Slashdot Mirror


SSH-Based Solutions - Looking for Industry Proof?

mcwop asks: "My company's IT department is trying to set up secure FTP with a vendor. It would be set up on a Sun box (not running Solaris 9). I emailed suggesting they look at OpenSSH. The response I received stated that they don't like to use freeware, but only consider industry proven and supported software. I have found one commercial version at SSH. What other commercial versions are out there (I know Solaris 9 comes with SSH)? But more importantly, what are some commercial successes? What large organizations are implementing SSH?"

391 comments

  1. Client side by Archangel+Michael · · Score: 3, Informative

    Tera Term on Windows is the best.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    1. Re:Client side by lboxman · · Score: 1

      Of course remembering to use the TTSSH addon program

      --
      Regexes are like cocaine. The first hit is pretty good, but afterwards you try to use them to solve all your problems.
    2. Re:Client side by rjamestaylor · · Score: 1

      I thought so until I found light, fast, easy putty.

      --
      -- @rjamestaylor on Ello
    3. Re:Client side by |<amikaze · · Score: 2, Informative

      or putty. it's a 200k executable and is available on tucows

    4. Re:Client side by Anonymous Coward · · Score: 0

      I agree with the posters who say "putty".

    5. Re:Client side by sql*kitten · · Score: 5, Informative

      Tera Term on Windows is the best.

      It's good, but I've switched to PuTTY, mainly because it can heartbeat an SSH connection with an empty packet every minute to prevent sessions being timed out by over-zealous firewalls - very convenient if you need to monitor several machines.

    6. Re:Client side by Clue4All · · Score: 2, Informative

      Tera Term is most definitely NOT the best Windows SSH client. Besides being less configurable and scriptable than PuTTY, the terminal emulation is often poor, and most importantly, it doesn't support SSH v2 in the SSH add-on. If there's someone between you and your server with a sniffer, SSH v1 is no more secure than telnet, literally. You might as well put a sign up on the side of your house with your password.

      --

      Is your browser retarded?
    7. Re:Client side by bobKali · · Score: 1

      Tera Term's SSH extensions only support protocol 1, while putty supports 1 and 2.

    8. Re:Client side by Rupert · · Score: 2

      I would go back to Putty in a flash if it did port forwarding. Till then, ttssh for me.

      --

      --
      E_NOSIG
    9. Re:Client side by Anonymous Coward · · Score: 0

      Please explain the passive attack against SSHv1.

    10. Re:Client side by warkda+rrior · · Score: 1

      The beta version does port forwarding. And it behaves very nicely (i.e. no crashes or hangups) for a beta.

      --
      You need to install an RTFM interface.
    11. Re:Client side by Anonymous Coward · · Score: 1, Informative

      I think it's time for your heartbeat. Putty supports port forwarding right now. That's how I monitor my web server's control panel from behind a company firewall that only leaves the http, telnet and ftp ports open.

    12. Re:Client side by sjmurdoch · · Score: 2
      I would go back to Putty in a flash if it did port forwarding. Till then, ttssh for me.
      It does, and has done for some time. See the PUTTY documentation for more details.
      --
      Steven Murdoch.
      web: http://www.cl.cam.ac.uk/users/sjm217/
    13. Re:Client side by Anonymous Coward · · Score: 0

      Perhaps you could ask yet another retarded Ask Slashdot about it when the answer is, as always, right under your nose..

    14. Re:Client side by Dg93 · · Score: 1

      putty now does port forwarding. flash away

      --
      --Dg
    15. Re:Client side by Anonymous Coward · · Score: 3, Insightful

      neither of these are commercial products, and both are decidedly less professional than openssh. And as far as I know, are only clients. Vandyke.com has SecureCRT plus secure terminal and FTP servers for windows. Also check out F-Secure from Datafellows.

    16. Re:Client side by cygnusx · · Score: 2

      Yes, the 0.52 beta had port forwarding, and now 0.52 final is out as well.

    17. Re:Client side by _ph1ux_ · · Score: 2

      ya - putty rocks. and is tiny. I am going to frys later to pick up one of those USB keychains to keep putty and other things on it. I always throw putty

      but as far as the article is concerned - your managers are smoking crack if they don't think that openSSH is good enough for them.

    18. Re:Client side by Vairon · · Score: 1

      You're in luck then, because the latest version of Putty does port forwarding. In fact the new Macromedia Dreamweaver MX uses putty to port forward regular ftp traffic securely.

      http://www.chiark.greenend.org.uk/~sgtatham/putty/

    19. Re:Client side by Spacelord · · Score: 1

      Not only the beta version. The 0.52 release does port forwarding quite nicely!

      Here's a download link for the lazy.

    20. Re:Client side by Rupert · · Score: 2
      Thanks to:
      All of whom pointed out that Putty does indeed now do port forwarding. And particular thanks to Simon and the Putty team for making it so.
      --

      --
      E_NOSIG
    21. Re:Client side by Anonymous Coward · · Score: 0

      Sniffing telnet gives you exact passwords in plaintext. Traffic analysis of SSH1 gives you information about the length of passwords. For interactive password entry, it provides possibly useful timing information which -might- allow you to infer key combinations--if the typist is too slow for Nagle's algorithm to kick in.

      Please explain how this is "literally" the same level of insecurity.

    22. Re:Client side by Anonymous Coward · · Score: 0

      Pledge of Allegiance: One nation, under Bob, indivisible, with liberty and justice for all...

    23. Re:Client side by Anonymous Coward · · Score: 0

      Hey:

      What part of the establishment clause don't you understand?

      I don't give a flying fuck about you, your pledge, or your would-be theocrats in Washington. Thanks for playing.

    24. Re:Client side by rjamestaylor · · Score: 1

      You cared enough to fly off and write a response...

      --
      -- @rjamestaylor on Ello
    25. Re:Client side by freaker_TuC · · Score: 1

      I am using the commercial SecureCRT from Vandyke. I have never had any problems with the client and it supports everything an administrator needs...

      It's shareware.. If I only knew how my Ikey 1000 works with SecureCRT ...

      --
      --- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
    26. Re:Client side by Anonymous Coward · · Score: 0

      Jeez, the guy asks for commercial versions of software with support and you recommend TT and PuTTY. Did you guys NOT bother to read what he said? And why the HELL were these non-helpful posts modded up.

      For commercial ssh clients and servers try the SSH corp and SecureCRT.

    27. Re:Client side by DaveBarr · · Score: 1

      This reply should be marked 'Off Topic', since the guy is asking about servers, not clients.

    28. Re:Client side by Anonymous Coward · · Score: 0

      if you had the code, you might be able to figure it out, or ask someone else...as it is, you're stuck with their schedule. Smart move.

    29. Re:Client side by evilviper · · Score: 2

      TT only supports SSH1 (last time I used it) which is generally weaker, (even if there isn't a pending exploit this week)...

      Even though I use Putty on windows machines (and WinSCP2) I don't like putty's interface one bit. I'd use plink (command-line putty) if it would only support all the options of the GUI putty. Right now, I just build OpenSSH under cygwin, and copy the exes and Cygwin dlls to other machines.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    30. Re:Client side by Anonymous Coward · · Score: 0

      Pledge of Allegiance: One nation, indivisible, with liberty and justice for all...

      Separation of church and state and all, dildo.

    31. Re:Client side by severnaGates · · Score: 1

      I think he was talking about Bob from the Church of the SubGenius http://www.subgenius.com

    32. Re:Client side by Anonymous Coward · · Score: 0

      try separating your body from your spirit dildo... can't be done. any fundamentalists like yourself are clearly fools - and are doomed to repeat your cycles in life ad infinitum

    33. Re:Client side by CH-BuG · · Score: 1

      Maybe the parent poster referred to active attacks like the ones you can setup with tools like ettercap...

    34. Re:Client side by Anonymous Coward · · Score: 0

      The liberty and justice for some still stands though.

    35. Re:Client side by rasjani · · Score: 2

      That company is not called Datafellows anymore. They changed the name to F-Secure like a year or two ago at least.

      --
      yush
    36. Re:Client side by ryepup · · Score: 1

      probably because it is odd that your sig is longer than your message, and there is no clear separator, so when first reading your posts, I thought you were just saying that out of the blue. Maybe he didn't get that it was your sig, or maybe the whole issue is such a non-issue that we find it ridiculous to change your sig to state your stance on this meaningless piece of legislation.

    37. Re:Client side by Anonymous Coward · · Score: 0

      last time I checked, Tera Term still didn't support ssh2. Since none of our boxes will accept anything lower than 2, TeraTerm is out.

      It's too bad, since I like some of the features better than Putty.

    38. Re:Client side by ryepup · · Score: 1

      I separated my body from my spirit a couple of months back, and I feel great! A few med students pulled it out of my ear canal. I keep it in a little glass jar on my top shelf.

    39. Re:Client side by rjamestaylor · · Score: 1
      Slashdot provides a clear separator between text and the sig--if you enable it (or is it if you don't disable it?).

      And this "meaningless piece of legislation" is

      1. not legislation, but a court opinion.
        • That so many people accept judicial activism as "legislative process" is bothersome
      2. not meaningless.
        • You may not agree with it, you may not care, but it has definite meaning.
      3. Thanks for your reasonable tone in your response.
      --
      -- @rjamestaylor on Ello
    40. Re:Client side by glitchvern · · Score: 1

      Also PuTTY allows X Window style coping and pasting ... which is totally sweet.

    41. Re:Client side by Anonymous Coward · · Score: 0

      No, you really can monitor an SSH1 session in realtime with an ARP spoofer and a specially modified sshd. Look up "man in the middle attack". Thank you.

    42. Re:Client side by lingon · · Score: 1

      ... which doesn't help a thing if the user doesn't click "yes" on all alerts notifying him/her that the host key has changed.

    43. Re:Client side by HawkingMattress · · Score: 1

      furthermore PuTTY seems to handle emacs very nicely, and has no stupid Windows menu that prevents Alt from working..

  2. Confused by awgy · · Score: 4, Interesting

    Perhaps I'm confused, but isn't OpenSSH a rather well-proven program?

    --
    Kein Mitleid für die Mehrheit.
    1. Re:Confused by MonkeyBot · · Score: 2

      Yes, it is. The confusing part is the fact that a lot of businesses won't use freeware, even when it is as well-tested as SSH!

    2. Re:Confused by adamy · · Score: 1

      Kein Mitleid für die Mehrheit.

      I'd been trying to remember what KMFDM stood for.

      Translation for the Non-Deutsch Enabled:

      No Mercy(Sympathy) for the Majority.

      --
      Open Source Identity Management: FreeIPA.org
    3. Re:Confused by cetan · · Score: 1

      Damn, and I was told KMFDM stood for "Kill Mother-Fucking Depeche Mode."

      Oh the lies!!

      --
      In Soviet Russia...michael would be rotting in Siberia!
    4. Re:Confused by roybadami · · Score: 1

      It's not freeware, it's open source software. There's a difference.

    5. Re:Confused by _Swank · · Score: 1

      kmfdm actually stands for 'kein mehrheit für die mitleid.' kein mitleid für die mehrheit means what you said.

    6. Re:Confused by Anonymous Coward · · Score: 0

      Ahhh.... but now they are MDFMK

    7. Re:Confused by StarOwl · · Score: 1
      If by "proven" you mean a new vulnerability is discovered monthly, then yes, it's quite "well-proven"!

      I thought we already agreed that Windows was well-proven.

    8. Re:Confused by questionlp · · Score: 1

      Unfortunately, not a lot of managers know the difference between Open Source software and Freeware. Also many like to think that Open Source software and Freeware do not include any form of support other than other geeks and that cannot be depended on. I had a manager like that and it really pissed me off. Thankfully, that person is no longer my manager but rather someone who is happy that Open Source software is being used where stability is key.

      If businesses do not use "freeware" (OSS + Freeware) because it isn't proven, then they are hypocrites if they start using Apache. Of course, those managers would most likely opt for Windows + IIS than say Solaris + Apache. Solaris + Covalent Apache would be a compromise.

    9. Re:Confused by afidel · · Score: 1

      The answer is simple, tell them that SUN, you know, the dot in .com is shipping openssh standard with Solaris 9, their newest and most secure version =)

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    10. Re:Confused by questionlp · · Score: 1

      heh... true :)

      So far, Solaris 9 isn't too bad (got it running on a semi-old Ultra 10) and OpenSSH works quite well. I just need to update it to the latest version and start playing around with keys and OTP.

      Though it would go against our current plans, which is to move from the Sun E450 (sorely underused running Solaris 2.6) and a desktop running as a server (FreeBSD 4.1.1) to three 1U servers running FreeBSD 4.6-STABLE (and of course OpenSSH 3.4p1). The reason for the change is we are running out of rack space and we want to standardize on BSD (Linux was an option but since we already had other FreeBSD servers, it would be easier to have a single build of FreeBSD, configure scripts, shell scripts, etc. to focus on).

    11. Re:Confused by RevDobbs · · Score: 2

      Well, if the OpenSSH licence allows it (and I believe it does), write up an invoice & charge your company an arm & two legs for the software, if spending money makes them feel better about the whole situation.

    12. Re:Confused by Anonymous Coward · · Score: 0

      Mod up these trolls. They're making valid points.

    13. Re:Confused by antirename · · Score: 1

      "Desktop running stable as a server" doesn't quite make sense. You've got your business on an out-of-warranty Compaq, or something?

    14. Re:Confused by Anonymous Coward · · Score: 0
      Perhaps I'm confused, but isn't OpenSSH a rather well-proven program?

      In the same way that lego is well-proven in the construction business. At least that's how a lot of companies look at open source development.

    15. Re:Confused by arkanes · · Score: 1

      No, it's "Kill Madonna for Destroying Music"

    16. Re:Confused by questionlp · · Score: 1

      Oops... One of our Unix servers is a Dell desktop that was used to run FreeBSD as a test DNS and Samba server that ended up getting used in our production environment since we couldn't get another server shipped in time. It has been quite stable and it's a backup server to our Sun E450.

  3. freeware? by Anonymous Coward · · Score: 0

    is that accurate?

  4. Good luck... by adam613 · · Score: 4, Insightful

    You're going to be hard-pressed to find a commercial solution which is more widely used (and therefore proven in the industry) than OpenSSH.

    1. Re:Good luck... by Anonymous Coward · · Score: 0

      Eh? New holes are discovered almost every month. There are very good commercial alternatives with LOTS of people working on them to make sure they are secure, even those may have holes but not as many as openssh.

      The costs of licenses can always be discussed, but what is the cost of a break-in? It can drive your whole business to bankruptcy. It's good to be price-knowledgeable but pushing it too far is just stupid.

    2. Re:Good luck... by Anonymous Coward · · Score: 0

      I installed the support Solaris 9 packages on Solaris 8 - no worries mate - works just like a bought one!

    3. Re:Good luck... by Anonymous Coward · · Score: 0

      A lot of OpenSSH code is based off SSH v1 code. And so is most all the other commercial products. And there are not a lot of OpenSSH holes either.

    4. Re:Good luck... by Nailer · · Score: 3, Interesting
      The response I received stated that they don't like to use freeware, but only consider industry proven and supported software

      I agree with the poster above. Since when are these mutually exclusive? That people refer to proprietary software as `commercial' is a fault of their logic. Chances are they are already relying in some way or another on one of the following Open Source applications that are either produced for commercial reasons and have some kind of backing. Oh, did I mention that each of these apps is the market leader in their field?
      • the Bind DNS Server
      • Sendmail
      • Apache
      • Squid
      • WU FTPd (yes, I know it sucks, but it's still the world's most popular FTP)

    5. Re:Good luck... by Anonymous Coward · · Score: 0

      I'd wager that commercial SSH has more security flaws than OpenSSH.

      Just because something is "commercially backed" doesn't mean it's good.

    6. Re:Good luck... by Anonymous Coward · · Score: 0

      ICK.

      your first, second and fifth examples are hardly good cases to use for security and reliability (especially #5).

      BIND: written by drunken, tripping grad students from Berkeley in the 80s, and it shows.

      Sendmail: at least we haven't had a remote root exploit this year. yet.

      wuftpd: who am I kidding, this joke is too easy to bother with.

    7. Re:Good luck... by Anonymous Coward · · Score: 0

      maybe, but if you're connecting to a crappy old 486, ssh.com's server is a helluva lot quicker than openssh...

  5. Silly by rmassa · · Score: 5, Insightful

    Why don't you talk to the openssh team? I'm sure that for some nominal fee you can get extra priority support. OpenSSH is (IMHO) the best ssh implementation out there, and it's from a dedicated team where security supersedes even functionality. The newest version of OpenSSH promises to be very hard to exploit.

    1. Re:Silly by Anonymous Coward · · Score: 0

      Agreed. OpenSSH is the best option out there, but somehow they are blind to it because of prejudice. I say fuck them. Let them pay money through their nose for an inferior product with "support". Hopefully a twin company somewhere is in the same situation but chooses to use "freeware". The marketplace will decide which one was right.

    2. Re:Silly by Camel+Pilot · · Score: 4, Insightful

      All open source (teams|foundations|etc) should have a means with which to accept payment and set a standardized "corporate quality distribution fee" for those who must pay to feel good about the transaction.

      I have run into this snobbish attitude also in my consulting work. I have been told on occasions "sorry son, we only use corporate quality software here". ...ha ha lol... What ever the heck that means! I always try to contain my mirth.

      If when proposing a particular solution I could quickly add that a site licencing fee is only $850 most corporate customers would not even flinch and would somehow feel more comfortable that they are not using some "freeware" or "shareware" product to run their business.

    3. Re:Silly by Anonymous Coward · · Score: 0

      Open-ssh has too few people working on it, they simply don't keep up.

      If security is important to you I would go with ssh communications or f-secure. The cost of a penetration may be huge!

    4. Re:Silly by Anonymous Coward · · Score: 0

      Apparently your cost of penetration was pretty low.

    5. Re:Silly by Anonymous Coward · · Score: 0

      If security supersedes even functionality, allow me to present the most secure SSH implementation EVER:

      int main(void) {
      return 0;
      }

    6. Re:Silly by scaryman · · Score: 1

      the cost of penetration is only 50 euros in amsterdam

    7. Re:Silly by Anonymous Coward · · Score: 0

      The problem with this is that they expect someone to provide support in a timely manner for that money they just paid you. And ultimately if the software doesn't work, they want it to be someone else's problem. Which somewhat explains the basis of those commercial-only policies.

  6. Everyone.. by quadra · · Score: 0, Redundant

    I don't know any unix admins who aren't pushing to replace ftp, telnet, r* with ssh. Sending unencrypted passwords over the net is not good.

  7. Putty.exe is nice for windows clients by Anonymous Coward · · Score: 0

    I really like it.

    http://www.chiark.greenend.org.uk/~sgtatham/putty/

  8. OpenSSH by scorpioX · · Score: 5, Interesting

    Mac OS X (and X Server) ship with OpenSSH. Those are considered commercial OS's. I bet Solaris 9's SSH is also OpenSSH (don't know for sure though). Sounds like your managers have their heads where the sun doesn't shine.

    1. Re:OpenSSH by questionlp · · Score: 5, Informative

      Solaris 9 does use OpenSSH for its "Solaris Secure Shell". They mention it on this page.

    2. Re:OpenSSH by Anonymous Coward · · Score: 0

      Lots of networking equipment vendors - Foundry, Redback - offer default or optional ssh interfaces for management. You could ask their sales people why...

      Thomas

    3. Re:openSSH by Bloem · · Score: 2, Informative

      Even though recently some security issues were found in openssh, it can be regarded as one of the more stable and secure implementations of the ssh protocol.

      Make sure that when openssh is used, it is configured properly.
      e.g.
      - no root login
      - SSH2 instead of SSH1
      - use login with key instead of passwords

      There are more configuration options, please read the man pages for those.

      --
      the use of knowledge is highly overrated
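      A small audit script for the three settings listed in the post above, added here as an example and not code from the thread or from OpenSSH. It assumes the plain "Keyword value" sshd_config syntax (first active occurrence of a keyword wins) and treats an unset keyword as weak, since OpenSSH of this era defaulted to "Protocol 2,1", "PermitRootLogin yes" and "PasswordAuthentication yes"; both config files it inspects are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): audit an sshd_config for
# the hardening points in the post above: protocol 2 only, no root login,
# keys instead of passwords. Assumes "Keyword value" sshd_config syntax.

# sshd_setting FILE KEYWORD -> prints the effective value, or nothing if unset.
sshd_setting() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }                    # skip comments and blank lines
        tolower($1) == tolower(key) { print $2; exit }   # keywords are case-insensitive; first wins
    ' "$1"
}

# check_sshd_config FILE -> one WEAK line per finding on stderr,
# the number of findings on stdout (always returns 0).
# Unset keywords fall back to the permissive defaults of this era (assumption).
check_sshd_config() {
    cfg="$1"
    findings=0

    proto=$(sshd_setting "$cfg" Protocol)
    case "${proto:-2,1}" in
        *1*) echo "WEAK  Protocol=${proto:-<unset>}: SSH1 still offered" >&2
             findings=$((findings + 1)) ;;
    esac

    root=$(sshd_setting "$cfg" PermitRootLogin)
    if [ "${root:-yes}" != "no" ]; then
        echo "WEAK  PermitRootLogin=${root:-<unset>}: direct root login allowed" >&2
        findings=$((findings + 1))
    fi

    pw=$(sshd_setting "$cfg" PasswordAuthentication)
    if [ "${pw:-yes}" != "no" ]; then
        echo "WEAK  PasswordAuthentication=${pw:-<unset>}: passwords accepted, prefer keys" >&2
        findings=$((findings + 1))
    fi

    echo "$findings"
}

# write_samples DIR: writes two constructed configs, weak.conf and hardened.conf.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
# constructed sample: a permissive sshd_config of the period
Port 22
Protocol 2,1
permitrootlogin yes
# PasswordAuthentication left unset -> permissive default applies
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed sample: the settings the post recommends
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF
}

# Stand-alone demo: weak.conf yields 3 findings, hardened.conf yields 0.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in weak hardened; do
    n=$(check_sshd_config "$demo_dir/$f.conf")
    echo "$f.conf: $n finding(s)"
done
rm -rf "$demo_dir"
```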
    4. Re:openSSH by philovivero · · Score: 1
      Almost any provider of IT services or network services uses it, unless they have no *nix boxes at all and provide no services on anything other than a windows platform.

      Actually, you're a little wrong there. At a Windows shop I worked at, I installed Cygwin with OpenSSH and installed SSH as a Windows service.

      You could then SSH to the Windows box with all the other benefits of SSH you'd expect.

    5. Re:openSSH by Anonymous Coward · · Score: 0

      "You'd be hard pressed to find a fortune 500 company that isn't using it somewhere"

      Really? That's just scary! Lots of security holes!

    6. Re:OpenSSH by Anonymous Coward · · Score: 0

      God, you're a tool. It's obvious you've never worked in the real world. The poster already said his boss had given him a requirement that they not use free tools. You're telling him to argue with his boss who has already made up his mind. That's a great way to get fired.

      "But I would never work for a company who blah blah blah". That's easy to say when you're still living in your mom's basement.

    7. Re:openSSH by MattW · · Score: 2

      I wasn't saying an all-windows shop would not use it, only that a shop that is not all-windows will almost certainly be using it. I had a colleague port the original ssh 1.2.x source to cygwin back before openssh existed (at least, before I heard of it, but I think it was before the project had a stable release). Certainly, it could be a great thing for windows, but most corporate types seem to prefer PCAnywhere or something that lets them play with their GUIs.

    8. Re:openSSH by Anonymous Coward · · Score: 0

      You could then SSH to the Windows box with all the other benefits of SSH you'd expect.

      You can tunnel back your display to your local windows box?
      i.e. Run an app on the remote machine, and have it displayed locally...

    9. Re:openSSH by mabinogi · · Score: 1

      Yes you can, if it's an X program...

      --
      Advanced users are users too!
    10. Re:openSSH by Anonymous Coward · · Score: 0

      but most corporate types seem to prefer PCAnywhere or something that lets them play with their GUIs

      To be fair, until very recently, you couldn't do many worthwhile tasks from the command line. SSH is quite limited for such Windows machines, since there's no easy way, for example, to edit the registry, or configure anything with a GUI interface.

    11. Re:openSSH by Sojourn7 · · Score: 1

      Sure, with VNC.

    12. Re:OpenSSH by hendridm · · Score: 1

      > Sounds like your managers have their heads where the sun doesn't shine.

      But I'm sure introducing a Mac OS X server in their IT department won't cause any problems...

    13. Re:openSSH by fishbowl · · Score: 2

      >use login with key instead of passwords

      This is harder than it should be, to convince semitechnical people that it is more secure, or secure at all.

      It's very, very hard for some people to get their brain around key-based authentication, or the concept that a password scheme could be weaker.

      --
      -fb Everything not expressly forbidden is now mandatory.
    14. Re:OpenSSH by asv108 · · Score: 2

      Too bad Mac OSX server only runs on Mac hardware.

    15. Re:openSSH by Anonymous Coward · · Score: 0

      Heh. You're funny. Really. Anyone who takes security seriously uses OpenSSH because they actually respond to security issues.

    16. Re:OpenSSH by Anonymous Coward · · Score: 0

      The guy asked for IDEAS and he is getting just that.
      Spare us your ego please. Welcome to slashdot.
      -
      Working in the real world requires dealing with ideas
      and people that you don't agree with. true.
      Compromise until you bleed. true.
      Coming to slashdot and whining about open source and
      someone is going to call you a fucking moron. VERY
      true.

    17. Re:OpenSSH by ExtremeSims · · Score: 1

      "The poster already said his boss had given him a requirement that they not use free tools. You're telling him to argue with his boss who has already made up his mind. That's a great way to get fired."

      If you are working for a boss that does not allow you to put forth a BUSINESS model of why the company should move forward with something that will meet mission requirements and save money, you need to go to that manager's boss. If that's the company's vision as a whole, it's time to move on. Anywhere they enforce status quo, regardless of business reasons, and stifle creativity in building the business, is going to fail, or bleed itself to death.

    18. Re:openSSH by sokoloff · · Score: 1

      So, use SSH to tunnel VNC and you can operate your windows box like you were sitting at it.

    19. Re:openSSH by matts.nu · · Score: 1

      >use login with key instead of passwords

      This is not necessarily more secure. The server admin cannot easily force users to use good pass phrases on their private keys. And if the encrypted private key gets stolen then the thief can brute force the pass phrase offline.

      The best security is a private key on a smart card, and users who will report the loss of the card immediately.

    20. Re:openSSH by Anonymous Coward · · Score: 0

      Good point - I forgot about that aspect of SSH. I have a mental picture of a glorified telnet server.

      MUST... ABOLISH... BAD... MENTAL... IMAGE

    21. Re:openSSH by bcaulf · · Score: 1

      Exactly. It's not secure telnet, it's the secure r* suite: rsh (both interactive and single command), rcp, and throw in port forwarding for good measure.

  9. What? by Anonymous Coward · · Score: 0

    Explain to them that it isn't freeware, it's Free Software.

  10. Been there, done that by bee · · Score: 5, Insightful

    In 1994, I took a job at a bank in Oklahoma. My boss at the time had the attitude "We're a bank, we pay for software".

    Then I showed him screen. Suddenly the light went on in his head-- "Hey, I don't have to use 2 phone lines and 2 modems to get 2 shells at work!" To him, it was the greatest thing since sliced bread.

    After that, he didn't have any problems letting me install emacs. :-)

    --
    At least mafia-owned pizzerias make excellent pizza. Compare to Bill Gates.
    1. Re:Been there, done that by Anonymous Coward · · Score: 2, Funny

      I would have fired you for installing Emacs.

    2. Re:Been there, done that by Nightpaw · · Score: 2, Funny

      I would have fired you for installing Emacs.

      Yeah, when is that thing going to achieve sentience?

    3. Re:Been there, done that by Wanker · · Score: 3, Funny
      I would have fired you for installing Emacs.
      Yeah, when is that thing going to achieve sentience?

      Sssh! You'll make it angry!

    4. Re:Been there, done that by |<amikaze · · Score: 1

      PuTTY is one of the best Windows SSH clients I have ever used!

    5. Re:Been there, done that by BeagleBoi · · Score: 1

      > Sssh! You'll make it angry!
      ^^^^^

      That would be the Silent Secure Shell?

    6. Re:Been there, done that by zmooc · · Score: 2

      500K? That's quite a lot. You should have started a company to resell OpenSSH. You'd be rich by now. And you could also send the OpenSSH guys some money.

      --
      0x or or snor perron?!
  11. first look at solutions... by Anonymous Coward · · Score: 0

    if it's a vendor that can be replaced... I would see if you can start looking, and let this vendor know you are looking at their competitors BECAUSE they refuse to use tools that work. Many MANY big companies use Open source.. (My company has in the Computer use policies that you are to see free alternatives FIRST before you purchase software)

    Any vendor that refuses to use a proven OSS server/package needs to be educated that they will start to lose customers because of outdated policies.

  12. some me one that's not.. by jspectre · · Score: 2, Funny

    so we can 0wn them. ;-)

    seriously, any unix admin worth their paycheck isn't using insecure telnet or ftp.. i sure know i'm not. (and i don't get paid enough)

    --

    abcdefghijklmnopqrstuvwxyz

    1. Re:some me one that's not.. by Anonymous Coward · · Score: 0

      And 70% will rip what's nailed down and run off with it.

    2. Re:some me one that's not.. by tunah · · Score: 2

      I hear this a lot, that you should never under any circumstances run telnetd. If it's firewalled off so it's only accessible inside a trusted network (my network at home) is there any security issue (eg if an attacker gets into one machine could they use telnet to exploit another)

      --
      Free Java games for your phone: Tontie, Sokoban
    3. Re:some me one that's not.. by jspectre · · Score: 2, Insightful

      the problem with telnetd is that user IDs and passwords are sent in clear text. anyone with a sniffer on your network will be reading them as easily as reading the newspaper.

      firewalled off or not why take the risk? ssh does everything telnet does and more (like X and port forwarding, file transfers with scp). everything that goes through is encrypted.

      the risk goes up even further if you're happily using an unencrypted network at home, behind a firewall. anyone sitting outside your house can watch you telnet from box to box! even encrypted 802.11b transmissions can be broken with time.

      why take any chances when protection is so simple? it's also good to simply practice safe computing.

      --

      abcdefghijklmnopqrstuvwxyz

    4. Re:some me one that's not.. by jspectre · · Score: 1

      correction! i should have said:

      the risk goes up even further if you're happily using an unencrypted wireless network at home, behind a firewall. anyone sitting outside your house can watch you telnet from box to box! even encrypted 802.11b transmissions can be broken with time.

      --

      abcdefghijklmnopqrstuvwxyz

    5. Re:some me one that's not.. by Anonymous Coward · · Score: 0

      Your internal network is only as secure as all the other machines on it. Just the added benefit of compression, RSA keys, X11 and misc. port forwarding capabilities alone make it better to use than telnet on a private LAN. Turn off your FTP server too and use scp.

    6. Re:some me one that's not.. by sql*kitten · · Score: 2

      seriously, any unix admin worth their paycheck isn't using unsecure telnet or ftp..

      If management seriously don't want to use OpenSSH, then have them go for regular telnet and ftp over a Cisco VPN. Problem solved. (Note that I didn't say S/WAN 'cos that might be free too).

  13. openSSH by MattW · · Score: 5, Insightful

    OpenSSH is far more widely used than any commercial variant. You'd be hard pressed to find a fortune 500 company that isn't using it somewhere. Almost any provider of IT services or network services uses it, unless they have no *nix boxes at all and provide no services on anything other than a windows platform. Try a quick survey of network security companies and ask how they do remote access/filetransfer -- no matter how big, scp/ssh will be the answer, and it will be openssh for a majority of them.

  14. Ssh communications. by Anonymous Coward · · Score: 4, Informative

    Most businesses goes with SSH communications, www.ssh.com. They also have a low-memory-fotprint version, ipsec, tunneling software and some other stuff.

    1. Re:Ssh communications. by wilhelm · · Score: 1

      Not to mention the fact that you can do chroot-sftp with SSH Communications' software, where you can't with OpenSSH. It's quite trivial to set up, about as hard as chroot-ftp (i.e. not hard at all).

    2. Re:Ssh communications. by pmsr · · Score: 1

      That one is sad to know. I have been looking like crazy for a way to do it with openssh, chroot scp, and give public access to it. I need some secure ftp access, and that seemed the ideal.

      /Pedro

    3. Re:Ssh communications. by dossen · · Score: 1

      I'm just thinking out loud here, but couldn't one just start a second sshd in a chroot-jail, with whatever, minimal, environment is needed and the stuff to be shared mounted in using loopback/--bind, read-only? Then fix the config for this particular sshd to only allow whatever access you wish. Of course it will be running on a non-default port, or your real sshd will...

    4. Re:Ssh communications. by BJH · · Score: 1

      I believe that at one point there were patches that allowed chroot-sftp under OpenSSH, but because they were never in sync with the latest version, they're no longer maintained.

    5. Re:Ssh communications. by alsta · · Score: 3, Informative

      Well, Solaris 9 has an SSH implementation which in fact is OpenSSH. They've modified a few things though, such as the reported version string:

      Escape character is '^]'.
      SSH-2.0-Sun_SSH_1.0
      ^]
      telnet>q

      Everything else (config files, library dependencies etc.) speaks of OpenSSH so much that there is no other possible option. Sun probably took OpenSSH and modified a few things and released it as their own, as they are allowed to by the BSD license.

      These configure options should get you an identical setup to that of the layout on Solaris 9:

      CC=cc \
      CFLAGS="-g -I/tmp/foo/include" \
      LDFLAGS="-L/tmp/foo/lib -R/tmp/foo/lib" \
      ./configure \
      --prefix=/tmp/foo \
      --bindir=/usr/bin \
      --sbindir=/usr/lib/ssh \
      --localstatedir=/var/run \
      --libdir=/usr/lib \
      --includedir=/usr/include \
      --mandir=/usr/share/man \
      --with-ssl-dir=/tmp/foo \
      --sysconfdir=/etc/ssh \
      --libexecdir=/usr/lib/ssh \
      --datadir=/usr/lib/ssh \
      --with-pid-dir=/var/run \
      --with-prngd-socket=/var/run/prng-socket \
      --with-zlib=/tmp/foo \
      --disable-wtmp \
      --disable-utmp

      The $CC variable is to build with Sun Forte, substitute with gcc as you please. Note the LDFLAGS and CFLAGS though. This configure expects to find zlib and openssl headers in /tmp/foo/include and _static_ libraries in /tmp/foo/lib. Don't dynamically link with anything unless it's available on the system itself when it comes to Solaris. You'll introduce nasty inter-dependencies which you'll regret in the long run. Trust me, installing shared libraries on 500 machines isn't that fun.

      --
      Wealth is the product of man's capacity to think. -Ayn Rand
    6. Re:Ssh communications. by Demerara · · Score: 1

      They also have a low-memory-fotprint version

      So, tell me, just how little memory does the average fot use these days?

      --
      Backward%20compatibility%20is%20over-rated
    7. Re:Ssh communications. by Anonymous Coward · · Score: 0

      The Sun version works around issues with BSM and auditd on Solaris 8+ (Obviously since it comes with 9), plain vanilla openSSH will require you to use the "useLogin" directive, else editing a crontab will stop it from working.

      Unless Sun contributed their patches that is.

  15. ssh is a for profit company by mqy · · Score: 0, Redundant

    So if you really want to you can pay for it.
    ssh.com

  16. F-Secure, SSH, or OpenSSH by edyu · · Score: 5, Informative

    Both SSH (Company) and F-Secure sell commercial products of SSH. But maybe if you word it differently, your management should accept OpenSSH since it is being used by many companies. My company (a smaller 100+ person) uses OpenSSH extensively.

    1. Re:F-Secure, SSH, or OpenSSH by rasjani · · Score: 2

      True, although SSH is the company who makes it, F-Secure have only licensed the product to sell it. They even had huge fights here in Finland (where both companies are from) over that licensing issue...

      --
      yush
  17. Well proven? by k98sven · · Score: 1, Interesting

    I'd point them to the Netcraft survey.

    More than half the sites with SSH are using OpenSSH.. Tell them to go get a clue instead.

    1. Re:Well proven? by ddstreet · · Score: 2, Informative
      What survey are you talking about? The Secure Server Survey? That's not SSH...

      If you really mean a SSH (not SSL) survey, by Netcraft, I don't know about it and can't find it on their website...where is it?

    2. Re:Well proven? by bolverk · · Score: 3, Informative

      You mean the "very similar to the Netcraft Web Server Survey" done by the OpenSSH people?

      Couldn't find anything at Netcraft, so I assumed this is what you were talking about.

  18. Did you think at all? by SquadBoy · · Score: 5, Interesting

    http://www.openssh.org/users.html

    Also Nokia's IPSO (on their Checkpoint based firewalls) uses openssh.
    As you can see Sun uses it. Good enough. I thought so.

    --

    Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
    1. Re:Did you think at all? by umjaja96 · · Score: 1
      Actually, last time I checked Nokia was using F-Secure's SSH, not OpenSSH.

      http://www.nokia.com/securitysolutions/management/ssh.html

      --
      This sig for rent.
    2. Re:Did you think at all? by SquadBoy · · Score: 1

      I stand corrected; I thought the server side was OpenSSH. But the rest of the post stands: IBM, HP, Sun. Many major players use OpenSSH. Thanks.

      --

      Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
    3. Re:Did you think at all? by SquadBoy · · Score: 1

      Also Cisco has *really* good things to say about OpenSSH.

      --

      Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
    4. Re:Did you think at all? by Anonymous Coward · · Score: 0

      Really? Then ask them when their equip will support V2.

  19. Data Fellows... by Helmholtz+Coil · · Score: 4, Informative

    ...has a version of SSH available for Unices, Windows, Macs, even the Nokia 200. Don't know how good it is, but they've got a fair amount of info on the site.

    1. Re:Data Fellows... by veeoh · · Score: 1

      They are not called datafellows, and have not been so for a few years, catch up with the times man - they are now F-Secure

  20. F-Secure SSH by Medieval · · Score: 5, Informative

    F-Secure makes a rather kick-ass line of SSH products. We use them in production here (major tire manufacturer), and it is FIPS 140-1 compliant. The client-side portion is pretty schweeeeeeet (esp the Windows client), even if you don't use the server portion.

    http://www.f-secure.com/products/ssh/

    List of platforms:

    Server
    All major Unix platforms; Solaris, Linux, HP-UX, AIX, BSD
    Windows 2000, Windows NT 4.0

    Client
    All major Unix platforms; Solaris, Linux, HP-UX, AIX, BSD
    Windows XP
    Windows 2000
    Windows NT 4.0
    Windows 95
    Windows 98
    Windows ME
    MacOS
    Nokia 9200 Series Communicators

    1. Re:F-Secure SSH by Anonymous Coward · · Score: 2, Informative

      We used f-secure on half our DNS caching servers. When our NOC started migrating to Linux workstations, scp (secure copy) would not work from the workstation to DNS server. Apparently it was an underlying f-secure issue using SSH-1 or something (their statements, many e-mails). Anyway, for this *paid* support, we received little help on some type of resolution.
      OUR SOLUTION....We scrapped f-secure and went OpenSSH (BSD version anyway). We've been very happy, and have saved thousands of $$ in maintenance fees. Example: The recently posted problem with SSH had a newsgroup workaround posted within the same day. I tested the workaround and upgraded our machines by that evening. Anyway, that's truly....schweeeeeet!

    2. Re:F-Secure SSH by HeUnique · · Score: 2

      hmm...

      I wish there was a client for Nokia 9110 that doesn't cost a fortune...

      --
      Hetz (Heunique)
    3. Re:F-Secure SSH by gengee · · Score: 2

      The 9110 supports Java, doesn't it? There are a couple open source SSH Java implementations floating around..

      --
      - James
    4. Re:F-Secure SSH by xSterbenx · · Score: 1

      We use f-secure on our workstations to connect to both a server running AIX and one running Solaris 8. Both of these are running OpenSSH. However, with f-secure s-ftp it never transfers text files properly from a windows environment to a unix (the end of line character), while secure-ssh does. With respect to this, unless I've missed a setting somewhere, I would prefer secure-ssh for sftp.

    5. Re:F-Secure SSH by Medieval · · Score: 1

      I've never had a problem with CR/LF; the settings I've changed in our environment (F-Sec SSH 2.something on Sol 2.6 and 3.something on Sol 8) would not affect this...

    6. Re:F-Secure SSH by Anonymous Coward · · Score: 0

      Another excellent (and free) Windows client is PuTTY

    7. Re:F-Secure SSH by Anonymous Coward · · Score: 0

      F-Secure doesn't make anything. They've been leeching off SSH Communications Security for years.

      It's the EXACT same product. Get a clue people

    8. Re:F-Secure SSH by doomicon · · Score: 1

      I am currently rolling out F-Secure Client and Server within our environment here at Verizon. It's a great product, and from previous poster you can see it is supported on numerous platforms. Highly recommended and great product.
      Btw, the support is pretty damn good too.

      --

      Awesome!
    9. Re:F-Secure SSH by Anonymous Coward · · Score: 0

      When our NOC started migrating to Linux workstations, scp (secure copy) would not work from the workstation to DNS server. Apparently was an underlying f-secure issue using SSH-1 or something (their statements, many e-mails).

      Actually, this is a known issue with OpenSSH.

      The scp shipped with OpenSSH isn't compatible with anyone else's version. IIRC, the response from the OpenSSH team when someone asked was "we don't care, but you can work around it by using SFTP instead"

  21. F-Secure by og_sh0x · · Score: 1

    One of our software vendors recommended the use of F-Secure for their support dept. to get a remote connection to our AIX-based accounting system. We replied and asked them why we can't use OpenSSH, since f-secure's license is about $500. They replied they'll look into it, but it's not a high priority. Since SSH is a standard protocol, couldn't we just use OpenSSH despite whatever implementation of SSH they're using on their end? I know my boss doesn't care, his favorite phrase is, "We like free." (But we use Windows NT for everything but our accounting system... Go fig.)

    1. Re:F-Secure by rjamestaylor · · Score: 1
      • But we use Windows NT for everything but our accounting system
      So, what do you use for your accounting system?
      --
      -- @rjamestaylor on Ello
    2. Re:F-Secure by Anonymous Coward · · Score: 0

      One of our software vendors recommended the use of F-Secure [f-secure.com] for their support dept. to get a remote connection to our AIX-based accounting system

      hmmmmmmmmm..... AIX

    3. Re:F-Secure by rjamestaylor · · Score: 1

      never did well on those reading comprehension thingies

      --
      -- @rjamestaylor on Ello
  22. ssh use at a large (now defunct) company by euph0436 · · Score: 1

    we used ssh on all servers at excite@home.

    --
    gnab.net [ click less, spank more ]
    1. Re:ssh use at a large (now defunct) company by Anonymous Coward · · Score: 0

      were you with the matchlogic part of excite@home ?

    2. Re:ssh use at a large (now defunct) company by euph0436 · · Score: 1

      no

      --
      gnab.net [ click less, spank more ]
  23. don't tell them it's freeware by Triumph+The+Insult+C · · Score: 2, Funny

    in fact, have them buy the cd. that'll lend some weight to your argument

    https://https.openbsd.org/cgi-bin/order

    besides, it's the right thing to do. =)

    -Triumph

    --
    vodka, straight up, thank you!
    1. Re:don't tell them it's freeware by Anonymous Coward · · Score: 0

      You should suggest to the company to get a NEW IT department (preferably monkeys, as they will provide the same support that these guys are obviously doing at half the cost). What are these guys running on sun hardware that's not solaris? is there a *commercial* alternative to solaris for sun hardware (I am totally out of the loop on suns hardware, sorry)?

      These guys really shouldn't be setting up your servers and whatnot if they (don't know anything about/will not consider) OpenSSH.

  24. Other thoughts by tsetem · · Score: 3, Insightful

    Not sure what the requirements are, but if you are looking for secure access, you may want to consider a web-based file repository with an SSL front-end on it. You could have your choice of Apache & mod_ssl, or Stronghold (Apache derivative)

    If using OpenSSH is questionable, using the #1 webserver shouldn't be. If Apache isn't proven or reliable in their eyes, then you have a really tough uphill battle.

  25. F-Secure Commercial sshd for Solaris by uglyhead69 · · Score: 1

    We use OpenSSH and F-Secure ssh daemons on Solaris 7 and 8. It's easy to use, and we've never had a successful penetration. Their url is: http://www.fsecure.com

    1. Re:F-Secure Commercial sshd for Solaris by Anonymous Coward · · Score: 0

      How do you know for sure?

  26. perhaps by Anonymous Coward · · Score: 0

    Perhaps you should assassinate the ignorant heads of your IT department - attrition will ensure that eventually Someone with a clue will rise to the top .. hopefully someone that pays attention to the real world and not what some trade-rag has to say about the state of technology. Tho I can't name where I work, about 3 years ago we adopted NT at the recommendation of our then-head of IT. That person has since left in a blaze of idiocy, and his ranking minions followed suit not long after. Now we're stuck with a mess of poop.

    poop.

    1. Re:perhaps by Anonymous Coward · · Score: 0

      Yea but look at how much lower your TCO is now that you are running a microsoft product.
      Yea but look at the level of integration you now have between the front-end and the back-end.
      Yea but look at the quality of product you are getting from a reliable vendor.
      -
      Sorry I just wanted to step in and astroturf your silly butt.

  27. Been there, done that by gr8fulnded · · Score: 5, Interesting

    I had the exact same situation about 6 months ago. I won, sorta. I simply said our industry is going through hard times right now and using OpenSSH will save you $500k in licensing fees.

    We ended up compromising. They wanted vendor software, I wanted free. For the mission critical systems, we chose FSecure (fsecure.com) and for the high-importance and below (to include desktops), we went with OpenSSH.

    Worked out well. With FSecure we also purchased Windows clients for the developers and if anything ever happened, they had the support they were looking for with the vendor software. With everything else, OpenSSH did the job along with PuTTY on the peasants' computers.

  28. Re:pricks!! by Anonymous Coward · · Score: 0

    Despite what seems to be the common idea here on slashdot, most businesses want products that have a company backing them.

  29. SSH Is Proven by skinney · · Score: 2, Interesting

    I am shocked that people think that SSH (OpenSSH) is not an industry standard. Here is a good client for windows. And of course you can get the server for free here.

    ~Shane

  30. Bad week to ask... by Anonymous Coward · · Score: 1, Insightful

    For all the benefits of using SSH, you're not likely to get a huge response of "Oh yes, I'm with Company X and we love it here", particularly right now. First, those who use it are security conscious, and we don't like others knowing our defenses. Second, there was a rather serious bug announced about some versions of OpenSSH that, when configured and compiled in a certain way, would grant root access remotely. Given the timing of your question, it would seem to the, um, overtly paranoid, that this was a troll for vulnerable hosts.

    Having said that, you really should press forward with your process. The idea of using unencrypted protocols is going the way of the buggy whip. While I won't reveal where I work, I will say that I am working vigorously here to eliminate any use of a protocol which passes userids and passwords in cleartext. Period.

    1. Re:Bad week to ask... by Anonymous Coward · · Score: 0

      The OpenSSH team has released (as of 26 June) version 3.4 of OpenSSH which fixes this bug. (See http://www.openssh.org/txt/preauth.adv)

  31. SSH for secure file transfers by bastion_xx · · Score: 2, Informative

    Our company had similar requirements:

    1) Encrypted file transfer
    2) User authentication
    3) chroot jail environment

    After initially looking at F-Secure's ssh server for Windows to match the system standards, we found out that certain SSH subsystems (namely sftp) were not 100% compatible with all clients. I'd put the openssh code up against commercial offerings if you can spend a little bit of time configuring.

    In the end we waived standards and used Linux, openssh+openssl+ldap. It did require patching the sftp subsystem for chroot access that was obtained off of the openssh mailing list. This does require a suid executable, but since our customers are [semi] trusted, the risk of them smashing the stack is manageable.

    Customers can now sftp or scp in and are rooted to the ~username directory. At present, implementation has been as easy as our dedicated line FTP customers. Ironically, we recommend commercial SSH clients...
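    The chroot-sftp setups discussed in this thread (a second chrooted sshd, out-of-tree patches, a suid helper) predate a feature stock OpenSSH has carried since 4.9: ChrootDirectory with the in-process internal-sftp subsystem. The block below is an added example, not code from any poster or vendor; it shows such a configuration and a checker that applies the same ownership and mode rules sshd enforces on the chroot path. The group name sftponly and the path /srv/sftp are assumptions.

```python
"""sftp-only chroot with stock OpenSSH (added example; not from the thread).

The sshd_config fragment uses ChrootDirectory plus the in-process
internal-sftp subsystem, so no suid helper or out-of-tree patch is needed.
sshd refuses to chroot unless every path component down to the target is a
directory owned by root and not writable by group or others (it logs
"bad ownership or modes for chroot directory" and disconnects the user);
chroot_dir_findings() reproduces that check so an admin can verify a tree
before rolling it out. Group name "sftponly" and /srv/sftp are assumptions.
"""
import os
import stat
import tempfile

# Constructed sshd_config fragment. %u expands to the logging-in user name.
# Only a subdirectory inside the jail (e.g. /srv/sftp/alice/upload) should be
# writable by the user; the jail root itself must stay root-owned, mode 0755.
SFTP_CHROOT_CONFIG = """\
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
"""


def _path_components(path):
    """Return '/', '/srv', '/srv/sftp', ... down to the target, in order."""
    cur = os.path.abspath(path)
    parts = []
    while True:
        parts.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    return list(reversed(parts))


def chroot_dir_findings(path):
    """Return (component, problem) pairs for everything sshd would reject.

    Mirrors sshd's per-component test on a ChrootDirectory value: each
    component must exist, be a directory, be owned by uid 0, and have no
    group or other write bits. Symlinks are followed, as sshd's stat() does.
    """
    findings = []
    for comp in _path_components(path):
        try:
            st = os.stat(comp)
        except FileNotFoundError:
            findings.append((comp, "does not exist"))
            break  # nothing below this point can be checked
        if not stat.S_ISDIR(st.st_mode):
            findings.append((comp, "not a directory"))
        if st.st_uid != 0:
            findings.append((comp, "not owned by root (uid %d)" % st.st_uid))
        if st.st_mode & stat.S_IWGRP:
            findings.append((comp, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((comp, "world-writable"))
    return findings


def findings_for_mode(mode):
    """Create a throwaway directory with the given mode and return the problems
    reported for that final component only (parents such as /tmp vary by host).
    """
    d = tempfile.mkdtemp()
    try:
        os.chmod(d, mode)
        target = os.path.abspath(d)
        return [p for comp, p in chroot_dir_findings(d) if comp == target]
    finally:
        os.chmod(d, 0o700)
        os.rmdir(d)


if __name__ == "__main__":
    print(SFTP_CHROOT_CONFIG)
    for comp, problem in chroot_dir_findings("/srv/sftp/example"):  # assumed path
        print("%s: %s" % (comp, problem))
    print("mode 0775 ->", findings_for_mode(0o775))
    print("mode 0755 ->", findings_for_mode(0o755))
```

Run the checker as root against the real ChrootDirectory value before restarting sshd; a group-writable parent directory is the usual cause of sftp users being disconnected immediately after authenticating.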

  32. Lots of Options by Anonymous Coward · · Score: 3, Informative

    There are several options for commercial SSH vendors. I found myself in a similar position a couple of years ago. I worked at a company that provided 24/7 security support to hundreds of companies, and _had_ to have a commercially supported SSH for both insurance and customer relation purposes. We started out using F-Secure, but the licensing and support was terrible. On top of that we found out that F-Secure simply licensed SSH.com's code and rebranded it. We worked a fantastic deal with ssh.com that allowed us to deploy SSH enterprise wide. On top of the good deal, we found the support to be excellent. At one point we needed some LDAP integration done and SSH.com had it done by the next release. I have also found SSH.com to be better security wise (since they do this to make money) than OpenSSH, check their track record. Anyhow, F-Secure, SSH.com and a couple of other companies offer SSH commercially. Good luck.

    1. Re:Lots of Options by Anonymous Coward · · Score: 0

      >I have also found SSH.com to be better security wise (since they do this to make money)

      Man, linux and open source software is excellent because they do it for pleasure (most of the times) and not forced to get some $$$.

      Your argument isn't valid.

    2. Re:Lots of Options by Anonymous Coward · · Score: 0

      That's ridiculous. No one claimed that linux or other open source software isn't a good thing. The fact remains, ssh.com has a better security track record than OpenSSH does, end of story. Not only that, but _because_ 'they do it for pleasure' fixing a bug isn't always a top priority for Free source developers, paying rent is. Also, don't group opensource and freesource in the same category. Lots of companies now are 'open source', but that doesn't mean you can do as you wish with that source. Get your facts straight.

    3. Re:Lots of Options by Anonymous Coward · · Score: 0

      Dear Mr. Gates,
      I would refer you to a letter written by an official from the Peruvian government that takes your position apart point by point.
      Cheers
      -
      -
      Fixing bugs is not a top priority for the openssh team???? WTF is your problem.
      Shall we look at Microsoft's record of security to see how ridiculous it is to say that money is the driving force behind strong security?
      -Not a good ASSumption.
      YOU are strongly implying that Open Source (free software, free as in beer, free as in ideas) has problems because its 'just a bunch of volunteers farting around in their free time'.

  33. No! by Anonymous Coward · · Score: 0

    It's Ask Slashdot after all!

  34. D'uh! by dsb3 · · Score: 2

    > What large organizations are implementing SSH?

    All of them.

    --

    Slashdot? Oh, I just read it for the articles.
  35. DOH by Anonymous Coward · · Score: 0

    At the Department of Health I contracted with we are using SFTP for all (file) data transfer to and from our integration broker. Data that makes use of other protocols is secured in their respective formats. It works efficiently and robustly.

  36. solution by tps12 · · Score: 1, Funny

    I will sell you TpsSSH for $5000 (site license). It is fully compatible with OpenSSH.

    --

    Karma: Good (despite my invention of the Karma: sig)
  37. OpenSSH by rongage · · Score: 1

    Let's see. Their argument is that freeware stuff isn't secure? Exactly what is their proof of this? They DO have some evidence to back up their claims, don't they?

    How many hundreds (thousands??) of products and devices would they need as proof of security? How many code audits must OpenSSH submit to before it is suddenly (magically) now secure?

    It does not logically follow that having the source code in the public view makes a product insecure. One only need look at Microsoft's Outlook products versus Evolution to see the evidence to shoot that argument down.

    --
    Ron Gage - Westland, MI
  38. OpenSSH _is_ industry-proven. by mesozoic · · Score: 4, Insightful

    OpenSSH is by far the best SSH implementation available; the fact that it's freeware is a horrible reason not to use it. Explain to your employers that for a fee (and probably a smaller fee than most corporations would want) the OpenSSH team would most likely provide your company with expert support and services.

    Don't roll over and allow your firm to adopt a second-rate (and more expensive) security product simply because they don't trust open source. The answer to your problem, as uncomfortable a situation as it may be, is to try to inform the higher-ups of why they're misguided (without losing your job ;D).

    1. Re:OpenSSH _is_ industry-proven. by VValdo · · Score: 2

      Don't roll over and allow your firm to adopt a second-rate (and more expensive) security product simply because they don't trust open source.

      If however, they INSIST on a commercial version, please let me know and I'd be happy to take their money. My soon-to-be-created company will charge per copy precisely their budget divided by the number of copies they want.

      Support is extra, of course. But source is included.

      W

      --
      -------------------
      This is my SIG. There are many like it, but this one is mine.
    2. Re:OpenSSH _is_ industry-proven. by Anonymous Coward · · Score: 0

      ... except for the remote root exploits in the default install.

    3. Re:OpenSSH _is_ industry-proven. by autechre · · Score: 2, Informative


      No, the current version (3.4) of OpenSSH has not only fixed the remote exploit, but also defaults to having privilege separation turned on.

      --
      WMBC freeform/independent online radio.
  39. HPUX has an official OpenSSH-based implementation by Marx_Mrvelous · · Score: 3, Informative

    They have .depot's available for 11.00 and 11i, and they are officially supporting it. That's a commercial OS/backing.

    --

    Moderation: Put your hand inside the puppet head!
  40. Usage Stats by rwash · · Score: 4, Informative


    http://www.openssh.org/usage/index.html

    The OpenSSH team has put together a great page with a number of different usage statistics for SSH.

    1. Re:Usage Stats by kraf · · Score: 2

      "No address or domain specific information will be supplied to anyone outside the project itself, only the conclusions. We will not publish any details of what hosts are running what versions."

      Haha, how convenient.
      OpenSSH leads in a survey conducted by the OpenSSH people.
      Who would have thought...

  41. Re:SSH Is Proven (Update) by skinney · · Score: 1

    Here is the extra link to the parent. SSH Client for Windows
    Whoops ;)

    ~Shane

  42. Kerberos by typedef · · Score: 2, Insightful

    While it would be somewhat more complicated from an administrative and support standpoint to implement, a 'Kerberized' ftp daemon (I believe that one comes with the stock MIT KerberosV distribution) could possibly be a solution to your problem. Kerberos, while technically 'freeware', has been around for quite some time, has existed in several major UNIX distributions, and is used quite extensively in many major organizations. Otherwise, if security is a concern, why not just set up a VPN between the client and your company and have the FTP go through that?

    1. Re:Kerberos by karlm · · Score: 2
      Otherwise, if security is a concern, why not just set up a VPN between the client and your company and have the FTP go through that?

      One compromised machine or one inside operator and the whole house of cards comes crashing down.

      Kerberos is nice IFF you enforce strong passwords. Session integrity is only protected by the password (via string-to-key and encryption of your ticket-granting ticket and associated session key). Kerberos is very susceptible to offline attacks if you have weak passwords.

      --
      Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
  43. OpenSSH vs Commercial SSH by Bagheera · · Score: 5, Insightful

    The company I work for ("a little hardware vendor in the Valley") switched from the Commercial ssh client and server package to OpenSSH for all of our servers. OpenSSH proved more robust and easier to support - not to mention much, much, less expensive. And yes, I'm including the "cost" of our SysAdmin's time and the time of the person who manages distribution of our 'approved' OpenSSH package.

    There really is no reason to use a commercial product unless the management is stuck on the "We need someone to sue if it breaks" business model of software acquisition.

    --
    Never attribute to malice what can as easily be the result of incompetence...
    1. Re:OpenSSH vs Commercial SSH by Anonymous Coward · · Score: 0

      out of curiosity, has anyone managed to sue because the software broke, and more importantly, WON

    2. Re:OpenSSH vs Commercial SSH by _Sprocket_ · · Score: 3, Interesting


      There really is no reason to use a commercial product unless the management is stuck on the "We need someone to sue if it breaks" business model of software acquisition.


      SSH, Inc.'s Windows server offering had much better system integration than any of the Windows OpenSSH projects. Granted - this may no longer be the case (last I looked at this issue was over a year ago).
    3. Re:OpenSSH vs Commercial SSH by Anonymous Coward · · Score: 0

      Really? Have you taken a look at VShell by Van Dyke software? http://www.vandyke.com.

    4. Re:OpenSSH vs Commercial SSH by Anonymous Coward · · Score: 0

      Sue a software company for a bug??
      HA HA HA HA HA
      where is page widening script??

    5. Re:OpenSSH vs Commercial SSH by Anonymous Coward · · Score: 0

      Have you read the EULAs? You can't sue the proprietary vendors either.

      Come to think of it, that would be one way to get through to management, if you don't mind potentially career-limiting moves.

      Requirement: "We need someone to sue if it breaks"

      Microsoft EULA: "... disclaim all warranties, including merchantability ..."

      size of result set: 0

    6. Re:OpenSSH vs Commercial SSH by funky+womble · · Score: 1

      Fwiw, the ssh.com server isn't any more expensive than OpenSSH for (Free|Open|Net)BSD or Linux, as long as you compile it yourself.

    7. Re:OpenSSH vs Commercial SSH by Bagheera · · Score: 2

      As was pointed out, I should have said proprietary, not necessarily commercial - though they are often the same thing. The "free" version of ssh from ssh.com is free only for personal or educational use, unless you're on BSD or Linux. From their website:

      A non-commercial source code version of SSH Secure Shell for Servers is available for Unix and Linux platforms. The non-commercial version can be used for personal hobby/recreational use, by universities, and by charity organizations and public libraries. It can also be freely used for any purpose on the Linux, FreeBSD, NetBSD and OpenBSD operating systems.

      Commercial use (on operating systems other than those listed above) requires the purchase of a license. Also, precompiled binaries and support are only available for commercial licenses.


      It would appear to be free for some applications, but again, there's no compelling reason to use it over OpenSSH unless management wants support - in which case it's a $495 product.

      --
      Never attribute to malice what can as easily be the result of incompetence...
    8. Re:OpenSSH vs Commercial SSH by funky+womble · · Score: 1
      I found it much faster to login to ssh.com's software than OpenSSH on old (486) hardware. And it often improves security to have diversity in software.

      Bit of a niche, admittedly, but still worth mentioning I thought. And it seems some people are under the impression that the ssh.com version still costs money for all commercial use no matter what the OS. (I think that it used to - the license seems to change every so often).

    9. Re:OpenSSH vs Commercial SSH by _Sprocket_ · · Score: 2

      Is VShell based off of OpenSSH? I didn't notice anything that would indicate it. In fact, their FAQ mentions an incompatibility (and deviation from the standard, I think) from the SSH protocol that breaks PuTTY and OpenSSH clients.

  44. Yep, let's not use freeware by unformed · · Score: 3, Funny

    ala FreeBSD, OpenBSD (One remote hole in the default install, in nearly 6 years!), OpenSSH, Apache, etc.

    Instead, let's use proprietary "secure" software, ala Win2000, IIS, etc.

    1. Re:Yep, let's not use freeware by Anonymous Coward · · Score: 0

      Poor confused bastard.

    2. Re:Yep, let's not use freeware by Joutsa · · Score: 1
      FreeBSD default install doesn't have any holes, but that's because it doesn't have any services running. If you plan to actually use the box for something, you must enable services and open potential holes.

      Also, doesn't anybody remember last week's OpenSSH security hole? As far as I know it still isn't fixed. To prove how well the open source bazaar model works, they didn't tell what the problem was but instead told people to upgrade to the newest incomplete version. Which still has the bug.

      A friend (who works at SSH Communications and should know something about the stuff) told me that OpenSSH has also had its share of security problems in the past but they've fixed them quietly whenever they could (not that SSH or F-Secure were all clean).

  45. AOL does, why not you? by Anonymous Coward · · Score: 1, Informative

    We had a partnership with AOL and were setting up a secure file drop probably similar to what you wanted. We started with ssh.fi's commercial server and AOL actually told us they wanted us to use OpenSSH instead. Maybe that would provide some weight to your argument? :-)

    (Posted anonymously for various potential disclosure issues. Sorry.)

    1. Re:AOL does, why not you? by Anonymous Coward · · Score: 0

      AOL said that because they were rooting you :)

  46. All down to marketing . . . . by Aliks · · Score: 1

    Sigh,

    So much software gets shifted because someone is actively pushing it. Not because it's good, useful or well supported but because someone is out there at trade shows, advertising in trade mags, shipping out trial licenses etc, actively recruiting early adopters.

    Maybe there is a need for an idiots guide like "Crossing the Chasm"

    http://search.barnesandnoble.com/booksearch/isbnInquiry.asp?userid=18DJH2Q01P&isbn=0066620023

    If I was marketing a utility like OpenSSH I would make sure it was "on the list" in every place that someone might look for secure remote connection software. This might mean

    * Tie-up deals with other suppliers to get the software shipped and trialled

    * Presentations at banking industry seminars

    * White papers to learned security journals

    * Following up downloads and trial licences in big companies

    * Printing case studies and success stories

    On a side note I probably wouldn't call it freeware so much as "its a commodity these days, why would anyone pay for it"

  47. Solaris ships with OpenSSH by Anonymous Coward · · Score: 1, Informative

    You read the subject correctly. The ssh package that Sun provides is OpenSSH.

    I've installed it, I know.

  48. SSH over OpenSSH? by StupidKatz · · Score: 2, Insightful

    While I can respect the company's policy of only wanting to deal with "respected and proven" commercial software, many commercial apps critical to secure operations are not "proven". Even SSH is relatively far behind the development curve of OpenSSH, its open-source counterpart. Nor is it in use in as many types of environments.

    It may sound silly to suggest it again, but consider mentioning OpenSSH in your spread of possibilities. Even though it did have a possible remote root exploit exposed recently, look how fast working updates and/or workarounds were released. You'd be very hard pressed to find that in a commercial product.

    1. Re:SSH over OpenSSH? by Anonymous Coward · · Score: 0

      Yup. Want to know how much commercial "support" sucks for security bugs? We're still waiting for Oracle to ship an updated Apache (they have custom mods that we have apps that depend on) for the chunk bug. Thank God it's an intranet server and not exposed (though I'm certainly not dumb enough to think that that makes us completely safe, it at least makes me feel a bit safer).

  49. Probably want you to use SSL by Satan's_Tool · · Score: 1

    They probably want you to use SSL FTP for your secure connection with their FTP server. We ran into the same problem and had to purchase WS_FTP PRO to get a 'secure' connection with our vendor.

    --
    Yes, I'm an agent of Satan, but my duties are largely ceremonial.
  50. secureFTP == SSL + FTP by Anonymous Coward · · Score: 0

    If it is the above - try http://www.covalent.net/. They sell an apache 2.0 based FTP server which works with the SSL module (which also does the HTTP->HTTPS security).

  51. If you want industry standard... by TheRealSlimShady · · Score: 2, Interesting

    ...use IPSEC based VPNs. Most firewalls will do this, just make sure they use a common key exchange method (i.e. don't use anything from Novell)

  52. SSH is the original by ddstreet · · Score: 4, Informative
    The SSH protocol was created by ssh.com, and in the past they have tried to stop OpenSSH from using the SSH name (see here and here and here). The SSH product from ssh.com was created before any SSH standard existed, and its protocols became the de facto way to communicate securely. It was (and according to the license agreement, still is) available for free (as in beer) for non-commercial and educational use. It's available at their ftp site or a mirror.

    If you want an "industry proven and supported" product that supports SSH protocols, then the original SSH is what you want, but you'll (obviously) have to pay.

    1. Re:SSH is the original by Anonymous Coward · · Score: 0

      Yes, but the licensing agreement changes on a daily basis.

      That's what everyone wants! ;-)

  53. What about other "freeware" by Halo- · · Score: 2, Insightful

    So how do they feel about Apache? I mean, IBM will sell it to you as IBM HTTPD, but it's still Apache. Or Java? Or... grrr

  54. Open Source solaris by Anonymous Coward · · Score: 0

    Does your co.'s Solaris have Perl installed? How about sendmail, bind? Maybe even Apache running somewhere on their corporate web?

    How about Perl/CGI somewhere? I ran into this with Avaya/IBM CS.

  55. Re:pricks!! by Trevin · · Score: 1

    I take it you mean a company with legal backing, rather than one with technical backing?

  56. Just point them to Sun by hexile · · Score: 2, Informative

    Sun themselves recommend OpenSSH. Just search http://www.sun.com.

    Some notable links:
    http://www.sun.com/blueprints/0102/configssh.pdf
    http://www.sun.com/blueprints/0701/openSSH.pdf

    The scripts for an automated package creation have been very useful for me over the past few months, as OpenSSH has blazed through the 3.x versions.

  57. Cambridge University (UK) by Denny · · Score: 1

    When I worked at Cambridge Uni I had to use ssh and scp to access my work machines from home. I'd have been horrified if they'd had ftp and telnet access into that network.

    Regards,
    Denny

    --
    Police State UK - news and
  58. SecureFX from Vandyke Tech... by lugonn · · Score: 1
    ...It costs $59.95, but it sounds like that is what your customer wants. Software that costs money and has support.

    It supports many other protocols besides SSH too.

    Go to: www.vandyke.com/products/securefx

    I use SecureCRT everyday and it rocks! I've never used SecureFX (their premier file transfer program), but I get what I need from CRT and it's $30 cheaper (it's a terminal, but has z-modem).

    1. Re:SecureFX from Vandyke Tech... by Anonymous Coward · · Score: 0

      We have about a dozen home workers and clients who use SecureFX to transfer documents between an OpenBSD-based OpenSSH server at the office. Granted, $60 a copy may seem like a lot, (considering there are several free SSH implementations out there) but it's an excellent Win app that's very easy to use and easy to install, which is important since most of the users aren't very tech-savvy.

      Since the encryption is done in the app itself, we also don't have the potential headache of messing around with the network stack on a client's PC -- something that a lower-layer solution (IPSec/VPN) would involve.

  59. Re:XFree86 by Anonymous Coward · · Score: 0

    Given that it took some 5 or 6 years to go from version 3 to 4, and that all versions prior to 4.0 were colossal, dysfunctional hacks, that hardly seems surprising.

  60. OpenSSH plus chroot patch by punkball · · Score: 1

    I worked for Harvard Law School for a year as one of my coop assignments and we used a chroot patch I picked up maintenance for to mimic ftp's chrooting (chrootssh.sourceforge.net if yer interested). We found it to work flawlessly and have been using ssh.com's ssh/sftp client for all our users, which include professors and various employees maintaining websites. Seeing as those types of users aren't really technical it was great to see they had no problems using our ftp replacement. Good luck!

  61. Motorola CMTS's are provided with OpenSSH... by tcmardoc · · Score: 0

    even motorola cmts's (if you can call this company enterprise class) are using OpenSSH, and so do many network devices that use a unix/bsd kernel; they use open secure-shell for remote access management. so tell your bosses.. that if it's free it's better.

    --
    -JAPAN: ol yor beys ar bilong tu as! -AH!
  62. I'll sell your company a commercial version.... by Anonymous Coward · · Score: 0

    of OpenSSH that is. What price are they willing to pay? *grin*

  63. Dude, you could make some serious cash by RedRun · · Score: 3, Funny

    Ok, this is what you do:

    Register a company called "Secure Products Inc.", and make a quick website, fake some letterhead, etc. Then, tell your boss you found a great SSH product from Secure Products for only $50 per seat. Then, download the newest version of OpenSSH, change the name to SPISSH and watch the $$$$ roll in!

    Word.

    1. Re:Dude, you could make some serious cash by Anonymous Coward · · Score: 0

      If there was a button, and a peasant on the other side of the world....

  64. Cisco uses ssh by Anonymous Coward · · Score: 1, Informative
    I work at Cisco, we use ssh internally on our Unix machines. We recently dropped telnet on all workstations for remote access.

    Our routers also have a built-in ssh client (your ios must have a crypto feature set) so it's another incentive to use it.

    1. Re:Cisco uses ssh by kcurrie · · Score: 1

      ...we dropped both telnet AND ftp actually. I'm the one doing the change actually :-)

      --
      -- I speak only for myself.
    2. Re:Cisco uses ssh by Brummund · · Score: 1

      Cool! You work for Cisco as a programmer? How's working as a programmer for such a big company? I'm self-employed, and a bit scared of those big corps, so it would be great if you'd share some opinions.

    3. Re:Cisco uses ssh by Anonymous Coward · · Score: 0

      drop the telnet daemon and go with an ssh daemon

      one of our ids boxes (sits in promiscuous mode, all traffic in/out the building is trunked to its port on the etherswitch) sniffs the networking group's passwords all day long. they have a bad habit of telnetting into the etherswitches to make config changes =)

      then again, don't. when they are too slow to respond, i'll move ports over to vlans when i need. =)

    4. Re:Cisco uses ssh by melloncollienet · · Score: 1

      can you then concentrate on getting some bugs out of the IOS after that? - somebody that has to work with Cisco kit that isn't behaving.

  65. SSH Alternatives (or HTTP/SSL?) by Anonymous Coward · · Score: 2, Informative

    I have run into the same situation myself, where the vendor I need to work with wants to transfer critical, sensitive or otherwise private data across the internet, using the very insecure FTP protocol.

    I have suggested SSH to these vendors and each time they cite reasons relating to their use of Microsoft Windows (often a managed server at some hosting company like AT&T), or their refusal to use non-mainstream-commercial software. They also tend to try to argue that FTP is good enough, and that the law doesn't require anything more secure. As we all should know, this is just plain senseless, and dangerous.

    In my hunt for an alternative that would be acceptable to them as well as me, AND would be able to be automated, I realized that good old HTTP over SSL (HTTPS) would work just fine for transferring the data. Not only would it be secure enough (at 128-bit) but I could automate the entire thing with OSS tools from my side, and they already had everything they would need to make it work on their end under Windows.

    With just a little configuration on each end, and a simple little perl script, we have a secure transfer mechanism.

    In our case our internal policy states that we initiate all secure data transfers from our side so making our transfers "bi-directional" was easy, but for others who do not have this policy, or where it would be inappropriate, it is quite simple to set up an http server on the local side to handle inbound transfers, even on a Windows server/host.

    There are of course other possibilities including using a TLS enabled ftp client/server, and they all come with other considerations including some relating to compatibility. I highly suggest that you personally review each of the alternatives yourself and do not rely purely on the advice gleaned here on Slashdot, as accurate (or not) as it may be.

    Hope this helps!
    -Anon

  66. Solaris 9 ssh IS OpenSSH by Burdell · · Score: 2, Informative

    Solaris 9 comes with a slightly modified OpenSSH (according to Sun).
    The only commercial Unix ssh server that I'm aware of is from SSH.com
    (it is resold by several companies like F-Secure IIRC).

    Compaq^WHP supplies SSH.com's ssh for Tru64 Unix (free download from
    Compaq's site, and I think will be included with Tru64 5.1B).

  67. If I am not mistaken. by FreeLinux · · Score: 2

    SSH is a proprietary product from SSH.COM. It is an outstanding technology that has been adopted by the open movement and SSH "tolerates" Open SSH. However, all other commercial products must license it from SSH. So, if you must get it from a commercial vendor then why not get it from the horse's mouth, as it were.

    Now, to answer your question regarding Open SSH specifically. The only major and well known company that I know for sure that uses Open SSH is Cisco. There are certainly many others but, there are probably few who use it as a matter of policy. But, that doesn't mean that their engineers, having half a brain, haven't all acquired a copy and rely heavily on Open SSH. Part of the problem with free software is that it doesn't show up on the radar unless it is used very heavily but, that doesn't mean that it isn't used by many.

    You've got a tough sell ahead of you as you must sell mind share, which is very difficult. It's far easier to sell SSH on technical merit but, that's already been done for you. To add further insult, if anyone does take you seriously and checks into Open SSH they will likely find a couple of recent vulnerabilities which, although already fixed, won't help your argument.

    I'd say let it go. If they want to pay for SSH then let them. Comfort yourself in thinking that that money will be used by SSH to advance the product and some of those advancements will make it into OpenSSH too.

    1. Re:If I am not mistaken. by akeru · · Score: 2, Informative

      well, you are, in part, mistaken. SSH is a proprietary product from SSH.com (I don't know what the exact company name is ATM) and while it is an outstanding technology (well, v2 of the protocol is, v1 . . . not so much) it was not "adopted" by the open movement. SSH (the company) has had the protocol ratified as a standard, and OpenSSH is an implementation of that standard (well, Internet-Draft at the moment) and SSH.com "tolerates" OpenSSH only in that it has no alternative as it initially submitted SSH to the IETF. So if they want it to be a standard, they can't inhibit other implementations of said standard. This is also the reason they lost (and horribly, I might add) their battle over the "SSH" trademark. SSH is the name of a standard protocol (at their own doing) so the company lost the right to use it exclusively.

      --

      Let's hope that there's intelligent life somewhere out in space 'Cause there's bugger-all down here on Earth.

    2. Re:If I am not mistaken. by afidel · · Score: 1

      Not sure what you mean exactly by Cisco using openssh, but sitting at my Cisco supplied desktop running the default windows install and opening the ssh client it is ssh secure shell from SSH Communication Security Corp version 2.4.0. Now the Solaris hosts I log into generally run openssh, and in fact telnet and ftp access were recently turned off in favor of ssh/scp but I would say like most corps they run a mix of SSH clients/servers.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    3. Re:If I am not mistaken. by DaveBarr · · Score: 2
      Never let the facts get in the way of a good troll, eh?

      The truth of the matter is that back in the early days of SSH, the world was entirely SSH.COM (now F-Secure). That's because there was no one else. SSH 1.x was all we had, and it was free (for non-commercial use, after 1.2.something).

      It's profoundly clear that the large majority of businesses are switching to OpenSSH. The numbers prove it (check out openssh's statistics, posted here several times). Why? Because the old SSH 1.x installations are steadily dying, and people are forced to perform a semi-major upgrade. It's clear they're choosing OpenSSH. If you read the statistics in fact, it appears that the number of F-Secure installations is dropping. (not counting F-Secure 1.x, which is dropping like a stone).

      You may think "oh, big conservative companies want a commercial product". Take for example UBS Warburg. A mega-huge conservative financial institution. They use OpenSSH wherever possible ("as a matter of policy" to use your words). In fact, several of their employees are involved in OpenSSH development. I used to work for a hosting company, and there were other financial institutions that used OpenSSH. Of course not just banks liked OpenSSH. We had very few requests to support F-Secure.

      They're by far not the only ones. Your "horse's mouth" argument is way off the mark, too. The vast majority of development is going on in the OpenSSH world, not the closed proprietary world of F-Secure. Oh, and F-Secure's SSH isn't without a recent hole either.

    4. Re:If I am not mistaken. by buss_error · · Score: 2

      I thought Cisco charged for SSH on the routers?

      --
      Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
    5. Re:If I am not mistaken. by Anonymous Coward · · Score: 0

      Actually, you are slightly mistaken as well. For the IETF drafts, there needs to be two INDEPENDENT implementations before becoming RFCs.

      In this case, it was SSH.com and lsh--not OpenSSH. OpenSSH started because they were pissed off about the constant licensing changes going on with SSH Comm. Security's implementations.

    6. Re:If I am not mistaken. by Anonymous Coward · · Score: 0

      Funny, that's the same exact vulnerability on SSH.com's earlier versions as well :)

      http://www.ssh.com/products/ssh/advisories/authentication.cfm

  68. Sun RECOMMENDS OpenSSH by jsimon12 · · Score: 2

    And has docs on it. Use things like sendmail and bind (DNS) as examples of opensource in practice. Also, show them the prices for a commercial SSH implementation on a large scale. Very little beats the bottom line of free, as in beer/books.

  69. What I implemented at my company by ALecs · · Score: 1
    I'm the admin for a small (lt 20 people) company so I can usually get the chance to do things right from the beginning. When the execs asked for a way for off-site consultants to access our internal (samba) fileserver, I cringed (ohmigod, Windows VPNs, etc.) until I found SecureFX.

    SecureFX implements FTP-over-SSH2 and SFTP. All I had to do was turn on "Subsystem SFTP" on the servers, give each exec a DSA key and install this program. It was ~$60/seat when we bought it - we only bought 5 seats, one for each consultant - and it's easy enough for our Windoze users to handle.

    Basically, it looks just like an FTP client to the user. I just set the initial directory to our samba-shared directory path and bingo! You can drag-and-drop and whatnot. Only thing to worry about is getting users to upload the file again when they've made their changes (we've had files get out of sync that way).

    One annoyance - it uses SSH.COM's SSH engine so you have to generate DSA keys with the client program and convert the public key to OpenSSH format for use on the server. Minor annoyance.
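    The key-format conversion step described in the post above, as an added example that is not code from the original post, from SecureFX or from OpenSSH: a pure-Python converter that turns an SSH.com-style (RFC 4716) public key into the one-line form OpenSSH's authorized_keys expects, the same job `ssh-keygen -i -f key.pub` does. The sample key text, its comment and its placeholder integers are constructed inside the block (it is not a real key), and the function names are my own.

```python
"""Convert an SSH.com / RFC 4716 public key (the layout SecureFX and the
ssh.com client write) into the single-line OpenSSH authorized_keys form.

Added example, not code from the original post or from any SSH product.
It performs the same conversion as `ssh-keygen -i -f key.pub`, in pure
Python so the steps can be read and tested offline. The sample key is
constructed on the fly and is not a real key."""
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"
# Key types whose wire blob begins with the type name as an SSH string.
KNOWN_TYPES = {"ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length + payload."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int = 0):
    """Decode one SSH wire-format string at offset; return (payload, next_offset)."""
    if len(blob) < offset + 4:
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if length > len(blob) - start:
        raise ValueError("string length exceeds key blob")
    return blob[start:start + length], start + length


def rfc4716_to_openssh(text: str) -> str:
    """Return 'keytype base64blob comment' for one RFC 4716 public key file.

    Header lines look like 'Comment: value' and may be continued by ending a
    line with a backslash; every other line between the markers is base64.
    The key type written out comes from the decoded blob, not from the
    Comment header, so a mislabelled file cannot yield a line of the wrong type."""
    lines = [ln.strip() for ln in text.splitlines()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("missing RFC 4716 BEGIN/END markers")
    body = lines[lines.index(BEGIN) + 1:lines.index(END)]

    comment = ""
    b64_parts = []
    i = 0
    while i < len(body):
        line = body[i]
        if ":" in line:  # header line; base64 text never contains ':'
            tag, value = line.split(":", 1)
            value = value.strip()
            while value.endswith("\\") and i + 1 < len(body):  # continuation
                i += 1
                value = value[:-1] + body[i]
            if tag.strip().lower() == "comment":
                comment = value.strip().strip('"')
        elif line:
            b64_parts.append(line)
        i += 1

    blob = base64.b64decode("".join(b64_parts), validate=True)
    key_type = _read_ssh_string(blob)[0].decode("ascii", errors="replace")
    if key_type not in KNOWN_TYPES:
        raise ValueError(f"unrecognised key type in blob: {key_type!r}")
    line = f"{key_type} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}" if comment else line


def make_sample_dsa_key() -> str:
    """Build a constructed ssh-dss public key in RFC 4716 layout (not a real key).

    A real ssh-dss blob is: string "ssh-dss", then mpints p, q, g, y. Small
    placeholder integers stand in for the DSA parameters; only the layout
    matters for exercising the conversion. The Comment header is split over
    two lines to exercise backslash continuation."""
    blob = _ssh_string(b"ssh-dss")
    for value in (0x7F, 0x61, 0x05, 0x1234):
        # mpint: big-endian bytes, with a leading 0x00 if the top bit would be set
        blob += _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))
    b64 = base64.b64encode(blob).decode("ascii")
    wrapped = [b64[i:i + 70] for i in range(0, len(b64), 70)]  # RFC 4716 wraps lines
    return "\n".join([BEGIN,
                      'Comment: "1024-bit DSA, converted by consultant@example.org, \\',
                      'constructed sample"',
                      *wrapped, END, ""])


if __name__ == "__main__":
    sample = make_sample_dsa_key()
    print(sample)
    print("authorized_keys line:")
    print(rfc4716_to_openssh(sample))
```

    On the server side, the post's "Subsystem SFTP" corresponds to the OpenSSH sshd_config directive `Subsystem sftp /usr/libexec/sftp-server` (the sftp-server path varies by platform).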

    1. Re:What I implemented at my company by Anonymous Coward · · Score: 0
      WinSCP works pretty well too. And it's free.

      http://winscp.vse.cz/eng/

  70. Let's not look a gifthorse in the mouth... by ClarkEvans · · Score: 1

    Who has a company which can charge these people?
    Preferably one with credit card processing facilities to make it as painless as possible for them. Once the charge goes through; you could then take most of the money and dole it out to some of the big OpenSSH contributors...

  71. It's certified on Windows NT 4 SP 5 only ! by Anonymous Coward · · Score: 0
    That's one serious certification :)

    I think all of us know that the majority of certifications are mostly marketing crap allowing non-technical buying managers to say 'Ya. Certified. Must be good then.'

    I'd personally take the size of the OpenSSH userbase as a much stronger argument in favor of OpenSSH even if F-Secure had tons of certificates wrapped all over it.

    1. Re:It's certified on Windows NT 4 SP 5 only ! by Anonymous Coward · · Score: 0

      Psst. Check out www.nist.gov before you start to talk of things you apparently know nothing about.

  72. Re:SPISSH by Lord+Bitman · · Score: 1

    Superior Pornographic Industrial Sex Sex House would hereby like to sue you for infringing use of our trademarked "SPISSH" name. But we can't 'cause the bitch took all the money. So just act like we sued you, and give us some cash.

    --
    -- 'The' Lord and Master Bitman On High, Master Of All
  73. Corporate Examples...... by jsimon12 · · Score: 2

    Email me, I can give you names and number for people using OpenSSH in a corporate environment. (I am posting this to the main comments since the article poster doesn't have an email address).

  74. "freeware" to them and to the rest of us by cetan · · Score: 2

    I am willing to bet that when they said "freeware" they were thinking TuCows and fly-by-wire or 13-year-old VB h4x0r in his basement.

    I'm sure your boss(es) need a good clue-bat to the head and they'll be fine.

    --
    In Soviet Russia...michael would be rotting in Siberia!
    1. Re:"freeware" to them and to the rest of us by cetan · · Score: 2

      I just realized that perhaps it's not your bosses that are resisting "freeware" OpenSSH but in fact the vendor. Either way, someone needs to explain the differences to them.

      --
      In Soviet Russia...michael would be rotting in Siberia!
  75. Resist the MS FUD by Anonymous Coward · · Score: 0

    "Industry Proven" and "Industry Supported" are concepts that only exist in MS generated FUD. These phrases have no relevance out of the context of "ClosedSource vs. OpenSource". That is they would not exist if better Open Source alternatives did not exist to some "Industry Supported", ie proprietary software. They started to appear in the vernacular of IT departments being targeted by MS. The statements "Industry Proven" and "Industry Supported" sound real cool and IT managers like to say cool and impressive things. MS taught them the phrases and now they parrot them any time they get a chance. The real funny thing about all of this is that neither phrase has any real meaning, and what little meaning there is has almost no positive monetary impact on any IT department. BTW, most IT managers don't know shit about Software, that is why they are so easily bamboozled by MS.

  76. Reasonable prices, don't know about service by Anonymous Coward · · Score: 0

    http://www.goodtechsys.com/products.htm

  77. corporations that use this? by Satanboy · · Score: 1

    hmmm
    well I can say that the insurance company I work for (name withheld) uses SSH.

    Also the old ASP I worked for, Interliant (now Interland) uses SSH for stuff.

    I can't believe for an instant these managers want something "proven". What are the alternatives? TELNET????

    --those are my two cents, fish in the change return for more

  78. Stupid managers: fire them by Ogerman · · Score: 5, Insightful

    The response I received stated that they don't like to use freeware, but only consider industry proven and supported software.

    Then your company needs to fire its IT management staff since it is apparent they have absolutely no idea what they're talking about. In the meantime, you can tell them that OpenSSH is NOT Freeware. I wouldn't trust freeware either. The difference? Freeware is typically closed source software that the authors refuse to release the code for because they think they're really "eleet" or some similar childish reason. I would also ask you: if you're a talented geek (assumption), why are you working for some lame company that refuses to touch Open Source software? Go somewhere where you're gonna make a difference. If you have the skills, you'll find plenty of jobs doing what you'd really like to do.

  79. From Their Download Page: by ImaLamer · · Score: 2

    "SSH is now the de-facto standard for remote administration over the Internet. It is used in more than 50 countries by thousands of organizations, including e.g. MCI, Stanford University, Lawrence Livermore National Laboratories, and NASA."

  80. I saved my previous company $60K with OpenSSH by oobeleck · · Score: 4, Insightful

    The "security" admin there wanted to load F-Secure on everything.
    Except he didn't know how to load it. I was tasked with "implementing SSH..."
    I loaded OpenSSH on all the Sun boxes (90+). Loaded up putty for all the developers and started shutting off telnet/ftp.
    The F-Secure sales rep called me to see "how things were going".
    I told him we were going to go with OpenSSH. He asked about support... I laughed at him. 2 weeks later a major hole surfaced in SSH
    (OpenSSH was not vulnerable to this one.) and F-Secure was the LAST vendor to come out with a fix, ala 2+ weeks later.

    I have OpenSSH running on my HPUX box, all my Sun boxes, all my Linux boxes, and of course my OpenBSD boxes.
    If OpenSSH is good enough for Sun/HP/Redhat it ought to be good enough for your managers. If not it might be time to go Bofh on them....
    Just load it on there and then tell them you *didn't realize* it was already on there.... Then stuff them in a tape safe...

    1. Re:I saved my previous company $60K with OpenSSH by VValdo · · Score: 2

      I saved my previous company $60K with OpenSSH

      Cool! Like, did the CEO of the company personally walk to your cubicle with his minions and hand you a large oversized check?

      They DO do that, right?

      W

      --
      -------------------
      This is my SIG. There are many like it, but this one is mine.
    2. Re:I saved my previous company $60K with OpenSSH by Anonymous Coward · · Score: 0

      >>I saved my previous company $60K with OpenSSH

      >Cool! Like, did the CEO of the company
      >personally walk to your cubicle with his minions
      >and hand you a large oversized check?

      >They DO do that, right?

      Actually, they do if you play the game right.

      You've written a proposal that will generate a cost savings, while having previously negotiated your contract to grant you bonuses based directly on profit/loss factors.

    3. Re:I saved my previous company $60K with OpenSSH by oobeleck · · Score: 2
      I couldn't even get them to spend $60 for donation/t-shirts/posters ANYTHING to the OpenBSD/OpenSSH project.
      Cheap jerks. So I spent some money with them myself.... The wife looks good in an OpenBSD t-shirt...

    4. Re:I saved my previous company $60K with OpenSSH by hyperturbopete · · Score: 1

      The wife looks good in an OpenBSD t-shirt...

      hehe she must really love you then :-)
      her friends probably make fun of her

  81. Commercial Use at CapitalOne Financial by Alascom · · Score: 1

    For reference, I installed and configured an SSH server while employed with CapitalOne financial to facilitate the secure SFTP/SCP transfer of data between CapitalOne and its numerous vendors. I utilized F-Secure SSH which is a commercial SSH software package with both Unix and Windows ports. Sun Solaris on the Sparc platform was used as the foundation for the Server.

    I am not sure if the solution is still in use since I am no longer employed there but the solution worked well at the time with one exception, there was no Macintosh port at the time which limited the use with some of CapitalOne's marketing/graphic vendors (all those artsy fartsy types love the Mac!)

    -Alascom

    1. Re:Commercial Use at CapitalOne Financial by Anonymous Coward · · Score: 0

      It's pretty stupid to name the company you did this for.

  82. And it is very available... by gosand · · Score: 2

    If you are on a Windows based machine somewhere, and you need to use ssh, you can quickly get PuTTY from the net. It is small (220k), so you could even keep it with you on a floppy. And it is only a single executable. PuTTY is THE ssh client for Windows, IMO.

    --

    My beliefs do not require that you agree with them.

  83. You're giving them business... by An+IPv6+obsessed+guy · · Score: 1

    Everyone's "They're idiots, they should use OpenSSH" aside (I do agree with that), you said these people are your vendors? Unless they're the only vendor in the world that can meet your needs, mention that not only is OpenSSH a commercial solution, but that another vendor really wants your business and is willing to use OpenSSH.

  84. Answers for all your questions. by Ashurnasipal · · Score: 2, Insightful

    Both OpenSSH and SSH are industry proven and supported software. SSH is supported by the original author of the protocol, Tatu Ylonen, among others. OpenSSH is supported by acknowledged Open Source security experts including Markus Friedl, Dug Song, and Theo de Raadt.

    The version of SSH that Sun is shipping with Solaris is in fact OpenSSH. Sun is not trying to hide this, they are proud of shipping it because it is an excellent program.

    Most major insurance companies run SSH (if they are Microsoft shops) or OpenSSH (if they are not). Most hospitals run OpenSSH.

    I use both products. Support is superb for both; but SSH.com has friendly, personable phone support while the OpenSSH support comes mostly from Usenet and Email (and can be fiery if you ask exceptionally stupid questions). OpenSSH fixes bugs faster than SSH.Com, but both products have had about the same number of problems, and all have been quickly and effectively resolved.

    Popular clients for Windows include PuTTY and TeraTerm SSH. Make sure you get a recent version, however; older versions of those programs use versions of SSH (< v 1.5) that have known bugs.

    If you are dealing with a company that thinks commercial software is "better" than "freeware" you should be careful how you approach this project. If there is a single person who has created this mindset, that person is likely to be both powerful and not very analytical - a dangerous combination.

  85. Slashdot ate my "less than" sign by Ashurnasipal · · Score: 1

    I meant the prior post to say that versions of the SSH protocol prior to 1.5 are vulnerable to certain rare and obscure forms of attack. Should've used "preview", eh Taco?

  86. Fallacy of "support" and continuity by Anonymous Coward · · Score: 0

    The pothole that corporate types are still falling into is the idea that a purchased product will have a company behind it forever.

    However, in today's economy, you cannot count on that. As an example, there have been tons of commercial e-mail packages. Some of those companies went belly-up and their customers went scrambling for alternatives. Where is HP OpenMail these days? I forget if that one got released to the community or not.

    However, the open-source software like sendmail and so forth are the only ones you can be sure will continue to thrive and survive, and if nothing else you are free to hire your own programmers to extend it for your needs.

    Similarly with ssh. It's very easy, I think, for a corporate accountant to consider only what it costs this year. Consider what it costs when suddenly you are paying overtime and buying a new product all over again when company A goes belly up and you have to buy from company B.

    1. Re:Fallacy of "support" and continuity by waferhead · · Score: 1

      Openmail was picked up by Samsung IIRC. (one of its biggest users, now owns it, support IS available)

  87. Proven and Supported? HA HA HA HA HA by simetra · · Score: 1

    The response I received stated that they don't like to use freeware, but only consider industry proven and supported software.

    Like Microsoft software? That's funny. Really, people assume that if you purchase something, it's good, supported, etc. What a load of crap.

    Anyway, why not just set up a directory on your ftp server as write-only by the ftp user, and have them use PGP to encrypt the files themselves?

    --

    "Would it kill you to put down the toilet seat?" -- Maya Angelou

  88. Solaris /dev/random by Phibz · · Score: 1

    On Solaris 7 and 8 I use a kernel space /dev/random from Andreas Maier. I have successfully compiled it on both 32bit and 64bit machines using the SunPRO 5.0 compiler. To use it with OpenSSH, install the package, recompile OpenSSL and OpenSSH.

    In my opinion using the kernel space /dev/random removes most of the negative issues associated with running OpenSSH on Solaris.

    Trey

    1. Re:Solaris /dev/random by Bigbambo · · Score: 2, Informative

      Sun provides a /dev/random and a /dev/urandom now. Check out Patch 112438-01 for Sparc, or 112439-01 for X86 on sunsolve.sun.com

      --
      ***There is no point in asking, you'll get no reply***

  89. Solaris 9 ssh IS OpenSSH by Anonymous Coward · · Score: 0

    With a few Solaris specific enhancements. I think that's a pretty "commercial" endorsement. BTW, what's their position on bind or sendmail? They are also "freeware" solutions. I suppose they have a problem with them as well.

    They should be looking for the BEST solution, not the most expensive IMO.

  90. At Cisco, we use OpenSSH for everything. by Anonymous Coward · · Score: 1, Informative

    We switched -away- from commercial ssh because OpenSSH is better.

    Then, along came the privilege-separation thing . . .

    ;)

    Seriously, we use OpenSSH for all our host access, ssh gateways, etc. Wouldn't consider using anything at this point.

  91. Openness of OpenSSH likely not the issue. by Anonymous Coward · · Score: 0

    It's not likely you'll change your IT department's mind. More likely than "well proven commercial software" is that they want to have someone to sue (or merely yell at) if the software really does fail. It's one of the reasons my company rejected LINUX and went with VxWorks.

  92. Just use OpenSSH by cca93014 · · Score: 1

    It's secure. I mean, er, 2.9 is secure.

    No wait. 3.1 is secure. Oh, no make that 3.3...Er, 3.4. Yeah, that's it. 3.4.

  93. The larger issue by ajs · · Score: 2

    You've asked the smaller question with a really awesome example (OpenSSH is one of the highest quality software products available, IMHO).

    However, the larger question is this: how do you convince your boss that you should be allowed to use lots of free software off the net. The answer is you should not, and he should not approve such a thing. What you should be doing is picking a vendor that will do things like chase down security updates, while also providing you with the kinds of features that you need.

    Of course, this brings into question the entire spectrum of software that you run. Should you switch OS vendors to someone who embraces Open Source Software (e.g. a Linux vendor like Red Hat, Caldera, SuSE, etc.)?

    If you need high-quality software with the latest feature-set, you should be looking at who will give you what you need and support it well.

    Can of worms you say? Well, yes, but when you start talking about Linux these days you have a lot of ammunition. IBM is shipping Linux-based systems. Everybody and his brother is using Linux-based servers in production (unless they're using BSD :)

    OpenSSH is hard to argue against, and you'll probably win that battle hands-down. But what happens when you want remote management via VNC or OpenLDAP has some features you want or you need a quick-and-dirty database and don't want to spend $thousands?

    Get an OS that comes with the best software already installed. Get Linux.

  94. BULL! Most Fortune 500 use commercial SSH! by Anonymous Coward · · Score: 0

    You are just an OpenSSH troll. OpenSSH is great, but don't spread BS and FUD about commercial businesses using it. Most, if not all, use commercial SSH which has a far better security record and much better performance.

  95. bzzzzt! by kevin+lyda · · Score: 2

    wrong question.

    the correct question is, "should i get a new job?" and the answer is yes.

    i'm totally serious. it's as if 100 or so years ago you worked at an overland transport company that said, "ah, that mechanical train thing is never going to catch on, i'm sticking to wagons!"

    let your current employer waste their time and while you humor them with whatever they think they want to hear, go find a more sane place to work while you have the luxury of time.

    --
    US Citizen living abroad? Register to vote!
    1. Re:bzzzzt! by Anonymous Coward · · Score: 0

      >go find a more sane place to work

      You make that sound a hell of a lot easier than it actually is.

      Fortunately, I'm blessed with a job at a thoroughly clueful place where these problems don't exist. Well, at least there are always valid reasons when the software debate rages.

      But it's not 1994. Changing jobs isn't as simple as you make it sound, period. I'm hoping the high-tech bubble will finish its bursting, and then IT and business software dev can go back to being a down-to-earth career that only people with passion will pursue.

  96. Lemmings by sfgoth · · Score: 2

    they don't like to use freeware, but only consider industry proven and supported software.

    What, do they live under a rock? You'd be hard pressed to find another free software project used _more_ than OpenSSH.

    Maybe you should forward a note to your CEO about how your clueless IT department is needlessly racking up support and licensing costs, while remaining ignorant of common IT practices.

    -pmb

  97. Change the main-frame ways ... by theBunkinator · · Score: 1

    That's what I've been trying to push for my company. I'm amazed by how many companies (including mine) use ftp batch jobs to exchange data, usually comma delimited or even fixed width.
    Financial institutions just love their main frames and their main frame thinking. Then follows the "Hey I sent you the file, did you get it?" and "OK we processed the file, you can pick it up" emails.

    Instead, just post your data (in XML, of course) to a servlet/ASP/cgi over SSL. But that would be too elegant.

  98. For what it's worth... by carlos_benj · · Score: 2, Interesting

    I've been with my present employer since Oct. of 1999. Every time we have a meeting where we discuss ways to accomplish some task I waited for an opportunity to say, "I could write a shell script to do that" or "We could do that with a Linux box". Early on it always got a big laugh. Then my technical lead started saying, "We could do that with a shell script." Now they're asking questions about using Linux for server consolidation. Some things take time. Patience my young apprentice.

    --

    As a matter of fact, I am a lawyer. But I play an actor on TV.

  99. Ah yes by The+Cat · · Score: 2

    but only consider industry proven and supported software.

    ...the thin, whiny sound of an incompetent, bumbling, empire-building middle manager, easily identified by the unhyphenated buzz-phrase "industry-proven" which is part of the Management 2.0 Service Pack upgrade along with "customer-focused" and "memory-hungry."

    It really is unfair to have such a staggering advantage over the competition.

    No, please. PLEASE go overpay for your "industry-proven" version of the exact same thing everyone with a clue already has. Just don't lay off anyone when your budget runs out.

  100. Cisco Systems & SSH by _Sprocket_ · · Score: 2

    What large organizations are implementing SSH?"

    Cisco Systems uses SSH extensively. You can find SSH supported in some of their commercial products. And internally, SSH is becoming one of the standards for remote access. It might be interesting to note that they use a combination of SSH2 from SSH, Inc AND OpenSSH with both being officially sanctioned solutions.

  101. If you are the customer ... by kperrier · · Score: 1

    tell them that you don't support closed source security products due to the problems getting security updates. Remind them that the customer is always right....

    Kent

  102. email by Anonymous Coward · · Score: 0

    so erm... how do I retrieve my email securely using OpenSSH ?

    1. Re:email by Anonymous Coward · · Score: 0

      Host pop
      LocalForward 110 pop:110

      And configure your email client to point to localhost:110.

  103. Vendor or IT Dept? by Anonymous Coward · · Score: 0

    My company's IT department is trying to set up secure FTP with a vendor.

    It's not clear from your writeup if the OpenSSH idea was shot down by the vendor or by your own IT department. If the vendor says they don't want to use it, tell them tough shit. They are the vendor, and you are the customer; that means you get to dictate what tools are available for them to use. Unless the license agreement or contract or whatever you have between you specifically states that they will not be required to use "freeware", then they can either use it or you can take your bidness elsewhere. Simple.

    If your IT department is the source of the veto, then find a new job. The people you work for are idiots.

  104. Re:BULL! Most Fortune 500 use commercial SSH! by Anonymous Coward · · Score: 1, Informative

    Lemme guess. You haven't worked since the economy downturn. I can guarantee you that OpenSSH is being used in the biggest of big companies.

  105. Waah by Anonymous Coward · · Score: 0

    Is there any way to bludgeon the person who said they don't use "freeware"?

    1. Re:Waah by Anonymous Coward · · Score: 0

      A.C. wrote:

      > Is there any way to bludgeon the person
      > who said they don't use "freeware"?

      Sic Richard Stallman on them! I've heard he's like one of those dogs that once they chomp onto your leg, they don't let go. You ever heard him argue about "GNU/Linux"?

  106. Drop them! by markbthomas · · Score: 1

    Drop the vendor: they obviously haven't got a clue what they're talking about.

    1) They should read their vendors' EULAs (and probably their own). No software these days is supported. ("This software is provided "AS IS"...).

    2) Lots of free software is very much industry proven.

    Perhaps you could try a little education.

  107. Check out the press that OpenSSH DOES get by runswithd6s · · Score: 2
    --
    assert(expired(knowledge)); /* core dump */

  108. Harvard Law School by Anonymous Coward · · Score: 0

    Harvard University Law School is about to roll out both SFTP (FTP over SSH) and SPOP (POP3 over SSL). OpenSSH server is used on the Unix machines. SSH is also already in active use in the IT department for terminal and X sessions.

  109. Re:Stupid managers: fire them by ahaning · · Score: 1

    why are you working for some lame company that refuses to touch Open Source software?

    Perhaps [s]he can get them to "see the light."

    --
    Withdrawal before climax is very ineffective and those who try this are usually called "parents."

  110. for secure FTP, try SafeTP by chongo · · Score: 2

    My company's IT department is trying to set up secure FTP with a vendor

    To secure FTP traffic, I highly recommend SafeTP from the folks at Berkeley. SafeTP is an RFC 2228 compliant FTP Security Extension that uses Public Key Crypto to authenticate and secure the link.

    SafeTP is supported under Unix / Linux as well as Windows 95/98/ME/NT/2000/etc. Source code for Unix and compiled code for Windows is available free of cost.

    This quote from the Berkeley folks may be useful:

    How is SafeTP better than existing FTP systems?

    First and foremost, SafeTP secures the FTP control channel to ensure the privacy of the user password, thereby providing secure authentication. This in itself is a huge improvement over the traditional FTP protocol, which sends user passwords (and everything else) in the clear (see RFC 959).

    SafeTP protects the control and data channels against a number of attacks, including eavesdropping attacks, modification attacks, and replay attacks. SafeTP provides this security through a public-key crypto-system based on the ElGamal, DSA and TripleDES security algorithms, and is implemented as an RFC 2228 security mechanism. The security negotiation is similar to the one used by ssh and SSL - see the X-SafeTP1 protocol specification for details.

    SafeTP has several advantages over most existing FTP security systems (such as kerberos or ssh tunnelling):

    • Transparent - the windows client automatically and transparently secures FTP connections from within the OS - which means the user can continue using their favorite FTP client, without ever having to think about it again. No need to tweak any settings in their client, no need to setup any tricky proxy or port forwarding software.
    • Interoperable - the client software (windows and UNIX) automatically works with both secure and insecure (legacy) servers. The server software always accepts secure connections, and can be configured to allow or disallow insecure connections.
    • Data security and integrity configuration - SafeTP always secures the control channel (which includes the username/password login sequence), but the client can be configured to provide privacy, integrity and authentication for the transferred file data as well. The user may also choose to disable data encryption to maximize performance.

    We have found SafeTP to be both user friendly and expert friendly. We have been successfully using it now for several years. It works well behind firewalls. The code is both well written and stable.

    --
    chongo (was here) /\oo/\

  111. Why not use Microsoft SSH by dudemaster · · Score: 1

    Doesn't Micro$oft, the industry leader in super-secure - get whatcha pay for software, have a version you could pitch to your dain bramaged mgmt?

  112. You don't mean commercial. You mean proprietary. by Nailer · · Score: 2

    Using commercial as a synonym for proprietary isn't logical. There are plenty of Open Source applications which have been produced for the primary aim of making money (RPM, Zope) and there are plenty of closed source apps which are produced for non-commercial reasons (eg, PowerArchiver back when it was called easyzip). The word proprietary is a much more accurate description of the software.

  113. You're the customer by Anonymous Coward · · Score: 0

    If you're the customer you dictate to THEM your policies. If your policy includes using OpenSSH on your server then they should abide by your rules. If not, look for another vendor. If they just need client software on their end there's plenty of commercial clients out there. SecureCRT, TeraTerm are the ones I'm familiar with.

  114. Re:HPUX has an official OpenSSH-based implementati by Wanker · · Score: 2

    Wow. And here I've been building my own depots all this time.

    http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA

    Thanks for the tip, Marx!

  115. Use what is appropriate to the need. by h8macs · · Score: 1, Insightful

    If you are using windows I have seen f-secure at large corporations and medium to small businesses that I have worked at and supported.

    I have likewise seen, used and implemented openssh at the same companies. To exclude OpenSSH because it is OpenSource (freeware that hopefully gets creative and monetary contributions to it on a regular basis), is quite frankly ignorant and beyond all common business sense.

    Just because it doesn't have a big 'M' (microsoft) or a big 'I' (intel) or a big 'O' (Oracle) or a big 'C' (Cisco) on it doesn't mean that it sucks. Take a look at the movie Tommy Boy 'Chris Farley' I think they summed up "Warranty" very nicely.

    --
    :-( --- argh. Despair, I owe again. :-b

  116. OS X/SSH 2 by Frobozz0 · · Score: 1

    My company has just migrated from in-house to out-of-house serving. We now require secure transfer of files, so we use SSH 2. Luckily, my main design/development machine is running OS X. Not only does OS X have a built in command line SSH client, but there is a nice commercial app called rBrowser that slaps a nice GUI on it. It's $50/seat.

    --
    "Politicians find new names for institutions which under old names have become odious to the people."

    1. Re:OS X/SSH 2 by Anonymous Coward · · Score: 0

      Yeah, guess what. It's OpenSSH.

  117. www.appgate.com by Anonymous Coward · · Score: 0

    The guys at www.appgate.com make an ssh gateway and windows client which is (I believe) based on openssh, but is a commercial product.

    If your bosses want to pay for software, then go ahead and let them - it's their money. With openssh available, make sure you don't allow them to decide not to use any ssh just because they can't afford it.

    They can't afford not to.

    (However, for what you really want to do - send files to and from another company, an SSL web server might be a better solution)

  118. Engineering Workstation Labs by withak · · Score: 1

    The University of Illinois at Urbana-Champaign Engineering Workstation (EWS) labs are phasing out remote access methods that use clear-text passwords starting this fall (telnet, ftp, rsh, remsh, rexec, and rlogin, also insecure POP and IMAP eventually).

    More info on the changeover and the clients they are recommending can be found here.

  119. There are tons of SSH solutions... by tuxlove · · Score: 1

    There are jillions of SSH solutions. All of the ones I've used (including OpenSSH) are far, far more secure than any FTP server I've ever seen. FTP is an ancient protocol, inherently insecure, and FTP servers are constantly showing up on Bugtraq with buffer overflows, etc. SSH shows up there too, but not nearly as often and usually with less severe problems. Any boss not willing to use a freeware SSH is ignorant, but any boss not willing to at least use a commercial one is incompetent. (Ignoring the fact that commercial != better.)

    BTW, for a bitchin' Windows SSH client, check out "putty". Awesome. Puts Tera Term to shame.

  120. Sprint PCS 3 OpenSSH by NitroWolf · · Score: 2, Interesting

    I work in a pre-field lab environment, where we make sure all our equipment going onto our network isn't going to blow anything up.

    All of my machines are standard with OpenSSH now, and I know that all the new machines coming in are required to have SSH in place of Telnet... and OpenSSH is the de facto standard, although we will accept a commercial implementation if the vendor provides it.

    Anything Sprint PCS provided, though, is OpenSSH. Telnet has been officially "banned" from all new equipment, even if people are breaking this rule (much to my chagrin) on occasion.

  121. Re:Trivial Slashdot News While Cities Revolt by Anonymous Coward · · Score: 1, Informative

    You make it sound like there are citizen uprisings in those cities. It turns out that the article you link to is merely about the LEADERS (not even the citizens) of a few cities passing a few silly resolutions that don't have the effect of undermining the government's authority one bit.

    AND NOW FOR SOMETHING COMPLETELY ON-TOPIC.

    I'd rather read the trivial news about SSH. The company mentioned that "doesn't use freeware" is just being stupid. The FSF has a link to a paper that debunks their fear about OpenSSH and other open-source "freeware" being "unsupported".

    Also, like nearly everyone else, I recommend PuTTY if you need a Windows SSH client. Too bad that it's "freeware" too. I guess your company will have to settle for an inferior proprietary alternative.

  122. Re:Stupid managers: fire them by Anonymous Coward · · Score: 0

    I would also ask you: if you're a talented geek (assumption), why are you working for some lame company that refuses to touch Open Source software?

    You clearly have never worked a job you needed in order to eat or keep your house, and you clearly have no children or family of your own.

    Experience these and you will understand why talented and intelligent people work for companies that pay them well, without their first priority being how "cool" the company's open source policy is.

  123. The Written Word by DaveBarr · · Score: 2

    Check out The Written Word.

    They have builds of OpenSSH (and tons of other free software) for a variety of UNIX platforms, and they offer commercial support for them. I used them at my last employer, and was extremely satisfied with them. On several occasions they integrated or wrote fixes when I came across bugs, and submitted their fixes upstream to the maintainers. Their response was also much faster than the maintainers.

  124. Re:And it is very available...,even in Africa. by erice · · Score: 1

    In late January, my server rebooted for reasons unknown (probably a power outage). The web server didn't come up properly. And that means no email.

    I sat down at a Nairobi internet cafe and downloaded putty off the net. After about an hour of painful editing and debug, I had the problem fixed.

    Originally, I thought I would carry around a floppy with putty on it. But I discovered that it didn't really help. If it was at all possible to use putty, it was easy and fast enough to download it.

  125. Stop being spineless by Anonymous Coward · · Score: 1, Insightful

    point out that openssh ****IS**** industry-proven.

    if you can't argue with your boss about something that you're RIGHT about, then your career won't evolve.

    You're right, he's wrong. The only encryption software I trust in that respect is OPENssh, rather than CLOSEDssh, which is closed. End of story. You're the techie, he's the luser. How many other ways can this be put?

    Use Openssh if you want your network to be secure.

  126. Sun uses ssh by hubertf · · Score: 2

    Sun Professional Services uses SSH to access the machines they are administrating. I guess if it's secure for all their customers, it should be good enough for the application in question too.

    - Hubert

  127. SSH solutions (extremely bitter sarcasm within) by inode_buddha · · Score: 1

    Wow, maybe I'm a bit cynical, or maybe it's really troll time for me. Whatever. I'm at the point of simply throwing up my (virtual) hands at this sort of crap. Ask yourself this: In the last 5 years, how many tech-oriented businesses have tanked because technical decisions were made by the decidedly non-technical? Perhaps this is the real heart of the problem: a simple culture clash. It's perhaps time for senior manglement to learn when to really listen. My stock response nowadays is to simply give them whatever they really wanted to begin with, regardless of the suckiness of it. After all, the customer is always right, no? Guaranteed, I've never gotten a single negative response from this approach -- many people can't admit to themselves that they were asses, either. Instead, I simply shake and nod my head sympathetically, charge for a few more hours, and go about my business.

    --
    C|N>K

  128. If expense equals quality then by spress · · Score: 1

    Set up your own company, rebrand Open SSH by changing a few comment lines and titles, then sell it to them for $20,000 or so. Everyone wins!

    --
    Subverting the meta-moderating system since 2003

  129. CNN.com uses (or used) SSH by Arkham · · Score: 2

    I worked for CNN.com for two years (1998 - 2000). We used SSH there to transfer news feeds between servers as part of our automated processing. A template would generate the data (XML, html, JavaScript, whatever), and then a Perl or shell script would scp (secure copy, a part of ssh) the file to the remote server using an ssh-agent.

    When I left CNN, I went to a startup called ZapMedia. It was a much smaller company, but we used SSH for all communications to our production boxes (which were colocated at Exodus outside of our company LAN). We even did remote CVS checkouts over SSH as part of our code release process. The use of SSH was completely secure and worked very well.

    --
    - Vincit qui patitur.

  130. SSH In major companies by Anonymous Coward · · Score: 0

    HP (Compaq/Digital) Tru64 Unix includes SSH in v5.1a and above.

    I'm unable to speak officially for them but I know that VoiceStream Wireless and MCI Telecom both have used SSH for secure file transfers.

  131. We are using openSSH and we are rather large by gelfling · · Score: 2

    We are (an unnamed) large computer services company and we use openSSH, but the licence made our legal department throw fits. The wording in it is strange and basically says "I'm not sure what's in this code and there may be things that are or are not someone else's intellectual property, but if anyone comes after you legally then I'm out of it..."

    Before that we used F-Secure's SSH as a commercial version. It works great but is clearly more expensive than FREE.

  132. Industrial Espionage by Anonymous Coward · · Score: 0

    How come there are so many different versions of free and open source SSH derived from the commercial version of SSH that originated in Finland? There must be a lot of industrial espionage to steal the code and take out the licenses part of the software.

    1. Re:Industrial Espionage by Anonymous Coward · · Score: 0

      >How come there are so many different version of
      >free and open source SSH derived from commercial
      >version of SSH originated in Finland. There must be
      >a lot of industrial espionage to steal the code and
      >take out the licenses part of the software.

      dude, you need some serious help. OpenSSH was not developed in Finland. The original SSH was, by Tatu Ylonen, who is a Finn who doesn't work for the Finnish govt. duh

  133. SSH.com server and client... by stirfry714 · · Score: 3, Interesting

    This is one of those situations where I've actually been pleasantly surprised by both the commercial (SSH.com) and non-commercial (OpenSSH) products. I've used both, almost interchangeably, and like them both. It's really a toss-up for me.

    Some people might point to the recent OpenSSH security holes trying to discredit them, but look at how quick the turnaround on patches was... amazing.

    One thing I did want to point out was the SSH.com Windows client. I really like it. It might not be worth the money, but if you fall into one of the categories where you get a free license (allows university use and non-commercial use according to their website), it's quite good. I especially like the ease in opening additional sessions or secure file transfer, etc. Worth checking out..

    (And definitely don't use the TeraTerm SSH client. It's still SSH version 1, and is just a hack on top of TeraTerm... never seemed like the greatest solution to me, even if it did work)

    1. Re:SSH.com server and client... by Ristretto · · Score: 1

      The best ssh-enabled terminal program I've used is PuTTY, which is free and indeed much better than TeraTerm. Links to PuTTY are on my nix site, a collection of "UNIX" tools for Windows.

  134. SSH use by Anonymous Coward · · Score: 0

    Genuity uses SSH. They're an ISP/Web Hosting/VOIP provider. In a past life they were GTE Internetworking and BBN Planet before that (when the internet was ARPAnet).

    They use SSH everywhere. If you want to login to your hosted system, you need to use an SSH client. They use F-secure recompiled with patches.

    Of course, they use SSH internally too.

    In case you didn't figure it out, nearly every system they have is on the internet & outside the firewall.

  135. I built one by Anonymous Coward · · Score: 0

    I built one with ssh.com's version. OpenSSH and thus Sun's SSH is plagued with numerous problems.

    ssh.com's is not.

  136. Run, don't walk -- far away from these bozos! by phliar · · Score: 2

    ... they don't like to use freeware, but only consider industry proven and supported software.

    If a person this clueless is in charge of security, it's not a good sign for the company.

    You cannot find anything commercial that is more proven or better supported than OpenSSH. There may be commercial packages that are as good -- although I don't know of any -- but there can be none that are better. Support from commercial companies is, too often, a joke.

    Case in point: very recently a bug was discovered in OpenSSH: if you used a certain form of challenge-response authentication, a remote compromise may be possible. Within days of the bug being announced, there was a workaround; and versions post-3.3 are not affected since they UsePrivilegeSeparation by default. This is the only significant bug I can remember off-hand.

    In any case, SSH is a commercial product and is done by Tatu Ylonen, who was the original SSH guy; OpenSSH is the free version that the OpenBSD guys forked when SSH went commercial.

    --
    Unlimited growth == Cancer.
  137. Here by TheCabal · · Score: 1

    We deal with customers transferring large amounts of sensitive data to us. Our requirements are that the control and data streams be encrypted, and that the customers are confined to only their upload directories. We use SSH so we can do sftp and chroot the users to their own little jail. For our customers that use Windows, we supply a copy of CuteFTP and a VBScript written by yours truly to automate the data transfer (the latest CuteFTP supports sftp and ssl-ftp). We're very happy with this setup as it's secure and easy to use for our customers. We'd use OpenSSH, but it doesn't do user chrooting without some heavy modification. Because of SSH, we've been able to ditch our aging NT4.0 Server running WS-FTP with SSL enabled for our data transfers.
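
    Later OpenSSH releases (4.8 and newer) added the ChrootDirectory option and the in-process internal-sftp subsystem, which give the sftp-only jail described above without modifying the server. The following is an added example, not code from the post: it emits the sshd_config fragment for such a jail and reproduces sshd's own rule that the chroot path and every parent directory must be root-owned and not group- or world-writable (the group name and path are constructed placeholders).

```python
"""Added example (not from the Slashdot post): confining sftp-only users
with OpenSSH's built-in ChrootDirectory and checking the chroot path the
way sshd does before users get locked out by a bad configuration.

sshd refuses to chroot unless the chroot directory and each of its parent
directories is owned by root and is not writable by group or others
(it uses stat(), so symlinks are followed to their targets).
"""
import os
import stat
import tempfile


def sftp_match_block(group="sftponly", chroot="/srv/sftp/%u"):
    """Return an sshd_config fragment that confines members of `group` to
    sftp inside `chroot`.  Group and path are constructed examples; %u is
    expanded by sshd to the user name."""
    return "\n".join([
        "Subsystem sftp internal-sftp",
        f"Match Group {group}",
        f"    ChrootDirectory {chroot}",
        "    ForceCommand internal-sftp",
        "    AllowTcpForwarding no",
        "    X11Forwarding no",
        "",
    ])


def chroot_dir_problems(path, root_uid=0):
    """List the reasons sshd would reject `path` as a ChrootDirectory.

    Every prefix of the path (/, /srv, /srv/sftp, ...) must be a directory
    owned by `root_uid` whose mode has no group/other write bits.  An empty
    list means the tree satisfies sshd's ownership and permission rules.
    """
    problems = []
    path = os.path.abspath(path)
    parts = path.split(os.sep)
    prefixes = [os.sep] + [os.sep.join(parts[:i + 1])
                           for i in range(1, len(parts))]
    for prefix in prefixes:
        try:
            st = os.stat(prefix)  # follows symlinks, as sshd does
        except FileNotFoundError:
            problems.append(f"{prefix}: does not exist")
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{prefix}: is not a directory")
        if st.st_uid != root_uid:
            problems.append(f"{prefix}: owned by uid {st.st_uid}, not {root_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{prefix}: writable by group or others")
    return problems


def demo_bad_chroot():
    """Constructed example: a fresh temp dir made group/world-writable,
    the classic mistake that makes sshd refuse to chroot into it."""
    d = tempfile.mkdtemp(prefix="sftp-chroot-")
    os.chmod(d, 0o777)
    try:
        return chroot_dir_problems(d)
    finally:
        os.rmdir(d)


if __name__ == "__main__":
    print(sftp_match_block("vendors", "/srv/sftp/%u"))
    for problem in demo_bad_chroot():
        print("would be rejected:", problem)
```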

  138. Pointy Haired Morons - take advantage of 'em by iceaxe · · Score: 1

    Hey, no problem. Sell it to them.

    See, now it's not free, and it's definitely proven in the industry.

    Problem solved, plus money in your pocket.

    THIS IS NOT A JOKE.
    Thousands of consultants all over the world sell open source solutions to people who don't know how to do it themselves. It makes the pointy haired bosses feel good to think about how much money they are spending to get the very best that money can't buy.

    The best part is, you don't have to feel sleazy about it, because you really are setting them up with the best solution for their needs. They are paying you for your knowledge and expertise.

    Then you can turn around and help out with the project that made you some money, by coding, testing, documenting, or DONATING!

    Everybody wins.

    Go get 'em.

    --
    WALSTIB!
  139. OpenSSH and VNC -- Kill your PCAnywhere by blunderwerkz · · Score: 1

    The organization I work for is moving toward managing over 1400 remote M$FT boxes using nothing more than SSH Tunnels and the OpenSSH Windoze port available here.

    Saves a ton of $$$ in PCAnywhere licenses every year...

    1. Re:OpenSSH and VNC -- Kill your PCAnywhere by blunderwerkz · · Score: 1

      Ok...first post in three years and I make myself look like an ass...

      I meant to say that we are managing the 1400 remote M$FT boxes using nothing more than good ol' VNC and the Windoze port on OpenSSH

      Yeesh...LART me!

  140. Re:exploit by Anonymous Coward · · Score: 0

    You forgot the link to gaping holes.

  141. Oh come on, someone has to say it! by Anonymous Coward · · Score: 0

    > I emailed suggesting they look at OpenSSH .
    > The response I received stated that they don't
    > like to use freeware, but only consider industry
    > proven and supported software.

    If they're that braindead, screw 'em! Let them set up some proprietary "secure" ftp server with no security auditing (unlike OpenSSH/OpenBSD) and lots o' holes.

    If the top brass thinks *BSD/Linux = "freeware" = "bad", let them suffer accordingly. I might feel more inclined to educate them if this were 1999, but it's well past the time they should've gotten with the program.

    It's time for the knowledgeable people at the bottom of the power structure to stop meekly trying to improve things by begging the idiotic management. Get a group together and start your own company.

  142. open source gardening by Anonymous Coward · · Score: 0

    --I've been gardening since I was 4 years old, every single year I've had one. This is more than several decades now, I'd say I got a bit of experience and am a pretty fair garden sys admin. For quite a long time now I have used "open source" seeds, ie, seeds that were freely developed and offered for use to gardeners going way way way back in time, no patents on them, non-hybrids, open pollinated heirlooms. In fact, they are so old, I have no idea what they were called originally, I just call them "the tomatoes" sort of a catchy phrase. Anyway.....

    I'd stack my "open source" tomatoes up against ANY closed source proprietary named-brand tomatoes on the market at your local grocery store any day.

    Company bosses = "tards", bet they go under eventually with an attitude like that outlined in the description.

    Good luck working for them, don't take a big chunk of your pay in magic beans "stock" from them either, would be my advice.

    Not a troll against you, you are smart, you offered the more intelligent response to them first, did your job in the correct manner as they hired you for brains, ie, open source of good quality, something that does the job, you can custom tweak it, go on to the next project. This is laudable, their opinion that because it's open source then it's no good automatically is laughably naive. I bet they pull a lot of other boners as well, this country is rife with that sort of "management" now. Throw other people's money at projects until they go bankrupt. "enronitis"

  143. Disney Internet Group uses OpenSSH by Crag · · Score: 2

    I've been working at dig.com since April, and we use OpenSSH on all our unix boxes. We use a bunch of other free software, and nobody thinks it's risky or anything. We could certainly afford commercial software if it provided anything we couldn't get in free software.

    As it turns out, the prevailing attitude is that with commercial software we have to involve the vendor every time we want to do anything remotely unusual. If we improve the tool, the vendor probably won't support it. If the vendor improves the tool, they will probably require more money and a needlessly complicated upgrade for us to benefit from it.

    Stand up to your managers. Don't just tell them that Free Is Better, show them.

  144. Van Dyke Technologies by s2r · · Score: 0

    Did anybody mention Secure CRT?
    The latest is 3.4.5.

    1. Re:Van Dyke Technologies by TheShadow · · Score: 1

      Yes... that piece of software rocks. Best telnet/ssh client for Windows ever. It is definitely worth the money.

      --
      "What do you want me to do? Whack a guy? Off a guy? Whack off a guy? Cause I'm married."
  145. What kind of answer are you expecting? by p3d0 · · Score: 2
    Something like this, perhaps?
    Hi. I'm a Slashdot-reading Linux advocate, and I think it's outrageous that anyone could be so ignorant as to think that OpenSSH is not secure just because it is Open Source (tm). (Note that it's not freeware. Allow me to list ten differences between freeware and Open Source (tm) ...)

    Furthermore, OpenSSH is definitely industry-proven and supported. Here are some links to back this up: ...

    Sheesh. Shame on Cliff for posting this troll.

    --
    Patrick Doyle
    I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
  146. I believe they meant SSH *protocol* by Anonymous Coward · · Score: 0

    .. not the product.

    1. Re:I believe they meant SSH *protocol* by ImaLamer · · Score: 2

      oops, I think you are right.

  147. Here's your proof by Anonymous Coward · · Score: 0

    I just recently left the Army Corps of Engineers Network Operations Center. We use OpenSSH extensively on our network. Being fairly security conscious, we tend to deride anything else *shrug*. 40,000 User network, only one compromised system in the last two years.

    Brian

  148. Re:Stupid managers: fire them by exceed · · Score: 2

    would also ask you: if you're a talented geek (assumption), why are you working for some lame company that refuses to touch Open Source software? Go somewhere where you're gonna make a difference. If you have the skills, you'll find plenty of jobs doing what you'd really like to do.

    Your remark is simply idiotic. The whole world doesn't revolve around spreading open source around. He/She needs to make a living, make some cash, and he/she's not going to give up his/her job because his/her company doesn't want to run open source software.

    And, what makes you think going to a company that does touch open source will help "make a difference?" What? He's going to make a difference at the companies that DON'T touch it by convincing them to do so.

    And having 'leet programming skills' doesn't have anything to do with whether you support open source or not. And maybe he/she likes the job they already do, regardless of the SSH daemon they use. That's one hell of a reason to quit your job.

    --

    void women (int money, time_t time);
  149. Commercial Support for Open Source by billstewart · · Score: 2
    Your managers aren't totally clueless - they want to be able to use software that has someone commercially supporting it, who can be expected to continue to produce new versions that do what the market needs, and who can be paid to fix bugs - because there _will_ be bugs, and because security bugs are one of the worst kinds, and because unless you're in the security-software business, you're not the best people to be fixing that kind of software - you're in the widget business or the somethingware business.

    That's fine. There are people who do commercial support for open source. Hire them and pay them! Cygnus Support was the classic business following this model, and they've been bought by Red Hat, so get support contracts from Red Hat. Or SuSe, or a few other similar companies. You get the software you want, with a source license, and you get someone to fix stuff for you for your money. Works just fine.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:Commercial Support for Open Source by MadAhab · · Score: 2
      Good point.

      Though the managers are definitely mostly completely clueless. The fact is that as long as there is a market, there will be commercial versions. But as long as they need it, there will be open source versions. The liability issue is a total red herring, because software licenses generally close off all hope of suing anyone if something goes wrong. And just because you are willing to pay commercial vendors doesn't mean it will sustain their business. But open source support - that's available as long as there is a user base and a few people - or even one - who know what to do.

      I've used commercial SSH clients, and I wasn't terribly impressed. But I keep a floppy with Putty on hand.

      --
      Expanding a vast wasteland since 1996.
  150. Woe unto thee by Anonymous Coward · · Score: 0

    for you are entering into a relationship with idiots and are sure to suffer. OpenSSH is *the* standard in ssh. They are already running Solaris right? Well, that can be had for free and the next version includes OpenSSH. Pick better partners, these people are fucking stupid.

  151. Big accounting firm using openssh by Anonymous Coward · · Score: 0

    I know that one of the top 4 accounting firms makes major use of openssh for various remote operations for their Unix and Linux platforms.
    I also have friends at another one of the top firms and they also make use of openssh for remote administration.
    And no, neither of them is Arthur Andersen.

  152. TSSHd by octogen · · Score: 1

    There is a derivative called "TSSH" (Trusted SSH) which comes with Argus-enhanced Trusted Operating Systems.

    Trusted SSH is aware of TCSEC B1 security mechanisms (like Mandatory Access Control), Argus' privilege/authorizations concepts and ASN (Advanced Secure Networking).

    You can find a short TSSH FAQ (mostly about its advantages over other commonly used SSH servers) here.

  153. WebDAV with SSL and the right Authentication by Anonymous Coward · · Score: 0

    Just use WebDAV with SSL and the right authentication mechanism. There's a WebDAV client for many OSes (Linux, BSD, MacOS, Windows, . . .) and most OSes have it bundled with the stock installation - no messing around trying to purchase and distribute additional software.

    WebDAV, along with SSL, are even a standard part of Apache 2.0 as mod_dav and mod_ssl, respectively.

    If you need a remote shell then it's SSH all the way, if you only need something for remote file manipulation for the unwashed masses then go with a WebDAV solution today! It's an (augmented) HTTP protocol which means you don't have to fiddle with firewalls.

  154. Use OpenSSH by Anonymous Coward · · Score: 0

    They're idiots if they don't know that OpenSSH is the de facto standard for SSH nowadays. I use OpenSSH with Secure Ixplore from my windows machines with ease and security in mind :)

  155. SSH history by gr8guy · · Score: 1

    I would just like to point that the roots of SSH go to SSH Communications Security - and more specifically to Mr. Ylönen, the CTO of the company. I consider their implementation the best as they have the most knowledge of the product and they have very skilled programmers.

    As quoted from "In 1995, Mr. Ylönen invented Secure Shell for remote logins. From that time, Secure Shell has been available to download from the Internet and free for noncommercial use. The program became immediately very popular."

    ,gr8guy

  156. So why aren't they using Solaris 9? by Anonymous Coward · · Score: 0

    That question seemed to get glossed over pretty quickly. Solaris 9 comes with integrated and supported SSH (derived from OpenSSH), as mentioned many times before, along with a ton of other security enhancements beyond what prior releases had.

  157. Re:BULL! Most Fortune 500 use commercial SSH! by @madeus · · Score: 2

    A lot of large companies (like AOL TimeWarner, Sony and even Microsoft) run OpenSSH on BSD systems.

    For example, at my previous company I did work for AOL, and we used FreeBSD servers to prepare user billing data for AOL - with OpenSSH of course. Personally I would have preferred Linux, but the other 2 systems engineers were FreeBSD fans and I can respect that :-).

    The only - and I mean only - reason to have a commercial SSH client is if you need support for a trusted operating environment (i.e. Trusted Solaris, Argus Pitbull) and you typically purchase these from the vendor that sold you the OS in the first place - though with privilege separation now present in OpenSSH, this could be a thing of the past.

    If you've worked in big business you see how many use BSD and OpenSSH - though not so Linux, as most have reservations about its suitability for a corporate environment - and the use of free (as in beer) software is increasing as the cost benefits of a no-cost OS and cheap commodity Intel hardware are encouraging companies to move away from Sun hardware in certain situations.

  158. Commercialised products by Smid · · Score: 1

    We to this day have commercial department problems with using things like emacs, perl and g++, not to mention linux. The attitude being "we want a supported product".

    I say "hang on, isn't this how GNU/Linux was supposed to be making the money?"

    Ok, so the source developers are probably too busy to do it, but surely the distros could sell product by product support contracts for a very lucrative price. Their paid support could feed back into the original source...

  159. Ding Ding Ding! by Anonymous Coward · · Score: 0

    Slashdot Poster creates some simple C code, gets it right! Film at 11!

  160. The Written Word by S+O+U+L+B+O+Y · · Score: 1

    www.thewrittenword.com....

    Provide opensource/GNU stuff that is commercially packaged....
    They also frequently release up-to-date versions so that you can keep your software at the current releases....

    Or use the version that sun releases, and use the money for Sun Support....

    So your bosses can pay for openssh, then have a coke and a smile and shut the f*** up....

    and as pointed out above, since Sun and Apple release commercial versions of openssh, and everyone and their mom also uses it, it seems stupid to think it's "unproven"...

  161. Good list of SSH implementations by AYeomans · · Score: 1

    An excellent collection of links to SSH client and server products is maintained by FreeSSH. Includes free and fee versions.

    --
    Andrew Yeomans
  162. What Compaq did with Tru64 (Digital Unix) by Anonymous Coward · · Score: 0

    When this question came up for what to include in Tru64 Compaq went with SSH.com's product (and paid a lot of money for it) the reasons were both technical and support related. Being able to buy IPSec and SSH from the same place helped, along with the idea that the bug fixing can be done by a third party under contract. Tru64 and the Converged Unix will have to move towards OpenSSH since HP has already taken that position and the SSH.com license is locked to the Alpha platform so they would have to pay again for Itanium rights (not very likely.)

    At this point though it seems like the technical issues have all been cleared up, using the open projects (OpenSSH, OpenBSD, OpenSSL, OpenCA) one could tailor a fairly secure network for their own site, and save a lot of money doing it.

  163. openssh by munro · · Score: 1

    Eh? Everyone uses openssh!

  164. SSH by hache_the_boss · · Score: 1

    Sun is using SSH to access their servers... At the same time most of the Government departments in Argentina are using SSH to access their servers, and I know that many of the IBM Global Services projects are using SSH to work from home at them. Cheers.- Hache

  165. Re:Stupid managers: fire them by cduffy · · Score: 1

    It's not as if the suggestion is being made that this fellow quit his present job immediately and job hunt full-time until he finds somewhere with a more enlightened attitude -- merely that he switch; this can (easily) mean finding a new employer, and only then resigning from his present position. Unless his family is particularly large, or he's financially prevented from moving (ie. making payments on a house, unable to cover rent elsewhere in addition), one can still reasonably switch jobs presuming good pay and coverage of relocation expenses.

    Working at an open source company is extremely rewarding -- I can say this having been employed by one for three years now. Some of my coworkers signed up because of the ability to work on OSS and get paid; others signed up for more conventional reasons. As for my coworkers, they're almost uniformly brilliant at what they do; the engineering group includes big-name kernel hacks and has highly clued management -- and it's well worth noting that at least some of the best of them (the engineers, not the management) signed up specifically because of the opportunity to be paid for working on open source (even better, in at least one case, on a tree which they already maintained).

    Good pay is nice. Good pay in a place with brilliant co-workers and fun projects (which OSS-based companies are more likely than average to be) is nicer. What better than to be given money to do full time what you already do in your spare time?!

  166. Re:Stupid managers: fire them by cduffy · · Score: 1

    It's not what they use, it's what they let you use. A workplace which lets you use the Right Tool For The Job (at least in the cases where choosing wrongly won't have dire consequences down the road) is much more rewarding than one which dictates what you can do and how you can do it. Being allowed to use open source software (and extend open source software to do what the company needs, when appropriate) is indicative of a more flexible (and thus enjoyable) work environment than is otherwise available.

    Yes, your engineers have to be disciplined and responsible people to do that right -- but I'd far rather work at a company where I'm expected (even required!) to be disciplined and responsible but given a measure of design control in return than one where I have no power to misuse -- and I say this having worked in both.

    Finally, let me submit that those with truly 'leet programming skills' are, on average, more inclined to care about having control over how they do what they do than those without such skills. The best of coders (at least among those I've met) are those that love their work; who code not only to pay the bills but also because doing so is part of who they are. I've met more of these people inside the open source community than outside of it.

  167. Give em my name. by dilvish_the_damned · · Score: 1

    I will sell it to them. In fact, for a significant fee I will supply them with the 'Professional' version complete with the word 'Professional' written all over it.

    --
    I think you underestimate just how much I just don't care.
  168. Sun thinks OpenSSH is proven! by smoyer · · Score: 1

    Starting with Solaris 8, Sun has released OpenSSH as part of its offering. I think that a valid argument would be: "If Sun's research and development department believes OpenSSH is stable, why can't we use it as well".

    PuTTY is a great client for M$ ( ---- free bonus ).

    smoyer

    1. Re:Sun thinks OpenSSH is proven! by RazzleDazzle · · Score: 1

      According to this it is starting with Solaris 9 but sneakily renamed SunSSH. Maybe they will even give OpenSSH credit for creating OpenSSH?

      --
      ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
  169. Re:BULL! Most Fortune 500 use commercial SSH! by ExtremeSims · · Score: 1

    I work for AOL, managing ICQ and AOL Mobile Ops, and we do use OpenSSH. Yes, we have commercial SSH in some places, but a lot of our infrastructure is built on OpenSSH.
    Relying totally on SSH/OpenSSH to secure a host is bad SA practice. Building a security model that has several layers and components is the only way to fly.

  170. Sure we don't use ssh by The+Impossible · · Score: 1

    Officially that is... Oh, without it you can't get into the systems for management.

    The biggest problem here was getting the admins to use it. (it's all firewalled, so why should we...) The buffer overflow helped a bit, but we now mainly use it because of the easy to use (pointy clicky) user interface.

    Since a year or 2 we have a tcl/tk menu which allows you to log into a system without having to type ssh (telling them that it was less work to type than telnet didn't work, aix has the tn alias... :-() and everybody now uses ssh.

    In some corporations you have to misuse the laziness of humans instead of their sense of security to get things done.

    I'm now glad the internal network is almost as safe as my home net... (big organisations are hard to convince)

    --
    ... Wenn ist das Nunstruck git und Slotermeyer? Ja!... Beiherhund das Oder die Flipperwaldt gersput!
  171. try this ... disguises by cascadingstylesheet · · Score: 1

    Put on a fake mustache, and a visitor's badge. Meet with your management, call yourself ... er ... Mr. Ricardo from Super Security Inc.

    Don't tell them that OpenSSH is free, just sell it to them, for 1/2 the price of whatever commercial solution they are considering. Enjoy your bonus :)

  172. AppGate by fsn · · Score: 1
    The AppGate system is a VPN-kind-of system based on OpenSSH. Might be worth a look.

    Also, their Java ssh client Mindterm kicks ass, but they have been changing their licensing several times the last year.

    --
    Sometimes after an electrical storm I can see in five dimensions. --Cornfed, Duckman
  173. Take a look at Valicert Secure Transport by Anonymous Coward · · Score: 0

    http://www.valicert.com/

    It is expensive but it is a good secure file transfer solution.

  174. Major brokerage uses it by Anonymous Coward · · Score: 0

    I work at A. G. Edwards and we went through the whole process of selecting the "best" SSH and have implemented it on every Unix host in our home office. We will shortly be going back to disable telnet/r*/ftp on all hosts. We discovered OpenSSH to be at least as good as any of the commercial versions and at least as well supported. For instance, F-Secure's unix server didn't handle >2 GB file transfers. OpenSSH does. They also have more of a leadership attitude (i.e. privsep).

  175. Would support for OpenSource work? by kireK · · Score: 1

    ITSupported provides support for opensource products. Could you use something like that, and pay a support fee for packages etc. but keep OpenSSH?

    Just a thought.

  176. US Army by Anonymous Coward · · Score: 0

    The US Army uses OpenSSH extensively for secure access to critical systems. I have set it up myself. I post anonymously because I have to. If your company doesn't think OpenSSH is good enough tell them there's nothing they do that is more important, more critical than what the US Army is doing WRT these systems.

  177. OSE seems to think so... by Anonymous Coward · · Score: 0

    FWIW, OSE is one of the few embedded real-time OSes fully certified for use in mission critical applications. If you check their website, they list a company called Interpeak in their partners program. Interpeak is a VAR that sells binaries/support for their distro of... (drum roll)... OpenSSL.

    Now I can't say for sure, but this sounds a lot to me like OSE is implying that OpenSSL is suitable for mission critical applications...