SSH Claims Draw Open Source Ire
JDStone writes to tell us eWeek is reporting that claims by SSH Communications, the creators of SSH, that OpenSSH is not an 'enterprise-class product' are being met with a great deal of resistance. Theo de Raadt, of OpenBSD fame and a member of the OpenSSH development team, was quoted saying "OpenSSH is built into all Unix and Linux vendor operating systems, and is also built into almost all larger managed network switches, from Cisco through Foundry. It comes on Linksys and D-Link wireless and security routers too."
I'm sure SSH Communications stands to make more money if they can discredit a free, opensource product.
They are selling a product and they will say that to sell their product. Come on what else would you expect. This is like MS saying Windows is more Secure than Linux even though everybody knows the truth.
Are they implying the DOD isn't an Enterprise class network?
They claim that it's an enterprise product, another class of software than OpenSSH. They don't seem to have much of an argument for why it's so much different. The only comparison they manage to draw is that OpenSSH doesn't have very good SFTP, which they neglect to back by any comparison to their own. Straw man at best it seems. Anyway, what is so 'enterprise' about it that OpenSSH doesn't have? Seems to me that every 'enterprise' server running a *nix has it, so doesn't that make it enterprise enough?
The only way to tell the difference between a hamster and a gerbil is that the hamster has more white meat.
In other news, Axe body spray doesn't get you laid, and Red Bull doesn't give you wings.
Hey, I'm all for OpenSSH - use it every day on almost any PC I touch, but "ready for enterprise" can have more meanings than just how secure/usable a product is.
What may be missing from OpenSSH (and I'm not claiming to be an expert - just a user) is an enterprise manager ... which it sounds like the Commercial SSH version may offer.
I'm sure there's a way to enterprise-manage ssh other than passing keys around. But it doesn't seem to come out-of-the-box with OpenSSH just yet.
that "Enterprise class" is management-speak for pay-through-the-nose. There has been and always will be a deep suspicion against low-cost or free (as in beer) products. There's plenty of stuff on the market that people can't give away that is sold to schmucks everywhere.
I realise I'm displaying my ignorance here but it should hopefully prove a point. I've used OpenSSH for years and until now I had no idea they didn't develop the protocol or that a commercial variant existed.
Couple that with the sheer number of servers and distributions using OpenSSH and the statements by Byron Rashed seem to have the ring of sour grapes.
Enterprise-class is management speak for "has a pretty GUI that a monkey can use". If one is managing thousands or tens of thousands of accounts, one doesn't want to pay somebody big bucks to do it using Open Source if said open source requires an $80k/yr person to administer it. It's a TCO calculation, nothing more.
Not that I'm defending SSH, but it really depends on what specifically you are speaking of when it comes to comparing the offerings of OpenSSH and SSH Communications. The two products are fairly similar for base installs and function about the same. The problems with OpenSSH come into play in the enterprise when you want to manage the SSH installs globally or integrate the SSH server with other products.
Two examples from my own experience. We attempted integration with RSA, and OpenSSH had significant problems that we had to resolve; in the end we could not resolve the final problem, which was that a session would hang after exiting the shell if the session was authenticated using the RSA PAM module.
The other example is related to distribution and configuration management. We have started using SSH Communications' central management center to distribute new versions of Tectia server as well as centrally manage the configuration for Tectia/ssh. This has reduced our management overhead considerably. This is an "enterprise" feature.
--russ
Did Darl finally move on to another project and change his name?
s/It comes on Linksys and D-Link wireless and security routers too/Don't forget about Poland
Come on. Stop feeding the troll. He's a marketing droid. He comes from a tradition of making outlandish claims or, at best, distortion of the truth. It's his job to drive sales for SSH. We should treat what marketing people say the same way we treat any advertisement. Take it with a block of salt. Obviously an open source implementation of SSH competes, and has done so very successfully, with SSH. This is their attempt to win back the market. It's not worth giving too much thought to.
You can tell the difference between news and Public Relations fairly easily these days. Either can look at a controversy like "SSH is enterprise-class software" (whatever that means, exactly). PR publishes a story about how one party claims it isn't, and another party irately claims it is, without telling the story of whether, in fact (or even in reliable opinion), it is or not. Actual news reporters investigate what "enterprise-class software" is, compare SSH to that, and tell the story of the software. Even including the opinions of experts, and inexpert stakeholders in the debate.
We know that eWeek, like most IT press, is PR. But it's instructive to compare eWeek's obvious PR to "mainstream media", which is now mostly just PR. Real reporting keeps the "fairness and balance" in the process of determining the real story. Then it tells the real story, with evidence and witnesses to back it up. PR, and most MSM, just spouts endless hours of newscycle reiteration of "sources" promoting their versions of the story.
That's because almost everything that's 'enterprise-class' is crap.
Sheesh. If I had a nickel for every time upper management was impressed into buying a 3-million dollar equivalent of syslog, I'd be back in the dot-com boom.
for quite a number of years. In networks both big (huge) and small (just to the room next door). And to be honest they are both pretty much configure and forget. But if I were deploying a world class enterprise, I'd stick with OpenSSH. If for no other reason than it is an off-shoot of the OpenBSD project, and using that has convinced me what a truly first class OS looks like. OpenSSH is enterprise ready enough for virtually anyone on this planet.
Why are you so afraid of cookies? Just mark the file read-only or immutable (via chattr). You get the benefit of the cookie while your browser is open, but close the browser and re-open it and your previous sessions cookies are all gone.
Marketdroids call things "Enterprise class" to appeal to PHBs who grew up with Star Trek.
Your informed opinion has no place in a Slashdot discussion.
I believe that I applied for an exemption for this term when I originally set up the ad with AdWords, but it's been running for months quite happily without bothering anyone.
When I Google for "enterprise-level" I (of course) get loads of hits discussing enterprise-ready email, whether Linux is enterprise-ready, firewalls & stuff, but I see the only advertiser is Enterprise Rent-A-Car UK. That makes me extremely tempted to trademark the term in the context of ADSL modems & then file a complaint about the Ford-pimping bastards. At least that way I might get a dialogue going with Google - as it is I confidently expect any complaints or protests about the matter to be ignored or get auto-responses; if I create a new advert with the words it gets suspended within half an hour.
If there's anyone reading this who works at Google then I'd be extremely grateful if you could have a little word with your censorship department for me, or give me a direct email address for them. Having an advert claiming "Outstanding Linux-support" simply doesn't satisfy me the way "Enterprise-level Linux support" does. And hey! Linux is a trademark, so I guess they'll be censoring that next week!!
Thank you for ignoring this rant. Please moderate it "funny" because I surely won't be so miffed at Google next week.
You've been trolled. The openssh code base has plenty of comments, and it's a joy to read for most C programmers. It's nicely formatted, with plenty of consistency and thought put into the layout.
That's funny. I just looked at the source myself, and I saw plenty of comments. Not only that, but it was the furthest thing I could imagine from "spaghetti code". Very modular with a clean API.
But since this is slashdot I think concrete examples are in order. Let's say we want to find out about the buffer routines; where do we go? Oh, buffer.c. I wonder what is in that file?
Well, look at that! It's the buffer management API! WOW! Who would have thought it!
So, we want to add some data to an existing buffer. What function should we use? buffer_init()? No... the comment says /* Initializes the buffer structure. */ - clearly not what we want. Looking down we see buffer_append(). That sounds promising. But we can't expect people modifying the code to actually take the time to read and understand it, can we? So let's look at the comment to make certain sure. /* Appends data to the buffer, expanding it if necessary. */ I'm not sure, but I THINK that might just do what we wanted.
WOW, that was SO hard, not helped one bit by all that blatant spaghetti code and total lack of comments!
This is just stupid. There are open source products out there that are clearly good enough to be used in "enterprise" settings and OpenSSH is one of them (Apache, Perl, Linux being some others). I've looked at what commercial SSH vs OpenSSH offers and I honestly can't think of a reason to use the commercial product. I agree (for once) with Theo and ask if it's not "enterprise class", why would O/S vendors include it in their products (Sun, Redhat etc)? For the record, all of my Solaris systems run OpenSSH supplied by Blastwave and the Linux machines have it already. It's all about the right tool for the job and open vs commercial is a secondary consideration (IMHO) over utility. In this case, the open source offering is at least as good as the commercial product.
What extra features do you need out of SSH anyway? I ask not to be a smart arse, but as a genuine inquiry.
Gentlemen, behold! A troll being marked Insightful on Slashdot! OpenBSD are the ones with KNF, that's Kernel Normal Form, the style that all code in the base operating system (which includes OpenSSH) must conform to.
OpenSSH is limited to IPv4 and IPv6. Limited? Well, yes. Linux supports many non-IP stacks, as do other *nix OSes. So long as you have some component to handle the making of connections and the sending of packets, the rest of OpenSSH doesn't need to care what sort of network you're using or what the transport mechanism is.
I believe OpenSSH can take advantage of some crypto hardware, but I don't recall seeing any announcements that it could use crypto drivers (or crypto functions) in the OS. It links to OpenSSL, but I don't recall seeing any provision for GnuTLS.
Is it the best crypto package out there (SSL included)? Yes. Is it the best it could be? Not by a long shot. Is it the best that it should be, given the code available (both for OpenSSH and as related libraries)? Not even close.
OpenSSH is every bit as "enterprise" as SSH - in fact, for some things, I'd say more so. Does that give the OpenSSH team any excuse to slack off? No - they should be so far ahead, by now, that SSH seems as ancient as the Pyramids and as user-friendly as a unicycle NASCAR.
Of course, we could settle the dispute by bribing^H^H^H^H^H^H^Hlobbying to make IPSec a Federally-mandated standard for all Internet-based computers. Then application-level crypto would cease to be important and we could get onto something useful, like Microsoft-bashing.
I'm sure there's a way to enterprise-manage ssh other than passing keys around. But it doesn't seem to come out-of-the-box with OpenSSH just yet.
Kerberos. Its implementation in OpenSSH is a good example of how they specifically support enterprise admin. Kerberos is fairly poor security-wise, using symmetric encryption and hence holding copies of user passwords on the server. It's poor security according to those with high standards, and inferior to PKI according to everybody. But OpenSSH supports it, because Kerberos is the most popular single sign-on method used at corporates.
Interestingly, OpenSSH's market share is something like 76% of all SSH servers.
I'm really not trying to post flamebait here, but GAH, the people who work on that thing should hang their heads in embarrassment. Spaghetti code, no comments -- I'm talking a total mess. I was actually just looking for the code that clears the screen when you log out of a session (because I actually hate the automatic clear screen, and was hoping there was an option for it). I finally gave up in disgust.
And this comes from a person who looks into OpenSSH source instead of .bash_logout. It must be credible source review, really...
Byron Rashed, senior marketing communications manager of SSH Communications Security, claimed that SSH's product is better suited for enterprise-scale business applications than a similar open-source product from OpenSSH.
Since when do we care what a Marketing manager says about anything.
Often it's "enterprise" because it makes managing your enterprise easier. Not something home users would care much about, but in a large environment it's valuable. Like we use Ghost Enterprise Server here for PC work. The way it works is you install a Ghost client on the computers (if they run a supported OS) or boot from a Ghost boot CD/USB key (if they don't) and then the server can start Ghost tasks. It can pull and push images to many systems at once, all remotely. So if someone screws up a system (which happens in student labs) we can get it back up quickly; if we need to switch a lab over for something (like switch a Windows lab to Linux for a presentation), no problem.
Now it's nothing we couldn't do by hand, of course, and something we could probably hack together from freely available software. However the advantage here is that it's ready to go as is. Given that we do not have the time to mess with this kind of thing, it's worth the money to us.
Now I'm sure some enterprise software is pure fluff, but often the "non-enterprise" solution is woefully short on capabilities. It'll have all the technical stuff it needs, but lack in the ease of configuration, use and management. If you are running one server for yourself, you can tinker with nitpicky shit as much as is required. However, when you run 1000 systems that's just not the case. You don't have that kind of time. You need to be able to centrally deploy and manage shit easily.
That's the whole point of things like LDAP (or Microsoft's version of it, Active Directory). Sure, you could keep a local user DB on each computer, and just update it as needed. Works fine, needs no new software. However, that gets to be a bitch if you are talking 500 computers and 3000 users. Much better to have a central system. In our case, we pay Sun for a product that syncs our Active Directory to our Sun LDAP database. Could we do it manually? Sure. Could something have been hacked to do it? Yeah, but we lack the time, and the personnel, to do that. Better to just pay Sun for it.
What a dumbass.
If you can't figure out how to keep your screen from clearing (hint: NOT because of ssh) then what judge are you of the source code?
Ever seen the source code of the commercial SSH? Hmm. Is it even using the proper encryption algorithms? Is there a back door? We are talking heavy duty ENTERPRISE security here. You trust that level of security to a product that claims to protect your communications? Why not trust it to a product you KNOW protects your communications, because you can look right there in the source and then compile it yourself.
Key-generation: there are TONS of ways to generate a key. All of them will give you a key in the end, but the process leading up to it can be done in different, and variously secure, ways. Faster ones will use a Pseudo-RNG (insecure), while slower ones will use network events (semi-real-random, and far more secure), or something like mouse movements. Really, you can't compare the two.
File copying: again, it's MOSTLY a function of the encryption algorithm. If you're using a simpler, and less-secure algorithm, you'll get faster transfers, and less CPU utilisation doing those transfers.
It's this kind of thing that Microsoft uses when comparing, for example, IIS and Apache. Their comparisons using HTTPS were done with different hash and encryption algorithms, which make up a HUGE portion of the resource utilisation.
They're groups of people. They get together and decide what to do. Usually the controlling body of shareholders says "do wtf you want as long as I make oodles of money".
If the corporations, the groups of people, are soul-less ... that's because the individuals don't bring their souls into their finances. Spending power can change the world. Look at the Fair Trade movement (http://www.fairtrade.org.uk/) ... heck, don't just look, do something about it.
People hide within the group and don't care if they have Nike shares and Nike abuses child labour (an example from the 90's). The people say "great, more money for me"; then when it becomes public they say "oh, shame on Nike".
What is possibly worse is that we, as consumers, say "you're doing great" by buying the mega-corps' products. There are few markets where there isn't a _more_ ethical alternative.
We attempted integration with RSA and OpenSSH had significant problems that we had to resolve and in the end we could not resolve the final problem which was a session would hang after exiting the shell if the session was authenticated using the RSA PAM module.
I had that problem too... we fixed it by turning on PrivilegeSeparation (I know the RSA docs say to turn it off, but ignore that).
In any event, that's a problem with RSA's buggy PAM module, not OpenSSH.
The commercial ssh.com site appears to draw a bigger audience (and thus a better Alexa ranking) than the free openssh.com site. If the more popular, better-known software (ssh, commercial) wants to call attention to a free competitor (openssh, free), that's their mistake, and I hope the openssh community benefits from it!
Out of every company in the world, which is the last you would expect to not provide a cryptographically signed package?
RSA's own PAM modules for RHEL are distributed as an unsigned tarball. Along with the stuff you're telling me above, I don't really have much trust in RSA as a security company (and hence any trust in RSA at all).
There's a lot of exaggeration and vagueness on both sides of this little tempest. What suffices for one enterprise may not for another, so it is certainly silly for ssh.com to claim that OpenSSH is not "enterprise-class" -- as Theo and others rightly point out, OpenSSH is used successfully in many large contexts. On the other hand, it is a fact that Tectia has a number of features OpenSSH lacks, some of which are particularly relevant to large organizations (which is not the same as simple widespread use). Here are a few of them:
* PKI support
Tectia can use X.509 certificates for both client and server authentication. To add a new SSH server or change an existing one's host key, all you need do is issue a certificate for it. Clients need only have a copy of a single public key: the issuing CA certificate. No constantly shifting mess of per-user and per-host known-host files to try to keep in sync, no spurious "unknown host" or "host key changed" messages confusing users and teaching them to ignore security warnings. It just works.
For client authentication, there are no burgeoning copies of authorized_keys files lying around, unmanaged, needing to be individually tracked down whenever you want to turn off someone's access: instead, you can simply revoke the user's certificate. And flexible rules can grant access based on certificate attributes, like "anyone in the Foo Department can log into this host."
The distributed-trust problem has been addressed abstractly by systems like PKI and Kerberos. In a large (or even medium) scale environment, you want to tie applications such as SSH into these systems, not have each one use its own ad-hoc mechanism.
Note that both OpenSSH and Tectia support Kerberos. There is some variation in how well they use it to address the above problems, though, and I won't get into that here.
* Greater configuration flexibility
With the Tectia SSH server you can:
+ Modify almost all server parameters based on the client hostname and address, or properties of the requested account (username and group membership). Thus you can arrange that accounts in one group permit password authentication, while those in another group require public-key -- or that connections coming from your internal network allow a wide range of ciphers, while those coming from the outside require a smaller, stronger set. You can accomplish some of this type of thing with OpenSSH, but generally you have to run multiple instances of the server on different ports.
+ Exert finer-grained control over what kinds of SSH services you provide. You can forbid terminal access while still allowing sftp, for example, by simply rejecting the corresponding SSH protocol requests (shell and exec channels), rather than resorting to custom shells or other hacks that have unwanted side effects.
+ Control port forwarding with ACLs that include permit/deny statements and patterns matching user, target hostname, IP address, etc.
+ Require multiple forms of authentication for access (e.g. password and public-key).
* SOCKS support for outgoing SSH connections (note this is different from the OpenSSH -D feature, which Tectia has also).
* "chroot"-ed logins
* Integrated support for RADIUS authentication
* Support for Windows-native Kerberos. Although OpenSSH can be built with Kerberos support on Windows (with Cygwin), it does not
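As an added illustration, not part of the thread or of either vendor's documentation, here is an sshd_config fragment showing how later OpenSSH releases cover several of the items in the list above (CA-issued certificates with revocation, per-group and per-source policy via Match blocks, sftp-only chrooted accounts, forwarding ACLs, and multi-factor authentication). Group names, address ranges and file paths are hypothetical placeholders; note that Ciphers cannot be set inside a Match block, so per-source cipher policy still needs separate server instances as the post says.

```conf
# Added example (not from the thread): sshd_config fragment. All group names,
# address ranges and paths below are hypothetical placeholders.

# --- Host side of the PKI point -------------------------------------------
# Present a CA-signed host certificate. Clients trusting the CA need only one
# known_hosts line and never see "unknown host" / "host key changed" prompts:
#   @cert-authority *.example.internal ssh-ed25519 AAAA...   (CA public key)
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub

# --- Client side of the PKI point -----------------------------------------
# Users present certificates signed by the organisation's SSH user CA instead
# of raw keys copied into authorized_keys on every host.
TrustedUserCAKeys /etc/ssh/user_ca.pub
# Per-account list of certificate principals allowed to log in (role-style
# rules such as "anyone with the foo-dept principal may use this account").
AuthorizedPrincipalsFile /etc/ssh/principals/%u
# Access is withdrawn by revoking the certificate: KRL built with ssh-keygen -k.
RevokedKeys /etc/ssh/revoked_keys.krl
# Take raw authorized_keys out of the picture so only CA-issued identities count.
AuthorizedKeysFile none

# --- Global defaults: strict -----------------------------------------------
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding no
PermitTTY yes
KerberosAuthentication no
GSSAPIAuthentication no

# --- Per-source and per-group policy (Match blocks are evaluated in order and
# --- the first block that sets a keyword wins, so the source-based rule goes
# --- first) ------------------------------------------------------------------

# Anything not from the campus range: certificate/key authentication only.
Match Address *,!10.0.0.0/8
    PasswordAuthentication no
    AuthenticationMethods publickey

# Internal staff: password is accepted only in addition to a key (two factors).
Match Group staff
    PasswordAuthentication yes
    AuthenticationMethods publickey,password

# Contractors get sftp only: no shell, no pty, no forwarding, confined tree.
# (ChrootDirectory must be root-owned and not writable by others.)
Match Group contractors
    ForceCommand internal-sftp
    PermitTTY no
    AllowTcpForwarding no
    ChrootDirectory /srv/sftp/%u

# Operators may forward ports, but only to the listed targets (a forwarding ACL).
Match Group operators
    AllowTcpForwarding yes
    PermitOpen 10.1.0.10:5432 10.1.0.11:3306

# Corporate SSO: allow Kerberos/GSSAPI only on the internal range.
Match Address 10.0.0.0/8
    GSSAPIAuthentication yes
```

Run `sshd -t` after editing to have the server syntax-check the file before reloading.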
... that "Enterprise Class Product" refers to the license cost, not quality or features. SSH Communications is right. OpenSSH doesn't cost enough to be "Enterprise Class".
If they want people to buy a commercial version of SSH then they should provide something of value that OpenSSH does not provide!
Ideas...
1. How about a hardware based SSH accelerator for fast SFTP/SCP transfers?
2. GUI configuration in X/QT/GTK... etc.
3. Performance monitoring tools
I pulled these out of my ass in 3 seconds. None of them may be worth the time but you get the idea!
Not sure what Online in Hazardous environments means. There's only a partial explanation; one additional interpretation would have all of the Internet hazardous because of crackers. I like how some companies beat you over the head with "you can't sue anybody" then neglect to mention you can't really sue them either. It's a true statement of most OSI licenses, but it's no worse than theirs in that regard.
Your "homepage" points at http://localhost/. For most normal network devices, the hostname "localhost" will resolve to the same device, typically using IP address 127.0.0.1. That means that if anyone clicks on your link, they'll be connecting to themselves!
Do you see how explaining at length a readily apparent joke is neither funny nor insightful? That indeed it is scarcely worth the time it takes to type and certainly contributes nothing to the signal-to-noise ratio here? You have a five digit uid, you can do better than this.
You're welcome
As far as security is concerned, is centralised (update and configuration) management not an additional vulnerability? If an attacker can attack the centralised control then they have just subverted all the systems managed by it.
I neither respect him OR those who follow him for their attitudes, however. I don't know how long Theo's been in programming, but I believe it likely that I've hacked for longer, better and over a wider range of architectures and programming languages. I've probably worked on a wider range of networking infrastructures, a wider range of Operating Systems and in far more countries than most of the OpenBSD and OpenSSH folk.
Does that give me airs? No. Does that give me the right to question tactics? Oh, certainly. What use is having breadth of knowledge if you never employ it to correct those with depth of specialised knowledge? Specialists are great, nothing wrong with them, and you often NEED them, but specialists need generalists in order to make the best use of their skills. Too limited a horizon can make for bad decisions that simply aren't visible to specialists.
A broad horizon, on its own, is equally useless, as you don't get the depth of vision. The ideal is for generalists and specialists to work together, each complementing the other's skill sets. When that does not happen, the specialist needs to go first; the generalist can then make adjustments, but eventually you'll need to go back to a specialist to progress beyond a certain point.
The FOLK version of OpenSSH is the generalist stage. It will work towards making a more generalized OpenSSH, with a greater range of features, but sooner or later it will need to either re-merge with the classical OpenSSH -or- have a Theo-like person to take over, to drive it to where it needs to go. This is merely a course correction fork.