IETF-SSH archive


Re: OpenSSH/scp ->> F-Secure SSH server Problems



On Tue, 13 Mar 2001, Ken Hornstein wrote:

> I disagree that they have not "caught on" - in the communities that use
> Kerberos, for example, GSSAPI ftp is very popular.  I can even think of
> several commercial implementations of GSSAPI ftp.

I did not mean to imply otherwise.  Again, I meant "caught on" in the
largest sense.  I'm thinking in terms of what the average user sees,
sitting at home accessing the Internet through a commercial ISP and
browsing the Web.  I don't see many ISPs or general-access FTP servers
providing or advertising GSSAPI-secured FTP, or SSL-secured Telnet, etc.
I do see them installing SSH servers with growing frequency, advertising
that fact to their customers and suggesting they use it.

> > In the short time that it has existed, my impression is that SSH has
> > achieved much more widespread use than any of these techniques.
> 
> I'm not sure about this one, but I'd be going on gut feelings.  But without
> hard numbers to back this up ... it wouldn't be very meaningful.

Oh, I'm just going on subjective impressions here as well -- I don't have
any research at hand about the relative numbers of these things
deployed in the Internet.  If such numbers exist, I'd love to see them.
Perhaps I'd be surprised.

> > Hence, an easy-to-use, comprehensive file-transfer protocol that
> > operates over SSH has a good chance of succeeding where these various
> > secured FTP's have failed."
> 
> And again, I disagree that the others have failed in the first place.
> (Mind you, I don't think that file-transfer over SSH is bad ... I'm
> just saying that I don't see any evidence that the others have failed).

Obviously, I did not mean that they failed to work.  They work just fine.
I meant only that they have failed to become a widespread solution to the
problem of insecure file transfers.  Whether that's due to technical
disadvantages, or merely to historical accident, I wasn't really opining
either way.  In a certain sense, it doesn't matter -- if SSH becomes
widespread and we can piggyback on its success to solve this problem as
well, then so much the better.  A technically better solution is no better
if it's not used.

> And come on ... you have to admit that saying things like "not used in
> real life," "not caught on", and saying that the other technologies
> have "failed" isn't exactly the same as saying they haven't achieved
> widespread use on the Internet 

I'm afraid I still think it's not fair to yank those phrases out of
context, concatenate them together, and complain about their meaning when
set that way.  They were surrounded by text which gave a different story.
For instance, those other technologies *have* failed -- to gain the kind
of widespread acceptance that SSH appears to be gaining, thus "succeeding
where [they] have failed."  It still seems clear to me.  But then, I wrote
it. :)  Sorry if I gave a different impression to begin with, but I hope
we've cleared that up now.

> (if we're using the "widespread use over the Internet" benchmark, we
> should all be working furiously toward getting SMTP-over-TLS and
> HTTP-over-TLS working better :-) ).

No disagreement there.  I am frequently frustrated that these options,
available in many standard clients, are almost always only available on
the server side exactly where they are least needed.  You can find
SMTP/TLS on mail servers inside secured corporate networks, but almost
never on your ISP's mailbox server.  My preferred way of allowing updates
to a web server is HTTP PUT over TLS -- but most commercial web
development packages seem to provide support for vanilla, insecure FTP
only (Netscape Composer being the only exception I can think of offhand,
though I'm sure there are some others).  It's very annoying.

-- 
  Richard Silverman
  slade%shore.net@localhost



