Software:Comparison of SSH clients
An SSH client is a software program which uses the secure shell protocol to connect to a remote computer. This article compares a selection of notable clients.
SSH (Secure Shell) clients provide encrypted network connections for remote system administration, file transfers, and secure tunneling. These clients range from lightweight command-line utilities to feature-rich graphical applications, serving use cases from simple terminal access to complex enterprise workflows. This comparison examines SSH clients across multiple dimensions: basic information and licensing, platform compatibility, protocol support and technical capabilities, user features, and cryptographic algorithm support.
General
This section provides fundamental information about each SSH client, including developer, initial release date, supported platforms, current version, licensing model, and interface type. Understanding these basics helps users identify which clients are actively maintained, compatible with their operating systems, and align with their licensing requirements (open-source versus proprietary).
| Name | Developer | Initial release | Platform | Latest release | License | GUI | TUI/CLI | |
|---|---|---|---|---|---|---|---|---|
| Version | Date | |||||||
| AbsoluteTelnet | Celestial Software (Brian Pence) | 1996 | Windows | Proprietary | 
|
| ||
| Bitvise SSH Client | Bitvise Limited | 2001 | Windows | Proprietary |
|
| ||
| ConnectBot | Kenny Root Jeffrey Sharkey |
2007-11[lower-alpha 1] | Android | Apache-2.0 | ? | ? | ||
| Dropbear | Matt Johnston | 2003-04-06 | AIX | MIT |
|
| ||
| BSD | ||||||||
| Cygwin | ||||||||
| Linux | ||||||||
| HP-UX | ||||||||
| iOS | ||||||||
| Maemo | ||||||||
| macOS | ||||||||
| Solaris | ||||||||
| OpenSSH[lower-alpha 2] | The OpenBSD project | 1999-12-01[lower-alpha 3] | AIX | BSD |
|
| ||
| Android | ||||||||
| BSD | ||||||||
| Cygwin | ||||||||
| Linux | ||||||||
| HP-UX | ||||||||
| iOS | ||||||||
| Maemo | ||||||||
| OpenVMS | ||||||||
| macOS | ||||||||
| Solaris | ||||||||
| Windows | ||||||||
| z/OS | ||||||||
| PuTTY | Simon Tatham | 1999-01-22 | BSD | MIT |
|
| ||
| Linux | ||||||||
| macOS | ||||||||
| Solaris | ||||||||
| Windows | ||||||||
| SecureCRT | VanDyke Software | 1998–06 | Linux | Proprietary |
|
| ||
| macOS | ||||||||
| iOS | ||||||||
| Windows | ||||||||
| Tera Term | TeraTerm Project | 2004[lower-alpha 4] | Windows | BSD-3-Clause |
|
| ||
| TN3270 Plus | SDI USA, Inc. | 2006 | Windows | Proprietary |
|
| ||
| WinSCP | Martin Přikryl | 2000 | Windows | 6.3.3 | 2024-04-16 | GNU GPL |
|
? |
| wolfSSH | wolfSSL | 2016-07-20[lower-alpha 5] | BSD | GPL-3.0-or-later[lower-alpha 6] |
|
| ||
| Cygwin | ||||||||
| Linux | ||||||||
| macOS | ||||||||
| Solaris | ||||||||
| Windows | ||||||||
| ZOC Terminal | EmTec, Innovative Software | 1995-07-01 | macOS | Proprietary |
|
| ||
| OS/2 | ||||||||
| Windows | ||||||||
The SSH client landscape spans from foundational open-source projects like OpenSSH (1999) and PuTTY (1999) to commercial offerings such as SecureCRT (1998) and ZOC Terminal (1995). OpenSSH dominates as the de facto standard, included by default in most Unix-like operating systems and recent Windows versions. Cross-platform support varies significantly: command-line tools like OpenSSH and Dropbear support the widest range of platforms, while graphical clients tend toward platform-specific implementations. The licensing divide is clear, with major open-source clients using BSD (OpenSSH, PuTTY) or MIT (Dropbear, WinSCP) licenses, while commercial clients like SecureCRT and AbsoluteTelnet remain proprietary. Both GUI and CLI interfaces are well-represented, with some clients like PuTTY and ZOC Terminal offering both, while others specialize in one interface type.
