Comparison of SSH clients

Last updated

An SSH client is a software program which uses the secure shell protocol to connect to a remote computer. This article compares a selection of notable clients.

Contents

SSH (Secure Shell) clients provide encrypted network connections for remote system administration, file transfers, and secure tunneling. These clients range from lightweight command-line utilities to feature-rich graphical applications, serving use cases from simple terminal access to complex enterprise workflows. This comparison examines SSH clients across multiple dimensions: basic information and licensing, platform compatibility, protocol support and technical capabilities, user features, and cryptographic algorithm support.

General

This section provides fundamental information about each SSH client, including developer, initial release date, supported platforms, current version, licensing model, and interface type. Understanding these basics helps users identify which clients are actively maintained, compatible with their operating systems, and align with their licensing requirements (open-source versus proprietary).


NameDeveloperInitial releasePlatformLatest release License GUI TUI/CLI
VersionDate
AbsoluteTelnet Celestial Software (Brian Pence)1996Windows13.14  OOjs UI icon edit-ltr-progressive.svg 2025-11-07 Proprietary Check-green.svgDark Red x.svg
Bitvise SSH ClientBitvise Limited2001Windows9.47 [1]   OOjs UI icon edit-ltr-progressive.svg 2025-09-02 Proprietary Check-green.svgCheck-green.svg
ConnectBot Kenny Root
Jeffrey Sharkey		2007-11 [a] Android1.9.10 [2]   OOjs UI icon edit-ltr-progressive.svg 2023-12-21 Apache-2.0 ??
Dropbear Matt Johnston2003-04-06AIX2025.88 [3]   OOjs UI icon edit-ltr-progressive.svg 2025-05-07 MIT Dark Red x.svgCheck-green.svg
BSD
Cygwin
Linux
HP-UX
iOS
Maemo
macOS
Solaris
OpenSSH [b] The OpenBSD project1999-12-01 [c] AIX10.1 [4]   OOjs UI icon edit-ltr-progressive.svg 2025-10-06 BSD Dark Red x.svgCheck-green.svg
Android
BSD
Cygwin
Linux
HP-UX
iOS
Maemo
OpenVMS
macOS
Solaris
Windows
z/OS
PuTTY Simon Tatham 1999-01-22BSD0.83 [5]   OOjs UI icon edit-ltr-progressive.svg 2025-02-08 MIT Check-green.svgCheck-green.svg
Linux
macOS
Solaris
Windows
SecureCRT VanDyke Software1998–06Linux9.6.4 [6]   OOjs UI icon edit-ltr-progressive.svg 2025-09-16 Proprietary Check-green.svgDark Red x.svg
macOS9.6.4 [6]   OOjs UI icon edit-ltr-progressive.svg 2025-09-16
iOS4.0.0 [7]   OOjs UI icon edit-ltr-progressive.svg 2025-10-21
Windows9.6.4 [6]   OOjs UI icon edit-ltr-progressive.svg 2025-09-16
Tera Term TeraTerm Project2004 [d] Windows5.5.1 [8]   OOjs UI icon edit-ltr-progressive.svg 2025-11-17 BSD-3-Clause Check-green.svgDark Red x.svg
TN3270 Plus SDI USA, Inc.2006Windows4.0.7 [9]   OOjs UI icon edit-ltr-progressive.svg 2019-02 Proprietary Check-green.svgDark Red x.svg
WinSCP Martin Přikryl2000Windows6.3.32024-04-16GNU GPLCheck-green.svg?
wolfSSH wolfSSL 2016-07-20 [e] BSD1.4.21 [10]   OOjs UI icon edit-ltr-progressive.svg 2025-10-20 GPL-3.0-or-later [f] Dark Red x.svgCheck-green.svg
Cygwin
Linux
macOS
Solaris
Windows
ZOC Terminal EmTec, Innovative Software1995-07-01macOS9.02.6 [11]   OOjs UI icon edit-ltr-progressive.svg 2026-01-27 Proprietary Check-green.svgCheck-green.svg
OS/24.15 [12]   OOjs UI icon edit-ltr-progressive.svg 2004-08-26
Windows9.02.6 [11]   OOjs UI icon edit-ltr-progressive.svg 2026-01-27
  1. Based on Trilead SSH-2 for Java.
  2. Also known as OpenBSD Secure Shell.
  3. Based on OSSH.
  4. Based on Tera Term Pro 2.3 (1994–1998).
  5. Based on wolfCrypt.
  6. Also available under a proprietary license.

