Slashdot Mirror


SSH Claims Draw Open Source Ire

JDStone writes to tell us eWeek is reporting that claims of OpenSSH not being an 'enterprise-class product' by SSH Communications, the creators of SSH, are being met with a great deal of resistance. Theo de Raadt, of OpenBSD fame and a member of the OpenSSH development team, was quoted as saying "OpenSSH is built into all Unix and Linux vendor operating systems, and is also built into almost all larger managed network switches, from Cisco through Foundry. It comes on Linksys and D-Link wireless and security routers too."

16 of 377 comments

  1. but what about enterprise administration? by louzerr · · Score: 2, Interesting

    Hey, I'm all for OpenSSH - use it every day on almost any PC I touch, but "ready for enterprise" can have more meanings than just how secure/usable a product is.

    What may be missing from OpenSSH (and I'm not claiming to be an expert - just a user) is an enterprise manager ... which it sounds like the Commercial SSH version may offer.

    I'm sure there's a way to enterprise-manage ssh other than passing keys around. But it doesn't seem to come out-of-the-box with OpenSSH just yet.

    --
    "The large print giveth, and the small print taketh away" -- "Step Right Up", Tom Waits
    1. Re:but what about enterprise administration? by Zak3056 · · Score: 4, Interesting

      Think Microsoft GUIs and the absolutely terrible configuration options when you think about how bad this can become.

      While, personally, I'm a lot more comfortable doing things the *nix way (for example, I find httpd.conf to be a much better administrative interface than MS's IIS Manager), Microsoft's MMC-based tools are pretty good these days--they cover about 95% of everything your average admin is going to do in the lifetime of the application. They're "good enough" to get the job done, and I think that most people who say otherwise probably haven't used them recently... or are simply more comfortable using different tools to do the job and just aren't willing to sit down and learn the MS way of doing things.

      --
      What part of "shall not be infringed" is so hard to understand?
  2. Name recognition by shudde · · Score: 4, Interesting

    I realise I'm displaying my ignorance here but it should hopefully prove a point. I've used OpenSSH for years and until now I had no idea they didn't develop the protocol or that a commercial variant existed.

    Couple that with the sheer number of servers and distributions using OpenSSH and the statements by Byron Rashed seem to have the ring of sour grapes.

  3. No, it's no by winkydink · · Score: 4, Interesting

    Enterprise-class is management speak for "has a pretty GUI that a monkey can use". If one is managing thousands or tens of thousands of accounts, one doesn't want to pay somebody big bucks to do it using Open Source if said open source requires an $80k/yr person to administer it. It's a TCO calculation, nothing more.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  4. Define enterprise by russg · · Score: 5, Interesting

    Not that I'm defending SSH, but it really depends on what specifically you are speaking of when it comes to comparing the offerings of OpenSSH and SSH Communications. The two products are fairly similar for base installs and function about the same. The problems with OpenSSH come into play in the enterprise when you want to manage the SSH installs globally or integrate the SSH server with other products.

    Two examples from my own experience. We attempted integration with RSA, and OpenSSH had significant problems that we had to resolve; in the end we could not resolve the final problem, which was that a session would hang after exiting the shell if the session was authenticated using the RSA PAM module.

    The other example is related to distribution and configuration management. We have started using SSH Communications' central management center to distribute new versions of Tectia server as well as centrally manage the configuration for Tectia/ssh. This has reduced our management overhead considerably. This is an "enterprise" feature.

    --russ

  5. Re:Man, the universe loves me. :) by Anonymous Coward · · Score: 1, Interesting

    Could you give a more specific example? Could you provide a few snippets?

  6. Re:Man, the universe loves me. :) by Nimrangul · · Score: 2, Interesting

    Gentlemen, behold! A troll being marked Insightful on Slashdot! OpenBSD are the ones with KNF, that's Kernel Normal Form, the style that all code in the base operating system (which includes OpenSSH) must conform to.

