
Forcing cyclade to use SSH v2


underh20
Jan 4, 2010, 2:32:21 PM
Our 4-port cyclade is currently running SSHv1.68 (see below the ssh
process and sshd_config file). Due to security concerns, we must
disable this version, SSH v1, and upgrade/run only SSH protocol
version 2.

Could anyone let me know how to do it without losing my SSH
connection to this Cyclade?


Thanks,


Bill


cyclade # ps -ef | grep ssh
306 ? root 4268 S /bin/sshd -f /etc/ssh/sshd_config


cyclade # cat /etc/ssh/sshd_config

# $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin://bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
#HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
:
:
:

Doug McIntyre
Jan 4, 2010, 3:44:50 PM
underh20 <underh20.s...@gmail.com> writes:
>Our 4-port cyclade is currently running SSHv1.68 (see below the ssh
>process and sshd_config file). Due to security concern, we must
>disable this version SSH v1 and upgrade/run only the SSH protocol
>version 2.

>Could anyone let me know how to do it without losing my SSH
>connection
>to this Cyclade ?

>cyclade # ps -ef | grep ssh


> 306 ? root 4268 S /bin/sshd -f /etc/ssh/sshd_config

Couldn't tell you how to make sure your session isn't reset if this is
the only sshd process running; normally there's one owned by root,
and then another process owned by each user logging in on a typical
unix box. After a config change, hup the root one (most likely with
the lowest PID), and you are all set.

># $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp

Change this line

>#Protocol 2,1

to

Protocol 2
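A scripted form of the change above, added here as an example and not something posted in the thread: it rewrites the Protocol line so only version 2 is offered, keeps a backup, syntax-checks the file with `sshd -t` when the binary is available, and sends HUP only to the listening sshd so sessions already open (each served by its own per-user sshd child) stay up. The config path, pid file path, `--apply` flag and the use of `ps -o` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): switch an OpenSSH-style sshd_config to
# "Protocol 2" and reload only the listening daemon, so sessions already open
# (each served by its own per-user sshd child) survive the change.
# Assumed paths: /etc/ssh/sshd_config and /var/run/sshd.pid.

# set_protocol2 FILE: leave FILE with exactly one active "Protocol 2" line.
# Handles the commented default (#Protocol 2,1), an active "Protocol 2,1" or
# "Protocol 1", and a file with no Protocol line at all (one is appended).
set_protocol2() {
  f=$1
  cp "$f" "$f.bak" || return 1
  if grep -q '^[#[:space:]]*Protocol[[:space:]]' "$f.bak"; then
    sed 's/^[#[:space:]]*Protocol[[:space:]].*/Protocol 2/' "$f.bak" > "$f"
  else
    { cat "$f.bak"; echo 'Protocol 2'; } > "$f"
  fi
  # Keep the first "Protocol 2" and drop any duplicates the rewrite produced.
  awk '/^Protocol 2$/ { if (seen++) next } { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# protocol_of FILE: the effective Protocol value; sshd's default when the
# line is commented out or absent is "2,1", i.e. both versions offered.
protocol_of() {
  v=$(sed -n 's/^Protocol[[:space:]]*//p' "$1" | tail -n 1)
  echo "${v:-2,1}"
}

# listener_pid: the master sshd (pid file if present, else the lowest-PID
# sshd process, the rule of thumb given in the thread), never a session child.
listener_pid() {
  if [ -r /var/run/sshd.pid ]; then cat /var/run/sshd.pid; return; fi
  ps -e -o pid= -o comm= | awk '$2 == "sshd" { print $1 }' | sort -n | head -n 1
}

# Only --apply touches the live system; running the file bare is harmless.
if [ "${1:-}" = "--apply" ]; then
  cfg=/etc/ssh/sshd_config
  set_protocol2 "$cfg" || exit 1
  # Syntax-check before reloading so a typo cannot leave the box unreachable.
  if command -v sshd >/dev/null 2>&1 && ! sshd -t -f "$cfg"; then
    echo "sshd -t rejected $cfg, restoring backup" >&2
    cp "$cfg.bak" "$cfg"; exit 1
  fi
  kill -HUP "$(listener_pid)" && echo "reloaded; Protocol is now $(protocol_of "$cfg")"
fi
```

Run it as `sh script --apply` from an already-open session; that session survives because HUP reaches only the listener.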


underh20
Jan 4, 2010, 5:16:47 PM

How does one verify that one is using SSH v2 after uncommenting
"Protocol 2" and re-hupping the root SSH session? Is there a certain
command to do so?

Is Protocol 2 simply a certificate for SSL v2? We know that SSL
doesn't encrypt the data but simply ensures the destination is
authentic. SSH, on the other hand, uses encryption to provide
confidentiality and integrity on both ends over high-risk zones.
Looks like we need SSHv2 and not SSLv2.

Thanks,

Bill

On Jan 4, 12:44 pm, Doug McIntyre <mer...@geeks.org> wrote:

Doug McIntyre
Jan 4, 2010, 5:33:21 PM
underh20 <underh20.s...@gmail.com> writes:
>How does one verify that one is using SSH v2 after uncommenting
>"Protocol 2" and re-hupping the root SSH session ? Is there certain
>command to do so ?

You can ssh to the box with a -v flag to make sure v2 is enabled.

ssh -v server
debug1: Enabling compatibility mode for protocol 2.0

And then use the -1 flag to try to force connect as protocol rev 1.

ssh -1 -v server
debug1: Remote protocol version 2.0, remote software version
Protocol major versions differ: 1 vs. 2

>Is Protocol 2 simply a certificate for SSL v2 ? We know that SSL
>doesn't encrypt the data but simply ensures the destination is
>authentic. SSH on the other hand uses encryption to provide
>confidentiality and integrity on both ends over high risk zones.
>Looks like we need SSHv2 and not SSLv2.


SSH is totally unrelated to SSL. SSH doesn't use certificates.
The only thing OpenSSL code is used for in OpenSSH is to not reinvent
the crypto routines, but use mature code. X.509 and certificates and
all that totally don't exist in SSH at all.

SSH v2 is the version of protocol used between client and server. The
version 1 protocol has a few known weaknesses. Security audits will
always require fixing anything that has known weaknesses.

underh20
Jan 4, 2010, 6:02:59 PM
Hi David,

I just did the "ssh -v" command as suggested at our cyclade. I can
see that ssh protocol v2 is enabled.
However, in the top line, Sun_SSH_1.1.3 and SSH protocols 1.5/2.0
appear. Shouldn't we see something like 2.X? I need to show proof
that this cyclade is in fact running SSH v2 only and no v1.

Thanks again, Bill


# ssh -v atlantis

Sun_SSH_1.1.3, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to atlantis [172.25.148.44] port 22.
debug1: Connection established.
debug1: identity file /.ssh/identity type -1
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH_3.6*,OpenSSH_3.7*,OpenSSH_3.8*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-Sun_SSH_1.1.3
debug1: use_engine is 'yes'
debug1: pkcs11 engine initialized, now setting it as default for RSA, DSA, and symmetric ciphers
debug1: pkcs11 engine initialization complete
debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible
Unknown code 0
)
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: Peer sent proposed langtags, ctos:
debug1: Peer sent proposed langtags, stoc:
debug1: We proposed langtags, ctos: i-default
debug1: We proposed langtags, stoc: i-default
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 125/256
debug1: bits set: 1016/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '172.30.142.190' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:32
debug1: bits set: 1037/2048
debug1: ssh_rsa_verify: signature correct
debug1: newkeys: mode 1
debug1: set_newkeys: setting new keys for 'out' mode
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: set_newkeys: setting new keys for 'in' mode
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/identity
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:


On Jan 4, 2:33 pm, Doug McIntyre <mer...@geeks.org> wrote:

Darren Dunham
Jan 4, 2010, 6:31:50 PM
On Jan 4, 3:02 pm, underh20 <underh20.scubadiv...@gmail.com> wrote:
> Hi  David,
>
> I just did the "ssh -v" command as suggested at our cyclade.  I can
> see that ssh protocol v2 is enabled.
> However, in the top line, Sun_SSH_1.1.3 and SSH protocols 1.5/2.0
> appear. Shouldn't we see something
> like 2.X ?  I need to show proofs that this cyclade is in fact running
> SSH v2 only and no v1.

So try it. Take a look at your client. You can force the use of
protocol 1 and protocol 2 (see -1 and -2 command line options). What
happens when you try to connect with v1? What happens when you try to
connect with v2?

--
Darren

underh20
Jan 4, 2010, 7:37:30 PM
Hi Darren,

I can access the cyclade using ssh via both the "-1" and "-2" options.
See below.
Is there any way that I can disable/stop the "-1" option completely in
our case?
We just need to have SSH v2 running only. Thanks, Bill


# ssh -1 -v atlantis

Sun_SSH_1.1.3, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to atlantis [172.25.148.44] port 22
debug1: Connection established.
debug1: identity file /.ssh/identity type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH_3.6*,OpenSSH_3.7*,OpenSSH_3.8*
debug1: Local version string SSH-1.5-Sun_SSH_1.1.3
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'atlantis' is known and matches the RSA1 host key.
debug1: Found key in /.ssh/known_hosts:33
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Doing challenge response authentication.
Password:
Response:
#

# ssh -2 -v atlantis

Sun_SSH_1.1.3, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to atlantis [172.25.148.44] port 22.
debug1: Connection established.
debug1: dh_gen_key: priv key bits set: 129/256
debug1: bits set: 1025/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'atlantis' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:32
debug1: bits set: 1046/2048
debug1: ssh_rsa_verify: signature correct
debug1: newkeys: mode 1
debug1: set_newkeys: setting new keys for 'out' mode
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: set_newkeys: setting new keys for 'in' mode
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:

Chris Cox
Jan 5, 2010, 12:29:54 PM
On Mon, 2010-01-04 at 17:32 -0800, underh20 wrote:
> Hi Chris,
>
> OK. I did uncomment out "Protocol 2" in sshd_config file and killed/
> restarted the process
> with "sshd_config". When I tried "ssh -1 -v atlantis" , it didn't
> prompt me for password.

Should see:

Protocol major versions differ: 1 vs. 2

And it should just kick you right back out to your client
(that is, it just fails).

> Does it mean SSH v1 is not available at this server now ? However,
> when I tried "ssh -2 -v atlantis",
> it did prompt me for password. Please see the outputs below.

Ok... so now the server is strictly Protocol 2.

Done (success!)
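The verification that Doug, Darren and Chris describe, as an added example that is not part of the thread: the first line a server sends is its identification string, and the "Remote protocol version 1.99" in Bill's `ssh -v` output is how an sshd configured with `Protocol 2,1` advertises that it accepts both versions (RFC 4253 §5.1), while a server set to `Protocol 2` identifies itself as `SSH-2.0-...`. The probe below reads that line over a raw TCP connection using bash's `/dev/tcp`, so it gives the same answer as `ssh -1` even from current OpenSSH clients, which no longer have a `-1` option; the function names, host and port arguments, and the sample banners are constructed here.

```shell
#!/bin/bash
# Added example: decide from the SSH identification string (RFC 4253 §4.2)
# whether a server still offers protocol 1. Format: SSH-protoversion-software.
#   1.99 -> server accepts both 1 and 2 (what "Protocol 2,1" produces)
#   2.0  -> protocol 2 only (what "Protocol 2" produces)
#   1.x  -> protocol 1 only (what a client forced with -1 announces, e.g. 1.5)

# classify_banner STRING: print both, v2-only, v1-only, or unknown.
classify_banner() {
  line=$(printf '%s' "$1" | tr -d '\r')   # banner lines end in CR LF
  case "$line" in
    SSH-1.99-*) echo both ;;
    SSH-2.0-*)  echo v2-only ;;
    SSH-1.*)    echo v1-only ;;
    *)          echo unknown ;;
  esac
}

# software_of STRING: the software-version field, e.g. OpenSSH_3.8.1p1
# (anything after a space is the optional comment and is dropped).
software_of() {
  line=$(printf '%s' "$1" | tr -d '\r')
  case "$line" in
    SSH-*) line=${line#SSH-}; line=${line#*-}; echo "${line%% *}" ;;
    *)     echo unknown ;;
  esac
}

# fetch_banner HOST [PORT]: read the server's first line without logging in.
# Uses bash's /dev/tcp, so neither an ssh client nor nc is required.
fetch_banner() {
  exec 3<>"/dev/tcp/$1/${2:-22}" || return 1
  IFS= read -r -t 5 banner <&3
  exec 3>&-
  printf '%s\n' "$banner" | tr -d '\r'
}

# check_v1_disabled HOST [PORT]: exit 0 only when the server is v2-only,
# i.e. the state Chris describes once "Protocol 2" is active.
check_v1_disabled() {
  b=$(fetch_banner "$1" "${2:-22}") || { echo "no banner from $1" >&2; return 2; }
  c=$(classify_banner "$b")
  echo "$1: $b -> $c"
  [ "$c" = v2-only ]
}
```

Before the change a `Protocol 2,1` server such as Bill's reports `both`; after the HUP the same probe should report `v2-only`, which is the evidence an auditor can file.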