The SSH client landscape spans from foundational open-source projects like OpenSSH (1999) and PuTTY (1999) to commercial offerings such as SecureCRT (1998) and ZOC Terminal (1995). OpenSSH dominates as the de facto standard, included by default in most Unix-like operating systems and recent Windows versions. Cross-platform support varies significantly: command-line tools like OpenSSH and Dropbear support the widest range of platforms, while graphical clients tend toward platform-specific implementations. The licensing divide is clear, with major open-source clients using BSD (OpenSSH, PuTTY) or MIT (Dropbear, WinSCP) licenses, while commercial clients like SecureCRT and AbsoluteTelnet remain proprietary. Both GUI and CLI interfaces are well-represented, with some clients like PuTTY and ZOC Terminal offering both, while others specialize in one interface type.

Platform

Platform compatibility determines where SSH clients can be deployed and used. This section examines operating system support across desktop, server, mobile, and embedded platforms. The data reveals patterns in cross-platform development strategies and highlights platform-specific solutions versus universal clients.


The operating systems or virtual machines the SSH clients are designed to run on without emulation include several possibilities:

The list is not exhaustive, but rather reflects the most common platforms today.

Name macOS Windows Cygwin BSD Linux Solaris OpenVMS z/OS AIX HP-UX iOS Android Maemo Windows Phone
AbsoluteTelnet NoYesNoNoNoNoNoNoNoNoNoNoNo?
Bitvise SSH ClientNoYesNoNoNoNoNoNoNoNoNoNoNoNo
ConnectBot NoNoNoNoNoNoNoNoNoNoNoYesNoNo
Dropbear YesNoYesYesYesYes??YesYesYes [a] NoYes?
lsh YesNoNoPartial [b] YesYes??NoNoNoNoNo?
OpenSSH [c] IncludedIncluded [d] IncludedIncludedIncluded [e] YesYesYesYesYesYes [a] YesYes?
PuTTY PartialYes?YesYesYes??NoNoNoNoNo Beta
SecureCRT YesYesNoNoYesNoNoNoNoNoYesNoNo?
SmartFTP NoYesNoNoNoNoNoNoNoNoNoNoNo?
Tera Term NoYesNoNoNoNoNoNoNoNoNoNoNo?
TN3270 Plus NoYesNoNoNoNoNoNoNoNoNoNoNo?
WinSCP NoYesNoNoNoNoNoNoNoNoYes [a] NoNo?
wolfSSH YesYesYesYesYesYesNoNoNoNoNoNoNoNo
ZOC Terminal YesYesNoNoNoNoNoNoNoNoNoNoNo?
Name macOS Windows Cygwin BSD Linux Solaris OpenVMS z/OS AIX HP-UX iOS Android Maemo Windows Phone
  1. 1 2 3 Only for jailbroken devices.
  2. lsh supports only one BSD platform officially, FreeBSD.
  3. Also known as OpenBSD Secure Shell.
  4. Included and enabled by default since windows 10 version 1803. Win32-OpenSSH can be installed as an optional component in the Windows versions before Windows 10 version 1803 to Windows 10 version 1709. Portable version can be download from Win32-OpenSSH for other versions.
  5. The majority of Linux distributions have OpenSSH as an official package, but a few do not.

Platform support analysis reveals distinct strategies among SSH client developers. OpenSSH demonstrates the broadest compatibility, running on virtually every major operating system including macOS, Windows, Linux, BSD, Solaris, OpenVMS, z/OS, AIX, HP-UX, iOS, and Android, reflecting its role as the industry standard. Dropbear similarly supports wide platform coverage, optimized for embedded and resource-constrained environments. In contrast, Windows-only clients like AbsoluteTelnet, Bitvise SSH Client, Tera Term, and WinSCP serve the large Windows user base with platform-specific features. macOS-focused clients like certain configurations of SecureCRT and ZOC Terminal cater to Apple ecosystem users. Mobile platform support remains limited, with ConnectBot dominating Android and only SecureCRT and WinSCP (jailbroken only) supporting iOS. The inclusion status (where OpenSSH comes pre-installed) on macOS, modern Windows, BSD, and most Linux distributions underscores its ubiquity and reduces the need for alternative clients on these platforms.

Technical

This section examines the technical capabilities and protocol support of SSH clients. Key areas include SSH protocol versions (SSH1 vs SSH2), additional protocols like TELNET and rlogin, tunneling capabilities (port forwarding, SOCKS proxy, VPN), advanced features like session multiplexing and Kerberos authentication, and file transfer protocol support (SFTP/SCP). These technical capabilities determine the versatility and security posture of each client.