Platform
Platform compatibility determines where SSH clients can be deployed and used. This section examines operating system support across desktop, server, mobile, and embedded platforms. The data reveals patterns in cross-platform development strategies and highlights platform-specific solutions versus universal clients.
The operating systems or virtual machines the SSH clients are designed to run on without emulation include several possibilities:
- Partial indicates that while it works, the client lacks important functionality compared to versions for other OSs but may still be under development.
The list is not exhaustive, but rather reflects the most common platforms today. Template:Sort-under
| Name | macOS | Windows | Cygwin | BSD | Linux | Solaris | OpenVMS | z/OS | AIX | HP-UX | iOS | Android | Maemo | Windows Phone |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| AbsoluteTelnet | No | Yes | No | No | No | No | No | No | No | No | No | No | No | ? |
| Bitvise SSH Client | No | Yes | No | No | No | No | No | No | No | No | No | No | No | No |
| ConnectBot | No | No | No | No | No | No | No | No | No | No | No | Yes | No | No |
| Dropbear | Yes | No | Yes | Yes | Yes | Yes | ? | ? | Yes | Yes | Yes[lower-alpha 1] | No | Yes | ? |
| lsh | Yes | No | No | Partial[lower-alpha 2] | Yes | Yes | ? | ? | No | No | No | No | No | ? |
| OpenSSH[lower-alpha 3] | Included | Included[lower-alpha 4] | Included | Included | Included[lower-alpha 5] | Yes | Yes | Yes | Yes | Yes | Yes[lower-alpha 1] | Yes | Yes | ? |
| PuTTY | Partial | Yes | ? | Yes | Yes | Yes | ? | ? | No | No | No | No | No | Beta|software release life cycle#Beta|Beta |
| SecureCRT | Yes | Yes | No | No | Yes | No | No | No | No | No | Yes | No | No | ? |
| SmartFTP | No | Yes | No | No | No | No | No | No | No | No | No | No | No | ? |
| Tera Term | No | Yes | No | No | No | No | No | No | No | No | No | No | No | ? |
| TN3270 Plus | No | Yes | No | No | No | No | No | No | No | No | No | No | No | ? |
| WinSCP | No | Yes | No | No | No | No | No | No | No | No | Yes[lower-alpha 1] | No | No | ? |
| wolfSSH | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No | No | No | No | No | No |
| ZOC Terminal | Yes | Yes | No | No | No | No | No | No | No | No | No | No | No | ? |
| Name | macOS | Windows | Cygwin | BSD | Linux | Solaris | OpenVMS | z/OS | AIX | HP-UX | iOS | Android | Maemo | Windows Phone |
- ↑ 1.0 1.1 1.2 Only for jailbroken devices.
- ↑ lsh supports only one BSD platform officially, FreeBSD.
- ↑ Also known as OpenBSD Secure Shell.
- ↑ Included and enabled by default since windows 10 version 1803. Win32-OpenSSH can be installed as an optional component in the Windows versions before Windows 10 version 1803 to Windows 10 version 1709. Portable version can be download from Win32-OpenSSH for other versions.
- ↑ The majority of Linux distributions have OpenSSH as an official package, but a few do not.
