From: Darren Dunham on 4 Jan 2010 18:31

On Jan 4, 3:02 pm, underh20 <underh20.scubadiv...(a)gmail.com> wrote:
> Hi David,
>
> I just did the "ssh -v" command as suggested at our cyclade. I can
> see that ssh protocol v2 is enabled.
> However, in the top line, Sun_SSH_1.1.3 and SSH protocols 1.5/2.0
> appear. Shouldn't we see something
> like 2.X ? I need to show proofs that this cyclade is in fact running
> SSH v2 only and no v1.

So try it. Take a look at your client. You can force the use of
protocol 1 and protocol 2 (see -1 and -2 command line options). What
happens when you try to connect with v1? What happens when you try to
connect with v2?

--
Darren

From: underh20 on 4 Jan 2010 19:37

Hi Darren,

I can access the cyclade using ssh via both "-1" and "-2" option. See
below. Is there any way that I can disable/stop the "-1" option
completely in our case ? We just need to have SSH v2 running only.

Thanks,

Bill

# ssh -1 -v atlantis
Sun_SSH_1.1.3, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to atlantis [172.25.148.44] port 22
debug1: Connection established.
debug1: identity file /.ssh/identity type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH_3.6*,OpenSSH_3.7*,OpenSSH_3.8*
debug1: Local version string SSH-1.5-Sun_SSH_1.1.3
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'atlantis' is known and matches the RSA1 host key.
debug1: Found key in /.ssh/known_hosts:33
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Doing challenge response authentication.
Password:
Response:
#
# ssh -2 -v atlantis
Sun_SSH_1.1.3, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to atlantis [172.25.148.44] port 22.
debug1: Connection established.
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH_3.6*,OpenSSH_3.7*,OpenSSH_3.8*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-Sun_SSH_1.1.3
debug1: use_engine is 'yes'
debug1: pkcs11 engine initialized, now setting it as default for RSA, DSA, and symmetric ciphers
debug1: pkcs11 engine initialization complete
debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible Unknown code 0 )
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: Peer sent proposed langtags, ctos:
debug1: Peer sent proposed langtags, stoc:
debug1: We proposed langtags, ctos: i-default
debug1: We proposed langtags, stoc: i-default
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 129/256
debug1: bits set: 1025/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'atlantis' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:32
debug1: bits set: 1046/2048
debug1: ssh_rsa_verify: signature correct
debug1: newkeys: mode 1
debug1: set_newkeys: setting new keys for 'out' mode
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: set_newkeys: setting new keys for 'in' mode
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:

On Jan 4, 3:31 pm, Darren Dunham <darren.dun...(a)gmail.com> wrote:
> On Jan 4, 3:02 pm, underh20 <underh20.scubadiv...(a)gmail.com> wrote:
>
> > Hi David,
> >
> > I just did the "ssh -v" command as suggested at our cyclade. I can
> > see that ssh protocol v2 is enabled.
> > However, in the top line, Sun_SSH_1.1.3 and SSH protocols 1.5/2.0
> > appear. Shouldn't we see something
> > like 2.X ? I need to show proofs that this cyclade is in fact running
> > SSH v2 only and no v1.
>
> So try it. Take a look at your client. You can force the use of
> protocol 1 and protocol 2 (see -1 and -2 command line options). What
> happens when you try to connect with v1? What happens when you try to
> connect with v2?
>
> --
> Darren

From: Chris Cox on 4 Jan 2010 20:02

On Mon, 2010-01-04 at 11:32 -0800, underh20 wrote:
> Our 4-port cyclade is currently running SSHv1.68 (see below the ssh
> process and sshd_config file). Due to security concern, we must
> disable this version SSH v1 and upgrade/run only the SSH protocol
> version 2.

Change to:
Protocol 2

in your sshd_config

You can't use daemon.sh to stop/start/restart... it doesn't
work if you're using ssh to do work on the Cyclades.

Best bet is to manually kill the ssh server and restart
it. Do:

# ps | grep sshd_config

kill the pid associated with that.
Restart it using the line you see from that grep.

If that works, do:
# saveconf

to save the changes to survive a reboot.

> Could anyone let me know how to do it without losing my SSH
> connection
> to this Cyclade ?
>
> Thanks,
>
> Bill
>
> cyclade # ps -ef | grep ssh
> 306 ? root 4268 S /bin/sshd -f /etc/ssh/sshd_config
>
> cyclade # cat /etc/ssh/sshd_config
>
> # $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $
>
> # This is the sshd server system-wide configuration file. See
> # sshd_config(5) for more information.
>
> # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin://bin
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented. Uncommented options change a
> # default value.
>
> #Port 22
> #Protocol 2,1
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> #HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> #HostKeys for protocol version 2
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_dsa_key
> :
> :
> :

From: underh20 on 4 Jan 2010 20:32

Hi Chris,

OK. I did uncomment out "Protocol 2" in sshd_config file and killed/
restarted the process with "sshd_config". When I tried "ssh -1 -v
atlantis" , it didn't prompt me for password. Does it mean SSH v1 is
not available at this server now ? However, when I tried "ssh -2 -v
atlantis", it did prompt me for password. Please see the outputs
below.

Thanks,

Bill

# ssh -1 -v atlantis
Sun_SSH_1.1.3, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to atlantis [172.25.148.44] port 22.
debug1: Connection established.
debug1: identity file /.ssh/identity type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH_3.6*,OpenSSH_3.7*,OpenSSH_3.8*
Protocol major versions differ: 1 vs. 2
debug1: Calling cleanup 0x34658(0x0)
#
#
# ssh -2 -v atlantis
Sun_SSH_1.1.3, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to atlantis [172.25.148.44] port 22.
debug1: Connection established.
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH_3.6*,OpenSSH_3.7*,OpenSSH_3.8*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-Sun_SSH_1.1.3
debug1: use_engine is 'yes'
debug1: pkcs11 engine initialized, now setting it as default for RSA, DSA, and symmetric ciphers
debug1: pkcs11 engine initialization complete
debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible Unknown code 0 )
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: Peer sent proposed langtags, ctos:
debug1: Peer sent proposed langtags, stoc:
debug1: We proposed langtags, ctos: i-default
debug1: We proposed langtags, stoc: i-default
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 118/256
debug1: bits set: 1062/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'atlantis' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:32
debug1: bits set: 987/2048
debug1: ssh_rsa_verify: signature correct
debug1: newkeys: mode 1
debug1: set_newkeys: setting new keys for 'out' mode
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: set_newkeys: setting new keys for 'in' mode
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
#

On Jan 4, 5:02 pm, Chris Cox <chrisnc...(a)endlessnow.com> wrote:
> On Mon, 2010-01-04 at 11:32 -0800, underh20 wrote:
> > Our 4-port cyclade is currently running SSHv1.68 (see below the ssh
> > process and sshd_config file). Due to security concern, we must
> > disable this version SSH v1 and upgrade/run only the SSH protocol
> > version 2.
>
> Change to:
> Protocol 2
>
> in your sshd_config
>
> You can't use daemon.sh to stop/start/restart... it doesn't
> work if you're using ssh to do work on the Cyclades.
>
> Best bet is to manually kill the ssh server and restart
> it. Do:
>
> # ps | grep sshd_config
>
> kill the pid associated with that.
> Restart it using the line you see from that grep.
>
> If that works, do:
> # saveconf
>
> to save the changes to survive a reboot.
>
> > Could anyone let me know how to do it without losing my SSH
> > connection
> > to this Cyclade ?
> >
> > Thanks,
> >
> > Bill
> >
> > cyclade # ps -ef | grep ssh
> > 306 ? root 4268 S /bin/sshd -f /etc/ssh/sshd_config
> >
> > cyclade # cat /etc/ssh/sshd_config
> >
> > # $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $
> >
> > # This is the sshd server system-wide configuration file. See
> > # sshd_config(5) for more information.
> >
> > # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin://bin
> >
> > # The strategy used for options in the default sshd_config shipped with
> > # OpenSSH is to specify options with their default value where
> > # possible, but leave them commented. Uncommented options change a
> > # default value.
> >
> > #Port 22
> > #Protocol 2,1
> > #ListenAddress 0.0.0.0
> > #ListenAddress ::
> >
> > #HostKey for protocol version 1
> > #HostKey /etc/ssh/ssh_host_key
> > #HostKeys for protocol version 2
> > #HostKey /etc/ssh/ssh_host_rsa_key
> > #HostKey /etc/ssh/ssh_host_dsa_key
> > :
> > :
> > :

From: Chris Cox on 5 Jan 2010 12:29

On Mon, 2010-01-04 at 17:32 -0800, underh20 wrote:
> Hi Chris,
>
> OK. I did uncomment out "Protocol 2" in sshd_config file and killed/
> restarted the process
> with "sshd_config". When I tried "ssh -1 -v atlantis" , it didn't
> prompt me for password.

Should see:
Protocol major versions differ: 1 vs. 2

And it should just kick you right back out to your client (that is,
it just fails).

> Does it mean SSH v1 is not available at this server now ? However,
> when I tried "ssh -2 -v atlantis",
> it did prompt me for password. Please see the outputs below.

Ok... so now the server is strictly Protocol 2.

Done (success!)
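
Added example, not part of any post in this thread: the "Remote protocol version" value in the ssh -v logs is the server's own advertisement (1.99 means it still accepts protocol 1, 2.0 means protocol 2 only), so it can be checked from a script alongside the forced "-1" test. All function names, including the fetch_banner helper, are assumptions of this example; the two sample lines are copied from the logs in the thread.

```python
import re
import socket

# RFC 4253 section 4.2 identification string: SSH-protoversion-softwareversion
_BANNER = re.compile(r"^SSH-(\d+)\.(\d+)-")
# The line the client prints in "ssh -v" output, as seen in the thread's logs.
_DEBUG = re.compile(r"Remote protocol version (\d+)\.(\d+), remote software version (\S+)")

# Sample input: lines copied from the thread (before and after "Protocol 2" was set).
BEFORE = "debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8.1p1"
AFTER = "debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1"

def classify(major, minor):
    """Map the server's advertised protoversion to the protocols it offers."""
    if (major, minor) == (1, 99):
        return "v1+v2"    # RFC 4253 section 5.1: a 2.0 server in compatibility mode
    if major == 1:
        return "v1-only"
    if major == 2:
        return "v2-only"
    return "unknown"

def classify_banner(line):
    """Classify a raw identification line such as 'SSH-2.0-OpenSSH_3.8.1p1'."""
    m = _BANNER.match(line.strip())
    return classify(int(m.group(1)), int(m.group(2))) if m else "unknown"

def classify_debug_log(text):
    """Return one verdict per 'Remote protocol version' line in ssh -v output."""
    return [classify(int(a), int(b)) for a, b, _ in _DEBUG.findall(text)]

def fetch_banner(host, port=22, timeout=5.0):
    """Read the server's identification line without authenticating."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        for _ in range(20):   # other lines may precede the version string (RFC 4253 4.2)
            line = f.readline(256).decode("ascii", "replace")
            if not line:
                break
            if line.startswith("SSH-"):
                return line.strip()
    return ""

if __name__ == "__main__":
    print(classify_debug_log(BEFORE + "\n" + AFTER))
```

Anything other than "v2-only" from classify_banner(fetch_banner(host)) means the Protocol setting in sshd_config did not take effect on the running daemon.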