Slashdot Mirror

← Back to Stories (view on slashdot.org)

SSH and OpenSSH Comparisons?

Posted by Cliff on from the which-secure-shell dept.

Colonel Bleep asks: "My company is finally on the road to getting serious about Unix server security. Though there's a lot more to do, the current push is to replace telnet, ftp, rcp and the like with ssh. Problem is, the security team in charge of the transition is composed mostly of Microsoft-trained techicians that hold varying opinions of open source software. Non team members, such as myself, are kept abreast of developments via email. Input is encouraged. OpenSSH came up during a recent email exchange with the coordinator. It didn't take long for the "isn't proprietary is better?" mantra to rear its ugly head. Though I use OpenSSH at home I found myself at a loss to explain why the corp might want to consider using it over commercial SSH. That's aside from the obvious open source peer review argument, of course. I haven't been able to uncover any direct side-by-side reviews of the two products but I would very much like to pass such a comparison along. What say ye?" Update: 11/14 2:40p EDT by C : Users of SSHv1 may want to take a look at this security bulletin on a potential SSHv1 exploit that is rumored to be in the wild.

26 comments

  1. User Interface by macemoneta · · Score: 3, Interesting

    While the two are essentially the same in functionality from a user perspective, the commercial version does have a nice GUI. While it may not sound like much, it improves the usability, and probably reduces support costs.

    --

    Can You Say Linux? I Knew That You Could.

  2. Obvious differences by Tet · · Score: 4, Informative
    Every line of code in OpenSSH has been security audited, which explains why the commercial ssh has been found vulnerable to a number of attacks, while OpenSSH has (for the most part) been OK.

    OpenSSH will save your company money. This has to be balanced against the lack of a commercial support contract, although I'm sure you could find someone prepared to sell you a supoprt contract for OpenSSH. Where the balance swings depends on your companies priorities.

    OpenSSH gives you peace of mind that the software you're depending on isn't vulnerable to the financial failure of a commercial company.

    Commercial ssh has a few features that aren't yet present in OpenSSH (twofish and IDEA ciphers, for example, or host based authentication).

    --
    "The invisible and the non-existent look very much alike." -- Delos B. McKown
    1. Re:Obvious differences by Anonymous Coward · · Score: 0

      That's FUD; there's been so far more security flaws in OpenSSH than in the $$H. (Search www.securityfocus.com if you don't believe me)

    2. Re:Obvious differences by noahm · · Score: 1
      Every line of code in OpenSSH has been security audited, which explains why the commercial ssh has been found vulnerable to a number of attacks, while OpenSSH has (for the most part) been OK.

      If you don't think that all of the commercial implementations have been audited, you are very mistaken. The commercial ssh vendors would not be in business if they did not realize the security benefits of code audits.

      noah

    3. Re:Obvious differences by roybadami · · Score: 1

      I'm pretty sure OpenSSH now has SSH v2 host-based authentication (it's always had SSH v1.5 host-based authentication).

  3. The differences are minor... by pwagland · · Score: 3, Interesting
    Hi,

    The reality is that the differences are really minor, and, now that RSA is legal, openssh can be setup to act almost exactly the same as closedssh.

    The only signicant difference between them for most peole is the price.

    There used to be a fair bit of difference, but at least for unix, this is no longer true. Since 2.5 openssh has supported sftp. Since 3.0 it supports rekeying a session. With external PAM modules you can support smart cards and securid logins.

    The one advantage that ssh has over openssh is that this is all integrated into one package. The smartcard support is built in, you don't have to go looking for support.

    If you are not planning on using smartcards or tokens, then openssh wins based on price alone. You can get it pre-compiled for most platforms, so the compilation is not so much the issue. Otherwise you have to weigh the choices a little more carefully. Check to see if your required token/card is supported by both. If not, then it is likely to be easier to add support into openssh, having the source and all.

    In terms of windows clients...that is one big differentiator. Again, mostly money! We use tera-term and that works quite well, but does not do ssh V2 protocols.

    In either case, you are buying a big whack of security, but don't forget, passwords can be extremely weak! Don't let up on the other security policies just because you now have SSH. (And yes, I know that the poster is not responsible for this, this is just a general admonition :-)

    Whatever you get, I wish you the best of luck.

    Now for the gratuitous links: :-)

    securid and openssh

    some preliminary smartcard itegration with openssh

    another smartcard and openssh link

    1. Re:The differences are minor... by Anonymous Coward · · Score: 2, Informative

      For a nice, opensource windows client :-

      http://www.chiark.greenend.org.uk/~sgtatham/putt y/

  4. Features by MadCamel · · Score: 1

    Commercial SSH is open source, always has been from version 1, just under a propritary liscence. IMHO, commercial SSH3 just plain rocks. It has nice GUI features, and lots of other functionality that OpenSSH does not have. If your company has money to spend, Commercial SSH is the way to go.

    1. Re:Features by rdieter · · Score: 1
      It has nice GUI features, and lots of other functionality that OpenSSH does not have... Commercial SSH is the way to go.
      Could you please elaborate? What nice GUI features? What other functionality? I, for one, wouldn't want to base my desision on which ssh to use such unsubstantiated/undetailed claims.
    2. Re:Features by cymen · · Score: 1

      He's gotta be talking about a Putty like client for Windows or something... Why would you want graphical SSH under *nix? Or he could be full of something ;).

    3. Re:Features by nsushkin · · Score: 2, Informative

      Van Dyke Secure CRT is a really good GUI that support SSH2 with the most advanced encryption and authentication schemes (AES). My favourite features are:

      1. Configurable defeat of idle disconnect
      2. Configurable word delimiter for cut and paste
      3. Use Alt as Meta key for emacs.
      4. Can disable scroll-to-bottom on output.
      5. Supports OpenSSH private key format (allegedly in new versions, haven't checked)
      6. Login scripting

      You can probably implement all those features when you use OpenSSH via an Xterm, but it would take you days to research Xwindow configuration and expect scripting language.

