SSH-Based Solutions - Looking for Industry Proof?
mcwop asks: "My company's IT department is trying to set up secure FTP with a vendor. It would be set up on a Sun box (not running Solaris 9). I emailed suggesting they look at OpenSSH. The response I received stated that they don't like to use freeware, but only consider industry proven and supported software. I have found one commercial version at SSH. What other commercial versions are out there (I know Solaris 9 comes with SSH)? But more importantly, what are some commercial successes? What large organizations are implementing SSH?"
Tera Term on Windows is the best.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Perhaps I'm confused, but isn't OpenSSH a rather well-proven program?
No pity for the majority.
You're going to be hard-pressed to find a commercial solution which is more widely used (and therefore proven in the industry) than OpenSSH.
Why don't you talk to the OpenSSH team? I'm sure that for some nominal fee you can get extra priority support. OpenSSH is (IMHO) the best ssh implementation out there, and it's from a dedicated team where security supersedes even functionality. The newest version of OpenSSH promises to be very hard to exploit.
Mac OS X (and X Server) ship with OpenSSH. Those are considered commercial OSes. I bet Solaris 9's SSH is also OpenSSH (don't know for sure though). Sounds like your managers have their heads where the sun doesn't shine.
In 1994, I took a job at a bank in Oklahoma. My boss at the time had the attitude "We're a bank, we pay for software".
:-)
Then I showed him screen. Suddenly the light went on in his head-- "Hey, I don't have to use 2 phone lines and 2 modems to get 2 shells at work!" To him, it was the greatest thing since sliced bread.
After that, he didn't have any problems letting me install emacs.
At least mafia-owned pizzerias make excellent pizza. Compare to Bill Gates.
so we can 0wn them. ;-)
Seriously, any unix admin worth their paycheck isn't using insecure telnet or ftp. I sure know I'm not. (And I don't get paid enough.)
OpenSSH is far more widely used than any commercial variant. You'd be hard-pressed to find a Fortune 500 company that isn't using it somewhere. Almost any provider of IT services or network services uses it, unless they have no *nix boxes at all and provide no services on anything other than a Windows platform. Try a quick survey of network security companies and ask how they do remote access/file transfer -- no matter how big, scp/ssh will be the answer, and it will be OpenSSH for a majority of them.
Most businesses go with SSH Communications, www.ssh.com. They also have a low-memory-footprint version, IPsec, tunneling software and some other stuff.
Both SSH (the company) and F-Secure sell commercial products of SSH. But maybe if you word it differently, your management should accept OpenSSH since it is being used by many companies. My company (a smaller 100+ person one) uses OpenSSH extensively.
I'd point them to the Netcraft survey.
More than half the sites with SSH are using OpenSSH. Tell them to go get a clue instead.
http://www.openssh.org/users.html
Also Nokia's IPSO (on their Checkpoint-based firewalls) uses OpenSSH.
As you can see Sun uses it. Good enough. I thought so.
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
...has a version of SSH available for Unices, Windows, Macs, even the Nokia 200. Don't know how good it is, but they've got a fair amount of info on the site.
F-Secure makes a rather kick-ass line of SSH products. We use them in production here (major tire manufacturer), and it is FIPS 140-1 compliant. The client-side portion is pretty schweeeeeeet (esp. the Windows client), even if you don't use the server portion.
http://www.f-secure.com/products/ssh/
List of platforms:
Server
All major Unix platforms; Solaris, Linux, HP-UX, AIX, BSD
Windows 2000, Windows NT 4.0
Client
All major Unix platforms; Solaris, Linux, HP-UX, AIX, BSD
Windows XP
Windows 2000
Windows NT 4.0
Windows 95
Windows 98
Windows ME
MacOS
Nokia 9200 Series Communicators
One of our software vendors recommended the use of F-Secure for their support dept. to get a remote connection to our AIX-based accounting system. We replied and asked them why we can't use OpenSSH, since F-Secure's license is about $500. They replied they'll look into it, but it's not a high priority. Since SSH is a standard protocol, couldn't we just use OpenSSH despite whatever implementation of SSH they're using on their end? I know my boss doesn't care; his favorite phrase is, "We like free." (But we use Windows NT for everything but our accounting system... Go fig.)
we used ssh on all servers at excite@home.
gnab.net [ click less, spank more ]
in fact, have them buy the cd. that'll lend some weight to your argument
https://https.openbsd.org/cgi-bin/order
besides, it's the right thing to do. =)
-Triumph
vodka, straight up, thank you!
Not sure what the requirements are, but if you are looking for secure access, you may want to consider a web-based file repository with an SSL front-end on it. You could have your choice of Apache & mod_ssl, or Stronghold (Apache derivative)
If using OpenSSH is questionable, using the #1 webserver shouldn't be. If Apache isn't proven or reliable in their eyes, then you have a really tough uphill battle.
We use OpenSSH and F-Secure ssh daemons on Solaris 7 and 8. It's easy to use, and we've never had a successful penetration. Their URL is: http://www.fsecure.com
I had the exact same situation about 6 months ago. I won, sorta. I simply said our industry is going through hard times right now and using OpenSSH will save you $500k in licensing fees.
We ended up compromising. They wanted vendor software, I wanted free. For the mission critical systems, we chose FSecure (fsecure.com) and for the high-importance and below (to include desktops), we went with OpenSSH.
Worked out well. With FSecure we also purchased Windows clients for the developers, and if anything ever happened, they had the support they were looking for from the vendor software. With everything else, OpenSSH did the job along with PuTTY on the peasants' computers.
I am shocked that people think that SSH (OpenSSH) is not an industry standard. Here is a good client for Windows. And of course you can get the server for free here.
~Shane
For all the benefits of using SSH, you're not likely to get a huge response of "Oh yes, I'm with Company X and we love it here", particularly right now. First, those who use it are security conscious, and we don't like others knowing our defenses. Second, there was a rather serious bug announced about some versions of OpenSSH that, when configured and compiled in a certain way, would grant root access remotely. Given the timing of your question, it would seem to the, um, overtly paranoid, that this was a troll for vulnerable hosts.
Having said that, you really should press forward with your process. The idea of using unencrypted protocols is going the way of the buggy whip. While I won't reveal where I work, I will say that I am working vigorously here to eliminate any use of a protocol which passes userids and passwords in cleartext. Period.
Our company had similar requirements:
1) Encrypted file transfer
2) User authentication
3) chroot jail environment
After initially looking at F-Secure's ssh server for Windows to match the system standards, we found out that certain SSH subsystems (namely sftp) were not 100% compatible with all clients. I'd put the OpenSSH code up against commercial offerings if you can spend a little bit of time configuring.
In the end we waived standards and used Linux, openssh+openssl+ldap. It did require patching the sftp subsystem for chroot access that was obtained off of the openssh mailing list. This does require a suid executable, but since our customers are [semi] trusted, the risk of them smashing the stack is manageable.
Customers can now sftp or scp in and are rooted to the ~username directory. At present, implementation has been as easy as our dedicated-line FTP customers. Ironically, we recommend commercial SSH clients...
There are several options for commercial SSH vendors. I found myself in a similar position a couple of years ago. I worked at a company that provided 24/7 security support to hundreds of companies, and _had_ to have a commercially supported SSH for both insurance and customer relation purposes. We started out using F-Secure, but the licensing and support was terrible. On top of that we found out that F-Secure simply licensed SSH.com's code and rebranded it. We worked a fantastic deal with ssh.com that allowed us to deploy SSH enterprise wide. On top of the good deal, we found the support to be excellent. At one point we needed some LDAP integration done and SSH.com had it done by the next release. I have also found SSH.com to be better security wise (since they do this to make money) than OpenSSH, check their track record. Anyhow, F-Secure, SSH.com and a couple of other companies offer SSH commercially. Good luck.
> What large organizations are implementing SSH?
All of them.
Slashdot? Oh, I just read it for the articles.
I will sell you TpsSSH for $5000 (site license). It is fully compatible with OpenSSH.
Karma: Good (despite my invention of the Karma: sig)
Let's see. Their argument is that freeware stuff isn't secure? Exactly what is their proof of this? They DO have some evidence to back up their claims, don't they?
How many hundreds (thousands??) of products and devices would they need as proof of security? How many code audits must OpenSSH submit to before it is suddenly (magically) now secure?
It does not logically follow that having the source code in the public view makes a product insecure. One only need look at Microsoft's Outlook products versus Evolution to see the evidence to shoot that argument down.
Ron Gage - Westland, MI
OpenSSH is by far the best SSH implementation available; the fact that it's freeware is a horrible reason not to use it. Explain to your employers that for a fee (and probably a smaller fee than most corporations would want) the OpenSSH team would most likely provide your company with expert support and services.
Don't roll over and allow your firm to adopt a second-rate (and more expensive) security product simply because they don't trust open source. The answer to your problem, as uncomfortable a situation as it may be, is to try to inform the higher-ups of why they're misguided (without losing your job ;D).
They have .depots available for 11.00 and 11i, and they are officially supporting it. That's a commercial OS/backing.
Moderation: Put your hand inside the puppet head!
http://www.openssh.org/usage/index.html
The OpenSSH team has put together a great page with a number of different usage statistics for SSH.
Here is the extra link to the parent. SSH Client for Windows ;)
Whoops
~Shane
While it would be somewhat more complicated from an administrative and support standpoint to implement, a 'Kerberized' ftp daemon (I believe that one comes with the stock MIT Kerberos V distribution) could possibly be a solution to your problem. Kerberos, while technically 'freeware', has been around for quite some time, has existed in several major UNIX distributions, and is used quite extensively in many major organizations. Otherwise, if security is a concern, why not just set up a VPN between the client and your company and have the FTP go through that?
The company I work for ("a little hardware vendor in the Valley") switched from the Commercial ssh client and server package to OpenSSH for all of our servers. OpenSSH proved more robust and easier to support - not to mention much, much, less expensive. And yes, I'm including the "cost" of our SysAdmin's time and the time of the person who manages distribution of our 'approved' OpenSSH package.
There really is no reason to use a commercial product unless the management is stuck on the "We need someone to sue if it breaks" business model of software acquisition.
Never attribute to malice what can as easily be the result of incompetence...
a la FreeBSD, OpenBSD (one remote hole in the default install, in nearly 6 years!), OpenSSH, Apache, etc.
Instead, let's use proprietary "secure" software, a la Win2000, IIS, etc.
We had a partnership with AOL and were setting up a secure file drop probably similar to what you wanted. We started with ssh.fi's commercial server and AOL actually told us they wanted us to use OpenSSH instead. Maybe that would provide some weight to your argument? :-)
(Posted anonymously for various potential disclosure issues. Sorry.)
Sigh,
So much software gets shifted because someone is actively pushing it. Not because it's good, useful or well supported, but because someone is out there at trade shows, advertising in trade mags, shipping out trial licenses etc., actively recruiting early adopters.
Maybe there is a need for an idiots' guide like "Crossing the Chasm"
http://search.barnesandnoble.com/booksearch/isbnInquiry.asp?userid=18DJH2Q01P&isbn=0066620023
If I was marketing a utility like OpenSSH I would make sure it was "on the list" in every place that someone might look for secure remote connection software. This might mean
* Tie-up deals with other suppliers to get the software shipped and trialled
* Presentations at banking industry seminars
* White papers to learned security journals
* Following up downloads and trial licences in big companies
* Printing case studies and success stories
On a side note, I probably wouldn't call it freeware so much as "it's a commodity these days, why would anyone pay for it".
You read the subject correctly.
The ssh package that Sun provides is OpenSSH.
I've installed it, I know.
While I can respect the company's policy of only wanting to deal with "respected and proven" commercial software, many commercial apps critical to secure operations are not "proven". Even SSH is relatively far behind the development curve of OpenSSH, its open-source counterpart. Nor is it in use in as many types of environments.
It may sound silly to suggest it again, but consider mentioning OpenSSH in your spread of possibilities. Even though it did have a possible remote root exploit exposed recently, look how fast working updates and/or workarounds were released. You'd be very hard pressed to find that in a commercial product.
They probably want you to use SSL FTP for your secure connection with their FTP server. We ran into the same problem and had to purchase WS_FTP PRO to get a 'secure' connection with our vendor.
Yes, I'm an agent of Satan, but my duties are largely ceremonial.
...use IPsec-based VPNs. Most firewalls will do this, just make sure they use a common key exchange method (i.e. don't use anything from Novell).
If you want an "industry proven and supported" product that supports SSH protocols, then the original SSH is what you want, but you'll (obviously) have to pay.
So how do they feel about Apache? I mean, IBM will sell it to you as IBM HTTPD, but it's still Apache. Or Java? Or... grrr
I take it you mean a company with legal backing, rather than one with technical backing?
Sun themselves recommend OpenSSH. Just search http://www.sun.com.
Some notable links:
http://www.sun.com/blueprints/0102/configssh.pdf
http://www.sun.com/blueprints/0701/openSSH.pdf
The scripts for an automated package creation have been very useful for me over the past few months, as OpenSSH has blazed through the 3.x versions.
When I worked at Cambridge Uni I had to use ssh and scp to access my work machines from home. I'd have been horrified if they'd had ftp and telnet access into that network.
Regards,
Denny
Police State UK - news and
It supports many other protocols besides SSH too.
Goto: www.vandyke.com/products/securefx
I use SecureCRT every day and it rocks! I've never used SecureFX (their premier file transfer program), but I get what I need from CRT and it's $30 cheaper (it's a terminal, but has Zmodem).
I worked for Harvard Law School for a year as one of my co-op assignments and we used a chroot patch I picked up maintenance for to mimic ftp's chrooting (chrootssh.sourceforge.net if yer interested). We found it to work flawlessly and have been using ssh.com's ssh/sftp client for all our users, which include professors and various employees maintaining websites. Seeing as those types of users aren't really technical, it was great to see they had no problems using our ftp replacement. Good luck!
Ok, this is what you do:
Register a company called "Secure Products Inc.", and make a quick website, fake some letterhead, etc. Then, tell your boss you found a great SSH product from Secure Products for only $50 per seat. Then, download the newest version of OpenSSH, change the name to SPISSH and watch the $$$$ roll in!
Word.
Our routers also have a built-in ssh client (your IOS must have a crypto feature set), so it's another incentive to use it.
I have run into the same situation myself, where the vendor I need to work with wants to transfer critical, sensitive or otherwise private data across the internet, using the very insecure FTP protocol.
I have suggested SSH to these vendors and each time they cite reasons relating to their use of Microsoft Windows (often a managed server at some hosting company like AT&T), or their refusal to use non-mainstream-commercial software. They also tend to try to argue that FTP is good enough, and that the law doesn't require anything more secure. As we all should know, this is just plain senseless, and dangerous.
In my hunt for an alternative that would be acceptable to them as well as me, AND would be able to be automated, I realized that good old HTTP over SSL (HTTPS) would work just fine for transferring the data. Not only would it be secure enough (at 128-bit) but I could automate the entire thing with OSS tools from my side, and they already had everything they would need to make it work on their end under Windows.
With just a little configuration on each end, and a simple little perl script, we have a secure transfer mechanism.
In our case our internal policy states that we initiate all secure data transfers from our side so making our transfers "bi-directional" was easy, but for others who do not have this policy, or where it would be inappropriate, it is quite simple to set up an http server on the local side to handle inbound transfers, even on a Windows server/host.
There are of course other possibilities including using a TLS enabled ftp client/server, and they all come with other considerations including some relating to compatibility. I highly suggest that you personally review each of the alternatives yourself and do not rely purely on the advice gleaned here on Slashdot, as accurate (or not) as it may be.
Hope this helps!
-Anon
Solaris 9 comes with a slightly modified OpenSSH (according to Sun).
The only commercial Unix ssh server that I'm aware of is from SSH.com (it is resold by several companies like F-Secure IIRC).
Compaq^WHP supplies SSH.com's ssh for Tru64 Unix (free download from Compaq's site, and I think will be included with Tru64 5.1B).
SSH is a proprietary product from SSH.COM. It is an outstanding technology that has been adopted by the open movement, and SSH "tolerates" OpenSSH. However, all other commercial products must license it from SSH. So, if you must get it from a commercial vendor, then why not get it from the horse's mouth, as it were.
Now, to answer your question regarding OpenSSH specifically. The only major and well-known company that I know for sure uses OpenSSH is Cisco. There are certainly many others, but there are probably few who use it as a matter of policy. But that doesn't mean that their engineers, having half a brain, haven't all acquired a copy and rely heavily on OpenSSH. Part of the problem with free software is that it doesn't show up on the radar unless it is used very heavily, but that doesn't mean that it isn't used by many.
You've got a tough sell ahead of you, as you must sell mind share, which is very difficult. It's far easier to sell SSH on technical merit, but that's already been done for you. To add further insult, if anyone does take you seriously and checks into OpenSSH, they will likely find a couple of recent vulnerabilities which, although already fixed, won't help your argument.
I'd say let it go. If they want to pay for SSH then let them. Comfort yourself in thinking that that money will be used by SSH to advance the product and some of those advancements will make it into OpenSSH too.
And has docs on it. Use things like sendmail and bind (DNS) as examples of opensource in practice. Also, show them the prices for a commercial SSH implementation on a large scale. Very little beats the bottom line of free, as in beer/books.
SecureFX implements FTP-over-SSH2 and SFTP. All I had to do was turn on "Subsystem SFTP" on the servers, give each exec a DSA key and install this program. It was ~$60/seat when we bought it - we only bought 5 seats, one for each consultant - and it's easy enough for our Windoze users to handle.
Basically, it looks just like an FTP client to the user. I just set the initial directory to our Samba-shared directory path and bingo! You can drag-and-drop and whatnot. The only thing to worry about is getting users to upload the file again when they've made their changes (we've had files get out of sync that way).
One annoyance - it uses SSH.COM's SSH engine so you have to generate DSA keys with the client program and convert the public key to OpenSSH format for use on the server. Minor annoyance.
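The conversion the post above describes, keys written by an SSH.com-style client in RFC 4716 "SSH2 PUBLIC KEY" format turned into the one-line form OpenSSH reads from authorized_keys, as an added example that is not code from the post or from any of the products named (OpenSSH's own tool for this is `ssh-keygen -i`). The sample key file is constructed here around a toy `ssh-dss` blob with placeholder integers, not a real key; the parser handles the quoted Comment header, header continuation lines, and rejects a body that is not a well-formed key blob.

```python
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"
ACCEPTED_TYPES = {"ssh-dss", "ssh-rsa"}   # the key types the post's DSA/RSA setup would use


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH mpint for a non-negative integer (leading 0x00 added when the high bit is set)."""
    if value == 0:
        return _ssh_string(b"")
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def key_blob_type(blob: bytes) -> str:
    """Return the key-type string that opens an SSH public-key blob, validating its length prefix."""
    if len(blob) < 4:
        raise ValueError("blob too short to hold a key type")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or n > 64 or 4 + n > len(blob):
        raise ValueError("bad key-type length prefix")
    return blob[4:4 + n].decode("ascii")


def rfc4716_to_openssh(text: str) -> str:
    """Convert an RFC 4716 public-key file into one OpenSSH authorized_keys line."""
    lines = [ln.strip() for ln in text.splitlines()]
    if not lines or lines[0] != BEGIN:
        raise ValueError("missing RFC 4716 BEGIN marker")
    headers, body, pending = {}, [], None
    for ln in lines[1:]:
        if ln == END:
            break
        if pending is not None:
            pending += ln                     # continuation of the previous header line
        elif ":" in ln:
            pending = ln                      # base64 never contains ':', so this is a header
        else:
            body.append(ln)
            continue
        if pending.endswith("\\"):            # RFC 4716: trailing backslash joins the next line
            pending = pending[:-1]
            continue
        tag, _, value = pending.partition(":")
        headers[tag.strip().lower()] = value.strip()
        pending = None
    else:
        raise ValueError("missing RFC 4716 END marker")
    if pending is not None:
        raise ValueError("unterminated header continuation")
    blob = base64.b64decode("".join(body), validate=True)   # raises ValueError on bad base64
    ktype = key_blob_type(blob)
    if ktype not in ACCEPTED_TYPES:
        raise ValueError(f"unexpected key type {ktype!r}")
    comment = headers.get("comment", "")
    if len(comment) >= 2 and comment[0] == comment[-1] == '"':
        comment = comment[1:-1]               # SSH.com clients quote the comment; OpenSSH does not
    line = f"{ktype} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}" if comment else line


# Constructed sample: an "ssh-dss" blob whose p, q, g, y are tiny placeholders (NOT a usable key).
SAMPLE_BLOB = _ssh_string(b"ssh-dss") + b"".join(
    _ssh_mpint(v) for v in (0xF1D3 << 120, 0x7B, 0x5A3C, 0x1E2F))
SAMPLE_BLOB_B64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_COMMENT = "exec laptop dsa key, for the Solaris sftp server"


def build_sample_rfc4716() -> str:
    """Wrap the toy blob the way an SSH.com-style client writes it: quoted Comment split by a continuation."""
    first, rest = SAMPLE_COMMENT.split(", for ", 1)
    header = [f'Comment: "{first}, for \\', f'{rest}"']
    body = [SAMPLE_BLOB_B64[i:i + 64] for i in range(0, len(SAMPLE_BLOB_B64), 64)]
    return "\n".join([BEGIN, *header, *body, END]) + "\n"


if __name__ == "__main__":
    print(build_sample_rfc4716())
    print(rfc4716_to_openssh(build_sample_rfc4716()))
```

`ssh-dss` is accepted here only because the post is about DSA keys; OpenSSH has since disabled DSA signatures by default, so a current deployment would restrict ACCEPTED_TYPES to the key types its sshd still allows.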
Who has a company which can charge these people?
Preferably one with credit card processing facilities to make it as painless as possible for them. Once the charge goes through, you could then take most of the money and dole it out to some of the big OpenSSH contributors...
Superior Pornographic Industrial Sex Sex House would hereby like to sue you for infringing use of our trademarked "SPISSH" name. But we can't 'cause the bitch took all the money. So just act like we sued you, and give us some cash.
-- 'The' Lord and Master Bitman On High, Master Of All
Email me, I can give you names and numbers for people using OpenSSH in a corporate environment. (I am posting this to the main comments since the article poster doesn't have an email address.)
I am willing to bet that when they said "freeware" they were thinking TuCows and fly-by-wire or 13-year-old VB h4x0r in his basement.
I'm sure your boss(es) need a good clue-bat to the head and they'll be fine.
In Soviet Russia...michael would be rotting in Siberia!
hmmm
well I can say that the insurance company I work for (name withheld) uses SSH.
Also the old ASP I worked for, Interliant (now Interland) uses SSH for stuff.
I can't believe for an instant these managers want something "proven". What are the alternatives? TELNET????
--those are my two cents, fish in the change return for more
The response I received stated that they don't like to use freeware, but only consider industry proven and supported software.
Then your company needs to fire its IT management staff since it is apparent they have absolutely no idea what they're talking about. In the meantime, you can tell them that OpenSSH is NOT freeware. I wouldn't trust freeware either. The difference? Freeware is typically closed source software that the authors refuse to release the code to because they think they're really "eleet" or some similar childish reason. I would also ask you: if you're a talented geek (assumption), why are you working for some lame company that refuses to touch Open Source software? Go somewhere where you're gonna make a difference. If you have the skills, you'll find plenty of jobs doing what you'd really like to do.
"SSH is now the de-facto standard for remote administration over the Internet. It is used in more than 50 countries by thousands of organizations, including e.g. MCI, Stanford University, Lawrence Livermore National Laboratories, and NASA."
Get your Unix fortune now!
The "security" admin there wanted to load F-Secure on everything.
Except he didn't know how to load it. I was tasked with "implementing SSH..."
I loaded OpenSSH on all the Sun boxes (90+). Loaded up putty for all the developers and started shutting off telnet/ftp.
The F-Secure sales rep called me to see "how things were going".
I told him we were going to go with OpenSSH. He asked about support... I laughed at him. 2 weeks later a major hole surfaced in SSH
(OpenSSH was not vulnerable to this one.) and F-Secure was the LAST vendor to come out with a fix, ala 2+ weeks later.
I have OpenSSH running on my HPUX box, all my Sun boxes, all my Linux boxes, and of course my OpenBSD boxes.
If OpenSSH is good enough for Sun/HP/Redhat it ought to be good enough for your managers. If not it might be time to go Bofh on them....
Just load it on there and then tell them you *didn't realize* it was already on there.... Then stuff them in a tape safe...
For reference, I installed and configured an SSH server while employed with CapitalOne Financial to facilitate the secure SFTP/SCP transfer of data between CapitalOne and its numerous vendors. I utilized F-Secure SSH, which is a commercial SSH software package with both Unix and Windows ports. Sun Solaris on the SPARC platform was used as the foundation for the server.
I am not sure if the solution is still in use since I am no longer employed there, but the solution worked well at the time with one exception: there was no Macintosh port at the time, which limited the use with some of CapitalOne's marketing/graphic vendors (all those artsy fartsy types love the Mac!)
-Alascom
If you are on a Windows based machine somewhere, and you need to use ssh, you can quickly get PuTTY from the net. It is small (220k), so you could even keep it with you on a floppy. And it is only a single executable. PuTTY is THE ssh client for Windows, IMO.
My beliefs do not require that you agree with them.
Everyone's "They're idiots, they should use OpenSSH" aside (I do agree with that), you said these people are your vendors? Unless they're the only vendor in the world that can meet your needs, mention that not only is OpenSSH a commercial solution, but that another vendor really wants your business and is willing to use OpenSSH.
Both OpenSSH and SSH are industry proven and supported software. SSH is supported by the original author of the protocol, Tatu Ylonen, among others. OpenSSH is supported by acknowledged Open Source security experts including Markus Friedl, Dug Song, and Theo de Raadt.
The version of SSH that Sun is shipping with Solaris is in fact OpenSSH. Sun is not trying to hide this, they are proud of shipping it because it is an excellent program.
Most major insurance companies run SSH (if they are Microsoft shops) or OpenSSH (if they are not). Most hospitals run OpenSSH.
I use both products. Support is superb for both; but SSH.com has friendly, personable phone support while the OpenSSH support comes mostly from Usenet and Email (and can be fiery if you ask exceptionally stupid questions). OpenSSH fixes bugs faster than SSH.Com, but both products have had about the same number of problems, and all have been quickly and effectively resolved.
Popular clients for Windows include PuTTY and Teraterm SSH. Make sure you get a recent version, however; older versions of those programs use versions of SSH (v 1.5) that have known bugs.
If you are dealing with a company that thinks commercial software is "better" than "freeware" you should be careful how you approach this project. If there is a single person who has created this mindset, that person is likely to be both powerful and not very analytical - a dangerous combination.
I meant the prior post to say that versions of the SSH protocol prior to 1.5 are vulnerable to certain rare and obscure forms of attack. Should've used "preview", eh Taco?
The response I received stated that they don't like to use freeware, but only consider industry proven and supported software.
Like Microsoft software? That's funny. Really, people assume that if you purchase something, it's good, supported, etc. What a load of crap.
Anyway, why not just set up a directory on your ftp server as write-only by the ftp user, and have them use PGP to encrypt the files themselves?
"Would it kill you to put down the toilet seat?" -- Maya Angelou
On Solaris 7 and 8 I use a kernel space /dev/random from Andreas Maier. I have successfully compiled it on both 32-bit and 64-bit machines using the SunPRO 5.0 compiler. To use it with OpenSSH, install the package, recompile OpenSSL and OpenSSH.
In my opinion using the kernel space /dev/random removes most of the negative issues associated with running OpenSSH on Solaris.
Trey
We switched -away- from commercial ssh because OpenSSH is better.
Then, along came the privilege-separation thing . . . ;)
Seriously, we use OpenSSH for all our host access, ssh gateways, etc. Wouldn't consider using anything at this point.
It's secure. I mean, er, 2.9 is secure.
No wait. 3.1 is secure. Oh, no, make that 3.3... Er, 3.4. Yeah, that's it. 3.4.
Invoicing, Time Tracking, Reporting
You've asked the smaller question with a really awesome example (OpenSSH is one of the highest quality software products available, IMHO).
:)
However, the larger question is this: how do you convince your boss that you should be allowed to use lots of free software off the net. The answer is you should not, and he should not approve such a thing. What you should be doing is picking a vendor that will do things like chase down security updates, while also providing you with the kinds of features that you need.
Of course, this brings into question the entire spectrum of software that you run. Should you switch OS vendors to someone who embraces Open Source Software (e.g. a Linux vendor like Red Hat, Caldera, SuSe, etc.).
If you need high-quality software with the latest feature-set, you should be looking at who will give you what you need and support it well.
Can of worms you say? Well, yes, but when you start talking about Linux these days you have a lot of ammunition. IBM is shipping Linux-based systems. Everybody and his brother is using Linux-based servers in production (unless they're using BSD).
OpenSSH is hard to argue against, and you'll probably win that battle hands-down. But what happens when you want remote management via VNC or OpenLDAP has some features you want or you need a quick-and-dirty database and don't want to spend $thousands?
Get an OS that comes with the best software already installed. Get Linux.
wrong question.
the correct question is, "should i get a new job?" and the answer is yes.
i'm totally serious. it's as if 100 or so years ago you worked at an overland transport company that said, "ah, that mechanical train thing is never going to catch on, i'm sticking to wagons!"
let your current employer waste their time and while you humor them with whatever they think they want to hear, go find a more sane place to work while you have the luxury of time.
US Citizen living abroad? Register to vote!
Openmail was picked up by Samsung IIRC. (one of its biggest users, now owns it, support IS available)
they don't like to use freeware, but only consider industry proven and supported software.
What, do they live under a rock? You'd be hard pressed to find another free software project used _more_ than OpenSSH.
Maybe you should forward a note to your CEO about how your clueless IT department is needlessly racking up support and licensing costs, while remaining ignorant of common IT practices.
-pmb
That's what I've been trying to push for my company. I'm amazed by how many companies (including mine) use ftp batch jobs to exchange data, usually comma delimited or even fixed width.
Financial institutions just love their main frames and their main frame thinking. Then follows the "Hey i sent you the file, did you get it?" and "OK we processed the file, you can pick it up" emails.
Instead, just post your data (in XML, of course) to a servlet/ASP/cgi over SSL. But that would be too elegant.
I've been with my present employer since Oct. of 1999. Every time we have a meeting where we discuss ways to accomplish some task, I've waited for an opportunity to say, "I could write a shell script to do that" or "We could do that with a Linux box". Early on it always got a big laugh. Then my technical lead started saying, "We could do that with a shell script." Now they're asking questions about using Linux for server consolidation. Some things take time. Patience, my young apprentice.
--
As a matter of fact, I am a lawyer. But I play an actor on TV.
but only consider industry proven and supported software.
...the thin, whiny sound of an incompetent, bumbling, empire-building middle manager, easily identified by the unhyphenated buzz-phrase "industry-proven" which is part of the Management 2.0 Service Pack upgrade along with "customer-focused" and "memory-hungry."
It really is unfair to have such a staggering advantage over the competition.
No, please. PLEASE go overpay for your "industry-proven" version of the exact same thing everyone with a clue already has. Just don't lay off anyone when your budget runs out.
Cisco Systems uses SSH extensively. You can find SSH supported in some of their commercial products. And internally, SSH is becoming one of the standards for remote access. It might be interesting to note that they use a combination of SSH2 from SSH, Inc AND OpenSSH with both being officially sanctioned solutions.
tell them that you don't support closed source security products due to the problems getting security updates. Remind them that the customer is always right....
Kent
Lemme guess. You haven't worked since the economy downturn. I can guarantee you that OpenSSH is being used in the biggest of big companies.
Drop the vendor: they obviously haven't got a clue what they're talking about.
1) They should read their vendors' EULA's (and probably their own). No software these days is supported. ("This software is provided "AS IS"...).
2) Lots of free software is very much industry proven.
Perhaps you could try a little education.
http://www.openssh.com/press.html
assert(expired(knowledge));
why are you working for some lame company that refuses to touch Open Source software?
Perhaps [s]he can get them to "see the light."
Withdrawal before climax is very ineffective and those who try this are usually called "parents."
To secure FTP traffic, I highly recommend SafeTP from the folks at Berkeley. SafeTP is an RFC 2228 compliant FTP Security Extension that uses Public Key Crypto to authenticate and secure the link.
SafeTP is supported under Unix / Linux as well as Windows 95/98/ME/NT/2000/etc. Source code for Unix and compiled code for Windows is available free of cost.
This quote from the Berkeley folks may be useful:
We have found SafeTP to be both user friendly and expert friendly. We have been successfully using it now for several years. It works well behind firewalls. The code is both well written and stable.
chongo (was here)
Doesn't Micro$oft, the industry leader in super-secure - get whatcha pay for software, have a version you could pitch to your dain bramaged mgmt?
Using commercial as a synonym for proprietary isn't logical. There are plenty of Open Source applications which have been produced with the primary aim of making money (RPM, Zope) and plenty of closed source apps which are produced for non-commercial reasons (e.g., PowerArchiver back when it was called EasyZip). The word proprietary is a much more accurate description of the software.
Wow. And here I've been building my own depots all this time.
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA
Thanks for the tip, Marx!
If you are using windows I have seen f-secure at large corporations and medium to small businesses that I have worked at and supported.
I have likewise seen, used and implemented openssh at the same companies. To exclude OpenSSH because it is OpenSource (freeware that hopefully gets creative and monetary contributions to it on a regular basis), is quite frankly ignorant and beyond all common business sense.
Just because it doesn't have a big 'M' (Microsoft) or a big 'I' (Intel) or a big 'O' (Oracle) or a big 'C' (Cisco) on it doesn't mean that it sucks. Take a look at the movie Tommy Boy (Chris Farley); I think they summed up "warranty" very nicely.
:-( --- argh. Despair, I owe again.
My company has just migrated from in-house to out-of-house serving. We now require secure transfer of files, so we use SSH 2. Luckily, my main design/development machine is running OS X. Not only does OS X have a built in command line SSH client, but there is a nice commercial app called rBrowser that slaps a nice GUI on it. It's $50/seat.
"Politicians find new names for institutions which under old names have become odious to the people."
More info on the changeover and the clients they are recommending can be found here.
There are jillions of SSH solutions. All of the ones I've used (including OpenSSH) are far, far more secure than any FTP server I've ever seen. FTP is an ancient protocol, inherently insecure, and FTP servers are constantly showing up on Bugtraq with buffer overflows, etc. SSH shows up there too, but not nearly as often and usually with less severe problems. Any boss not willing to use a freeware SSH is ignorant, but any boss not willing to at least use a commercial one is incompetent. (Ignoring the fact that commercial != better.)
BTW, for a bitchin' Windows SSH client, check out "putty". Awesome. Puts Tera Term to shame.
I work in a pre-field lab environment, where we make sure all our equipment going onto our network isn't going to blow anything up.
All of my machines are standard with OpenSSH now, and I know that all the new machines coming in are required to have SSH in place of Telnet... and OpenSSH is the de facto standard, although we will accept a commercial implementation if the vendor provides it.
Anything Sprint PCS provided, though, is OpenSSH. Telnet has been officially "banned" from all new equipment, even if people are breaking this rule (much to my chagrin) on occasion.
You make it sound like there are citizen uprisings in those cities. It turns out that the article you link to is merely about the LEADERS (not even the citizens) of a few cities passing a few silly resolutions that don't have the effect of undermining the government's authority one bit.
AND NOW FOR SOMETHING COMPLETELY ON-TOPIC.
I'd rather read the trivial news about SSH. The company mentioned that "doesn't use freeware" is just being stupid. The FSF has a link to a paper that debunks their fear about OpenSSH and other open-source "freeware" being "unsupported".
Also, like nearly everyone else, I recommend PuTTY if you need a Windows SSH client. Too bad that it's "freeware" too. I guess your company will have to settle for an inferior proprietary alternative.
They have builds of OpenSSH (and tons of other free software) for a variety of UNIX platforms, and they offer commercial support for them. I used them at my last employer, and was extremely satisfied with them. On several occasions they integrated or wrote fixes when I came across bugs, and submitted their fixes upstream to the maintainers. Their response was also much faster than the maintainers.
In late January, my server rebooted for reasons unknown (probably a power outage). The web server didn't come up properly. And that means no email.
I sat down at a Nairobi internet cafe and downloaded putty off the net. After about an hour of painful editing and debug, I had the problem fixed.
Originally, I thought I would carry around a floppy with putty on it. But I discovered that it didn't really help. If it was at all possible to use putty, it was easy and fast enough to download it.
point out that openssh ****IS**** industry-proven.
if you can't argue with your boss about something that you're RIGHT about, then your career won't evolve.
You're right, he's wrong. The only encryption software I trust in that respect is OPENssh, rather than CLOSEDssh, which is closed. End of story. You're the techie, he's the luser. How many other ways can this be put?
Use Openssh if you want your network to be secure.
Sun Professional Services uses SSH to access the machines they are administrating. I guess if it's secure for all their customers, it should be good enough for the application in question too.
- Hubert
Wow, maybe I'm a bit cynical, or maybe it's really troll time for me. Whatever. I'm at the point of simply throwing up my (virtual) hands at this sort of crap. Ask yourself this: In the last 5 years, how many tech-oriented businesses have tanked because technical decisions were made by the decidedly non-technical? Perhaps this is the real heart of the problem: a simple culture clash. It's perhaps time for senior manglement to learn when to really listen. My stock response nowadays is to simply give them whatever they really wanted to begin with, regardless of the suckiness of it. After all, the customer is always right, no? Guaranteed, I've never gotten a single negative response from this approach -- many people can't admit to themselves that they were asses, either. Instead, I simply shake and nod my head sympathetically, charge for a few more hours, and go about my business.
C|N>K
Set up your own company, rebrand OpenSSH by changing a few comment lines and titles, then sell it to them for $20,000 or so. Everyone wins!
Subverting the meta-moderating system since 2003
I worked for CNN.com for two years (1998 - 2000). We used SSH there to transfer news feeds between servers as part of our automated processing. A template would generate the data (XML, html, JavaScript, whatever), and then a Perl or shell script would scp (secure copy, a part of ssh) the file to the remote server using an ssh-agent.
When I left CNN, I went to a startup called ZapMedia. It was a much smaller company, but we used SSH for all communications to our production boxes (which were colocated at Exodus outside of our company LAN). We even did remote CVS checkouts over SSH as part of our code release process. The use of SSH was completely secure and worked very well.
- Vincit qui patitur.
We are (an unnamed) large computer services company and we use OpenSSH, but the licence made our legal department throw fits. The wording in it is strange and basically says "I'm not sure what's in this code and there may be things that are or are not someone else's intellectual property, but if anyone comes after you legally then I'm out of it..."
Before that we used F-Secure's SSH as a commercial version. It works great but is clearly more expensive than FREE.
This is one of those situations where I've actually been pleasantly surprised by both the commercial (SSH.com) and non-commerical (OpenSSH) products. I've used both, almost interchangeably, and like them both. It's really a toss-up for me.
Some people might point to the recent OpenSSH security holes trying to discredit them, but look at how quick the turnaround on patches was.. amazing.
One thing I did want to point out was the SSH.com Windows client. I really like it. It might not be worth the money, but if you fall into one of the categories where you get a free license (allows university use and non-commercial use according to their website), it's quite good. I especially like the ease in opening additional sessions or secure file transfer, etc. Worth checking out..
(And definitely don't use the TeraTerm SSH client. It's still SSH version 1, and is just a hack on top of TeraTerm... never seemed like the greatest solution to me, even if it did work)
You cannot find anything commercial that is more proven or better supported than OpenSSH. There may be commercial packages that are as good -- although I don't know of any -- but there can be none that are better. Support from commercial companies is, too often, a joke.
Case in point: very recently a bug was discovered in OpenSSH: if you used a certain form of challenge-response authentication, a remote compromise may be possible. Within days of the bug being announced, there was a workaround; and versions post-3.3 are not affected since they UsePrivilegeSeparation by default. This is the only significant bug I can remember off-hand.
In any case, SSH is a commercial product and is done by Tatu Ylonen, who was the original SSH guy; OpenSSH is the free version that the OpenBSD guys forked when SSH went commercial.
Unlimited growth == Cancer.
We deal with customers transferring large amounts of sensitive data to us. Our requirements are that the control and data streams be encrypted, and that the customers are confined to only their upload directories. We use SSH so we can do sftp and chroot the users to their own little jail. For our customers that use Windows, we supply a copy of CuteFTP, and a VBScript written by yours truly to automate the data transfer (the latest CuteFTP supports sftp and ssl-ftp). We're very happy with this setup as it's secure and easy to use for our customers. We'd use OpenSSH, but it doesn't do user chrooting without some heavy modification. Because of SSH, we've been able to ditch our aging NT4.0 Server running WS-FTP with SSL enabled for our data transfers.
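The post above says OpenSSH cannot confine sftp users to their own directory without heavy modification. That was true when it was written; since OpenSSH 4.9 sshd has a ChrootDirectory option (typically a Match block with ChrootDirectory, ForceCommand internal-sftp and AllowTcpForwarding no), and the most common deployment failure is sshd refusing the session with "bad ownership or modes for chroot directory component" because sshd insists that every component of the jail path be root-owned and not group- or world-writable. The shell function below, added here as an example and not part of the thread or of OpenSSH, re-implements that rule so a jail path can be audited before the first customer hits it. The directory names are hypothetical, the optional TOP argument exists only so a subtree you own can be exercised without root, and GNU coreutils stat(1) is assumed.

```shell
#!/bin/sh
# check_chroot_path DIR [OWNER_UID] [TOP]
#
# Reproduces the ownership/permission rule sshd applies to ChrootDirectory:
# every path component from TOP (default "/") down to DIR must be owned by
# OWNER_UID (default 0, root) and must not be group- or world-writable.
# Prints the first offending component and returns 1; otherwise prints
# "ok" and returns 0. For a real jail leave TOP at "/"; it is a testing
# hook so a tree you own can be checked without root. Assumes GNU stat(1)
# ("-c '%u %a'"); BSD/macOS stat spells these options differently.
check_chroot_path() {
    dir=$1
    owner=${2:-0}
    top=${3:-/}
    p=$(cd "$dir" 2>/dev/null && pwd -P) || { echo "not a directory: $dir"; return 1; }
    top=$(cd "$top" 2>/dev/null && pwd -P) || { echo "not a directory: $top"; return 1; }
    while :; do
        uid=$(stat -c '%u' "$p") || return 1
        mode=$(stat -c '%a' "$p") || return 1   # octal digits, e.g. 755 or 1777
        if [ "$uid" != "$owner" ]; then
            echo "bad owner on $p: uid $uid, want $owner"
            return 1
        fi
        # 022 masks the group and other write bits; the leading 0 makes
        # the expanded mode an octal literal inside $(( )).
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "bad mode on $p: $mode is group- or world-writable"
            return 1
        fi
        if [ "$p" = "$top" ] || [ "$p" = / ]; then
            break
        fi
        p=$(dirname "$p")
    done
    echo "ok: $dir"
    return 0
}

# Usage: check_chroot_path /srv/sftp/alice
# (hypothetical jail path; run as-is only when arguments are given)
if [ $# -gt 0 ]; then
    check_chroot_path "$@"
fi
```

Note that the jail directory itself must be root-owned and 755, so the user's writable upload area has to be a subdirectory inside it (for example /srv/sftp/alice/upload owned by alice), which is exactly the "confined to their own upload directory" arrangement the post describes. After editing sshd_config, `sshd -t` checks the syntax and `sshd -T -C user=alice` prints the options that would actually apply to that user's Match block.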
Hey, no problem. Sell it to them.
See, now it's not free, and it's definitely proven in the industry.
Problem solved, plus money in your pocket.
THIS IS NOT A JOKE.
Thousands of consultants all over the world sell open source solutions to people who don't know how to do it themselves. It makes the pointy haired bosses feel good to think about how much money they are spending to get the very best that money can't buy.
The best part is, you don't have to feel sleazy about it, because you really are setting them up with the best solution for their needs. They are paying you for your knowledge and expertise.
Then you can turn around and help out with the project that made you some money, by coding, testing, documenting, or DONATING!
Everybody wins.
Go get 'em.
WALSTIB!
The organization I work for is moving toward managing over 1400 remote M$FT boxes using nothing more than SSH Tunnels and the OpenSSH Windoze port available here.
Saves a ton of $$$ in PCAnywhere licenses every year...
I've been working at dig.com since April, and we use OpenSSH on all our unix boxes. We use a bunch of other free software, and nobody thinks it's risky or anything. We could certainly afford commercial software if it provided anything we couldn't get in free software.
As it turns out, the prevailing attitude is that with commercial software we have to involve the vendor every time we want to do anything remotely unusual. If we improve the tool, the vendor probably won't support it. If the vendor improves the tool, they will probably require more money and a needlessly complicated upgrade for us to benefit from it.
Stand up to your managers. Don't just tell them that Free Is Better, show them.
Sheesh. Shame on Cliff for posting this troll.
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
would also ask you: if you're a talented geek (assumption), why are you working for some lame company that refuses to touch Open Source software? Go somewhere where you're gonna make a difference. If you have the skills, you'll find plenty of jobs doing what you'd really like to do.
Your remark is simply idiotic. The whole world doesn't revolve around spreading open source around. He/She needs to make a living, make some cash, and he/she's not going to give up his/her job because his/her company doesn't want to run open source software.
And, what makes you think going to a company that does touch open source will help "make a difference?" What? He's going to make a difference at the companies that DON'T touch it by convincing them to do so.
And having 'leet programming skills' doesn't have anything to do with whether you support open source or not. And maybe he/she likes the job they already do, regardless of the SSH daemon they use. That's one hell of a reason to quit your job.
void women (int money, time_t time);
That's fine. There are people who do commercial support for open source. Hire them and pay them! Cygnus Support was the classic business following this model, and they've been bought by Red Hat, so get support contracts from Red Hat. Or SuSe, or a few other similar companies. You get the software you want, with a source license, and you get someone to fix stuff for you for your money. Works just fine.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
There is a derivate called "TSSH" (Trusted SSH) which comes with Argus-enhanced Trusted Operating Systems.
Trusted SSH is aware of TCSEC B1 security mechanisms (like Mandatory Access Control), Argus' privilege/authorizations concepts and ASN (Advanced Secure Networking).
You can find a short TSSH FAQ (mostly about its advantages over other commonly used SSH servers) here.
I would just like to point that the roots of SSH go to SSH Communications Security - and more specifically to Mr. Ylönen, the CTO of the company. I consider their implementation the best as they have the most knowledge of the product and they have very skilled programmers.
As quoted from "In 1995, Mr. Ylönen invented Secure Shell for remote logins. From that time, Secure Shell has been available to download from the Internet and free for noncommercial use. The program became immediately very popular."
,gr8guy
A lot of large companies (like AOL TimeWarner, Sony and even Microsoft) run OpenSSH on BSD systems.
:-).
For example, at my previous company I did work for AOL, and we used FreeBSD servers to prepare user billing data for AOL - with OpenSSH of course. Personally I would have preferred Linux, but the other 2 systems engineers were FreeBSD fans and I can respect that
The only - and I mean only - reason to have a commercial SSH client is if you need support for a trusted operating environment (i.e. Trusted Solaris, Argus Pitbull), and you typically purchase these from the vendor that sold you the OS in the first place - though with privilege separation now present in OpenSSH, this could be a thing of the past.
If you've worked in big business you see how many use BSD and OpenSSH - though not Linux, as most have reservations about its suitability for a corporate environment - and the use of free (as in beer) software is increasing as the cost benefits of a no-cost OS and cheap commodity Intel hardware are encouraging companies to move away from Sun hardware in certain situations.
We to this day have commercial department problems with using things like emacs, perl and g++, not to mention linux. The attitude being "we want a supported product".
I say "hang on, isn't this how GNU/Linux was supposed to be making the money?"
Ok, so the source developers are probably too busy to do it, but surely the distros could sell product by product support contracts for a very lucrative price. Their paid support could feed back into the original source...
www.thewrittenword.com....
Provide opensource/GNU stuff that is commercially packaged....
They also frequently release up-to-date versions so that you can keep your software at the current releases....
Or use the version that sun releases, and use the money for Sun Support....
So your bosses can pay for openssh, then have a coke and a smile and shut the f*** up....
and as pointed out above, since Sun and Apple release commercial versions of openssh, and everyone and their mom also uses it, it seems stupid to think it's "unproven"...
An excellent collection of links to SSH client and server products is maintained by FreeSSH. Includes free and fee versions.
Andrew Yeomans
Eh? Everyone uses openssh!
Sun is using SSH to access their Servers... At the same time most of the Government departments in Argentina are Using SSH to access their servers, and I know that many of the IBM Global services projects are using SSH to work from home at them. Cheers.- Hache
It's not as if the suggestion is being made that this fellow quit his present job immediately and job hunt full-time until he finds somewhere with a more enlightened attitude -- merely that he switch; this can (easily) mean finding a new employer, and only then resigning from his present position. Unless his family is particularly large, or he's financially prevented from moving (ie. making payments on a house, unable to cover rent elsewhere in addition), one can still reasonably switch jobs presuming good pay and coverage of relocation expenses.
Working at an open source company is extremely rewarding -- I can say this having been employed by one for three years now. Some of my coworkers signed up because of the ability to work on OSS and get paid; others signed up for more conventional reasons. As for my coworkers, they're almost uniformly brilliant at what they do; the engineering group includes big-name kernel hacks and has highly clued management -- and it's well worth noting that at least some of the best of them (the engineers, not the management) signed up specifically because of the opportunity to be paid for working on open source (even better, in at least one case, on a tree which they already maintained).
Good pay is nice. Good pay in a place with brilliant co-workers and fun projects (which OSS-based companies are more likely than average to be) is nicer. What better than to be given money to do full time what you already do in your spare time?!
It's not what they use, it's what they let you use. A workplace which lets you use the Right Tool For The Job (at least in the cases where choosing wrongly won't have dire consequences down the road) is much more rewarding than one which dictates what you can do and how you can do it. Being allowed to use open source software (and extend open source software to do what the company needs, when appropriate) is indicative of a more flexible (and thus enjoyable) work environment than is otherwise available.
Yes, your engineers have to be disciplined and responsible people to do that right -- but I'd far rather work at a company where I'm expected (even required!) to be disciplined and responsible but given a measure of design control in return than one where I have no power to misuse -- and I say this having worked in both.
Finally, let me submit that those with truly 'leet programming skills' are, on average, more inclined to care about having control over how they do what they do than those without such skills. The best of coders (at least among those I've met) are those that love their work; who code not only to pay the bills but also because doing so is part of who they are. I've met more of these people inside the open source community than outside of it.
I will sell it to them. In fact, for significant fee I will supply them with the 'Professional' version complete with the word 'Professional' written all over it.
I think you underestimate just how much I just don't care.
Starting with Solaris 8, Sun has released OpenSSH as part of its offering. I think that a valid argument would be: "If Sun's research and development department believes OpenSSH is stable, why can't we use it as well".
PuTTY is a great client for M$ ( ---- free bonus ).
smoyer
Yes... that piece of software rocks. Best telnet/ssh client for Windows ever. It is definitely worth the money.
--
"What do you want me to do? Whack a guy? Off a guy? Whack off a guy? Cause I'm married."
I work for AOL, managing ICQ and AOL Mobile Ops, and we do use OpenSSH. Yes, we have commercial SSH in some places, but a lot of our infrastructure is built on OpenSSH.
Relying totally on SSH/OpenSSH to secure a host is bad SA practice. Building a security model that has several layers and components is the only way to fly.
Officially that is... Oh, without it you can't get into the systems for management.
:-() and everybody now uses ssh.
The biggest problem here was getting the admins to use it. (it's all firewalled, so why should we...) The buffer overflow helped a bit, but we now mainly use it because of the easy to use (pointy clicky) user interface.
For a year or two now we have had a Tcl/Tk menu which allows you to log into a system without having to type ssh (telling them that it was less work to type than telnet didn't work; AIX has the tn alias...
In some corporations you have to exploit the laziness of humans instead of their sense of security to get things done.
I'm now glad the internal network is almost as safe as my home net... (big organisations are hard to convince)
... Wenn ist das Nunstruck git und Slotermeyer? Ja!... Beiherhund das Oder die Flipperwaldt gersput!
Put on a fake mustache and a visitor's badge. Meet with your management, call yourself ... er ... Mr. Ricardo from Super Security Inc.
Don't tell them that OpenSSH is free, just sell it to them, for 1/2 the price of whatever commercial solution they are considering. Enjoy your bonus :)
Also, their Java ssh client Mindterm kicks ass, but they have been changing their licensing several times the last year.
Sometimes after an electrical storm I can see in five dimensions. --Cornfed, Duckman
ITSupported provides support for open source products. Could you use something like that, and pay a support fee for packages etc. but keep OpenSSH?
Just a thought.
oops, I think you are right.
Get your Unix fortune now!