05-01-2012 11:49 PM
We have a vulnerability assessment on our HP-UX boxes. As per this, we have to update the SSH version from 1 to 2. But I want to know how I can check the current SSH version installed on my box.
> ssh -V
OpenSSH_5.3p1+sftpfilecontrol-v1.3-hpn13v5, OpenSSL 0.9.8n 24 Mar 2010
HP-UX Secure Shell-A.05.30.009, HP-UX Secure Shell version
From here, how can I know whether I installed version 1 or version 2?
As per the sshd_config file, the server is configured to accept SSH connections from both version 1 and version 2, since the protocol entry is 2,1.
Please help me on this.
05-02-2012 12:30 AM
There are two versions of the SSH protocol specification: the older one, called "version 1", is now known to have several design flaws.
All modern versions of OpenSSH and its derivatives (including HP-UX Secure Shell) can support both protocol versions: the configuration entry "Protocol 2,1" in sshd_config means "accept both protocol versions".
Change it to "Protocol 2" and restart sshd (with "sh /sbin/init.d/secsh stop; sh /sbin/init.d/secsh start"). Then the support for protocol version 1 will be disabled and only protocol version 2 will be accepted.
The original implementation for SSH protocol version 2 had support for different SSH protocol versions as separate binaries, so you could uninstall (or not install in the first place) the version you didn't wish to use. I think this was mainly because the original implementations for SSH protocol versions 1 and 2 had different licensing conditions: it was possible that you had the right to use SSH 1.* for free, but needed to pay for a license for SSH 2.*. (Back then, the SSH software version numbers directly matched the protocol version number: this is not true with OpenSSH and other SSH implementations that came later.)
But OpenSSH is not designed that way, and is completely free.
If you're interested in the history of SSH and/or OpenSSH, please see:
05-02-2012 01:10 AM
Thanks for the reply.
What I understood is that version 1 and version 2 in SSH refer to the two protocols, i.e. protocol 1 and 2. We can configure this by editing the file sshd_config.
The actions I have to perform for this vulnerability issue are:
1) I have to change the sshd_config file so that it accepts only protocol 2
2) Stop and start the sshd daemons
Am I right?
05-02-2012 04:59 AM
You are correct.
You can check the protocol version by using ssh as follows.
Execute the command "ssh -v localhost" and check the following line in the output.
debug1: Enabling compatibility mode for protocol 2.0
Thanks and Regards,
05-16-2012 07:17 PM
Do I have to change the entry of protocol in /opt/ssh/etc/ssh_config also?
Now the entry of protocol in /opt/ssh/etc/ssh_config is
# Port 22
Entry in sshd_config is
05-18-2012 06:47 AM
The /opt/ssh/etc/sshd_config controls the incoming connections to your system, while /opt/ssh/etc/ssh_config controls outgoing connections.
If your users/applications have no reason to make outgoing SSH/SFTP/scp connections from your server to any old servers that only support SSH version 1, you could make the change in ssh_config file too.
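An added example, not part of the thread or of HP-UX Secure Shell: a small POSIX shell audit for the change discussed above. It reports whether the Protocol directive in an sshd_config-style file still enables protocol 1, and classifies a server identification string per RFC 4253 section 5.1, where "SSH-1.99" means the server also accepts protocol 1. The function names and sample configs are constructed for illustration, and the parser only handles a global directive (it does not interpret Host blocks in ssh_config).

```shell
#!/bin/sh
# Added example (not from the thread). Sample configs below are constructed.

# Print the first uncommented Protocol value from an sshd_config-style file
# (or stdin). OpenSSH keeps the first value it reads for a keyword.
effective_protocol() {
    sed -e 's/#.*//' "$@" | tr '=' ' ' |
        awk 'tolower($1) == "protocol" { print $2; exit }'
}

# Map a Protocol value to a finding.
classify_protocol() {
    case "$1" in
        "")  echo "unset" ;;       # build default applies; set it explicitly
        2)   echo "v2-only" ;;
        *1*) echo "v1-enabled" ;;  # "1", "2,1" or "1,2"
        *)   echo "unknown" ;;
    esac
}

audit() { classify_protocol "$(effective_protocol "$@")"; }

# Classify a server identification string (RFC 4253, section 5.1):
# "1.99" is what a server announces when it also accepts protocol 1.
classify_banner() {
    case "$1" in
        SSH-2.0-*)  echo "v2-only" ;;
        SSH-1.99-*) echo "v1-enabled" ;;
        SSH-1.*)    echo "v1-only" ;;
        *)          echo "unknown" ;;
    esac
}

# Constructed samples: the config before and after the change in this thread.
BEFORE='# Port 22
Protocol 2,1'
AFTER='# Port 22
#Protocol 2,1
Protocol 2'

printf 'before: %s\n' "$(printf '%s\n' "$BEFORE" | audit)"
printf 'after:  %s\n' "$(printf '%s\n' "$AFTER" | audit)"
printf 'banner: %s\n' "$(classify_banner 'SSH-1.99-OpenSSH_5.3')"
```

On the server itself, `audit /opt/ssh/etc/sshd_config` run before and after the edit should move from v1-enabled to v2-only.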