At 9:18 AM -0400 8/9/00, Nathan Bourgoine wrote:
>this is what an admin guy at the place i work said, what are
>your feelings on this?
>
> > funnier thing, every couple months I see a security notice
> > about a hole in SSH, all of which haven't applied to OpenSSH
> > and I've never seen anything about OpenSSH that's bad, and
> > it's free.
>
>Ever think that maybe it's because you're one of three people
>in the world that uses OpenSSH, so no one is looking for holes?

Do not fool yourself.  There are plenty of people using OpenSSH,
and its use is rapidly increasing.  It has both ssh1 and most of
ssh2 support.  It is bundled as part of OpenBSD and FreeBSD.
There are RPMs at www.openssh.com for installing it under Linux.
It builds on an increasing number of other platforms (including
someone who is valiantly getting it to run on NeXTSTEP!).  There
is a good chance it will be bundled as part of Darwin, and thus
as part of MacOS 10.  If that happens, there will soon be more
OpenSSH boxes than any other ssh-server implementation.

Similarly, your admin friend is not following openssh all that
closely.  There have been a few oversights in the implementation,
but as far as I'm aware they've all been caught before any
breakins occurred.  Most of them came up if someone modified
the default configuration options, and I am not aware of any
breakins caused by these issues, but it hasn't been COMPLETELY
bug-free, either.

(actually, I should note that MOST of those problems are not
security issues at all, but just options which "did not work
quite right" if you turned them on).

I work at a university.  At one point, I thought about getting
an official licensed version of ssh2 for a server I run (which
has people connect who are outside of the university).  That
license would have cost me something like $500.  $500 for one
service, on a machine which only cost me $1200, and whose main
role in life is to run OTHER (non-ssh) services.  So instead
of buying that license, I sent $250 to help fund the development
of OpenSSH.  You can bet plenty of others were in the same boat
as me.

This just proves that even great software can lose otherwise
happy customers if the licensing fees get too far out-of-line.
And if you dig deep enough, you'll find that the CURRENT ssh
(not openssh) software includes a few updates that were written
by me, so you can imagine I had to be fairly pissed to see the
licensing for ssh get so far out-of-reason.


---
Garance Alistair Drosehn           =   [EMAIL PROTECTED]
Senior Systems Programmer          or  [EMAIL PROTECTED]
Rensselaer Polytechnic Institute