Platform support analysis reveals distinct strategies among SSH client developers. OpenSSH demonstrates the broadest compatibility, running on virtually every major operating system including macOS, Windows, Linux, BSD, Solaris, OpenVMS, z/OS, AIX, HP-UX, iOS, and Android, reflecting its role as the industry standard. Dropbear similarly supports wide platform coverage, optimized for embedded and resource-constrained environments. In contrast, Windows-only clients like AbsoluteTelnet, Bitvise SSH Client, Tera Term, and WinSCP serve the large Windows user base with platform-specific features. macOS-focused clients like certain configurations of SecureCRT and ZOC Terminal cater to Apple ecosystem users. Mobile platform support remains limited, with ConnectBot dominating Android and only SecureCRT and WinSCP (jailbroken only) supporting iOS. The inclusion status (where OpenSSH comes pre-installed) on macOS, modern Windows, BSD, and most Linux distributions underscores its ubiquity and reduces the need for alternative clients on these platforms.
Technical
This section examines the technical capabilities and protocol support of SSH clients. Key areas include SSH protocol versions (SSH1 vs SSH2), additional protocols like TELNET and rlogin, tunneling capabilities (port forwarding, SOCKS proxy, VPN), advanced features like session multiplexing and Kerberos authentication, and file transfer protocol support (SFTP/SCP). These technical capabilities determine the versatility and security posture of each client.
| Name | SSH1 (insecure) |
SSH2 | Additional protocols | Port forwarding and Tunneling | Session multiplexing [lower-alpha 1] |
Kerberos | IPv6 | Terminal | SFTP/SCP | Proxy client[lower-alpha 2] | |||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| TELNET | rlogin | Port forwarding |
SOCKS [lower-alpha 3] |
VPN [lower-alpha 4] | |||||||||
| AbsoluteTelnet | Yes | Yes | Yes | No | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | SOCKS 4, 5; HTTP |
| Bitvise SSH Client | No | Yes | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | SOCKS 4, 5 |
| Dropbear | No | Yes | No | No | Yes | No | No | No | No | Yes | Yes | Yes | ? |
| lsh | No | Yes | Yes | No | Yes | Yes | No | Yes | No | Yes | Yes | Yes | ? |
| OpenSSH[lower-alpha 5] | No[lower-alpha 6] | Yes | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | ProxyCommand |
| PuTTY | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes[lower-alpha 7] | Yes | Yes | Yes[lower-alpha 8] | SOCKS 4, 5; HTTP; Telnet; Local |
| SecureCRT | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | SOCKS 4, 5; HTTP; Telnet; Generic |
| SmartFTP | No | Yes | Yes | No | No | No | No | No | Yes | Yes | Yes | Yes | SOCKS 4, 5; HTTP |
| Tera Term | Yes | Yes | Yes | No | Yes | No | No | No | No | Yes | Yes | SCP | SOCKS 4, 5; HTTP; Telnet |
| TN3270 Plus | Yes | Yes | Yes | No | No | Yes | No | Yes | No | Yes | Yes | No | SOCKS 4 |
| WinSCP [lower-alpha 9] | No[lower-alpha 10] | Yes | No | No | limited[lower-alpha 11] | No | No | No | Yes | Yes | simple | Yes | SOCKS 4, 5; HTTP; Telnet; Local |
| wolfSSH | No | Yes | No | No | Yes | No | No | No | No | Yes | simple | Yes | No |
| ZOC Terminal | Yes | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes | Yes | Yes[lower-alpha 12][lower-alpha 13] | SOCKS 4; 5; HTTP; Jumpserver |
| Name | SSH1 (insecure) |
SSH2 | Additional protocols | Tunneling | Session multiplexing [lower-alpha 1] |
Kerberos | IPv6 | Terminal | SFTP/SCP | Proxy client[lower-alpha 2] | |||
| TELNET | rlogin | Port forwarding |
SOCKS [lower-alpha 3] |
VPN [lower-alpha 4] | |||||||||
- ↑ 1.0 1.1 Accelerating OpenSSH connections with ControlMaster.
- ↑ 2.0 2.1 Can the SSH client connect itself through a proxy? This is distinct from offering a SOCKS proxy or port forwarding.
- ↑ 3.0 3.1 The ability for the SSH client to perform dynamic port forwarding by acting as a local SOCKS proxy.
