February 25, 2002

OpenSSH's de Raadt: We've passed SSH.com in usage

Author: JT Smith

- By Grant Gross -

A year after a trademark fight between SSH Communications Security and the Open Source OpenSSH project, the use of OpenSSH has skyrocketed, at least according to numbers from OpenSSH.

In February 2001, the trademark controversy had SSH Communications Security trying to enforce a trademark on SSH against the 2-year-old OpenSSH project. Tatu Ylönen, chairman and CTO of SSH Communications Security Corp., said then that he finally wanted to enforce the trademark because of a spate of emails he'd received expressing confusion over his company's product and OpenSSH.

The trademark fight has disappeared, according to Theo de Raadt, co-creator of OpenSSH and leader of the OpenBSD project. The two sides sat down during an Internet Engineering Task Force meeting in March 2001, and after that, "we never heard from Tatu again," de Raadt says. "I demanded that they publicly apologize and recant their legal threat. They stormed from the table, but it appears over."

As for the numbers, a University of Alberta study, published shortly before the controversy, found 17.4 percent of all SSH users on the Internet to be using OpenSSH and 80.3 percent using SSH Communications Security (SSH.com) products. de Raadt says those numbers have almost flip-flopped in a year, partially because of concerns over trademark issues with SSH Communications Security products.

Of course, these are OpenSSH's numbers. Ylönen didn't respond to two emails asking him to explain, disprove or confirm OpenSSH's new survey. Between December and this month, the OpenSSH crew scanned 2.4 million random Internet addresses, and found 59.4% of those with some form of SSH are using versions of OpenSSH, and only 37.3% are using SSH.com's products.

de Raadt admits there is a problem with the numbers -- that they're the result of only scanning for servers, because of the difficulty of scanning for clients. (Here's a paper, in Postscript format, on using ScanSSH to scan for SSH servers.) But scanning only servers doesn't explain the big shift, he says.

"The vendors sure were afraid of that entire licensing fiasco," he says. "I've had vendors call me on the phone and thank me for having fought that battle. Kind of odd. They sure didn't help."

Among the other reasons for the shift, de Raadt suggests:

  • Their scans hit a lot of Unix machines, which get upgraded often. And "people who are switching from SSH.com's old SSH1 codebase are not staying with SSH.com! That should be obvious, since most of them did not pay for the old SSH1 software to begin with."

  • Most major Linux distributions install OpenSSH by default.

  • A security problem in SSH that OpenSSH didn't have. In de Raadt's typical straightforward fashion, he says: "A lot of their customers were using SSH.com software on Solaris boxes. On Solaris boxes, this was a sure remote hole. A disastrous one. Many customers just gave up at that point; my view is that this was a completely careless mistake that SSH.com which should not have slipped through internal beta testing."

de Raadt says customers seem to not be renewing their SSH2 licenses because of competition from OpenSSH. "Their market may be increasing if more people are running SSH (more people ARE running SSH). They are still selling more each month, I think, but their market is not exploding as they might have hoped."

de Raadt says an OpenSSH derivative will ship in the next release of Sun's Solaris OS. When that happens, "I think we move to the next level: Telnet becomes a legacy protocol," he says.

