Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Software

SSH Claims Draw Open Source Ire 377

JDStone writes to tell us eWeek is reporting that claims of OpenSSH not being an 'enterprise-class product' by SSH Communications, the creators of SSH, is being met with a great deal of resistance. Theo de Raadt, of OpenBSD fame and a member of the OpenSSH development team was quoted saying "OpenSSH is built into all Unix and Linux vendor operating systems, and is also built into almost all larger managed network switches, from Cisco through Foundry. It comes on Linksys and D-Link wireless and security routers too."
This discussion has been archived. No new comments can be posted.

SSH Claims Draw Open Source Ire

Comments Filter:
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Wednesday September 28, 2005 @05:43PM (#13671275)
    Comment removed based on user account deletion
    • Thank you much, Mr. Obvious!
    • I'm sure SSH Communications stands to make more money if they can discredit a free, opensource product.

      Unfortunately, Theo de Raadt chose to counter his claims with "installed base" numbers, which do absolutely nothing to discredit their statements. Of course, the article doesn't have any of those statements either.

      • THE PRESS RELEASE FROM http://www.ssh.com/ [ssh.com]

        On May 10, 2005, The New York Times published an article concerning a breach at Cisco System, in which an intruder seized programming instructions for many of the computers that control the flow of Internet traffic. The attention was focused on a 16-year-old in Uppsala, Sweden, who was charged in March with breaking into university computers in his hometown. The crucial element in the attack that provided access at Cisco and elsewhere was the intruder's use of a vul
      • by Anonymous Coward on Wednesday September 28, 2005 @06:08PM (#13671495)

        Unfortunately, Theo de Raadt chose to counter his claims with "installed base" numbers, which do absolutely nothing to discredit their statements.

        They claimed OpenSSH was not "enterprise ready". Pointing out that many, many enterprises not only use it, but build it into their products is a fairly compelling rebuttal.

        They are either using their own private definition of "enterprise" that doesn't include organisations like Cisco, or they are lying. Either way, they are discredited.

  • by CSHARP123 ( 904951 ) on Wednesday September 28, 2005 @05:45PM (#13671289)
    Byron Rashed, senior marketing communications manager of SSH Communications Security, claimed that SSH's product is better suited for enterprise-scale business applications than a similar open-source product from OpenSSH.


    They are selling a product and they will say that to sell their product. Come on what else would you expect. This is like MS saying Windows is more Secure than Linux even though everybody knows the truth.

    • by Husgaard ( 858362 ) on Wednesday September 28, 2005 @06:10PM (#13671513)
      They are selling a product and they will say that to sell their product. Come on what else would you expect.
      We no longer just accept that corporations tell lies to the public. Now we also expect it...

      Doesn't truth matter anymore?

      • Not to corporations. Corporations are psychotic entities. If they were human beings they would be rapists, mass murderers, thieves, and all around criminals.

        recently somebody did a study of mass murderers and found out that virtually every single one of them could not perform a simple test that measured impulse control. It seems like inability to control impulses is a necessary trait (although not sufficient) for mass murderers. Corporations also can not control their impulses. They have no concept of delay
        • They're groups of people. They get together and decide what to do. Usually the controlling body of shareholders says "do wtf you want as long as I make oodles of money".

          People hide within the group and don't care if they have Nike shares and Nike abuses child labour (an example from the 90's). The people say "great, more money for me"; then when it becomes public they say "oh shame on Nike".

          What is possibly worse is that we, as consumers, say "your doing great" by buying the mega-corps products. There are f
          • by Mr. Slippery ( 47854 ) <tms@infamous.n3.14et minus pi> on Wednesday September 28, 2005 @08:25PM (#13672423) Homepage
            They're groups of people. They get together and decide what to do. Usually the controlling body of shareholders says "do wtf you want as long as I make oodles of money".

            They're not just groups of people, they are legal entities created by the state in a way that makes them unable to do anything but seek profit.

            A business corporation that fails to screw over anyone it can in the name of profit can be sued by investors. Since for large corporations, those investors are often other profit-seeking-monster corporations, such suits would be a given if the corporation didn't plunder to within an inch of what the law allows - and even beyond what the law allows, if the penalty is less than the profit.

