SSH Claims Draw Open Source Ire 377
JDStone writes to tell us eWeek is reporting that claims of OpenSSH not being an 'enterprise-class product' by SSH Communications, the creators of SSH, are being met with a great deal of resistance. Theo de Raadt, of OpenBSD fame and a member of the OpenSSH development team, was quoted as saying "OpenSSH is built into all Unix and Linux vendor operating systems, and is also built into almost all larger managed network switches, from Cisco through Foundry. It comes on Linksys and D-Link wireless and security routers too."
Comment removed (Score:5, Insightful)
Re:Well it makes perfect sense (Score:2, Funny)
Comment removed (Score:4, Funny)
Re:Well it makes perfect sense (Score:2)
Re:Well it makes perfect sense (Score:3, Informative)
Unfortunately, Theo de Raadt chose to counter his claims with "installed base" numbers, which do absolutely nothing to discredit their statements. Of course, the article doesn't have any of those statements either.
Re:Well it makes perfect sense (Score:3, Informative)
On May 10, 2005, The New York Times published an article concerning a breach at Cisco Systems, in which an intruder seized programming instructions for many of the computers that control the flow of Internet traffic. The attention was focused on a 16-year-old in Uppsala, Sweden, who was charged in March with breaking into university computers in his hometown. The crucial element in the attack that provided access at Cisco and elsewhere was the intruder's use of a vul
Re:Well it makes perfect sense (Score:5, Insightful)
Unfortunately, Theo de Raadt chose to counter his claims with "installed base" numbers, which do absolutely nothing to discredit their statements.
They claimed OpenSSH was not "enterprise ready". Pointing out that many, many enterprises not only use it, but build it into their products is a fairly compelling rebuttal.
They are either using their own private definition of "enterprise" that doesn't include organisations like Cisco, or they are lying. Either way, they are discredited.
Re:But they failed miserably (Score:3, Insightful)
One part is -- translating this from TFA:
into this headline from TFA and the /. post:
Drawing Theo's ire and drawing "Open Source Ire" are very different things; everything draws Theo's ire. As a whole, the OSS community is much more tolerant.
Centralised management is not necessarily good (Score:3, Interesting)
What else would SSH Communications say? (Score:5, Insightful)
They are selling a product and they will say that to sell their product. Come on what else would you expect. This is like MS saying Windows is more Secure than Linux even though everybody knows the truth.
Re:What else would SSH Communications say? (Score:5, Insightful)
Doesn't truth matter anymore?
Re:What else would SSH Communications say? (Score:2)
recently somebody did a study of mass murderers and found out that virtually every single one of them could not perform a simple test that measured impulse control. It seems like inability to control impulses is a necessary trait (although not sufficient) for mass murderers. Corporations also can not control their impulses. They have no concept of delay
Corporations are people ...!! (Score:3, Informative)
People hide within the group and don't care if they have Nike shares and Nike abuses child labour (an example from the 90's). The people say "great, more money for me"; then when it becomes public they say "oh shame on Nike".
What is possibly worse is that we, as consumers, say "you're doing great" by buying the mega-corps' products. There are f
Re:Corporations are people ...!! (Score:5, Insightful)
They're not just groups of people, they are legal entities created by the state in a way that makes them unable to do anything but seek profit.
A business corporation that fails to screw over anyone it can in the name of profit can be sued by investors. Since for large corporations, those investors are often other profit-seeking-monster corporations, such suits would be a given if the corporation didn't plunder to within an inch of what the law allows - and even beyond what the law allows, if the penalty is less than the profit.
The modern large for-profit corporation is a Frankenstein's monster constructed of law rather than of corpses; and it's only by changing the law that we can tame these beasts.
Re:Corporations are people ...!! (Score:5, Insightful)
You may have heard of a study done where it was shown that people are willing to deliver deadly amount of shocks to subjects if they can remain anonymous. Humans are like that. When relieved of responsibility and guaranteed anonymity they can be incredibly savage and cruel.
Corporations were invented to shirk responsibility and to diffuse responsibility enough to maintain anonymity. Within the context of corporations human beings act in incredibly vile ways. This is why it's so easy for a corporation to kill hundreds of people just to save 50 cents on a part.
Re:What else would SSH Communications say? (Score:5, Insightful)
In my "enterprise", we prefer the open-source far-more-used-and-debugged combination of OpenSSH and PuTTY. SSH Communications is probably going to attack PuTTY next, spouting about how it's not as good as their shitty windows terminal either.
Re:What else would SSH Communications say? (Score:4, Insightful)
Hypocrite.
Re:What else would SSH Communications say? (Score:3, Insightful)
Nope. This is more like saying Mac OS X is more secure when used by an average desktop user than Linux. While it isn't always true, it isn't always false. It depends on the Linux variant. Similarly, the issue of enterprise readiness depends on what mechanism was used to install OpenSSH.
This software (assuming I read their ad copy correctly) provides built-in support for enterprise-wide deployment and dete
Re:What else would SSH Communications say? (Score:3, Insightful)
Not all of them. [sourceforge.net] And recall that the product in question is predominantly for Windows deployment, which makes these Windows side ports the only thing worth considering as far as this subject is concerned.
I totally disagree that application update is the responsibility of the OS. Updating the OS and its components i
Er... (Score:5, Funny)
Re:Er... (Score:2, Funny)
*cue groaning*
Enterprise Product? (Score:4, Informative)
Re:Enterprise Product? (Score:5, Informative)
My experience is that the word "Enterprise" placed on any product means that the price gets multiplied by 10 or so. Sometimes they add some glitzy splash screen or GUI checkboxes so the "enterprise" admin can show off the shiny new software to the PHB's. But believe me, if it says "Product XYZ, Enterprise Edition" it means they figgered how to add another zero or two to the price of XYZ, without adding any other functionality.
Of course, I haven't RTFA yet, so I could be completely wrong about this.
Re:Enterprise Product? (Score:5, Funny)
Re:Enterprise Product? (Score:3, Funny)
Either that, or it's complicated enough that only Scotty or Geordi can keep it from undergoing a warp core breach once a week.
Re:Enterprise Product? (Score:5, Insightful)
Good question. It seems very enterprising to claim that a closed software product is "in a different class by itself" -- tantamount to saying it is more secure than an open source product.
The crucial difference for me is whether I can check the source code for gaping security holes. With open source software, it is relatively easy. At least you can get a third party to vouch for the lack of obvious security holes in an open source product. With a closed product, you get only the vendor's assurance. Maybe the vendor could leave some secret exploits in there to convince people that they need to upgrade every so often? You would have no choice but to pay up, after all, your "enterprise" depends on it now.
But does closed software retain some security through obscurity? Can blackhat hackers reverse engineer a closed software product anyway? Yes, they can, and I wonder if it is a coincidence if this happens close to a product upgrade cycle.
IMHO, they are using the enterprise buzzword to try to evoke images of an "Enterprise class" warship, bristling with weapons and rotating radars and the latest bleeping control center screens, roaming your coastline defending you against any possible attack. The only trouble is you are not allowed to inspect the ship to see if it has a leak, and if the ship sinks, they'd rather you didn't tell anyone because they might not meet their sales target for that quarter.... :)
This is my surprised face. (Score:5, Funny)
Re:This is my surprised face. (Score:5, Funny)
Damn. There goes Plan A.
Re:This is my surprised face. (Score:2)
Re:This is my surprised face. (Score:2)
but what about enterprise administration? (Score:2, Interesting)
What may be missing from OpenSSH (and I'm not claiming to be an expert - just a user) is an enterprise manager
I'm sure there's a way to enterprise-manage ssh other than passing keys around. But it doesn't seem to come out-of-the-box with OpenSSH just yet.
Re:but what about enterprise administration? (Score:2)
Re:but what about enterprise administration? (Score:5, Insightful)
Having all this crap built into one thing needlessly complicates things (Optional knee jerk for those who think the additional commands are the complications), and makes things a nightmare later on. Think Microsoft GUIs and the absolutely terrible configuration options when you think about how bad this can become.
Re:but what about enterprise administration? (Score:5, Interesting)
While, personally, I'm a lot more comfortable doing things the *nix way (for example, I find httpd.conf to be a much better administrative interface than MS's IIS Manager), Microsoft's MMC based tools are pretty good these days--they cover about 95% of everything your average admin is going to do in the lifetime of the application. They're "good enough" to get the job done, and I think that most people who say otherwise probably haven't used them recently... or are simply more comfortable using different tools to do the job and just aren't willing to sit down and learn the MS way of doing things.
Re:but what about enterprise administration? (Score:2)
Mod him up, mod him up!
--LWM
OpenSSH specifically supports enterprise admin (Score:4, Informative)
Kerberos. Its implementation in OpenSSH is a good example of how they specifically support enterprise admin. Kerberos is fairly poor security wise, using symmetric encryption and hence holding copies of user passwords on the server. It's poor security according to those with high standards, and inferior to PKI according to everybody. But OpenSSH supports it, because Kerberos is the most popular single sign on method used at corporates.
Interestingly, OpenSSH's market share is something like 76% of all SSH servers.
Anyone in business knows.. (Score:5, Insightful)
No, it's no (Score:5, Interesting)
Re:No, it's no (Score:2)
And you would have an 80k/year person taking care of your accounts.
hmmm....
As opposed to having a 30k/year + some licensing money, and then having a less qualified admin.
I believe there is some value associated to having competent people that you can put in your TCO calculation.
Re:No, it's no (Score:5, Informative)
Re:No, it's no (Score:2)
Re:No, it's no (Score:3, Insightful)
Sounds like I need a raise.
Depends (Score:5, Insightful)
Now it's nothing we couldn't do by hand, of course, and something we could probably hack together from freely available software. However the advantage here is that it's ready to go as is. Given that we do not have the time to mess with this kind of thing, it's worth the money to us.
Now I'm sure some enterprise software is pure fluff, but often the "non-enterprise" solution is woefully short on capabilities. It'll have all the technical stuff it needs, but lack in the ease of configuration, use and management. If you are running one server for yourself, you can tinker with nit pickey shit as much as is required. However when you run 1000 systems that's just not the case. You don't have that kind of time. You need to be able to centrally deploy and manage shit easily.
That's the whole point of things like LDAP (or Microsoft's version of it, Active Directory). Sure, you could keep a local user DB on each computer, and just update it as needed. Works fine, needs no new software. However that gets to be a bitch if you are talking 500 computers and 3000 users. Much better to have a central system. In our case, we pay Sun for a product that syncs our Active Directory to our Sun LDAP database. Could we do it manually? Sure. Could something have been hacked to do it? Ya, but we lack the time, and the personnel to do that. Better to just pay Sun for it.
Re:Depends (Score:4, Informative)
As for OpenLDAP, talk to the Solaris admin, not my jurisdiction. However I think you'd have a hard sell convincing the department to replace all the Solaris hardware, especially considering the apps we need are Sparc only in a number of cases. Same thing with replacing the Windows workstations, until you can find Linux versions of all the important apps (I'd say 1 in 20 has a Linux version) that's right out.
Ghost is excellent because it's lower level than an OS. I can have any OS or combination of OSes I like on an image. The management of any of the PC workstations is the same, I just pick the image I want and push it out.
My point isn't that Ghost is the only way to do things, my point is this is the reason someone would pay for the Enterprise version. This is what it does that normal Ghost does not, and it's something that doesn't have any readily available equivalent I'm aware of, except for other commercial, enterprise products like it.
I know that the DIY mentality is really popular on Slashdot, my point is that it doesn't always work. I DIY my systems at home, including hardware. I don't care to have an OEM dictate to me what kind of parts I'll have, or what will come installed on my computer. However at work, we buy OEM. Why? Well we lack the time to build systems ourselves, and the time to deal with RMAs on broken parts. RMAs for piecemeal hardware are a pain, usually if something breaks at home I buy a replacement, and then put the replacement part in another box when I finally get it. Can't do that at work so we buy OEM and if something breaks, an e-mail is all it takes to have a replacement part there next day.
Basically I'm just trying to help people see the situations where things like better, easier management really does matter. When you work in a small environment, it's easy to scoff at the waste of money these things are. I mean who the hell would pay $750 for an SSH server when OpenSSH is really pretty easy to set up, all said and done? However when you work in a larger environment, you often discover that the "easy" task is taking up an amazing amount of your time, and automating it would take even more time. It ends up being better to pay for a product that already does it, and that you know works.
This goes double if you don't have programmers on staff. I'm not sure where the misunderstanding that all or even most admins are competent programmers comes from. Actually I find the opposite to be true. Most of the competent admins I know are at best mediocre programmers and most of the competent programmers I know are at best mediocre admins. There are a couple exceptions, but it seems for the most part when you spend your time doing one well, you don't have as much time to be good at doing the other. So if your staff is all support, no programmers, it makes even more sense to use off the shelf solutions. Better to spend $10,000 on a product that works than have 2 of your staff have 3 very unproductive months hacking something together that only sort of works.
Name recognition (Score:4, Interesting)
I realise I'm displaying my ignorance here but it should hopefully prove a point. I've used OpenSSH for years and until now I had no idea they didn't develop the protocol or that a commercial variant existed.
Couple that with the sheer number of servers and distributions using OpenSSH and the statements by Byron Rashed seem to have the ring of sour grapes.
Re:Name recognition (Score:2, Insightful)
Define enterprise (Score:5, Interesting)
Two examples from my own experience. We attempted integration with RSA and OpenSSH had significant problems that we had to resolve and in the end we could not resolve the final problem which was a session would hang after exiting the shell if the session was authenticated using the RSA PAM module.
The other example is related to distribution and configuration management. We have started using SSH Communications' central management center to distribute new versions of Tectia server as well as centrally manage the configuration for Tectia/ssh. This has reduced our management overhead considerably. This is an "enterprise" feature.
--russ
Re:Define enterprise (Score:2)
One example from my own experience: I ran ssh-keygen from OpenSSH, copied the RSA public keys around, and it just worked. I do believe you've had different luck, but I suspect my case is more typical.
The other exa
RSA PAM (Score:5, Insightful)
I had that problem too... we fixed it by turning on PrivilegeSeparation (I know the RSA docs say to turn it off, but ignore that).
In any event, that's a problem with RSA's buggy PAM module, not OpenSSH.
On the topic of RSA PAM, and security in general (Score:5, Insightful)
RSA's own PAM modules for RHEL are distributed as an unsigned tarball. Along with the stuff you're telling me above, I don't really have much trust in RSA as a security company (and hence any trust in RSA at all).
Re:Define enterprise (Score:5, Funny)
Shades of McBride (Score:2, Funny)
Site won't let me in without a cookie. (Score:2)
Re:Site won't let me in without a cookie. (Score:2)
Re:Site won't let me in without a cookie. (Score:3, Informative)
Re:Site won't let me in without a cookie. (Score:2)
Theo for President! (Score:2, Funny)
Obviously... (Score:4, Insightful)
Come on. Stop feeding the troll. He's a marketing droid. He comes from a tradition of making outlandish claims or at best distortion of truth. It's his job to drive sales for SSH. We should treat what marketing people say the same way we treat any advertisement. Take it with a block of salt. Obviously an open source implementation of SSH competes, and has done so very successfully, with SSH. This is their attempt to win back the market. It's not worth giving too much thought to.
There *is* a license! (Score:4, Insightful)
Re:There *is* a license! (Score:3, Informative)
Re:There *is* a license! (Score:5, Informative)
Of course you can. [wikipedia.org]
That grants you permission to distribute copies. You already have the right to use it. Free Software licenses like the BSD-style licenses aren't EULAs, they only come into play when you want to distribute copies.
Re:There *is* a license! (Score:2)
Re:There *is* a license! (Score:3, Informative)
Why do people keep saying that FOSS products don't have licenses?
I suppose because I can use most FOSS products without a license. The GPL is a license relating to copying the code, it has nothing to do with usage. I can use it any way that I want, the license specifically states that you don't have to accept it to use the software.
He Said, She Said (Score:3, Informative)
We know that eWeek, like most IT press, is PR. But it's instructive to compare eWeek's obvious PR to "mainstream media", which is now mostly just PR. Real reporting keeps the "fairness and balance" in the process of determining the real story. Then tells the real story, with evidence and witnesses to back it up. PR, and most MSM, just spouts endless hours of newscycle reiteration of "sources" promoting their versions of the story.
Makes sense to me (Score:3, Funny)
That's because almost everything that's 'enterprise-class' is crap.
Sheesh. If I had a nickel for every time upper management was impressed into buying a 3-million dollar equivalent of syslog, I'd be back in the dot-com boom.
I've used both... (Score:2, Insightful)
--
Simulated Sig
Well, what do you expect them to say? (Score:2)
Does anyone really expect Rashed to say that?
"Enterprise-class" is a trademark. (Score:2, Funny)
I believe that I applied for an exemption for this term when I originally set up the ad with AdWords, but it's been running for months quite happily without bothering anyone.
When I Google for "enterprise-level" I (of course) get loads of hits discussing ente
Yeah, not enterprise class like Apache isn't... (Score:3, Insightful)
What extra features do you need out of SSH anyway? I ask not to be a smart arse, but as a genuine inquiry.
I'd be curious to know . . . (Score:2)
Re:I'd be curious to know . . . (Score:2)
I hope they fixed the licence (Score:2)
"This may or may not contain someone else's code so if someone comes after you legally, you're on your own."
Our lawyers did not like that one bit.
Marketing Manager to /dev/null (Score:5, Insightful)
Since when do we care what a Marketing manager says about anything.
Enjoy,
No one knows what Enterprise class is? (Score:2)
a) The kids who graduated from the elementary school held on the ship.
b) The stiff upper lip kept by Picard and crew in the face of extreme danger.
c) The next class after Galaxy.
d) The schooling you get by the geek army if you think Picard could kick Kirk's arse.
sheesh - I thought there were actual nerds on
Not too much to flip out about.. (Score:2)
I was ready to jump all over this until I RTFA. This paragraph is
a few facts (Score:5, Informative)
tempest. What suffices for one enterprise may not for another, so it is
certainly silly for ssh.com to claim that OpenSSH is not
"enterprise-class" -- as Theo and others rightly point out, OpenSSH is
used successfully in many large contexts. On the other hand, it is a fact
that Tectia has a number of features OpenSSH lacks, some of which are
particularly relevant to large organizations (which is not the same as
simple widespread use). Here are a few of them:
* PKI support
Tectia can use X.509 certificates for both client and server
authentication. To add a new SSH server or change an existing one's host
key, all you need do is issue a certificate for it. Clients need only
have a copy of a single public key: the issuing CA certificate. No
constantly shifting mess of per-user and per-host known-host files to try
to keep in sync, no spurious "unknown host" or "host key changed" messages
confusing users and teaching them to ignore security warnings. It just
works.
For client authentication, there are no burgeoning copies of
authorized_keys files lying around, unmanaged, needing to be individually
tracked down whenever you want to turn off someone's access: instead, you
can simply revoke the user's certificate. And flexible rules can grant
access based on certificate attributes, like "anyone in the Foo Department
can log into this host."
The distributed-trust problem has been addressed abstractly by systems
like PKI and Kerberos. In a large (or even medium) scale environment, you
want to tie applications such as SSH into these systems, not have each one
use its own ad-hoc mechanism.
Note that both OpenSSH and Tectia support Kerberos. There is some
variation in how well they use it to address the above problems, though,
and I won't get into that here.
* Greater configuration flexibility
With the Tectia SSH server you can:
+ Modify almost all server parameters based on the client hostname and
address, or properties of the requested account (username and group
membership). Thus you can arrange that accounts in one group permit
password authentication, while those in another group require
public-key -- or that connections coming from your internal network
allow a wide range of ciphers, while those coming from the outside
require a smaller, stronger set. You can accomplish some of this type
of thing with OpenSSH, but generally you have to run multiple
instances of the server on different ports.
+ Exert finer-grained control over what kinds of SSH services you
provide. You can forbid terminal access while still allowing sftp,
for example, by simply rejecting the corresponding SSH protocol
requests (shell and exec channels), rather than resorting to custom
shells or other hacks that have unwanted side effects.
+ Control port forwarding with ACLs that include permit/deny statements
and patterns matching user, target hostname, IP address, etc.
+ Require multiple forms of authentication for access (e.g. password and
public-key).
* SOCKS support for outgoing SSH connections (note this is different from
the OpenSSH -D feature, which Tectia has also).
* "chroot"-ed logins
* integrated support for RADIUS authentication
* Support for Windows-native Kerberos. Although OpenSSH can be built with
Kerberos support on Windows (with Cygwin), it does not
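Several of the items in this post (certificate-based trust with revocation, per-group and per-address policy without running a second daemon, sftp-only chrooted accounts, forwarding ACLs and multi-factor requirements) have OpenSSH counterparts that appeared in releases after this discussion, via Match blocks, TrustedUserCAKeys, ChrootDirectory and AuthenticationMethods. The sshd_config below is an added example, not the poster's configuration or the project's shipped defaults; every file path, group name and network address in it is assumed for illustration.

```conf
# Added example (not from the Slashdot post): an sshd_config that covers
# several of the features listed above using later OpenSSH releases.
# All paths, group names and addresses are assumed for illustration.

# --- Certificate-based trust instead of scattered authorized_keys files ---
# Users present a certificate signed by this CA key; no per-user
# authorized_keys copies need to be tracked down to remove access.
TrustedUserCAKeys /etc/ssh/user_ca.pub
# Which certificate principals may log into which account. Rules such as
# "anyone in the Foo department" are expressed as principal names here.
AuthorizedPrincipalsFile /etc/ssh/principals/%u
# Key revocation list consulted on every login: revoke a certificate by
# adding it here rather than editing every host.
RevokedKeys /etc/ssh/revoked_keys

# --- Baseline policy for everyone ---
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding no
PermitRootLogin no

# --- Per-group / per-address policy without a second sshd instance ---
# Weak setting: a global "PasswordAuthentication yes" would permit password
# logins from anywhere. Instead, allow passwords only for the helpdesk
# group and only from the internal network.
Match Group helpdesk Address 10.0.0.0/8
    PasswordAuthentication yes

# Admins must supply BOTH a public key and a password, and may forward
# ports only to the targets listed (a forwarding ACL).
Match Group admins
    AuthenticationMethods publickey,password
    PasswordAuthentication yes
    AllowTcpForwarding yes
    PermitOpen db.internal.example:5432 10.0.5.10:443

# --- sftp-only accounts: no shell, no TTY, no forwarding, chrooted ---
# The chroot directory and every parent must be owned by root and not
# writable by others, or sshd refuses the login.
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    PermitTTY no
    AllowTcpForwarding no
    X11Forwarding no
```

One caveat the post's "run multiple instances of the server on different ports" remark still applies to: cipher, MAC and key-exchange selection (`Ciphers`, `MACs`, `KexAlgorithms`) is not permitted inside a Match block, so a stricter algorithm set for external clients still needs a separate sshd instance or a front-end that terminates those connections elsewhere. Validate a change with `sshd -t -f /path/to/sshd_config` before reloading, and use `sshd -T -C user=alice,addr=10.0.1.5` to print the effective configuration for a given user and source address.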
wanna sell ssh? Then make it better! (Score:3, Interesting)
Ideas...
1. How bout a hardware based SSH accelerator for fast SFTP/SCP transfers?
2. GUI configuration in X/QT/GTK...ect...
3. Performance monitoring tools
I pulled these out of my ass in 3 seconds. None of them may be worth the time but you get the idea!
Not much more protection than OpenSource (Score:3, Interesting)
Not sure what Online in Hazardous environments means. There's only a partial explanation; one additional interpretation would have all of the Internet hazardous because of crackers. I like how some companies beat you over the head with "you can't sue anybody" then neglect to mention you can't really sue them either. It's a true statement of most OSI licenses, but it's no worse than theirs in that regard.
Re:clear screen (Score:5, Informative)
Re:Man, the universe loves me. :) (Score:2)
Re:Man, the universe loves me. :) (Score:2)
Re:Man, the universe loves me. :) (Score:4, Funny)
Re:Man, the universe loves me. :) (Score:2)
Phew! Lucky it was actually a troll!
Cheers
Stor
Don't forget... (Score:2)
Re:Man, the universe loves me. :) (Score:2, Informative)
But since this is slashdot I think concrete examples are in order. Lets say we want to find out about the buffer routines, where do we go? Oh, buffer.c. I wonder what is in that file?
Well, look at that! Its the buffer management API! WOW! Who would have thought it!
So, we want to add some data to an existing buffer. Wh
Re:Man, the universe loves me. :) (Score:2)
You've obviously never seen professionally documented source code. That it has a couple of useless comments doesn't make it well-documented.
Re:Man, the universe loves me. :) (Score:3, Interesting)
Re:Man, the universe loves me. :) (Score:2)
Have you actually looked at the code? Don't call me a troll unless you've actually looked at it.
It does not help... (Score:3, Interesting)
OpenSSH is limited to IPv4 and IPv6. Limited? Well, yes. Linux supports many non-IP stacks, as do other *nix OS'. So long as you have some component
Re:It does not help... (Score:3, Insightful)
You're here whining, perhaps you should be at a terminal putting OpenSSH so far ahead that SSH.com seems like the ancient pyramids instead of complaining that people are working hard to put together something like OpenSSH at all.
OpenSSH's developers refuse shitty patches until they are sent in a manner that conforms to the code standards and goals of the project; if the people sending patches are too stupid to read and code properly beforehand, why should the developers
Re:It does not help... (Score:3, Insightful)
If you have different goals, start your own project.
If you're unable to spend the time to know how to properly submit a patch then it's your problem, not theirs, it's their project.
If you are wanting something to be accepted into it, you have to make it work the way the developers want it to work.
Your att
Re:I am sorely tempted... (Score:3, Interesting)
I neither respect him OR those who follow him for their attitudes, however. I don't know how long Theo's been in programming, but I believe it likely that I've hacked for longer, better and over a wider range of architectures and programming languages. I've probably worked on a wider range of networking infrastructur
Re:Man, the universe loves me. :) (Score:2)
Re:Man, the universe loves me. :) (Score:3, Insightful)
And this comes from a person who looks into OpenSSH source instead of
It must be credible s
Re:Man, the universe loves me. :) (Score:4, Interesting)
If you can't figure out how to keep your screen from clearing (hint, NOT because of ssh) then what judge are you of the source code?
Ever seen the source code of the commercial SSH? Hmm. Is it even using the proper encryption algorithms? Is there a back door? We are talking heavy duty ENTERPRISE security here. You trust that level of security to a product that claims to protect your communications? Why not trust it to a product you KNOW protects your communications, because you can look right there in the source and then compile it yourself.
Re:Man, the universe loves me. :) (Score:5, Funny)
Re:hmmm... this sounds familiar... (Score:3, Informative)
File copying: again, it's MOSTLY a function of the encryption algorithm. If you're using a simpler, and less-secure algorithm, y
Re:Enterprise - the key word of marketing BS (Score:3, Funny)
Re:That's like saying... (Score:2, Offtopic)
Re:I've had this same problem with Qualcomm (Score:2)