- ↑ 4.0 4.1 The ability for the SSH client to establish a VPN, e.g. using TUN/TAP.
- ↑ Also known as OpenBSD Secure Shell.
- ↑ OpenSSH deleted SSH protocol version 1 support in version 7.6 (2017-10-03)
- ↑ The version 0.63 supports GSSAPI. Successfully tested on Win 8 using Active Directory
- ↑ The PuTTY developers provide SCP and SFTP functionality as binaries for separate download.
- ↑ WinSCP bundles a number of software components including PuTTY. [1].
- ↑ WinSCP Version history.
- ↑ WinSCP connection tunneling.
- ↑ SCP and SFTP through terminal.
- ↑ SCP and SFTP according to ZOC features page.
Protocol support reveals significant evolution in SSH client security. Modern clients universally support SSH2, while SSH1 support (now recognized as insecure) has been largely deprecated—OpenSSH removed SSH1 support entirely in version 7.6 (2017), and several newer clients like Bitvise SSH Client, Dropbear, and wolfSSH never implemented it. Port forwarding and SOCKS proxy capabilities are nearly universal among full-featured clients, enabling secure tunneling for various applications. VPN tunneling via TUN/TAP is less common, supported primarily by OpenSSH, Bitvise SSH Client, and WinSCP (limited). Session multiplexing, which allows multiple SSH sessions over a single connection, is supported by advanced clients like OpenSSH, Bitvise SSH Client, lsh, PuTTY, SecureCRT, and TN3270 Plus, offering performance benefits for users managing multiple concurrent sessions. Kerberos integration, important for enterprise environments, is widely supported across both open-source and commercial clients. SFTP/SCP support for file transfers is nearly universal, though implementation quality varies—some clients offer only basic functionality while others provide full-featured file management interfaces. Proxy client capabilities (connecting through intermediate proxies) are comprehensive in clients like PuTTY, SecureCRT, and WinSCP, supporting SOCKS 4/5, HTTP, Telnet, and custom proxy types.
Features
Beyond core protocol support, SSH clients differ significantly in user-facing features that affect usability, productivity, and workflow integration. This section compares features such as keyboard mapping, session tabs, file transfer protocols, text search, mouse support, Unicode handling, scripting capabilities, and security features like public key authentication, smart card support, and FIPS 140-2 validation. These features distinguish basic terminal clients from comprehensive remote access solutions.
| Name | Keyboard mapping | Script error: No such module "Vertical header". | Script error: No such module "Vertical header". | Script error: No such module "Vertical header". | Script error: No such module "Vertical header". | Script error: No such module "Vertical header". | URL hyperlinking | Script error: No such module "Vertical header". | Script error: No such module "Vertical header". | Hardware encryption | Script error: No such module "Vertical header". | Script error: No such module "Vertical header". | Script error: No such module "Vertical header". | Script error: No such module "Vertical header". | Script error: No such module "Vertical header". |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| AbsoluteTelnet | full | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes[lower-alpha 1] | Yes | Yes | ? | ? | ? |
| Bitvise SSH Client | ? | No | No | No | Yes | Yes | No | Yes | No | ? | Partial | Yes | No | Yes | No |
| OpenSSH[lower-alpha 2] | ? | No | No | ? | Yes[lower-alpha 3] | Yes | not native[lower-alpha 4] | Yes | Yes | Yes | Partial[lower-alpha 5] | No | No | ? | Yes[lower-alpha 6] |
| PuTTY | No | No[lower-alpha 7] | No | No | Yes | Yes | No[lower-alpha 8] | Yes | No | Yes | No | No | No | No | No[lower-alpha 9] |
| SecureCRT | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | No | ? | ? |
| SmartFTP | Partial | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | AES-NI | Yes | No | ? | ? | ? |
| Tera Term | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No | No | Yes | No | ? | ? |
| TN3270 Plus | Yes | Yes | No | No | No | No | Yes | Yes | No | No | No | Yes | ? | ? | ? |
| wolfSSH | No | No | No | No | No | Yes | No | Yes | No | Yes | Yes | No | No | No | Yes |
| ZOC Terminal | full | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes[lower-alpha 10] | No | Yes | ? | ? | Yes[lower-alpha 11] |
- ↑ AbsoluteTelnet/SSH supports hardware-backed Secure Keys via FIDO2/WebAuthn (ed25519-sk and ecdsa-sk) beginning with Version 13.14. [1]
- ↑ Also known as OpenBSD Secure Shell.
