Forcing cyclade to use SSH v2
in [Solaris]
|
From: underh20 on 4 Jan 2010 14:32 Our 4-port cyclade is currently running SSHv1.68 (see below the ssh process and sshd_config file). Due to security concern, we must disable this version SSH v1 and upgrade/run only the SSH protocol version 2. Could anyone let me know how to do it without losing my SSH connection to this Cyclade ? Thanks, Bill cyclade # ps -ef | grep ssh 306 ? root 4268 S /bin/sshd -f /etc/ssh/sshd_config cyclade # cat /etc/ssh/sshd_config # $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:// bin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. #Port 22 #Protocol 2,1 #ListenAddress 0.0.0.0 #ListenAddress :: #HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key #HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key : : :
From: Doug McIntyre on 4 Jan 2010 15:44 underh20 <underh20.scubadiving(a)gmail.com> writes: >Our 4-port cyclade is currently running SSHv1.68 (see below the ssh >process and sshd_config file). Due to security concern, we must >disable this version SSH v1 and upgrade/run only the SSH protocol >version 2. >Could anyone let me know how to do it without losing my SSH >connection >to this Cyclade ? >cyclade # ps -ef | grep ssh > 306 ? root 4268 S /bin/sshd -f /etc/ssh/sshd_config Couldn't tell you how to make sure your session isn't reset if this is the only sshd process running, normally there's one owned by root, and then another process owned by each user logging in on a typical unix box. After a config change, hup the root one (most likely with the lowest PID), and you are all set. ># $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp Change this line >#Protocol 2,1 to Protocol 2
From: underh20 on 4 Jan 2010 17:16 How does one verify that one is using SSH v2 after uncommenting "Protocol 2" and re-hupping the root SSH session ? Is there certain command to do so ? Is Protocol 2 simply a certificate for SSL v2 ? We know that SSL doesn't encrypt the data but simply ensures the destination is authentic. SSH on the other hand uses encryption to provide confidentiality and integrity on both ends over high risk zones. Looks like we need SSHv2 and not SSLv2. Thanks, Bill On Jan 4, 12:44 pm, Doug McIntyre <mer...(a)geeks.org> wrote: > underh20 <underh20.scubadiv...(a)gmail.com> writes: > >Our 4-port cyclade is currently running SSHv1.68 (see below the ssh > >process and sshd_config file). Due to security concern, we must > >disable this version SSH v1 and upgrade/run only the SSH protocol > >version 2. > >Could anyone let me know how to do it without losing my SSH > >connection > >to this Cyclade ? > >cyclade # ps -ef | grep ssh > > 306 ? root 4268 S /bin/sshd -f /etc/ssh/sshd_config > > Couldn't tell you how to make sure your session isn't reset if this is > the only sshd process running, normally there's one owned by root, > and then another process owned by each user logging in on a typical > unix box. After a config change, hup the root one (most likely with > the lowest PID), and you are all set. > > ># $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp > > Change this line > > >#Protocol 2,1 > > to > > Protocol 2
From: Doug McIntyre on 4 Jan 2010 17:33 underh20 <underh20.scubadiving(a)gmail.com> writes: >How does one verify that one is using SSH v2 after uncommenting >"Protocol 2" and re-hupping the root SSH session ? Is there certain >command to do so ? You can ssh to the box with a -v flag to make sure v2 is enabled. ssh -v server debug1: Enabling compatibility mode for protocol 2.0 And then use the -1 flag to try to force connect as protocol rev 1. ssh -1 -v server debug1: Remote protocol version 2.0, remote software version Protocol major versions differ: 1 vs. 2 >Is Protocol 2 simply a certificate for SSL v2 ? We know that SSL >doesn't encrypt the data but simply ensures the destination is >authentic. SSH on the other hand uses encryption to provide >confidentiality and integrity on both ends over high risk zones. >Looks like we need SSHv2 and not SSLv2. SSH is totally unrelated to SSL. SSH doesn't use certificates. The only thing OpenSSL code is used for in OpenSSH is to not reinvent the crypto routines, but use mature code. x.509 and certificates and all that totally doesn't exist in SSH at all. SSH v2 is the version of protocol used between client and server. The version 1 protocol has a few known weaknesses. Security audits will always require fixing anything that has known weaknesses.
