distro: redhat linux 8.0
kernel: 2.4.18

What do I do to *enforce* on all clients Linux and Windows to use Protocol 2?

Why? doing some security testings with ettercap [check it out from sourceforge.net] I was able to sniff usernames/passwords for SSH v1. The only solution is to use SSH V2.

Did I miss anything on the sshd_config file?


************** Server side of the story**************

SSH Server version: OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f

By default, the server's configuration will force your client (i.e. ssh program) to try to connect with the server using SSH V2 first and then fall back to V1.

So...to accept Protocol 2 connections only, I went to /etc/ssh/sshd_config file, and added the following line to it:
Protocol 2

# service sshd restart /*to restart SSH daemon
#chkconfig --list /*to see if enabled

*********** Client Side of the story **************
To test my settings I logged in from a Linux client...

#ssh -1 -l user 192.168.0.191
Protocol major versions differ: 1 vs. 2 /* was the message which is good. after that the connection is refused.

#ssh -2 -l user 192.168.0.191 /* it let me in after I put the pass

**********Problem Logging in from a M$ Windows box *****

Using SSH windows client from www.ssh.com I get right in using Protocol 1 or 2.
Same thing with WinSCP client from winscp.vse.cz

What do I do to *enforce* on all clients Linux and Windows to use Protocol 2? Did I miss anything on the sshd_config file?

thanks,
el chupacabra

Where is this ettercap you speak of? I'm sorry I can't help you with your question but I am wondering how you sniffed the username and passwords and how you cracked the enyrption. I can't find anything on sourceforge.net.

heh.. what do you think...?

and to enforce protocol version 2 and deny 1 replace "Protocol 2,1" with Protocol 2".

i'd have liked to come in with a "well duhhh" but i didn't actually say that huh?

hey thanks for tip...
I added 'Protocol 2,1'
and uncommented

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

which are for Protocol V2 only


/*however on my system by uncommenting

HostKey /etc/ssh/ssh_host_key SSH V1 is *still* enabled.
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

# ssh -1 -l user ip /*got right in
# ssh -2 -l user ip /*got right in


/*When I leave HostKey /etc/ssh/ssh_host_key commented I get...

# service sshd restart
Stopping sshd: [ OK ]
Starting sshdisabling protocol version1. Could not load host key [ OK ]


/*tesing again
]# ssh -1 -l user ip
Protocol major versions differ: 1 vs. 2 /*could not get in. Good.

# ssh -2 -l user ip /*get right in.

So wrapping up....my sshd_config looks like this

Port 22
#Protocol 2,1
Protocol 2,1 /*that did it. Do not leave Protocol 2 only
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

thanks for tip though. But give it a try on your system. Possibly you have SSH V1 too because you uncommented HostKey /etc/ssh/ssh_host_key

el chupacabra

well it was only the Protocol line that was relevant, hence it being bold... and as unspawn said... you need to change it it "protocol 2" thoguht that would have been quite apparent.

At first I had added only Protocol 2 but for some reason still V1 was enabled.

I did a try with both nessus and by logging in to the machine remotely.

Any ideas why?

Hey acid_kewpie is your name Simon?

no. i thought my name would have given that away.....

A quick test proves that you need to comment out the key as well as protocol v1.

I don't know what's up but comments like "i'd have liked to come in with a "well duhhh" but i didn't actually say that huh?" do not help at all. If you want to tell jokes, that's fine, we can all laugh together but first read the post before saying anything silly so that later on people do not laugh at you.

I think everybody --including Moderators-- should read carefully the posts and if they can answer it in a professional way --just to avoid being classified as a 'smartass'.

If you would have read my first post I clearly said I had put the Protocol 2 on the config file and still didn't work.... "well...duh".

Bottom line...I'm sick of know-it-alls and smart asses who can't even read the damn first post.

My intention is not to offend anybody but neither to make you feel warm and fuzzy and tell you how great you are for your silly comments.

What are they going to do now? Ban me from the forum for expressing my opinions? Where are we? In the Microsoft world ? [ yes I got fired from M$ for expressing my opinions three years ago. Big deal. ]

el chupacabra

I agree chupacabra. The reason I asked acid_kewpie if his name was Simon is becuase he acts like that British guy Simon on Amercain Idol. I've never seen him make a post without putting in a remark to belittle someone for not knowing what he knows.

I have an idea for you kewpie. Just anwer the question in the post and then write down on little piece of paper all the other remarks that you would have like to put down. This will help with your recovery. Remember, the first step is to admit you have a problem.

yeah i didn't notice that bit at first, oops. but that comment was quite blatantly about me not anyone else. and i'm not a smart arse. and where does this "they" stuff come form? I can assure that they, sorry... we... wouldn't do a thing about what you said. just like every other time someone with half a handful of posts starts stomping their feet for no apparent reason.

Well duh! Maybe you should read the whole post first.