We have an internal brainstorming on which free (it has to be free) SFTP software to run on our Win2019 server: OpenSSH (which is now supported by MS) or the SolarWinds free SFTP server.

As OpenSSH is now supported by MS, will OpenSSH patching/updates be supported by WSUS? Is MS rolling out OpenSSH patches, or do we have to get them from the OpenSSH open source site? Will OpenSSH updates/patches be published together with the Windows monthly updates?

The SolarWinds free SFTP server doesn't support key exchange, only credential authentication. A Wintel colleague felt that SolarWinds is 'set & forget' software, seldom requiring patching or updating, while OpenSSH, being open source, tends to have more vulnerabilities and thus more frequent patching. The other concern is that this SFTP server will be quite crucial to our operations, and each time we update/patch it we'll need to verify that services are not affected.

IT Security felt the ability to support key exchange is crucial, as relying on credential authentication alone (as in the free SolarWinds) is weaker. IT Security also felt that with MS support, patching can be facilitated by WSUS, while SolarWinds patching is not supported by WSUS and patch tracking/deployment of SolarWinds will be manual: is this correct?

Does anyone have a comparison of how frequent SolarWinds SFTP updates/patching is compared to OpenSSH's updates/patching? Does anyone have experience with issues after updating/patching OpenSSH? I guess the testing is only a matter of doing an SFTP transfer (or even just an SSH login to OpenSSH)?

An ex-colleague just shared that the OpenSSH he obtained from the open source site (not from MS), which has been in use for the last 3.5 years, does not have an audit trail/logs to investigate when a transfer fails: is this still not there with MS-supported OpenSSH?

Between an SFTP server that's static (hardly needs updating, so the requirement to test after a patch is less) and an SFTP server that could support key exchange with regular WSUS patching, which of the two viewpoints/SFTP servers should we opt for?

We're placing this SFTP server in the DMZ for internal servers to SFTP to it, while this server in the DMZ will act as an SFTP client to SFTP out to one of our vendor's clouds (via the Internet). The Wintel colleague argues that, being open source, it's more vulnerable to attacks (as the source code is publicly available), while in mitigation IT Security felt that it does not have a public IP (as it acts as an SFTP client), thus the risk of attack via the Internet is lower even though it sits in the DMZ. What are your views on the arguments here?
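As an added example that is not part of the original post or any reply, here is a PowerShell post-patch check for the Microsoft-shipped OpenSSH Server on Windows Server 2019. It records the installed capability state and sshd.exe version (the values you would compare before and after a WSUS update), switches sshd_config to key-only authentication with verbose per-transfer logging, validates the config and restarts the service, runs a non-interactive SFTP upload as the smoke test the post describes, and reads the resulting entries from the OpenSSH/Operational event log that the Windows build writes to by default. The account svc_sftp, its key path and the heartbeat file are constructed placeholders; the config and binary paths are the defaults of the Windows capability.

```powershell
# Added example (not from the original post): post-patch health check for the
# Microsoft-shipped OpenSSH Server on Windows Server 2019.
# Assumptions: the OpenSSH.Server capability is installed, the default config
# path %ProgramData%\ssh\sshd_config is in use, and 'svc_sftp', its key file
# and the heartbeat file are constructed placeholders. Run as Administrator.

$OpenSshDir = Join-Path $env:windir 'System32\OpenSSH'
$SshdConfig = Join-Path $env:ProgramData 'ssh\sshd_config'
$result = [ordered]@{}

# 1. Record what is installed so a WSUS/monthly update can be verified later.
$cap = Get-WindowsCapability -Online -Name 'OpenSSH.Server*'
$result.CapabilityState = $cap.State
$result.SshdVersion = (Get-Item (Join-Path $OpenSshDir 'sshd.exe')).VersionInfo.FileVersion

# 2. Enforce key-only authentication and per-file SFTP logging.
#    '-l VERBOSE' on the subsystem makes sftp-server log each open/close,
#    which is the audit trail the post asks about.
$settings = [ordered]@{
  'PubkeyAuthentication'   = 'yes'
  'PasswordAuthentication' = 'no'
  'LogLevel'               = 'VERBOSE'
  'Subsystem'              = 'sftp sftp-server.exe -l VERBOSE'
}
$lines = Get-Content -Path $SshdConfig
foreach ($key in $settings.Keys) {
  $pattern = "^\s*#?\s*$key\b"
  if ($lines -match $pattern) {
    # Replace the existing (possibly commented) directive in place.
    $lines = $lines -replace "$($pattern).*", "$key $($settings[$key])"
  } else {
    # Prepend rather than append: a trailing 'Match' block would otherwise
    # capture the new directive and, for Subsystem, break the config.
    $lines = ,"$key $($settings[$key])" + $lines
  }
}
Set-Content -Path $SshdConfig -Value $lines -Encoding ASCII

# 3. Validate the config before restarting so a typo cannot take the service down.
& (Join-Path $OpenSshDir 'sshd.exe') -t
if ($LASTEXITCODE -ne 0) { throw 'sshd_config failed validation; service not restarted' }
Restart-Service -Name sshd
$result.ServiceStatus = (Get-Service -Name sshd).Status

# 4. Post-patch smoke test: a non-interactive SFTP upload with the placeholder
#    service account. Batch mode makes sftp exit non-zero on any failed command,
#    so the exit code alone tells you whether the transfer path still works.
$batch = New-TemporaryFile
@('put C:/temp/heartbeat.txt heartbeat.txt', 'bye') | Set-Content -Path $batch.FullName
& (Join-Path $OpenSshDir 'sftp.exe') -b $batch.FullName -i 'C:\keys\svc_sftp' `
    -o BatchMode=yes -o StrictHostKeyChecking=accept-new 'svc_sftp@localhost'
$result.TransferOk = ($LASTEXITCODE -eq 0)
Remove-Item -Path $batch.FullName

# 5. Pull the most recent sftp-server entries from the event log that the
#    Windows build writes to by default; these are what you would review when
#    a transfer fails.
$result.RecentSftpEvents = Get-WinEvent -LogName 'OpenSSH/Operational' -MaxEvents 100 |
  Where-Object { $_.Message -match 'sftp-server|\bopen\b|\bclose\b' } |
  Select-Object -First 10 TimeCreated, Message

[pscustomobject]$result
```

The same script, re-run after each monthly update, gives a before/after record of the sshd.exe version plus a pass/fail transfer result, which is the minimal post-patch verification the post is asking whether it needs; keep the sftp-server log level at VERBOSE only if the log volume is acceptable, otherwise INFO still records the open and close of each file.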