From: Christopher L. Barnard <>
Date: Thu Feb 09 2006 - 17:10:15 EST
I asked:

> I have a question about Sun SSH vs OpenSSH.  When vulnerabilities are
> discovered and an alert is sent by CERT, IW, FSISAC, SAGE, etc, it indicates
> the vendor and version of software that is vulnerable.  Whenever the alert
> has to do with ssh, it indicates several vendors, but never Sun.  My
> understanding is that Sun SSH is based upon a version of OpenSSH.  The fact
> that Sun SSH is never mentioned in these alerts gives me the impression that
> the Sun SSH is not kept up to date.  So if one wants to keep abreast of
> security issues with the ssh protocol, use OpenSSH and not Sun SSH?

The results:

Pretty much half and half.  There are strong arguements for and against
both the SunSSH and OpenSSH.  Some of the arguements:

* Any vulnerability in OpenSSH is evaluated by Sun, and if it is pertinent
  a patch is issued for SunSSH.
* The versioning/revision control for Sun SSH is horrid.  With OpenSSH
  one can look at the version number and instantly know if it is current.
* SunSSH has the appropriate hooks for their auditing/quota/logging
* OpenSSH can be updated much much faster, since new code is released
  within hours of the announcement of a vulnerability.  Sun patches can take
  up to a month.

Thanks to all who replied.

| Christopher L. Barnard         O     When I was a boy I was told that |
|         / \    anybody could become president.  |
| (312) 347-4901               O---O   Now I'm beginning to believe it. |
|                --Clarence Darrow |
+----------PGP public key available via finger or PGP keyserver---------+
sunmanagers mailing list
Received on Thu Feb 9 17:10:54 2006

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:55 EST