From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Michael H. Warfield"
Subject: Re: SSH
Date: Tue, 9 Jul 2002 14:30:29 -0400
Sender: linux-admin-owner@vger.kernel.org
Message-ID: <20020709183029.GA16392@alcove.wittsend.com>
References: <3D2B1555.491E71D3@wcox.com>
Mime-Version: 1.0
Return-path:
Content-Disposition: inline
In-Reply-To: <3D2B1555.491E71D3@wcox.com>
List-Id:
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: David Jackson
Cc: Fabien.LIOU@fr.thalesgroup.com, linux-admin@vger.kernel.org

On Tue, Jul 09, 2002 at 10:54:45AM -0600, David Jackson wrote:
> Fabien.LIOU@fr.thalesgroup.com wrote:

> > Hi,
> > Can you explain to me what are the differences between ssh-3.X and OpenSSH-3.X

> OpenSSH is Open Source, free to use, and most important is being actively
> maintained

> ssh (if you are referring to the commercial product), closed source and costs
> you money?

Half right...  Well...  Maybe 1/3 right.

Ssh from SSH Communications is not "closed source".  The source is
completely available.  It may not meet the licensing requirements of OSI
for the "Open Source" branding, but it is not closed source.  You can
download the source from their web site and build it on your system if
you so desire, right now.

It is also free for non-commercial use.  The "non-commercial" aspect
has gotten a lot stricter since the very loose definition days of
SSH 1.x, but it still is free for non-commercial use.

OpenSSH incorporates both SSH version 1 and SSH version 2 in a
single client (server) binary.  Commercial SSH only incorporates the
version 2 protocol unless you install the older SSH1 package (which they
no longer officially support) FIRST.  Even then, there are latency issues
and protocol startup issues if you need to support SSH1.

All that being said, OpenSSH is still definitely the way to go.
Definitely Open Source (BSD License) and definitely free for both
non-commercial and commercial uses, plus supporting both major versions
of the SSH protocol (actually 3 versions of the protocol, two minor
revisions of the version 1 protocol plus the version 2 protocol).

> As far as Solaris, the package provided by Sun is OpenSSH but be sure and check
> the version.

DEFINITELY check the OpenSSH version.  Versions prior to 3.4p1
(that's 3.4 Portable 1, not 3.4 patch 1) with either BSDAuth, S/Key, or
PAM enabled are vulnerable to a serious remote execution security hole.
BSDAuth and S/Key are not commonly compiled in (other than on OpenBSD and
a few odd others) but PAM potentially is.  IAC...  The safest thing is to
be on 3.4p1.

> David

Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
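
Added example, not part of the original message: a Python check that reads a server's SSH identification string, reports which protocol versions it offers, and flags OpenSSH releases older than the 3.4 threshold given in the message above. The function names and sample banners are constructed for illustration, and a non-portable 3.4 is assumed to meet the threshold.

```python
import re

# SSH identification string: "SSH-<protoversion>-<softwareversion>[ comments]".
BANNER = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")
OPENSSH = re.compile(r"^OpenSSH_(\d+(?:\.\d+)*)(?:p(\d+))?")
FIXED = (3, 4)  # threshold from the message: be on 3.4p1 or later


def protocols(protoversion):
    """Map the advertised protocol version to the SSH protocols offered."""
    if protoversion == "1.99":      # server speaks both version 1 and 2
        return ["1", "2"]
    return ["1"] if protoversion.startswith("1.") else ["2"]


def classify(banner):
    """Return a dict describing one server banner, or None if unparseable."""
    m = BANNER.match(banner.strip())
    if not m:
        return None
    proto, software = m.groups()
    result = {"protocols": protocols(proto), "software": software,
              "openssh": None, "portable": None, "action": "not OpenSSH"}
    o = OPENSSH.match(software)
    if o:
        version = tuple(int(x) for x in o.group(1).split("."))
        result["openssh"] = version
        result["portable"] = o.group(2) is not None  # "pN" suffix present
        # The banner does not reveal whether PAM, S/Key or BSDAuth is
        # compiled in, so an old version is flagged for upgrade regardless.
        result["action"] = "upgrade" if version < FIXED else "ok"
    return result


# Constructed sample banners (not captured from real hosts).
SAMPLES = [
    "SSH-1.99-OpenSSH_3.1p1",
    "SSH-2.0-OpenSSH_3.4p1",
    "SSH-1.5-OpenSSH_2.9.9p2",
    "SSH-2.0-ExampleServer_1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", classify(line))
```

A host flagged "upgrade" still needs its build options checked locally to know whether PAM, S/Key or BSDAuth is actually enabled.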