SSH-Based Solutions - Looking for Industry Proof?
mcwop asks: "My company's IT department is trying to set up secure FTP with a vendor. It would be set up on a Sun box (not running Solaris 9). I emailed suggesting they look at OpenSSH. The response I received stated that they don't like to use freeware, but only consider industry proven and supported software. I have found one commercial version at SSH. What other commercial versions are out there (I know Solaris 9 comes with SSH)? But more importantly, what are some commercial successes? What large organizations are implementing SSH?"
You're going to be hard-pressed to find a commercial solution which is more widely used (and therefore proven in the industry) than OpenSSH.
Why don't you talk to the openssh team? I'm sure that for some nominal fee you can get extra priority support. OpenSSH is (IMHO) the best ssh implementation out there, and it's from a dedicated team where security supersedes even functionality. The newest version of OpenSSH promises to be very hard to exploit.
In 1994, I took a job at a bank in Oklahoma. My boss at the time had the attitude "We're a bank, we pay for software".
:-)
Then I showed him screen. Suddenly the light went on in his head-- "Hey, I don't have to use 2 phone lines and 2 modems to get 2 shells at work!" To him, it was the greatest thing since sliced bread.
After that, he didn't have any problems letting me install emacs.
At least mafia-owned pizzarias make excellent pizza. Compare to Bill Gates.
OpenSSH is far more widely used than any commercial variant. You'd be hard pressed to find a Fortune 500 company that isn't using it somewhere. Almost any provider of IT services or network services uses it, unless they have no *nix boxes at all and provide no services on anything other than a Windows platform. Try a quick survey of network security companies and ask how they do remote access/file transfer -- no matter how big, scp/ssh will be the answer, and it will be openssh for a majority of them.
Not sure what the requirements are, but if you are looking for secure access, you may want to consider a web-based file repository with an SSL front-end on it. You could have your choice of Apache & mod_ssl, or Stronghold (Apache derivative).
If using OpenSSH is questionable, using the #1 webserver shouldn't be. If Apache isn't proven or reliable in their eyes, then you have a really tough uphill battle.
For all the benefits of using SSH, you're not likely to get a huge response of "Oh yes, I'm with Company X and we love it here", particularly right now. First, those who use it are security conscious, and we don't like others knowing our defenses. Second, there was a rather serious bug announced about some versions of OpenSSH that, when configured and compiled in a certain way, would grant root access remotely. Given the timing of your question, it would seem to the, um, overtly paranoid, that this was a troll for vulnerable hosts.
Having said that, you really should press forward with your process. The idea of using unencrypted protocols is going the way of the buggy whip. While I won't reveal where I work, I will say that I am working vigorously here to eliminate any use of a protocol which passes userids and passwords in cleartext. Period.
OpenSSH is by far the best SSH implementation available; the fact that it's freeware is a horrible reason not to use it. Explain to your employers that for a fee (and probably a smaller fee than most corporations would want) the OpenSSH team would most likely provide your company with expert support and services.
Don't roll over and allow your firm to adopt a second-rate (and more expensive) security product simply because they don't trust open source. The answer to your problem, as uncomfortable a situation as it may be, is to try to inform the higher-ups of why they're misguided (without losing your job ;D).
While it would be somewhat more complicated from an administrative and support standpoint to implement, a 'Kerberized' ftp daemon (I believe that one comes with the stock MIT KerberosV distribution) could possibly be a solution to your problem. Kerberos, while technically 'freeware', has been around for quite some time, has existed in several major UNIX distributions, and is used quite extensively in many major organizations. Otherwise, if security is a concern, why not just set up a VPN between the client and your company and have the FTP go through that?
The company I work for ("a little hardware vendor in the Valley") switched from the Commercial ssh client and server package to OpenSSH for all of our servers. OpenSSH proved more robust and easier to support - not to mention much, much, less expensive. And yes, I'm including the "cost" of our SysAdmin's time and the time of the person who manages distribution of our 'approved' OpenSSH package.
There really is no reason to use a commercial product unless the management is stuck on the "We need someone to sue if it breaks" business model of software acquisition.
Never attribute to malice what can as easily be the result of incompetence...
While I can respect the company's policy of only wanting to deal with "respected and proven" commercial software, many commercial apps critical to secure operations are not "proven". Even SSH is relatively far behind the development curve of OpenSSH, its open-source counterpart. Nor is it in use in as many types of environments.
It may sound silly to suggest it again, but consider mentioning OpenSSH in your spread of possibilities. Even though it did have a possible remote root exploit exposed recently, look how fast working updates and/or workarounds were released. You'd be very hard pressed to find that in a commercial product.
So how do they feel about Apache? I mean, IBM will sell it to you as IBM HTTPD, but it's still Apache. Or Java? Or... grrr
Neither of these are commercial products, and both are decidedly less professional than openssh. And as far as I know, they are only clients. Vandyke.com has SecureCRT plus secure terminal and FTP servers for Windows. Also check out F-Secure from Data Fellows.
The response I received stated that they don't like to use freeware, but only consider industry proven and supported software.
Then your company needs to fire its IT management staff since it is apparent they have absolutely no idea what they're talking about. In the meantime, you can tell them that OpenSSH is NOT Freeware. I wouldn't trust freeware either. The difference? Freeware is typically closed source software whose authors refuse to release the code because they think they're really "eleet" or some similar childish reason. I would also ask you: if you're a talented geek (assumption), why are you working for some lame company that refuses to touch Open Source software? Go somewhere where you're gonna make a difference. If you have the skills, you'll find plenty of jobs doing what you'd really like to do.
The "security" admin there wanted to load F-Secure on everything.
Except he didn't know how to load it. I was tasked with "implementing SSH..."
I loaded OpenSSH on all the Sun boxes (90+). Loaded up putty for all the developers and started shutting off telnet/ftp.
The F-Secure sales rep called me to see "how things were going".
I told him we were going to go with OpenSSH. He asked about support... I laughed at him. 2 weeks later a major hole surfaced in SSH (OpenSSH was not vulnerable to this one), and F-Secure was the LAST vendor to come out with a fix, a la 2+ weeks later.
I have OpenSSH running on my HPUX box, all my Sun boxes, all my Linux boxes, and of course my OpenBSD boxes.
If OpenSSH is good enough for Sun/HP/Redhat it ought to be good enough for your managers. If not, it might be time to go BOFH on them....
Just load it on there and then tell them you *didn't realize* it was already on there.... Then stuff them in a tape safe...
Both OpenSSH and SSH are industry proven and supported software. SSH is supported by the original author of the protocol, Tatu Ylonen, among others. OpenSSH is supported by acknowledged Open Source security experts including Markus Friedl, Dug Song, and Theo de Raadt.
The version of SSH that Sun is shipping with Solaris is in fact OpenSSH. Sun is not trying to hide this, they are proud of shipping it because it is an excellent program.
Most major insurance companies run SSH (if they are Microsoft shops) or OpenSSH (if they are not). Most hospitals run OpenSSH.
I use both products. Support is superb for both; but SSH.com has friendly, personable phone support while the OpenSSH support comes mostly from Usenet and Email (and can be fiery if you ask exceptionally stupid questions). OpenSSH fixes bugs faster than SSH.Com, but both products have had about the same number of problems, and all have been quickly and effectively resolved.
Popular clients for Windows include PuTTY and Teraterm SSH. Make sure you get a recent version, however; older versions of those programs use versions of SSH (v1.5) that have known bugs.
If you are dealing with a company that thinks commercial software is "better" than "freeware" you should be careful how you approach this project. If there is a single person who has created this mindset, that person is likely to be both powerful and not very analytical - a dangerous combination.
the problem with telnetd is that user IDs and passwords are sent in clear text. anyone with a sniffer on your network will be reading them as easily as reading the newspaper.
firewalled off or not why take the risk? ssh does everything telnet does and more (like X and port forwarding, file transfers with scp). everything that goes through is encrypted.
the risk goes up even further if you're happily using an unencrypted network at home, behind a firewall. anyone sitting outside your house can watch you telnet from box to box! even encrypted 802.11b transmissions can be broken with time.
why take any chances when protection is so simple? it's also good to simply practice safe computing.
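As an added example (not part of any post in this thread), the telnet/ftp cleartext point above and the earlier warning about old SSH v1.5 clients can be turned into a simple inventory check: a Python audit over a constructed host/service list that flags cleartext-credential services and SSH banners still offering protocol 1. Hostnames, ports and banners below are constructed sample data.

```python
"""Audit a service inventory for cleartext-credential services (telnet, ftp)
and for SSH servers whose banner still advertises protocol version 1.

Added example, not from the original thread. INVENTORY is constructed
sample data standing in for real scan output."""
import re

# Services that carry user IDs and passwords in cleartext.
CLEARTEXT_SERVICES = {23: "telnet", 21: "ftp"}

# Constructed sample inventory: (host, port, banner or empty string).
INVENTORY = [
    ("sun01.example.test", 23, ""),
    ("sun01.example.test", 21, "220 sun01 FTP server ready."),
    ("sun01.example.test", 22, "SSH-1.5-1.2.27"),
    ("sun02.example.test", 22, "SSH-1.99-OpenSSH_3.4p1"),
    ("hp01.example.test", 22, "SSH-2.0-OpenSSH_3.4p1"),
]

# SSH identification string: "SSH-<protoversion>-<softwareversion>".
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")


def ssh_protocols(banner):
    """Return the set of SSH protocol major versions a banner advertises.
    Per RFC 4253, '1.99' means the server speaks both protocol 1 and 2."""
    m = BANNER_RE.match(banner)
    if not m:
        return set()
    proto = m.group(1)
    if proto == "1.99":
        return {1, 2}
    return {int(proto.split(".")[0])}


def audit(inventory):
    """Return (host, port, finding) tuples for services worth migrating."""
    findings = []
    for host, port, banner in inventory:
        if port in CLEARTEXT_SERVICES:
            name = CLEARTEXT_SERVICES[port]
            findings.append((host, port, f"{name}: credentials in cleartext; migrate to ssh/scp"))
        elif port == 22 and 1 in ssh_protocols(banner):
            findings.append((host, port, f"SSH protocol 1 offered ({banner}); upgrade and disable protocol 1"))
    return findings


if __name__ == "__main__":
    for host, port, note in audit(INVENTORY):
        print(f"{host}:{port} {note}")
```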
If you are using windows I have seen f-secure at large corporations and medium to small businesses that I have worked at and supported.
I have likewise seen, used and implemented openssh at the same companies. To exclude OpenSSH because it is OpenSource (freeware that hopefully gets creative and monetary contributions to it on a regular basis), is quite frankly ignorant and beyond all common business sense.
Just because it doesn't have a big 'M' (microsoft) or a big 'I' (intel) or a big 'O' (Oracle) or a big 'C' (Cisco) on it doesn't mean that it sucks. Take a look at the movie Tommy Boy 'Chris Farley' I think they summed up "Warranty" very nicely.
:-( --- argh. Despair, I owe again.
point out that openssh ****IS**** industry-proven.
if you can't argue with your boss about something that you're RIGHT about, then your career won't evolve.
You're right, he's wrong. The only encryption software I trust in that respect is OPENssh, rather than CLOSEDssh, which is closed. End of story. You're the techie, he's the luser. How many other ways can this be put?
Use Openssh if you want your network to be secure.