Slashdot Mirror


SSH-Based Solutions - Looking for Industry Proof?

mcwop asks: "My company's IT department is trying to set up secure FTP with a vendor. It would be set up on a Sun box (not running Solaris 9). I emailed suggesting they look at OpenSSH. The response I received stated that they don't like to use freeware, but only consider industry proven and supported software. I have found one commercial version at SSH. What other commercial versions are out there (I know Solaris 9 comes with SSH)? But more importantly, what are some commercial successes? What large organizations are implementing SSH?"

32 of 391 comments

  1. Client side by Archangel+Michael · · Score: 3, Informative

    Tera Term on Windows is the best.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    1. Re:Client side by |<amikaze · · Score: 2, Informative

      Or PuTTY. It's a 200k executable and is available on Tucows.

    2. Re:Client side by sql*kitten · · Score: 5, Informative

      Tera Term on Windows is the best.

      It's good, but I've switched to PuTTY, mainly because it can heartbeat an SSH connection with an empty packet every minute to prevent sessions being timed out by over-zealous firewalls - very convenient if you need to monitor several machines.

    3. Re:Client side by Clue4All · · Score: 2, Informative

      Tera Term is most definitely NOT the best Windows SSH client. Besides being less configurable and scriptable than PuTTY, the terminal emulation is often poor, and most importantly, it doesn't support SSH v2 in the SSH add-on. If there's someone between you and your server with a sniffer, SSH v1 is no more secure than telnet, literally. You might as well put a sign up on the side of your house with your password.

      --

      Is your browser retarded?
    4. Re:Client side by Anonymous Coward · · Score: 1, Informative

      I think it's time for your heartbeat. PuTTY supports port forwarding right now. That's how I monitor my web server's control panel from behind a company firewall that only leaves HTTP, telnet and FTP ports open.

  2. Ssh communications. by Anonymous Coward · · Score: 4, Informative

    Most businesses go with SSH Communications, www.ssh.com. They also have a low-memory-footprint version, IPsec, tunneling software and some other stuff.

    1. Re:Ssh communications. by alsta · · Score: 3, Informative

      Well, Solaris 9 has an SSH implementation which in fact is OpenSSH. They've modified a few things though; such as the reported version string;

      Escape character is '^]'.
      SSH-2.0-Sun_SSH_1.0
      ^]
      telnet>q

      Everything else (config files, library dependencies etc.) speaks of OpenSSH so much that there is no other possible option. Sun probably took OpenSSH and modified a few things and released it as their own, as they are allowed to by the BSD license.

      These configure options should get you an identical setup to that of the layout on Solaris 9;

      CC=cc \
      CFLAGS="-g -I/tmp/foo/include" \
      LDFLAGS="-L/tmp/foo/lib -R/tmp/foo/lib" \
      ./configure \
      --prefix=/tmp/foo \
      --bindir=/usr/bin \
      --sbindir=/usr/lib/ssh \
      --localstatedir=/var/run \
      --libdir=/usr/lib \
      --includedir=/usr/include \
      --mandir=/usr/share/man \
      --with-ssl-dir=/tmp/foo \
      --sysconfdir=/etc/ssh \
      --libexecdir=/usr/lib/ssh \
      --datadir=/usr/lib/ssh \
      --with-pid-dir=/var/run \
      --with-prngd-socket=/var/run/prng-socket \
      --with-zlib=/tmp/foo \
      --disable-wtmp \
      --disable-utmp

      The $CC variable is to build with Sun Forte, substitute with gcc as you please. Note the LDFLAGS and CFLAGS though. This configure expects to find zlib and openssl headers in /tmp/foo/include and _static_ libraries in /tmp/foo/lib. Don't dynamically link with anything unless it's available on the system itself when it comes to Solaris. You'll introduce nasty inter-dependencies which you'll regret in the long run. Trust me, installing shared libraries on 500 machines isn't that fun.

      --
      Wealth is the product of man's capacity to think. -Ayn Rand
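
A way to read identification strings like the `SSH-2.0-Sun_SSH_1.0` banner in the comment above and report whether a server still accepts protocol 1. This is an added example, not code from the thread; the function names are this example's own, and the second and third sample banners are constructed.

```python
import re

# Identification string per RFC 4253 section 4.2:
#   SSH-protoversion-softwareversion SP comments CR LF
# softwareversion is matched leniently (\S+) because deployed servers
# sometimes put a "-" in it even though the RFC forbids that.
IDENT_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")


def parse_ident(text):
    """Return (protoversion, software, comments) from raw server output.

    Lines that do not start with "SSH-" are skipped: a server may send
    them before its identification string, and a telnet client prints
    its own chatter there as well.
    """
    for line in text.splitlines():
        m = IDENT_RE.match(line.strip())
        if m:
            return m.group(1), m.group(2), m.group(3) or ""
    raise ValueError("no SSH identification string found")


def offered_protocols(protoversion):
    """Map protoversion to the set of protocol major versions offered."""
    if protoversion == "2.0":
        return {2}
    if protoversion == "1.99":      # RFC 4253 section 5.1 compatibility mode
        return {1, 2}
    if protoversion.startswith("1."):
        return {1}
    raise ValueError("unknown protoversion: " + protoversion)


def audit(text):
    """Summarise one banner; 'ssh1' is True when SSH-1 is still accepted."""
    proto, software, comments = parse_ident(text)
    return {"software": software, "comments": comments,
            "protoversion": proto, "ssh1": 1 in offered_protocols(proto)}


# The telnet capture from the comment above, then two constructed banners.
SAMPLES = [
    "Escape character is '^]'.\nSSH-2.0-Sun_SSH_1.0\n",
    "SSH-1.99-OpenSSH_3.4p1\r\n",          # constructed
    "SSH-1.5-1.2.27\r\n",                  # constructed
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(audit(s))
```
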
  3. F-Secure, SSH, or OpenSSH by edyu · · Score: 5, Informative

    Both SSH (Company) and F-Secure sell commercial products of SSH. But maybe if you word it differently, your management should accept OpenSSH since it is being used by many companies. My company (a smaller 100+ person) uses OpenSSH extensively.

  4. Data Fellows... by Helmholtz+Coil · · Score: 4, Informative

    ...has a version of SSH available for Unices, Windows, Macs, even the Nokia 200. Don't know how good it is, but they've got a fair amount of info on the site.

  5. Re:OpenSSH by questionlp · · Score: 5, Informative

    Solaris 9 does use OpenSSH for its "Solaris Secure Shell". They mention it on this page.

  6. F-Secure SSH by Medieval · · Score: 5, Informative

    F-Secure makes a rather kick-ass line of SSH products. We use them in production here (major tire manufacturer.), and it is FIPS 140-1 compliant. The client-side portion is pretty schweeeeeeet (esp the Windows client), even if you don't use the server portion.

    http://www.f-secure.com/products/ssh/

    List of platforms:

    Server
    All major Unix platforms; Solaris, Linux, HP-UX, AIX, BSD
    Windows 2000, Windows NT 4.0

    Client
    All major Unix platforms; Solaris, Linux, HP-UX, AIX, BSD
    Windows XP
    Windows 2000
    Windows NT 4.0
    Windows 95
    Windows 98
    Windows ME
    MacOS
    Nokia 9200 Series Communicators

    1. Re:F-Secure SSH by Anonymous Coward · · Score: 2, Informative

      We used f-secure on half our DNS caching servers. When our NOC started migrating to Linux workstations, scp (secure copy) would not work from the workstation to DNS server. Apparently it was an underlying f-secure issue using SSH-1 or something (their statements, many e-mails). Anyway, for this *paid* support, we received little help on some type of resolution.
      OUR SOLUTION....We scrapped f-secure and went OpenSSH (BSD version anyway). We've been very happy, and have saved thousands of $$ in maintenance fees. Example: The recently posted problem with SSH had a newsgroup workaround posted within the same day. I tested the workaround and upgraded our machines by that evening. Anyway, that's truly....schweeeeeet!

  7. SSH for secure file transfers by bastion_xx · · Score: 2, Informative

    Our company had similar requirements:

    1) Encrypted file transfer
    2) User authentication
    3) chroot jail environment

    After initially looking at F-Secure's ssh server for Windows to match the system standards, we found out that certain SSH subsystems (namely sftp) were not 100% compatible with all clients. I'd put the openssh code up against commercial offerings if you can spend a little bit of time configuring.

    In the end we waived standards and used Linux, openssh+openssl+ldap. It did require patching the sftp subsystem for chroot access that was obtained off of the openssh mailing list. This does require a suid executable, but since our customers are [semi] trusted, the risk of them smashing the stack is manageable.

    Customers can now sftp or scp in and are rooted to the ~username directory. At present, implementation has been as easy as our dedicated line FTP customers. Ironically, we recommend commercial SSH clients...

  8. Lots of Options by Anonymous Coward · · Score: 3, Informative

    There are several options for commercial SSH vendors. I found myself in a similar position a couple of years ago. I worked at a company that provided 24/7 security support to hundreds of companies, and _had_ to have a commercially supported SSH for both insurance and customer relation purposes. We started out using F-Secure, but the licensing and support was terrible. On top of that we found out that F-Secure simply licensed SSH.com's code and rebranded it. We worked a fantastic deal with ssh.com that allowed us to deploy SSH enterprise wide. On top of the good deal, we found the support to be excellent. At one point we needed some LDAP integration done and SSH.com had it done by the next release. I have also found SSH.com to be better security wise (since they do this to make money) than OpenSSH, check their track record. Anyhow, F-Secure, SSH.com and a couple of other companies offer SSH commercially. Good luck.

  9. HPUX has an official OpenSSH-based implementation by Marx_Mrvelous · · Score: 3, Informative

    They have .depot's available for 11.00 and 11i, and they are officially supporting it. That's a commercial OS/backing.

    --

    Moderation: Put your hand inside the puppet head!
  10. Usage Stats by rwash · · Score: 4, Informative


    http://www.openssh.org/usage/index.html

    The OpenSSH team has put together a great page with a number of different usage statistics for SSH.

  11. AOL does, why not you? by Anonymous Coward · · Score: 1, Informative

    We had a partnership with AOL and were setting up a secure file drop probably similar to what you wanted. We started with ssh.fi's commercial server and AOL actually told us they wanted us to use OpenSSH instead. Maybe that would provide some weight to your argument? :-)

    (Posted anonymously for various potential disclosure issues. Sorry.)

  12. Solaris ships with OpenSSH by Anonymous Coward · · Score: 1, Informative

    You read the subject correctly.
    The ssh package that Sun provides is OpenSSH.

    I've installed it, I know.

  13. SSH is the original by ddstreet · · Score: 4, Informative
    The SSH protocol was created by ssh.com, and in the past they have tried to stop openSSH from using the SSH name (see here and here and here). The SSH product from ssh.com was created before any SSH standard existed, and its protocols became the de facto way to communicate securely. It was (and according to the license agreement, still is) available for free (as in beer) for non-commercial and educational use. It's available at their ftp site or a mirror.

    If you want a "industry proven and supported" product that supports SSH protocols, then the original SSH is what you want, but you'll (obviously) have to pay.

  14. Just point them to Sun by hexile · · Score: 2, Informative

    Sun themselves recommend OpenSSH. Just search http://www.sun.com.

    Some notable links:
    http://www.sun.com/blueprints/0102/configssh.pdf
    http://www.sun.com/blueprints/0701/openSSH.pdf

    The scripts for an automated package creation have been very useful for me over the past few months, as OpenSSH has blazed through the 3.x versions.

  15. Cisco uses ssh by Anonymous Coward · · Score: 1, Informative
    I work at Cisco, we use ssh internally on our Unix machines. We recently dropped telnet on all workstations for remote access.

    Our routers also have a built-in ssh client (your ios must have a crypto feature set) so it's another incentive to use it.

  16. SSH Alternatives (or HTTP/SSL?) by Anonymous Coward · · Score: 2, Informative

    I have run into the same situation myself, where the vendor I need to work with wants to transfer critical, sensitive or otherwise private data across the internet, using the very insecure FTP protocol.

    I have suggested SSH to these vendors and each time they cite reasons relating to their use of Microsoft Windows (often a managed server at some hosting company like AT&T), or their refusal to use non-mainstream-commercial software. They also tend to try to argue that FTP is good enough, and that the law doesn't require anything more secure. As we all should know, this is just plain senseless, and dangerous.

    In my hunt for an alternative that would be acceptable to them as well as me, AND would be able to be automated, I realized that good old HTTP over SSL (HTTPS) would work just fine for transferring the data. Not only would it be secure enough (at 128-bit) but I could automate the entire thing with OSS tools from my side, and they already had everything they would need to make it work on their end under Windows.

    With just a little configuration on each end, and a simple little perl script, we have a secure transfer mechanism.

    In our case our internal policy states that we initiate all secure data transfers from our side so making our transfers "bi-directional" was easy, but for others who do not have this policy, or where it would be inappropriate, it is quite simple to set up an http server on the local side to handle inbound transfers, even on a Windows server/host.

    There are of course other possibilities including using a TLS enabled ftp client/server, and they all come with other considerations including some relating to compatibility. I highly suggest that you personally review each of the alternatives yourself and do not rely purely on the advice gleaned here on Slashdot, as accurate (or not) as it may be.

    Hope this helps!
    -Anon

  17. Solaris 9 ssh IS OpenSSH by Burdell · · Score: 2, Informative

    Solaris 9 comes with a slightly modified OpenSSH (according to Sun).
    The only commercial Unix ssh server that I'm aware of is from SSH.com
    (it is resold by several companies like F-Secure IIRC).

    Compaq^WHP supplies SSH.com's ssh for Tru64 Unix (free download from
    Compaq's site, and I think will be included with Tru64 5.1B).

  18. Re:openSSH by Bloem · · Score: 2, Informative

    Even though some security issues were recently found in OpenSSH, it can be regarded as one of the more stable and secure implementations of the ssh protocol.

    Make sure that when openssh is used, it is configured properly.
    e.g.
    - no root login
    - SSH2 instead of SSH1
    - use login with key instead of passwords

    There are more configuration options, please read the man pages for those.

    --
    the use of knowledge is highly overrated
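
The three settings listed in the comment above, checked against an sshd_config the way sshd resolves it (first value per keyword wins, absent keywords fall back to defaults). This is an added example, not code from the thread; the function names and both sample configs are constructed, and the fallback defaults are assumed to be those of OpenSSH releases from that period.

```python
# Required value for each of the three points in the comment, plus the
# value sshd falls back to when the keyword is absent. The fallbacks are
# the defaults of OpenSSH releases from that period (an assumption;
# check sshd_config(5) for the version actually installed).
CHECKS = [
    # keyword,                 required, default when absent
    ("PermitRootLogin",        "no",     "yes"),
    ("Protocol",               "2",      "2,1"),
    ("PasswordAuthentication", "no",     "yes"),
]


def effective_settings(config_text):
    """Return {lowercased keyword: value} as sshd would resolve it.

    Keywords are case-insensitive and the first value seen for a keyword
    wins, so a later "corrected" line does not override an earlier one.
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip())
    return seen


def findings(config_text):
    """List (keyword, effective value) for every check that fails."""
    seen = effective_settings(config_text)
    failed = []
    for keyword, required, default in CHECKS:
        value = seen.get(keyword.lower(), default)
        if value.lower() != required:
            failed.append((keyword, value))
    return failed


# Constructed sample: the last line looks like a fix, but the earlier
# PermitRootLogin wins, and Protocol is left at its default.
WEAK = """\
# sshd_config (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication no
permitrootlogin no
"""

# Constructed sample with all three points from the comment applied.
HARDENED = "Protocol 2\nPermitRootLogin no\nPasswordAuthentication no\n"

if __name__ == "__main__":
    print(findings(WEAK))
    print(findings(HARDENED))
```
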
  19. Re:Well proven? by ddstreet · · Score: 2, Informative
    What survey are you talking about? The Secure Server Survey? That's not SSH...

    If you really mean a SSH (not SSL) survey, by Netcraft, I don't know about it and can't find it on their website...where is it?

  20. Re:Well proven? by bolverk · · Score: 3, Informative

    You mean the "very similar to the Netcraft Web Server Survey" done by the OpenSSH people?

    Couldn't find anything at Netcraft, so I assumed this is what you were talking about.

  21. At Cisco, we use OpenSSH for everything. by Anonymous Coward · · Score: 1, Informative

    We switched -away- from commercial ssh because OpenSSH is better.

    Then, along came the privilege-separation thing . . .

    ;)

    Seriously, we use OpenSSH for all our host access, ssh gateways, etc. Wouldn't consider using anything at this point.

  22. Re:If I am not mistaken. by akeru · · Score: 2, Informative

    well, you are, in part, mistaken. SSH is a proprietary product from SSH.com (I don't know what the exact company name is ATM) and while it is an outstanding technology (well, v2 of the protocol is, v1 . . . not so much) it was not "adopted" by the open movement. SSH (the company) has had the protocol ratified as a standard, and OpenSSH is an implementation of that standard (well, Internet-Draft at the moment) and SSH.com "tolerates" OpenSSH only in that it has no alternative as it initially submitted SSH to the IETF. So if they want it to be a standard, they can't inhibit other implementations of said standard. This is also the reason they lost (and horribly, I might add) their battle over the "SSH" trademark. SSH is the name of a standard protocol (at their own doing) so the company lost the right to use it exclusively.

    --

    Let's hope that there's intelligent life somewhere out in space 'Cause there's bugger-all down here on Earth.

  23. Re:Solaris /dev/random by Bigbambo · · Score: 2, Informative

    Sun provides a /dev/random and a /dev/urandom now. Check out Patch 112438-01 for Sparc, or 112439-01 for X86 on sunsolve.sun.com

    --
    ***There is no point in asking, you'll get no reply***
  24. Re:BULL! Most Fortune 500 use commercial SSH! by Anonymous Coward · · Score: 1, Informative

    Lemme guess. You haven't worked since the economy downturn. I can guarantee you that OpenSSH is being used in the biggest of big companies.

  25. Re:Trivial Slashdot News While Cities Revolt by Anonymous Coward · · Score: 1, Informative

    You make it sound like there are citizen uprisings in those cities. It turns out that the article you link to is merely about the LEADERS (not even the citizens) of a few cities passing a few silly resolutions that don't have the effect of undermining the government's authority one bit.

    AND NOW FOR SOMETHING COMPLETELY ON-TOPIC.

    I'd rather read the trivial news about SSH. The company mentioned that "doesn't use freeware" is just being stupid. The FSF has a link to a paper that debunks their fear about OpenSSH and other open-source "freeware" being "unsupported".

    Also, like nearly everyone else, I recommend PuTTY if you need a Windows SSH client. Too bad that it's "freeware" too. I guess your company will have to settle for an inferior proprietary alternative.

  26. Re:OpenSSH _is_ industry-proven. by autechre · · Score: 2, Informative


    No, the current version (3.4) of OpenSSH has not only fixed the remote exploit, but also defaults to having privilege separation turned on.

    --
    WMBC freeform/independent online radio.