upgrade SSH version from 1 to 2

Lashin
Advisor

Please help me to get the SSH version upgraded to 2.
The security team informed us that there is a vulnerability with the existing version 1 and we need to upgrade to version 2.

When I checked:

# ssh -V
OpenSSH_5.6p1+sftpfilecontrol-v1.3-hpn13v7, OpenSSL 0.9.8o 01 Jun 2010
HP-UX Secure Shell-A.05.60.002, HP-UX Secure Shell version
# grep -i protocol /opt/ssh/etc/sshd_config
Protocol 2
# HostKey for protocol version 1
# HostKeys for protocol version 2
# similar for protocol version 2
#

Is it already running with SSH version 2?
Do I need to disable any feature of version 1 to remove the vulnerability? How can I do that?
Wouter Jagers
Honored Contributor

Re: upgrade SSH version from 1 to 2

Hi,

Check your server side sshd_config file for the line starting with 'Protocol' (without the quotes).

To allow only v2 connections, make sure that line contains 'Protocol 2' (without the quotes) only.

Cheers
Wout
an engineer's aim in a discussion is not to persuade, but to clarify.
Lashin
Advisor

Re: upgrade SSH version from 1 to 2

thanks Wout,

Yes, I have the Protocol 2 entry enabled in the sshd_config file on the server.

That means the server will accept only version 2 SSH connections? Do I need to do anything to disable version 1 features?
Wouter Jagers
Honored Contributor

Re: upgrade SSH version from 1 to 2

That should be enough.

You can try a v1 connection to test:
# ssh -1 yourhost
(ssh minus one yourhost)

'cause we're only really sure when we've tested our setup :-)

Cheers
an engineer's aim in a discussion is not to persuade, but to clarify.
Lashin
Advisor

Re: upgrade SSH version from 1 to 2

Hi,

It is still accepting version 1 connections:

#ssh -1 "sshserver name"
Password:
Response:

When I enter the password here at "Response:", the login is accepted and I get the login prompt.

# grep Protocol /opt/ssh/etc/sshd_config
Protocol 2
#

I observed there is one more sshd_config file on the server at /opt/ssh/newconfig/opt/ssh/etc/sshd_config.

I can see both versions in this file:

# grep Protocol /opt/ssh/newconfig/opt/ssh/etc/sshd_config
Protocol 2,1
#

But the ssh daemon startup script "/sbin/init.d/secsh" refers to the config file "/opt/ssh/etc/sshd_config" only.

Do I still need to edit /opt/ssh/newconfig/opt/ssh/etc/sshd_config and restart the ssh daemon to disable the version 1 feature?

Matti_Kurkela
Honored Contributor
Solution

Re: upgrade SSH version from 1 to 2

/opt/ssh/newconfig/opt/ssh/etc/sshd_config is a copy of the "factory default" configuration. One reason to provide it is to allow the sysadmin an easy way to restore the default configuration if the actual configuration file is corrupted or accidentally deleted.

(It's also a result of the standard way to manage configuration files with swinstall. You can upgrade your HP-SSH package, and your customized configuration file is not overwritten. But if the new version includes new configuration items, you can use the new default configuration in /opt/ssh/newconfig... as an example.)

No files in /opt/ssh/newconfig are actually read by sshd.

Your /opt/ssh/etc/sshd_config has been modified to allow only protocol version 2, but unless sshd has been restarted after the change, the sshd still uses the old settings (which presumably allowed the old protocol version too).

First, try restarting your sshd and then test again:

sh /sbin/init.d/secsh stop
sh /sbin/init.d/secsh start

MK
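The thread turns on two separate questions: what the configuration file says sshd will do after the next restart, and what the daemon currently running is actually doing. The script below is an added example, not code from the thread or from HP-UX Secure Shell, and the config file paths and sample contents in it are constructed for illustration. It reads the effective Protocol value the way sshd does (the first uncommented Protocol line wins and later ones are ignored), reports whether that value still permits SSH-1, and classifies the identification banner a running server sends on connect: per RFC 4253 a server that also speaks protocol 1 announces itself as SSH-1.99-..., a v2-only server as SSH-2.0-..., so the banner is a test of the live daemon that does not depend on the config file at all.

```shell
#!/bin/sh
# Added example (not part of the original thread). Checks an sshd_config for
# SSH-1 support and classifies a server identification banner.
# All file paths and sample configs below are constructed for illustration.

# Print the effective Protocol value of an sshd_config. sshd honours the FIRST
# uncommented occurrence of a directive, so a stray "Protocol 2,1" above a
# later "Protocol 2" silently wins. Prints "unset" when no directive exists,
# in which case the compiled-in default of that particular build applies.
effective_protocol() {
    awk 'tolower($1) == "protocol" { $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Exit 0 if a Protocol value such as "2,1", "1,2" or "1" includes version 1.
allows_v1() {
    v=$(printf '%s' "$1" | tr -d ' \t')
    case ",$v," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Classify the banner a live sshd sends as soon as the TCP connection opens
# (RFC 4253 section 5.1). Exit 0 = still serves SSH-1, 1 = v2 only,
# 2 = not an SSH identification string.
banner_allows_v1() {
    case "$1" in
        SSH-2.0-*)            return 1 ;;
        SSH-1.99-*|SSH-1.5-*) return 0 ;;
        *)                    return 2 ;;
    esac
}

# Report on one config file. Exit 0 = v2 only, 1 = SSH-1 still permitted,
# 2 = no Protocol line (build default applies, verify with the banner).
check_sshd_config() {
    cfg=$1
    proto=$(effective_protocol "$cfg")
    if [ "$proto" = unset ]; then
        echo "$cfg: no Protocol line; sshd will use its compiled-in default"
        return 2
    fi
    if allows_v1 "$proto"; then
        echo "$cfg: Protocol '$proto' still permits SSH-1"
        return 1
    fi
    echo "$cfg: Protocol '$proto' is v2-only"
    return 0
}

# Demo on two constructed files modelled on the thread: the factory default
# (Protocol 2,1) and a live config that has been edited to Protocol 2.
default_cfg=$(mktemp)
live_cfg=$(mktemp)
printf 'Port 22\nProtocol 2,1\n# HostKey for protocol version 1\n' > "$default_cfg"
printf 'Port 22\n# Protocol 2,1\nProtocol 2\n' > "$live_cfg"
for f in "$default_cfg" "$live_cfg"; do
    check_sshd_config "$f" || :   # exit status is informational here
done
rm -f "$default_cfg" "$live_cfg"

# Constructed banners standing in for what "telnet host 22" would show.
for b in "SSH-1.99-OpenSSH_5.6p1" "SSH-2.0-OpenSSH_5.6p1"; do
    if banner_allows_v1 "$b"; then
        echo "$b: running daemon still offers SSH-1"
    else
        echo "$b: running daemon is v2-only"
    fi
done
```

To apply this to the situation in the thread: run `check_sshd_config /opt/ssh/etc/sshd_config` to confirm the file sshd actually reads is v2-only, then get the live banner with `telnet sshserver 22` (the server sends its identification string before any client input) and feed it to `banner_allows_v1`. A `SSH-1.99-` banner together with a v2-only config is exactly the "edited but not restarted" state the accepted answer describes; after `sh /sbin/init.d/secsh stop` and `start` the banner should change to `SSH-2.0-`, and `ssh -1 sshserver` should be refused.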