commercial SSH vs. OpenSSH

I'm not sure if this is appropriate for the forum, but I figured it was security related, so here goes...

I'm writing an analysis for my group about moving some of the old internet protocols (rsh, rlogin, etc...) to the SSH suite of tools. An outside security group recommended a commercial version of SSH (Tectia), but I'm not sure that it's worth paying for. I have lots of previous experience with OpenSSH, and I was wondering if the commercial version offered anything more than the open-source version. I understand that the open-source version does not use patented algorithms. Am I losing any level of security by using the open-source version over the commercial version?

Any info would be greatly appreciated!!

Given they're implementing the same algorithms (DES, etc.) how different can they be? Seems like open-source-paranoia to me, the outdated notion that actively updated open source is wide-open to hackers while slower-updated closed source is invulnerable.

IMHO there is no valid reason to use commercial SSH instead of OpenSSH. I've worked at several companies which provide web services and all used OpenSSH. If there were any real security issues with it we never could have done that.

Only old versions of OpenSSH have some exploits available, but still, not so dangerous.
However, some companies prefer the "enterprise" approach rather than open-source.

The outside security company says that because of liability.

Something goes wrong with an open source app, there's no one to call for help, and there's no one liable other than yourself, yet, the security company who told you it was ok to use an open source app may become liable.

I agree with System Shock. If you purchase the commercial version (Tectia), you will have someone accountable if something goes wrong or there are problems. Not the case for the OpenSSH version. Actually, the line on their website (www.ssh.org) says it all: "Original. Secure. Supported"

If you are going to be using this on a large scale, I see no harm in going for it.

And no, I am not against open source systems.

I'm going to take a different approach on this topic. imho.
If you plan on using SSH on a large scale, meaning (50+) users and plan on moving data with SSH then you might want to look at some type of commercial products out there. I've seen too many ad hoc apps written; when the person that wrote that app leaves the company, the company is then left to limp along till someone else learns it or some other method is found.
The company I work for uses SSH, FTP, SSL and other IP based protocols to move data from point A to point B. We've written automation around those protocols to provide ease of use and a common method for interfacing them. We sell a commercial product for doing just that. I think the real questions are...
1) What do you want to accomplish?
2) How many users are/will be involved?
3) Are they technical users or just "point and click users"?
Once you know these questions you will better be able to determine cost and usability for the masses which should help you determine whether to go with a commercial application or some open source code.
SSH2 is SSH2 just like FTP is FTP whether it is open source or commercial. It's how to implement it for the masses that makes the difference. imho...

...in other words, support and liability :)