Subject: Re: ssh - are you nuts?!?
To: RJ Atkinson <firstname.lastname@example.org>
From: Steven M. Bellovin <email@example.com>
Date: 12/18/2000 11:04:03
In message <firstname.lastname@example.org>, RJ Atkinson writ
>At 02:55 18/12/00, Simon J. Gerraty wrote:
>>SSHv2 probably would have taken over - but for the license.
> OpenSSH implements both v1 and v2, has a
>BSD-style licence, and has freely available source code.
>My observation is that folks in my neighborhood are converting
>to this from the old sshv1 implementation.
> Oddly enough, I'm more inclined to use ESP to protect
>my traffic than either SSH.
I'd like to do that, too, but it's hard. And the reason why it's hard
illustrates why ssh has succeeded in the marketplace, and shows why
encrypting telnet will have trouble.
The key thing about ssh is that it's easy to install and run. It's a
user-level program that can be built by system adminstrators and
(for the client) even by end users. It doesn't require kernel changes,
and it doesn't require any infrastructure. Key management is purely
IPsec requires kernel changes; until very recently, mnost off-the-shelf
operating systems didn't include it. That's changing, but it's still
a third-party add-on for Windows 98, the most common desktop and laptop
platform. Being kernel-resident, bugs in an IPsec implementation can
crash the whole machine. And certificates -- the best way to use IPsec
-- require a CA. (The whole question of certificate standards are a
separate can of worms. Why, pray tell, should it matter what
brand-name prime numbers I use?)
The infrastructure issue is what afflicts secure telnet. Sure, it
works fine with Kerberos. But kerberos is painful to set up, and
requires a dedicated, secure machine. Other issues involving the
conflict between UDP and firewalls further complicate the issue.
I'd prefer IPsec, since it easily protects all traffic. But for now,
ssh is doing most of the job, with much less pain. And that's why I
use it, and will continue to use it for the forseeable future. (For
the record, I also use IPsec, but in other environments.)