            The modern large for-profit corporation is a Frankenstein's monster constructed of law rather than of corpses; and it's only by changing the law that we can tame these beasts.

          • by killjoe ( 766577 ) on Wednesday September 28, 2005 @11:20PM (#13673335)
            "They're groups of people. They get together and decide what to do. Usually the controlling body of shareholders says "do wtf you want as long as I make oodles of money"."

            You may have heard of a study done where it was shown that people are willing to deliver deadly amount of shocks to subjects if they can remain anonymous. Humans are like that. When relieved of responsibility and guaranteed anonymity they can be incredibly savage and cruel.

            Corporations were invented to shirk responsiblity and to diffuse responsibility enough to maintain anonymity. Within the context of corporations human beings act in incredibly vile ways. This is why it's so easy to for a corporation to kill hundreds of people just to save 50 cents on a part.
    • by Rodness ( 168429 ) on Wednesday September 28, 2005 @06:15PM (#13671562)
      Of course, "enterprise-scale" is a buzzword used by cathedral-style development houses who want to sell their products to "enterprise-scale" pointy-haired middle managers who have absolutely no idea how to parse buzzwords and hype with any degree of skepticism.

      In my "enterprise", we prefer the open-source far-more-used-and-debugged combination of OpenSSH and PuTTY. SSH Communications is probably going to attack PuTTY next, spouting about how it's not as good as their shitty windows terminal either.
    • This is like MS saying Windows is more Secure than Linux even though everybody knows the truth.

      Nope. This is more like saying Mac OS X is more secure when used by an average desktop user than Linux. While it isn't always true, it isn't always false. It depends on the Linux variant. Similarly, the issue of enterprise readiness depends on what mechanism was used to install OpenSSH.

      This software (assuming I read their ad copy correctly) provides built-in support for enterprise-wide deployment and dete

  • Er... (Score:5, Funny)

    by Sanjuro ( 9253 ) on Wednesday September 28, 2005 @05:46PM (#13671301)
    Are they implyinng the DOD isn't an Enterprise class network?
    • Re:Er... (Score:2, Funny)

      by Anonymous Coward
      I don't think it even qualifies as a Constitution class network.

      *cue groaning*
  • Enterprise Product? (Score:4, Informative)

    by emandres ( 857332 ) on Wednesday September 28, 2005 @05:48PM (#13671320)
    They claim that it's an enterprise product, another class of software than OpenSSH. They don't seem to have much of an argument for why it's so much different. The only comparison they manage to draw is that OpenSSH doesn't have very good SFTP, which they neglect to back by any comparison to their own. Straw man at best it seems. Anyway, what is so 'enterprise' about it that OpenSSH doesn't have? Seems to me that every 'enterprise' server running a *nix has it, so doesn't that make it enterprise enough?
    • by abirdman ( 557790 ) <abirdmanNO@SPAMmaine.rr.com> on Wednesday September 28, 2005 @05:59PM (#13671415) Homepage Journal

      My experience is that the word "Enterprise" placed on any product means that the price gets multiplied by 10 or so. Sometimes they add some glitzy splash screen or GUI checkboxes so the "enterprise" admin can show off the shiny new software to the PHB's. But believe me, if it says "Product XYZ, Enterprise Edition" it means they figgered how to add another zero or two to the price of XYZ, without adding any other functionality.

      Of course, I haven't RTFA yet, so I could be completely wrong about this.

    • by UnapprovedThought ( 814205 ) on Wednesday September 28, 2005 @08:10PM (#13672361) Journal

      Anyway, what is so 'enterprise' about it that OpenSSH doesn't have?

      Good question. It seems very enterprising to claim that a closed software product is "in a different class by itself" -- tantamount to saying it is more secure than an open source product.

      The crucial difference for me is whether I can check the source code for gaping security holes. With open source software, it is relatively easy. At least you can get a third party to vouch for the lack of obvious security holes in an open source product. With a closed product, you get only the vendor's assurance. Maybe the vendor could leave some secret exploits in there to convince people that they need to upgrade every so often? You would have no choice but to pay up, after all, your "enterprise" depends on it now.

      But does closed software retain some security through obscurity? Can blackhat hackers reverse engineer a closed software product anyway? Yes, they can, and I wonder if it is a coincidence if this happens close to a product upgrade cycle.

