SSH Claims Draw Open Source Ire
JDStone writes to tell us eWeek is reporting that claims by SSH Communications, the creators of SSH, that OpenSSH is not an 'enterprise-class product' are being met with a great deal of resistance. Theo de Raadt, of OpenBSD fame and a member of the OpenSSH development team, was quoted saying "OpenSSH is built into all Unix and Linux vendor operating systems, and is also built into almost all larger managed network switches, from Cisco through Foundry. It comes on Linksys and D-Link wireless and security routers too."
I'm sure SSH Communications stands to make more money if they can discredit a free, open-source product.
They are selling a product and they will say that to sell their product. Come on, what else would you expect? This is like MS saying Windows is more secure than Linux even though everybody knows the truth.
that "Enterprise class" is management-speak for pay-through-the-nose. There has been and always will be a deep suspicion against low-cost or free (as in beer) products. There's plenty of stuff on the market that people can't give away that is sold to schmucks everywhere.
Come on. Stop feeding the troll. He's a marketing droid. He comes from a tradition of making outlandish claims or at best distortion of truth. It's his job to drive sales for SSH. We should treat what marketing people say the same way we treat any advertisement. Take it with a block of salt. Obviously an open source implementation of SSH competes, and has done so very successfully, with SSH. This is their attempt to win back the market. It's not worth giving too much thought to.
You're missing the point. Popularity doesn't exactly equate to 'enterprise class'. Look at nmap, everyone knows and uses it. Is it enterprise class? No. Enterprise class means it's designed to be deployed across an entire enterprise/organization with centralized management, out of the box.
for quite a number of years. In networks both big (huge) and small (just to the room next door). And to be honest they are both pretty much configure and forget. But if I were deploying a world class enterprise, I'd stick with OpenSSH. If for no other reason than it is an off-shoot of the OpenBSD project and using that has convinced me what a truly first class OS looks like. OpenSSH is enterprise ready enough for virtually anyone on this planet.
That's the whole thing about Linux/Unix. SSH isn't meant to have those types of tools. Just like grep shouldn't have a field separator (awk) or a line counter (though it now does:)). My configs are handled by rdist, rsync or cfengine.
Having all this crap built into one thing needlessly complicates things (Optional knee jerk for those who think the additional commands are the complications), and makes things a nightmare later on. Think Microsoft GUIs and the absolutely terrible configuration options when you think about how bad this can become.
This is just stupid. There are open source products out there that are clearly good enough to be used in "enterprise" settings and OpenSSH is one of them (Apache, Perl, Linux being some others). I've looked at what commercial SSH vs OpenSSH offers and I honestly can't think of a reason to use the commercial product. I agree (for once) with Theo and ask if it's not "enterprise class", why would O/S vendors include it in their products (Sun, Redhat etc)? For the record, all of my Solaris systems run OpenSSH supplied by Blastwave and the Linux machines have it already. It's all about the right tool for the job and open vs commercial is a secondary consideration (IMHO) over utility. In this case, the open source offering is at least as good as the commercial product.
What extra features do you need out of SSH anyway? I ask not to be a smart arse, but as a genuine inquiry.
You're here whining, perhaps you should be at a terminal putting OpenSSH so far ahead that SSH.com seems like the ancient pyramids instead of complaining that people are working hard to put together something like OpenSSH at all.
OpenSSH's developers refuse shitty patches until they are sent in a manner that conforms to the code standards and goals of the project. If the people sending patches are too stupid to read and code properly beforehand, why should the developers then hold hands and recode every shittily cobbled patch for them?
If you have a bug, you submit a report, if you want a feature you submit the patch - it's that simple.
You people just don't understand how to put up or shut up.
I'm sick of following my dreams - I'm just going to ask them where they're going and hook up with them later.
I'm really not trying to post flamebait here, but GAH, the people who work on that thing should hang their heads in embarrassment. Spaghetti code, no comments -- I'm talking a total mess. I was actually just looking for the code that clears the screen when you log out of a session (because I actually hate the automatic clear screen, and was hoping there was an option for it). I finally gave up in disgust.
.bash_logout.
And this comes from a person who looks into OpenSSH source instead of
It must be credible source review, really...
Byron Rashed, senior marketing communications manager of SSH Communications Security, claimed that SSH's product is better suited for enterprise-scale business applications than a similar open-source product from OpenSSH.
Since when do we care what a marketing manager says about anything?
Enjoy,
It's just the normal noises in here.
Often it's "enterprise" because it makes managing your enterprise easier. Not something home users would care much about, but in a large environment it's valuable. Like we use Ghost Enterprise Server here for PC work. The way it works is you install a Ghost client on the computers (if they run a supported OS) or boot from a Ghost boot CD/USB key (if they don't) and then the server can start Ghost tasks. It can pull and push images to many systems at once, all remotely. So if someone screws up a system (which happens in student labs) we can get it back up quickly; if we need to switch a lab over for something (like switch a Windows lab to Linux for a presentation), no problem.
Now it's nothing we couldn't do by hand, of course, and something we could probably hack together from freely available software. However the advantage here is that it's ready to go as is. Given that we do not have the time to mess with this kind of thing, it's worth the money to us.
Now I'm sure some enterprise software is pure fluff, but often the "non-enterprise" solution is woefully short on capabilities. It'll have all the technical stuff it needs, but lack in the ease of configuration, use and management. If you are running one server for yourself, you can tinker with nitpicky shit as much as is required. However when you run 1000 systems that's just not the case. You don't have that kind of time. You need to be able to centrally deploy and manage shit easily.
That's the whole point of things like LDAP (or Microsoft's version of it, Active Directory). Sure, you could keep a local user DB on each computer, and just update it as needed. Works fine, needs no new software. However that gets to be a bitch if you are talking 500 computers and 3000 users. Much better to have a central system. In our case, we pay Sun for a product that syncs our Active Directory to our Sun LDAP database. Could we do it manually? Sure. Could something have been hacked to do it? Ya, but we lack the time, and the personnel to do that. Better to just pay Sun for it.
You are completely correct. This is OpenSSH's problem. Patches not getting folded in, responses like "where's YOUR patch, pickledick?", and the utter lack of OpenSSH programmers taking the initiative to fix stupid problems like cross-platform compiling on a non-target CPU.
I don't doubt that OpenSSH is enterprise-class when compared with the likes of Microsoft's offerings or SSH Corp., but immature responses from the supposed "OpenSSH developers" that don't further to solve the problems really put people off.
If OpenSSH would clean house of the wannabes and show some initiative and maturity, the OpenSSH team might get more respect from the outsiders.
We attempted integration with RSA, and OpenSSH had significant problems that we had to resolve. In the end we could not resolve the final problem, which was that a session would hang after exiting the shell if the session was authenticated using the RSA PAM module.
I had that problem too... we fixed it by turning on PrivilegeSeparation (I know the RSA docs say to turn it off, but ignore that).
In any event, that's a problem with RSA's buggy PAM module, not OpenSSH.
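The fix above is one sshd_config directive. As an added example (not code from the thread, OpenSSH or RSA), here is a small lint that reports what that directive resolves to in a given sshd_config, mirroring sshd's first-occurrence-wins rule so a commented-out or duplicated line does not mislead the reviewer; the sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: lint an
# sshd_config for the UsePrivilegeSeparation directive discussed above.
# sshd honours the FIRST occurrence of a keyword, so the lint does too.
# Note: later OpenSSH releases made privilege separation mandatory and
# dropped the directive; on those versions "default" is all you will see.

# privsep_status FILE -> prints yes | sandbox | no | default (not set)
privsep_status() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments/blanks
        {
            # accept both "Keyword value" and "Keyword = value" forms
            line = $0
            gsub(/[[:space:]]*=[[:space:]]*/, " ", line)
            $0 = line
            if (tolower($1) == "useprivilegeseparation") {
                found = 1; print tolower($2); exit
            }
        }
        END { if (!found) print "default" }
    ' "$1"
}

# check_privsep FILE -> exit 0 when privsep is on (yes/sandbox/default), 1 when off
check_privsep() {
    case "$(privsep_status "$1")" in
        no) return 1 ;;
        *)  return 0 ;;
    esac
}

# Constructed sample: the weak configuration the RSA docs reportedly ask for
write_weak_sample() {
    printf 'Port 22\n# UsePrivilegeSeparation yes\nUsePrivilegeSeparation = no\nUsePrivilegeSeparation yes\n' > "$1"
}

# Constructed sample: the corrected configuration from the comment above
write_fixed_sample() {
    printf 'Port 22\nUsePrivilegeSeparation yes\nUsePAM yes\n' > "$1"
}

# Demo: lint both samples
weak=$(mktemp); fixed=$(mktemp)
write_weak_sample "$weak"; write_fixed_sample "$fixed"
for f in "$weak" "$fixed"; do
    if check_privsep "$f"; then echo "$f: ok (privsep=$(privsep_status "$f"))"
    else echo "$f: WEAK (privsep=$(privsep_status "$f"))"; fi
done
rm -f "$weak" "$fixed"
```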
The commercial ssh.com site appears to draw a bigger audience (and thus, a better Alexa ranking) than the free openssh.com site. If the more popular, better-known software (SSH, commercial) wants to call attention to a free competitor (OpenSSH, free), that's their mistake, and I hope the OpenSSH community benefits from it!
Procrastination -- because good things come to those who wait.
Good question. It seems very enterprising to claim that a closed software product is "in a different class by itself" -- tantamount to saying it is more secure than an open source product.
The crucial difference for me is whether I can check the source code for gaping security holes. With open source software, it is relatively easy. At least you can get a third party to vouch for the lack of obvious security holes in an open source product. With a closed product, you get only the vendor's assurance. Maybe the vendor could leave some secret exploits in there to convince people that they need to upgrade every so often? You would have no choice but to pay up, after all, your "enterprise" depends on it now.
But does closed software retain some security through obscurity? Can blackhat hackers reverse engineer a closed software product anyway? Yes, they can, and I wonder if it is a coincidence if this happens close to a product upgrade cycle.
IMHO, they are using the enterprise buzzword to try to evoke images of an "Enterprise class" warship, bristling with weapons and rotating radars and the latest bleeping control center screens, roaming your coastline defending you against any possible attack. The only trouble is you are not allowed to inspect the ship to see if it has a leak, and if the ship sinks, they'd rather you didn't tell anyone because they might not meet their sales target for that quarter.... :)
They're not just groups of people, they are legal entities created by the state in a way that makes them unable to do anything but seek profit.
A business corporation that fails to screw over anyone it can in the name of profit can be sued by investors. Since for large corporations, those investors are often other profit-seeking-monster corporations, such suits would be a given if the corporation didn't plunder to within an inch of what the law allows - and even beyond what the law allows, if the penalty is less than the profit.
The modern large for-profit corporation is a Frankenstein's monster constructed of law rather than of corpses; and it's only by changing the law that we can tame these beasts.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
Out of every company in the world, which is the last you would expect to not provide a cryptographically signed package?
RSA's own PAM modules for RHEL are distributed as an unsigned tarball. Along with the stuff you're telling me above, I don't really have much trust in RSA as a security company (and hence any trust in RSA at all).
... that "Enterprise Class Product" refers to the license cost, not quality or features. SSH Communications is right. OpenSSH doesn't cost enough to be "Enterprise Class".
Sounds like I need a raise.
"With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
RFC 1925
"They're groups of people. They get together and decide what to do. Usually the controlling body of shareholders says "do wtf you want as long as I make oodles of money"."
You may have heard of a study done where it was shown that people are willing to deliver a deadly amount of shocks to subjects if they can remain anonymous. Humans are like that. When relieved of responsibility and guaranteed anonymity they can be incredibly savage and cruel.
Corporations were invented to shirk responsibility and to diffuse responsibility enough to maintain anonymity. Within the context of corporations human beings act in incredibly vile ways. This is why it's so easy for a corporation to kill hundreds of people just to save 50 cents on a part.
evil is as evil does
If you have different goals, start your own project.
If you're unable to spend the time to know how to properly submit a patch then it's your problem, not theirs, it's their project.
If you are wanting something to be accepted into it, you have to make it work the way the developers want it to work.
Your attitude is completely asshat backwards. It's not up to them to help you get what you want, it's up to you to get them what you want. But if you want to add in support for an algorithm that is patented, too bad, it won't happen. If you want to start favouring PAM, too bad. If you want to have it support GnuTLS, too bad.
How hard is it to conform to the KNF? Are you saying it's so hard to conform to good coding guidelines that it's not worth adding the functionality you want? Fine, the functionality won't be added.
This isn't forcing their personal view on anyone, it's enforcing their views on their own project. No one is forcing you to be a user, there is no knife held to your neck waiting for the second you download lsh.
Don't like it? Go cry to your mother, maybe she can make it all better.