topic Re: ssh version upgrade in Operating System - HP-UX

ssh version upgrade

laiju.c.babu — Wed, 02 May 2012 06:49:57 GMT

Hi Team,

We have a vulnerability assessment in our HP-Ux boxes. As per this we have to update the ssh version from 1 to 2 . But i want to know how can i check the current ssh version installed in my box

[71]> ssh -V
OpenSSH_5.3p1+sftpfilecontrol-v1.3-hpn13v5, OpenSSL 0.9.8n 24 Mar 2010
HP-UX Secure Shell-A.05.30.009, HP-UX Secure Shell version

From here how can i know whether i installed version1 or version2

As per the sshd_config file the server is configured for accepting ssh connection from both version 1 and version 2 sinc the protocol entry is 2,1

Please help me on this.

Regards

Laiju

Re: ssh version upgrade

Matti_Kurkela — Wed, 02 May 2012 07:30:52 GMT

There are two versions of the SSH protocol specification: the older one, called "version 1" is now known to have several design flaws.

All modern versions of OpenSSH and its derivatives (including HP-UX Secure Shell) can support both protocol versions: the configuration entry "Protocol 2,1" in sshd_config means "accept both protocol versions".

Change it to "Protocol 2" and restart sshd (with "sh /sbin/init.d/secsh stop; sh /sbin/init.d/secsh start").Then the support for protocol version 1 will be disabled and only protocol version 2 will be accepted.

The original implementation for SSH protocol version 2 had support for different SSH protocol versions as separate binaries, so you could uninstall (or not install in the first place) the version you didn't wish to use. I think this was mainly because the original implementations for SSH protocol versions 1 and 2 had different licensing conditions: it was possible that you had the right to use SSH 1.* for free, but needed to pay for a license for SSH 2.*. (Back then, the SSH software version numbers directly matched the protocol version number: this is not true with OpenSSH and other SSH implementations that came later.)

But OpenSSH is not designed that way, and is completely free.

If you're interested in the history of SSH and/or OpenSSH, please see:

http://www.openssh.com/history.html

Re: ssh version upgrade

laiju.c.babu — Wed, 02 May 2012 08:10:37 GMT

Hi MK,

Thanks for the reply .

What i understood is the version 1 and version 2 in SSH refers to the two protcols ie protocol 1 and 2. We can configure this by editing the file sshd_config.

The action i have to perform for this vulnerability issue is

1) i have to chage the sshd_conf file so that it should accept only protocol 2

2) stop and start the sshd daemons

Am i right ?

Regards

Re: ssh version upgrade

Matti_Kurkela — Wed, 02 May 2012 10:15:35 GMT

Yes, you're exactly right.

Re: ssh version upgrade

ManojK_1 — Wed, 02 May 2012 11:59:35 GMT

Hi Laiju,

You are correct.

You can check the protocol version using by ssh as follows.

execute the command "ssh -v localhost" and check the folloowing line in the output.

debug1: Enabling compatibility mode for protocol 2.0

Thanks and Regards,

Manoj K

Re: ssh version upgrade

laiju.c.babu — Thu, 17 May 2012 02:17:57 GMT

Hi MK,

Whether i have to change the entry of protocol in /opt/ssh/etc/ssh_config also

Now the entry of protocol in /opt/ssh/etc/ssh_config is

# Port 22
Protocol 2,1

==========

Entry in sshd_config is

#Port 22
Protocol 2

Regards

Re: ssh version upgrade

Matti_Kurkela — Fri, 18 May 2012 13:47:45 GMT

The /opt/ssh/etc/sshd_config controls the incoming connections to your system, while /opt/ssh/etc/ssh_config controls outgoing connections.

If your users/applications have no reason to make outgoing SSH/SFTP/scp connections from your server to any old servers that only support SSH version 1, you could make the change in ssh_config file too.