topic Re: upgrade SSH version from 1 to 2 in Operating System - HP-UX

upgrade SSH version from 1 to 2

Lashin — Tue, 15 Feb 2011 05:53:21 GMT

Please help me to get the SSH version upgraded to 2.
security team informed that there is vulnerablity with existing version 1 and need to upgrade to version 2.

when i checked..

# ssh -V
OpenSSH_5.6p1+sftpfilecontrol-v1.3-hpn13v7, OpenSSL 0.9.8o 01 Jun 2010
HP-UX Secure Shell-A.05.60.002, HP-UX Secure Shell version
# grep -i protocol /opt/ssh/etc/sshd_config
Protocol 2
# HostKey for protocol version 1
# HostKeys for protocol version 2
# similar for protocol version 2
#

Is it already running with SSH version 2 ?
Do i need to disable any feature of version 1 to remove the vulnerability? how can i do that?

Re: upgrade SSH version from 1 to 2

Wouter Jagers — Tue, 15 Feb 2011 07:36:22 GMT

Hi,

Check your server side sshd_config file for the line starting with 'Protocol' (without the quotes).

To allow only v2 connections, make sure that line contains 'Protocol 2' (without the quotes) only.

Cheers
Wout

Re: upgrade SSH version from 1 to 2

Lashin — Tue, 15 Feb 2011 08:57:20 GMT

thanks Wout,

yes I have Protocol 2 entry enabled on ssd_config file on server.

that means server will accept only version 2 type ssh connection? do i need to do anything to disable version 1 features?

Re: upgrade SSH version from 1 to 2

Wouter Jagers — Tue, 15 Feb 2011 09:46:46 GMT

that should be enough.

you can try a v1 connection to test:
# ssh -1 yourhost
(ssh minus one yourhost)

'cause we're only really sure when we've tested our setup :-)

Cheers

Re: upgrade SSH version from 1 to 2

Lashin — Tue, 15 Feb 2011 11:33:20 GMT

Hi,

It is still accepting version 1 connection

#ssh -1 "sshserver name"
Password:
Response:

when i enter password here for "Response:", login is accepted and I get the login prompt.

# grep Protocol /opt/ssh/etc/sshd_config
Protocol 2
#

I observerd there is one more sshd_config file on server at location /opt/ssh/newconfig/opt/ssh/etc/sshd_config

i can see both version on this file

# grep Protocol /opt/ssh/newconfig/opt/ssh/etc/sshd_config
Protocol 2,1
#

but the ssh demon start up script "/sbin/init.d/secsh" shows the config file as "/opt/ssh/etc/sshd_config" only.

Do i stil need to edit /opt/ssh/newconfig/opt/ssh/etc/sshd_config and restart ssh demon to disable version1 feature?

Re: upgrade SSH version from 1 to 2

Matti_Kurkela — Tue, 15 Feb 2011 12:07:43 GMT

/opt/ssh/newconfig/opt/ssh/etc/sshd_config is a copy of the "factory default" configuration. One reason to provide it is to allow the sysadmin an easy way to restore the default configuration if the actual configuration file is corrupted or accidentally deleted.

(It's also a result of the standard way to manage configuration files with swinstall. You can upgrade your HP-SSH package, and your customized configuration file is not overwritten. But if the new version includes new configuration items, you can use the new default configuration in /opt/ssh/newconfig... as an example.)

No files in /opt/ssh/newconfig are actually read by sshd.

Your /opt/ssh/etc/sshd_config has been modified to allow only protocol version 2, but unless sshd has been restarted after the change, the sshd still uses the old settings (which presumably allowed the old protocol version too).

First, try restarting your sshd and then test again:

sh /sbin/init.d/secsh stop
sh /sbin/init.d/secsh start

MK