- ↑ Only when the terminal itself supports mouse input. Most graphical ones do, e.g. xterm.
- ↑ No native URL highlighting; however most graphical consoles support URL highlighting.
- ↑ Validated when running OpenSSH 2.1 on Red Hat Enterprise Linux 6.2 in FIPS mode or when running OpenSSH 1.1 on Red Hat Enterprise Linux 5 in FIPS mode
- ↑ OpenSSH supports the minimal certificate format since v5.4. "OpenSSH Release Notes: 5.4". OpenBSD Project. 2010-03-08. https://www.openssh.com/releasenotes.html#5.4.
- ↑ PuTTY does not support tabs directly, but many wrappers are available that do.
- ↑ PuTTY does not support hyperlinks, but some forks of PuTTY do.
- ↑ Putty v71.0 does not support OpenSSH certificates. See Ben Harris' 2016-04-21 wish.[2][3]
- ↑ ZOC supports FIDO/sk keys with Version 9, see Version history and FIDO2 Instructions.[4][5]
- ↑ ZOC supports OpenSSSH style CA Keys, see ZOC feature list (SSH features).[6]
Feature comparison reveals the divide between basic terminal clients and comprehensive remote access solutions. Session tabs and advanced UI features are primarily found in commercial clients like SecureCRT, SmartFTP, Tera Term, TN3270 Plus, and ZOC Terminal, while command-line tools like OpenSSH rely on external terminal emulators for such functionality. ZMODEM file transfer support, once popular for serial communications, remains available in several clients (AbsoluteTelnet, SecureCRT, Tera Term, ZOC Terminal) but has largely been superseded by SFTP/SCP. Unicode support is now standard across modern clients, essential for international character sets and proper terminal display. Public key authentication is universally supported, representing the security standard for SSH connections. Smart card support and hardware encryption capabilities are concentrated in commercial and specialized clients (AbsoluteTelnet, SecureCRT, SmartFTP, ZOC Terminal), targeting enterprise and high-security environments. FIPS 140-2 validation, required for certain government and regulated industry deployments, is available in AbsoluteTelnet, SecureCRT, SmartFTP, and select OpenSSH configurations. Scripting support varies widely: some clients offer no scripting (PuTTY, Dropbear), while others provide comprehensive automation through platform-native languages or proprietary scripting engines. The emergence of FIDO2/security key support (AbsoluteTelnet, OpenSSH, ZOC Terminal) represents the latest evolution in authentication technology, enabling hardware-backed cryptographic keys for enhanced security.
Authentication key algorithms
Cryptographic algorithm support determines both the security level and compatibility of SSH clients with various servers and security policies. This section examines support for authentication key algorithms including legacy DSA, widely-used RSA variants, ECDSA (Elliptic Curve Digital Signature Algorithm), modern EdDSA (Edwards-curve Digital Signature Algorithm), and hardware security keys. Algorithm support reflects both security best practices and backward compatibility requirements.
