OT: reasoning behind open vs. closed SSH

Ben Lindstrom mouring at etoh.eviladmin.org
Tue Nov 25 15:09:05 EST 2003



On Mon, 24 Nov 2003, Jake Hawkes wrote:

> Let me preface this message by saying that the "General Discussion"
> mailing list archive was filled with 99% spam, so I thought I'd post
> here instead to get some real people.
>

Hmm.. real people?  <looks around>  I've been accused of a lot of things,
but being a real person is not one. <grin>

> My employer is using SSH to replace rcp, rsh and rlogin in its UNIX
> products.
>
> Our experience so far is that the commercial product is slow(1), and
> difficult to use in scripts where standard input and output are being
> used, especially if not attached to a terminal.
>

Would be interesting to know what the problem is and if OpenSSH comes
closer to solving it.

> (1) This could be caused by the type of authentication we are using
>
> Also, the support is woeful.  One of our guys was on-site at a
> customer, called SSH up for support and was told that the problem he
> was having is a "known bug" and there is no way around it at the moment.
>
> My question is, what reasons should we go with the commercial product?
> Reasons given me have been:
>   1 - support
>   2 - legal liability

This one has irked me.  Everyone keeps claiming, "Oh, closed source
products are better due to legal liability."  However, when you ask any
commercial company if they will pay for any product destruction or breach
to a system, you'll see most of them laugh you out of the room.

Not implying we provide any liability, but we don't pretend to do so
either.

>   3 - upgrades and patches
>   4 - more secure
>

The rest are subjective at best.


> All of these seem bunk to me.
>
> My company has told me that the reasons they are going with SSH from
> SSH Communications Security Corp are based on a whitepaper entitled:
>

	"Does your company depend on any Open Source products?"
		- Linux / OpenBSD / FreeBSD / NetBSD?
		- GCC?
		- Snort?
		- Apache?
		- Tomcat?

If the answer is yes, then you need to seriously suggest the person
making the decision re-evaluate how business is done.  Maybe they
need to replace any open source product (or freeware) being used with
commercial only.

I think track record and community involvement speak volumes (Commercial
and Open Source).  Anyone skimming the OpenSSH-UNIX-Dev@ list would see posts
from NASA, IBM, Sun, Cray, HP, Redhat, Debian, US Military, universities
(students and Systems admins), etc.

And others prefer privacy in their questions and contact the team or
individual developers.  Would be great if half of the groups that
contacted me would post here.  It is impressive where OpenSSH is used.

<shrug> I hate statistical stuff myself and this one is getting dated:
http://www.openssh.com/usage/ssh-stats.html  (I believe there may be
a newer version somewhere.)

It is also nice to know that OpenSSH and the greater OpenBSD team have
someone awake 24/7 to review security issues and wake up enough of the
OpenSSH team if a security release has to be done.

As for technical, <shrug> I've always been a fan of "let the product speak
for itself".  The more hot air you need to blow the more the company is
covering up for their flaws.

- Ben