HPE Community
Operating System - HP-UX
1820254 Members
2619 Online
109622 Solutions
New Discussion юеВ

upgrade SSH version from 1 to 2

 
SOLVED
Go to solution
Lashin
Advisor

тАО02-14-2011 09:53 PM

тАО02-14-2011 09:53 PM

upgrade SSH version from 1 to 2

Please help me to get the SSH version upgraded to 2.
security team informed that there is vulnerablity with existing version 1 and need to upgrade to version 2.

when i checked..

# ssh -V
OpenSSH_5.6p1+sftpfilecontrol-v1.3-hpn13v7, OpenSSL 0.9.8o 01 Jun 2010
HP-UX Secure Shell-A.05.60.002, HP-UX Secure Shell version
# grep -i protocol /opt/ssh/etc/sshd_config
Protocol 2
# HostKey for protocol version 1
# HostKeys for protocol version 2
# similar for protocol version 2
#

Is it already running with SSH version 2 ?
Do i need to disable any feature of version 1 to remove the vulnerability? how can i do that?
0 Kudos
Reply
5 REPLIES 5
Wouter Jagers
Honored Contributor

тАО02-14-2011 11:36 PM

тАО02-14-2011 11:36 PM

Re: upgrade SSH version from 1 to 2

Hi,

Check your server side sshd_config file for the line starting with 'Protocol' (without the quotes).

To allow only v2 connections, make sure that line contains 'Protocol 2' (without the quotes) only.

Cheers
Wout
an engineer's aim in a discussion is not to persuade, but to clarify.
0 Kudos
Reply
Lashin
Advisor

тАО02-15-2011 12:57 AM

тАО02-15-2011 12:57 AM

Re: upgrade SSH version from 1 to 2

thanks Wout,

yes I have Protocol 2 entry enabled on ssd_config file on server.

that means server will accept only version 2 type ssh connection? do i need to do anything to disable version 1 features?
0 Kudos
Reply
Wouter Jagers
Honored Contributor

тАО02-15-2011 01:46 AM

тАО02-15-2011 01:46 AM

Re: upgrade SSH version from 1 to 2

that should be enough.

you can try a v1 connection to test:
# ssh -1 yourhost
(ssh minus one yourhost)

'cause we're only really sure when we've tested our setup :-)

Cheers
an engineer's aim in a discussion is not to persuade, but to clarify.
0 Kudos
Reply
Lashin
Advisor

тАО02-15-2011 03:33 AM

тАО02-15-2011 03:33 AM

Re: upgrade SSH version from 1 to 2

Hi,

It is still accepting version 1 connection

#ssh -1 "sshserver name"
Password:
Response:

when i enter password here for "Response:", login is accepted and I get the login prompt.

# grep Protocol /opt/ssh/etc/sshd_config
Protocol 2
#

I observerd there is one more sshd_config file on server at location /opt/ssh/newconfig/opt/ssh/etc/sshd_config

i can see both version on this file

# grep Protocol /opt/ssh/newconfig/opt/ssh/etc/sshd_config
Protocol 2,1
#

but the ssh demon start up script "/sbin/init.d/secsh" shows the config file as "/opt/ssh/etc/sshd_config" only.

Do i stil need to edit /opt/ssh/newconfig/opt/ssh/etc/sshd_config and restart ssh demon to disable version1 feature?




0 Kudos
Reply
Matti_Kurkela
Honored Contributor

тАО02-15-2011 04:07 AM

тАО02-15-2011 04:07 AM

Solution

Re: upgrade SSH version from 1 to 2

/opt/ssh/newconfig/opt/ssh/etc/sshd_config is a copy of the "factory default" configuration. One reason to provide it is to allow the sysadmin an easy way to restore the default configuration if the actual configuration file is corrupted or accidentally deleted.

(It's also a result of the standard way to manage configuration files with swinstall. You can upgrade your HP-SSH package, and your customized configuration file is not overwritten. But if the new version includes new configuration items, you can use the new default configuration in /opt/ssh/newconfig... as an example.)

No files in /opt/ssh/newconfig are actually read by sshd.

Your /opt/ssh/etc/sshd_config has been modified to allow only protocol version 2, but unless sshd has been restarted after the change, the sshd still uses the old settings (which presumably allowed the old protocol version too).

First, try restarting your sshd and then test again:

sh /sbin/init.d/secsh stop
sh /sbin/init.d/secsh start

MK
MK
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.