Re: SSH

["Michael H. Warfield" <mhw@wittsend.com>]

On Tue, Jul 09, 2002 at 10:54:45AM -0600, David Jackson wrote:


> Fabien.LIOU@fr.thalesgroup.com wrote:

> > Hi,

> > Can you explain me what are the differences between ssh-3.X and OpenSSH-3.X

> Openssh is Open Source, free to use, and most important is being activily
> maintained
> ssh (if  your are referring to the commerical product), closed source and cost
> you money ?

	Half right...  Well...  Maybe 1/3 right.

	Ssh from SSH Communications is not "closed source".  The source
is completely available.  It may not meet the licensing requirements of
OSI for the "Open Source" branding, but it is not closed source.  You can
download the source from their web site and build it on your system
if you so desire, right now.

	It is also free for non-commercial use.  The "non-commercial"
aspect has gotten a lot stricter since the very loose definition days
of SSH 1.x, but it still is free for non-commercial use.

	OpenSSH incorporates both SSH version 1 and SSH version 2 in
a single client (server) binary.  Commercial SSH only incorporates
the version 2 protocol unless you install the older SSH1 package
(which they no longer officially support) FIRST.  Even then, there
are latency issues and protocol startup issues if you need to support
SSH1.

	All that being said, OpenSSH is still definitely the way to go.
Definitely Open Source (BSD License) and definitely free for both
non-commercial and commercial uses, plus supporting both major versions
of the SSH protocol (actually 3 versions of the protocol, two minor revisions
of the version 1 protocol plus the version 2 protocol).

> As far as Solaris, the package provide by Sun is OpenSSH but besure and check
> the version.

	DEFINITELY check the OpenSSH version.  Versions prior to 3.4p1
(that's 3.4 Portable 1, not 3.4 patch 1) with either BSDAuth, S/Key,
or PAM enabled are vulnerable to a serious remote execution security hole.
BSDAuth and S/Key are not commonly compiled in (other that on OpenBSD and
a few odd others) but PAM potentially is.  IAC...  The safest thing is
to be on 3.4p1.

> David

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!