Date: Thu, 25 Mar 1999 10:39:56 -0800
To: Sheldon Hearn
From: Mike Thompson
Subject: Re: Kerberos vs SSH
Cc: freebsd-security@FreeBSD.ORG
Message-Id: <4.1.19990325103002.00abc6e0@mail.dnai.com>
In-Reply-To: <375.922364125@axl.noc.iafrica.com>

At 02:15 PM 3/25/99 +0200, Sheldon Hearn wrote:

>Why are you so interested in ssh2? It's a totally different piece of
>software from a different vendor. Are you sure it does something that
>you need done, and which ssh1 doesn't do just fine?

Being new to the security implications of web applications, it was not apparent that SSH v2 is from a different vendor than SSH v1 (same authors I believe). Both licenses with the shareware versions explicitly state the product is not to be used for commercial purposes and refer the reader to DataFellows to purchase a commercial license. Granted, the licenses do differ in that SSH v1 can be used for free for such things as the internal operations of ISPs that are not sold as a service to users, but SSH v2 clearly cannot.

As a new software/internet company we want to be responsible for paying for the licensed software from both a moral and legal perspective. Also, one might naturally assume that SSH v2 is in active development and SSH v1 development has essentially stopped.

I am beginning to think that SSH v1 is actually a much more mature product than SSH v2. It certainly seems to be a more flexible product.

>> I am currently looking into what the licensing costs would be
>> for us to license SSH v2 for our servers. Does BEST.COM pay
>> to license SSH v1 or SSH v2 for internal use?
>
>There are no licensing costs involved in using ssh1.

In the COPYING file with SSH version 1.2.26 it states explicitly:

    For commercial licensing please contact Data Fellows, Ltd. Data
    Fellows has exclusive licensing rights for the technology for
    commercial purposes. Data Fellows offers commercial versions of SSH
    with maintenance agreements in addition to various licensing options.

The license then goes on to indicate that SSH can actually be used for some commercial purposes (ISPs are an example) where SSH is not being resold as a service or product to end users.

My partners and I are looking to build a major web service and the last thing we want to do is unwittingly make SSH a major part of our on-line web service architecture and then be hit with a lawsuit for licensing violations. Not what an Internet start-up needs.

>Not exactly. All your Kerberos passwords are on the Kerberos server.
>However, sshd configuration still needs to be host-specific.

Got it.

Thanks,

Mike Thompson