SSH Protocol Support
ZestSSH implements the SSH 2.0 protocol. SSH 1.x is not supported and will not be added --- it has known cryptographic weaknesses and has been deprecated for over a decade.
Protocol Version
SSH-2.0 as defined by RFC 4253 (The Secure Shell Transport Layer Protocol). ZestSSH identifies itself with the version string SSH-2.0-dartssh2_X.Y.Z during the protocol handshake.
Core RFCs
ZestSSH’s SSH implementation covers the following core specifications:
| RFC | Title | Coverage |
|---|---|---|
| RFC 4250 | SSH Protocol Assigned Numbers | Identifiers and constants |
| RFC 4251 | SSH Protocol Architecture | Overall architecture |
| RFC 4252 | SSH Authentication Protocol | Password, publickey, keyboard-interactive |
| RFC 4253 | SSH Transport Layer Protocol | Key exchange, encryption, integrity |
| RFC 4254 | SSH Connection Protocol | Channels, sessions, forwarding |
Authentication Methods
| Method | RFC | Supported |
|---|---|---|
| publickey | RFC 4252 | Yes |
| password | RFC 4252 | Yes |
| keyboard-interactive | RFC 4256 | Yes |
| hostbased | RFC 4252 | No |
| none | RFC 4252 | No |
Keyboard-interactive authentication is used for two-factor authentication prompts and systems that use PAM challenges beyond simple passwords.
Key Exchange Algorithms
See Supported KEX Algorithms for the full list.
ZestSSH supports Curve25519 (the recommended default), ECDH with NIST curves, Diffie-Hellman group exchange, and fixed-group DH.
Host Key Algorithms
See Supported Key Types for the full list.
ZestSSH supports Ed25519, Ed448, RSA (with SHA-1, SHA-256, and SHA-512 signatures), and ECDSA with NIST curves.
Encryption Algorithms
See Supported Ciphers for the full list.
ZestSSH supports ChaCha20-Poly1305 (the recommended default), AES-GCM, AES-CTR, and AES-CBC in various key sizes.
Extensions
| Extension | Source | Supported |
|---|---|---|
| [email protected] | OpenSSH | Yes |
| [email protected] | OpenSSH | Yes |
| [email protected] | OpenSSH | Yes |
| [email protected] | libssh | Yes |
| rsa-sha2-256 | RFC 8332 | Yes |
| rsa-sha2-512 | RFC 8332 | Yes |
Channel Types
| Channel Type | RFC | Supported |
|---|---|---|
| session | RFC 4254 | Yes |
| direct-tcpip (local port forwarding) | RFC 4254 | Yes |
| forwarded-tcpip (remote port forwarding) | RFC 4254 | Yes |
| x11 | RFC 4254 | No |
Subsystems
| Subsystem | Supported |
|---|---|
| sftp | Yes |
Compression
| Algorithm | Supported |
|---|---|
| none | Yes (default) |
| zlib | Yes |
| [email protected] | Yes (delayed compression after auth) |
Zlib compression can be enabled per connection in the connection editor. It reduces bandwidth on slow links but adds CPU overhead.
Keep-Alive
ZestSSH sends SSH keep-alive packets (SSH_MSG_IGNORE) at a configurable interval to prevent idle timeout disconnects. The interval is set per connection (default: disabled, recommended: 15-30 seconds for mobile).
Agent Forwarding
SSH agent forwarding (RFC 4254, section 6.1) is supported and can be enabled per connection. When enabled, the remote server can use the client’s SSH keys for onward authentication without the keys being stored on the remote server.
Not Supported
The following SSH features are not currently supported:
- SSH 1.x protocol
- X11 forwarding
- Host-based authentication
- GSSAPI authentication
- Certificate-based authentication (OpenSSH certificates)
- ssh-dss (DSA) host keys or user keys --- deprecated due to known weaknesses