I asked:

> I have a question about Sun SSH vs OpenSSH. When vulnerabilities are
> discovered and an alert is sent by CERT, IW, FSISAC, SAGE, etc, it indicates
> the vendor and version of software that is vulnerable. Whenever the alert
> has to do with ssh, it indicates several vendors, but never Sun. My
> understanding is that Sun SSH is based upon a version of OpenSSH. The fact
> that Sun SSH is never mentioned in these alerts gives me the impression that
> the Sun SSH is not kept up to date. So if one wants to keep abreast of
> security issues with the ssh protocol, use OpenSSH and not Sun SSH?

The results: Pretty much half and half. There are strong arguments for and
against both the SunSSH and OpenSSH. Some of the arguments:

* Any vulnerability in OpenSSH is evaluated by Sun, and if it is pertinent
  a patch is issued for SunSSH.
* The versioning/revision control for Sun SSH is horrid. With OpenSSH one
  can look at the version number and instantly know if it is current.
* SunSSH has the appropriate hooks for their auditing/quota/logging
  solutions.
* OpenSSH can be updated much much faster, since new code is released
  within hours of the announcement of a vulnerability. Sun patches can
  take up to a month.

Thanks to all who replied.

+-----------------------------------------------------------------------+
| Christopher L. Barnard         O      When I was a boy I was told that |
| cbarnard@tsg.cbot.com         / \     anybody could become president.  |
| (312) 347-4901               O---O    Now I'm beginning to believe it. |
| http://www.cs.uchicago.edu/~cbarnard         --Clarence Darrow        |
+----------PGP public key available via finger or PGP keyserver---------+
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Thu Feb 9 17:10:54 2006