SSH-Based Solutions - Looking for Industry Proof? 391
mcwop asks: "My company's IT department is trying to set up secure FTP with a vendor. It would be set up on a Sun box (not running Solaris 9). I emailed suggesting they look at OpenSSH. The response I received stated that they don't like to use freeware, but only consider industry proven and supported software. I have found one commercial version
at SSH. What other commercial versions are out there (I know Solaris 9 comes with SSH)? But more importantly, what are some commercial successes? What large organizations are implementing SSH?"
Client side (Score:3, Informative)
Re:Client side (Score:2, Informative)
Re:Client side (Score:5, Informative)
It's good, but I've switched to PuTTY [greenend.org.uk], mainly because it can heartbeat an SSH connection with an empty packet every minute to prevent sessions being timed out by over-zealous firewalls - very convenient if you need to monitor several machines.
Re:Client side (Score:2)
Re:Client side (Score:2)
Re:Client side (Score:2)
and
All of whom pointed out that Putty does indeed now do port forwarding. And particular thanks to Simon and the Putty team for making it so.
Re:Client side (Score:2)
Re:Client side (Score:2)
but as far as the article is concerned - your managers are smoking crack if they dont think that openSSH is good enough for them.
And it is very available... (Score:2)
Re:Client side (Score:2)
Even though I use Putty on windows machines (and WinSCP2) I don't like putty's interface one bit. I'd use plink (command-line putty) if it would only support all the options a the GUI putty. Right now, I just build OpenSSH under cygwin, and copy the exes and Cygwin dlls to other machines.
Re:Client side (Score:2, Informative)
Re:Client side (Score:3, Insightful)
Confused (Score:4, Interesting)
Re:Confused (Score:2)
Re:Confused (Score:2)
Good luck... (Score:4, Insightful)
Re:Good luck... (Score:3, Interesting)
I agree with the poster above. Since when are these mutually exclusive? That people refer to proprietary software as `commercial' is a fault of their logic. Chances are they are already relying in soem way or another on one of the following Open Source applications that are either produced for commercial reasons and have some kind of backing. Oh, did I mention that each of these apps is the markt leader in their field?
Silly (Score:5, Insightful)
Re:Silly (Score:4, Insightful)
I have run into this snobbish attitude also in my consulting work. I have been told on occasions "sorry son, we only use corporate quality software here".
If when proposing a particular solution I could quickly add that a site licencing fee is only $850 most corporate customers would not even flinch and would somehow feel more comfortable that they are not using some "freeware" or "shareware" product to run their business.
OpenSSH (Score:5, Interesting)
Re:OpenSSH (Score:5, Informative)
Re:OpenSSH (Score:2)
Been there, done that (Score:5, Insightful)
Then I showed him screen. Suddenly the light went on in his head-- "Hey, I don't have to use 2 phone lines and 2 modems to get 2 shells at work!" To him, it was the greatest thing since sliced bread.
After that, he didn't have any problems letting me install emacs.
Re:Been there, done that (Score:2, Funny)
Re:Been there, done that (Score:2, Funny)
Yeah, when is that thing going to achieve sentience?
Re:Been there, done that (Score:3, Funny)
Sssh! You'll make it angry!
some me one that's not.. (Score:2, Funny)
so we can 0wn them. ;-)
seriously, any unix admin worth their paycheck isn't using unsecure telnet or ftp.. i sure know i'm not. (and i don't get paid enough)
Re:some me one that's not.. (Score:2)
Re:some me one that's not.. (Score:2, Insightful)
firewalled off or not why take the risk? ssh does everything telnet does and more (like X and port forwarding, file transfers with scp). everything that goes through is encrypted.
the risk goes up even further if you're happily using an unencrypted network at home, behind a firewall. anyone sitting outside your house can watch you telnet from box to box! even encrypted 802.11b transmissions can be broken with time.
why take any chances when protection is so simple? it's also good to simply practice safe computing.
openSSH (Score:5, Insightful)
Re:openSSH (Score:2, Informative)
Make sure that when openssh is used, it is configured properly.
e.g.
- no root login
- SSH2 instead of SSH1
- use login with key instead of passwords
There are more configuration options, please read the man pages for those.
Re:openSSH (Score:2)
This is harder than it should be, to convince semitechnical people that it is more secure, or secure at all.
It's very, very hard for some people to get their brain around key-based authentication, or the concept that a password scheme could be weaker.
