SSH Claims Draw Open Source Ire
JDStone writes to tell us eWeek is reporting that claims by SSH Communications, the creators of SSH, that OpenSSH is not an 'enterprise-class product' are being met with a great deal of resistance. Theo de Raadt, of OpenBSD fame and a member of the OpenSSH development team, was quoted saying "OpenSSH is built into all Unix and Linux vendor operating systems, and is also built into almost all larger managed network switches, from Cisco through Foundry. It comes on Linksys and D-Link wireless and security routers too."
I'm sure SSH Communications stands to make more money if they can discredit a free, opensource product.
This means that paying for a product is going to make it better?
Users of the world: We're here to help you, but help us help you. (your IT dept)
They are selling a product and they will say that to sell their product. Come on what else would you expect. This is like MS saying Windows is more Secure than Linux even though everybody knows the truth.
Are they implying the DOD isn't an Enterprise class network?
They claim that it's an enterprise product, another class of software than OpenSSH. They don't seem to have much of an argument for why it's so much different. The only comparison they manage to draw is that OpenSSH doesn't have very good SFTP, which they neglect to back by any comparison to their own. Straw man at best it seems. Anyway, what is so 'enterprise' about it that OpenSSH doesn't have? Seems to me that every 'enterprise' server running a *nix has it, so doesn't that make it enterprise enough?
The only way to tell the difference between a hamster and a gerbil is that the hamster has more white meat.
In other news, Axe body spray doesn't get you laid, and Red Bull doesn't give you wings.
Hey, I'm all for OpenSSH - use it every day on almost any PC I touch, but "ready for enterprise" can have more meanings than just how secure/usable a product is.
... which it sounds like the Commercial SSH version may offer.
What may be missing from OpenSSH (and I'm not claiming to be an expert - just a user) is an enterprise manager
I'm sure there's a way to enterprise-manage ssh other than passing keys around. But it doesn't seem to come out-of-the-box with OpenSSH just yet.
"The large print giveth, and the small print taketh away" -- "Step Right Up", Tom Waits
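The "passing keys around" that this post refers to (and that the thread's later PKI comparison contrasts with certificates) is the client-side known_hosts trust store. As an added example, not OpenSSH's code and not from any poster, here is a parser for that file, including the hashed entries written when HashKnownHosts is on, together with the trusted/mismatch/revoked/unknown decision a client makes before accepting a server key. The file contents, the fixed salt and the key blobs are constructed placeholders.

```python
"""Client-side host key trust in OpenSSH: parsing known_hosts.

Added example, not OpenSSH's own code. It models the per-user trust
store that must be distributed (or built up one prompt at a time)
when there is no central manager or certificate authority.
Hashed entries, as written when HashKnownHosts is enabled, look like
|1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname)).
The file contents, salt and key blobs below are constructed placeholders.
"""
import base64
import hashlib
import hmac


def hash_host(host: str, salt: bytes) -> str:
    """Produce the hashed host field OpenSSH writes for one hostname."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(digest).decode())


def host_matches(host_field: str, host: str) -> bool:
    """Match a known_hosts host field (plain list or hashed) against one name."""
    if host_field.startswith("|1|"):
        _empty, _version, salt_b64, digest_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        stored = base64.b64decode(digest_b64)
        computed = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(stored, computed)
    # Plain fields may list several comma-separated names and addresses.
    return host in host_field.split(",")


def parse_known_hosts(text: str):
    """Yield (marker, host_field, keytype, key) for every entry in the file."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):              # @revoked or @cert-authority
            marker, line = line.split(None, 1)
        parts = line.split(None, 3)           # host field, key type, key, [comment]
        if len(parts) < 3:
            continue                          # malformed line: skip it
        yield marker, parts[0], parts[1], parts[2]


def check_host_key(text: str, host: str, keytype: str, presented: str) -> str:
    """Classify a server's presented key against the file.

    'trusted'  - a stored key for this host equals the presented one
    'revoked'  - the presented key is listed under an @revoked marker
    'mismatch' - the host is known but with a different key (ssh's
                 "REMOTE HOST IDENTIFICATION HAS CHANGED!" case)
    'unknown'  - no entry at all (ssh's first-connection prompt)
    """
    entries = [(m, t, k) for m, h, t, k in parse_known_hosts(text)
               if host_matches(h, host)]
    if not entries:
        return "unknown"
    for marker, stored_type, stored_key in entries:
        if marker == "@revoked" and stored_type == keytype and stored_key == presented:
            return "revoked"
    for marker, stored_type, stored_key in entries:
        if marker is None and stored_type == keytype and \
                hmac.compare_digest(stored_key.encode(), presented.encode()):
            return "trusted"
    return "mismatch"


# --- constructed sample data (placeholder key blobs, not real keys) ---
SALT = bytes(range(20))   # OpenSSH uses 20 random bytes; fixed here for reproducibility
KEY_BASTION = "AAAAB3NzaC1yc2E-PLACEHOLDER-BASTION"
KEY_DB = "AAAAB3NzaC1yc2E-PLACEHOLDER-DB"
KEY_OLD = "AAAAB3NzaC1yc2E-PLACEHOLDER-OLD"
KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    f"bastion.example.internal,192.0.2.10 ssh-rsa {KEY_BASTION} ops@console",
    f"{hash_host('db.example.internal', SALT)} ssh-rsa {KEY_DB}",
    f"@revoked old.example.internal ssh-rsa {KEY_OLD}",
])

if __name__ == "__main__":
    for host, key in [("bastion.example.internal", KEY_BASTION),
                      ("db.example.internal", KEY_BASTION),
                      ("old.example.internal", KEY_OLD),
                      ("new.example.internal", KEY_DB)]:
        print(f"{host:28} -> {check_host_key(KNOWN_HOSTS, host, 'ssh-rsa', key)}")
```

Every client that should trust a server needs a line like these, which is the distribution problem the post points at; a hashed entry hides which hosts a user connects to if the file leaks, but does nothing to reduce the number of files that have to be kept consistent.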
that "Enterprise class" is management-speak for pay-through-the-nose. There has been and always will be a deep suspicion against low-cost or free (as in beer) products. There's plenty of stuff on the market that people can't give away that is sold to schmucks everywhere.
http://www.google.com/intl/xx-klingon/
This appears to be no different. They are obviously trying to come up with a reason why you shouldn't compare the two products as theirs will fare so badly.
Google agrees that Klingon is a real language, but Elvish is pushing it.
When you're afraid to download music illegally in your own home, then the terrorists have won!
I realise I'm displaying my ignorance here but it should hopefully prove a point. I've used OpenSSH for years and until now I had no idea they didn't develop the protocol or that a commercial variant existed.
Couple that with the sheer number of servers and distributions using OpenSSH and the statements by Byron Rashed seem to have the ring of sour grapes.
Enterprise-class is management speak for "has a pretty GUI that a monkey can use". If one is managing thousands or tens of thousands of accounts, one doesn't want to pay somebody big bucks to do it using Open Source if said open source requires an $80k/yr person to administer it. It's a TCO calculation, nothing more.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Not that I'm defending SSH, but it really depends on what specifically you are speaking of when it comes to comparing the offering of OpenSSH and SSH Communications. The two products are fairly similar for base installs and function about the same. The problems with OpenSSH come into play in the enterprise when you want to manage the SSH installs globally or integrate the SSH server with other products.
Two examples from my own experience. We attempted integration with RSA, and OpenSSH had significant problems that we had to resolve; in the end we could not resolve the final problem, which was that a session would hang after exiting the shell if the session was authenticated using the RSA PAM module.
The other example is related to distribution and configuration management. We have started using SSH Communications' central management center to distribute new versions of Tectia server as well as centrally manage the configuration for Tectia/ssh. This has reduced our management overhead considerably. This is an "enterprise" feature.
--russ
Did Darl finally move on to another project and change his name?
If you block cookies, it just shows you the flash premercial page over and over. (Yes, I block flash also.) I've tested this by accepting the cookie to see the article. I've searched for friendly copies elsewhere on the net, but failed to find any.
Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
s/It comes on Linksys and D-Link wireless and security routers too/Don't forget about Poland
Come on. Stop feeding the troll. He's a marketing droid. He comes from a tradition of making outlandish claims or at best distortion of truth. It's his job to drive sales for SSH. We should treat what marketing people say the same way we treat any advertisement. Take it with a block of salt. Obviously an open source implementation of SSH competes, and has done so very successfully, with SSH. This is their attempt to win back the market. It's not worth giving too much thought to.
EvilCON - Made Famous by
Telltale Games: Bone, Sam and Max
WHAT A PIECE OF F'ING CRAP.
I'm really not trying to post flamebait here, but GAH, the people who work on that thing should hang their heads in embarrassment. Spaghetti code, no comments -- I'm talking a total mess. I was actually just looking for the code that clears the screen when you log out of a session (because I actually hate the automatic clear screen, and was hoping there was an option for it). I finally gave up in disgust.
Now, I'm not saying that proprietary source is always golden (I mean, we know it isn't), but the worst code I've ever developed in my life is better than that rat's nest. I'd fire any programmer who dared to bring me such a horrible mess.
Anyway, a big "thank you" to the universe for getting this story posted. :)
Sometimes it's best to just let stupid people be stupid.
You can tell the difference between news and Public Relations fairly easily these days. Either can look at a controversy like "SSH is enterprise-class software" (whatever that means, exactly). PR publishes a story about how one party claims it isn't, and another party irately claims it is, without telling the story of whether, in fact (or even in reliable opinion), it is or not. Actual news reporters investigate what "enterprise-class software" is, compare SSH to that, and tell the story of the software. Even including the opinions of experts, and inexpert stakeholders in the debate.
We know that eWeek, like most IT press, is PR. But it's instructive to compare eWeek's obvious PR to "mainstream media", which is now mostly just PR. Real reporting keeps the "fairness and balance" in the process of determining the real story. Then tells the real story, with evidence and witnesses to back it up. PR, and most MSM, just spouts endless hours of newscycle reiteration of "sources" promoting their versions of the story.
--
make install -not war
(Sites that will trap you in an infinite redirect loop if you refuse their cookies are intolerable. I'm reprinting the article in the clear here to protest this behavior.)
SSH Claims for New Secure Shell Draw Open-Source Ire
By Steven J. Vaughan-Nichols
September 27, 2005
SSH Communications Security Corp., a provider of enterprise security solutions and end-to-end communications security and the original developer of the Secure Shell protocol, announced this week the availability of Version 5.0 of its SSH Tectia client/server solution and SSH Tectia Manager 2.0.
Secure Shell programs provide a transport-level protocol for administrators and remote users to securely log into remote servers for management, work and FTP (file transfer protocol) transfers. It's most often used for remote administration purposes.
The SSH Tectia is available on Windows, Unix, Linux and IBM mainframe z/OS environments. SSH Tectia can be centrally managed with SSH Tectia Manager.
Byron Rashed, senior marketing communications manager of SSH Communications Security, claimed that SSH's product is better suited for enterprise-scale business applications than a similar open-source product from OpenSSH.
"OpenSSH is not an enterprise-class product that is needed for the demands of a large-scale deployment. We do not compare OpenSSH to our SSH Tectia solution, since it's far from the same," Rashed said.
However, OpenSSH is very popular and is commonly deployed in almost all BSD, Unix and Linux systems. More than 87 percent of Internet-facing servers were using OpenSSH, according to an OpenSSH Internet scan in September 2004.
Rashed acknowledged this but added, "Many vendors use it because it is free and they can use it without a license, so the number of users for remote access is quite large, but it does not provide very good SFTP or application connectivity usage."
In any case, "OpenSSH certainly has its place, and we are not competing with them. We truly have a different class of product that is more suitable for business-critical applications" that customers ask about, said Rashed.
These comments raised the ire of Theo de Raadt, leader of the OpenBSD operating system and a member of the OpenSSH development team.
"OpenSSH is built into all Unix and Linux vendor operating systems, and is also built into almost all larger managed network switches, from Cisco through Foundry. It comes on Linksys and D-Link wireless and security routers too," said de Raadt.
"It is just the most commonly installed security software used anywhere in the world," he said. According to OpenSSH's numbers, the SSH product line is on less than 7 percent of servers, and most of that comes from SSH-1.5, with 5.38 percent.
"It is only when you get to their SSH-1.99 and SSH-2.0 versions, at 0.32 percent and 1.22 percent of the market, that you are talking about modern SSH commercial versions," said de Raadt.
Rashed contends that business customers are now looking for Secure Shell programs with support and liability protection "due to compliance regulations and security audits." Specifically, "we have heard lots about SOX 404 [Sarbanes-Oxley], CA SB 1386 [California Information Practice Act], HIPAA [Health Insurance Portability and Accountability Act] and others along with internal audits that are driving customers to SSH Tectia," Rashed said.
"Liability is also an issue that companies are worried about. Open-source software usually does not have any indemnity insurances associated with them."
This misses "the point that the two are not exclusive. You can go to any number of OS vendors [like Red Hat or Novell] and pay for accountability and support for an OS that includes OpenSSH," countered Mark Cox, a Red Hat Inc. consulting engineer and founding member of the OpenSSL group.
as whatever our product has that the competition doesn't.
Elivish ISN'T a real language. Elvish, on the other hand, is centuries old, and real. Like the Easter Bunny.
That's because almost everything that's 'enterprise-class' is crap.
Sheesh. If I had a nickel for every time upper management was impressed into buying a 3-million dollar equivalent of syslog, I'd be back in the dot-com boom.
_______
2B1ASK1
for quite a number of years. In networks both big (huge) and small (just to the room next door). And to be honest they are both pretty much configure and forget. But if I were deploying a world class enterprise, I'd stick with OpenSSH. If for no other reason than it is an off-shoot of the OpenBSD project and using that has convinced me what a truly first class OS looks like. OpenSSH is enterprise ready enough for virtually anyone on this planet.
--
Simulated Sig
"OpenSSH is an enterprise-class product that is needed for the demands of a large-scale deployment. We think OpenSSH compares very favourably to our SSH Tectia. In fact, there really is no reason for enterprise users, or any users for that matter, to purchase our SSH Tectia product."
Does anyone really expect Rashed to say that?
"Anyone that has ever gotten an idea based on any of my work and done something better with it-good for you."--J.Carmack
Don't forget the poor documentation for the OpenSSL API. Last time I saw (and that was a couple of months ago), some functions were still "to be documented in the future". :-(
Name one non-fictitious native speaker of either one, and we'll call it a day. They're creoles at best.
I believe that I applied for an exemption for this term when I originally set up the ad with AdWords, but it's been running for months quite happily without bothering anyone.
When I Google for "enterprise-level" I (of course) get loads of hits discussing enterprise-ready email, whether Linux is enterprise-ready, firewalls & stuff, but I see the only advertiser is Enterprise Rent-A-Car UK. That makes me extremely tempted to trademark the term in the context of ADSL modems & then file a complaint about the Ford-pimping bastards. At least that way I might get a dialogue going with Google - as it is I confidently expect any complaints or protests about the matter to be ignored or get auto-responses; if I create a new advert with the words it gets suspended within half an hour.
If there's anyone reading this who works at Google then I'd be extremely grateful if you could have a little word with your censorship department for me, or give me a direct email address for them. Having an advert claiming "Outstanding Linux-support" simply doesn't satisfy me the way "Enterprise-level Linux support" does. And hey! Linux is a trademark, so I guess they'll be censoring that next week!!
Thank you for ignoring this rant. Please moderate it "funny" because I surely won't be so miffed at Google next week.
I reported a problem with Eudora a couple of years ago that Qualcomm support eventually attributed to a "bug" in OpenSSH. While it's true that we'd recently installed a new version of OpenSSH to address a security exposure, pointing out the widespread use of OpenSSH and the fact that every other POP3 client that I used with it worked just fine seemed to have no impact on them. It was quite clear from their responses that they didn't think we should be using OpenSSH - or open anything, as far as I could tell.
That's when I discovered that Thunderbird was reaching the point where it was a quite competent replacement for Eudora. I've taken great delight in pointing that out to anyone who asks about Eudora upgrades.
I'll wager you don't even know what a creole is. Quenya and Sindarin are certainly languages, though they have limited vocabularies. As to Klingon, my understanding is that it is a language as well. Just because they are artificial is no reflection on whether they are languages or not.
The world's burning. Moped Jesus spotted on I50. Details at 11.
Keeping OpenSSH environments secure requires constantly updating the environment with the latest security patches. However, updating OpenSSH servers involves an extremely laborious and time-consuming process of source-code compilation, testing, installation, and configuration. In large-scale environments this leads to a heavy administrative burden and increased costs. As a result, during times of constrained IT budgets many organizations have been forced to neglect frequent security patches and software updates, making them vulnerable.
Hmm... if any of these corporations hire a moran who can't run make on one system and distribute the binary throughout a network, they deserve what they get. I doubt Tectia can make it simpler than that. Hell, one could write a friggin' perl script to do it for them.
It seems that SSH Communications assumes retarded sysadmins are the norm in IT.
This is just stupid. There are open source products out there that are clearly good enough to be used in "enterprise" settings and OpenSSH is one of them (Apache, Perl, Linux being some others). I've looked at what commercial SSH vs OpenSSH offers and I honestly can't think of a reason to use the commercial product. I agree (for once) with Theo and ask if it's not "enterprise class", why would O/S vendors include it in their products (Sun, Red Hat etc)? For the record, all of my Solaris systems run OpenSSH supplied by Blastwave and the Linux machines have it already. It's all about the right tool for the job and open vs commercial is a secondary consideration (IMHO) over utility. In this case, the open source offering is at least as good as the commercial product.
What extra features do you need out of SSH anyway? I ask not to be a smart arse, but as a genuine inquiry.
If SSH Comm. uses OpenSSH in their products. I mean, maybe all they're doing is slapping some lipstick on a pig and calling it Paris Hilton.
What those who want activist courts fear is rule by the people.
OpenSSH is limited to IPv4 and IPv6. Limited? Well, yes. Linux supports many non-IP stacks, as do other *nix OS'. So long as you have some component to handle the making of connections and the sending of packets, the rest of OpenSSH doesn't need to care what sort of network you're using or what the transport mechanism is.
I believe OpenSSH can take advantage of some crypto hardware, but I don't recall seeing any announcements that it could use crypto drivers (or crypto functions) in the OS. It links to OpenSSL, but I don't recall seeing any provision for GnuTLS.
Is it the best crypto package out there (SSL included)? Yes. Is it the best it could be? Not by a long shot. Is it the best that it should be, given the code available (both for OpenSSH and as related libraries)? Not even close.
OpenSSH is every bit as "enterprise" as SSH - in fact, for some things, I'd say more so. Does that give the OpenSSH team any excuse to slack off? No - they should be so far ahead, by now, that SSH seems as ancient as the Pyramids and as user-friendly as a unicycle NASCAR.
Of course, we could settle the dispute by bribing^H^H^H^H^H^H^Hlobbying to make IPSec a Federally-mandated standard for all Internet-based computers. Then application-level crypto would cease to be important and we could get onto something useful, like Microsoft-bashing.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
True, you can't buy it !
I'm sure there's a way to enterprise-manage ssh other than passing keys around. But it doesn't seem to come out-of-the-box with OpenSSH just yet.
Kerberos. Its implementation in OpenSSH is a good example of how they specifically support enterprise admin. Kerberos is fairly poor security-wise, using symmetric encryption and hence holding copies of user passwords on the server. It's poor security according to those with high standards, and inferior to PKI according to everybody. But OpenSSH supports it, because Kerberos is the most popular single sign on method used at corporates.
Interestingly, OpenSSH's market share is something like 76% of all SSH servers.
Until someone reorganizes the code into a library that can be linked into other applications, then I'm not sure how useful it is for an "enterprise". Sure I can use OpenSSH to log in to other machines and run command-line apps, but that's all I can use it for. If I want to develop a client/server app that leverages SSH technology then OpenSSH doesn't help me very much. Even if they did make a shared library out of it, if I linked it into my app then would my whole app need to go open source?
a default openbsd install comes with keynote, a fully-fledged distributed trust management system, which is automatically used by e.g. isakmpd and such.
Because when we looked at it a few years ago it said something that amounted to
"This may or may not contain someone else's code so if someone comes after you legally, you're on your own."
Our lawyers did not like that one bit.
Maybe you need to use a different scent, but it works for me.
Byron Rashed, senior marketing communications manager of SSH Communications Security, claimed that SSH's product is better suited for enterprise-scale business applications than a similar open-source product from OpenSSH.
Since when do we care what a Marketing manager says about anything.
Enjoy,
It's just the normal noises in here.
sheesh - I thought there were actual nerds on /. - guess I was wrong...
It's:
a) The kids who graduated from the elementary school held on the ship.
b) The stiff upper lip kept by Picard and crew in the face of extreme danger.
c) The next class after Galaxy.
d) The schooling you get by the geek army if you think Picard could kick Kirk's arse.
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d Capitalization really works: i helped my uncle jack off a horse
I was ready to jump all over this until I RTFA. This paragraph is truth; anyone who works with enterprise-level systems knows SOX and HIPAA are taken so seriously by the C-level execs of companies that they are desperate for someone to provide liability protection. That and management are important, and nowhere in the article did I see them say that SSH is not secure. Those of us who work with C-level people know that SSH Tectia has a point in separating themselves from OpenSSH; I just hope my CIO does not see this ;)
Often it's "enterprise" because it makes managing your enterprise easier. Not something home users would care much about, but in a large environment it's valuable. Like we use Ghost Enterprise Server here for PC work. The way it works is you install a Ghost client on the computers (if they run a supported OS) or boot from a Ghost boot CD/USB key (if they don't) and then the server can start ghost tasks. It can pull and push images to many systems at once, all remotely. So if someone screws up a system (which happens in student labs) we can get it back up quickly, if we need to switch a lab over for something (like switch a Windows lab to Linux for a presentation), no problem.
Now it's nothing we couldn't do by hand, of course, and something we could probably hack together from freely available software. However the advantage here is that it's ready to go as is. Given that we do not have the time to mess with this kind of thing, it's worth the money to us.
Now I'm sure some enterprise software is pure fluff, but often the "non-enterprise" solution is woefully short on capabilities. It'll have all the technical stuff it needs, but lack in the ease of configuration, use and management. If you are running one server for yourself, you can tinker with nit-picky shit as much as is required. However when you run 1000 systems that's just not the case. You don't have that kind of time. You need to be able to centrally deploy and manage shit easily.
That's the whole point of things like LDAP (or Microsoft's version of it, Active Directory). Sure, you could keep a local user DB on each computer, and just update it as needed. Works fine, needs no new software. However that gets to be a bitch if you are talking 500 computers and 3000 users. Much better to have a central system. In our case, we pay Sun for a product that syncs our Active Directory to our Sun LDAP database. Could we do it manually? Sure. Could something have been hacked to do it? Ya, but we lack the time, and the personnel to do that. Better to just pay Sun for it.
What extra features do you need out of SSH anyway? I ask not to be a smart arse, but as a genuine inquiry.
Security?
Secunia Advisories:
SSH Communications
- SSH Secure Shell for Servers 2.x
- SSH Secure Shell for Servers 3.x
- SSH Secure Shell for Windows Servers 3.x
- SSH Secure Shell for Workstations 2.x
- SSH Secure Shell for Workstations 3.x
- SSH Sentinel 1.x
- SSH Tectia Client 4.x
- SSH Tectia Server 4.x
OpenBSD
- OpenSSH 3.x
- OpenSSH 4.x
OpenBSD has a pretty good reputation for being secure and I didn't see anything in the advisories above that made me worry. I don't think this pay-to-play ssh is going to give me more security. I think I'll stick with OpenSSH.
-Joe
Mod parent funny & overrated -- this is an oft-repeated joke on /. that seems to be regurgitated in some form every day...
Pirate Party UK
The OpenSSH developers don't have any problem pushing back enterprise features such as partial authentication. In fact, they aren't even SLIGHTLY interested in supporting it even though there are patches out there that implement such a feature.
to the clueless mod who modded this up: it is an old template Mac troll.
Snowden and Manning are heroes.
Key-generation: there are TONS of ways to generate a key. All of them will give you a key in the end, but the process leading up to it can be done in different, and varying secure ways. Faster ones will use a Pseudo-RNG (insecure), while slower ones will use network events (semi-real-random, and far more secure), or something like mouse movements. Really, you can't compare the two.
File copying: again, it's MOSTLY a function of the encryption algorithm. If you're using a simpler, and less-secure algorithm, you'll get faster transfers, and less CPU utilisation doing those transfers.
It's this kind of thing that Microsoft uses when comparing, for example, IIS and Apache. Their comparisons using HTTPS were done with different hash and encryption algorithms, which make up a HUGE portion of the resource utilisation.
Let me start out by saying I've used OpenSSH more than SSH Communications'. I've NEVER had a problem with OpenSSH; it always acts how I configure it. I will however attack SSH Communications on their claim based on my experience with their Windows client. It's downright horrid. The free version is buggy as all hell and tends to crash only once in a while. If the free version is crapware the paid version is crapware as well. I see how they stand to make money on this.. Too bad it won't be as much as anticipated as they just don't have a superior product.
I responded to a troll.... shame on me :)
They're groups of people. They get together and decide what to do. Usually the controlling body of shareholders says "do wtf you want as long as I make oodles of money".
... that's because the individuals don't bring their souls into their finances. Spending power can change the world. Look at the Fair Trade movement (http://www.fairtrade.org.uk/) ... heck don't just look, do something about it.
People hide within the group and don't care if they have Nike shares and Nike abuses child labour (an example from the 90's). The people say "great, more money for me"; then when it becomes public they say "oh shame on Nike".
What is possibly worse is that we, as consumers, say "you're doing great" by buying the mega-corps' products. There are few markets where there isn't a _more_ ethical alternative.
If the corporations, the groups of people are soul-less
This guy has a short memory. Wasn't it SSH version 3.0 that let you authenticate under an existing user account, just by typing any two-character string for the password?
#DeleteChrome
We attempted integration with RSA, and OpenSSH had significant problems that we had to resolve; in the end we could not resolve the final problem, which was that a session would hang after exiting the shell if the session was authenticated using the RSA PAM module.
I had that problem too... we fixed it by turning on PrivilegeSeparation (I know the RSA docs say to turn it off, but ignore that).
In any event, that's a problem with RSA's buggy PAM module, not OpenSSH.
If you're running an SSH server you'll want to use DenyHosts. It will help keep script kiddies and evil doers from having a party on your server. http://denyhosts.sourceforge.net/.
I can't for those two, but there are native Esperanto speakers. Like George Soros.
Please, for the good of Humanity, vote Obama.
the commercial ssh.com site appears to draw a bigger audience (and thus, a better alexa ranking) than the free openssh.com site. if the more popular, better-known software (ssh, commercial) wants to call attention to a free competitor (openssh, free), that's their mistake, and i hope the openssh community benefits from it!
That might work if the free software was not as good as the commercial competitor. As it is, they just made themselves look like morons and I'll never consider anything they have worth the money because of it. OpenBSD is always ahead of commercial software in terms of actual security.
No, it's not the reporter. There's no way you can cover up babbling stupidity about "Enterprise" solutions and dissing OpenBSD.
Friends don't help friends install M$ junk.
If OpenSSH's team are worthy enough, then people will stay with them and the fork will fade into history. If, as I suspect, OpenSSH is mostly popular because there are no serious competitors (the rest are infinitely worse), then the moment serious alternatives exist, those alternatives will supplant OpenSSH as the secure system to use.
Anyone can be on top of the heap, when there's no meaningful heap to speak of.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Would someone please tell me what D-Link and Linksys products come with OpenSSH *by default*?
The best I've ever seen is that *some* can have a telnet server enabled by trickery.
"Evil will always triumph because good is dumb." -- Dark Helmet
The article states:
Keeping OpenSSH environments secure requires constantly updating the environment with the latest security patches. However, updating OpenSSH servers involves an extremely laborious and time-consuming process of source-code compilation, testing, installation, and configuration. In large-scale environments this leads to a heavy administrative burden and increased costs. As a result, during times of constrained IT budgets many organizations have been forced to neglect frequent security patches and software updates, making them vulnerable.
Even if organizations are willing to go through the costly process of manually maintaining the software on a regular basis, lack of centralized management can still present a risk.
In my case, I don't see where the rocket science is in:
gentoo# emerge -u
or in
gentoo# emerge --update --world
Now, our production boxes are running gentoo, but most of the other package systems (with the exception of RPM) are equally adept at managing upgrades, etc., very easily. Seems to me like the fine folks at SSH are getting a little desperate?
... the pointy haired boss who knows jack about security and dictates policy that (s)he knows nothing about.
Security through obscurity just doesn't work.
I'll take the quality I know I'll get from the OpenBSD/SSH guys over profiteering gluttons any day.
I figure I have to say it. SSH has its uses, but some people try to use it as a substitute for kerberized, encrypted telnet. IME, kerberized, encrypted telnet is far more flexible in a corporate environment (and it can be configured to require both kerberized authentication and session encryption if you know what you are doing).
Telnet is not insecure. It is usually just implemented that way.
IMO, SSH in general is handy as a light-weight VPN, and it is handy for certain ad-hoc network tunneling, but it is really a jack of all trades and master of none. Personally I don't consider any version of SSH by any vendor (including SSH.com) to be a heavy-duty component of a network infrastructure (for tunneling, use IPSec, or GRE through IPSec, for remote access use encrypted telnet with kerberized authentication, as it is often a bit more scriptable).
LedgerSMB: Open source Accounting/ERP
Out of every company in the world, what's the last you would expect to not provide a cryptographically signed package?
RSA's own PAM modules for RHEL are distributed as an unsigned tarball. Along with the stuff you're telling me above, I don't really have much trust in RSA as a security company (and hence any trust in RSA at all).
Theo and OpenSSH have a problem, brute force attacks. When asked about it he doesn't want to do the extra work to make OpenSSH more secure. Yea, it's a multi threading problem and he says just go use some other software that will mask his problem by putting up a firewall rule in front of his OpenSSH code.
Then try talking to him about passphrases. This guy is a danger to everyone's security. OpenSSH should be replaced or forked as soon as possible (open source only please).
Try asking him, watch what you get back.
http://www.openssh.com/list.html
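The brute-force complaint in the post above is really a detection and rate-limiting problem that can be handled outside sshd. The following is an added example, not code from the thread or from the OpenSSH project: it parses the "Failed password" lines sshd writes through syslog, counts failures per source address over a sliding time window, and returns the sources that a firewall rule or ban list could act on. The log lines are constructed for the example (RFC 5737 documentation addresses), and the host name, threshold and window are assumptions.

```python
"""Flag source addresses that produce bursts of failed sshd password logins."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of the standard OpenSSH "Failed password" line as relayed by syslog.
# Both "Failed password for root" and "Failed password for invalid user x" are matched.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log (not a real capture): one source hammering five
# different account names in under three minutes, plus benign traffic.
SAMPLE_LOG = [
    "Mar 12 03:14:01 bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2",
    "Mar 12 03:14:09 bastion sshd[4122]: Failed password for root from 203.0.113.5 port 41023 ssh2",
    "Mar 12 03:14:30 bastion sshd[4123]: Failed password for invalid user test from 203.0.113.5 port 41024 ssh2",
    "Mar 12 03:15:02 bastion sshd[4125]: Failed password for invalid user oracle from 203.0.113.5 port 41025 ssh2",
    "Mar 12 03:15:44 bastion sshd[4127]: Failed password for invalid user admin from 203.0.113.5 port 41026 ssh2",
    "Mar 12 03:16:40 bastion sshd[4128]: Failed password for invalid user guest from 203.0.113.5 port 41027 ssh2",
    "Mar 12 03:20:15 bastion sshd[4130]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2",
    "Mar 12 03:21:02 bastion sshd[4131]: Failed password for bob from 198.51.100.9 port 51040 ssh2",
]


def parse_failed(line, year=2006):
    """Return (timestamp, source, username) for a failed-password line, else None.

    Syslog timestamps carry no year, so the caller supplies one (assumed here).
    """
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["user"]


def brute_force_sources(lines, threshold=5, window=timedelta(minutes=10)):
    """Map source address -> (total failures, distinct usernames tried).

    A source is included once it has `threshold` or more failures inside any
    `window`-long span. Distinct usernames is a useful secondary signal: a
    legitimate user mistyping a password does not rotate through account names.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_failed(line)
        if parsed:
            ts, src, user = parsed
            events[src].append((ts, user))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = {u for _, u in evs}
                flagged[src] = (len(evs), len(users))
                break
    return flagged


if __name__ == "__main__":
    for src, (count, users) in brute_force_sources(SAMPLE_LOG).items():
        print(f"{src}: {count} failures across {users} usernames")
```

The output of `brute_force_sources` is what a firewall drop rule or a ban list would consume; that rate limiting lives outside sshd regardless of which SSH server is in use. On a server with `PasswordAuthentication no`, a source that trips this threshold is pure noise and can be dropped without affecting anyone legitimate.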
Their marketing guy may claim their stuff is enterprise level and all, but Google ranks openssh.com higher than ssh.com! http://www.google.ca/search?hl=en&q=ssh&btnG=Google+Search&meta=
So there!
There's a lot of exaggeration and vagueness on both sides of this little tempest. What suffices for one enterprise may not for another, so it is certainly silly for ssh.com to claim that OpenSSH is not "enterprise-class" -- as Theo and others rightly point out, OpenSSH is used successfully in many large contexts. On the other hand, it is a fact that Tectia has a number of features OpenSSH lacks, some of which are particularly relevant to large organizations (which is not the same as simple widespread use). Here are a few of them:
* PKI support
Tectia can use X.509 certificates for both client and server authentication. To add a new SSH server or change an existing one's host key, all you need do is issue a certificate for it. Clients need only have a copy of a single public key: the issuing CA certificate. No constantly shifting mess of per-user and per-host known-host files to try to keep in sync, no spurious "unknown host" or "host key changed" messages confusing users and teaching them to ignore security warnings. It just works.
For client authentication, there are no burgeoning copies of authorized_keys files lying around, unmanaged, needing to be individually tracked down whenever you want to turn off someone's access: instead, you can simply revoke the user's certificate. And flexible rules can grant access based on certificate attributes, like "anyone in the Foo Department can log into this host."
The distributed-trust problem has been addressed abstractly by systems like PKI and Kerberos. In a large (or even medium) scale environment, you want to tie applications such as SSH into these systems, not have each one use its own ad-hoc mechanism.
Note that both OpenSSH and Tectia support Kerberos. There is some variation in how well they use it to address the above problems, though, and I won't get into that here.
* Greater configuration flexibility
With the Tectia SSH server you can:
+ Modify almost all server parameters based on the client hostname and address, or properties of the requested account (username and group membership). Thus you can arrange that accounts in one group permit password authentication, while those in another group require public-key -- or that connections coming from your internal network allow a wide range of ciphers, while those coming from the outside require a smaller, stronger set. You can accomplish some of this type of thing with OpenSSH, but generally you have to run multiple instances of the server on different ports.
+ Exert finer-grained control over what kinds of SSH services you provide. You can forbid terminal access while still allowing sftp, for example, by simply rejecting the corresponding SSH protocol requests (shell and exec channels), rather than resorting to custom shells or other hacks that have unwanted side effects.
+ Control port forwarding with ACLs that include permit/deny statements and patterns matching user, target hostname, IP address, etc.
+ Require multiple forms of authentication for access (e.g. password and public-key).
* SOCKS support for outgoing SSH connections (note this is different from the OpenSSH -D feature, which Tectia has also).
* "chroot"-ed logins
* integrated support for RADIUS authentication
* Support for Windows-native Kerberos. Although OpenSSH can be built with Kerberos support on Windows (with Cygwin), it does not
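Most of the configuration-flexibility and PKI items in the post above can now be expressed in OpenSSH itself. The sshd_config fragment below is an added example, not from the thread, from ssh.com or from the OpenSSH project; it assumes a modern OpenSSH (Match blocks, AuthenticationMethods, TrustedUserCAKeys, RevokedKeys and ChrootDirectory all postdate this discussion), and the group names, network ranges and file paths are placeholders.

```text
# Added example sshd_config fragment (not from the thread or either vendor).
# Group names, address ranges and paths below are placeholders.

# Key-only by default; a strong cipher/MAC set applies to every connection.
# Ciphers and MACs are negotiated before the user is known, so they cannot
# appear inside a Match block: per-source cipher policy stays global.
PasswordAuthentication no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# OpenSSH certificates in place of authorized_keys and known_hosts sprawl:
# users present a certificate signed by the user CA, the host presents one
# signed by the host CA, and access is withdrawn by listing the key or
# certificate serial in the revocation file rather than hunting down files.
TrustedUserCAKeys /etc/ssh/user_ca.pub
RevokedKeys /etc/ssh/revoked_keys
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub

# Transfer-only accounts: sftp is served in-process, the shell and exec
# channels never get a chance, and the session is jailed. ChrootDirectory
# and every path component above it must be root-owned and not group/world
# writable, or sshd refuses the login.
Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
    AllowTcpForwarding no
    PermitTTY no
    X11Forwarding no

# Inside the corporate network, require BOTH a key and a password.
Match Address 10.0.0.0/8
    PasswordAuthentication yes
    AuthenticationMethods publickey,password

# Forwarding restricted by target: developers may reach one database port.
Match Group devs
    AllowTcpForwarding yes
    PermitOpen 10.0.5.10:5432
```

Syntax can be checked without restarting anything with `sshd -t -f /path/to/sshd_config`. The honest caveat to the post's comparison is the first comment in the fragment: OpenSSH can vary authentication, forwarding and chroot rules per user, group or source address, but the cipher suite is a property of the listening socket, so offering a wider cipher set to one network and a narrower one to another still means a second listener.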
... that "Enterprise Class Product" refers to the license cost, not quality or features. SSH Communications is right. OpenSSH doesn't cost enough to be "Enterprise Class".
Actually hamsters have more dark meat. Guinea pigs have more white meat.
eWeek's article is just simply dumb! Every single Agency/Department on the US Federal government and every single small, mid and large company in the world with an actual network uses it at one level or another. If this is not enterprise level, I don't know what is!
If they want people to buy a commercial version of SSH then they should provide something of value that OpenSSH does not provide!
Ideas...
1. How bout a hardware based SSH accelerator for fast SFTP/SCP transfers?
2. GUI configuration in X/QT/GTK...etc...
3. Performance monitoring tools
I pulled these out of my ass in 3 seconds. None of them may be worth the time but you get the idea!
I'm sorry, I didn't quite catch the name of your kabob place?
Free Adam Smith! (Or best offer.)
So yeah, that's why the SSH guy is saying, "We do not compare OpenSSH to our SSH Tectia solution, since it's far from the same." In other words, here you have OpenSSH. It secures the wire. Here you have our commercial product. It secures the wire and lets you manage things centrally. Naturally, this is a better fit for your centrally managed enterprise. I don't think they are saying "OpenSSH is shit." I believe they are saying, "We're easier to use." And for an IT dept. staffed with the finest MCSEs money can buy, that can be a strong selling tool.
The "We're everywhere therefore we're better" response is just retarded. Windows is everywhere too. Is it better? I'm guessing these guys were misquoted or their quote was taken out of context.
The commercial company isn't selling the SSH part so much as they are selling the central management aspect of it, which to my knowledge is not part of OpenSSH because that is the way it is supposed to be. Unix tools in general are supposed to be that way. You do not allow feature creep to dilute the value of a tool. Want a new feature? Write a new tool that provides that feature and that feature only, and does it well. Then string the two together with a shell script or a little C app. OpenSSH does one thing well and one thing only. Secure Shells. If you want a central management app, you write one that makes use of OpenSSH libraries or you find one being offered by someone else.
The discussion should be, "What open source SSH management solutions are available and how do they stack up against this commercial solution?" The whole article should be modded troll. It seems whoever submitted the article is the same kid who instigated fights on the playground when I was a wee lad.
not plane, nor bird, nor even frog...
Well, considering how many compromised Linux machines are running SSH password crackers looking for other badly configured setups, incompetent sysadmins are the norm.
Oh well, what the hell...
In other news, Ford claims Japanese automobiles aren't real automobiles... "They weren't here in the 50's when we had some bad ass cars -- and our powerful mustang is the real deal" cites the CEO of Ford. He continued with "How can we even put those cars in the same class? I mean, damn, they last longer, are better built, but their engine light comes on when the gas cap isn't screwed on tightly enough. What kind of car does that? Doesn't sound like a real automobile to me."
sheesh.
yes, sounds like a troll. never thought i'd stoop...
We're like rats, in some experiment! -- George Costanza
Not sure what Online in Hazardous environments means. There's only a partial explanation; one additional interpretation would have all of the Internet hazardous because of crackers. I like how some companies beat you over the head with "you can't sue anybody" then neglect to mention you can't really sue them either. It's a true statement of most OSI licenses, but it's no worse than theirs in that regard.
Whenever you hear enterprise you can be assured someone in marketing is trying to BS you. It's really a keyword to denote that there is no good reason why something is better or bigger, merely that someone is trying to con you. It's almost as bad as synergy.
The other marketing BS keyword is "technology", when used in the form "foo technology". An engineer would never say "HTML technology". He's familiar with HTML, he says "HTML" every day, so he has no reason to tack on the entirely useless "technology" on the end. Marketroids, on the other hand, know that "technology" has positive connotations, so they ram it on the end of every tech-related thing. I find that the "technology" filter, along with the "enterprise" filter, work pretty well in reducing the amount of useless things I need to read.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
Enterprise class means it's designed to be deployed across an entire enterprise/organization with centralized management, out of the box.
You're awfully generous to the vendors out there. Let's take a look:
Seagate sells "enterprise class" Cheetah hard drives. How one would deploy a hard drive across an entire organization with centralized management does not immediately jump to mind.
Intel makes "enterprise class" chipsets.
Logitech's V500 Cordless Notebook Mouse is apparently a true enterprise-class wireless solution.
I just chose three companies at random and plonked in "site:companyname.com enterprise-class" into Google.
IBM zSeries Mainframes come with and support the use of OpenSSH under Unix System Services.
You cannot get any more "enterprise" than Big Blue's Big Iron.
End of Discussion.
Your "homepage" points at http://localhost/. For most normal network devices, the hostname "localhost" will resolve to the same device, typically using IP address 127.0.0.1. That means that if anyone clicks on your link, they'll be connecting to themselves!
Do you see how explaining at length a readily apparent joke is neither funny nor insightful? That indeed it is scarcely worth the time it takes to type and certainly contributes nothing to the signal-to-noise ratio here? You have a five digit uid, you can do better than this.
You're welcome
SSH Communications still exists!?!?!?
For as long as I've used SSH, OpenSSH was the SSH server. I didn't even know there was another until a few years after. On the client side there's PuTTY if you're stuck on windows but it's OpenSSH shipping on everything else... especially MacOS X, Linux and BSD.
That there are proprietary software SSH solutions out there making money comes as a surprise to me.
And why would anybody with half a brain trust encryption software they can't audit if need be? C'mon: the cryptosystem has to be mathematically so whoopass that whether or not an attacker has the source makes no difference. Proprietary is talking the talk. FOSS is walking the walk.
It doesn't surprise me that these guys would use FUD to sell their wares. Have they any other choice?
"Let him go, Ralph. He knows what he's doing." --Otto Mann (simpsons)
As far as security is concerned, is centralised (update and configuration) management not an additional vulnerability? If an attacker can attack the centralised control then they have just subverted all the systems managed by it.
You must be not new here
And that's why the software costs ten times as much is it, because all the services you describe are included, at no extra charge?
/*rolls eyes*/
Sorry but they are correct in what they say. I wouldn't dream of using anything other than SSH myself, but in the large enterprises I have worked in - the commercial product would be more suited. It is more user friendly - MUCH - more user friendly to begin with, which reduces training costs.
There is a commercial entity behind it, which is simply required in a lot of large organisations in certain contracts and internal policies. I worked for a bank where some policies stated that any product used must have an accountable supplier. And I'm sure that isn't the only place that does that.
I wouldn't question the quality of OpenSSH, but this guy isn't saying anything a lot of people don't already know. I just get the feeling sometimes that a lot (although not all) of the supporters of free software have little experience of how large organisations work...
What are you talking about? Red Hat has had auto-updates for ages. Debian, which is totally free, has had auto-updates for even longer. Windows was a latecomer to this. Why should every single applications update themselves, when it should be a sub-system (daemon/service) on the OS doing this?
On MY setup, auto-updates are performed every night, with everything taken care of without my supervision. With errors mailed to me, I sleep well at night. Yes, this is a Debian system. When finally set up, which is what the vendor/supplier should do properly, it is much less hassle than Windows XP.
Your post didn't make sense, at all.
And what exactly is "Enterprise Ready" anyways?
If you want to block out old protocols, you can do so in OpenSSH, by editing the configuration. The protocol is probably logged to a log-file too, if you're really interested.
But I don't think you really are. Either you're trolling, or a company whore. Because your post doesn't really have any useful statements that I can find.
But the initial drop is indeed there. It's nothing extensive, at the moment - the last snapshot of OpenSSH, with a bunch of patches thrown in, but the fork does exist and it is more than just baseline. I'm calling it openssh-folk, as the FOLK project is specifically for the purpose of severely overloaded software (which is the direction I intend to take this fork).
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Creoles are contact languages (pidgins, to be more precise) that have become native to at least some of their speakers.
Therefore, if they are creoles - which they most certainly are not - they have native speakers. Q.E.D.
The are not pidgins, either - they are actually not contact languages at all.
OK, so Klingon can serve as a lingua franca at Star Trek conventions, but that's beside the point ;)
(Yeah, I know this is offtopic, but I just can't let this kind of thing go unpunished.)
Ignore this signature. By order.
From TFA: [Byron Rashed, senior marketing communications manager of SSH Communications Security said] "Liability is also an issue that companies are worried about. Open-source software usually does not have any indemnity insurances associated with them." (emphasis mine)
Google search: indemnity site:www.ssh.com
Your search - indemnity site:www.ssh.com - did not match any documents.
Thank you, I didn't know that. Maybe the story title should have said it draws Theo's ire, not open source ire, if they are just as open (of course it depends on the other specific license restrictions, etc.)
Then again, reporting that something draws Theo's ire wouldn't be big news :)
My purpose is to do this the Right Way (by Software Engineering standards), which means getting the code feature-complete FIRST. The purpose of software engineering principles is not to have "neat" code, it is to have complete code. And, yes, that likely means the codebase will be larger. Is this bloat? No - bloat is unnecessary code. If it is necessary, it cannot be bloat, no matter how large the sourcefile becomes.
Once the codebase is complete, THEN you can worry about refactoring, optimising, cleaning out redundancy, etc. You can't decide what is unnecessary, though, until you know what IS necessary. If you cannot define one, you cannot define either.
Seeing bloat where none exists is a common form of myopia amongst certain groups of hackers. You can tell who suffers from it, because their skill-sets don't grow as quickly. You can't learn new technologies or new approaches when you're convinced that they're useless by definition. Such hackers are absolutely brilliant at their specialist fields, precisely because they're undistractable, but they're like a fish in hard vacuum when confronted with anything they're unfamiliar with.
This is exactly why you need generalists. These are people who know how to link ideas together, know what ideas you should even TRY to link together, and are willing to explore the fringes of possibility in an effort to squeeze even one more drop of usefulness out of something.
If you want the absolute best design, you get a generalist. If you want the absolute best implementation of that design, you get a specialist. Specialists can't design to save their life (which is why the Shuttle is a piece of crap), generalists without specialist knowledge are too distractible to produce a good implementation (which is why you don't see many top Software Engineers in industry) and generalists WITH specialist knowledge tend to be the legends of the industry.
The ideal is to have teams with both types of people, so you can get the benefit of both types of skill without having to rely on having any legends around. Legends are too rare to rely on and impossible to replace if they quit or die. This isn't just true of computing - look at the music industry. A good 90% of all the top composers were in partnerships (Lennon/McCartney, for example) where the extreme gifts complemented each other rather than competed. The other 10% were gifted ENOUGH that they could cover both the breadth and depth at the same time.
If a partnership is impossible (as is blatantly obvious to anyone reading the AC replies to my posts!) then you have to apply the approach in layers. Use specialist and generalist skills alternately, to gain the maximum functionality, the minimum footprint, the maximum usability and the minimum risk. The OpenSSH team, as it stands, isn't capable of this. They're specialists, with a specialist mindset, and the egos you invariably get with specialist thinking. They're good coders, but they are intrinsically incapable of recognising the worth of others or the worth of avenues outside of their own fields.
When Theo was interviewed on Slashdot, I asked him about OpenBSD as a distributed kernel. He had no idea what that was and was clearly not about to find out.
For those interested, a distributed kernel is an OS kernel that runs on a cluster as a single kernel, not as a collection of independent kernels. If you want maximum performance on the cluster, you absolutely don't want the overheads of running code you don't want. This means you absolutely don't want the full OS on each node, you only want the bits that are actually needed on a local basis. (If a node is running a single program, you wouldn't even want
Where is this "free market capitalism" of which you speak? It seems mega-corporations won't even set up factories in UK without substantial government funding; then they expect to be bailed out when they're failing, even though they continue to give money to the shareholders. So part of my tax $currencyUnit goes to make someone who is hugely rich a bit richer whilst I can't afford to eat anything but mince and pasta.
These businesses that pay out to shareholders when they can't afford to should go out of business but they get held up by government for fear of global labour markets.
Ultimately it seems all systems however good get brought down by greedy people. But then if you're an evolutionist that's what should happen - screw the weakling poor and prosper the strong rich.
"There is no other definition of communism valid for us than that of the abolition of the exploitation of man by man." - Che Guevara
In contrast capitalism is all about increased exploitation (ad absurdum). I think the reason capitalistic societies prosper fiscally is that everyone expects everyone else to be a lying scoundrel hell-bent on screwing them over - that way your guard is up. If everyone is expecting benevolence and human-kind-ness then it's easy for someone to sweep in and grab what they wish.
And THAT, my dear, has been my point all along. You CANNOT seek to do something you know nothing about. THAT is why generalists are essential, because only a generalist knows enough subjects to be able to expand the horizons of a project to the logical conclusion. It is ALSO why specialists are essential, because only a specialist knows enough about a given element to see it to completion and to do it right.
"But what if a project doesn't want to expand?"
If that is the correct approach, then the new variant will die off. "Survival of the fittest" applies to computer programs, just as much as it does to biological entities. If it is the wrong approach, the more restrictive original branch will die off. You will also get situations where BOTH variants can survive, and often this is the preferred result, particularly if the variants coexist peaceably. Actually, this is how you tell if something IS feature-complete - if a variant dies, then it is either too restrictive OR too extensive. Feature-complete variants will always be preferred by natural selection. When two variants have different domains, provided BOTH are feature-complete within their domains, they will both survive. If one is feature-complete and the other not, then the one that is not will be selected against.
(There is one, and only one, exception to this. Arrogantly assuming you are the be-all and end-all. There will ALWAYS be someone that little bit smarter, that little bit quicker and/or that little bit more flexible in their thinking. If they are welcomed as a friend - however alien their thoughts - then your pool of talent will always grow and you will never stagnate and rot in thought. If they are cast aside as though they were inferior, then at best you WILL stagnate. At worst, they'll take the best of what you have, build something so far beyond anything you've ever imagined that you will never seriously compete, and your project will be doomed to the dustbins of history.)
"We can't do one -and- the other! Don't be stupid!"
Let us use the example of a distributed kernel, because that's a nice, extreme example and it's not something anyone is doing right now so isn't politically hot. The lowest levels of the OS would need to be the same - the hardware hasn't changed. The uppermost layers of the OS would need to remain the same - distribution done right is going to be transparent to the applications. Only the middle would need changing, then.
CVS supports branches, but it's not so hot on branches of only a subset of a project. What we're wanting here is to make use of all development, avoiding unnecessary duplication of effort. The initial effort in producing a distributed kernel would be in allowing the whole of that middle layer of the kernel to be executed in parallel. That would probably be best maintained as a patch set, relative to the baseline OS.
Once that is done, you'd create a second fork. This second fork would be a patch-set relative to the initial parallelization effort, and would be concerned with efficient communication between parallel threads within the kernel. If threads are on the same physical machine, you want to use memory. That is fast and efficient. If the threads are on DIFFERENT machines, you want to be able to pass data as efficiently as physically possible.
Once that is done, you'd create a third fork. The third fork would allow the communications to take place between different kernels as if they were the same kernel. You now have transparent clustering, but you're still not truly distributed as these are still different kernels. You'd need a fourth fork, where redundancy could be eliminated on-the-fly and where you could have multiple instances of a single component - some local,