ssh, scp and sftp for java


sshj - SSHv2 library for Java


To get started, have a look at one of the examples. Hopefully you will find the API pleasant to work with :)

Getting SSHJ

To get SSHJ, you have two options:

  1. Add a dependency on SSHJ to your project.

  2. Build SSHJ yourself.

And, if you want, you can also run the SSHJ examples.

Binary releases of SSHJ are not provided here, but you can download them straight from the Maven Central repository if you want to.

Depending on SSHJ

If you’re building your project using Maven, you can add the following dependency to the pom.xml:


If your project is built using another build tool that uses the Maven Central repository, translate this dependency into the format used by your build tool.

Building SSHJ

  1. Clone the Overthere repository.

  2. Ensure you have Java6 installed with the Unlimited strength Java Cryptography Extensions (JCE).

  3. Run the command ./gradlew clean build.

Running the examples

In the examples directory, there is a separate Maven project that shows how the library can be used in some sample cases. If you want to run them, follow these guidelines:

  1. Install Maven 2.2.1 or up.

  2. Clone the Overthere repository.

  3. Go into the examples directory and run the command mvn eclipse:eclipse.

  4. Import the examples project into Eclipse.

  5. Change the login details in the example classes (address, username and password) and run them!

Features of the library include:

  • reading known_hosts files for host key verification

  • publickey, password and keyboard-interactive authentication

  • command, subsystem and shell channels

  • local and remote port forwarding

  • scp + complete sftp version 0-3 implementation

Supported algorithms

Implementations / adapters for the following algorithms are included:


ciphers

aes{128,192,256}-{cbc,ctr}, blowfish-{cbc,ctr}, 3des-{cbc,ctr}, twofish{128,192,256}-{cbc,ctr}, twofish-cbc, serpent{128,192,256}-{cbc,ctr}, idea-{cbc,ctr}, cast128-{cbc,ctr}, arcfour, arcfour{128,256}

SSHJ also supports the following extended (non-official) ciphers: camellia{128,192,256}-{cbc,ctr}, camellia{128,192,256}-{cbc,ctr}

key exchange

diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group-exchange-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521,


signatures

ssh-rsa, ssh-dss, ecdsa-sha2-nistp256, ssh-ed25519

mac

hmac-md5, hmac-md5-96, hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-sha2-512

compression

zlib and (delayed zlib)

private key files

pkcs8 encoded (what openssh uses)

If you need something that is not included, it shouldn’t be too hard to add (do contribute it!)
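The list above includes legacy algorithms (arcfour, CBC-mode ciphers, hmac-md5, diffie-hellman-group1-sha1) that a client may prefer not to offer. The following is an added example, not code from the SSHJ project: it removes those names from a `DefaultConfig` before connecting, verifies the host key against known_hosts, and closes the command before reading its exit status. The host name, user name, command and the refusal policy are assumptions.

```java
import net.schmizz.sshj.DefaultConfig;
import net.schmizz.sshj.SSHClient;
import net.schmizz.sshj.common.Factory;
import net.schmizz.sshj.common.IOUtils;
import net.schmizz.sshj.connection.channel.direct.Session;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.TimeUnit;

public class HardenedExec {
    // Example policy (an assumption, adjust to your own baseline): names to refuse.
    static boolean refused(String name) {
        return name.startsWith("arcfour") || name.endsWith("-cbc")
                || name.startsWith("hmac-md5") || name.endsWith("-96")
                || name.equals("diffie-hellman-group1-sha1");
    }
    // Copy a factory list, keeping only the algorithms the policy allows.
    static <T> List<Factory.Named<T>> allowed(List<Factory.Named<T>> all) {
        List<Factory.Named<T>> kept = new ArrayList<Factory.Named<T>>();
        for (Factory.Named<T> f : all) {
            if (!refused(f.getName())) kept.add(f);
        }
        return kept;
    }
    public static void main(String[] args) throws Exception {
        DefaultConfig config = new DefaultConfig();
        config.setCipherFactories(allowed(config.getCipherFactories()));
        config.setMACFactories(allowed(config.getMACFactories()));
        config.setKeyExchangeFactories(allowed(config.getKeyExchangeFactories()));
        SSHClient ssh = new SSHClient(config);
        ssh.loadKnownHosts();                // host key must match ~/.ssh/known_hosts
        ssh.connect("ssh.example.org");      // placeholder host
        try {
            ssh.authPublickey("deploy");     // placeholder user, default key files in ~/.ssh
            Session session = ssh.startSession();
            try {
                Session.Command cmd = session.exec("uname -a");
                String out = IOUtils.readFully(cmd.getInputStream()).toString();
                cmd.join(10, TimeUnit.SECONDS);
                cmd.close();                 // close before inspecting the exit status
                System.out.println(cmd.getExitStatus() + ": " + out);
            } finally {
                session.close();
            }
        } finally {
            ssh.disconnect();
        }
    }
}
```

If the server only offers refused algorithms, negotiation fails during `connect`, which is the intended outcome of the policy.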

Comparing to other implementations


Dependencies

Java 6+. slf4j is required. bouncycastle is highly recommended and required for using some of the crypto algorithms. jzlib is required for using zlib compression.

Reporting bugs


Fork away!

Release history

SSHJ 0.17.3 (2016-09-30)
  • Fixed Android compatibility

  • Upgrade to Gradle 3.0

  • Merged #271: Load known_hosts without requiring BouncyCastle

  • Merged #269: Brought back Java6 support by popular demand

  • Merged #267: Added support for per connection logging (Fixes #264)

  • Merged #262, #265 and #266: Added PKCS5 key file support

  • Fixed toString of sftp FileAttributes (Fixes #258)

  • Fixed #255: No longer depending on 'privately marked' classes in net.i2p.crypto.eddsa.math package, fixes OSGI dependencies

SSHJ 0.17.2 (2016-07-07)
  • Treating SSH Server identification line ending in '\n' instead of '\r\n' leniently.

SSHJ 0.17.1 (2016-07-06)
  • Improved parsing of the SSH Server identification. Overly long header lines no longer break the protocol.

SSHJ 0.17.0 (2016-07-05)
  • Introduced breaking change in SFTP copy behaviour: Previously an SFTP copy operation would behave differently if both source and target were folders with different names. In this case, instead of copying the contents of the source into the target directory, the directory itself was copied as a subdirectory of the target directory. This behaviour has been removed in favour of the default behaviour, which is to copy the contents of the source into the target, bringing the behaviour in line with how SCP works.

  • Fixed #252 (via: #253): Same name subdirs are no longer merged by accident

SSHJ 0.16.0 (2016-04-11)
  • Fixed #239: Remote port forwards did not work if you used the empty string as address, or a catch-all address.

  • Fixed #242: Added OSGI headers to sources jar manifest

  • Fixed #236: Remote Port forwarding with dynamic port allocation fails with BufferUnderflowException

  • Upgraded gradle distribution to 2.12

  • Closed #234: Dropped Java6 support (0.15.0 was already Java6 incompatible due to Java7 dependency)

  • Fixed #118: Added configuration switch for waiting on a server ident before sending the client ident.

  • Fixed #114: Added javadoc that you always need to call close() on a Command before inspecting the exit codes.

  • Fixed #237: Fixed race condition if a global request is received directly after a successful auth.

SSHJ 0.15.0 (2015-11-20)
  • Fixed #220: Added support for ssh-ed25519 host keys

  • Fixed #225: Fixed bug in ECDSA fingerprint calculation that sometimes produced an incorrect fingerprint

  • Added arcfour Stream Ciphers from RFC4253 and RFC4345

  • Added all Block Ciphers from RFC4344 and RFC4253

SSHJ 0.14.0 (2015-11-04)
  • Fixed #171: Added support for key exchange algorithm

  • Added support for ecdh-sha2-nistp256, ecdh-sha2-nistp384 and ecdh-sha2-nistp521 key exchange algorithms

  • Fixed #167: Added support for diffie-hellman-group-exchange-sha1 and diffie-hellman-group-exchange-sha256 key exchange methods

  • Fixed #212: Configure path escaping to enable shell expansion to work correctly

  • Merged #210: RemoteFileInputStream.skip returns wrong value (Fixes #209)

  • Merged #208: Added SCP bandwidth limitation support

  • Merged #211: Made keyfile format detection more robust

SSHJ 0.13.0 (2015-08-18)
  • Merged #199: Fix for IndexOutOfBoundsException in ReadAheadRemoteFileInputStream, fixes #183

  • Merged #195: New authentication supported: gssapi-with-mic

  • Merged #201: New option to verify negotiated key exchange algorithms

  • Merged #196: Fix for looking up complete hostname in known hosts file

SSHJ 0.12.0 (2015-04-14)
  • Added support for HTTP proxies when running JDK6 or JDK7, fixes: #170

  • Merged #186: Fix for detecting end-of-stream

  • Compiling to JDK6, fixes #179 and #185

  • Correctly close socket and channel when LocalPortForwarder fails to open and start the channel (Fixes #175 and #176)

  • Merged #181: Invalid write packet length when reading with offset (Fixes #180)

SSHJ 0.11.0 (2015-01-23)
  • New maven coordinates com.hierynomus:sshj:0.11.0 as @hierynomus took over as maintainer of SSHJ

  • Migrated build system to Gradle 2.2.1

  • Merged #150: Fix for incorrect file handle on some SSH servers, fixes: #54, #119, #168, #169

  • Made jzlib optional in OSGi bundling, fixes: #162

  • Improved some log levels, fixes: #161

  • Merged #156, #164, #165: Fixed block sizes for hmac-sha2-256 and hmac-sha2-512

  • Merged #141: Add proxy support

  • Merged #157, #163: Doc and build fixes

  • Upgraded BouncyCastle to 1.51, fixes: #142

  • Implemented keep-alive with connection drop detection, fixes #166