Re:openSSH (Score:2)
Ssh communications. (Score:4, Informative)
From Their Download Page: (Score:2)
Re:Ssh communications. (Score:3, Informative)
Escape character is '^]'.
SSH-2.0-Sun_SSH_1.0
^]
telnet>q
Everything else (config files, library dependencies etc.) speaks of OpenSSH so much that there is no other possible option. Sun probably took OpenSSH and modified a few things and released it as their own, as they are allowed to by the BSD license.
These configure options should get you an identical setup to that of the layout on Solaris 9;
CC=cc \
CFLAGS="-g -I/tmp/foo/include" \
LDFLAGS="-L/tmp/foo/lib -R/tmp/foo/lib" \
./configure \
--prefix=/tmp/foo \
--bindir=/usr/bin \
--sbindir=/usr/lib/ssh \
--localstatedir=/var/run \
--libdir=/usr/lib \
--includedir=/usr/include \
--mandir=/usr/share/man \
--with-ssl-dir=/tmp/foo \
--sysconfdir=/etc/ssh \
--libexecdir=/usr/lib/ssh \
--datadir=/usr/lib/ssh \
--with-pid-dir=/var/run \
--with-prngd-socket=/var/run/prng-socket \
--with-zlib=/tmp/foo \
--disable-wtmp \
--disable-utmp
The $CC variable is to build with Sun Forte, substitute with gcc as you please. Note the LDFLAGS and CFLAGS though. This configure expects to find zlib and openssl headers in
F-Secure, SSH, or OpenSSH (Score:5, Informative)
Did you think at all? (Score:5, Interesting)
Also Nokia's IPSO (on their Checkpoint based firewalls uses openssh.
As you can see Sun uses it. Good enough. I thought so.
Data Fellows... (Score:4, Informative)
...has a version of SSH [datafellows.com] available for Unices, Windows, Macs, even the Nokia 200 [datafellows.com]. Don't know how good it is, but they've got a fair amount of info on the site.
F-Secure SSH (Score:5, Informative)
http://www.f-secure.com/products/ssh/
List of platforms:
Server
All major Unix platforms; Solaris, Linux, HP-UX, AIX, BSD
Windows 2000, Windows NT 4.0
Client
All major Unix platforms; Solaris, Linux, HP-UX, AIX, BSD
Windows XP
Windows 2000
Windows NT 4.0
Windows 95
Windows 98
Windows ME
MacOS
Nokia 9200 Series Communicators
Re:F-Secure SSH (Score:2, Informative)
OUR SOLUTION....We scrapped f-secure and went OpenSSH (BSD version anyway). We been very happy, and have save thousands of $$ in maintaince fees. Example: The recently posted problem with SSH had a newsgroup workaround posted within the same day. I tested the workaround and upgraded our machines by that evening. Anyway, that's truly....schweeeeeet!
Re:F-Secure SSH (Score:2)
I wish there was a client for Nokia 9110 that doesn't costs a fortune...
Re:F-Secure SSH (Score:2)
don't tell them it's freeware (Score:2, Funny)
https://https.openbsd.org/cgi-bin/order [openbsd.org]
besides, it's the right thing to do. =)
-Triumph
Other thoughts (Score:3, Insightful)
If using OpenSSH is questionable, using the #1 webserver shouldn't be. If Apache isn't proven or reliable in their eyes, then you have a really tough uphill battle.
Been there, done that (Score:5, Interesting)
We ended up compromising. They wanted vendor software, I wanted free. For the mission critical systems, we chose FSecure (fsecure.com) and for the high-importance and below (to include desktops), we went with OpenSSH.
Worked out well. With FSecure we also purchased Windows clients for the developers and if anything ever happened, they had the support they were looking for the vendor software. With everything else, OpenSSH did the job along with PuTTY on the peasants computers.
SSH Is Proven (Score:2, Interesting)
~Shane
SSH for secure file transfers (Score:2, Informative)
1) Encrypted file transfer
2) User authentication
3) chroot jail environment
After initally looking at F-Secure's ssh server for Windows to match the system standards. We found out that certain SSH subsystems (namely sftp) we not 100% compatible with all clients. I'd put the openssh code up against commercial offerings if you can spend a little bit of time configuring.
