On Tue, Sep 24, 2002 at 11:54:17AM +0200, voguemaster wrote:
> The only hint I have about the diff between SSH and SSL is the message
> I replied to. When I was talking about elaborating on tunneling I was
> basically asking what can I do with tunneling. Neither the SSL nor the SSH
> websites give any real hint to this, not that I have found.

SSH first and foremost is a terminal program. I believe your first post was something to the effect of "Telnet over SSL, or SSH, help me decide". SSH protects against statistical analysis, protocol quirks (like the first n chars starting at m in the stream are the password, so be damn sure it is one block).

SSL is a tube. It doesn't know anything about anyone. Stuff goes in one side, and it gets blurry until it leaves the other side. That is it. That's all she wrote. What you stuff into the tube is up to you.

SSH was made to be a secure remote terminal protocol that also fixed some of the mistakes of telnet and rlogin while they were at it. Telnet/SSL was someone with an SSL framework in place who said, "It'd be stupid easy to wrap another TCP port with SSL". I don't recommend its use. It is better than nothing, but given that a better solution exists for free and is likely easier to set up, why bother?

http://www.ssh.com or http://www.openssh.com

Download
gtar xfz <filename>
cd <dirname>
./configure;make;make install

Start the server and you are good to go. No need to mess with PKI.

> Just one example: can I code a client/server application and
> encrypt and do authentication with SSL/SSH tunneling ? I've no idea,
> not from the things I've read about those two. Yeah, SSH is a secure
> login and shell for a remote system. That I know. It's more than
> that, isn't it ??

If you prefer, think of SSL as a protocol with a library, and SSH as a protocol with an application. You would not normally use SSH as a backend for encrypting things. There are times when I have used SSH for this purpose (securing CVS, VPNing IMAP connections from a webmail client in the DMZ), but if you are making an application, you either want to make a module (sub-command in the docs) for SSH or use something else. SSH can be more than a secure terminal service, but that is its primary common use.

Client side SSL is capable of doing authentication with the server. This is done in Apache/SSL and modSSL (for Apache). I hate PKI with a passion, and don't recommend this route; but it has its place and will work.

If you are interested in not using SSL, http://www.ssh.com has similar technologies that are meant for VPN and application development. Sentinel rings a bell in my head, but I can't recall what it is for. And your browser works just as good as mine. There are other companies that might make something more like what you are after. I like SSH Security Communications, so I mention them.

> I'm sorry if you're impatient about my post, but I don't recall
> people answering me and me being a nag about it all over
> again.. Maybe it's just my memory, but who knows..

There does come a point when we are no longer being helpful, but are consulting. I am happy to consult, but not in a public forum and not for free. You are not there yet, though.

The reason you haven't seen a comparison of SSL and SSH is quite simple. They are not used in the same manner, and don't really accomplish the same goal.

SSL is designed so an anonymous public can have a secure connection to a server that, via blind faith in PKI, they trust to keep their credit card info safe. It also works well for non-credit card info under similar conditions.

SSH was designed for sys-admins to connect to their machine from across town or Jamaica, and not have to worry about some idiot sniffing the root password. Authentication was not optional, and it was at the heart of the protocol's existence.

The only commonality is they encrypt communications data. PGP and FTP do this too. There will never be a comparison between PGP/FTP and SSL. It just would not make sense.

If you still don't quite grasp the difference, read what SSL does. And read what SSH does. There are one or more RFCs on TLS, the IETF version of SSL. There are also several RFC drafts on SSH.

http://www.ietf.org

After reading the RFCs for one or both protocols, it should be crystal clear what the difference is, how they should be used, and what can (and should) be done with them.

-----------------------------------------------------------------------
   __o     Bradley Arlt                   Security Team Lead
 _ \<_     [EMAIL PROTECTED]              University Of Calgary
(_)/(_)    I should be biking right now.  Computer Science