      IMHO, they are using the enterprise buzzword to try to evoke images of an "Enterprise class" warship, bristling with weapons and rotating radars and the latest bleeping control center screens, roaming your coastline defending you against any possible attack. The only trouble is you are not allowed to inspect the ship to see if it has a leak, and if the ship sinks, they'd rather you didn't tell anyone because they might not meet their sales target for that quarter.... :)

  • by mosch ( 204 ) on Wednesday September 28, 2005 @05:49PM (#13671323) Homepage
    In other news, Axe body spray doesn't get you laid, and Red Bull doesn't give you wings.
  • Hey, I'm all for OpenSSH - use it every day on almost any PC I touch, but "ready for enterprise" can have more meanings than just how secure/usable a product is.

    What may be missing from OpenSSH (and I'm not claiming to be an expert - just a user) is an enterprise manager ... which it sounds like the Commercial SSH version may offer.

    I'm sure there's a way to enterprise-manage ssh other than passing keys around. But it doesn't seem to come out-of-the-box with OpenSSH just yet.
    • CFEngine [cfengine.org] is an excellent tool for managing OpenSSH or any other system tool configuration.
    • by fimbulvetr ( 598306 ) on Wednesday September 28, 2005 @06:21PM (#13671617)
      That's the whole thing about Linux/Unix. SSH isn't meant to have those types of tools. Just like grep shouldn't have a field separator (awk) or a line counter (though it now does:)). My configs are handled by rdist, rsync or cfengine.
      Having all this crap built into one thing needlessly complicates things (Optional knee jerk for those who think the additional commands are the complications), and makes things a nightmare later on. Think Microsoft GUIs and the absolutely terrible configuration options when you think about how bad this can become.
      • by Zak3056 ( 69287 ) * on Wednesday September 28, 2005 @07:41PM (#13672194) Journal
        Think Microsoft GUIs and the absolutely terrible configuration options when you think about how bad this can become.

        While, personally, I'm alot more comfortable doing things the *nix way (for example, I find httpd.conf to be a much better administrative interface than MS's IIS Manager) Microsoft's MMC based tools are pretty good these days--they cover about 95% of everything your average admin is going to do in the lifetime of the application. They're "good enough" to get the job done, and I think that most people who say otherwise probably haven't used them recently... or are simply more comfortable using different tools to do the job and just aren't willing to sit down and learn the MS way of doing things.

    • Oooo, ooo! Someone who has dealt with administering large numbers of machines at once!

      Mod him up, mod him up!

      --LWM
    • by Nailer ( 69468 ) on Wednesday September 28, 2005 @06:30PM (#13671691)
      I'm sure there's a way to enterprise-manage ssh other than passing keys around. But it doesn't seem to come out-of-the-box with OpenSSH just yet.

      Kerberos. It's implementation in OpenSSH is a good example of how they specifically support enterprise admin. Kerberos is fairly poor security wise, using symmetric encryption and hence holding copies of user passwords on the server. It's poor security according to those with high standards, and inferior to PKI according to everybody. But OpenSSH supports it, because Kerberos is the most popular single sign on method used at corporates.

      Interestingly, OpenSSH's market share is something like 76% of all SSH servers.
  • by svvampy ( 576225 ) on Wednesday September 28, 2005 @05:49PM (#13671328)
    that "Enterprise class" is management-speak for pay-through-the-nose. There has and always will be a deep suspicion against low-cost or free(as in beer) products. There's plenty of stuff on the market that people can't give away that is sold to schmucks everywhere.
    • No, it's no (Score:5, Interesting)

      by winkydink ( 650484 ) * <sv.dude@gmail.com> on Wednesday September 28, 2005 @05:54PM (#13671364) Homepage Journal
      Enterprise-class is management speak for "has a pretty GUI that a monkey can use". If one is managing thousands or tens of thousands of accounts, one doesn't want to pay somebody big bucks to do it using Open Source if said open source requires an $80k/yr person to administer it. It's a TCO calculation, nothing more.