In the end we waived standards and used Linux, openssh+openssl+ldap. It did require patching the sftp subsystem for chroot access that was obtained off of the openssh mailing list. This does require a suid executable, but since our customers are [semi] trusted, the risk of them smashing the stack is manageable.
Customers can now sftp or scp in and are rooted to the ~username directory. At present, implementation has be as easy as our dedicated line FTP customers. Ironically, we recommend commerical SSH clients...
Lots of Options (Score:3, Informative)
D'uh! (Score:2)
All of them.
OpenSSH _is_ industry-proven. (Score:4, Insightful)
Don't to roll over and allow your firm to adopt a second-rate (and more expensive) security product simply because they don't trust open source. The answer to your problem, as uncomfortable a situation as it may be, is to try to inform the higher-ups of why they're misguided (without losing your job
Re:OpenSSH _is_ industry-proven. (Score:2)
If however, they INSIST on a commercial version, please let me know and I'd be happy to take their money. My soon-to-be-created company will charge per copy precisely their budget divided by the number of copies they want.
Support is extra, of course. But source is included.
W
HPUX has an official OpenSSH-based implementation (Score:3, Informative)
Re:HPUX has an official OpenSSH-based implementati (Score:2)
http://www.software.hp.com/cgi-bin/swdepot_parser
Thanks for the tip, Marx!
Usage Stats (Score:4, Informative)
http://www.openssh.org/usage/index.html
The OpenSSH team has put together a great page with a number of different usage statistics for SSH.
Kerberos (Score:2, Insightful)
Re:Kerberos (Score:2)
One compromised machine or one inside operator and the whole house of cards comes crashing down.
Kerberos is nice IFF you enforce strong passwords. Session integrity is only protected by the password (via string-to-key and excryption of your ticket-granting ticket and associated session key). Kerberos is very suceptable to ofline attacks if you have weak passwords.
OpenSSH vs Commercial SSH (Score:5, Insightful)
There really is no reason to use a commercial product unless the management is stuck on the "We need someone to sue if it breaks" business model of software acquisition.
Re:OpenSSH vs Commercial SSH (Score:3, Interesting)
SSH, Inc.'s Windows server offering had much better system integration than any of the Windows OpenSSH projects. Granted - this may no longer be the case (last I looked at this issue was over a year ago).
You don't mean commercial. You mean proprietary. (Score:2)
Yep, let's not use freeware (Score:3, Funny)
Instead, let's use proprietary "secure" software, ala Win2000, IIS, etc.
SSH over OpenSSH? (Score:2, Insightful)
It may sound silly to suggest it again, but consider mentioning OpenSSH in your spread of possibilities. Even though it did have a possible remote root exploit exposed recently, look how fast working updates and/or workarounds were released. You'd be very hard pressed to find that in a commercial product.
If you want industry standard... (Score:2, Interesting)
SSH is the original (Score:4, Informative)
If you want a "industry proven and supported [ssh.com]" product that supports SSH protocols, then the original SSH [ssh.com] is what you want, but you'll (obviously) have to pay [ssh.com].
What about other "freeware" (Score:2, Insightful)
Just point them to Sun (Score:2, Informative)
Some notable links:
http://www.sun.com/blueprints/0102/config
http://www.sun.com/blueprints/0701/openSS
The scripts for an automated package creation have been very useful for me over the past few months, as OpenSSH has blazed through the 3.x versions.
Dude, you could make some serious cash (Score:3, Funny)
Register a company called "Secure Products Inc.", and make a quick website, fake some letterhead, etc. Then, tell your boss you found a great SSH product from Secure Products for only $50 per seat. Then, download the newest version of OpenSSH, change the name to SPISSH and watch the $$$$ roll in!
Word.
SSH Alternatives (or HTTP/SSL?) (Score:2, Informative)
I have suggested SSH to these vendors and each time they cite reasons relating to their use of Microsoft Windows (often a managed server at some hosting company like AT&T), or their refusal to use non-mainstream-commercial software. They also tend to try to argue that FTP is good enough, and that the law doesn't require anything more secure. As we all should know, this is just plain senseless, and dangerous.
In my hunt for an alternative that would be acceptable to them as well as me, AND would be able to be automated, I realized that good old HTTP over SSL (HTTPS) would work just fine for transferring the data. Not only would it be secure enough (at 128-bit) but I could automate the entire thing with OSS tools from my side, and they already had everything they would need to make it work on their end under Windows.
With just a little configuration on each end, and a simple little perl script, we have a secure transfer mechanism.