NameSSH1
(insecure)		SSH2Additional protocols Port forwarding and Tunneling Session
multiplexing
[a] 		Kerberos IPv6 Terminal SFTP/SCP Proxy client [b]
TELNET rlogin Port
forwarding 		SOCKS
[c] 		VPN
[d]
AbsoluteTelnet YesYesYesNoYesYesNoYesYesYesYesYesSOCKS 4, 5; HTTP
Bitvise SSH ClientNoYesNoNoYesYesYesYesYesYesYesYesSOCKS 4, 5
Dropbear NoYesNoNoYesNoNoNoNoYesYesYes?
lsh NoYesYesNoYesYesNoYesNoYesYesYes?
OpenSSH [e] No [f] YesNoNoYesYesYesYesYesYesYesYesProxyCommand
PuTTY YesYesYesYesYesYesNoYesYes [g] YesYesYes [h] SOCKS 4, 5; HTTP; Telnet; Local
SecureCRT YesYesYesYesYesYesNoYesYesYesYesYesSOCKS 4, 5; HTTP; Telnet; Generic
SmartFTP NoYesYesNoNoNoNoNoYesYesYesYesSOCKS 4, 5; HTTP
Tera Term YesYesYesNoYesNoNoNoNoYesYesSCPSOCKS 4, 5; HTTP; Telnet
TN3270 Plus YesYesYesNoNoYesNoYesNoYesYesNoSOCKS 4
WinSCP [i] No [j] YesNoNolimited [k] NoNoNoYesYessimpleYesSOCKS 4, 5; HTTP; Telnet; Local
wolfSSH NoYesNoNoYesNoNoNoNoYessimpleYesNo
ZOC Terminal YesYesYesYesYesYesNoNoYesYesYesYes [l] [m] SOCKS 4; 5; HTTP; Jumpserver
NameSSH1
(insecure)		SSH2Additional protocols Tunneling Session
multiplexing
[a] 		Kerberos IPv6 Terminal SFTP/SCP Proxy client [b]
TELNET rlogin Port
forwarding 		SOCKS
[c] 		VPN
[d]
  1. 1 2 Accelerating OpenSSH connections with ControlMaster.
  2. 1 2 Can the SSH client connect itself through a proxy? This is distinct from offering a SOCKS proxy or port forwarding.
  3. 1 2 The ability for the SSH client to perform dynamic port forwarding by acting as a local SOCKS proxy.
  4. 1 2 The ability for the SSH client to establish a VPN, e.g. using TUN/TAP.
  5. Also known as OpenBSD Secure Shell.
  6. OpenSSH deleted SSH protocol version 1 support in version 7.6 (2017-10-03)
  7. The version 0.63 supports GSSAPI. Successfully tested on Win 8 using Active Directory
  8. The PuTTY developers provide SCP and SFTP functionality as binaries for separate download.
  9. WinSCP bundles a number of software components including PuTTY. .
  10. WinSCP Version history.
  11. WinSCP connection tunneling.
  12. SCP and SFTP through terminal.
  13. SCP and SFTP according to ZOC features page.

Protocol support reveals significant evolution in SSH client security. Modern clients universally support SSH2, while SSH1 support (now recognized as insecure) has been largely deprecated—OpenSSH removed SSH1 support entirely in version 7.6 (2017), and several newer clients like Bitvise SSH Client, Dropbear, and wolfSSH never implemented it. Port forwarding and SOCKS proxy capabilities are nearly universal among full-featured clients, enabling secure tunneling for various applications. VPN tunneling via TUN/TAP is less common, supported primarily by OpenSSH, Bitvise SSH Client, and WinSCP (limited). Session multiplexing, which allows multiple SSH sessions over a single connection, is supported by advanced clients like OpenSSH, Bitvise SSH Client, lsh, PuTTY, SecureCRT, and TN3270 Plus, offering performance benefits for users managing multiple concurrent sessions. Kerberos integration, important for enterprise environments, is widely supported across both open-source and commercial clients. SFTP/SCP support for file transfers is nearly universal, though implementation quality varies—some clients offer only basic functionality while others provide full-featured file management interfaces. Proxy client capabilities (connecting through intermediate proxies) are comprehensive in clients like PuTTY, SecureCRT, and WinSCP, supporting SOCKS 4/5, HTTP, Telnet, and custom proxy types.

Features

Beyond core protocol support, SSH clients differ significantly in user-facing features that affect usability, productivity, and workflow integration. This section compares features such as keyboard mapping, session tabs, file transfer protocols, text search, mouse support, Unicode handling, scripting capabilities, and security features like public key authentication, smart card support, and FIPS 140-2 validation. These features distinguish basic terminal clients from comprehensive remote access solutions.


