HP's SSH V3.2 or OpenSSH

Gregory Lee_1
Regular Advisor

HP's SSH V3.2 or OpenSSH

I'm looking into implementing SSH on my TRU64 5.1A server and was curious which SSH I should install? I'm currently using TCPWrappers and would like to incorporate SSH with it. What are the advantages/disadvantages of OpenSSH over the HP provided version?

Thanks in advance!
Greg
8 REPLIES

Re: HP's SSH V3.2 or OpenSSH

Hi Greg,
there is no easy answer to this question but I think the main advantage is that the HP SSH is *the* SSH from SSH Corporation. So this is a fully supported and backed product. OpenSSH does tend to have more security bugs than the real SSH. You will also be upgraded through standard patch routines.
I can see no problems running ssh through tcpwrap even though this is not the default configuration. I have not tested this myself yet, and I cannot think of why since I use host and key-based authentication.
Maybe some engineering guy can pop in and give a better answer.

Kjetil
Gregory Lee_1
Regular Advisor

Re: HP's SSH V3.2 or OpenSSH

Kjetil,

I guess my main concern was if HP's SSH supported TCPWrappers. I know that OpenSSH does. So if someone can tell me for sure that it is supported I will probably be going that way. Good point about the patches.

Thanks,
Greg
Al Licause
Trusted Contributor

Re: HP's SSH V3.2 or OpenSSH

Both SSH and tcpwrappers are considered network components and as such may receive more attention if posted in the network thread.

It would also be easier to find similar discussions if such questions were posted to that thread.

RE: support of tcpwrappers by HP......since wrappers does not come with the base operating system nor is it considered a layered product, it is not a supported option.

However, HP does supply a CD which contains a collection of software that can be found in various public locations on the Internet. This CD is called Internet Express and can be ordered separately from HP.

If you go to this URL you can get more information about Internet Express:

http://h30097.www3.hp.com/docs/pub_page/iass_docs.html

Many of the components that you can install from the IX CD do receive limited support from HP. The HP hotline will answer questions on these products on a best effort basis and if necessary, may be able to escalate problems found in products installed from the IX CD.

Gregory Lee_1
Regular Advisor

Re: HP's SSH V3.2 or OpenSSH

Al,

I guess "supported" may be too strong of a word. I'm looking for the best way to secure my system. I understand that using secure shell and TCPWrappers are both great ways of accomplishing this.

What flavor of ssh would you suggest?

Thanks,
Greg

Al Licause
Trusted Contributor

Re: HP's SSH V3.2 or OpenSSH

Greg,

To "secure" a system can mean many things. I would be looking for a bit more as to just how secure you want your system to be and what is driving your security requirements.

Many customers have implemented security as a result of some audit by an in-house security group or they simply want to comply with whatever a recent security scan has marked as "vulnerable".

If you are looking to provide more control for ftp, telnet and rlogin access, then tcpwrappers will give you that.

Enhanced (C2) security will also give an additional level of security different from either ssh or wrappers.

The ssh components will give you encryption on those sessions which protect you from monitoring of the data by unfriendly users. I don't believe it will completely eliminate the possibility of attack or break-in. And this capability is available from both the commercial as well as the open variety.

Computer security is a completely separate specialty not covered under this topic.

As to commercial ssh vs openssh, that may depend on your in-house requirements and/or the types of systems with which you need to interact.

I am not that familiar with openssh, but I'll see if I can get someone from our team to address this. Others that may be are certainly welcome to comment.

In terms of "support", this too can mean many different things. I for one have found it very frustrating to post questions in private and public forums only to have them ignored.

A supported product can offer more value when it comes to bugs and input as to just how to get something to work or possibly work in a way other than was thought possible.

I have found that the less experience one has on a product or subject, the more valuable a support hotline or service can add.


Al Licause
Trusted Contributor

Re: HP's SSH V3.2 or OpenSSH

Greg,

I was given this URL by one of my team members. This should explain some of the major differences between the commercial ssh and openssh.

http://www.snailbook.com/faq/ossh-vs-ssh2.auto.html

Al
Paul Moore_3
Advisor
Solution

Re: HP's SSH V3.2 or OpenSSH

Hi Greg,

To answer your questions about HP's SSH product for Tru64 directly:

1. Our SSH product is based upon the SSH Toolkit version 3.2.0 from SSH Communications (who has recently transferred the toolkit to SafeNet). In addition to our own changes to the toolkit we continue to merge in security related changes from SSH (and now SafeNet).

2. Our SSH product does not have support for TCPWrappers; however, the 'AllowHosts' and 'DenyHosts' SSH daemon options allow you to do similar restrictions. See the man pages and documentation for further details.

3. SSH comes as a mandatory part of the Base OS in Tru64 UNIX V5.1B and is a downloadable webkit for Tru64 UNIX V5.1A (http://h30097.www3.hp.com/unix/ssh/). Both are fully supported by HP.
Gregory Lee_1
Regular Advisor

Re: HP's SSH V3.2 or OpenSSH

Paul,

Thank you for your response. This is exactly the info I was looking for. Better late than never!

Greg