How Secure Is Secure Shell?
  Author: Dark3Lite
Added: 01/12/2003
Type: Review
Pros and Cons & Better Than the Alternatives

Eric Hemmendinger, research director of information security at Aberdeen Group, agreed. "In general, there's a good reason why people will opt to buy a commercial version rather than an open source version," he said. "There's one place you can go for support." Hemmendinger added that when a bug or vulnerability is found, "if you're using an open source version, you may be able to get a response as quickly [as], if not faster than, [with] the commercial supplier ... or maybe not."

As it turns out, the most recently reported SSH exploit, described earlier in this article, did not affect current versions of OpenSSH, although the SSH Communications version was found to be vulnerable. In a separate incident, a trojan horse was found in some copies of the source for OpenSSH last August; however, that was not a vulnerability in the official version of OpenSSH, but rather in a polluted version of OpenSSH. No matter how secure a program is, it always pays to verify the distribution to be sure it has not been tampered with.

Better Than the Alternatives

As with any other application, users and administrators alike should be concerned when bugs or security holes are found in SSH. However, the degree of severity of these problems can vary widely. Some exploits are only theoretical, whereas others pose a clear and present danger.

Toxen emphasized that under no circumstances should a system administrator use Telnet in place of SSH just because a few bugs have been found in SSH implementations. The protocol's unsecure cousins, including Telnet, the "r" commands and FTP, transmit usernames and passwords -- and everything else, for that matter -- as clear text. The only thing an attacker would need to do to compromise these unsecure protocols is find a way to "sniff" network traffic. That would be the most regrettable -- and preventable -- defeat of all.




© Copyright Linux Advisory 2003. All rights reserved.