    --
    I'm sick of following my dreams - I'm just going to ask them where they're going and hook up with them later.
  7. It does not help... by jd · · Score: 2, Interesting
    ...that a number of patches exist for OpenSSH (speedups, code cleanups, extensions, etc) that aren't getting folded into the baseline. Even if the patches (as they stand) don't meet the coding standards for OpenSSH (there are some?), you really should be seeing efforts to either get the patch writers to reformat to standards OR have core developers recode them.


    OpenSSH is limited to IPv4 and IPv6. Limited? Well, yes. Linux supports many non-IP stacks, as do other *nix OSes. So long as you have some component to handle the making of connections and the sending of packets, the rest of OpenSSH doesn't need to care what sort of network you're using or what the transport mechanism is.


    I believe OpenSSH can take advantage of some crypto hardware, but I don't recall seeing any announcements that it could use crypto drivers (or crypto functions) in the OS. It links to OpenSSL, but I don't recall seeing any provision for GnuTLS.


    Is it the best crypto package out there (SSL included)? Yes. Is it the best it could be? Not by a long shot. Is it the best that it should be, given the code available (both for OpenSSH and as related libraries)? Not even close.


    OpenSSH is every bit as "enterprise" as SSH - in fact, for some things, I'd say more so. Does that give the OpenSSH team any excuse to slack off? No - they should be so far ahead, by now, that SSH seems as ancient as the Pyramids and as user-friendly as a unicycle NASCAR.


    Of course, we could settle the dispute by bribing^H^H^H^H^H^H^Hlobbying to make IPSec a Federally-mandated standard for all Internet-based computers. Then application-level crypto would cease to be important and we could get onto something useful, like Microsoft-bashing.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  8. Re:Man, the universe loves me. :) by Suicyco · · Score: 3, Interesting

    What a dumbass.

    If you can't figure out how to keep your screen from clearing (hint: NOT because of ssh), then what judge are you of the source code?

    Ever seen the source code of the commercial SSH? Hmm. Is it even using the proper encryption algorithms? Is there a back door? We are talking heavy duty ENTERPRISE security here. You trust that level of security to a product that claims to protect your communications? Why not trust it to a product you KNOW protects your communications, because you can look right there in the source and then compile it yourself.

  9. I might be off here, however... by Anonymous Coward · · Score: 1, Interesting

    The article states:
    Keeping OpenSSH environments secure requires constantly updating the environment with latest security patches. However, updating OpenSSH servers involves an extremely laborious and time-consuming process of source-code compilation, testing, installation, and configuration. In large-scale environments this leads to a heavy administrative burden and increased costs. As a result, during the times of constrained IT budgets many organizations have been forced to neglect frequent security patches and software updates making them vulnerable.

    Even if organizations are willing to go through the costly process of manually maintaining the software on a regular basis, lack of centralized management can still present a risk.


    In my case, I don't see where the rocket science is in:
    gentoo# emerge -u
    or in
    gentoo# emerge --update --world

    Now, our production boxes are running gentoo, but most of the other package systems (with the exception of RPM) are equally adept at managing upgrades etc. very easily. Seems to me like the fine folks at SSH are getting a little desperate?

  10. wanna sell ssh? Then make it better! by Danathar · · Score: 2, Interesting

    If they want people to buy a commercial version of SSH then they should provide something of value that OpenSSH does not provide!

    Ideas...

    1. How bout a hardware based SSH accelerator for fast SFTP/SCP transfers?

    2. GUI configuration in X/QT/GTK...etc...

    3. Performance monitoring tools

    I pulled these out of my ass in 3 seconds. None of them may be worth the time but you get the idea!

  11. Not much more protection than OpenSource by cant_get_a_good_nick · · Score: 2, Interesting
    Though TFA mentions extra protection for rule sets like SOX and others, actually checking the license shows them pretty fairly lacking. Like most EULAs, you give up pretty much everything. This is what you get from: http://www.ssh.com/support/downloads/tectia-client/evaluation.mpl It looks like it is their normal license, plus an amendment for the temporary license period. I extracted some parts on liability, yadda yadda.


