Slashdot Mirror
SSH-Based Solutions - Looking for Industry Proof?
mcwop asks: "My company's IT department is trying to set up secure FTP with a vendor. It would be set up on a Sun box (not running Solaris 9). I emailed suggesting they look at OpenSSH. The response I received stated that they don't like to use freeware, but only consider industry proven and supported software. I have found one commercial version
at SSH. What other commercial versions are out there (I know Solaris 9 comes with SSH)? But more importantly, what are some commercial successes? What large organizations are implementing SSH?"
Why don't you talk to the openssh team? I'm sure that for some nominal fee you can get extra priority support. OpenSSH is (IMHO) the best ssh implementation out there, and its from a dedicated team where security supercedes even functionality. The newest version of OpenSSH promises to be very hard to exploit.
Mac OS X (and X Server) ship with OpenSSH. Those are considered commercial OS's. I bet Solaris 9's SSH is also OpenSSH (don't know for sure though). Sounds like your managers have their heads where the sun doesn't shine.
In 1994, I took a job at a bank in Oklahoma. My boss at the time had the attitude "We're a bank, we pay for software".
:-)
Then I showed him screen. Suddenly the light went on in his head-- "Hey, I don't have to use 2 phone lines and 2 modems to get 2 shells at work!" To him, it was the greatest thing since sliced bread.
After that, he didn't have any problems letting me install emacs.
At least mafia-owned pizzarias make excellent pizza. Compare to Bill Gates.
OpenSSH is far more widely used than any commercial variant. You'd be hard pressed to find a fortune 500 company that isn't using it somewhere. Almost any provider of IT services or network services uses it, unless they have no *nix boxes at all and provide no services on anything other than a windows platform. Try a quick survey of network security companies and ask how they do remote access/filetransfer -- no matter how big, scp/ssh will be the answer, and it will be openssh for a majority of them.
Both SSH (Company) and F-Secure sells commerical products of SSH. But maybe if you word it differently, your management should accept OpenSSH since it is being used by many companies. My company (a smaller 100+ person) uses OpenSSH extensively.
http://www.openssh.org/users.html
Also Nokia's IPSO (on their Checkpoint based firewalls uses openssh.
As you can see Sun uses it. Good enough. I thought so.
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
F-Secure makes a rather kick-ass line of SSH products. We use them in production here (major tire manufacturer.), and it is FIPS 140-1 compliant. The client-side portion is pretty schweeeeeeet (esp the Windows client), even if you don't use the server portion.
http://www.f-secure.com/products/ssh/
List of platforms:
Server
All major Unix platforms; Solaris, Linux, HP-UX, AIX, BSD
Windows 2000, Windows NT 4.0
Client
All major Unix platforms; Solaris, Linux, HP-UX, AIX, BSD
Windows XP
Windows 2000
Windows NT 4.0
Windows 95
Windows 98
Windows ME
MacOS
Nokia 9200 Series Communicators
I had the exact same situation about 6 months ago. I won, sorta. I simply said our industry is going through hard times right now and using OpenSSH will save your $500k in licensing fees.
We ended up compromising. They wanted vendor software, I wanted free. For the mission critical systems, we chose FSecure (fsecure.com) and for the high-importance and below (to include desktops), we went with OpenSSH.
Worked out well. With FSecure we also purchased Windows clients for the developers and if anything ever happened, they had the support they were looking for the vendor software. With everything else, OpenSSH did the job along with PuTTY on the peasants computers.
Tera Term on Windows is the best.
It's good, but I've switched to PuTTY, mainly because it can heartbeat an SSH connection with an empty packet every minute to prevent sessions being timed out by over-zealous firewalls - very convenient if you need to monitor several machines.
The company I work for ("a little hardware vendor in the Valley") switched from the Commercial ssh client and server package to OpenSSH for all of our servers. OpenSSH proved more robust and easier to support - not to mention much, much, less expensive. And yes, I'm including the "cost" of our SysAdmin's time and the time of the person who manages distribution of our 'approved' OpenSSH package.
There really is no reason to use a commercial product unless the management is stuck on the "We need someone to sue if it breaks" business model of software acquisition.
Never attribute to malice what can as easily be the result of incompetence...
The response I received stated that they don't like to use freeware, but only consider industry proven and supported software.
Then your company needs to fire its IT management staff since it is apparent they have absolutely no idea what they're talking about. In the meantime, you can tell them that OpenSSH is NOT Freeware. I wouldn't trust freeware either. The difference? Freeware is typically closed source software that the authors refuse to release to code to because they think they're really "eleet" or some similar childish reason. I would also ask you: if you're a talented geek (assumption), why are you working for some lame company that refuses to touch Open Source software? Go somewhere where you're gonna make a difference. If you have the skills, you'll find plenty of jobs doing what you'd really like to do.