In our case our internal policy states that we initiate all secure data transfers from our side so making our transfers "bi-directional" was easy, but for others who do not have this policy, or where it would be inappropriate, it is quite simple to set up an http server on the local side to handle inbound transfers, even on a Windows server/host.
There are of course other possibilities including using a TLS enabled ftp client/server, and they all come with other considerations including some relating to compatibility. I highly suggest that you personally review each of the alternatives yourself and do not rely purely on the advice gleaned here on Slashdot, as accurate (or not) as it may be.
Hope this helps!
-Anon
Solaris 9 ssh IS OpenSSH (Score:2, Informative)
The only commercial Unix ssh server that I'm aware of is from SSH.com
(it is resold be several companies like F-Secure IIRC).
Compaq^WHP supplies SSH.com's ssh for Tru64 Unix (free download from
Compaq's site, and I think will be included with Tru64 5.1B).
If I am not mistaken. (Score:2)
Now, to answer your question regarding Open SSH specifically. The only major and well known company that I know for sure that uses Open SSH is Cisco. There are certainly many others but, there are probably few who use it as a matter of policy. But, that doesn't mean that their engineers, having half a brain, haven't all acquired a copy and rely heavily on Open SSH. Part of the problem with free software is that it doesn't show up on the radar unless it is used very heavily but, that doesn't mean that it isn't used by many.
You've got a tough sell ahead of you as you must sell mind share, which is very difficult. It's far eaisier to sell SSH on technical merit but, that's already been done for you. To add further insult, if anyone does take you seriously and checks into Open SSH they will likely find a couple of recent vulnerabilities which, although already fixed, won't help your arguement.
I'd say let it go. If they want to pay for SSH then let them. Comfort yourself in thinking that that money will be used by SSH to advance the product and some of those advancements will make it into OpenSSH too.
Re:If I am not mistaken. (Score:2, Informative)
Re:If I am not mistaken. (Score:2)
The truth of the matter is that back in the early days of SSH, the world was entirely SSH.COM (now F-Secure). That's because there was noone else. SSH 1.x was all we had, and it was free (for non-commercial use, after 1.2.something).
It's profoundly clear that the large majority of businesses are switching to OpenSSH. The numbers prove it (check out openssh's statistics, posted here several times). Why? Because the old SSH 1.x installations are steadily dying, and people are forced to perform a semi-major upgrade. It's clear they're choosing OpenSSH. If you read the statistics in fact, it appears that the number of F-Secure installations is dropping. (not couting F-Secure 1.x, which is dropping like a stone).
You may think "oh, big conservative companies want a commerical product". Take for example UBS Warburg. A mega-huge conservative financial institution. They use OpenSSH whever possible ("as a matter of policy" to use your words). In fact, several of their employees are involved in OpenSSH development. I used to work for a hosting company, and there were other fiancial institutions that used OpenSSH. Of course not just banks liked OpenSSH. We had very few requests to support F-Secure.
They're by far not the only ones. Your "horses mouth" argument is way off the mark, too. The vast majority of development is going on in the OpenSSH world, not the closed proprietary world of F-Secure. Oh, and F-Secure's SSH isn't without a recent hole [f-secure.com] either.
Re:If I am not mistaken. (Score:2)
Sun RECOMMENDS OpenSSH (Score:2)
Corporate Examples...... (Score:2)
"freeware" to them and to the rest of us (Score:2)
I'm sure your boss(es) need a good clue-bat to the head and they'll be fine.
Re:"freeware" to them and to the rest of us (Score:2)
Stupid managers: fire them (Score:5, Insightful)
Then your company needs to fire its IT management staff since it is apparent they have absolutely no idea what they're talking about. In the meantime, you can tell them that OpenSSH is NOT Freeware. I wouldn't trust freeware either. The difference? Freeware is typically closed source software that the authors refuse to release to code to because they think they're really "eleet" or some similar childish reason. I would also ask you: if you're a talented geek (assumption), why are you working for some lame company that refuses to touch Open Source software? Go somewhere where you're gonna make a difference. If you have the skills, you'll find plenty of jobs doing what you'd really like to do.
I saved my previous company $60K with OpenSSH (Score:4, Insightful)
Except he didn't know how to load it. I was tasked with "implementing SSH..."
I loaded OpenSSH on all the Sun boxes (90+). Loaded up putty for all the developers and started shutting off telnet/ftp.
