
SSH-Based Solutions - Looking for Industry Proof?

mcwop asks: "My company's IT department is trying to set up secure FTP with a vendor. It would be set up on a Sun box (not running Solaris 9). I emailed suggesting they look at OpenSSH. The response I received stated that they don't like to use freeware, but only consider industry proven and supported software. I have found one commercial version at SSH. What other commercial versions are out there (I know Solaris 9 comes with SSH)? But more importantly, what are some commercial successes? What large organizations are implementing SSH?"

  1. Client side by Archangel Michael · · Score: 3, Informative

    Tera Term on Windows is the best.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    1. Re:Client side by sql*kitten · · Score: 5, Informative

      Tera Term on Windows is the best.

      It's good, but I've switched to PuTTY, mainly because it can heartbeat an SSH connection with an empty packet every minute to prevent sessions being timed out by over-zealous firewalls - very convenient if you need to monitor several machines.

    2. Re:Client side by Anonymous Coward · · Score: 3, Insightful

      Neither of these is a commercial product, and both are decidedly less professional than OpenSSH. And as far as I know, they are only clients. Vandyke.com has SecureCRT plus secure terminal and FTP servers for Windows. Also check out F-Secure from Data Fellows.

  2. Confused by awgy · · Score: 4, Interesting

    Perhaps I'm confused, but isn't OpenSSH a rather well-proven program?

    --
    Kein Mitleid für die Mehrheit.
  3. Good luck... by adam613 · · Score: 4, Insightful

    You're going to be hard-pressed to find a commercial solution which is more widely used (and therefore proven in the industry) than OpenSSH.

    1. Re:Good luck... by Nailer · · Score: 3, Interesting

      The response I received stated that they don't like to use freeware, but only consider industry proven and supported software

      I agree with the poster above. Since when are these mutually exclusive? That people refer to proprietary software as `commercial' is a fault of their logic. Chances are they are already relying in some way or another on one of the following Open Source applications that are either produced for commercial reasons or have some kind of backing. Oh, did I mention that each of these apps is the market leader in its field?
      • the Bind DNS Server
      • Sendmail
      • Apache
      • Squid
      • WU FTPd (yes, I know it sucks, but it's still the world's most popular FTP)

  4. Silly by rmassa · · Score: 5, Insightful

    Why don't you talk to the OpenSSH team? I'm sure that for some nominal fee you can get extra priority support. OpenSSH is (IMHO) the best ssh implementation out there, and it's from a dedicated team where security supersedes even functionality. The newest version of OpenSSH promises to be very hard to exploit.

    1. Re:Silly by Camel Pilot · · Score: 4, Insightful

      All open source (teams|foundations|etc) should have a means with which to accept payment and set a standardized "corporate quality distribution fee" for those who must pay to feel good about the transaction.

      I have run into this snobbish attitude also in my consulting work. I have been told on occasion "sorry son, we only use corporate quality software here". ...ha ha lol... Whatever the heck that means! I always try to contain my mirth.

      If when proposing a particular solution I could quickly add that a site licencing fee is only $850 most corporate customers would not even flinch and would somehow feel more comfortable that they are not using some "freeware" or "shareware" product to run their business.

  5. OpenSSH by scorpioX · · Score: 5, Interesting

    Mac OS X (and X Server) ship with OpenSSH. Those are considered commercial OSes. I bet Solaris 9's SSH is also OpenSSH (don't know for sure though). Sounds like your managers have their heads where the sun doesn't shine.

    1. Re:OpenSSH by questionlp · · Score: 5, Informative

      Solaris 9 does use OpenSSH for its "Solaris Secure Shell". They mention it on this page.

  6. Been there, done that by bee · · Score: 5, Insightful

    In 1994, I took a job at a bank in Oklahoma. My boss at the time had the attitude "We're a bank, we pay for software".

    Then I showed him screen. Suddenly the light went on in his head-- "Hey, I don't have to use 2 phone lines and 2 modems to get 2 shells at work!" To him, it was the greatest thing since sliced bread.

    After that, he didn't have any problems letting me install emacs. :-)

    --
    At least mafia-owned pizzerias make excellent pizza. Compare to Bill Gates.
    1. Re:Been there, done that by Wanker · · Score: 3, Funny

      I would have fired you for installing Emacs.
      Yeah, when is that thing going to achieve sentience?

      Sssh! You'll make it angry!

  7. openSSH by MattW · · Score: 5, Insightful

    OpenSSH is far more widely used than any commercial variant. You'd be hard pressed to find a Fortune 500 company that isn't using it somewhere. Almost any provider of IT services or network services uses it, unless they have no *nix boxes at all and provide no services on anything other than a Windows platform. Try a quick survey of network security companies and ask how they do remote access/file transfer -- no matter how big, scp/ssh will be the answer, and it will be OpenSSH for a majority of them.

  8. Ssh communications. by Anonymous Coward · · Score: 4, Informative

    Most businesses go with SSH Communications, www.ssh.com. They also have a low-memory-footprint version, IPsec, tunneling software and some other stuff.

    1. Re:Ssh communications. by alsta · · Score: 3, Informative

      Well, Solaris 9 has an SSH implementation which in fact is OpenSSH. They've modified a few things though, such as the reported version string:

      Escape character is '^]'.
      SSH-2.0-Sun_SSH_1.0
      ^]
      telnet>q

      Everything else (config files, library dependencies, etc.) speaks of OpenSSH so much that there is no other possible option. Sun probably took OpenSSH, modified a few things and released it as their own, as they are allowed to by the BSD license.

      These configure options should get you a setup identical to the layout on Solaris 9:

      CC=cc \
      CFLAGS="-g -I/tmp/foo/include" \
      LDFLAGS="-L/tmp/foo/lib -R/tmp/foo/lib" \
      ./configure \
      --prefix=/tmp/foo \
      --bindir=/usr/bin \
      --sbindir=/usr/lib/ssh \
      --localstatedir=/var/run \
      --libdir=/usr/lib \
      --includedir=/usr/include \
      --mandir=/usr/share/man \
      --with-ssl-dir=/tmp/foo \
      --sysconfdir=/etc/ssh \
      --libexecdir=/usr/lib/ssh \
      --datadir=/usr/lib/ssh \
      --with-pid-dir=/var/run \
      --with-prngd-socket=/var/run/prng-socket \
      --with-zlib=/tmp/foo \
      --disable-wtmp \
      --disable-utmp

      The $CC variable is to build with Sun Forte; substitute gcc as you please. Note the LDFLAGS and CFLAGS though. This configure expects to find the zlib and OpenSSL headers in /tmp/foo/include and _static_ libraries in /tmp/foo/lib. On Solaris, don't dynamically link with anything unless it's available on the system itself. You'll introduce nasty interdependencies which you'll regret in the long run. Trust me, installing shared libraries on 500 machines isn't that fun.

      --
      Wealth is the product of man's capacity to think. -Ayn Rand
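The telnet session alsta pastes above, and the TeraTerm remark further down about clients still stuck on SSH protocol 1, both come down to reading the server's identification string. The script below is an added example for this thread, not code from any of the posts or from OpenSSH: it parses identification strings in the RFC 4253 form `SSH-protoversion-softwareversion [SP comments]`, classifies the well-known software prefixes (`OpenSSH_`, and `Sun_SSH_` for the Solaris build the thread discusses), and flags hosts whose banner still offers protocol 1 (`1.x` or the `1.99` "both versions" value). The sample banners are constructed, except `SSH-2.0-Sun_SSH_1.0`, which is the string quoted above; the `fetch_banner` helper does what alsta did by hand with telnet and is not needed for the offline sample.

```python
"""Classify SSH identification strings (RFC 4253, section 4.2).

Added example for this thread, not code from the original posts.
The sample banners are constructed; "SSH-2.0-Sun_SSH_1.0" is the string
alsta quotes from a Solaris 9 box.
"""
import re
import socket
from typing import List, NamedTuple, Optional

# SSH-protoversion-softwareversion [SP comments] CR LF
# softwareversion contains no whitespace; comments are optional free text.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


class SshBanner(NamedTuple):
    protoversion: str
    softwareversion: str
    comments: Optional[str]


def parse_ssh_banner(line: str) -> SshBanner:
    """Parse one identification line; raise ValueError on anything else
    (telnet chatter, an HTTP response, an empty read from a closed port)."""
    line = line.rstrip("\r\n")
    m = BANNER_RE.match(line)
    if m is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return SshBanner(m["proto"], m["software"], m["comments"])


def classify_implementation(banner: SshBanner) -> str:
    """Map the software-version token to a product family.
    Only the prefixes discussed in the thread are recognised; anything
    else is reported verbatim so the auditor can look it up."""
    sw = banner.softwareversion
    if sw.startswith("OpenSSH_"):
        return "OpenSSH"
    if sw.startswith("Sun_SSH_"):
        return "Sun SSH (Solaris; OpenSSH-derived)"
    return f"other ({sw})"


def offers_protocol_1(banner: SshBanner) -> bool:
    """True for servers that still speak SSH protocol 1 (1.x) or negotiate
    both (1.99). Protocol 1 is obsolete and worth flagging in an audit."""
    return banner.protoversion.startswith("1.")


def audit_banners(lines: List[str]) -> List[dict]:
    """Run the checks over captured banner lines, one per host."""
    results = []
    for line in lines:
        try:
            b = parse_ssh_banner(line)
        except ValueError as exc:
            results.append({"raw": line, "error": str(exc)})
            continue
        results.append({
            "raw": line,
            "implementation": classify_implementation(b),
            "software": b.softwareversion,
            "protocol": b.protoversion,
            "protocol1": offers_protocol_1(b),
        })
    return results


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read a live server's identification line (what alsta did with telnet).
    Servers may send free-form text lines before the banner; skip them.
    Not exercised by the offline sample below."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("r", encoding="ascii", errors="replace", newline="\n")
        for _ in range(100):
            line = f.readline()
            if not line or line.startswith("SSH-"):
                return line
    return ""


# Constructed sample capture, as an inventory script might have collected it.
SAMPLE_BANNERS = [
    "SSH-2.0-Sun_SSH_1.0\r\n",             # quoted in the thread (Solaris 9)
    "SSH-2.0-OpenSSH_3.4p1\r\n",           # constructed
    "SSH-1.99-OpenSSH_3.1p1 FreeBSD\r\n",  # constructed: still offers protocol 1
    "Escape character is '^]'.\r\n",       # telnet chatter, not a banner
]

if __name__ == "__main__":
    for r in audit_banners(SAMPLE_BANNERS):
        print(r)
```

Run it as-is to see the four sample lines classified; point `fetch_banner` at your own hosts to feed `audit_banners` real data. Because the banner is the first thing a server sends, this needs no authentication, which is also why it is what a firewall or IDS sees when it fingerprints the service.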
  9. F-Secure, SSH, or OpenSSH by edyu · · Score: 5, Informative

    Both SSH (the company) and F-Secure sell commercial SSH products. But maybe if you word it differently, your management should accept OpenSSH since it is being used by many companies. My company (a smaller, 100+ person company) uses OpenSSH extensively.

  10. Did you think at all? by SquadBoy · · Score: 5, Interesting

    http://www.openssh.org/users.html

    Also Nokia's IPSO (on their Checkpoint-based firewalls) uses OpenSSH.
    As you can see Sun uses it. Good enough. I thought so.

    --
    Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
  11. Data Fellows... by Helmholtz Coil · · Score: 4, Informative

    ...has a version of SSH available for Unices, Windows, Macs, even the Nokia 200. Don't know how good it is, but they've got a fair amount of info on the site.

  12. F-Secure SSH by Medieval · · Score: 5, Informative

    F-Secure makes a rather kick-ass line of SSH products. We use them in production here (major tire manufacturer), and it is FIPS 140-1 compliant. The client-side portion is pretty schweeeeeeet (esp. the Windows client), even if you don't use the server portion.

    http://www.f-secure.com/products/ssh/

    List of platforms:

    Server
    • All major Unix platforms: Solaris, Linux, HP-UX, AIX, BSD
    • Windows 2000, Windows NT 4.0

    Client
    • All major Unix platforms: Solaris, Linux, HP-UX, AIX, BSD
    • Windows XP, Windows 2000, Windows NT 4.0, Windows 95, Windows 98, Windows ME
    • MacOS
    • Nokia 9200 Series Communicators

  13. Other thoughts by tsetem · · Score: 3, Insightful

    Not sure what the requirements are, but if you are looking for secure access, you may want to consider a web-based file repository with an SSL front-end on it. You could have your choice of Apache & mod_ssl, or Stronghold (an Apache derivative).

    If using OpenSSH is questionable, using the #1 webserver shouldn't be. If Apache isn't proven or reliable in their eyes, then you have a really tough uphill battle.

  14. Been there, done that by gr8fulnded · · Score: 5, Interesting

    I had the exact same situation about 6 months ago. I won, sorta. I simply said our industry is going through hard times right now and using OpenSSH will save you $500k in licensing fees.

    We ended up compromising. They wanted vendor software, I wanted free. For the mission critical systems, we chose FSecure (fsecure.com) and for the high-importance and below (to include desktops), we went with OpenSSH.

    Worked out well. With F-Secure we also purchased Windows clients for the developers, and if anything ever happened, they had the support they were looking for from the vendor software. With everything else, OpenSSH did the job along with PuTTY on the peasants' computers.

  15. Lots of Options by Anonymous Coward · · Score: 3, Informative

    There are several options for commercial SSH vendors. I found myself in a similar position a couple of years ago. I worked at a company that provided 24/7 security support to hundreds of companies, and _had_ to have a commercially supported SSH for both insurance and customer relations purposes. We started out using F-Secure, but the licensing and support were terrible. On top of that we found out that F-Secure simply licensed SSH.com's code and rebranded it. We worked a fantastic deal with ssh.com that allowed us to deploy SSH enterprise-wide. On top of the good deal, we found the support to be excellent. At one point we needed some LDAP integration done and SSH.com had it done by the next release. I have also found SSH.com to be better security-wise (since they do this to make money) than OpenSSH; check their track record. Anyhow, F-Secure, SSH.com and a couple of other companies offer SSH commercially. Good luck.

  16. OpenSSH _is_ industry-proven. by mesozoic · · Score: 4, Insightful

    OpenSSH is by far the best SSH implementation available; the fact that it's freeware is a horrible reason not to use it. Explain to your employers that for a fee (and probably a smaller fee than most corporations would want) the OpenSSH team would most likely provide your company with expert support and services.

    Don't roll over and allow your firm to adopt a second-rate (and more expensive) security product simply because they don't trust open source. The answer to your problem, as uncomfortable a situation as it may be, is to try to inform the higher-ups of why they're misguided (without losing your job ;D).

  17. HPUX has an official OpenSSH-based implementation by Marx_Mrvelous · · Score: 3, Informative

    They have .depots available for 11.00 and 11i, and they are officially supporting it. That's a commercial OS/backing.

    --
    Moderation: Put your hand inside the puppet head!
  18. Usage Stats by rwash · · Score: 4, Informative

    http://www.openssh.org/usage/index.html

    The OpenSSH team has put together a great page with a number of different usage statistics for SSH.

  19. OpenSSH vs Commercial SSH by Bagheera · · Score: 5, Insightful

    The company I work for ("a little hardware vendor in the Valley") switched from the commercial ssh client and server package to OpenSSH for all of our servers. OpenSSH proved more robust and easier to support - not to mention much, much less expensive. And yes, I'm including the "cost" of our SysAdmin's time and the time of the person who manages distribution of our 'approved' OpenSSH package.

    There really is no reason to use a commercial product unless the management is stuck on the "We need someone to sue if it breaks" business model of software acquisition.

    --
    Never attribute to malice what can as easily be the result of incompetence...
    1. Re:OpenSSH vs Commercial SSH by _Sprocket_ · · Score: 3, Interesting

      There really is no reason to use a commercial product unless the management is stuck on the "We need someone to sue if it breaks" business model of software acquisition.

      SSH, Inc.'s Windows server offering had much better system integration than any of the Windows OpenSSH projects. Granted - this may no longer be the case (last I looked at this issue was over a year ago).
  20. Yep, let's not use freeware by unformed · · Score: 3, Funny

    a la FreeBSD, OpenBSD (One remote hole in the default install, in nearly 6 years!), OpenSSH, Apache, etc.

    Instead, let's use proprietary "secure" software, a la Win2000, IIS, etc.

  21. SSH is the original by ddstreet · · Score: 4, Informative

    The SSH protocol was created by ssh.com, and in the past they have tried to stop OpenSSH from using the SSH name (see here and here and here). The SSH product from ssh.com was created before any SSH standard existed, and its protocols became the de facto way to communicate securely. It was (and according to the license agreement, still is) available for free (as in beer) for non-commercial and educational use. It's available at their ftp site or a mirror.

    If you want an "industry proven and supported" product that supports SSH protocols, then the original SSH is what you want, but you'll (obviously) have to pay.

  22. Dude, you could make some serious cash by RedRun · · Score: 3, Funny

    Ok, this is what you do:

    Register a company called "Secure Products Inc.", and make a quick website, fake some letterhead, etc. Then, tell your boss you found a great SSH product from Secure Products for only $50 per seat. Then, download the newest version of OpenSSH, change the name to SPISSH and watch the $$$$ roll in!

    Word.

  23. Stupid managers: fire them by Ogerman · · Score: 5, Insightful

    The response I received stated that they don't like to use freeware, but only consider industry proven and supported software.

    Then your company needs to fire its IT management staff since it is apparent they have absolutely no idea what they're talking about. In the meantime, you can tell them that OpenSSH is NOT freeware. I wouldn't trust freeware either. The difference? Freeware is typically closed source software that the authors refuse to release the code to because they think they're really "eleet" or some similar childish reason. I would also ask you: if you're a talented geek (assumption), why are you working for some lame company that refuses to touch Open Source software? Go somewhere where you're gonna make a difference. If you have the skills, you'll find plenty of jobs doing what you'd really like to do.

  24. I saved my previous company $60K with OpenSSH by oobeleck · · Score: 4, Insightful

    The "security" admin there wanted to load F-Secure on everything.
    Except he didn't know how to load it. I was tasked with "implementing SSH..."
    I loaded OpenSSH on all the Sun boxes (90+). Loaded up PuTTY for all the developers and started shutting off telnet/ftp.
    The F-Secure sales rep called me to see "how things were going".
    I told him we were going to go with OpenSSH. He asked about support... I laughed at him. 2 weeks later a major hole surfaced in SSH
    (OpenSSH was not vulnerable to this one), and F-Secure was the LAST vendor to come out with a fix, a la 2+ weeks later.

    I have OpenSSH running on my HPUX box, all my Sun boxes, all my Linux boxes, and of course my OpenBSD boxes.
    If OpenSSH is good enough for Sun/HP/Red Hat it ought to be good enough for your managers. If not, it might be time to go BOFH on them....
    Just load it on there and then tell them you *didn't realize* it was already on there.... Then stuff them in a tape safe...

  25. Re:Well proven? by bolverk · · Score: 3, Informative

    You mean the "very similar to the Netcraft Web Server Survey" done by the OpenSSH people?

    Couldn't find anything at Netcraft, so I assumed this is what you were talking about.

  26. SSH.com server and client... by stirfry714 · · Score: 3, Interesting

    This is one of those situations where I've actually been pleasantly surprised by both the commercial (SSH.com) and non-commercial (OpenSSH) products. I've used both, almost interchangeably, and like them both. It's really a toss-up for me.

    Some people might point to the recent OpenSSH security holes trying to discredit them, but look at how quick the turnaround on patches was... amazing.

    One thing I did want to point out was the SSH.com Windows client. I really like it. It might not be worth the money, but if you fall into one of the categories where you get a free license (allows university use and non-commercial use according to their website), it's quite good. I especially like the ease of opening additional sessions or secure file transfer, etc. Worth checking out...

    (And definitely don't use the TeraTerm SSH client. It's still SSH version 1, and is just a hack on top of TeraTerm... never seemed like the greatest solution to me, even if it did work)