On Wed, 8 Dec 1999, Randall, Mark wrote:
> In making some recommendations to a client regarding the security of some of
> their configurations, I'm finding some systems using SSH1 and others using
> SSH2. None of the 1.2.27 versions I've found on the client site were
> compiled with RSAREF, which was a recently reported vulnerability...but I'm
> still wondering what I should provide the client in regards to a discussion
> of the two protocols.
Look at the supported algorithms, key lengths and client-side programs
and try to discuss the differences. The V1 vs. V2 stuff has been hashed
and rehashed quite a bit; any search engine should turn up a lot. It's
always seemed to me that the question comes down to apparent licensing issues,
which need a copyright/trademark lawyer, not an information security person.
> Does anybody have any opinions regarding SSH1 vs. SSH2, or perhaps know of
Sure, my opinion is that SSH2 is meant as a mechanism for a company to
derive a specific revenue stream from a set of programs that were
widely used by security-conscious administrators before that company
acquired the commercial rights to them. SSH1 is the administrative
community resisting the seemingly outrageous pricing scheme put in place
by that company.
In fact, the recent outpourings by said entity have tried to revise the
interpretation of "commercial use" (which they have the rights to) in SSH1
in direct conflict with the definition previously stated by the product
manager at said company, in the hopes that they'll derive additional
revenue from V1 users.
IMO, the license terms that the program is distributed with, along with
the SSH FAQ on the V1 producer's Web site, clearly define commercial use
differently than recent attempts by the commercial use license holder.
Even though the V1 distributor points to the V2 distributor as the
authority on usage questions, the program is distributed with a clear
license and that's what binds the user, so I don't tend to think the V2
distributor has a good claim. Consult a lawyer though; a real legal
interpretation of the license may be different.
If your client is in the US (or other countries where the appropriate
patents are valid) and they _aren't_ compiling using RSAREF and
they _are_ compiling using IDEA then they need to have a license with
each of the appropriate patent holders or they're violating the law. Not
vulnerable to a buffer overflow is a different metric than not vulnerable
to a lawyer overflow.
If they're using SSH2 then they must have a license if they're a business.
> some white papers on the subject available on the net? I can point the
> client to a URL and let them do their own research, possibly, or paraphrase
> what I discover in professional forums such as this one.
The V2 distributor tries to address the differences on their site, but
they don't seem to have accurate information. Look at their FAQ, then go
through the recent V1 code and see what's left at the end of reconciling
both positions.
You may want to look at OpenSSH too.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280