From: Christopher L. Barnard (cbar44@tsg.cbot.com)
Date: Thu Feb 09 2006 - 17:10:15 EST
I asked:
> I have a question about Sun SSH vs OpenSSH. When vulnerabilities are
> discovered and an alert is sent by CERT, IW, FSISAC, SAGE, etc, it indicates
> the vendor and version of software that is vulnerable. Whenever the alert
> has to do with ssh, it indicates several vendors, but never Sun. My
> understanding is that Sun SSH is based upon a version of OpenSSH. The fact
> that Sun SSH is never mentioned in these alerts gives me the impression that
> the Sun SSH is not kept up to date. So if one wants to keep abreast of
> security issues with the ssh protocol, use OpenSSH and not Sun SSH?
The results:
Pretty much half and half. There are strong arguements for and against
both the SunSSH and OpenSSH. Some of the arguements:
* Any vulnerability in OpenSSH is evaluated by Sun, and if it is pertinent
a patch is issued for SunSSH.
* The versioning/revision control for Sun SSH is horrid. With OpenSSH
one can look at the version number and instantly know if it is current.
* SunSSH has the appropriate hooks for their auditing/quota/logging
solutions.
* OpenSSH can be updated much much faster, since new code is released
within hours of the announcement of a vulnerability. Sun patches can take
up to a month.
Thanks to all who replied.
+-----------------------------------------------------------------------+
| Christopher L. Barnard O When I was a boy I was told that |
| cbarnard@tsg.cbot.com / \ anybody could become president. |
| (312) 347-4901 O---O Now I'm beginning to believe it. |
| http://www.cs.uchicago.edu/~cbarnard --Clarence Darrow |
+----------PGP public key available via finger or PGP keyserver---------+
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:38:56 EDT