The F-Secure sales rep called me to see "how things were going".
I told him we were going to go with OpenSSH. He asked about support... I laughed at him. 2 weeks later a major hole surfaced in SSH
(OpenSSH was not vulnerable to this one.) and F-Secure was the LAST vendor to come out with a fix, ala 2+ weeks later.
I have OpenSSH running on my HPUX box, all my Sun boxes, all my Linux boxes, and of course my OpenBSD boxes.
If OpenSSH is good enough for Sun/HP/Redhat it ought to be good enough for your managers. If not it might be time to go Bofh [ntk.net] on them....
Just load it on there and then tell them you *didn't realize* it was already on there.... Then stuff them in a tape safe...
Re:I saved my previous company $60K with OpenSSH (Score:2)
Cool! Like, did the CEO of the company personally walk to your cubicle with his minions and hand you a large oversized check?
They DO do that, right?
W
Answers for all your questions. (Score:2, Insightful)
The version of SSH that Sun is shipping with Solaris is in fact OpenSSH. Sun is not trying to hide this, they are proud of shipping it because it is an excellent program.
Most major insurance companies run SSH (if they are Microsoft shops) or OpenSSH (if they are not). Most hospitals run OpenSSH.
I use both products. Support is superb for both; but SSH.com has friendly, personable phone support while the OpenSSH support comes mostly from Usenet and Email (and can be fiery if you ask exceptionally stupid questions). OpenSSH fixes bugs faster than SSH.Com, but both products have had about the same number of problems, and all have been quickly and effectively resolved.
Popular clients for windows include putty [greenend.org.uk] and Teraterm SSH [zip.com.au]. Make sure you get a recent version, however, older versions of those programs use versions of SSH ( v 1.5) that have known bugs.
If you are dealing with a company that thinks commercial software is "better" than "freeware" you should be careful how you approach this project. If there is a single person who has created this mindset, that person is likely to be both powerful and not very analytical - a dangerous combination.
The larger issue (Score:2)
However, the larger question is this: how do you convince your boss that you should be allowed to use lots of free software off the net. The answer is you should not, and he should not approve such a thing. What you should be doing is picking a vendor that will do things like chase down security updates, while also providing you with the kinds of features that you need.
Of course, this brings into question the entire spectrum of software that you run. Should you switch OS vendors to someone who embraces Open Source Software (e.g. a Linux vendor like Red Hat, Caldera, SuSe, etc.).
If you need high-quality software with the latest feature-set, you should be looking at who will give you what you need and support it well.
Can of worms you say? Well, yes but when you start talking about Linux these days you have a lot of amunition. IBM is shipping Linux-based systems. Everybody and his brother is using Linux-based servers in production (unless they're using BSD
OpenSSH is hard to argue against, and you'll probably win that battle hands-down. But what happens when you want remote management via VNC or OpenLDAP has some features you want or you need a quick-and-dirty database and don't want to spend $thousands?
Get an OS that comes with the best software already installed. Get Linux.
bzzzzt! (Score:2)
the correct question is, "should i get a new job?" and the answer is yes.
i'm totally serious. it's as if 100 or so years ago you worked at a overland transport company that said, "ah, that mechanical train thing is never going to catch on, i'm sticking to wagons!"
let your current employer waste their time and while you humor them with whatever they think they want to hear, go find a more sane place to work while you have the luxury of time.
Lemmings (Score:2)
What, do they live under a rock? You'd be hard pressed to find another free software project used _more_ than OpenSSH.
Maybe you should forward a note to your CEO about how your clueless IT department is needlessly racking up support and licensing costs, while remaining ignorant of common IT practices.
-pmb
For what it's worth... (Score:2, Interesting)
Ah yes (Score:2)
...the thin, whiny sound of an incompetent, bumbling, empire-building middle manager, easily identified by the unhyphenated buzz-phrase "industry-proven" which is part of the Management 2.0 Service Pack upgrade along with "customer-focused" and "memory-hungry."
It really is unfair to have such a staggering advantage over the competition.
No, please. PLEASE go overpay for your "industry-proven" version of the exact same thing everyone with a clue already has. Just don't lay off anyone when your budget runs out.
Cisco Systems & SSH (Score:2)
Cisco Systems uses SSH extensively. You can find SSH supported in some of their commercial products. And internally, SSH is becoming one of the standards for remote access. It might be interesting to note that they use a combination of SSH2 from SSH, Inc AND OpenSSH with both being officially sanctioned solutions.
