Contributed by dhartmei on from the yapping-from-the-underdog dept.
Byron Rashed, senior marketing communications manager of SSH Communications Security, claimed that SSH's product is better suited for enterprise-scale business applications than a similar open-source product from OpenSSH. Rashed's points don't seem to impress. Indemnity insurances? Those don't cover you getting owned through holes in rarely-used, barely-audited closed source, do they? [...]
These comments raised the ire of Theo de Raadt, leader of the OpenBSD operating system and a member of the OpenSSH development team.
"OpenSSH is built into all Unix and Linux vendor operating systems, and is also built into almost all larger managed network switches, from Cisco through Foundry. It comes on Linksys and D-Link wireless and security routers too," said de Raadt.
(Comments are closed)
By Noryungi (213.41.135.193) n o r y u n g i @ y a h o o . c o m on
Seriously, though, the claims made in the article by the product manager of SSH Communications are laughable.
According to the article, OpenSSH represents 87% of the SSH servers. SSH Communications is only 7%. So who is the market leader?
Even if you don't believe these numbers, ask yourself this question: do you know anyone who actually uses SSH Communications products? Even on Windows, most people I know use PuTTY, and not the free SSH client. Let's not even get into the server domain, where OpenSSH beats the pants off SSH Communications. For instance I have 20+ machines here and all of them run OpenSSH, including the Solaris servers.
Frankly, this type of provocative declaration smells like desperation to me: they have seen their market share go from 100% in 1999 (when OpenSSH was first released) to 7% today. That must hurt. And so, they send out someone who probably has no idea what he is talking about to tout their superior software. Right. And you expect me to believe this?
As far as the indemnification goes, this is again ridiculous: most laws cited in the article (Sarbanes-Oxley) as far as I know cover the privacy of personal data, and not the connection to a given server. Not that there is anything wrong in using OpenSSH to protect data transit, but [Closed|Open] SSH is certainly not enough on its own to satisfy the law's requirements.
All in all, that type of posturing is totally empty. SSH Communications has lost. OpenSSH has won. End of story. Reading this article made me understand why Theo comes off as angry so often.
By Anonymous Coward (194.29.97.139) on
By Anonymous Coward (206.186.114.231) on
By djm@ (203.217.30.86) on
By Anonymous Coward (81.164.83.151) on
There's an entire full-fledged trust management system built into a base OpenBSD install, which is already nicely used by isakmpd for example. KeyNote allows keys as variables in arbitrary policies and credentials, as well as regexes and other nice things.
It's a pity this is never seen in use on an OpenBSD install...
By Tim Adams (82.153.185.73) tim.adams@proatria.com on www.proatria.com
By Anonymous Coward (194.103.189.24) on
There is actually one platform, to my knowledge, where OpenSSH can't run and that's OpenVMS... And I must work against a few machines that run this enigmatic OS.
While the SSH server and client say that they're copyrighted by HP, a simple comparison shows the truth: the actual implementation comes from ssh.com.
It's so unbelievably featureless, badly coded and badly documented, that running OpenSSH under Windows makes you feel at home... And that's bad.
In the first release sftp wouldn't even connect between different OpenVMS servers... I almost went into a ballistic trajectory.
By Anonymous Coward (141.157.218.229) on
By Anonymous Coward (141.149.196.50) on
By Byron Rashed (68.225.248.57) on
By Anonymous Coward (24.89.16.143) on
Yes, the federal government.
They have thousands of HP-UX machines running Tectia, and I hate working with all of them.
HP and SSH must have had good salesmen, I guess.
By Byron Rashed (68.225.248.57) on
By Han (82.73.147.65) on
By Byron Rashed (68.225.248.57) on
By Daniel Hartmeier (62.65.145.30) daniel@benzedrine.cx on http://www.benzedrine.cx/dhartmei.html
By Byron Rashed (68.225.248.57) on
By SH (82.182.103.172) on
By Byron Rashed (68.225.248.57) on
By Luiz Gustavo (200.142.97.50) on http://hades.uint8t.org
By Byron Rashed (68.225.248.57) on
By Chas (147.154.235.53) on
Let's face it, SSH Communications sealed their own fate when they took their codebase private. They could have offered a basic, open version of SSH for free (and a paid version with more features), and OpenSSH probably never would have gotten off the ground.
Instead, they closed and then harassed the fork (remember the trademark dispute here, and here, and here?). Honestly, what did they think would happen, other than ensuring their own irrelevance?
By DS (206.132.94.6) on
I wish they could leave it at the fact that their product provides so little value over the BSD-licensed OpenSSH that they will have to dwell in their now niche market. I'm surprised that we have to resort to pulling out things like OpenVMS and Plan9 to show cases where there are legitimate uses for their product. Cheers to OpenSSH and the devs that produce it. It is an impressive application and for obvious reasons has knocked ssh.com's product out of the stands.
As for the bit about Enterprise-wide management, is it *really* so difficult to log into a server the first time and set up your key? I thought for a time about setting up my siteXX.tgz file with a pre-populated home directory, complete with public key, so I could avoid it... but it turns out to be too much effort for something that simple.
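An added example (not from any poster in this thread) of the siteXX.tgz idea DS mentions: build an OpenBSD site set that drops an authorized_keys file into root's home so key-based ssh works from the first boot, with the permissions sshd's StrictModes expects. The release number (58), the staging and output paths, and the public key in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: assemble an OpenBSD siteXX.tgz (here site58.tgz, assumed
# release) that pre-populates /root/.ssh/authorized_keys. The installer
# extracts site sets as root, preserving modes and ownership recorded in
# the archive, and then runs install.site if present.
set -e

# build_site_set STAGE_DIR PUBKEY_FILE OUTPUT_TGZ
# STAGE_DIR is created; PUBKEY_FILE becomes root's authorized_keys.
build_site_set() {
  stage="$1"; pubkey="$2"; out="$3"
  case "$out" in /*) ;; *) out="$PWD/$out" ;; esac   # tar runs inside $stage
  mkdir -p "$stage/root/.ssh"
  # StrictModes (sshd default) refuses group/world-writable ~/.ssh or keys.
  chmod 700 "$stage/root" "$stage/root/.ssh"
  cp "$pubkey" "$stage/root/.ssh/authorized_keys"
  chmod 600 "$stage/root/.ssh/authorized_keys"
  # If the tarball is built as a non-root user, that uid is what gets
  # recorded; install.site runs as root after extraction and repairs it.
  cat > "$stage/install.site" <<'EOF'
#!/bin/sh
chown -R root:wheel /root/.ssh
EOF
  chmod 755 "$stage/install.site"
  # Archive the directory (not just the file) so .ssh keeps mode 0700.
  (cd "$stage" && tar czf "$out" ./root ./install.site)
}

# verify_site_set OUTPUT_TGZ: fail unless authorized_keys is 0600 and
# .ssh is 0700 in the archive listing (format shared by GNU tar and bsdtar).
verify_site_set() {
  listing="$(tar tzvf "$1")"
  printf '%s\n' "$listing" | grep -q '^-rw-------.*root/\.ssh/authorized_keys$' || return 1
  printf '%s\n' "$listing" | grep -q '^drwx------.*root/\.ssh/\{0,1\}$' || return 1
  printf '%s\n' "$listing" | grep -q 'install\.site$' || return 1
}

# Usage (assumed paths): sh build_site.sh build
if [ "${1:-}" = build ]; then
  build_site_set /tmp/site-stage "$HOME/.ssh/id_rsa.pub" "$PWD/site58.tgz"
  verify_site_set "$PWD/site58.tgz" && echo "site58.tgz ok"
fi
```

Place the resulting site58.tgz alongside the other install sets; the installer offers it as an optional set.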
By Anonymous Coward (171.161.96.10) on
By djm@ (203.217.30.86) on
By Anonymous Coward (194.103.189.24) on
And OpenSSH's sftp client happens to be the only one (that I tried) that worked against the ssh mess on OpenVMS. Flawlessly. Kudos for that.
For those that don't know their VMS: the filesystem doesn't look like anything you've seen before. Most clients barfed on that...
By DS (70.176.59.72) on
Yes, there probably is a place for SSH.com's implementation. There will always be enterprisey shops looking for enterprisey, feel-good software that gives them meaningless warm fuzzies. The claim that they are better suited for the Enterprise based on the reasons they give is plain FUD:
* different class of product that is more suitable for business-critical applications
* [OpenSSH] does not provide very good SFTP or application connectivity usage
* customers are now looking for Secure Shell programs with support and liability protection "due to compliance regulations and security audits."
Come on already... has the guy ever actually *used* openssh or seen it in action? Has their indemnification bit ever been put to the test? Has OpenSSH's lack of indemnification ever been put to the test?
This is really nothing more than trying to stir some controversy to help generate some market buzz around their new release.
By Byron Rashed (68.225.248.57) on
By Luiz Gustavo (200.142.97.50) on http://hades.uint8t.org
Better luck next time.
By Byron Rashed (68.225.248.57) on
By Byron Rashed (68.225.248.57) on
By Anonymous Coward (141.157.218.229) on
By Anonymous Coward (195.224.109.30) on
Yes they are, or they would not have mentioned it.
By Byron Rashed (68.225.248.57) on
By Willem (81.204.188.152) on
By Byron Rashed (68.225.248.57) on
By Wim (194.78.167.231) on
By Byron Rashed (68.225.248.57) on
By Bob Beck (129.128.11.43) beck@openbsd.org on
By Anonymous Coward (63.192.41.46) on
While comments above have more or less stated that indemnification is worthless... please keep in mind that rather than defending against a weak or baseless claim, a large org can foist off all litigation on the vendor should it ever arise. And win or lose, it still costs $$ to defend. Yes it is sad, but the bean counters and risk management people see it as a benefit, and it helps when confronted with regulatory things to be able to offload risk.
And, conceptually, any self-respecting geek has no problem saying up front "hey, we can patch and deploy in a jiffy... no prob". The reality is that in a large environment it's a lot harder than it sounds, and having a management piece that can do upgrades and ticket routing/approvals to assist with very strict change control requirements is pretty important.
And things like the "tectia connector", with the ability to centrally manage an L-User sales/business dork's ssh tunnels, are pretty nice.
Where I work, for example, we use a mix of commercial and OpenSSH, and sadly the OpenSSH stuff is about 0% (with about 8k servers running on just about any Unix you can name) compliant with the organization's patching requirements (which are pretty lax to begin with). That's not to knock OpenSSH; it speaks more to an uber-large shop's ability to maintain and deploy software. And in the end, the uber-large shop can pay... so sometimes they do... (but they never pay full price either, not so bad when stuff can be had for 20-30% of MSRP and an EULA-crushing contract).
By Byron Rashed (68.225.248.57) on
By Byron Rashed (68.225.248.57) on
By Terrell Prude', Jr. (151.188.0.233) on
You haven't answered Mr. Beck's question. What, specifically, is the "liability protection" that is included with the purchase of your SSH Tectia software? What, specifically, are the financial or criminal recourses that can be taken against your firm and its officers if a security hole is found in it and exploited? I'd like to see your actual, written liability-protection clause in your EULA. Would you please post it?
Thanks,
--TP
By Byron Rashed (68.225.248.57) on
By Peter W. Osel (12.36.118.167) pwo@Infineon.COM on http://pwo.de/
> other versions of SSH
So, in what ways? What are the enterprise-class features that your product offers?
By Byron Rashed (68.225.248.57) on
By DS (206.132.94.6) on
Look at your FIPS-140-2 for example. SSH.com docs say that running in FIPS mode supports the following ciphers:
* aes128
* aes192
* aes256
* 3des
* des
Not exactly different from any other modern encryption product, including OpenSSH. Where's the overwhelming advantage provided by being FIPS 140-2 certified? Oh, you can sell to the US government. What does the customer get? The same thing that OpenSSH can give them, right? FIPS 140-2? Advantage? No, meaningless buzzword.
One you might be able to ride on is the centralized management. To my knowledge, OpenSSH provides no centralized management console with a pretty Windows GUI that allows you to remotely do whatever it is you do from the centralized location. But what I do have is a slew of tools along the lines of rdist, cfengine, and *gasp* OpenSSH with public key auth that lets me "centrally" administer large groups of UNIX systems for patch applications and even OpenSSH package distribution. What I'm saying is I just don't see the centralized administration bit to be something that's difficult and therefore it doesn't constitute a value-add in your product for me. What I do value, be I an individual or a player in the large Enterprise I work for, is the ability to get access to source code, roll my own packages, and deploy according to how I want to, without being bound by a commercial entity's ridiculous license. I doubt anyone has to go into the relative advantages of OSS with you, given your background.
Blanketing a statement like "it's better for the Enterprise" is nothing more than sales speak. Beancounters and C-level executives will *always* fall prey to that because they are dumb and don't understand technology to the point they need to to make fully informed decisions. If indemnification is an option for certain large organizations, and SSH.com's license can be overturned by that, why can't it be extended to any customers, including those that don't want to line your pockets in order to get fair treatment for using your software, which they no doubt pay a premium for? Telling intelligent admins who do manage their enterprise's IT systems with some open source software and a good bit of ingenuity, innovation, and creativity that OpenSSH is not suited for them and SSH.com's is, is insulting. Furthermore, that kind of crap statement makes our jobs harder on them because then our boss and our boss's boss come to us and say "hey, SSH.com says that they are better. Shouldn't we use that instead?" And then we have to (yet again) explain to them that they already decided months ago that there was no comparative advantage WRT the cost and that we *still* have things in control. (Now if we had VMS or Plan9 systems or whatever, there would be an obvious advantage, no question.)
I'd like to put to the test what was proposed earlier by Terrell Prude', Jr.: "What, specifically, is the "liability protection" that is included with the purchase of your SSH Tectia software? What, specifically, are the financial or criminal recourses that can be taken against your firm and its officers if a security hole is found in it and exploited?"
Anyway, look, Byron, this is no attack on you. You seem like a pleasant enough guy and a few people here would probably even join you for a beer. But being where I am in IT, I just have to shake my head when vendors like SSH get stuff like this published.
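An added example, not from any poster here, of the "central administration with OpenSSH and public-key auth" approach DS describes, pointed at the patch-compliance problem raised a few comments up: inventory the installed OpenSSH version on every host over key-authenticated, batch-mode ssh and flag the hosts that are unreachable or below a baseline. The host names, key path and baseline version are assumptions; SSH_CMD can be overridden to test the parsing and reporting logic without a fleet.

```shell
#!/bin/sh
# Added example: fleet OpenSSH version inventory over key-based ssh.
# Assumed: a key installed in each host's authorized_keys (the one-time
# first-login setup DS refers to), the key path below, and the baseline.
SSH_CMD="${SSH_CMD:-ssh -o BatchMode=yes -o ConnectTimeout=5 -i /root/.ssh/fleet_key}"

# `ssh -V` prints e.g. "OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct 2005".
# Print the bare version token ("4.3p2"); fail for non-OpenSSH output.
parse_version() {
  case "$1" in
    OpenSSH_*) v="${1#OpenSSH_}"; printf '%s\n' "${v%%[, ]*}" ;;
    *) return 1 ;;
  esac
}

# Numeric major.minor comparison, ignoring the portable "pN" suffix.
# Returns 0 (true) when version $1 is older than version $2.
version_lt() {
  a_maj="${1%%.*}"; a_min="${1#*.}"; a_min="${a_min%%[!0-9]*}"
  b_maj="${2%%.*}"; b_min="${2#*.}"; b_min="${b_min%%[!0-9]*}"
  [ "$a_maj" -lt "$b_maj" ] || { [ "$a_maj" -eq "$b_maj" ] && [ "$a_min" -lt "$b_min" ]; }
}

# Probe one host; print "host<TAB>status<TAB>version" for the report stage.
probe_host() {
  out="$($SSH_CMD "$1" 'ssh -V 2>&1' 2>/dev/null)" || { printf '%s\tunreachable\t-\n' "$1"; return; }
  ver="$(parse_version "$out")" || ver="unknown"
  printf '%s\tok\t%s\n' "$1" "$ver"
}

# report BASELINE: read probe lines on stdin, print one line per host
# that needs attention; hosts at or above the baseline print nothing.
report() {
  while IFS="$(printf '\t')" read -r host status ver; do
    case "$status" in
      unreachable) echo "$host: no key-based access (fix before it can be patched)" ;;
      ok) if [ "$ver" = unknown ]; then echo "$host: not OpenSSH, check separately"
          elif version_lt "$ver" "$1"; then echo "$host: OpenSSH $ver is below baseline $1"
          fi ;;
    esac
  done
}

# Usage (assumed host list): sh fleet_sshver.sh run
if [ "${1:-}" = run ]; then
  for h in web1.example.com db1.example.com; do probe_host "$h"; done | report 4.3
fi
```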
By Byron Rashed (68.225.248.57) on
By petard (66.93.101.100) on
RSA:
http://csrc.nist.gov/cryptval/dss/rsaval.html
AES:
http://csrc.nist.gov/cryptval/aes/aesval.html
SHA:
http://csrc.nist.gov/cryptval/shs/shaval.htm
And a new certificate is in progress:
http://csrc.nist.gov/cryptval/140PreVal.pdf
OpenSSH, if built against a validated version of the OpenSSL "cryptographic module" would indeed be considered to have been FIPS validated.
By Byron Rashed (68.225.248.57) on
By Anonymous Coward (149.72.27.130) on
By Jaws (195.176.20.45) on
It's possible to "incrementally FIPS-validate" a library-using app that provides no cryptographic functionality on its own, with some effort, based on the library's own FIPS. (Would be very easy if one had access to the library's own FIPS documentation and report.) This is actually a trivial exercise, but still needs official involvement of a testing lab and other non-zero effort.
Unfortunately, openssh does contribute non-trivial cryptographic functionality, which in turn has to be FIPS validated (key management, key generation, etc.).
By Byron Rashed (68.225.248.57) on
By Anonymous Coward (149.72.27.130) on
By Nagilum (85.180.39.26) undeadly@nagilum.org on
OK, so let's have a look at the EULA (tectia-client):
8. WARRANTY
LICENSOR EXPRESSLY DISCLAIMS, TO THE EXTENT PERMITTED BY APPLICABLE LAW, ALL WARRANTIES, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, OF FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT OF THIRD PARTY INTELLECTUAL PROPERTY RIGHTS, AND ANY WARRANTY THAT MAY ARISE BY REASON OF TRADE USAGE, CUSTOM OR COURSE OF DEALING. LICENSOR DOES NOT WARRANT THAT THE SOFTWARE WILL BE FREE FROM BUGS OR THAT ITS USE WILL BE UNINTERRUPTED NOR THAT THE SOFTWARE WILL OPERATE WITH ANY HARDWARE AND/OR OTHER SOFTWARE OR REGARDING THE USE, OR THE RESULTS OF THE USE, OF THE SOFTWARE OR DOCUMENTATION IN TERMS OF CORRECTNESS, ACCURACY, RELIABILITY OR OTHERWISE. WITHOUT LIMITING THE FOREGOING, YOU ACKNOWLEDGE THAT THE SOFTWARE IS PROVIDED "AS IS," WITHOUT WARRANTY OF ANY KIND.
9. LIMITATION OF LIABILITY
THE ENTIRE RISK AS TO RESULTS AND PERFORMANCE OF THE SOFTWARE IS ASSUMED BY YOU. ANY LIABILITY OF LICENSOR WITH RESPECT TO THE SOFTWARE, THE PERFORMANCE THEREOF OR DEFECTS THEREIN, OR UNDER THIS AGREEMENT, UNDER ANY WARRANTY, NEGLIGENCE, STRICT LIABILITY OR OTHER LEGAL THEORY SHALL BE LIMITED EXCLUSIVELY TO PRODUCT REPLACEMENT OR, IF REPLACEMENT IS INADEQUATE AS A REMEDY, OR, IN LICENSOR'S SOLE OPINION, IMPRACTICAL, TO A REFUND OF THE ACTUAL AMOUNT PAID BY YOU TO LICENSOR, IF ANY, FOR THE SOFTWARE OR SERVICES GIVING RISE TO THE CLAIM.
10. DISCLAIMER OF DAMAGES
UNDER NO CIRCUMSTANCES WILL LICENSOR OR ITS LICENSORS BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES OF ANY KIND OR NATURE WHATSOEVER, WHETHER BASED ON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, ARISING OUT OF OR IN ANY WAY RELATED TO THE SOFTWARE, THIS AGREEMENT, WHETHER DUE TO A BREACH OF LICENSOR'S OBLIGATIONS HEREUNDER OR OTHERWISE, EVEN IF LICENSOR OR ITS LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE OR IF SUCH DAMAGE COULD HAVE BEEN REASONABLY FORESEEN, AND NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY EXCLUSIVE REMEDY PROVIDED IN THIS AGREEMENT. SUCH LIMITATION ON DAMAGES INCLUDES, BUT IS NOT LIMITED TO, DAMAGES FOR LOSS OF GOODWILL, LOST PROFITS, LOSS OF DATA OR SOFTWARE, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION OR IMPAIRMENT OF OTHER GOODS. IN NO EVENT WILL LICENSOR OR ITS LICENSORS BE LIABLE FOR THE COSTS OF PROCUREMENT OF SUBSTITUTE SOFTWARE OR SERVICES.
YOU ACKNOWLEDGE THAT THIS SOFTWARE IS NOT DESIGNED OR LICENSED FOR USE IN ON-LINE EQUIPMENT IN HAZARDOUS ENVIRONMENTS SUCH AS OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR CONTROL, OR LIFE-CRITICAL APPLICATIONS. LICENSOR EXPRESSLY DISCLAIMS ANY LIABILITY RESULTING FROM USE OF THE SOFTWARE IN ANY SUCH ON-LINE EQUIPMENT IN HAZARDOUS ENVIRONMENTS AND ACCEPTS NO LIABILITY IN RESPECT OF ANY ACTIONS OR CLAIMS BASED ON THE USE OF THE SOFTWARE IN ANY SUCH ON-LINE EQUIPMENT IN HAZARDOUS ENVIRONMENTS BY YOU. FOR PURPOSES OF THIS PARAGRAPH, THE TERM "LIFE-CRITICAL APPLICATION" MEANS AN APPLICATION IN WHICH THE FUNCTIONING OR MALFUNCTIONING OF THE SOFTWARE MAY RESULT DIRECTLY OR INDIRECTLY IN PHYSICAL INJURY OR LOSS OF HUMAN LIFE.
Hmm, I wonder if that leaves ANY situation where I could hold SSH liable, probably not, so the advantage is again what?
> Actually I have an engineering degree and I am not a salesperson as
> stated in one of the threads, just to clarify.
Well, then you must have spent too much time among salespersons if you really think you can impress anyone here by repeating void phrases like:
> We provide an enterprise-class product that goes a bit further than
> other versions of SSH (including other commercial versions).
By Anonymous Coward (211.30.155.97) on
open-source to get some advertising dollars" these last few days.
Example: One of their bloggers, George Ou, has been pointlessly picking on Firefox browser's security and comparing it to IE, as well as doing pointless benchmarks comparing OpenOffice and MS Office.
=> http://blogs.zdnet.com/Ou/
(You'll see what I mean by "pointless" if you happen to run into those articles).
So I suggest you ignore what eWeek's opinions and bloggers say. Only read the actual technical news, and ignore their writers' comments. They're full of sh*t (pardon my French), and they want to start crap to perk up the ad dollars for their site.
By DS (70.176.59.72) on
By Joe Mama (12.25.129.94) on
Other vendors on the market that sell commercial SSH software are Van Dyke Software and Attachmate. Both companies are based in the United States. Van Dyke has a very nice GUI interface and integrates very nicely with Active Directory. Attachmate has had an SSH client since the late 90's but a few years ago acquired the SSH business from F-Secure. Attachmate has deep pockets, a very profitably run business and is known in the software industry for having the best tech support around. The key is there are freeware options such as OpenSSH that meet many people's needs, and there are commercial vendors available such as Attachmate, SSH.COM and VanDyke that offer products with support if you need it. What you are basically paying for when you buy commercial products is technical support and someone to call when something breaks. Let's be realistic: there are a lot of companies who can afford to pay for software, and if something is broken or they need help implementing the software, they want to pick up the phone and have someone on the other line that can help them out, especially if a system is mission critical.
The commercial vendors also provide binaries for almost all the platforms, so let's imagine a large organization with 20 different platforms they have to compile binaries for every time there is a new security vulnerability found in the software. This happens frequently.
OpenSSH uses OpenSSL for FIPS 140-2 certification, but the OpenSSL certification has recently had its certificate pulled because of some unorthodox testing methods done in the lab. Since the certification process costs a lot of money, I mean a lot of money and time, I do not see a strong financial commitment for the OpenSSL certificate to stay maintained. These security modules always need upgrading and testing. An example is they are adding elliptic curve encryption algorithms and they are coming out with FIPS 140-3.
So what you choose in regards to OpenSSH vs. Attachmate, SSH.com, VanDyke does generally come down to special needs (certain PKI support and specialization), compiled binaries ready to go, and technical support.
I do not see managing clients as being a big issue for which way to go because you can manage people's SSH settings files and certificates with a desktop management product like Microsoft SMS or WinInstall.
So to go commercial it comes down to one or more of these specific needs: FIPS certification and keeping it up to date, pre-compiled binaries for multiple types of systems, and great technical support. That's it; for any other reason, someone is blowing smoke.
Joe Mama