    • Depends (Score:5, Insightful)

      by Sycraft-fu ( 314770 ) on Wednesday September 28, 2005 @07:04PM (#13671963)
      Often it's "enterprise" because it makes managing your enterpirse easier. Not something home users would care much about, but in a large environtment it's valuable. Like we use Ghost Enterprise Server here for PC work. The way it works is you install a Ghost client on the computers (if they run a supported OS) or boot from a Ghost boot CD/USB key (if they don't) and then the server can start ghost tasks. It can pull and push images to many systems at one all remotely. So if someone screws up a system (which happens in student labs) we can get it back up quickly, if we need to switch a lab over for something (like switch a Windows lab to Linux for a presentation), no problem.

      Now it's nothing we couldn't do by hand, of course, and something we could probably hack together from freely available software. However the advantage here is that it's ready to go as is. Given that we do not have the time to mess with this kind of thing, it's worth the money to us.

      Now I'm sure some enterprise software is pure fluff, but often the "non-enterprise" solution is woefully short on capabilities. It'll have all the technical stuff it needs, but lack in the ease of configuration, use and management. If you are running one server for yourself, you can tinker with nit pickey shit as much as is required. However when you run 1000 systems that's just not the case. You don't have that kind of time. You need to be able to centrally deploy and manage shit easily.

      That's the whole point of things like LDAP (or Microsoft's version of it, Active Directory). Sure, you could keep a local user DB on each computer, and just update it as needed. Works fine, needs no new software. However that gets to be a bitch if you are talking 500 computers and 3000 users. Much better to have a central system. In our case, we pay Sun for a product that synchs our Active Directory to our Sun LDAP database. Could we do it manually? Sure. Could something have been hacked to do it? Ya, but we lack the time, and the personel to do that. Better to just pay Sun for it.
  • Name recognition (Score:4, Interesting)

    by shudde ( 915065 ) on Wednesday September 28, 2005 @05:51PM (#13671339)

    I realise I'm displaying my ignorance here but it should hopefully prove a point. I've used OpenSSH for years and until now I had no idea they didn't develop the protocol or that a commercial variant existed.

    Couple that with the sheer number of servers and distributions using OpenSSH and the statements by Byron Rashed seem to have the ring of sour grapes.

    • You're missing the point. Popularity doesn't exactly equate to 'enterprise class'. Look at nmap, everyone knows and uses it. Is it enterprise class? No. Enterprise class means it's designed to be deployed across an entire enterprise/organization with centralized management, out of the box.
  • Define enterprise (Score:5, Interesting)

    by russg ( 64596 ) on Wednesday September 28, 2005 @05:56PM (#13671378) Homepage
    Not that I'm defending SSH, but it really depends on what specifically you are speaking of when it comes to comparing the offering of OpenSSH and SSH Communications. The two products are fairly similiar for base installs and function about the same. The problems with OpenSSH come into play in the enterprise when you want to manage the SSH installs globally or integrate the SSH server with other products.

    Two examples from my own experience. We attempted integration with RSA and OpenSSH had significant problems that we had to resolve and in the end we could not resolve the final problem which was a session would hang after exiting the shell if the session was authenticated using the RSA PAM module.

    The other example is related to distribution and configuration managment. We have started using SSH communications central management center to distribute new versions of Tectia server as well as centrally manage the configuration for Tectia/ssh. This has reduced our management overhead considerably. This is an "enterprise" feature.

    --russ
    • Two examples from my own experience. We attempted integration with RSA and OpenSSH had significant problems that we had to resolve and in the end we could not resolve the final problem which was a session would hang after exiting the shell if the session was authenticated using the RSA PAM module.

      One example from my own experience: I ran ssh-keygen from OpenSSH, copied the RSA public keys around, and it just worked. I do believe you've had different luck, but I suspect my case is more typical.

      The other exa
    • RSA PAM (Score:5, Insightful)

      by chowbok ( 467829 ) on Wednesday September 28, 2005 @07:36PM (#13672158) Homepage
      We attempted integration with RSA and OpenSSH had significant problems that we had to resolve and in the end we could not resolve the final problem which was a session would hang after exiting the shell if the session was authenticated using the RSA PAM module.

      I had that problem too... we fixed it by turning on PrivilegeSeparation (I know the RSA docs say to turn it off, but ignore that).