Check out the press that OpenSSH DOES get (Score:2)
for secure FTP, try SafeTP (Score:2)
To secure FTP traffic, I highly recommend SafeTP [berkeley.edu] from the folks at Berkeley. SafeTP is an RFC 2228 [ietf.org] compliant FTP Security Extension that uses Public Key Crypto to authenticate and secure the link.
SafeTP [berkeley.edu] is supported under Unix / Linux as well as Windows 95/98/ME/NT/2000/etc. Source code for Unix and compiled code for Windows is available free of cost.
This quote from the Berkeley folks may be useful:
We have found SafeTP [berkeley.edu] to be both user friendly and expert friendly. We have been successfully using it now for several years. It works well behind firewalls. The code is both well written and stable.
Sprint PCS 3 OpenSSH (Score:2, Interesting)
All of my machines are standard with OpenSSH now, and I know that all the new machines coming in are required to have SSH in place of Telnet... and OpenSSH is the defacto standard, although we will accept a commercial implimentation if the vendor provides it.
Anything Sprint PCS provided, though, is OpenSSH. Telnet as been officially "banned" from all new equipment, even if people are breaking this rule (much to my chagrin) on occasion.
The Written Word (Score:2)
They have builds of OpenSSH (and tons of other free software) for a variety of UNIX platforms, and they offer commercial support for them. I used them at my last employer, and was extremely satisfied with them. On several occasions they integrated or wrote fixes when I came across bugs, and submitted their fixes upstream to the maintainers. Their response was also much faster than the maintainers.
Sun uses ssh (Score:2)
- Hubert
CNN.com uses (or used) SSH (Score:2)
When I left CNN, I went to a startup called ZapMedia. It was a much smaller company, but we used SSH for all communications to our production boxes (which were colocated at Exodus outside of our company LAN). We even did remote CVS checkouts over SSH as part of our code release process. The use of SSH was completely secure and worked very well.
We are using openSSH and we are rather large (Score:2)
Before that we used F-Secure's SSH as a commercial version. It works great but is clearly more expensive than FREE.
SSH.com server and client... (Score:3, Interesting)
Some people might point to the recent OpenSSH security holes trying to discredit them, but look at how quick the turnaround on patches was.. amazing.
One thing I did want to point out was the SSH.com Windows client. I really like it. It might not be worth the money, but if you fall into one of the categories where you get a free license (allows university use and non-commercial use according to their website), it's quite good. I especially like the ease in opening additional sessions or secure file transfer, etc. Worth checking out..
(And definitely don't use the TeraTerm SSH client. It's still SSH version 1, and is just a hack on top of TeraTerm... never seemed like the greatest solution to me, even if it did work)
Run, don't walk -- far away from these bozos! (Score:2)
You cannot find anything commercial that is more proven or better supported than OpenSSH. There may be commercial packages that are as good -- although I don't know of any -- but there can be none that are better. Support from commercial companies is, too often, a joke.
Case in point: very recently a bug was discovered in OpenSSH: if you used a certain form of challenge-response authentication, a remote compromise may be possible. Within days of the bug being announced, there was a workaround; and versions post-3.3 are not affected since they UsePrivilegeSeparation by default. This is the only significant bug I can remember off-hand.
In any case, SSH is a commercial product and is done by Tatu Ylonen, who was the original SSH guy; OpenSSH is the free version that the OpenBSD guys forked when SSH went commercial.
Disney Internet Group uses OpenSSH (Score:2)
As it turns out, the prevailing attitude is that with commercial software we have to involve the vendor every time we want to do anything remotely unusual. If we improve the tool, the vendor probably won't support it. If the vendor improves the tool, they will probably require more money and a needlessly complicated upgrade for us to benefit from it.
Stand up to your managers. Don't just tell them that Free Is Better, show them.
Re:Well proven? (Score:2, Informative)
If you really mean a SSH (not SSL) survey, by Netcraft, I don't know about it and can't find it on their website...where is it?
Re:Well proven? (Score:3, Informative)
You mean the "very similar to the Netcraft [openssh.org] Web Server Survey" done by the OpenSSH people?
Couldn't find anything at Netcraft, so I assumed this is what you were talking about.
Re:Solaris /dev/random (Score:2, Informative)