NameKeyboard mapping
Session tabs
ZMODEM
transfers
Find text
in buffer
Mouse input
support [a]
Unicode
support
URL hyperlinking
Public key
authentication
Smart card
support
Hardware encryption
FIPS 140-2
validation
Scripting
Shared
Database
Auto-reconnect
CA Certificates
AbsoluteTelnet fullYesYesYesYesYesYesYesYesYes [b] YesYes???
Bitvise SSH Client?NoNoNoYesYesNoYesNo?PartialYesNoYesNo
OpenSSH [c] ?NoNo?Yes [d] Yesnot native [e] YesYesYesPartial [f] NoNo?Yes [g]
PuTTY NoNo [h] NoNoYesYesNo [i] YesNoYesNoNoNoNoNo [j]
SecureCRT YesYesYesYesYesYesYesYesYesNoYesYesNo??
SmartFTP PartialYesNoYesYesYesYesYesYes AES-NI YesNo???
Tera Term YesYesYesNoYesYesYesYesNoNoNoYesNo??
TN3270 Plus YesYesNoNoNoNoYesYesNoNoNoYes???
wolfSSH NoNoNoNoNoYesNoYesNoYesYesNoNoNoYes
ZOC Terminal fullYesYesYesYesYesYesYesYesYes [k] NoYes??Yes [l]
  1. The ability to transmit mouse input to text mode applications such as Midnight Commander
  2. AbsoluteTelnet/SSH supports hardware-backed Secure Keys via FIDO2/WebAuthn (ed25519-sk and ecdsa-sk) beginning with Version 13.14. [13]
  3. Also known as OpenBSD Secure Shell.
  4. Only when the terminal itself supports mouse input. Most graphical ones do, e.g. xterm.
  5. No native URL highlighting; however most graphical consoles support URL highlighting.
  6. Validated when running OpenSSH 2.1 on Red Hat Enterprise Linux 6.2 in FIPS mode or when running OpenSSH 1.1 on Red Hat Enterprise Linux 5 in FIPS mode
  7. OpenSSH supports the minimal certificate format since v5.4. "OpenSSH Release Notes: 5.4". OpenBSD Project. 2010-03-08. Retrieved 2021-08-30.
  8. PuTTY does not support tabs directly, but many wrappers are available that do.
  9. Putty v71.0 does not support OpenSSH certificates. See Ben Harris' 2016-04-21 wish. [14] [15]
  10. ZOC supports FIDO/sk keys with Version 9, see Version history and FIDO2 Instructions. [16] [17]
  11. ZOC supports OpenSSSH style CA Keys, see ZOC feature list (SSH features). [18]

Feature comparison reveals the divide between basic terminal clients and comprehensive remote access solutions. Session tabs and advanced UI features are primarily found in commercial clients like SecureCRT, SmartFTP, Tera Term, TN3270 Plus, and ZOC Terminal, while command-line tools like OpenSSH rely on external terminal emulators for such functionality. ZMODEM file transfer support, once popular for serial communications, remains available in several clients (AbsoluteTelnet, SecureCRT, Tera Term, ZOC Terminal) but has largely been superseded by SFTP/SCP. Unicode support is now standard across modern clients, essential for international character sets and proper terminal display. Public key authentication is universally supported, representing the security standard for SSH connections. Smart card support and hardware encryption capabilities are concentrated in commercial and specialized clients (AbsoluteTelnet, SecureCRT, SmartFTP, ZOC Terminal), targeting enterprise and high-security environments. FIPS 140-2 validation, required for certain government and regulated industry deployments, is available in AbsoluteTelnet, SecureCRT, SmartFTP, and select OpenSSH configurations. Scripting support varies widely: some clients offer no scripting (PuTTY, Dropbear), while others provide comprehensive automation through platform-native languages or proprietary scripting engines. The emergence of FIDO2/security key support (AbsoluteTelnet, OpenSSH, ZOC Terminal) represents the latest evolution in authentication technology, enabling hardware-backed cryptographic keys for enhanced security.

Authentication key algorithms

Cryptographic algorithm support determines both the security level and compatibility of SSH clients with various servers and security policies. This section examines support for authentication key algorithms including legacy DSA, widely-used RSA variants, ECDSA (Elliptic Curve Digital Signature Algorithm), modern EdDSA (Edwards-curve Digital Signature Algorithm), and hardware security keys. Algorithm support reflects both security best practices and backward compatibility requirements.