      In any event, that's a problem with RSA's buggy PAM module, not OpenSSH.
    • by Sinner ( 3398 ) on Thursday September 29, 2005 @01:06AM (#13673777)
      Big spaceship. Bald captain.
  • Did Darl finally move on to another project and change his name?
  • If you block cookies, it just shows you the flash premercial page over and over. (Yes, I block flash also.) I've tested this by accepting the cookie to see the article. I've searched for friendly copies elsewhere on the net, but failed to find any.

  • by Anonymous Coward
    s/It comes on Linksys and D-Link wireless and security routers too/Don't forget about Poland
  • Obviously... (Score:4, Insightful)

    by Comatose51 ( 687974 ) on Wednesday September 28, 2005 @05:58PM (#13671405) Homepage
    Byron Rashed, senior marketing communications manager of SSH Communications Security, claimed that SSH's product is better suited for enterprise-scale business applications than a similar open-source product from OpenSSH.

    Come on. Stop feeding the troll. He's a marketing droid. He comes from a tradition of making outlandish claims or at best distortion of truth. It's his job to drive sales for SSH. We should treat what marketing people say the same way we treat any advertisement. Take it with a block of salt. Obviously an open source implementation of SSH competes, and have done so very successfuly, with SSH. This is their attempt to win back the market. It's not worth giving too much thought to.

  • by DeafByBeheading ( 881815 ) on Wednesday September 28, 2005 @06:00PM (#13671421) Journal
    Rashed acknowledged this but added, "Many vendors use it because it is free and they can use it without a license, so the number of users for remote access is quite large, but it does not provide very good SFTP or application connectivity usage."
    No no no! You cannot use it without a license. It's released under the BSD license, and that license is just as important as a proprietary license. It just functions in a different way--to share the benefits of copyright rather than restrict them. Why do people keep saying that FOSS products don't have licenses?
    • by Asgard ( 60200 ) *
      FOSS programs generally don't have to connect to a 'license server' or have a paid-for 'license key' entered in a magic config file or dialog box. There is also not normally a hologram or fancy piece of paper that must be presented upon request.
    • by Bogtha ( 906264 ) on Wednesday September 28, 2005 @06:18PM (#13671588)

      You cannot use it without a license.

      Of course you can. [wikipedia.org]

      It's released under the BSD license

      That grants you permission to distribute copies. You already have the right to use it. Free Software licenses like the BSD-style licenses aren't EULAs, they only come into play when you want to distribute copies.

    • Why do people keep saying that FOSS products don't have licenses?
      I've got three letters for ya:
      F
      U
      D
      If a foggy haze can form over FOSS licensing being a scary question mark, it might just turn one PHB away from the FOSS and towards the proprietary and/or closed source.

    • Why do people keep saying that FOSS products don't have licenses?



      I suppose because I can use most FOSS products without a license. The GPL is a license relating to copying the code, it has nothing to do with usage. I can use it any way that I want, the license specifically states that you don't have to accept it to use the software.


  • He Said, She Said (Score:3, Informative)

    by Doc Ruby ( 173196 ) on Wednesday September 28, 2005 @06:00PM (#13671427) Homepage Journal
    You can tell the difference between news and Public Relations fairly easily these days. Either can look at a controversy like "SSH is enterprise-class software" (whatever that means, exactly). PR publishes a story about how one party claims it isn't, and another party irately claims it is, without telling the story of whether, in fact (or even in reliable opinion), it is or not. Actual news reporters investigate what "enterprise-class software" is, compare SSH to that, and tell the story of the software. Even including the opinions of experts, and inexpert stakeholders in the debate.

    We know that eWeek, like most IT press, is PR. But it's instructive to compare eWeek's obvious PR to "mainstream media", which is now mostly just PR. Real reporting keeps the "fairness and balance" in the process of determining the real story. Then tells the real story, with evidence and witnesses to back it up. PR, and most MSM, just spouts endless hourse of newscycle reiteration of "sources" promoting their versions of the story.
  • by eyeball ( 17206 ) on Wednesday September 28, 2005 @06:04PM (#13671464) Journal
    ...claims of OpenSSH not being an 'enterprise-class product' by SSH Communications...


    That's because almost everything that's 'enterprise-class' is crap.

