Don't get me wrong - I have oceans of respect for ssh in all its many forms: ssh, scp, sftp, sshd... even OpenSSH and SSH Communications. However, I couldn't let this one slip by without saying something. Today, SSH Communications Security Corp. put out a press release stating that they are now fully compatible with OpenSSH.
This is all well and good, but here's my question - OpenSSH started in 1999, at which time it used the same source base as SSH 1.2.12. Right at that moment - when they were the same product - they were seamless and completely compatible. Why, then, do we have to wait seven years to get that seamlessness back? Look, here's my beef: both OpenSSH and SSH Communications have a time and a place - there are reasons to use each in different contexts. And despite what you might think, they are not competitors - if you need one, only that one will do (e.g. if you need it to be free, a $475 product won't cut it, and if you need support, an unsupported product won't cut it). So why are they always going at each other like Jennifer Aniston and Angelina Jolie stuck in an elevator?
Oh, you don't think there's any hostility? There is, you know. To see it in action, check out the serverwatch.com article where an SSH spokesperson cites an "11:1 vulnerability ratio against OpenSSH" and where he says that "OpenSSH can't be FIPS 140-2 certified." Aside from the deceptiveness of these two statements (one would expect this type of vulnerability disparity given their relative usage, and FIPS 140-2 certification for OpenSSL - and thereby OpenSSH - is in the pipeline), the tone of these comments is unmistakable. On the other side of the equation, OpenSSH users are certainly no less vocal about their preferences.
Look, here's the point: there are times when you might want to use OpenSSH (like when you don't have a budget for software or if you wish to redistribute without the hassle of getting a license) and there are times when you might want to use SSH's product (like if you're in the government or you want commercial support). It would make both products better - by leaps and bounds - if the animosity would stop and both parties made it seamless right out of the box. Everybody would benefit: us users wouldn't have to jump through hoops in order to get machines to talk to each other, SSH would be able to sell more units (and thus make more money) while simultaneously reducing the number of support calls, and OpenSSH would have quite a bit less static on their mailing lists about getting the two products to interoperate. Everybody wins... So why hasn't this been a priority all along rather than a newsworthy new feature?
Props to SSH for taking the first step.
Posted by Ed at November 29, 2005 05:45 PM