SSH-Based Solutions - Looking for Industry Proof?

mcwop asks: "My company's IT department is trying to set up secure FTP with a vendor. It would be set up on a Sun box (not running Solaris 9). I emailed suggesting they look at OpenSSH. The response I received stated that they don't like to use freeware, but only consider industry proven and supported software. I have found one commercial version at SSH. What other commercial versions are out there (I know Solaris 9 comes with SSH)? But more importantly, what are some commercial successes? What large organizations are implementing SSH?"

Client side

[Archangel+Michael]

Tera Term on Windows is the best.

Re:Client side

[sql*kitten]

Tera Term on Windows is the best.

It's good, but I've switched to PuTTY, mainly because it can heartbeat an SSH connection with an empty packet every minute to prevent sessions being timed out by over-zealous firewalls - very convenient if you need to monitor several machines.

Ssh communications.

Most businesses goes with SSH communications, www.ssh.com. They also have a low-memory-fotprint version, ipsec, tunneling software and some other stuff.

Re:Ssh communications.

[alsta]

Well, Solaris 9 has an SSH implementation which in fact is OpenSSH. They've modified a few things though; such as the reported version string;

Escape character is '^]'.
SSH-2.0-Sun_SSH_1.0
^]
telnet>q

Everything else (config files, library dependencies etc.) speaks of OpenSSH so much that there is no other possible option. Sun probably took OpenSSH and modified a few things and released it as their own, as they are allowed to by the BSD license.

These configure options should get you an identical setup to that of the layout on Solaris 9;

CC=cc \
CFLAGS="-g -I/tmp/foo/include" \
LDFLAGS="-L/tmp/foo/lib -R/tmp/foo/lib" \
./configure \
--prefix=/tmp/foo \
--bindir=/usr/bin \
--sbindir=/usr/lib/ssh \
--localstatedir=/var/run \
--libdir=/usr/lib \
--includedir=/usr/include \
--mandir=/usr/share/man \
--with-ssl-dir=/tmp/foo \
--sysconfdir=/etc/ssh \
--libexecdir=/usr/lib/ssh \
--datadir=/usr/lib/ssh \
--with-pid-dir=/var/run \
--with-prngd-socket=/var/run/prng-socket \
--with-zlib=/tmp/foo \
--disable-wtmp \
--disable-utmp

The $CC variable is to build with Sun Forte, substitute with gcc as you please. Note the LDFLAGS and CFLAGS though. This configure expects to find zlib and openssl headers in /tmp/foo/include and _static_ libraries /tmp/foo/lib. Don't dynamically link with anything unless it's available on the system itself when it comes to Solaris. You'll introduce nasty inter-dependancies which you'll regret in the long run. Trust me, installing shared libraries on 500 machines isn't that fun.

F-Secure, SSH, or OpenSSH

[edyu]

Both SSH (Company) and F-Secure sells commerical products of SSH. But maybe if you word it differently, your management should accept OpenSSH since it is being used by many companies. My company (a smaller 100+ person) uses OpenSSH extensively.

Data Fellows...

[Helmholtz+Coil]

...has a version of SSH available for Unices, Windows, Macs, even the Nokia 200. Don't know how good it is, but they've got a fair amount of info on the site.

Re:OpenSSH

[questionlp]

Solaris 9 does use OpenSSH for its "Solaris Secure Shell". They mention it on this page.

F-Secure SSH

[Medieval]

F-Secure makes a rather kick-ass line of SSH products. We use them in production here (major tire manufacturer.), and it is FIPS 140-1 compliant. The client-side portion is pretty schweeeeeeet (esp the Windows client), even if you don't use the server portion.

http://www.f-secure.com/products/ssh/

List of platforms:

Server
All major Unix platforms; Solaris, Linux, HP-UX, AIX, BSD
Windows 2000, Windows NT 4.0

Client
All major Unix platforms; Solaris, Linux, HP-UX, AIX, BSD
Windows XP
Windows 2000
Windows NT 4.0
Windows 95
Windows 98
Windows ME
MacOS
Nokia 9200 Series Communicators

Lots of Options

There are several options for commercial SSH vendors. I found myself in a similar position a couple of years ago. I worked at a company that provided 24/7 security support to hundreds of companies, and _had_ to have a commercially supported SSH for both insurance and customer relation purposes. We started out using F-Secure, but the licensing and support was terrible. On top of that we found out that F-Secure simply licensed SSH.com's code and rebranded it. We worked a fantastic deal with ssh.com that allowed us to deploy SSH enterprise wide. On top of the good deal, we found the support to be excellent. At one point we needed some LDAP integration done and SSH.com had it done by the next release. I have also found SSH.com to be better security wise (since they do this to make money) than OpenSSH, check their track record. Anyhow, F-Secure, SSH.com and a couple of other companies offer SSH commercially. Good luck.

HPUX has an official OpenSSH-based implementation

[Marx_Mrvelous]

They have .depot's available for 11.00 and 11i, and they are officially supporting it. That's a commerical OS/backing.

Usage Stats

[rwash]

http://www.openssh.org/usage/index.html

The OpenSSH team has put together a great page with a number of different usage statistics for SSH.

SSH is the original

[ddstreet]

The SSH protocol was created by ssh.com, and in the past they have tried to stop openSSH from using the SSH name (see here and here and here). The SSH product from ssh.com was created before any SSH standard existed, and its protocols became the defacto way to communicate securely. It was (and according to the license agreement, still is) available for free (as in beer) for non-commercial and educational use. It's available at their ftp site or a mirror.

If you want a "industry proven and supported" product that supports SSH protocols, then the original SSH is what you want, but you'll (obviously) have to pay.

Re:Well proven?

[bolverk]

You mean the "very similar to the Netcraft Web Server Survey" done by the OpenSSH people?

Couldn't find anything at Netcraft, so I assumed this is what you were talking about.