
How SSH port became 22 - ronsor
https://www.ssh.com/ssh/port
======
JoshTriplett
While the copies of the original emails are mildly interesting, it looks like
the answer is just "Because I asked for port 22 and got it".

~~~
ahnick
IMHO the interesting thing about the emails is it provides insight into his
process of asking for it. He had done all of the other work ahead of time and
even provided the draft protocol spec in his email. He also was willing to
accept a different port number assignment, but gently suggested just
continuing what they had been using during local testing. Had he asked in a
very terse manner or not done as much legwork up front, then conceivably he
might not have received a port assignment at all.

~~~
notyourwork
These personas are the biggest difference I find between great and decent
engineers. Great engineers do their homework or due diligence first.

------
amichal
Around this time the method to get a DNS name was basically the same. Send an
email with some reasoning to the right person and the name was yours. I
remember being amazed that was the case. I also got a SSL cert issued around
1995-6 and the process then was email followed by faxing (or paper mail) proof
(in the form of bank account, DUNS numbers and state-level incorporation
records) documentation confirming you were who you say you were. I don't
believe money even changed hands then.

~~~
raarts
I vividly recall getting a visit (around '96) from Mark Shuttleworth (of
Canonical fame). He had founded Thawte Consulting, I think the first
competitor of Verisign, who were the only company that sold SSL certificates
at the time. He was traveling Europe to visit ISPs trying to woo them into
using his service for SSL certificates. He had to spend some time explaining
what certificates actually are, because I only had a vague idea (I founded one
of the first ISPs in the Netherlands but nobody used SSL at the time). He was
much cheaper than Verisign, by automating the process on his site so it was an
easy sell.

~~~
heywire
Wow, I can’t believe I didn’t know Mark Shuttleworth founded Thawte. I always
knew him as the Ubuntu guy, but never knew where he earned his millions.

> Shuttleworth founded Thawte Consulting in 1995, a currently running company
> which specialized in digital certificates and Internet security. In December
> 1999, Thawte was acquired by VeriSign, earning Shuttleworth R3.5 billion
> (about US$575 million, equivalent to $844.70 million in 2017).

[https://en.wikipedia.org/wiki/Mark_Shuttleworth](https://en.wikipedia.org/wiki/Mark_Shuttleworth)

------
0x0
The article only briefly mentions port >= 1024 for non-root, but it's probably
important to note that it is desirable to have the default port be < 1024.
That way, you can be sure you are connecting to an sshd operated by the remote
system's root user (and not, say, a random student's unix user account running
a spoof sshd).

Obviously this matters more for multi-user systems, but even today it's nice
to know that the sshd listen port on the remote end can't be hijacked by a
random WordPress exploit kit (unless that kit also privesc's to root).

~~~
mmirate
Bubkes. A middlebox can transparently rewrite incoming packets' port numbers
from 22 to 2200, and backwards.

~~~
0x0
Absolutely.

But in a classic UNIX network, middleboxes aren't a part of the threat model.

Unprivileged UNIX user accounts binding on TCP ports were and are. So, ports
below 1024 were reserved for the root account and that was a decent protection
at the time against enterprising users trying to race system daemons in
binding listening sockets.

See for example
[https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html](https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html)

And even today, it still protects against an exploit kit running as "www-data"
or "nobody" springboarded from a WordPress exploit.
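
An added example, not from the article or from anyone in this thread, that lets you check 0x0's claim on the machine in front of you. It classifies a port against the privileged threshold and then asks the kernel to bind it as the current user, so an unprivileged account is refused on 22 (EACCES) and succeeds on 2222. The caveat a modern reader needs: on Linux the threshold is a sysctl (net.ipv4.ip_unprivileged_port_start, default 1024) that root can lower, and CAP_NET_BIND_SERVICE grants the bind without full root, so "port below 1024" means "root, or something root delegated to", not strictly root. The 127.0.0.1 bind address and the two ports tried are choices made for this example.

```python
import errno
import os
import socket

# Classic threshold: ports below this need root. On Linux the live value is
# the sysctl net.ipv4.ip_unprivileged_port_start, which root may lower.
DEFAULT_UNPRIVILEGED_START = 1024


def unprivileged_port_start() -> int:
    """First port an unprivileged process may bind on this host.

    Reads the Linux sysctl from /proc; falls back to 1024 on other kernels
    or when /proc is not readable.
    """
    try:
        with open("/proc/sys/net/ipv4/ip_unprivileged_port_start") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return DEFAULT_UNPRIVILEGED_START


def is_privileged_port(port: int, start: int = DEFAULT_UNPRIVILEGED_START) -> bool:
    """True when binding `port` needs root or CAP_NET_BIND_SERVICE."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return port < start


def try_bind(port: int, host: str = "127.0.0.1") -> str:
    """Ask the kernel for a TCP listener on host:port and report the outcome.

    "bound"       the current user may run a service here
    "eacces"      refused: privileged port and no capability (or a sandbox
                  that denies sockets altogether)
    "eaddrinuse"  a daemon already holds it, e.g. the real sshd on 22
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((host, port))
            s.listen(1)
            return "bound"
    except PermissionError:
        return "eacces"
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return "eaddrinuse"
        raise


if __name__ == "__main__":
    start = unprivileged_port_start()
    print(f"euid={os.geteuid()}, unprivileged ports start at {start}")
    for port in (22, 2222):  # sshd's default and a common unprivileged alternative
        print(f"port {port}: privileged={is_privileged_port(port, start)} "
              f"bind={try_bind(port)}")
```

Run it once as a normal user and once with sudo. On a host that already runs sshd, port 22 reports eaddrinuse rather than eacces even for root, which is the other half of what 0x0 describes: a privileged daemon that holds the port cannot be raced out of it by an unprivileged process.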

------
exabrial
It became port 22 because we don't use srv records and we wonder why we have
an IPv4 crisis when there's like only 3 ports of 64k used on any server:
443,80,22.

~~~
chungy
IPv4 crisis has pretty much nothing to do with ports.

~~~
pixl97
Eh, with srv records and port forwarding one IP can easily serve 20,000+ sites.

~~~
chungy
It's hardly in dispute but it doesn't really detract from how limited IPv4
addressing is. There's only about 3.7 billion addresses available for the
entire world.

This is in contrast to IPv6, where in the worst case, each organization would
have a /64 and the entire world would have approximately a quintillion networks
(2^(64-4), subtracting the /4 that the entire Internet is currently restricted
to), each of which can support 18 quintillion hosts. And that's worst case,
even residential ISPs frequently give out /56s.

------
nailer
> The number should preferably be in the range 1-255 so that it can be used in
> the WKS field in name servers.

Can't find any reference to WKS as a 'field' or record type. Any greybeards
want to elaborate?

~~~
neilwilson
Good old RFC 1035 is your friend

Section 3.4.2

~~~
jwilk
[https://tools.ietf.org/html/rfc1035#section-3.4.2](https://tools.ietf.org/html/rfc1035#section-3.4.2)
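
For the WKS question: RFC 1035 section 3.4.2 defines WKS RDATA as a 32-bit IPv4 address, an 8-bit IP protocol number and a bit map in which bit n (counting from the most significant bit of the first octet) is set when port n is offered; the map is padded to whole octets and is only as long as the highest port it has to reach. That sizing is why the registration guidance quoted above preferred ports 1-255: a service on port 22 costs three octets of bit map, one on port 2200 would cost 276. The encoder and decoder below are an added example written for this page, not code from the article or the thread; the address and port lists are constructed. RFC 1123 already recommended against publishing WKS records and they are essentially never seen today, so read this as a walk through the format, not a suggestion to use it.

```python
import ipaddress
import struct

# IP protocol numbers that appear in the PROTOCOL octet.
TCP, UDP = 6, 17


def encode_wks(address: str, protocol: int, ports) -> bytes:
    """Build WKS RDATA per RFC 1035 3.4.2.

    Layout: 4-octet IPv4 ADDRESS, 1-octet PROTOCOL, then a BIT MAP in which
    bit n (MSB of octet 0 is bit 0) is set when port n is served. The map is
    sized by the highest port present and padded to a whole octet.
    """
    ports = sorted(set(ports))
    for p in ports:
        if not 0 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    bitmap = bytearray(bitmap_octets(ports))
    for p in ports:
        bitmap[p // 8] |= 0x80 >> (p % 8)
    return (ipaddress.IPv4Address(address).packed
            + struct.pack("!B", protocol)
            + bytes(bitmap))


def decode_wks(rdata: bytes):
    """Inverse of encode_wks: returns (address, protocol, sorted port list)."""
    if len(rdata) < 5:
        raise ValueError("WKS RDATA needs at least ADDRESS and PROTOCOL")
    address = str(ipaddress.IPv4Address(rdata[:4]))
    protocol = rdata[4]
    ports = [i * 8 + bit
             for i, octet in enumerate(rdata[5:])
             for bit in range(8)
             if octet & (0x80 >> bit)]
    return address, protocol, ports


def bitmap_octets(ports) -> int:
    """Octets the bit map needs to reach the highest listed port."""
    return max(ports) // 8 + 1 if ports else 0


if __name__ == "__main__":
    # Constructed sample: a host offering FTP, SSH, telnet and HTTP over TCP.
    rdata = encode_wks("192.0.2.10", TCP, [21, 22, 23, 80])
    print(len(rdata), "octets of RDATA:", rdata.hex())
    print(decode_wks(rdata))
    print("bit map octets for port 22:", bitmap_octets([22]),
          "for port 2200:", bitmap_octets([2200]))
```

Ports 21, 22 and 23 all land in octet 2 of the map (values 0x04, 0x02 and 0x01, so 0x07 together), which is the "neighbourhood" the tl;dr above refers to, and a single high port drags the whole record out to hundreds of octets.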

------
rynop
Nice read. Helped me take a moment to reflect how wonderful of a tool ssh is.
Simple to use, yet powerful. Thanks Tatu!!

------
moogly
Previous discussion (with some of the same comments):
[https://news.ycombinator.com/item?id=14178091](https://news.ycombinator.com/item?id=14178091)

------
kimdotcom
I always thought it was because it was one less than telnet's port 23.

~~~
NoPicklez
That sounds like an interesting way to remember it, but isn't necessarily the
reason why.

------
degenerate
tl;dr - port 22 is between 21 (FTP) and 23 (telnet) and Tatu thought it would
give the service clout to have 22. IANA approved his email request and it was
registered.

~~~
Jaruzel
The body text of the article is only 1273 words. It takes all of a minute to
read it.

At which point did the bar for tl;dr become so low?

~~~
foodstances
When it started to take 1273 words to say one sentence of information to
attract readers.

------
cup-of-tea
So why did FTP have 21 and telnet have 23?

~~~
isostatic
FTP has port 21 and port 20.

~~~
js2
FTP's use of two ports is unusual. Port 21 is used for the control channel and
port 20 for data transfer. Its original design goes back to 1971 and predated
TCP/IP by quite a bit.

In the original design ("passive" mode wasn't added till later), the client
connects to a server on port 21 and then when it wants to transfer a file,
opens a local port and the server connects back to the client from port 20.
Also, FTP supported server-to-server transfers, where the client connected to
a pair of servers and then initiated a transfer between them[0].

[0] [https://tools.ietf.org/html/rfc765](https://tools.ietf.org/html/rfc765)
Figure 2.
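
The active-mode exchange js2 describes has a concrete wire form: the client sends PORT h1,h2,h3,h4,p1,p2 (the four address octets and the 16-bit port split into two decimal bytes, RFC 959) and the server then connects from its own port 20 to that address and port. Below is an added example for this page, not code from the thread or from any FTP implementation, that encodes and parses the PORT command and applies the two checks a server should make before dialling back: the advertised address must be the control-connection peer, and the port must not be a privileged one, because otherwise any anonymous client can aim the server's outbound connections at a third host (the classic FTP bounce). The addresses and port numbers are constructed.

```python
import ipaddress
import re

# RFC 959: PORT h1,h2,h3,h4,p1,p2  (each field a decimal 0..255)
_PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def encode_port_command(address: str, port: int) -> str:
    """Client -> server: where the server should connect back for data."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    a = ipaddress.IPv4Address(address).packed
    return f"PORT {a[0]},{a[1]},{a[2]},{a[3]},{port >> 8},{port & 0xFF}"


def parse_port_command(line: str):
    """Server side: recover (address, port) from a PORT line or raise ValueError."""
    m = _PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field exceeds 255")
    address = str(ipaddress.IPv4Address(bytes(fields[:4])))
    port = (fields[4] << 8) | fields[5]
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return address, port


def accept_port_command(line: str, control_peer_ip: str,
                        unprivileged_start: int = 1024):
    """Decide whether the server may open the data connection the client asked for.

    Returns (True, "addr:port") or (False, reason). The address check stops a
    client from pointing the server at a third host; the low-port check stops
    it from being used to poke at privileged services (SMTP, DNS, ...) there.
    """
    try:
        address, port = parse_port_command(line)
    except ValueError as e:
        return False, str(e)
    if address != control_peer_ip:
        return False, "data address differs from control-connection peer"
    if port < unprivileged_start:
        return False, "refusing to connect back to a privileged port"
    return True, f"{address}:{port}"


if __name__ == "__main__":
    # Constructed session: client 192.0.2.7 listening on 50021 for the data channel.
    cmd = encode_port_command("192.0.2.7", 50021)
    print(cmd)
    print(accept_port_command(cmd, "192.0.2.7"))
    print(accept_port_command("PORT 198,51,100,9,0,25", "192.0.2.7"))  # third host, port 25
```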

~~~
isostatic
Looking in /etc/services, it seems that most early protocols used odd numbers
on the server side (echo, finger, chargen, qotd, etc)

I wonder if the standard was originally

Client -> Server -- send to an odd port
Server -> Client -- send to an even port

By the time RFCs reached 4 figures, that (if it did exist) had gone -- gopher
was assigned to port 70 for example.

~~~
js2
It’s apparently due to hysterical raisins. The NCP host-host protocol was
simplex and required a pair of sockets. The convention for the return socket
was to connect to a “port” one less than the receiving port. At least I think.
See the connection establishment process described starting on page 7 of
[https://tools.ietf.org/html/rfc33](https://tools.ietf.org/html/rfc33)

~~~
isostatic
Thanks, something I hadn't encountered:

"On January 1, 1983, known as flag day, NCP was officially rendered obsolete
when the ARPANET changed its core networking protocols from NCP to the more
flexible and powerful TCP/IP protocol suite, marking the start of the modern
Internet."

I was 13 months old then, and (after conversations at tonight's summer party)
I'm apparently "old". Sigh.

> hysterical raisins

Took a while to realise you went for "historical reasons". But then see summer
party (and tomorrow's P45)....

------
rustcharm
I've run it on port 443 (https port) which makes it possible for me to get
through to it from inside many corporate firewalls.

------
amelius
Why is it still port "22" and not port "ssh"?

It seems a bit silly to be using numbers in this day and age.

~~~
jpablo
Are you proposing a ipv8? Put it in the queue, we will get to it about 50
years after IPv6 is implemented.

~~~
tssva
No ipv8 needed. The current recommended best practice in RFC 6335 is to request
just a service name and to only request a port number when absolutely
necessary.

The port a protocol is currently using on a particular server can be
discovered by using DNS-SD to return the appropriate DNS SRV record.
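
tssva's point, made concrete: with a registered service name rather than a fixed port, a client looks up _ssh._tcp.<domain> and receives SRV records carrying priority, weight, port and target, and RFC 2782 spells out the order in which to try them (lowest priority first; within a priority a weighted random pick, with weight 0 least likely). The code below is an added example for this page, not from the thread or from any resolver library; the records are constructed in place rather than fetched, and the random source is injectable so the ordering can be tested. Two caveats a practitioner would add: an SRV answer is only as trustworthy as the DNS that delivered it (without DNSSEC anyone who can spoof the response can send the client to a host and port of their choosing, and for SSH it is the host-key check that still catches that), and OpenSSH does not consult SRV records, so this is the general mechanism rather than what ssh(1) does today.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    """One SRV record's RDATA (RFC 2782)."""
    priority: int
    weight: int
    port: int
    target: str


def srv_name(service: str, proto: str, domain: str) -> str:
    """Owner name an SRV lookup uses, e.g. _ssh._tcp.example.com."""
    return f"_{service}._{proto}.{domain}".rstrip(".") + "."


def service_offered(records) -> bool:
    """RFC 2782: a single record whose Target is "." means 'decidedly not here'."""
    return not (len(records) == 1 and records[0].target == ".")


def order_srv(records, rng=random.random):
    """Return records in RFC 2782 try-order.

    Priorities ascend. Within a priority, records with weight 0 are placed
    first, then repeatedly: draw a number in [0, sum of weights], pick the
    first record whose running sum reaches it, remove it, and continue.
    """
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        pool.sort(key=lambda r: r.weight != 0)  # zero-weight entries first
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng() * total
            running = 0
            chosen = pool[-1]  # fallback guards against float rounding
            for r in pool:
                running += r.weight
                if running >= pick:
                    chosen = r
                    break
            pool.remove(chosen)
            ordered.append(chosen)
    return ordered


def connect_order(records, rng=random.random):
    """(target, port) pairs to attempt, in order."""
    if not service_offered(records):
        return []
    return [(r.target, r.port) for r in order_srv(records, rng)]


if __name__ == "__main__":
    # Constructed answer for _ssh._tcp.example.com.: two balanced primaries on
    # different ports and a weight-0 backup at a lower priority.
    records = [
        SRV(10, 60, 2222, "a.example.com."),
        SRV(10, 40, 22, "b.example.com."),
        SRV(20, 0, 22, "backup.example.com."),
    ]
    print(srv_name("ssh", "tcp", "example.com"))
    print(connect_order(records))
```

Note that the port comes back per target, which is the whole point of the SRV approach: a.example.com can run sshd on 2222 and b.example.com on 22 and clients never need to know, and nothing in the protocol needs a second "ssh-alt" port assignment.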