    8. WARRANTY

    LICENSOR EXPRESSLY DISCLAIMS, TO THE EXTENT PERMITTED BY APPLICABLE LAW, ALL WARRANTIES, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, OF FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT OF THIRD PARTY INTELLECTUAL PROPERTY RIGHTS, AND ANY WARRANTY THAT MAY ARISE BY REASON OF TRADE USAGE, CUSTOM OR COURSE OF DEALING. LICENSOR DOES NOT WARRANT THAT THE SOFTWARE WILL BE FREE FROM BUGS OR THAT ITS USE WILL BE UNINTERRUPTED NOR THAT THE SOFTWARE WILL OPERATE WITH ANY HARDWARE AND/OR OTHER SOFTWARE OR REGARDING THE USE, OR THE RESULTS OF THE USE, OF THE SOFTWARE OR DOCUMENTATION IN TERMS OF CORRECTNESS, ACCURACY, RELIABILITY OR OTHERWISE. WITHOUT LIMITING THE FOREGOING, YOU ACKNOWLEDGE THAT THE SOFTWARE IS PROVIDED "AS IS," WITHOUT WARRANTY OF ANY KIND.

    9. LIMITATION OF LIABILITY

    THE ENTIRE RISK AS TO RESULTS AND PERFORMANCE OF THE SOFTWARE IS ASSUMED BY YOU. ANY LIABILITY OF LICENSOR WITH RESPECT TO THE SOFTWARE, THE PERFORMANCE THEREOF OR DEFECTS THEREIN, OR UNDER THIS AGREEMENT, UNDER ANY WARRANTY, NEGLIGENCE, STRICT LIABILITY OR OTHER LEGAL THEORY SHALL BE LIMITED EXCLUSIVELY TO PRODUCT REPLACEMENT OR, IF REPLACEMENT IS INADEQUATE AS A REMEDY, OR, IN LICENSOR'S SOLE OPINION, IMPRACTICAL, TO A REFUND OF THE ACTUAL AMOUNT PAID BY YOU TO LICENSOR, IF ANY, FOR THE SOFTWARE OR SERVICES GIVING RISE TO THE CLAIM.

    10. DISCLAIMER OF DAMAGES

    UNDER NO CIRCUMSTANCES WILL LICENSOR OR ITS LICENSORS BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES OF ANY KIND OR NATURE WHATSOEVER, WHETHER BASED ON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, ARISING OUT OF OR IN ANY WAY RELATED TO THE SOFTWARE, THIS AGREEMENT, WHETHER DUE TO A BREACH OF LICENSOR'S OBLIGATIONS HEREUNDER OR OTHERWISE, EVEN IF LICENSOR OR ITS LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE OR IF SUCH DAMAGE COULD HAVE BEEN REASONABLY FORESEEN, AND NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY EXCLUSIVE REMEDY PROVIDED IN THIS AGREEMENT. SUCH LIMITATION ON DAMAGES INCLUDES, BUT IS NOT LIMITED TO, DAMAGES FOR LOSS OF GOODWILL, LOST PROFITS, LOSS OF DATA OR SOFTWARE, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION OR IMPAIRMENT OF OTHER GOODS. IN NO EVENT WILL LICENSOR OR ITS LICENSORS BE LIABLE FOR THE COSTS OF PROCUREMENT OF SUBSTITUTE SOFTWARE OR SERVICES.

