HPE Community
Operating System - HP-UX
1821051 Members
2465 Online
109631 Solutions
New Discussion

ssh version upgrade

 
SOLVED
Go to solution
laiju.c.babu
Regular Advisor

‎05-01-2012 11:49 PM

‎05-01-2012 11:49 PM

ssh version upgrade

Hi Team,

 

We have a vulnerability assessment in our HP-Ux boxes. As per this we  have to update the ssh version from 1 to 2 . But i want to know how can i check the current ssh version installed in my box

 

     [71]> ssh -V
OpenSSH_5.3p1+sftpfilecontrol-v1.3-hpn13v5, OpenSSL 0.9.8n 24 Mar 2010
HP-UX Secure Shell-A.05.30.009, HP-UX Secure Shell version

 

From here how can i know whether i installed version1 or version2

 

As per the  sshd_config file the server is configured for accepting ssh connection from both version 1 and version 2 sinc the protocol entry is 2,1

 

Please help me on this.

 

Regards

Laiju


 

Laiju.C.Babu
0 Kudos
Reply
6 REPLIES 6
Matti_Kurkela
Honored Contributor

‎05-02-2012 12:30 AM

‎05-02-2012 12:30 AM

Re: ssh version upgrade

There are two versions of the SSH protocol specification: the older one, called "version 1" is now known to have several design flaws.

 

All modern versions of OpenSSH and its derivatives (including HP-UX Secure Shell) can support both protocol versions: the configuration entry "Protocol 2,1" in sshd_config means "accept both protocol versions".

 

Change it to "Protocol 2" and restart sshd (with "sh /sbin/init.d/secsh stop; sh /sbin/init.d/secsh start").Then the support for protocol version 1 will be disabled and only protocol version 2 will be accepted.

 

The original implementation for SSH protocol version 2 had support for different SSH protocol versions as separate binaries, so you could uninstall (or not install in the first place) the version you didn't wish to use. I think this was mainly because the original implementations for SSH protocol versions 1 and 2 had different licensing conditions: it was possible that you had the right to use SSH 1.* for free, but needed to pay for a license for SSH 2.*. (Back then, the SSH software version numbers directly matched the protocol version number: this is not true with OpenSSH and other SSH implementations that came later.)

 

But OpenSSH is not designed that way, and is completely free.

If you're interested in the history of SSH and/or OpenSSH, please see:

http://www.openssh.com/history.html

MK
Reply
laiju.c.babu
Regular Advisor

‎05-02-2012 01:10 AM

‎05-02-2012 01:10 AM

Re: ssh version upgrade

Hi MK,

 

Thanks for the reply .

 

What i understood is  the version 1 and version 2  in SSH refers to the  two protcols ie protocol 1 and 2. We can configure this by editing the file sshd_config.

 

The action i have to perform for this vulnerability issue is

 

1) i have to chage the sshd_conf file so that it should accept only protocol 2

2) stop and start the sshd  daemons

 

Am i right ?

 

Regards

Laiju.C.Babu
0 Kudos
Reply
Matti_Kurkela
Honored Contributor

‎05-02-2012 03:15 AM

‎05-02-2012 03:15 AM

Solution

Re: ssh version upgrade

Yes, you're exactly right.

MK
0 Kudos
Reply
ManojK_1
Valued Contributor

‎05-02-2012 04:59 AM

‎05-02-2012 04:59 AM

Re: ssh version upgrade

Hi Laiju,

 

You are correct.

 

You can check the protocol version using by ssh as follows.

 

execute the command "ssh -v localhost" and check the folloowing line in the output.

debug1: Enabling compatibility mode for protocol 2.0

 

Thanks and Regards,

Manoj K

Thanks and Regards,
Manoj K
Reply
laiju.c.babu
Regular Advisor

‎05-16-2012 07:17 PM

‎05-16-2012 07:17 PM

Re: ssh version upgrade

Hi MK,

Whether i have to change the entry of protocol in /opt/ssh/etc/ssh_config also

 

Now the entry of protocol in /opt/ssh/etc/ssh_config is

 

#   Port 22
   Protocol 2,1

 

==========

 

Entry in sshd_config is

 

#Port 22
Protocol 2

 

Regards

Laiju.C.Babu
0 Kudos
Reply
Matti_Kurkela
Honored Contributor

‎05-18-2012 06:47 AM

‎05-18-2012 06:47 AM

Re: ssh version upgrade

The /opt/ssh/etc/sshd_config controls the incoming connections to your system, while /opt/ssh/etc/ssh_config controls outgoing connections.

 

If your users/applications have no reason to make outgoing SSH/SFTP/scp connections from your server to any old servers that only support SSH version 1, you could make the change in ssh_config file too.

 

 

MK
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.