    Sheesh. If I had a nickel for every time upper management was impressed into buying a 3-million dollar equivelent of syslog, I'd be back in the dot-com boom.

  • I've used both... (Score:2, Insightful)

    by LABarr ( 14341 )
    for quite a number of years. In networks both big,(huge) and small. (just to the room next door) And to be honest the are both pretty much configure and forget. But if I were deploying a world class enterprise, I'd stick with OpenSSH. If for no other reason than it is an off-shoot of the OpenBSD project and using that has conviced me what a truly first class OS looks like. OpenSSH is enterprise ready enough for virtually anyone on this planet.

    --
    Simulated Sig
  • "OpenSSH is an enterprise-class product that is needed for the demands of a large-scale deployment. We think OpenSSH compares very favourably to our SSH Tectia. In fact, there really is no reason for enterprise users, or any users for that matter, to purchase our SSH Tectia product."

    Does anyone really expect Rashed to say that?
  • At least that's what Google AdWords keeps telling me. By a curious coincidence with this article I got an email from them today, saying I'm not allowed to use that term when describing the quality of the Linux-support for the ADSL modems [networkned.co.uk] that I sell.

    I believe that I applied for an exemption for this term when I originally set up the ad with AdWords, but it's been running for months quite happily without bothering anyone.

    When I Google for "enterprise-level" I (of course) get loads of hits discussing ente

  • by adam872 ( 652411 ) on Wednesday September 28, 2005 @06:22PM (#13671627)
    This is just stupid. There are open source products out there that are clearly good enough to be used in "enterprise" settings and OpenSSH is one of them (Apache, Perl, Linux being some others). I've looked at what commercial SSH vs OpenSSH offers and I honestly can't think of a reason to use the commercial product. I agree (for once) with Theo and ask if it's not "enterprise class", why would O/S vendors include it in their products (Sun, Redhat etc)? For the record, all of my Solaris systems run OpenSSH supplied by Blastwave and the Linux machines have it already. It's all about the right tool for the job and open vs commercial is a secondary consideration (IMHO) over utility. In this case, the open source offering is at least as good as the commercial product.

    What extra features do you need out of SSH anyway? I ask not to be a smart arse, but as a genuine inquiry.
  • If SSH Comm. uses OpenSSH in their products. I mean, maybe all they're doing is slapping some lipstick on a pig and calling it Paris Hilton.
  • Because when we looked at it a few years ago it said something that amounted to

    "This may or may not contain someone else's code so if someone comes after you legally, you're on your own."

    Our lawyers did not like that one bit.
  • by NullProg ( 70833 ) on Wednesday September 28, 2005 @06:45PM (#13671813) Homepage Journal
    Byron Rashed, senior marketing communications manager of SSH Communications Security, claimed that SSH's product is better suited for enterprise-scale business applications than a similar open-source product from OpenSSH.

    Since when do we care what a Marketing manager says about anything.

    Enjoy,
  • It's:
    a) The kids who graduated from the elementary school held on the ship.
    b) The stiff upper lip kept by Picard and crew in the face of extreme danger.
    c) The next class after Galaxy.
    d) The schooling you get by the geek army if you think Picard could kick Kirk's arse.

    sheesh - I thought there were actual nerds on /. - guess I was wrong...
  • "Rashed contends that business customers are now looking for Secure Shell programs with support and liability protection "due to compliance regulations and security audits." Specifically, "we have heard lots about SOX 404 [Sarbanes-Oxley], CA SB 1386 [California Information Practice Act], HIPAA [Health Insurance Portability and Accountability Act] and others along with internal audits that are driving customers to SSH Tectia," Rashed said."

    I was ready to jump all over this until I RTFA. This paragraph is

  • a few facts (Score:5, Informative)

    by rsilverman ( 266807 ) on Wednesday September 28, 2005 @09:18PM (#13672681)
    There's a lot of exaggeration and vagueness on both sides of this little
    tempest. What suffices for one enterprise may not for another, so it is
    certainly silly for ssh.com to claim that OpenSSH is not
    "enterprise-class" -- as Theo and others rightly point out, OpenSSH is
    used successfully in many large contexts. On the other hand, it is a fact
    that Tectia has a number of features OpenSSH lacks, some of which are
    particularly relevant to large organizations (which is not the same as
    simple widespread use). Here are a few of them:

    * PKI support

    Tectia can use X.509 certificates for both client and server
    authentication. To add a new SSH server or change an existing one's host
    key, all you need do is issue a certificate for it. Clients need only
    have a copy of a single public key: the issuing CA certificate. No
    constantly shifting mess of per-user and per-host known-host files to try
    to keep in sync, no spurious "unknown host" or "host key changed messages"
    confusing users and teaching them to ignore security warnings. It just
    works.