    YOU ACKNOWLEDGE THAT THIS SOFTWARE IS NOT DESIGNED OR LICENSED FOR USE IN ON-LINE EQUIPMENT IN HAZARDOUS ENVIRONMENTS SUCH AS OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR CONTROL, OR LIFE-CRITICAL APPLICATIONS. LICENSOR EXPRESSLY DISCLAIMS ANY LIABILITY RESULTING FROM USE OF THE SOFTWARE IN ANY SUCH ON-LINE EQUIPMENT IN HAZARDOUS ENVIRONMENTS AND ACCEPTS NO LIABILITY IN RESPECT OF ANY ACTIONS OR CLAIMS BASED ON THE USE OF THE SOFTWARE IN ANY SUCH ON-LINE EQUIPMENT IN HAZARDOUS ENVIRONMENTS BY YOU. FOR PURPOSES OF THIS PARAGRAPH, THE TERM "LIFE-CRITICAL APPLICATION" MEANS AN APPLICATION IN WHICH THE FUNCTIONING OR MALFUNCTIONING OF THE SOFTWARE MAY RESULT DIRECTLY OR INDIRECTLY IN PHYSICAL INJURY OR LOSS OF HUMAN LIFE.


    Not sure what Online in Hazardous environments means. There's only a partial explanation; one additional interpretation would have all of the Internet hazardous because of crackers. I like how some companies beat you over the head with "you can't sue anybody" then neglect to mention you can't really sue them either. It's a true statement of most OSI licenses, but it's no worse than theirs in that regard.
  12. Centralised management is not necessarily good by grahammm · · Score: 2, Interesting

    As far as security is concerned, is centralised (update and configuration) management not an additional vulnerability? If an attacker can attack the centralised control then they have just subverted all the systems managed by it.

  13. Re:Well it makes perfect sense by Atrus5 · · Score: 2, Interesting

    "Keeping OpenSSH environments secure requires constantly updating the environment with latest security patches."
    This is the only mention of the frequency of patches. They never claim that you have to patch their version less often.

    "However, updating OpenSSH servers involves an extremely laborious and time-consuming process of source-code compilation, testing, installation, and configuration."
    This is the statement that upsets me the most. Distributions usually provide binaries. How are these binaries different from receiving a binary from anywhere else? How does receiving a binary remove the need for testing? The only case I see for the proprietary solution is when you have the same environment that the binary was tested in.

    The remainder of that paragraph just claims that exorbitant costs ensue when you test updates. The obvious thing to do is, in some way, compare the values for each product:
    (number of releases) * (cost of testing each release) + (probability of threat between releases) * (cost of compromise)

  14. Re:I am sorely tempted... by jd · · Score: 2, Interesting
    I respect Theo as someone who gets things done, as someone who is great on the frontier of computer security, and as someone who is absolutely essential if software security is to be done right.


    I neither respect him NOR those who follow him for their attitudes, however. I don't know how long Theo's been in programming, but I believe it likely that I've hacked for longer, better and over a wider range of architectures and programming languages. I've probably worked on a wider range of networking infrastructures, a wider range of Operating Systems and in far more countries than most of the OpenBSD and OpenSSH folk.


    Does that give me airs? No. Does that give me the right to question tactics? Oh, certainly. What use is having breadth of knowledge if you never employ it to correct those with depth of specialised knowledge? Specialists are great, nothing wrong with them and you often NEED them, but specialists need generalists in order to make the best use of their skills. Too limited a horizon can make for bad decisions that simply aren't visible to specialists.


    A broad horizon, on its own, is equally useless, as you don't get the depth of vision. The ideal is for generalists and specialists to work together, each complementing the other's skill sets. When that does not happen, the specialist needs to go first; the generalist can then make adjustments, but eventually you'll need to go back to a specialist to progress beyond a certain point.


    The FOLK version of OpenSSH is the generalist stage. It will work towards making a more generalized OpenSSH, with a greater range of features, but sooner or later it will need to either re-merge with the classical OpenSSH -or- have a Theo-like person to take over, to drive it to where it needs to go. This is merely a course correction fork.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  15. Re:What else would SSH Communications say? by bnjf · · Score: 2, Interesting


    So when will PuTTY have a "start file transfer here" option?

    Oh right, when I write it!!