      The only feature that command line SSH (OpenSSH and the commercial ssh.fi ssh) has is the ability to forward authentication using ssh-agent.

    4. Re:Features by lscotte · · Score: 3, Informative

      I used to be a big Secure-CRT fan, but the latest releases of Putty provide about everything Secure-CRT does, and for about $90 cheaper.

      I've found Putty interoperates better with OpenSSH 3.0 than Secure-CRT - at least versus SCRT version 3.1. This may be better in 3.4, but Van Dyke wants upgrade fees, so...

      I also have a problem with the way Van Dyke forces you to pay upgrade fees - The 3.1 version I purchased from them won't even install anymore, it says it has expired. It's OK to charge for software upgrades, but it's wrong to disallow use of older versions!

      Free for non-commercial use, the Windows ssh client at ssh.com is pretty decent and polished.

      And there's always TeraTerm Pro. It used to be better than Putty, but recent builds of Putty have turned that around, IMHO. I believe TT supports only SSH1, and not SSH2.

      As an example, recent Putty versions support port forwarding, SSH2 DSA keys, and agent forwarding. And as always, it has a very small footprint.

      Lastly, iXplorer is a nice Windows GUI dropped on top of pscp/plink for secure (SCP) file transfers.

      --
      This post is licensed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License.
    5. Re:Features by Anonymous Coward · · Score: 0

      Finding cracks for SecureCRT is trivial.

    6. Re:Features by Cow4263 · · Score: 1

      I believe he is refering to some sort of graphical config tool for SSH, not the actual client side connection.

    7. Re:Features by cdh · · Score: 1

      I've had major problems with i-explorer, as in not being able to change directories on the remote side. It also hangs my machine repeatedly (Win98).
      I've talked to other people who have experienced this too. I had one version (about a year+ ago) work fine, but none of the new ones have worked for me.

      However, I have recently found WinSCP and it works great! More configurable than i-explorer, much more intuitive UI (configurable: Windows Explorer like or Norton Command like). Freeware too. It doesn't even "install", it's just one executable, no spyware, funky registry keys, etc. Very nice.

    8. Re:Features by MadCamel · · Score: 1

      Nah. Check out ssh-agent's X interface some time.

  5. Not too much of a difference by Outland+Traveller · · Score: 1

    This isn't a terribly insightful comment, but the technical differences between commercial ssh and openssh are minor, even trivial.

    If spending money for support and proactive updates is easier for company than having a your current IT staff RTFM and monitor security-related mailing lists, then go with commercial ssh.

    Remember too that in almost all cases openssh and commercial ssh can interoperate. So, you could buy commercial ssh on a few machines until you're confortable with using it, and then implement future installations using openssh.

    -D

  6. OpenSSH is the way to go... by haplo21112 · · Score: 2

    Lower cost
    Peer Audited Code
    If a bug is found its patched nearly same or next day usually
    And I have never been able to get Closed SSH 3.0 to compile on Slackware, mandrake, or Stampede, always dies with weird complier errors.
    OpenSSH works everytime.

    --
    Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
  7. Chroot sftp by m_ilya · · Score: 2, Informative

    Comerical ssh has one good feature which is not supported by openssh. It supports chroot for sftp subsystem. It is not essential feature but still it is nice to have it.

    --

    --
    Ilya Martynov (http://martynov.org/)

  8. SSH crc32 problem by Zule_Boy · · Score: 1

    "Rumored to be in the wild"? I had a box rooted, and then re-rooted 2 weeks ago. Upgrade your SSH, please. I am still having nightmares.

  9. Pro's / Con's by jaymz411 · · Score: 1

    As a server/client running on a unix system, i think openssh is a much better alternative. It is easy to install, configure, and manage. We have been using openssh as a default for over a year now. As a windows client, openssh does not even have an option. you have to find and alternative, and none of them (IMHO) even compare - especially since i couldn't find one that had a decent sftp interface like the commercial version. Just my .02

    1. Re:Pro's / Con's by xbill · · Score: 1

      The cygwin toolkit openssh client on Windows works very well against a unix server.

      It may be a bit of overkill to install all the cygwin tools just to get the openssh support- but
      since I have them installed anyways....

    2. Re:Pro's / Con's by extra88 · · Score: 1
      Network Simplicity makes a Windows installer based on Cygwin and OpenSSH which can makes it about as easy as installing any Windows program. The whole install is less than 4MB.


      http://www.networksimplicity.com/openssh/


      It's primarily for adding sshd as a service but it includes ssh which can be run on the command line.

  10. OpenSSH codebase originates from ssh.com by Anonymous Coward · · Score: 1, Insightful

    One additional point: OpenSSH and the ssh.com SSH (old version 1) come from the same origins.

    OpenSSH is basically a very old ssh.com SSH with some improvements. The SSH technology as we know it wouldn't exist without ssh.com's efforts of developing and standardizing it in the first place. Some might consider that this alone is enough reason for buying the commercial version to support the development of the SSH technology.

    1. Re:OpenSSH codebase originates from ssh.com by puetzk · · Score: 2

      Yes, it originates in the old ssh1 codebase. But everything since then (ssh1.5, ssh2, sftp, lots more that I don't use daily and thus don't remember) in openssh has been developed by the openBSD team in order to have an Free software ssh client.

      They have done their share of work too, and are more than a cheap ripoff of the ssh1 codebase.

      --
      The Matrix is going down for reboot now! Stopping reality: OK. The system is halted.