SSH Claims for New Secure Shell Draw Open-Source Ire

SSH Communications Security claims that its new Secure Shell program is far superior to open-source alternatives do not sit well with free-software developers.

SSH Communications Security Corp., a provider of enterprise security solutions and end-to-end communications security and the original developer of the Secure Shell protocol, announced this week the availability of Version 5.0 of its SSH Tectia client/server solution and SSH Tectia Manager 2.0.

Secure Shell programs provide a transport-level protocol for administrators and remote users to securely log into remote servers for management, work and FTP (file transfer protocol) transfers. Its most often used for remote administration purposes.

The SSH Tectia is available on Windows, Unix, Linux and IBM mainframe z/OS environments. SSH Tectia can be centrally managed with SSH Tectia Manager.

Byron Rashed, senior marketing communications manager of SSH Communications Security, claimed that SSHs product is better suited for enterprise-scale business applications than a similar open-source product from OpenSSH.

"OpenSSH is not an enterprise-class product that is needed for the demands of a large-scale deployment. We do not compare OpenSSH to our SSH Tectia solution, since its far from the same," Rashed said.

/zimages/4/28571.gifClick here to read about Novells plans for its first OpenSuSE Linux distribution in October.

However, OpenSSH is very popular and is commonly deployed in almost all BSD, Unix and Linux systems. More than 87 percent of Internet-facing servers were using OpenSSH, according to an OpenSSH Internet scan in September 2004.

Rashed acknowledged this but added, "Many vendors use it because it is free and they can use it without a license, so the number of users for remote access is quite large, but it does not provide very good SFTP or application connectivity usage."

In any case, "OpenSSH certainly has its place, and we are not competing with them. We truly have a different class of product that is more suitable for business-critical applications" that customers ask about, said Rashed.

These comments raised the ire of Theo de Raadt, leader of the OpenBSD operating system and a member of the OpenSSH development team.

"OpenSSH is built into all Unix and Linux vendor operating systems, and is also built into almost all larger managed network switches, from Cisco through Foundry. It comes on Linksys and D-Link wireless and security routers too," said de Raadt.

"It is just the most commonly installed security software used anywhere in the world," he said. According to OpenSSHs numbers, the SSH product line is on less than 7 percent of servers, and most of that comes from SSH-1.5, with 5.38 percent.

/zimages/4/28571.gifClick here to read about Massachusetts decision to support the newly ratified Open Document Format for Office Applications.

"It is only when you get to their SSH-1.99 and SSH-2.0 versions, at 0.32 percent and 1.22 percent of the market, that you are talking about modern SSH commercial versions," said De Raadt.

Rashed contends that business customers are now looking for Secure Shell programs with support and liability protection "due to compliance regulations and security audits." Specifically, "we have heard lots about SOX 404 [Sarbanes-Oxley], CA SB 1386 [California Information Practice Act], HIPAA [Health Insurance Portability and Accountability Act] and others along with internal audits that are driving customers to SSH Tectia," Rashed said.

"Liability is also an issue that companies are worried about. Open-source software usually does not have any indemnity insurances associated with them."

This misses "the point that the two are not exclusive. You can go to any number of OS vendors [like Red Hat or Novell] and pay for accountability and support for an OS that includes OpenSSH," countered Mark Cox, a Red Hat Inc. consulting engineer and founding member of the OpenSSL group.

/zimages/4/28571.gifCheck out eWEEK.coms for more on IM and other collaboration technologies.