ssh version upgrade (426 Views)
Regular Advisor
laiju.c.babu
Posts: 121
Registered: ‎07-06-2008
Message 1 of 7 (426 Views)
Accepted Solution

ssh version upgrade

Hi Team,

 

We have a vulnerability assessment in our HP-UX boxes. As per this we have to update the ssh version from 1 to 2. But I want to know how I can check the current ssh version installed in my box.

 

     [71]> ssh -V
OpenSSH_5.3p1+sftpfilecontrol-v1.3-hpn13v5, OpenSSL 0.9.8n 24 Mar 2010
HP-UX Secure Shell-A.05.30.009, HP-UX Secure Shell version

 

From here, how can I know whether I installed version 1 or version 2?

 

As per the sshd_config file, the server is configured for accepting ssh connections from both version 1 and version 2, since the protocol entry is 2,1.

 

Please help me on this.

 

Regards

Laiju


 

Laiju.C.Babu
Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 2 of 7 (422 Views)

Re: ssh version upgrade

There are two versions of the SSH protocol specification: the older one, called "version 1", is now known to have several design flaws.

 

All modern versions of OpenSSH and its derivatives (including HP-UX Secure Shell) can support both protocol versions: the configuration entry "Protocol 2,1" in sshd_config means "accept both protocol versions".

 

Change it to "Protocol 2" and restart sshd (with "sh /sbin/init.d/secsh stop; sh /sbin/init.d/secsh start"). Then the support for protocol version 1 will be disabled and only protocol version 2 will be accepted.

 

The original implementation for SSH protocol version 2 had support for different SSH protocol versions as separate binaries, so you could uninstall (or not install in the first place) the version you didn't wish to use. I think this was mainly because the original implementations for SSH protocol versions 1 and 2 had different licensing conditions: it was possible that you had the right to use SSH 1.* for free, but needed to pay for a license for SSH 2.*. (Back then, the SSH software version numbers directly matched the protocol version number: this is not true with OpenSSH and other SSH implementations that came later.)

 

But OpenSSH is not designed that way, and is completely free.

If you're interested in the history of SSH and/or OpenSSH, please see:

http://www.openssh.com/history.html

MK
Regular Advisor
laiju.c.babu
Posts: 121
Registered: ‎07-06-2008
Message 3 of 7 (420 Views)

Re: ssh version upgrade

Hi MK,

 

Thanks for the reply.

 

What I understood is that version 1 and version 2 in SSH refer to the two protocols, i.e. protocol 1 and 2. We can configure this by editing the file sshd_config.

 

The action I have to perform for this vulnerability issue is:

 

1) I have to change the sshd_config file so that it accepts only protocol 2

2) Stop and start the sshd daemons

 

Am I right?

 

Regards

Laiju.C.Babu
Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 4 of 7 (417 Views)

Re: ssh version upgrade

Yes, you're exactly right.

MK
Valued Contributor
ManojK_1
Posts: 271
Registered: ‎03-21-2007
Message 5 of 7 (410 Views)

Re: ssh version upgrade

Hi Laiju,

 

You are correct.

 

You can check the protocol version by using ssh as follows.

 

Execute the command "ssh -v localhost" and check the following line in the output.

debug1: Enabling compatibility mode for protocol 2.0

 

Thanks and Regards,

Manoj K

Regular Advisor
laiju.c.babu
Posts: 121
Registered: ‎07-06-2008
Message 6 of 7 (381 Views)

Re: ssh version upgrade

Hi MK,

Do I also have to change the protocol entry in /opt/ssh/etc/ssh_config?

 

Now the entry of protocol in /opt/ssh/etc/ssh_config is

 

#   Port 22
   Protocol 2,1

 

==========

 

Entry in sshd_config is

 

#Port 22
Protocol 2

 

Regards

Laiju.C.Babu
Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 7 of 7 (371 Views)

Re: ssh version upgrade

The /opt/ssh/etc/sshd_config controls the incoming connections to your system, while /opt/ssh/etc/ssh_config controls outgoing connections.

 

If your users/applications have no reason to make outgoing SSH/SFTP/scp connections from your server to any old servers that only support SSH version 1, you could make the change in the ssh_config file too.

 

 

MK
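
As an added example (not part of any post in this thread, and not HP's or OpenSSH's own tooling): a POSIX shell check that classifies the active Protocol lines in the two files discussed above, so the change can be verified after editing. The function name protocol_audit is made up for this example; "unset" is reported separately because the built-in default of the installed version then applies.

```shell
#!/bin/sh
# Added example: classify the Protocol setting of an OpenSSH-style config file.
# Prints exactly one of: v1-allowed | v2-only | unset
protocol_audit() {
    awk '
        /^[ \t]*#/ { next }                   # commented-out lines are inactive
        {
            line = $0
            sub(/^[ \t]+/, "", line)          # tolerate indented keywords
            sub(/[ \t]*=[ \t]*/, " ", line)   # accept the "Protocol=2" form
            n = split(line, f, /[ \t]+/)
            # keywords are case-insensitive; ignore everything but Protocol
            if (n < 2 || tolower(f[1]) != "protocol") next
            seen = 1
            m = split(f[2], v, ",")           # value is a comma list, e.g. 2,1
            for (i = 1; i <= m; i++) if (v[i] == "1") v1 = 1
        }
        END {
            if (v1) print "v1-allowed"        # some active line still lists 1
            else if (seen) print "v2-only"
            else print "unset"                # compiled-in default applies
        }
    ' "$1"
}

# Paths are the ones quoted in the thread; files that are not readable are skipped.
for cfg in /opt/ssh/etc/sshd_config /opt/ssh/etc/ssh_config; do
    if [ -r "$cfg" ]; then
        printf '%s: %s\n' "$cfg" "$(protocol_audit "$cfg")"
    fi
done
```

Any active Protocol line that lists 1 is flagged, including one inside a Host block of ssh_config, which keeps the check conservative.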