This table lists standard authentication key algorithms implemented by SSH clients. Some SSH implementations include both server and client implementations and support custom non-standard authentication algorithms not listed in this table.
| Name | ssh-dss[lower-alpha 1] | ssh-rsa | RSA with SHA-2 | ECDSA with SHA-2 | EdDSA | Security keys | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| rsa-sha2-256 | rsa-sha2-512 | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | ecdsa-sha2-nistp521 | ssh-ed25519 | ssh-ed448 | sk-ecdsa-sha2-nistp256 | sk-ssh-ed25519 | |||
| AbsoluteTelnet | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes |
| Bitvise SSH Client | ? | ? | ? | ? | ? | ? | ? | ? | ? | ||
| Dropbear | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | ? | ||
| lsh | ? | ? | ? | ? | ? | ? | ? | ? | ? | ||
| OpenSSH[lower-alpha 2] | Yes[lower-alpha 3] | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes |
| PuTTY | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No[lower-alpha 4] | No[lower-alpha 4] |
| SecureCRT | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | ? | ||
| SmartFTP | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No |
| Tera Term | ? | ? | ? | ? | ? | ? | ? | ? | ? | ||
| TN3270 Plus | ? | ? | ? | ? | ? | ? | ? | ? | ? | ||
| WinSCP | No | Yes | Yes | Yes | Yes | Yes | Yes | ? | ? | ||
| wolfSSH | No | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No | No |
| ZOC Terminal[lower-alpha 5] | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes[lower-alpha 6] | Yes[lower-alpha 6] |
- ↑
ssh-dssis based on Digital Signature Algorithm which is sensitive to entropy, secrecy, and uniqueness of its random signature value. - ↑ Also known as OpenBSD Secure Shell.
- ↑ By default, disabled at run-time since OpenSSH 7.0 released in 2015.
- ↑ 4.0 4.1 PuTTY does not support security keys / FIDO tokens, but is supported in PuTTY-CAC
- ↑ ZOC' SSH is based on OpenSSH and supports the same encryptions.
- ↑ 6.0 6.1 ZOC supports FIDO/sk keys with Version 9, see Version history and FIDO2 Instructions.[4][5]
Authentication algorithm support demonstrates the ongoing evolution of SSH security standards. The deprecated ssh-dss algorithm, based on DSA and sensitive to weak random number generation, remains supported in several clients for backward compatibility but is disabled by default in security-conscious implementations like OpenSSH (since version 7.0, 2015). Traditional ssh-rsa enjoys universal support as the long-standing standard. Modern RSA variants using SHA-2 (rsa-sha2-256 and rsa-sha2-512) are widely adopted, offering improved security over the original SHA-1-based implementation. ECDSA algorithms across multiple curves (nistp256, nistp384, nistp521) provide strong security with smaller key sizes and are broadly supported. EdDSA algorithms, particularly ssh-ed25519, represent current best practice with superior performance and security characteristics—widely supported across modern clients, though ssh-ed448 support remains less common. Security key support (sk-ecdsa-sha2-nistp256 and sk-ssh-ed25519) for FIDO2/WebAuthn hardware tokens is emerging in leading clients (AbsoluteTelnet, OpenSSH, ZOC Terminal), enabling hardware-backed authentication resistant to key theft. The incomplete data for several clients (indicated by "?") suggests this comparison would benefit from community contributions to document full algorithm support across all implementations.
See also
References
- ↑ "AbsoluteTelnet/SSH Release Notes". https://www.celestialsoftware.net/version-history.
- ↑ "ssh2-openssh-certkeys.html". https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/ssh2-openssh-certkeys.html.
- ↑ "ssh2-openssh-certkeys". https://git.tartarus.org/?p=simon/putty-wishlist.git;a=history;f=data/ssh2-openssh-certkeys;hb=refs/heads/master.
- ↑ 4.0 4.1 "ZOC Version History". https://www.emtec.com/zoc/versionhistory.html.
- ↑ 5.0 5.1 "Using FIDO2/SK Keys with ZOC Terminal on Windows for Access to Linux Servers". https://www.emtec.com/kb/en/2008/create-fido2-keys-for-linux-login.
- ↑ "ZOC Feature List (SSH)". https://www.emtec.com/zoc/features.html#features_ssh.
 |  |
