ssh-forcecommand is a script to safely execute remote commands via ssh. It is especially aimed at automated remote commands (in which ssh keys are not secured via password), where a compromise of the remote system could also compromise the local system. To prevent this, ssh-forcecommand can be invoked through the ssh configuration, which will limit the remote system so that it can only execute a set of statically defined commands. This way, compromising the local system is made much more difficult.
ssh-keyinstall is a script that helps an ssh user set up the keys at both ends of an ssh connection. It creates an RSA or DSA key if needed and copies the public half to the server. Once the process is done, you'll be able to log in with the passphrase and key instead of a password.
ssh-multiadd adds multiple ssh keys to the ssh authentication agent. These may use the same passphrase. When run without arguments, it adds $HOME/.ssh/identity and $HOME/.ssh/id_dsa. Alternative file names can be given on the command line or in the configuration file. It uses ssh-askpass if necessary. Unlike ssh-add, if any of the keys use the same passphrase, you will only need to enter each unique passphrase once, and keys that are already added will not be prompted for again.
ssh-smart is a basic proof-of-concept implementation of ssh authentication via smartcard. The smartcard which is used to store the ssh identity is a memory card (I2C 16KBIT/2048 bytes). ssh-smart uses multiple Perl scripts and the smartcard program to establish communication with the reader and the memory card. It has only been tested with the Towitoko chip drive micro, but it could work with other card reader terminal drivers using the CT-API library. The project is in an early stage of development and a lot has to be done before it can be considered a reliable solution to store an ssh identity in a secure way.
sshdfilter automatically blocks ssh brute force attacks by reading sshd log output in real time and adding iptables rules based on authentication failures. A block rule is created when someone tries to log on with an invalid user name or wrongly guesses the password for an existing account. Block rules are removed after a week to keep the list of blocks small. It also comes with a LogWatch filter.
sshutout is a daemon that periodically monitors log files, looking for multiple failed login attempts via the Secure Shell daemon. The daemon is meant to mitigate what are commonly known as "dictionary attacks," i.e. scripted brute force attacks that use lists of user IDs and passwords to effect unauthorized intrusions. The sshutout daemon blunts such attacks by creating firewall rules to block individual offenders from accessing the system. These rules are created when an attack signature is detected, and after a configurable expiry interval has elapsed, the rules are deleted.