    For client authentication, there are no burgeoning copies of
    authorized_keys files lying around, unmanaged, needing to be individually
    tracked down whenever you want to turn off someone's access: instead, you
    can simply revoke the user's certificate. And flexible rules can grant
    access based on certificate attributes, like "anyone in the Foo Department
    can log into this host."

    The distributed-trust problem has been addressed abstractly by systems
    like PKI and Kerberos. In a large (or even medium) scale environment, you
    want to tie applications such as SSH into these systems, not have each one
    use its own ad-hoc mechanism.

    Note that both OpenSSH and Tectia support Kerberos. There is some
    variation in how well they use it to address the above problems, though,
    and I won't get into that here.

    * Greater configuration flexibility

    With the Tectia SSH server you can:

    + Modify almost all server parameters based on the client hostname and
    address, or properties of the requested account (username and group
    membership). Thus you can arrange that, accounts in one group permit
    password authentication, while those in another group require
    public-key -- or that connections coming from your internal network
    allow a wide range of ciphers, while those coming from the outside
    require a smaller, stronger set. You can accomplish some of this type
    of thing with OpenSSH, but generally you have to run multiple
    instances of the server on different ports.

    + Exert finer-grained control over what kinds of SSH services you
    provide. You can forbid terminal access while still allowing sftp,
    for example, by simply rejecting the corresponding SSH protocol
    requests (shell and exec channels), rather than resorting to custom
    shells or other hacks that have unwanted side effects.

    + Control port forwarding with ACLs that include permit/deny statements
    and patterns matching user, target hostname, IP address, etc.

    + Require multiple forms of authentication for access (e.g. password and
    public-key).

    * SOCKS support for outgoing SSH connections (note this is different from
    the OpenSSH -D feature, which Tectia has also).

    * "chroot"-ed logins

    * integrated support for RADIUS authentication

    * Support for Windows-native Kerberos. Although OpenSSH can be built with
    Kerberos support on Windows (with Cygwin), it does not
  • by Danathar ( 267989 ) on Wednesday September 28, 2005 @09:55PM (#13672810) Journal
    If they want people to buy a commercial version of SSH then they should provide something of value that OpenSSH does not provide!

    Ideas...

    1. How bout a hardware based SSH accelerator for fast SFTP/SCP transfers?

    2. GUI configuration in X/QT/GTK...ect...

    3. Performance monitoring tools

    I pulled these out of my ass in 3 seconds. None of them may be worth the time but you get the idea!
  • by cant_get_a_good_nick ( 172131 ) on Wednesday September 28, 2005 @11:22PM (#13673349)
    Though TFA mentions extra protection for rule sets like SOX and others, actually checking the license shows them pretty fairly lacking. Like most EULAs, you give up pretty much everything. This is what you get from: http://www.ssh.com/support/downloads/tectia-client /evaluation.mpl [ssh.com] It looks like it is their normal license, plus an amendment for the temporary license period. I extracted some parts on liability, yadda yadda.


    8. WARRANTY

    LICENSOR EXPRESSLY DISCLAIMS, TO THE EXTENT PERMITTED BY APPLICABLE LAW, ALL WARRANTIES, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, OF FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT OF THIRD PARTY INTELLECTUAL PROPERTY RIGHTS, AND ANY WARRANTY THAT MAY ARISE BY REASON OF TRADE USAGE, CUSTOM OR COURSE OF DEALING. LICENSOR DOES NOT WARRANT THAT THE SOFTWARE WILL BE FREE FROM BUGS OR THAT ITS USE WILL BE UNINTERRUPTED NOR THAT THE SOFTWARE WILL OPERATE WITH ANY HARDWARE AND/OR OTHER SOFTWARE OR REGARDING THE USE, OR THE RESULTS OF THE USE, OF THE SOFTWARE OR DOCUMENTATION IN TERMS OF CORRECTNESS, ACCURACY, RELIABILITY OR OTHERWISE. WITHOUT LIMITING THE FOREGOING, YOU ACKNOWLEDGE THAT THE SOFTWARE IS PROVIDED "AS IS," WITHOUT WARRANTY OF ANY KIND.

