Slashdot Mirror


SSH and OpenSSH Comparisons?

Colonel Bleep asks: "My company is finally on the road to getting serious about Unix server security. Though there's a lot more to do, the current push is to replace telnet, ftp, rcp and the like with ssh. Problem is, the security team in charge of the transition is composed mostly of Microsoft-trained technicians that hold varying opinions of open source software. Non-team members, such as myself, are kept abreast of developments via email. Input is encouraged. OpenSSH came up during a recent email exchange with the coordinator. It didn't take long for the "isn't proprietary is better?" mantra to rear its ugly head. Though I use OpenSSH at home I found myself at a loss to explain why the corp might want to consider using it over commercial SSH. That's aside from the obvious open source peer review argument, of course. I haven't been able to uncover any direct side-by-side reviews of the two products but I would very much like to pass such a comparison along. What say ye?" Update: 11/14 2:40p EDT by C: Users of SSHv1 may want to take a look at this security bulletin on a potential SSHv1 exploit that is rumored to be in the wild.

1 of 26 comments

  1. Obvious differences by Tet · Score: 4, Informative
    Every line of code in OpenSSH has been security audited, which explains why the commercial ssh has been found vulnerable to a number of attacks, while OpenSSH has (for the most part) been OK.

    OpenSSH will save your company money. This has to be balanced against the lack of a commercial support contract, although I'm sure you could find someone prepared to sell you a support contract for OpenSSH. Where the balance swings depends on your company's priorities.

    OpenSSH gives you peace of mind that the software you're depending on isn't vulnerable to the financial failure of a commercial company.

    Commercial ssh has a few features that aren't yet present in OpenSSH (twofish and IDEA ciphers, for example, or host based authentication).

    --
    "The invisible and the non-existent look very much alike." -- Delos B. McKown