September 27, 2005

The original developer of the Secure Shell protocol, SSH Communications Security Corp., announced yesterday the availability of Version 5.0 of its SSH Tectia client/server solution and SSH Tectia Manager 2.0.

Secure Shell (SSH) programs provide a transport-level protocol for administrators and remote users to securely log into remote servers for management, work and FTP (file transfer protocol) transfers. It's most often used for remote administration purposes.

The SSH Tectia is available on Windows, Unix, Linux and IBM mainframe z/OS environments. SSH Tectia can be centrally managed with SSH Tectia Manager.

Byron Rashed, senior marketing communications manager of SSH Communications Security, claimed that SSH's product is better suited for enterprise-scale business applications than a similar open-source product from OpenSSH.

"OpenSSH is not an enterprise-class product that is needed for the demands of a large-scale deployment. We do not compare OpenSSH to our SSH Tectia solution, since it's far from the same," Rashed said.

Click here to read about Novell's plans for its first OpenSuSE Linux distribution in October.

However, OpenSSH is very popular and is commonly deployed in almost all BSD, Unix and Linux systems.

More than 87 percent of Internet-facing servers were using OpenSSH, according to an OpenSSH Internet scan in September 2004.

Rashed acknowledged this but added, "Many vendors use it because it is free and they can use it without a license, so the number of users for remote access is quite large, but it does not provide very good SFTP or application connectivity usage."

In any case, "OpenSSH certainly has its place, and we are not competing with them. We truly have a different class of product that is more suitable for business-critical applications" that customers ask about, said Rashed.

These comments raised the ire of Theo de Raadt, leader of the OpenBSD operating system and a member of the OpenSSH development team.

"OpenSSH is built into all Unix and Linux vendor operating systems, and is also built into almost all larger managed network switches, from Cisco through Foundry. It comes on Linksys and D-Link wireless and security routers too," said de Raadt.

"It is just the most commonly installed security software used anywhere in the world," he said. According to OpenSSH's numbers, the SSH product line is on less than 7 percent of servers, and most of that comes from SSH-1.5, with 5.38 percent.

Click here to read about Massachusetts' decision to support the newly ratified Open Document Format for Office Applications.

"It is only when you get to their SSH-1.99 and SSH-2.0 versions, at 0.32 percent and 1.22 percent of the market, that you are talking about modern SSH commercial versions," said De Raadt.

Rashed contends that business customers are now looking for Secure Shell programs with support and liability protection "due to compliance regulations and security audits."

Specifically, "we have heard lots about SOX 404 [Sarbanes-Oxley], CA SB 1386 [California Information Practice Act], HIPAA [Health Insurance Portability and Accountability Act] and others along with internal audits that are driving customers to SSH Tectia," Rashed said.

"Liability is also an issue that companies are worried about. Open-source software usually does not have any indemnity insurances associated with them."

This misses "the point that the two are not exclusive.

You can go to any number of OS vendors [like Red Hat or Novell] and pay for accountability and support for an OS that includes OpenSSH," countered Mark Cox, a Red Hat Inc. consulting engineer and founding member of the OpenSSL group.

Source: eWeek