraceTime timeout code: when the grace period expired, sshd's SIGALRM handler called syslog(), which is not async-signal-safe, while the interrupted code might be halfway through the heap allocator. It was a regression: the same bug had been fixed in 2006 as CVE-2006-5051 (OpenSSH 4.4), and a logging refactor in October 2020, shipped in OpenSSH 8.5p1, removed the guard that had kept the handler safe. The irony was noted. OpenSSH 9.8, which strips the handler down so that it calls no unsafe function, was released on 1 July 2024, the same day as the advisory. Only portable OpenSSH on glibc-based Linux was affected; OpenBSD's own sshd uses the async-signal-safe syslog_r() and was never vulnerable. Qualys's proof of concept needed roughly 10,000 connection attempts, six to eight hours with ASLR, to win the race on 32-bit glibc systems; exploitation on 64-bit was judged possible but was not demonstrated. A slow, noisy, probabilistic attack that was nonetheless taken seriously, because the OpenBSD team does not grade vulnerabilities on a curve. The interim mitigation was LoginGraceTime 0, which removes the timer and with it the race at the cost of exposing sshd to connection exhaustion; MaxStartups limits that, and 9.8 added PerSourcePenalties to throttle addresses that repeatedly fail to authenticate.
Eighteen years without an unauthenticated remote root hole in the most attacked service on the internet. The comparison writes itself. Apache httpd has had dozens of remotely exploitable flaws. Sendmail, dozens more. Microsoft's IIS has lost count. OpenSSH's daemon ran for nearly two decades without one in its default configuration, and when one finally appeared, it was the reintroduction of a bug that had been fixed eighteen years earlier. The original fix was correct. The reintroduction, a protective guard dropped in a refactor of the logging code, was the error.
The Philosophy
De Raadt’s approach to security is often described as paranoid, usually by people who mean it as a criticism. It is not. It is a methodology. Assume the network is hostile. Assume your own code contains bugs. Assume the compiler will not optimise correctly. Assume the hardware will lie. Then design so that none of these assumptions, when they prove correct, can escalate to a catastrophe.
When the industry added features to SSH, de Raadt removed attack surface. When vendors shipped default configurations with everything enabled, OpenSSH shipped with the minimum necessary to function. When other projects relied on automated testing to catch bugs, the OpenBSD team read the code. Line by line. Function by function. The audit culture is not a process bolted on after development. It is development.
This philosophy extends beyond OpenSSH. The OpenBSD project has produced OpenSSH, OpenBGPD, OpenNTPD, LibreSSL, and the pledge() and unveil() system calls. Each one follows the same principle: less code, fewer privileges, smaller attack surface. The project does not accept that software must be complex to be capable.
The Portability
OpenSSH was written for OpenBSD. The rest of the world wanted it too. Rather than compromise the clean codebase with portability ifdefs, the project maintains a separate portable layer that wraps the OpenBSD-native code with compatibility shims for Linux, macOS, Solaris, AIX, and everything else. The core code remains clean. The portability complexity is quarantined. It is, in miniature, the same architectural instinct that produced privilege separation: separate the concerns, contain the mess.
In 2018, Microsoft shipped the OpenSSH client as a default component of Windows 10 (version 1803), with the server available as an optional feature. The most commercially paranoid operating system vendor on earth chose the tool built by the most technically paranoid open-source project on earth. The irony was lost on no one. The quality was lost on no one either.
The Reduction
What makes OpenSSH technically beautiful is not its feature list. The feature list is deliberately short. It is the discipline of refusal. Every line of code is an opportunity for a bug. Every feature is an expansion of attack surface. Every default-enabled option is a door that an attacker might find before you remember to close it.
De Raadt and the OpenBSD team have maintained this discipline for twenty-five years. The result is not a tool that does everything. It is a tool that does one thing, secure remote access, with a correctness record that no comparable project can match. Thirty-two million servers. One unauthenticated remote root vulnerability in sshd in eighteen years, and that one a regression. Not because the code is perfect, but because the architecture assumes it is not.
Privilege separation. Sandboxing. Audited code. Minimal defaults. 32 million servers. 25 years. The most paranoid design philosophy in open source, vindicated by the only metric that matters: the absence of catastrophe.