This table lists standard authentication key algorithms implemented by SSH clients. Some SSH implementations include both server and client implementations and support custom non-standard authentication algorithms not listed in this table.

Namessh-dss [a] ssh-rsa RSA with SHA-2 ECDSA with SHA-2 EdDSA Security keys
rsa-sha2-256rsa-sha2-512ecdsa-sha2-nistp256ecdsa-sha2-nistp384ecdsa-sha2-nistp521ssh-ed25519ssh-ed448sk-ecdsa-sha2-nistp256sk-ssh-ed25519
AbsoluteTelnet YesYesYesYesYesYesYesYesNoYesYes
Bitvise SSH Client?????????
Dropbear YesYesYesNoYesYesYesYes?
lsh ?????????
OpenSSH [b] Yes [c] YesYesYesYesYesYesYesNoYesYes
PuTTY YesYesYesYesYesYesYesYesYesNo [d] No [d]
SecureCRT YesYesYesYesYesYesYesYes?
SmartFTP YesYesYesYesYesYesYesYesNoNoNo
Tera Term ?????????
TN3270 Plus ?????????
WinSCP NoYesYesYesYesYesYes??
wolfSSH NoYesYesYesYesYesYesNoNoNoNo
ZOC Terminal [e] YesYesYesYesYesYesYesYesNoYes [f] Yes [f]


  1. ssh-dss is based on Digital Signature Algorithm which is sensitive to entropy, secrecy, and uniqueness of its random signature value.
  2. Also known as OpenBSD Secure Shell.
  3. By default, disabled at run-time since OpenSSH 7.0 released in 2015.
  4. 1 2 PuTTY does not support security keys / FIDO tokens, but is supported in PuTTY-CAC
  5. ZOC' SSH is based on OpenSSH and supports the same encryptions.
  6. 1 2 ZOC supports FIDO/sk keys with Version 9, see Version history and FIDO2 Instructions. [16] [17]

Authentication algorithm support demonstrates the ongoing evolution of SSH security standards. The deprecated ssh-dss algorithm, based on DSA and sensitive to weak random number generation, remains supported in several clients for backward compatibility but is disabled by default in security-conscious implementations like OpenSSH (since version 7.0, 2015). Traditional ssh-rsa enjoys universal support as the long-standing standard. Modern RSA variants using SHA-2 (rsa-sha2-256 and rsa-sha2-512) are widely adopted, offering improved security over the original SHA-1-based implementation. ECDSA algorithms across multiple curves (nistp256, nistp384, nistp521) provide strong security with smaller key sizes and are broadly supported. EdDSA algorithms, particularly ssh-ed25519, represent current best practice with superior performance and security characteristics—widely supported across modern clients, though ssh-ed448 support remains less common. Security key support (sk-ecdsa-sha2-nistp256 and sk-ssh-ed25519) for FIDO2/WebAuthn hardware tokens is emerging in leading clients (AbsoluteTelnet, OpenSSH, ZOC Terminal), enabling hardware-backed authentication resistant to key theft. The incomplete data for several clients (indicated by "?") suggests this comparison would benefit from community contributions to document full algorithm support across all implementations.

See also

References

  1. "Bitvise SSH Server Version History".
  2. "Release 1.9.10". 21 December 2023. Retrieved 19 January 2024.
  3. . 7 May 2025 https://github.com/mkj/dropbear/releases/tag/DROPBEAR_2025.88 . Retrieved 8 May 2025.{{cite web}}: Missing or empty |title= (help)
  4. "OpenSSH 10.1". 6 October 2025. Retrieved 6 October 2025.
  5. Simon Tatham (8 February 2025). "PuTTY 0.83 is released" . Retrieved 9 February 2025.
  6. 1 2 3 "SecureCRT 9.6.4".
  7. "SecureCRT on the App Store".
  8. "Release 5.5.1". 17 November 2025. Retrieved 18 November 2025.
  9. "TN3270 Plus Version History". February 2019.
  10. https://github.com/wolfSSL/wolfssh/releases/tag/v1.4.21-stable . Retrieved 22 October 2025.{{cite web}}: Missing or empty |title= (help)
  11. 1 2 "ZOC Version History".
  12. "ZOC V4.15". 25 August 2004.
  13. "AbsoluteTelnet/SSH Release Notes".
  14. "ssh2-openssh-certkeys.html".
  15. "ssh2-openssh-certkeys".
  16. 1 2 "ZOC Version History".
  17. 1 2 "Using FIDO2/SK Keys with ZOC Terminal on Windows for Access to Linux Servers".
  18. "ZOC Feature List (SSH)".
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.