    9. LIMITATION OF LIABILITY

    THE ENTIRE RISK AS TO RESULTS AND PERFORMANCE OF THE SOFTWARE IS ASSUMED BY YOU. ANY LIABILITY OF LICENSOR WITH RESPECT TO THE SOFTWARE, THE PERFORMANCE THEREOF OR DEFECTS THEREIN, OR UNDER THIS AGREEMENT, UNDER ANY WARRANTY, NEGLIGENCE, STRICT LIABILITY OR OTHER LEGAL THEORY SHALL BE LIMITED EXCLUSIVELY TO PRODUCT REPLACEMENT OR, IF REPLACEMENT IS INADEQUATE AS A REMEDY, OR, IN LICENSOR'S SOLE OPINION, IMPRACTICAL, TO A REFUND OF THE ACTUAL AMOUNT PAID BY YOU TO LICENSOR, IF ANY, FOR THE SOFTWARE OR SERVICES GIVING RISE TO THE CLAIM.

    10. DISCLAIMER OF DAMAGES

    UNDER NO CIRCUMSTANCES WILL LICENSOR OR ITS LICENSORS BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES OF ANY KIND OR NATURE WHATSOEVER, WHETHER BASED ON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, ARISING OUT OF OR IN ANY WAY RELATED TO THE SOFTWARE, THIS AGREEMENT, WHETHER DUE TO A BREACH OF LICENSOR'S OBLIGATIONS HEREUNDER OR OTHERWISE, EVEN IF LICENSOR OR ITS LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE OR IF SUCH DAMAGE COULD HAVE BEEN REASONABLY FORESEEN, AND NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY EXCLUSIVE REMEDY PROVIDED IN THIS AGREEMENT. SUCH LIMITATION ON DAMAGES INCLUDES, BUT IS NOT LIMITED TO, DAMAGES FOR LOSS OF GOODWILL, LOST PROFITS, LOSS OF DATA OR SOFTWARE, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION OR IMPAIRMENT OF OTHER GOODS. IN NO EVENT WILL LICENSOR OR ITS LICENSORS BE LIABLE FOR THE COSTS OF PROCUREMENT OF SUBSTITUTE SOFTWARE OR SERVICES.

    YOU ACKNOWLEDGE THAT THIS SOFTWARE IS NOT DESIGNED OR LICENSED FOR USE IN ON-LINE EQUIPMENT IN HAZARDOUS ENVIRONMENTS SUCH AS OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR CONTROL, OR LIFE-CRITICAL APPLICATIONS. LICENSOR EXPRESSLY DISCLAIMS ANY LIABILITY RESULTING FROM USE OF THE SOFTWARE IN ANY SUCH ON-LINE EQUIPMENT IN HAZARDOUS ENVIRONMENTS AND ACCEPTS NO LIABILITY IN RESPECT OF ANY ACTIONS OR CLAIMS BASED ON THE USE OF THE SOFTWARE IN ANY SUCH ON-LINE EQUIPMENT IN HAZARDOUS ENVIRONMENTS BY YOU. FOR PURPOSES OF THIS PARAGRAPH, THE TERM "LIFE-CRITICAL APPLICATION" MEANS AN APPLICATION IN WHICH THE FUNCTIONING OR MALFUNCTIONING OF THE SOFTWARE MAY RESULT DIRECTLY OR INDIRECTLY IN PHYSICAL INJURY OR LOSS OF HUMAN LIFE.


    Not sure what Online in Hazardous environments means. There's only a partial explanation; one additional interpretaion would have all of the Internet hazardous because of crackers. I like how some companies beat you over the head with "you can't sue anybody" then neglect to meantion you can't really sue them either. It's a true statement of most OSI licenses, but it's no worse than theirs in that regard.

An adequate bootstrap is a contradiction in terms.

Working...