Hi,

Some 2 cents

== I am not affiliated with Mocana nor do I gain anything from writing this ==

Not sure if it helps, but another alternative is Mocana. I've seen quite a few people/companies use it (Israeli); RAD is one of the names that comes to mind. Mocana is a complete package - i.e. it gives you everything you need, SSL, SSH, etc., but the downside is it costs money.

---

Regarding DropBear, a few vulnerabilities have been discovered in dropbear over the years:

Dropbear SSH Server DoS
http://www.securiteam.com/securitynews/5YP012AI0A.html

Dropbear SSH Server Format String Vulnerability
http://www.securiteam.com/unixfocus/5VP0E2AAUS.html

Dropbear SSH Server svr_ses.childpidsize Buffer Overflow
http://www.securiteam.com/unixfocus/6A00M0AEUQ.html

But nothing since 2006 :) So I guess it's ok, for the time being.

I am not trying to say it is less or more secure, but not having any public vulnerabilities in a product makes me jitter with fear :D, what is unknown scares me :)

On Thursday 17 July 2008 13:42:25 Oleg Goldshmidt wrote:
> Hi everybody,
>
> Does anyone have experience with DropBear SSH server/client
> (http://matt.ucc.asn.au/dropbear/dropbear.html)? The context is an
> embedded product with AMCC PPC460, Linux (say, 2.6.25 or later), and
> busybox (1.10 or later) as the base, being defined/designed now. The
> target audience is top tier customers, such as governments,
> Fortune-whatever companies, major financial institutions, etc. SSH
> access is essential (need ssh client, sshd, ssh-keygen, scp, whatever
> dependencies there are).
>
> Busybox does not provide SSH functionality by itself, and recommends
> Dropbear (http://busybox.net/tinyutils.html). I would like to be quite
> sure that DropBear has the functionality and the security that the
> target market requires.
>
> So far, what I see in the docs is as follows:
>
> * Judging by Changelog, Dropbear is in version 0.51, and the
> development is not very active. This may be because it is very stable
> and very secure, or may be because there are not many development
> resources.
>
> * Uses LibTomCrypt rather than SSL - can anyone comment on
> security/functionality?
>
> I see my choices as DropBear vs. OpenSSH, compiled and linked for
> busybox. I am not particularly concerned about CPU or RAM, but I have
> a rather serious shortage of (flash) storage in the system. In our
> estimate, OpenSSH will take at least 10 times more storage than
> DropBear (between 1.2 and 1.5M rather than 110K Dropbear claims).
>
> What I am interested to know is whether DropBear is a good substitute
> for OpenSSH in terms of:
>
> * functionality
> * full compatibility
> * security
> * stability
> * etc.
>
> Any comments/experiences? Thanks a lot in advance,

-- 
Noam Rathaus
CTO
[EMAIL PROTECTED]
http://www.beyondsecurity.com
"Know that you are safe."
Beyond Security Finalist for the "Red Herring 100 Global" Awards 2007
