ssh.com FUD - SSH


  1. ssh.com FUD


    SSH Communications Security (SCS, at ssh.com) recently made the following
    announcement:

    http://ssh.com/company/newsroom/article/684/

    It contains this paragraph:

    "Both SSH Tectia and OpenSSH are based on the Secure Shell version 2 (SSH2)
    protocol specifications, originally developed by SSH Communications
    Security and standardized by the IETF. However, OpenSSH deviates from the
    standards in its SCP (Secure Copy Protocol) implementation. SSH Tectia
    Client and Server now incorporate a compatibility mode for OpenSSH SCP,
    which still uses the old Secure Shell version 1 (SSH1). In addition, the
    new SSH Tectia product versions will support the OpenSSH public-key file
    format, eliminating the need for manual key conversions."

    This is FUD, pure and simple, adulterated only by some outright errors.
    Let's deconstruct the text to see just how wrong it is.

    "Both SSH Tectia and OpenSSH are based on the Secure Shell version 2
    (SSH2) protocol specifications, originally developed by SSH
    Communications Security and standardized by the IETF. "

    True as far as it goes, but it would be more accurate to note that the
    IETF SSH working group has made substantial modifications, additions, and
    improvements to the protocol specs. The IETF did not just accept and
    "standardize" SCS's work as given.

    "However, OpenSSH deviates from the standards in its SCP (Secure Copy
    Protocol) implementation."

    This is a disturbing sentence. First let's dispose of the outright error:
    "scp" does not stand for "secure copy protocol." "scp" is not even the
    name of a protocol; it's the name of a program. "scp" is a play on "rcp,"
    meaning a secure version of the venerable Unix remote file-copying program
    -- just as "ssh" is a secure counterpart to "rsh." For the company
    started by the man who wrote the original ssh programs and coined these
    words, publishing this is an embarrassment. After all, the writer could
    just have gone upstairs and asked Tatu about it.

    Worse, though, is the claim that "OpenSSH deviates from the standards in
    its SCP." Unmentioned, of course, are the standards from which OpenSSH
    supposedly "deviates." It can't be the core protocols (transport,
    userauth, and connection): since scp just runs the ssh program in a
    subprocess for communication, it complies with these protocols exactly as
    much as ssh does. All that's left is the rcp protocol scp uses to
    actually transfer files. rcp can't "deviate" from SSH, because rcp is a
    totally different protocol about which SSH says nothing -- if it does,
    then running rsync or cvs, or forwarding an IMAP connection over an SSH
    connection, are all deviant as well. SCS appears to imply here that
    OpenSSH is somehow non-compliant because its scp does not use SFTP, the
    file-transfer protocol developed under the SSH umbrella. And that is
    absurd; there is no standard anywhere stating that "any program
    transferring files over an SSH connection must use SFTP."

    "SSH Tectia Client and Server now incorporate a compatibility mode for
    OpenSSH SCP, which still uses the old Secure Shell version 1 (SSH1)."

    I'm not absolutely sure what the first part means, since ssh2 and sshd2
    have always had an SSH-1 compatibility mode, by which each would just exec
    "ssh" or "sshd" instead. However, last year Tectia Server got an SSH-1
    "internal emulation" mode, meaning it can now handle protocol 1
    connections by itself. So I assume SCS is announcing here a similar
    change to scp2. That's certainly good. However, the release then claims
    that OpenSSH scp "still uses the old Secure Shell version 1 (SSH1)." This
    is just plain false. Firstly, scp doesn't directly use *any* version of
    the SSH protocol: it runs a program in a subprocess to connect to the
    remote host, and that program is "ssh" by default -- hence, it uses
    whatever protocol version ssh is configured to use. It might use either
    (or neither, if the user selects a different program with scp -S). And of
    course, the OpenSSH default is SSH-2.

    "In addition, the new SSH Tectia product versions will support the
    OpenSSH public-key file format, eliminating the need for manual key
    conversions."

    That, of course, is just peachy.

    SCS has a good product in Tectia, which has many feature advantages over
    its competitors, both commercial and free. The truth will sell itself;
    it's a shame SCS feels the need to use misleading and false statements in
    its advertising. These are not qualities a customer looks for in any
    vendor, and a security vendor least of all.

    --
    Richard Silverman
    res@qoxp.net
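
An added example, not part of the original post or of OpenSSH: a minimal receiving ("sink") side of the rcp file-transfer exchange that scp speaks, written against plain byte streams to show that nothing in it depends on SSH. The record layout (`C<mode> <size> <name>`, NUL acknowledgements) is taken from the traditional rcp behaviour rather than from this page, and `rcp_sink`, `SAMPLE` and `demo` are hypothetical names.

```python
import io

# Constructed sample: what an rcp/scp source writes for one 6-byte file.
SAMPLE = b"C0644 6 a.txt\nhello\n\0"

def rcp_sink(rx, tx):
    """Receive single-file 'C' records from rx, acknowledging on tx.

    rx/tx are any binary streams: a pipe to ssh, to rsh, or a test buffer.
    Returns {name: (mode, data)}; raises ValueError on a malformed record.
    """
    files = {}
    tx.write(b"\0")                          # tell the source we are ready
    while True:
        header = rx.readline()
        if not header:
            return files                     # source closed the stream
        if header[:1] != b"C":
            tx.write(b"\x01unsupported record\n")
            raise ValueError("unsupported record type")
        fields = header[1:].rstrip(b"\n").decode("utf-8").split(" ", 2)
        mode_s, size_s, name = fields        # ValueError if a field is missing
        mode, size = int(mode_s, 8), int(size_s)
        # The sink, not the source, decides where data lands: accept only a
        # bare file name so a record cannot step outside the target directory.
        if size < 0 or "/" in name or name in ("", ".", ".."):
            tx.write(b"\x01bad file name or size\n")
            raise ValueError("rejected record: %r" % name)
        tx.write(b"\0")                      # header accepted
        data = rx.read(size)
        if len(data) != size or rx.read(1) != b"\0":
            raise ValueError("truncated transfer")
        tx.write(b"\0")                      # file accepted
        files[name] = (mode, data)

def demo():
    """Run the sink over the constructed sample; return (files, acks)."""
    tx = io.BytesIO()
    files = rcp_sink(io.BytesIO(SAMPLE), tx)
    return files, tx.getvalue()

if __name__ == "__main__":
    print(demo())
```

The same function works unchanged whether the two streams are in-memory buffers, as here, or the stdin/stdout of whatever program carries the connection.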


  2. Re: ssh.com FUD

    On 2005-12-03, Richard E. Silverman wrote:
    > http://ssh.com/company/newsroom/article/684/

    [...]
    > "Both SSH Tectia and OpenSSH are based on the Secure Shell version 2
    > (SSH2) protocol specifications, originally developed by SSH
    > Communications Security and standardized by the IETF. "
    >
    > True as far as it goes, but it would be more accurate to note that the
    > IETF SSH working group has made substantial modifications, additions, and
    > improvements to the protocol specs. The IETF did not just accept and
    > "standardize" SCS's work as given.


    Actually, even as I write this, the IETF hasn't actually standardized
    the SecSH protocols yet. It's in the "any day now" phase, but it's not
    a standard yet.

    The current status can be found at
    http://www.ietf.org/html.charters/secsh-charter.html

    Disclosure: for those that don't know, I'm one of the OpenSSH developers.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

  3. Re: ssh.com FUD

    "Richard E. Silverman" wrote in message
    news:m2r78uhbq2.fsf@darwin.oankali.net...
    >
    > SSH Communications Security (SCS, at ssh.com) recently made the following
    > announcement:
    >
    > http://ssh.com/company/newsroom/article/684/
    >
    > This is FUD, pure and simple, adulterated only by some outright errors.
    > Let's deconstruct the text to see just how wrong it is.


    Hoping that the same message will be forwarded to that company, making
    it evident that the press announcement has errors and mistakes.

    Cesare


