OpenBSD Journal

eWEEK: SSH Claims for New Secure Shell Draw Open-Source Ire

Contributed by dhartmei on from the yapping-from-the-underdog dept.

Steven J. Vaughan-Nichols writes on eWEEK:
Byron Rashed, senior marketing communications manager of SSH Communications Security, claimed that SSH's product is better suited for enterprise-scale business applications than a similar open-source product from OpenSSH.

[...]

These comments raised the ire of Theo de Raadt, leader of the OpenBSD operating system and a member of the OpenSSH development team.

"OpenSSH is built into all Unix and Linux vendor operating systems, and is also built into almost all larger managed network switches, from Cisco through Foundry. It comes on Linksys and D-Link wireless and security routers too," said de Raadt.

Rashed's points don't seem to impress. Indemnity insurances? Those don't cover you getting owned through holes in rarely-used, barely-audited closed source, do they?

Comments
  1. By Noryungi (213.41.135.193) n o r y u n g i @ y a h o o . c o m on

    Seriously, though, the claims made in the article by the product manager of SSH Communications are laughable.

    According to the article, OpenSSH represents 87% of the SSH servers. SSH Communications is only 7%. So who is the market leader?

    Even if you don't believe these numbers, ask yourself this question: do you know anyone who actually uses SSH Communications products? Even on Windows, most people I know use PuTTY, and not the free SSH client. Let's not even get into the server domain, where OpenSSH beats the pants off SSH Communications. For instance, I have 20+ machines here and all of them run OpenSSH, including the Solaris servers.

    Frankly, this type of provocative declaration smells like desperation to me: they have seen their market share go from 100% in 1999 (when OpenSSH was first released) to 7% today. That must hurt. And so, they send out someone who probably has no idea what he is talking about to tout their superior software. Right. And you expect me to believe this?

    As far as the indemnification goes, this is again ridiculous: most laws cited in the article (Sarbanes-Oxley), as far as I know, cover the privacy of personal data, and not the connection to a given server. Not that there is anything wrong in using OpenSSH to protect data transit, but [Closed|Open] SSH is certainly not enough on its own to satisfy the law's requirements.

    All in all, that type of posturing is totally empty. SSH Communications has lost. OpenSSH has won. End of story. Reading this article made me understand why Theo comes off as angry so often.

    Comments
    1. By Anonymous Coward (194.29.97.139) on

      One thing I would like to see for OpenSSH is some sort of central management: right now I am at a site with around 100 Unix servers (mostly AIX and Tru64), and every time I have to work for the first time on a certain server or as a certain user, I have to set up the key authentication...

      Comments
      1. By Anonymous Coward (206.186.114.231) on

        Yes, but it is more secure after you initially set it up. If it really bothers you that much, then a few clever scripts can automate most of the hassle.

      2. By djm@ (203.217.30.86) on

        Keep a central repository of configuration files (e.g. in CVS) and rdist them out? Should take all of 15 minutes to set up.
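        One way to do what djm describes, as an added example that is not the thread's or the OpenSSH project's own code: a POSIX sh script that assembles per-host authorized_keys files from a checked-out repository (the layout below is an assumption of this example) and pushes them with plain ssh instead of rdist, refusing malformed keys, installing atomically with mode 0600, and checking the remote copy against the local one.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH. Assumed repo layout:
#   keys/<admin>.pub           one public key per administrator
#   hosts/<host>/<account>     admin names allowed to log in as <account> on <host>
set -eu

# Accept only key types OpenSSH understands: "type base64 [comment]".
valid_pubkey() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# build_authorized_keys REPO HOST ACCOUNT OUTFILE
# Assembles OUTFILE from the admins listed for ACCOUNT on HOST. Fails (non-zero)
# on a missing or malformed key so a bad repo never yields a partial file.
build_authorized_keys() {
    repo=$1 host=$2 account=$3 out=$4
    list="$repo/hosts/$host/$account"
    [ -f "$list" ] || { echo "no admin list for $account@$host" >&2; return 1; }
    : > "$out.tmp"
    while IFS= read -r admin; do
        case $admin in ''|'#'*) continue ;; esac        # skip blanks and comments
        keyfile="$repo/keys/$admin.pub"
        [ -f "$keyfile" ] || { echo "no key on file for $admin" >&2; return 1; }
        key=$(head -n 1 "$keyfile")
        valid_pubkey "$key" || { echo "malformed key for $admin" >&2; return 1; }
        printf '%s\n' "$key" >> "$out.tmp"
    done < "$list"
    chmod 0600 "$out.tmp"
    mv "$out.tmp" "$out"                                 # atomic replace
}

# push_authorized_keys HOST ACCOUNT FILE
# Installs FILE as ~ACCOUNT/.ssh/authorized_keys on HOST over an existing
# root connection and compares checksums afterwards. Host keys must already
# be known: a new or changed host key aborts the push instead of prompting.
push_authorized_keys() {
    host=$1 account=$2 file=$3
    want=$(cksum < "$file" | cut -d' ' -f1)
    got=$(ssh -o StrictHostKeyChecking=yes -o BatchMode=yes "root@$host" "
        set -e; umask 077
        home=\$(awk -F: -v u='$account' '\$1 == u { print \$6 }' /etc/passwd)
        [ -n \"\$home\" ] || exit 1
        mkdir -p \"\$home/.ssh\"
        cat > \"\$home/.ssh/authorized_keys.new\"
        mv \"\$home/.ssh/authorized_keys.new\" \"\$home/.ssh/authorized_keys\"
        chown -R '$account' \"\$home/.ssh\"
        cksum < \"\$home/.ssh/authorized_keys\" | cut -d' ' -f1
    " < "$file")
    [ "$got" = "$want" ] || { echo "checksum mismatch on $host" >&2; return 1; }
}

# make_demo_repo DIR: a constructed sample repository for trying the script.
# The key blobs are placeholders in valid base64, not real keys.
make_demo_repo() {
    d=$1
    mkdir -p "$d/keys" "$d/hosts/db1"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERalice0000000000000000000000000 alice@adminws' > "$d/keys/alice.pub"
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERbob00000000000000000000000000== bob@adminws' > "$d/keys/bob.pub"
    echo 'ssh-dss-rsa not-base64!! mallory' > "$d/keys/mallory.pub"   # will be rejected
    printf '# admins allowed into oracle@db1\nalice\nbob\n' > "$d/hosts/db1/oracle"
    printf 'alice\nmallory\n' > "$d/hosts/db1/root"
}

# Usage: sh keydist.sh REPO HOST ACCOUNT [push]
if [ $# -ge 3 ]; then
    build_authorized_keys "$1" "$2" "$3" "authorized_keys.$2.$3"
    if [ "${4:-}" = push ]; then
        push_authorized_keys "$2" "$3" "authorized_keys.$2.$3"
    fi
fi
```

Run `make_demo_repo` on a scratch directory to see the oracle list build and the root list fail on mallory's malformed key; with the repository under CVS, the push step is all that remains per host.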

      3. By Anonymous Coward (81.164.83.151) on

        man keynote

        There's an entire full-fledged trust management system built into a base OpenBSD install, which is already nicely used by isakmpd, for example. KeyNote allows keys as variables in arbitrary policies and credentials, as well as regexes and other nice things.

        it's a pity this is never seen in use on an openbsd install...

      4. By Tim Adams (82.153.185.73) tim.adams@proatria.com on www.proatria.com

        We have released a product for this purpose (sorry to say it is commercial but has a radical pricing structure).

    2. By Anonymous Coward (194.103.189.24) on

      There is actually one platform, to my knowledge, where OpenSSH can't run, and that's OpenVMS... And I must work against a few machines that run this enigmatic OS.

      While the SSH server and client say that they're copyrighted by HP, a simple comparison shows the truth: the actual implementation comes from ssh.com.

      It's so unbelievably featureless, badly coded and badly documented that running OpenSSH under Windows makes you feel at home... And that's bad.

      In the first release sftp wouldn't even connect between different OpenVMS servers... I almost went into a ballistic trajectory.

      Comments
      1. By Anonymous Coward (141.157.218.229) on

        And Plan9. I must say though that F-Secure's SSH server is well enough for most people's needs (from what I have seen in running VMS boxes) on OpenVMS

    3. By Anonymous Coward (141.149.196.50) on

      You are a moron. SOX has nothing to do with personal information. 404 of SOX has to do with internal controls over financial reporting. Sarbanes is about corporations not your mom's SSN. Your boxen probably get 0wned nightly if you admin them the same way that you read... Please do not vote

      Comments
      1. By Byron Rashed (68.225.248.57) on

        Regretfully, you are half right... SOX 404 does have implications for securing confidential data. Understand, laws are interpreted, and sometimes the outcomes are very different. I would also appreciate it if you would please keep your comments about me a bit more polite, as I am doing to you... I would appreciate that.

    4. By Anonymous Coward (24.89.16.143) on

      "do you know anyone who actually uses SSH Communications products?"

      Yes the federal government.
      They have thousands of hpux machines running tectia, and I hate working with all of them.

      HP and SSH must have had good salesmen, I guess.

      Comments
      1. By Byron Rashed (68.225.248.57) on

        Many of the fortune 500, major universities, governments and healthcare facilities are the top clientele and do like the product.

  2. By Han (82.73.147.65) on

    Don't expect a salesman to speak the truth.

    Comments
    1. By Byron Rashed (68.225.248.57) on

      Engineer by trade, sorry to disappoint you!

      Comments
      1. By Daniel Hartmeier (62.65.145.30) daniel@benzedrine.cx on http://www.benzedrine.cx/dhartmei.html

        According to this, you're "Senior Marketing Manager". That counts as "salesman". BTW, why post from a generic residential IP?

        Comments
        1. By Byron Rashed (68.225.248.57) on

          Yes, but my roots are in engineering, I just support sales as well as the technical people when needed. I'm not hiding, I have responded to most of the concerns as you can see.

          Comments
          1. By SH (82.182.103.172) on

            Having roots in engineering is common in Scandinavia. I'm sure that having an engineering background is very helpful, but a sales person is still a sales person.

            Comments
            1. By Byron Rashed (68.225.248.57) on

              I'm a US Citizen, born and raised.

              Comments
              1. By Luiz Gustavo (200.142.97.50) on http://hades.uint8t.org

                I can see that certain features of ssh.com can be interesting for some kinds of enterprise customers, but downplaying OpenSSH could be a mistake.

                Comments
                1. By Byron Rashed (68.225.248.57) on

                  Hello Luiz. As you can see, I am trying to answer the concerns here on the article and have been very pro-active. In no way was I intentionally downplaying OpenSSH; please see my comments on OpenSSH and Open Source. I do have quite a bit of respect for these organizations; there are some very brilliant people that work on these projects. Byron

  3. By Chas (147.154.235.53) on

    Let's face it, SSH Communications sealed their own fate when they took their codebase private. They could have offered a basic, open version of SSH for free (and a paid version with more features), and OpenSSH probably never would have gotten off the ground.

    Instead, they closed and then harassed the fork (remember the trademark dispute here, and here, and here?). Honestly, what did they think would happen, other than ensuring their own irrelevance?

    Comments
    1. By DS (206.132.94.6) on

      Desperation, pure and simple.

      I wish they could leave it at the fact that their product provides so little value over the BSD-licensed OpenSSH that they will have to dwell in their now niche market. I'm surprised that we have to resort to pulling out things like OpenVMS and Plan9 to show cases where there are legitimate uses for their product. Cheers to OpenSSH and the devs that produce it. It is an impressive application and for obvious reasons has knocked ssh.com's product out of the stands.

      As for the bit about Enterprise-wide management, is it *really* so difficult to log into a server the first time and set up your key? I thought for a time about setting up my siteXX.tgz file with a pre-populated home directory, complete with public key, so I could avoid it... but it turns out to be too much effort for something that simple.

      Comments
      1. By Anonymous Coward (171.161.96.10) on

        Well, I think they both do have their place. Tectia Manager does a lot more than upload keys. I am not trolling for Tectia by any stretch, I like OpenSSH a lot, but the reality is that in a large enterprise environment with regulatory requirements, strict change control, and admin ratios of 1 admin per 100-150 servers, maintaining openssh/openssl gets to be quite a chore, especially when you are dealing with 8-9 different Unix platforms that all have to compile and package the portable version... and Windows servers need to go to a 3rd party altogether. While proactive security is outstanding with OpenSSH, it's only as good as an organization's ability to keep the software up to date. By default OpenSSH doesn't use IETF keys, and SCP does not conform to IETF SEC-SH either. Even RedHat has raised Theo's ire by removing ciphers. And OpenSSH is not available from the project for Windows. And OpenSSH doesn't do PKI with digital certificates, doesn't use subconfigs, which are different than user-specific configs. IdleTimeout does not exist in OpenSSH; it's left up to the user's shell. When you get a chance, look at the crypticore offering which SSH has but OpenSSH does not: http://www.cryptico.com/Default.asp?ID=10 Anyway, all I am trying to convey is that in some cases the needs are different and there is really not a one-size-fits-all solution, and to blast the company that lays claim to "inventing" ssh is sort of lacking in merit, especially when Tatu's code is all over openssh.

        Comments
        1. By djm@ (203.217.30.86) on

          There is no ietf spec for scp. You might be referring to the ietf spec for sftp, and we conform just fine to one of its older versions - the newer versions are unbelievably bloated, so we haven't bothered to implement them.

          Comments
          1. By Anonymous Coward (194.103.189.24) on

            And OpenSSH's sftp client happens to be the only one (that I tried) that worked against the ssh mess on OpenVMS. Flawlessly. Kudos for that.

            For those that don't know their VMS: the filesystem doesn't look like anything you've seen before. Most clients barfed on that...

        2. By DS (70.176.59.72) on

          Why support Windows? It's not like there is a terribly useful shell environment to interact with, or X to support X11Forwarding with, and furthermore, why doesn't Microsoft implement it and build it into their OS, since the code is there and licensed for their taking? Don't act like you expect a development team that codes for a UNIX system to try to port their code to an environment they have no control over nor interest in. As stated earlier, there is no IETF spec for scp. Crypticore, blah blah, subconfigs blah blah, X.509 blah blah... if something's missing, by all means, submit a patch.

          Yes, there probably is a place for SSH.com's implementation. There will always be enterprisey shops looking for enterprisey, feel-good software that gives them meaningless warm fuzzies. The claim that they are better suited for the Enterprise based on the reasons they give is plain FUD:

          * different class of product that is more suitable for business-critical applications
          * [OpenSSH] does not provide very good SFTP or application connectivity usage
          * customers are now looking for Secure Shell programs with support and liability protection "due to compliance regulations and security audits."

          Come on already... has the guy ever actually *used* openssh or seen it in action? Has their indemnification bit ever been put to the test? Has OpenSSH's lack of indemnification ever been put to the test?

          This is really nothing more than trying to stir some controversy to help generate some market buzz around their new release.

          Comments
          1. By Byron Rashed (68.225.248.57) on

            Actually, I was not trying to create publicity; I was approached by two journalists on our press release. Believe me, I'm not opposed to OpenSSH, nor do I go out of my way to discredit it; these were questions asked of me by the author.

            Comments
            1. By Luiz Gustavo (200.142.97.50) on http://hades.uint8t.org

              Another victim of hype journalists looking for blood and FUD.

              Better luck next time.

          2. By Byron Rashed (68.225.248.57) on

            Actually, I have seen and used OpenSSH, so the answer is yes. I have also used and do use SSH Tectia. Both have great points to them, and again, comments like indemnity are not coming from me; they are coming from customers that I meet and see monthly. There are many features in SSH Tectia that are extremely useful for enterprise customers, and they do like them. If they did not, we would not be around for long. Basically, my comments are not my own, but those of customers that DO have great concern for liability and management.

        3. By Byron Rashed (68.225.248.57) on

          Thank you, exactly my point!! They both have their place. You make some good points about SSH Tectia and OpenSSH. SSH Tectia Manager is the pivot of the enterprise, and when you have tens of thousands of hosts, it's difficult to manage them. In reality, as I'm sure all of you know, most users don't really keep up with new versions (whether it be OpenSSH or SSH Tectia or another SSH product). The internal auditors are having a field day over this!! And this was my point in the article: not to say OpenSSH is bad or put it down in any way, just that SSH Tectia is more suited for the enterprise. Thank you for your comments and for really reading it carefully!

      2. By Anonymous Coward (141.157.218.229) on

        They don't support OpenVMS nor Plan9: OpenVMS uses F-Secure's ssh server, and Plan9 has its own ssh (which is broken, although a request is out to add support for sshv2).

  4. By Anonymous Coward (195.224.109.30) on

    > "OpenSSH certainly has its place, and we are not competing with them. " said Rashed.

    Yes, they are, or they would not have mentioned it.

    Comments
    1. By Byron Rashed (68.225.248.57) on

      Well, let me tell you we don't. The reason I mentioned it is because I was asked by the author.

  5. By Willem (81.204.188.152) on

    Time to listen to that OBSD 3.6 song again it seems to me :-)

  6. By Byron Rashed (68.225.248.57) on

    Interesting comments... please read the article again. As stated, we do not compete against OpenSSH; rather, our products are different. Admittedly, again, read the article, OpenSSH does have a larger base of users, no question. I think Theo might have misinterpreted the article and what it was saying. Liability is an issue as stated by numerous customers; this is fact. Internal audits have raised the need for an alternative (right, wrong or indifferent, that is what is going on; you and I don't make the rules). We provide an enterprise-class product that goes a bit further than other versions of SSH (including other commercial versions). That is what the article was truly about. OpenSSH certainly has its place (as I stated very clearly); my personal opinion is that there are many talented individuals that work in the open source community, and OpenSSH is no exception. I meet a number of open source contributors, and I do like sharing ideas and opinions with them; again, they are very intelligent individuals whose opinions I respect, and we have been very polite and light-hearted about our discussions. I hope I have clarified our position on this. Actually, I have an engineering degree and I am not a salesperson as stated in one of the threads, just to clarify.

    Comments
    1. By Wim (194.78.167.231) on

      Yes, you are right; from the market share numbers you are not competing with OpenSSH. You are losing.

      Comments
      1. By Byron Rashed (68.225.248.57) on

        Well, it's not a win/loss issue at all. OpenSSH has nothing to win, we have nothing to lose. OpenSSH is not a competitive company; it's a widely used utility, plain and simple. SSH Tectia is not a utility, and that was the point. Understand, the article was just to show that SSH Tectia is different than OpenSSH and the issues we see, that is all.

    2. By Bob Beck (129.128.11.43) beck@openbsd.org on

      > Liability is an issue as stated by numerous customers

      If by this you are referring to the good old issue of "who do you blame/sue for problems" - this is a classic vendor mind trick to get your accountants and auditors to say that somehow a commercial corporation will be there and accountable when their product doesn't work for you. All this while at the same time having a usage agreement on the product which (I'm sure, although I haven't seen it) says the product is not fit for any particular purpose, it is used at your own risk and you can't sue them over anything. Seriously. Show me the money. Let's whip 'em out and compare 'em right now. Where is the "Liability" advantage to using your product? Do you warrant your product as being fit for a particular purpose, and do your customers have recourses against your company if, for example, a security hole is found or used in it? We'll freely admit that OpenSSH is free - we don't provide any guarantees other than our reputations. But if you are truly going to start talking about "Liability" - what are you really bringing to the table there? Or are you actually changing the software industry by providing a warranty for your product against defect or unintended side effect? (If you truly are, I applaud you for it, something no commercial company I've seen has the balls to do - but I'm pretty sure you're not. Prove me wrong.) -Bob

      Comments
      1. By Anonymous Coward (63.192.41.46) on

        Actually, they do. It is common practice for large organizations to toss the EULA and force the vendor into a contract that defines specific remedies for things like indemnification, and fitness and merchantability. The point of the contract is to control the relationship. Basically, the EULA is for suckers, and a large org can run the table there.

        While comments above have more or less stated that indemnification is worthless... please keep in mind that rather than defending against a weak or baseless claim, a large org can foist off all litigation on the vendor should it ever arise. And win or lose, it still costs $$ to defend. Yes, it is sad, but the bean counters and risk management people see it as a benefit, and it helps when confronted with regulatory things to be able to offload risk.

        And, conceptually, any self-respecting geek has no problem saying up front "hey, we can patch and deploy in a jiffy... no prob". The reality is that in a large environment it's a lot harder than it sounds, and having a management piece that can do upgrades and ticket routing/approvals to assist with very strict change control requirements is pretty important.

        And things like the "tectia connector" with the ability to centrally manage an L-User sales/business dork's ssh tunnels is pretty nice.

        Where I work, for example, we use a mix of commercial and openssh, and sadly the OpenSSH stuff is about 0% (with about 8k servers running on just about any unix you can name) compliant with the organization's patching requirements (which are pretty lax to begin with). That's not to knock OpenSSH; it speaks more to an uber large shop's ability to maintain and deploy software. And in the end, the uber large shop can pay... so sometimes they do... (but they never pay full price either; not so bad when stuff can be had for 20-30% MSRP and an EULA-crushing contract)

        Comments
        1. By Byron Rashed (68.225.248.57) on

          Yes, you have it right. It's not a knock at all on OpenSSH; your points about SSH Tectia are exactly what the article was about. Thank you for your comment.

      2. By Byron Rashed (68.225.248.57) on

        Hello Bob. Thank you for your comments and questions. There are actually limited indemnity clauses and insurances that are available, so yes, it is true; I would not say it if it was not. Software contracts vary, but I have personally seen this. The issue does not stem from SSH Communications Security; it comes from customers and their management. Again, if this was not what was happening, it would not have been mentioned. The author asked about this since I'm sure he got some wind of internal audits, etc., and I answered truthfully.

        Comments
        1. By Terrell Prude', Jr. (151.188.0.233) on

          Mr. Rashed,

          You haven't answered Mr. Beck's question. What, specifically, is the "liability protection" that is included with the purchase of your SSH Tectia software? What, specifically, are the financial or criminal recourses that can be taken against your firm and its officers if a security hole is found in it and exploited? I'd like to see your actual, written liability-protection clause in your EULA. Would you please post it?

          Thanks,

          --TP

          Comments
          1. By Byron Rashed (68.225.248.57) on

            Hello TP, again, it depends on the contract, so it can vary. I would not, nor would I recommend to anyone, post a legal document anywhere unless they receive permission. There is usually quite a bit of negotiation during the contract phase, and again, it really does depend on many factors.

    3. By Peter W. Osel (12.36.118.167) pwo@Infineon.COM on http://pwo.de/

      > We provide an enterprise-class product that goes a bit further than
      > other versions of SSH

      So, in what ways? What are the enterprise-class features that your product offers?

      Comments
      1. By Byron Rashed (68.225.248.57) on

        Hello Peter. SSH Tectia is a modular solution. One of the components is SSH Tectia Manager. You can configure, deploy, update and patch from a central location (again, ideal for large-scale deployments). SSH Connector is an invisible lightweight client that works nicely for network-based applications. Many organizations are now requiring a FIPS 140-2 certified crypto algorithm and there is an optional one in SSH Tectia. There is some nice information on the SSH Website that gives nice detail. These are the major reasons why it's more suited for the enterprise.

        Comments
        1. By DS (206.132.94.6) on

          Byron, you are certainly more patient than any salesman I've ever talked with. Salesman you are, nonetheless. You're talking now with a group of technical folks that aren't easily swayed by buzzwords or empty bits of corporate FUD. Certainly, like in any situation where two products meet the same requirements and provide similar benefit, there will be times when one is better suited for a given organization or individual than another. The only meaningful statement I've really heard is that OpenSSH has its place. It has a very big place. SSH.com's product no doubt has its place, as has been evidenced by some of the bigger companies that lent their voice to the discussion. I've never used Tectia, and I never will if I am met with empty statements such as "it's better for the Enterprise" or "it's got indemnity advantages."

          Look at your FIPS-140-2 for example. SSH.com docs say that running in FIPS mode supports the following ciphers:

          * aes128
          * aes192
          * aes256
          * 3des
          * des

          Not exactly different from any other modern encryption product, including OpenSSH. Where's the overwhelming advantage provided by being FIPS 140-2 certified? Oh, you can sell to the US government. What does the customer get? The same thing that OpenSSH can give them, right? FIPS 140-2? Advantage? No, meaningless buzzword.

          One you might be able to ride on is the centralized management. To my knowledge, OpenSSH provides no centralized management console with a pretty Windows GUI that allows you to remotely do whatever it is you do from the centralized location. But what I do have is a slew of tools along the lines of rdist, cfengine, and *gasp* OpenSSH with public key auth that lets me "centrally" administer large groups of UNIX systems for patch applications and even OpenSSH package distribution. What I'm saying is I just don't see the centralized administration bit to be something that's difficult and therefore it doesn't constitute a value-add in your product for me. What I do value, be I an individual or a player in the large Enterprise I work for, is the ability to get access to source code, roll my own packages, and deploy according to how I want to, without being bound by a commercial entity's ridiculous license. I doubt anyone has to go into the relative advantages of OSS with you, given your background.

          Blanketing a statement like "it's better for the Enterprise" is nothing more than sales speak. Beancounters and C-level executives will *always* fall prey to that because they are dumb and don't understand technology to the point they need to to make fully informed decisions. If indemnification is an option for certain large organizations, and SSH.com's license can be overturned by that, why can't it be extended to any customers, including those that don't want to line your pockets in order to get fair treatment for using your software, which they no doubt pay a premium for? Telling intelligent admins who do manage their enterprise's IT systems with some open source software and a good bit of ingenuity, innovation, and creativity that OpenSSH is not suited for them and SSH.com's is, is insulting. Furthermore, that kind of crap statement makes our jobs harder because then our boss and our boss's boss come to us and say "hey, SSH.com says that they are better. Shouldn't we use that instead?" And then we have to (yet again) explain to them that they already decided months ago that there was no comparative advantage WRT the cost and that we *still* have things in control. (Now if we had VMS or Plan9 systems or whatever, there would be an obvious advantage, no question.)

          I'd like to put to the test what was proposed earlier by Terrell Prude', Jr.: "What, specifically, is the "liability protection" that is included with the purchase of your SSH Tectia software? What, specifically, are the financial or criminal recourses that can be taken against your firm and its officers if a security hole is found in it and exploited?"

          Anyway, look, Byron, this is no attack on you. You seem like a pleasant enough guy and a few people here would probably even join you for a beer. But being where I am in IT, I just have to shake my head when vendors like SSH get stuff like this published.

          Comments
          1. By Byron Rashed (68.225.248.57) on

            Hello DS, thank you for your kind words, and if you ever go to any of the security events, let's make sure we have that beer! SSH Tectia Manager, like I said, is the crux of why it's suited for large-scale environments. It actually does quite a bit to help system administrators take control of the environment. I don't think there is any debating that. Like I said, OpenSSH certainly has its place, and with SSH Tectia Manager and SSH Tectia Connector, it is better suited for the enterprise. Everyone certainly has a choice whether to use OpenSSH or SSH Tectia or another commercial version; it's what is best to suit your needs. I respect your opinion on your points. On the FIPS status, I know the crypto library went through months of rigorous testing, etc. before becoming certified. OpenSSH uses OpenSSL crypto libraries. The actual libraries (not algorithms) were written by SSH and were tested by NIST to meet the standard. It's not the algorithm that is certified, it's the crypto libraries, so there is the difference. Documentation, development cycles, etc. are looked at, and OpenSSH does not meet the NIST requirements (it has to be a legal entity; it's difficult to explain, but that is the reason). Like I said before, I meet quite a few people involved in Open Source and we do get along very nicely; they like our giveaways!! lol. I hope I have answered your questions.

            Comments
            1. By petard (66.93.101.100) on

              Of course, the crypto in OpenSSL has been validated by NIST on a few occasions as well:

              RSA:
              http://csrc.nist.gov/cryptval/dss/rsaval.html

              AES:
              http://csrc.nist.gov/cryptval/aes/aesval.html

              SHA:
              http://csrc.nist.gov/cryptval/shs/shaval.htm

              And a new certificate is in progress:
              http://csrc.nist.gov/cryptval/140PreVal.pdf

              OpenSSH, if built against a validated version of the OpenSSL "cryptographic module", would indeed be considered to have been FIPS validated.

              Comments
              1. By Byron Rashed (68.225.248.57) on

                Yes, but there are guidelines on this and I'm not sure exactly what they are; the NIST site might have them.

                Comments
                1. By Anonymous Coward (149.72.27.130) on

                  http://csrc.nist.gov/ & http://csrc.nist.gov/CryptoToolkit/ might be useful...

              2. By Jaws (195.176.20.45) on

                No it's not. If an application uses a FIPS validated library, the compound or the library-using application _is not_ FIPS validated.

                It's possible to "incrementally FIPS-validate" a library-using app that provides no cryptographic functionality on its own, with some effort, based on the library's own FIPS. (Would be very easy if one had access to the library's own FIPS documentation and report.) This is actually a trivial exercise, but still needs official involvement of a testing lab and other non-zero effort.

                Unfortunately, openssh does contribute non-trivial cryptographic functionality, which in turn has to be FIPS validated (key management, key generation, etc.).

      2. By Byron Rashed (68.225.248.57) on

        Oh, one more thing...SSH Tectia for IBM Mainframe.

        Comments
        1. By Anonymous Coward (149.72.27.130) on

          Because, as we all know, z/OS and the like from IBM are suddenly going to take over vast amounts of the installed systems base. It's a nice feature to have if you need it, but for most people this is an obscure & out-of-touch system they will almost never see or use. Besides, it does not mean that OpenSSH could not be ported to the arch (with considerable effort), just that you already have support.

    4. By Nagilum (85.180.39.26) undeadly@nagilum.org on

      > Liability is an issue as stated by numerous customers, this is fact.
      OK, so let's have a look at the EULA (tectia-client):

      8. WARRANTY

      LICENSOR EXPRESSLY DISCLAIMS, TO THE EXTENT PERMITTED BY APPLICABLE LAW, ALL WARRANTIES, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, OF FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT OF THIRD PARTY INTELLECTUAL PROPERTY RIGHTS, AND ANY WARRANTY THAT MAY ARISE BY REASON OF TRADE USAGE, CUSTOM OR COURSE OF DEALING. LICENSOR DOES NOT WARRANT THAT THE SOFTWARE WILL BE FREE FROM BUGS OR THAT ITS USE WILL BE UNINTERRUPTED NOR THAT THE SOFTWARE WILL OPERATE WITH ANY HARDWARE AND/OR OTHER SOFTWARE OR REGARDING THE USE, OR THE RESULTS OF THE USE, OF THE SOFTWARE OR DOCUMENTATION IN TERMS OF CORRECTNESS, ACCURACY, RELIABILITY OR OTHERWISE. WITHOUT LIMITING THE FOREGOING, YOU ACKNOWLEDGE THAT THE SOFTWARE IS PROVIDED "AS IS," WITHOUT WARRANTY OF ANY KIND.

      9. LIMITATION OF LIABILITY

      THE ENTIRE RISK AS TO RESULTS AND PERFORMANCE OF THE SOFTWARE IS ASSUMED BY YOU. ANY LIABILITY OF LICENSOR WITH RESPECT TO THE SOFTWARE, THE PERFORMANCE THEREOF OR DEFECTS THEREIN, OR UNDER THIS AGREEMENT, UNDER ANY WARRANTY, NEGLIGENCE, STRICT LIABILITY OR OTHER LEGAL THEORY SHALL BE LIMITED EXCLUSIVELY TO PRODUCT REPLACEMENT OR, IF REPLACEMENT IS INADEQUATE AS A REMEDY, OR, IN LICENSOR'S SOLE OPINION, IMPRACTICAL, TO A REFUND OF THE ACTUAL AMOUNT PAID BY YOU TO LICENSOR, IF ANY, FOR THE SOFTWARE OR SERVICES GIVING RISE TO THE CLAIM.

      10. DISCLAIMER OF DAMAGES

      UNDER NO CIRCUMSTANCES WILL LICENSOR OR ITS LICENSORS BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES OF ANY KIND OR NATURE WHATSOEVER, WHETHER BASED ON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, ARISING OUT OF OR IN ANY WAY RELATED TO THE SOFTWARE, THIS AGREEMENT, WHETHER DUE TO A BREACH OF LICENSOR'S OBLIGATIONS HEREUNDER OR OTHERWISE, EVEN IF LICENSOR OR ITS LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE OR IF SUCH DAMAGE COULD HAVE BEEN REASONABLY FORESEEN, AND NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY EXCLUSIVE REMEDY PROVIDED IN THIS AGREEMENT. SUCH LIMITATION ON DAMAGES INCLUDES, BUT IS NOT LIMITED TO, DAMAGES FOR LOSS OF GOODWILL, LOST PROFITS, LOSS OF DATA OR SOFTWARE, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION OR IMPAIRMENT OF OTHER GOODS. IN NO EVENT WILL LICENSOR OR ITS LICENSORS BE LIABLE FOR THE COSTS OF PROCUREMENT OF SUBSTITUTE SOFTWARE OR SERVICES.

      YOU ACKNOWLEDGE THAT THIS SOFTWARE IS NOT DESIGNED OR LICENSED FOR USE IN ON-LINE EQUIPMENT IN HAZARDOUS ENVIRONMENTS SUCH AS OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR CONTROL, OR LIFE-CRITICAL APPLICATIONS. LICENSOR EXPRESSLY DISCLAIMS ANY LIABILITY RESULTING FROM USE OF THE SOFTWARE IN ANY SUCH ON-LINE EQUIPMENT IN HAZARDOUS ENVIRONMENTS AND ACCEPTS NO LIABILITY IN RESPECT OF ANY ACTIONS OR CLAIMS BASED ON THE USE OF THE SOFTWARE IN ANY SUCH ON-LINE EQUIPMENT IN HAZARDOUS ENVIRONMENTS BY YOU. FOR PURPOSES OF THIS PARAGRAPH, THE TERM "LIFE-CRITICAL APPLICATION" MEANS AN APPLICATION IN WHICH THE FUNCTIONING OR MALFUNCTIONING OF THE SOFTWARE MAY RESULT DIRECTLY OR INDIRECTLY IN PHYSICAL INJURY OR LOSS OF HUMAN LIFE.

      Hmm, I wonder if that leaves ANY situation where I could hold SSH liable. Probably not, so the advantage is, again, what?


      > Actually I have an engineering degree and I am not a salesperson as
      > stated in one of the threads, just to clarify.

      Well, then you must have spent too much time among salespersons if you really think you can impress anyone here by repeating void phrases like:

      > We provide an enterprise-class product that goes a bit further than
      > other versions of SSH (including other commercial versions).

  7. By Anonymous Coward (211.30.155.97) on

    Bear in mind, people, eWeek have been doing the "spark controversy against
    open-source to get some advertising dollars" thing these last few days.

    Example : One of their bloggers, George Ou, has been pointlessly picking
    on Firefox browser's security and comparing it to IE, as well as doing
    pointless benchmarks comparing OpenOffice and MS Office.
    => http://blogs.zdnet.com/Ou/
    (You'll see what I mean by "pointless" if you happen to run into those
    articles).

    So I suggest you ignore what eWeek's opinions and bloggers say. Only read
    the actual technical news, and ignore their writers' comments. They're full
    of sh*t (pardon my French), and they want to start crap to perk up the ad
    dollars for their site.

    Comments
    1. By DS (70.176.59.72) on

      Or better yet, ignore any of the pseudo-technical blathering corporate-friendly meaningless garbage that eWeek spits out anyway. The publication is there to give CIOs and CTOs something to make them feel like they are still technically proficient and up to date with technology, not to present meaningful information on real developments in IT.

  8. By Joe Mama (12.25.129.94) on

    Freeware vs commercial

    Other vendors on the market that sell commercial SSH software are Van Dyke Software and Attachmate. Both companies are based in the United States. Van Dyke has a very nice GUI interface and integrates very nicely with Active Directory. Attachmate has had an SSH client since the late '90s, but a few years ago acquired the SSH business from F-Secure. Attachmate has deep pockets, a very profitably run business, and is known in the software industry for having the best tech support around. The key is there are freeware options such as OpenSSH that meet many people's needs, and there are commercial vendors available such as Attachmate, SSH.COM and VanDyke that offer products with support if you need it. What you are basically paying for when you buy commercial products is technical support and someone to call when something breaks. Let's be realistic: there are a lot of companies who can afford to pay for software, and if something is broken or they need help implementing the software, they want to pick up the phone and have someone on the other line that can help them out, especially if a system is mission critical.

    The commercial vendors also provide binaries for almost all the platforms, so let's imagine a large organization with 20 different platforms they have to compile binaries for every time there is a new security threat or vulnerability found in the software. This happens frequently.

    OpenSSH uses OpenSSL for FIPS 140-2 certification, but OpenSSL has recently had its certificate pulled because of some unorthodox testing methods done in the lab. Since the certification process costs a lot of money, I mean a lot of money and time, I do not see a strong financial commitment for the OpenSSL certificate to stay maintained. These security modules always need upgrading and testing. An example is that they are adding elliptic curve encryption algorithms, and they are coming out with FIPS 140-3.

    So what you choose in regards to OpenSSH vs Attachmate, SSH.com, VanDyke does generally come down to special needs (certain PKI support and specialization), compiled binaries ready to go, and technical support.

    I do not see managing clients as being a big issue for which way to go, because you can manage people's SSH settings files and certificates with a desktop management product like Microsoft SMS or WinInstall.

    So to go commercial, it comes down to one or more of these specific needs: FIPS certification and keeping it up to date, pre-compiled binaries for multiple types of systems, and great technical support. That's it; for any other reason, someone is blowing smoke.

    Joe Mama

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]