From: underh20 on 4 Jan 2010 18:02 Hi David, I just did the "ssh -v" command as suggested at our cyclade. I can see that ssh protocol v2 is enabled. However, in the top line, Sun_SSH_1.1.3 and SSH protocols 1.5/2.0 appear. Shouldn't we see something like 2.X ? I need to show proofs that this cyclade is in fact running SSH v2 only and no v1. Thanks again, Bill # ssh -v atlantis Sun_SSH_1.1.3, SSH protocols 1.5/2.0, OpenSSL 0x0090704f debug1: Reading configuration data /etc/ssh/ssh_config debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: needpriv 0 debug1: Connecting to atlantis [172.25.148.44] port 22. debug1: Connection established. debug1: identity file /.ssh/identity type -1 debug1: identity file /.ssh/id_rsa type -1 debug1: identity file /.ssh/id_dsa type -1 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8.1p1 debug1: match: OpenSSH_3.8.1p1 pat OpenSSH_3.6*,OpenSSH_3.7*,OpenSSH_3.8* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-Sun_SSH_1.1.3 debug1: use_engine is 'yes' debug1: pkcs11 engine initialized, now setting it as default for RSA, DSA, and symmetric ciphers debug1: pkcs11 engine initialization complete debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible Unknown code 0 ) debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr hmac-md5 none debug1: kex: client->server aes128-ctr hmac-md5 none debug1: Peer sent proposed langtags, ctos: debug1: Peer sent proposed langtags, stoc: debug1: We proposed langtags, ctos: i-default debug1: We proposed langtags, stoc: i-default debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 125/256 debug1: bits set: 1016/2048 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host '172.30.142.190' is known and matches the RSA host key. debug1: Found key in /.ssh/known_hosts:32 debug1: bits set: 1037/2048 debug1: ssh_rsa_verify: signature correct debug1: newkeys: mode 1 debug1: set_newkeys: setting new keys for 'out' mode debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: set_newkeys: setting new keys for 'in' mode debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. debug1: send SSH2_MSG_SERVICE_REQUEST debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: Authentications that can continue: publickey,password,keyboard- interactive debug1: Next authentication method: publickey debug1: Trying private key: /.ssh/identity debug1: Trying private key: /.ssh/id_rsa debug1: Trying private key: /.ssh/id_dsa debug1: Next authentication method: keyboard-interactive Password: On Jan 4, 2:33 pm, Doug McIntyre <mer...(a)geeks.org> wrote: > underh20 <underh20.scubadiv...(a)gmail.com> writes: > >How does one verify that one is using SSH v2 after uncommenting > >"Protocol 2" and re-hupping the root SSH session ? Is there certain > >command to do so ? > > You can ssh to the box with a -v flag to make sure v2 is enabled. > > ssh -v server > debug1: Enabling compatibility mode for protocol 2.0 > > And then use the -1 flag to try to force connect as protocol rev 1. > > ssh -1 -v server > debug1: Remote protocol version 2.0, remote software version > Protocol major versions differ: 1 vs. 2 > > >Is Protocol 2 simply a certificate for SSL v2 ? We know that SSL > >doesn't encrypt the data but simply ensures the destination is > >authentic. SSH on the other hand uses encryption to provide > >confidentiality and integrity on both ends over high risk zones. > >Looks like we need SSHv2 and not SSLv2. > > SSH is totally unrelated to SSL. SSH doesn't use certificates. > The only thing OpenSSL code is used for in OpenSSH is to not reinvent > the crypto routines, but use mature code. x.509 and certificates and > all that totally doesn't exist in SSH at all. > > SSH v2 is the version of protocol used between client and server. The > version 1 protocol has a few known weaknesses. Security audits will > always require fixing anything that has known weaknesses.
|
Next
|
Last
Pages: 1 2 Prev: computing exp(1.0) on SPARC. Next: String of nulls in /var/adm/mesages |