Secure Shell software

New SSH Communications’ offering adds ease of use to its Tectia package.

In our test of SSH Communications Security’s Tectia 4.0 – its upgraded Secure Shell client and server combination – we found it is easy to use; provides convenient, restartable file transfers; and offers more GUI features than competing commercial and open source SSH implementations.

Tectia 4.0 also supports a variety of port-forwarding schemes that let you set a VPN-like tunnel to your managed machines.

Archive of Network World reviews

Subscribe to the Product Review newsletter

On the downside, some of the authentication options were very difficult to configure and use.

The SSH code – developed by SSH Communications in 1995 – provides console (or ‘shell’) communications between a network device and a local PC over the Internet, using cryptographic techniques to secure user authentication processes and data traffic flow between the machines. Tectia 4.0, announced in October and released in December, supports the current version of the protocol, SSH 2, and the older SSH 1.

We tested Tectia 4.0 client and server versions for Windows and Linux (see How we did it.) SSH Communications also offers Tectia Connector, a product that supports application tunneling, and Tectia Manager, software for managing distributed Tectia client/server installations.

Installation of Tectia 4.0 on Windows systems was straightforward. But the software was more difficult to get running on Red Hat Advanced Server because you have to uninstall OpenSSH to run Tectia.

The documentation was accurate and plentiful, and gave solid information about the core functions overall, but the parts pertaining to the new features were a bit sloppy. For example, while the documentation suggests that the product supports IPv6, the vendor does not recommend it for production environments.

You manage Tectia servers like any other Unix/Linux Daemon or Windows service. On Unix, the Tectia code generates syslog messages so you can track procedures such as user logons or logon failures. In Windows, the Tectia server generates messages to the Windows Event Log. The servers emit messages when the configuration changes, which could become a problem when strict change controls are required.

Tectia 4.0 provides a Windows GUI-based file transfer tool so you don’t need to run a command-line application to perform SSH file transfers. This improves its ease of use over previous versions.

Previous versions of the product let you set up SSH tunnels as an alternative to IPSec VPNs. Tectia 4.0 makes this much easier to use. The client can be configured in a “port forward only” mode so you can deploy it to desktops with minimal user configuration. It also supports Socks, a connection proxy mechanism that browsers and e-mail clients use, which makes it much easier to configure other software on the client system to support SSH port forwarding.

Tectia 4.0 supports several cryptographic algorithms, including Advanced Encryption Standard (AES), the current algorithm of choice for encrypting data; Triple-DES, Arcfour (RC-4) and others. SSH Communications also addresses the current IETF work to standardize the SSH protocol, with support for keyboard-interactive authentication (a new mechanism designed to support future interactive user-authentication mechanisms), Generic Security Services API (GSS-API) used for Active directory authentication, and X.509 digital certificates.

We reconfigured the server to use Rivest-Shamir-Adelman (RSA) keys instead of Digital Signature Algorithm (DSA) keys (the default.) This process was straightforward, but interoperability issues surfaced. The full procedure for setting up a new SSH server included having a client verifying the server’s public key hash. The standard way to do this – supported by the open source community and many SSH vendors – is to display the MD5 hash of the host key. Tectia does not support this procedure. It displays the hash in its proprietary Bubble Babble format. We were forced to use other tools to confirm our keys when interoperating with other SSH implementations.

SSH Communications offers an array of authentication options, from simple username/password all the way up to smart card digital certificates. The more sophisticated options are intended for use in situations where strong authentication is justified, such as medical systems, access to sensitive network equipment, traveling executives or military applications. We tested just the username/password, SSH key mechanisms and X.509 certificates.

We exercised connection combinations using Tectia clients and servers, and we tested interoperability with OpenSSH and Putty (two open source SSH implementations) and other SSH products. Everything worked as expected with the password and SSH key mechanisms.

However, X.509 support was more difficult to set up. After several calls and e-mails to the vendor’s support team, we got X.509 certificate authentication to work. It is very complex and not completely documented. While the product does function as advertised, this mechanism is probably too difficult to deploy to be useful in most environments.

Overall, we concluded that Tectia 4.0 is a commercial-grade SSH implementation that offers the strong security features of the SSH protocol with a pretty rich set of authentication and usability features. It would be a good fit in environments where you have cross-platform (Windows, Unix, and network devices) SSH console access requirements.