News: IBM Secure Shell Protocol for Java

  1. IBM Secure Shell Protocol for Java (14 messages)

    The Java-based lightweight implementation of the Internet Engineering Task Force Secure Shell protocol provides secure remote log-in and other secure network services over an insecure network. The protocol has three major components: Transport Layer, User Authentication and Connection. The implementation is lightweight due to 1) using the highly optimized cryptographic library IBM CryptoLite for Java, 2) efficient buffer and I/O handling, 3) memory reuse to avoid excessive garbage collection, and 4) threads are NOT used.

    Do you think that SSH could (or should) be used more in enterprise applications, possibly as a replacement for HTTPS for some RPC mechanisms? Would you use such a library, and what would you use it for?


  2. SSH

    Very topical for me, this.

    Our organisation mandates SSH for simple file transfer. No problems on Unix but finding good quality Windows SSH servers (without having to install a Linux shell) for a current project has been difficult.

    I'll certainly be checking this out.

    Kit
  3. SSH

    Have you tried http://freesshd.com?
  4. SSH

    There is another one: JSch at http://www.jcraft.com/jsch/. It is open source. A good one.

    We use this for our SuperScheduler and SuperWatchdog in our toolkit. I believe that Ant uses this as well.

    Wei Jiang
    Perfecting Java EE!
  5. SSH

    Very topical for me, this. Our organisation mandates SSH for simple file transfer. No problems on Unix but finding good quality Windows SSH servers (without having to install a Linux shell) for a current project has been difficult.

    Have you tried WinSSHD: http://www.bitvise.com/?
  6. SSH

    Very topical for me, this. Our organisation mandates SSH for simple file transfer. No problems on Unix but finding good quality Windows SSH servers (without having to install a Linux shell) for a current project has been difficult.
    Have you tried WinSSHD: http://www.bitvise.com/?

    Thanks for your input and to Frederik too above.

    I came across FreeSSHD and the Bitvise one too. You should understand there is a great amount of inertia where I work so mentioning "free software" still induces fits of paranoia and cries of "support contracts!".

    WinSSHD is more like it, but apparently our ops have their favourite too so who knows.

    Since my first reply, I have looked at it more deeply and I see the library just implements the protocol rather than the various SSH tools, but still. This is my first contact with SSH and I've been very impressed. I think this library could be really useful for simple but secure peer-to-peer communication.

    Regards
    Kit
  7. https is good enough mostly

    I wouldn't recommend layering rpc on top of ssh. Use https. Ssh is nice for two things: tunneling tcp connections and secure shell access on unix. Secure shell access on windows is of course possible but pretty useless considering the windows shell (cmd). A third use, sftp, is nice only as an ftp replacement. Ftp is now a legacy protocol basically superseded by http and https rather than sftp. Sftp on windows is not very useful since it requires an sftp client which most windows users don't have. Besides, very few usable end user sftp capable applications exist (e.g. filezilla is not something to give to Joe Average). That rules out any enterprise usage of sftp outside the system engineering department. Enterprises distribute files through their intranet (only accessible through a vpn) using http based document management servers.

    You can actually run cygwin to get bash on windows and then run openssh. It's easy to set up (run it at home) and it gives you secure shell access + sftp.
  8. Versus PGP/GnuPG?

    I will definitely be looking at this library. It could be very useful for many automation tasks.

    I see many people referencing secure ftp, and I would like to note that PGP (or our friendly OSS GnuPG alternative) can offer very good protection in the case of a secure file transfer. Many financial institutions (I've worked with some of the biggest) currently utilize this.

    With a properly locked down FTP server and PGP, many security policies will be satisfied.

    Nevertheless, this SSH library will fit many uses. Thanks again to IBM.
  9. SSH

    I'm a former J2EE architect, and I've been working on Bank Applications (the transactional side) for a few years. This might be an interesting choice to study.

    It's good to have more alternatives besides HTTPS for transmission security.

    I will definitely try this new option.

    ACV
  10. IBM Secure Shell Protocol for Java

    Do you think that SSH could (or should) be used more in enterprise applications?

    SSH is already a de-facto standard in many areas and has been for many years, it is the default for remote logins and file transfer for most Linux distros and probably one of THE most useful "tools" ever written, at this level, on a par with the likes of AWK or grep etc.

    There are books written on SSH, there are hundreds of things you can do with it, all wonderfully secure. It is the basis for several other tools like scp (secure copy) and many tools such as "rsync" and "cvs" make use of SSH to make them secure. It's a great way to securely pick up your email in an unsecure environment like a WiFi cafe or TSS Symposium :-)

    I've just downloaded this AlphaWorks zip, it appears it's a jar (plus debug version, why I don't know), an example file and some docs. I'll try it out a little later but if it covers just half of the SSH options it's going to be a very useful tool in Java for anyone wanting secure ports, file transfer, CVS access, shell access, email, ... the list goes on.

    For anyone interested but new to SSH here's a reasonably good intro I found: http://www.ssh.com/...intro to SSH

    Watch this space for a review...

    -John-
  11. Secure ....

    Can't help but post because of so many posters talking about how "secure" ssh is, being the de facto standard for file transfer using Unix etc etc. I am by no means a security expert, but it depends what you want to secure, imho.

    SSH may give you good *transport* security, but a solid ftp server, preferably run by a non-privileged user and in a changeroot environment, may provide much better security for your *servers*. Do not take "sh" in ssh too lightly.
  12. Secure ....

    Do not take "sh" in ssh too lightly.
    Exactly, you don't want to give people shell access when all they need is upload/download. I found this, works great:

    http://www.sublimation.org/scponly/
  13. Secure ....

    Do not take "sh" in ssh too lightly.
    Exactly, you don't want to give people shell access when all they need is upload/download. I found this, works great: http://www.sublimation.org/scponly/

    Ah, good. We found getting sftp without ssh to be quite difficult. We were kind of amazed that it WAS so difficult as well.
  14. Secure ....

    SSH may give you good *transport* security, but a solid ftp server, preferably run by a non-privileged user and in a changeroot environment, may provide much better security for your *servers*. Do not take "sh" in ssh too lightly.

    FTP is nowhere near as secure as the ssh tool set. FTP exposes user passwords and data to anyone capable of viewing network traffic and/or man-in-the-middle style attacks, both of which ssh combats.

    FTP is also more difficult to firewall given active reconnects back to the client and opening holes in a firewall that are undesirable. Sure, passive FTP is possible, but it's an additional headache that not all servers use or support.

    Chrooting is a decent countermeasure but it's breakable like most other things. More importantly however, it's not a moot point. ssh users can be chrooted as well, but unlike FTP you retain an encrypted channel.

    Be wary of scponly type alternatives, they've historically been breakable as well. Still, I'd choose any combination of the scp/ssh tools over FTP, I'm surprised to see anyone argue differently.
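
The setup discussed in messages 12 to 14 (file transfer without a shell, inside a chroot, over the encrypted channel) can be expressed in OpenSSH's own `sshd_config`. This is an added example, not part of any post in the thread; the group name `sftponly` and the path `/srv/sftp` are assumptions chosen for illustration.

```conf
# Use the SFTP server built into sshd, so the chroot needs no
# binaries, libraries or shell inside it.
Subsystem sftp internal-sftp

# Applies only to members of the (assumed) group "sftponly".
Match Group sftponly
    # Confine the session to a per-user tree. Every component of
    # this path must be owned by root and not writable by group or
    # others, otherwise sshd refuses the login. Give the user a
    # writable subdirectory (e.g. /srv/sftp/<user>/upload) instead.
    ChrootDirectory /srv/sftp/%u

    # Ignore whatever command or shell the client asks for and run
    # the SFTP server; this is what removes the "sh" from ssh.
    ForceCommand internal-sftp

    # A transfer-only account should not double as a tunnel endpoint.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
```

Check the file with `sshd -t` before reloading the daemon, and keep an existing session open while testing so a mistake does not lock you out.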
  15. SSH vs SSL

    We use ssh for almost everything, as it's like networking duct tape. This is especially true if you have lots of headless Unix boxes all over the place. It's superior to using SSL in that the apps being secured can be unaware of SSH. SSL does a better job of ensuring that you have authenticated the server, but SSL is a pain if you aren't going to be using x509 certs rooted in the standard commercial CAs.

    But some security people HATE SSH because it's so easy for end-users to set up arbitrary tunneling schemes.

    Given any SSH server on the internet on which you have an account (i.e. at your house), you could completely bypass corporate policy to set your web browser to not use the corporate proxy server, to play games, or to establish IM sessions. (Or so I've heard!)

    The same is possible over SSL, but setting up TCP darknets is just so easy when SSH is widespread. In workplaces where workers are supposed to be using their internet access in limited ways, this could be a problem.

    But, for taking an existing set of applications that talk in the clear and locking them down, SSH is indispensable. My ISP (COX) allows tcp/22 inbound but blocks everything else, so I can still do most of what I want via tunnels.