SSH and OpenSSH Comparisons?
Colonel Bleep asks: "My company is finally on the road to getting serious about Unix server security. Though there's a lot more to do, the current push is to replace telnet, ftp, rcp and the like with ssh. Problem is, the security team in charge of the transition is composed mostly of Microsoft-trained technicians that hold varying opinions of open source software. Non team members, such as myself, are kept abreast of developments via email. Input is encouraged. OpenSSH came up during a recent email exchange with the coordinator. It didn't take long for the "isn't proprietary better?" mantra to rear its ugly head. Though I use OpenSSH at home I found myself at a loss to explain why the corp might want to consider using it over commercial SSH. That's aside from the obvious open source peer review argument, of course. I haven't been able to uncover any direct side-by-side reviews of the two products but I would very much like to pass such a comparison along. What say ye?"
Update: 11/14 2:40p EDT by C: Users of SSHv1 may want to take a look at this security bulletin on a potential SSHv1 exploit that is rumored to be in the wild.
User Interface (Score:3, Interesting)
Obvious differences (Score:4, Informative)
OpenSSH will save your company money. This has to be balanced against the lack of a commercial support contract, although I'm sure you could find someone prepared to sell you a support contract for OpenSSH. Where the balance swings depends on your company's priorities.
OpenSSH gives you peace of mind that the software you're depending on isn't vulnerable to the financial failure of a commercial company.
Commercial ssh has a few features that aren't yet present in OpenSSH (twofish and IDEA ciphers, for example, or host based authentication).
Re:Obvious differences (Score:1)
If you don't think that all of the commercial implementations have been audited, you are very mistaken. The commercial ssh vendors would not be in business if they did not realize the security benefits of code audits.
noah
Re:Obvious differences (Score:1)
The differences are minor... (Score:3, Interesting)
The reality is that the differences are really minor, and, now that RSA is legal, openssh can be set up to act almost exactly the same as closedssh.
The only significant difference between them for most people is the price.
There used to be a fair bit of difference, but at least for unix, this is no longer true. Since 2.5 openssh has supported sftp. Since 3.0 it supports rekeying a session. With external PAM modules you can support smart cards and securid logins.
The one advantage that ssh has over openssh is that this is all integrated into one package. The smartcard support is built in, you don't have to go looking for support.
If you are not planning on using smartcards or tokens, then openssh wins based on price alone. You can get it pre-compiled for most platforms, so the compilation is not so much the issue. Otherwise you have to weigh the choices a little more carefully. Check to see if your required token/card is supported by both. If not, then it is likely to be easier to add support into openssh, having the source and all.
In terms of windows clients...that is one big differentiator. Again, mostly money! We use tera-term [zip.com.au] and that works quite well, but does not do ssh V2 protocols.
In either case, you are buying a big whack of security, but don't forget, passwords can be extremely weak! Don't let up on the other security policies just because you now have SSH. (And yes, I know that the poster is not responsible for this, this is just a general admonition :-)
Whatever you get, I wish you the best of luck.
Now for the gratuitous links: :-)
securid and openssh [omniti.com]
some preliminary smartcard integration with openssh [neohapsis.com]
another smartcard and openssh link [umich.edu]
Re:The differences are minor... (Score:2, Informative)
http://www.chiark.greenend.org.uk/~sgtatham/put
Features (Score:1)
Re:Features (Score:1)
Re:Features (Score:2, Informative)
Van Dyke Secure CRT [vandyke.com] is a really good GUI that supports SSH2 with the most advanced encryption and authentication schemes (AES). My favourite features are:
You can probably implement all those features when you use OpenSSH via an Xterm, but it would take you days to research X Window configuration and the Expect scripting language.
The only feature that command line SSH (OpenSSH and the commercial ssh.fi ssh) has is the ability to forward authentication using ssh-agent.
Re:Features (Score:3, Informative)
I've found Putty interoperates better with OpenSSH 3.0 than Secure-CRT - at least versus SCRT version 3.1. This may be better in 3.4, but Van Dyke wants upgrade fees, so...
I also have a problem with the way Van Dyke forces you to pay upgrade fees - The 3.1 version I purchased from them won't even install anymore, it says it has expired. It's OK to charge for software upgrades, but it's wrong to disallow use of older versions!
Free for non-commercial use, the Windows ssh client at ssh.com is pretty decent and polished.
And there's always TeraTerm Pro. It used to be better than Putty, but recent builds of Putty have turned that around, IMHO. I believe TT supports only SSH1, and not SSH2.
As an example, recent Putty versions support port forwarding, SSH2 DSA keys, and agent forwarding. And as always, it has a very small footprint.
Lastly, iXplorer is a nice Windows GUI dropped on top of pscp/plink for secure (SCP) file transfers.
Re:Features (Score:1)
I've talked to other people who have experienced this too. I had one version (about a year+ ago) work fine, but none of the new ones have worked for me.
However, I have recently found WinSCP [winscp.vse.cz] and it works great! More configurable than i-explorer, much more intuitive UI (configurable: Windows Explorer-like or Norton Commander-like). Freeware too. It doesn't even "install", it's just one executable, no spyware, funky registry keys, etc. Very nice.
Not too much of a difference (Score:1)
If spending money for support and proactive updates is easier for the company than having your current IT staff RTFM and monitor security-related mailing lists, then go with commercial ssh.
Remember too that in almost all cases openssh and commercial ssh can interoperate. So, you could buy commercial ssh on a few machines until you're comfortable with using it, and then implement future installations using openssh.
-D
OpenSSH is the way to go... (Score:2)
Peer Audited Code
If a bug is found it's patched nearly the same or next day usually
And I have never been able to get Closed SSH 3.0 to compile on Slackware, Mandrake, or Stampede, always dies with weird compiler errors.
OpenSSH works every time.
Chroot sftp (Score:2, Informative)
SSH crc32 problem (Score:1)
Pro's / Con's (Score:1)
Re:Pro's / Con's (Score:1)
It may be a bit of overkill to install all the cygwin tools just to get the openssh support, but since I have them installed anyways....
Re:Pro's / Con's (Score:1)
http://www.networksimplicity.com/openssh/ [networksimplicity.com]
It's primarily for adding sshd as a service but it includes ssh which can be run on the command line.
OpenSSH codebase originates from ssh.com (Score:1, Insightful)
OpenSSH is basically a very old ssh.com SSH with some improvements. The SSH technology as we know it wouldn't exist without ssh.com's efforts of developing and standardizing it in the first place. Some might consider that this alone is enough reason for buying the commercial version to support the development of the SSH technology.
Re:OpenSSH codebase originates from ssh.com (Score:2)
They have done their share of work too, and are more than a cheap ripoff of the ssh1 codebase.