Obscure SSH Version

On a recent security audit we we hit because our Cisco devices revealed their SSH version.
Is there any way to fix that?

I don't believe so. We've had auditors complain about the version (v1 vs v2), but never about it showing the version.

Similar Messages

Authentication failed on device 3 times. Failed to detect SSH version running on the device. PRIMARY-STARTUP config Fetch Operation failed for TFTP

I have devices loaded but new devices keep getting this error "Authentication failed on device 3 times. Failed to detect SSH version running on the device. PRIMARY-STARTUP config Fetch Operation failed for TFTP" - which trying to get configurations. I am using LMS 3.0.1
I tried to TELNET on devices via Putty port 22 no good. Please help?
Name Version License Status Size CiscoWorks Common Services 3.1.1 Licensed Not applicable Campus Manager 5.0.3 Purchased 1500 CiscoView 6.1.7 Licensed Not applicable CiscoWorks Assistant 1.0.1 Licensed Not applicable Device Fault Manager 3.0.3 Purchased 1500 Internetwork Performance Monitor 4.0.1 Purchased 1500 Integration Utility 1.7.1 Licensed Not applicable LMS Portal 1.0.1 Licensed Not applicable Resource Manager Essentials 4.1.1 Purchased 1500

Showing 1-1 of 1 records
Go to page:
of 1 pages
Device Name
SysObjectID
Model
Device Status
Inventory Status
Inventory Last Updated Time
Config Status
Config Last Updated Time
1.
R2020012_01
.1.3.6.1.4.1.9.1.576
Cisco 2811 Integrated Services Router
Normal
Success
Jan 13 2011 10:43:49 EST
Failed
Jan 13 2011 10:37:24 EST
Rows per page:
20 50 100 500
Go to page:
of 1 pages

Ssh version

I get the following output when I type in ssh -V on the console...I am using Solaris 9.
SSH Version Sun_SSH_1.0, protocol versions 1.5/2.0.
Does this mean tht the ssh version is ssh protocol v 2.

It means that your SSH version is "Suns SSH 1.0". However Suns SSH is just a certain version of OpenSSH (can't remember which one) with a new name.
The SSH in question supports the SSH protocols 1.5 and 2.0.
Currently there are three SSH protocols that i know of, the first one was 1 (highly insecure), followed by 1.5 (not to secure either) and lastly 2.0 (fairly secure unless you got one with a security bug in :-)
//Magnus

CiscoWorks2k RME3.5 IDU 9.0 ssh version 2 ???

Does anyone know when ssh v2 will be supported or I missed something?
It seems like I can manage my devices with telnet or ssh v1. Having been able to do much with all of my ssh v2 devices.

I heard that support for SSH version 2 will be added in the next release of CiscoWorks, may be in 1st quarter of 2005.

Difference ssh version 1and version 2

Hi,Can anyone say what is the difference ssh version 1and version 2

SSH protocol, version 2
SSH protocol, version 1
Separate transport, authentication, and connection protocols
One monolithic protocol
Strong cryptographic integrity check
Weak CRC-32 integrity check; admits an insertion attack in conjunction with some bulk ciphers.
Supports password changing
N/A
Any number of session channels per connection (including none)
Exactly one session channel per connection (requires issuing a remote command even when you don't want one)
Full negotiation of modular cryptographic and compression algorithms, including bulk encryption, MAC, and public-key
Negotiates only the bulk cipher; all others are fixed
Encryption, MAC, and compression are negotiated separately for each direction, with independent keys
The same algorithms and keys are used in both directions (although RC4 uses separate keys, since the algorithm's design demands that keys not be reused)
Extensible algorithm/protocol naming scheme allows local extensions while preserving interoperability
Fixed encoding precludes interoperable additions
User authentication methods:
publickey (DSA, RSA*, OpenPGP)
hostbased
password
(Rhosts dropped due to insecurity)
Supports a wider variety:
public-key (RSA only)
RhostsRSA
password
Rhosts (rsh-style)
TIS
Kerberos
Use of Diffie-Hellman key agreement removes the need for a server key
Server key used for forward secrecy on the session key
Supports public-key certificates
N/A
User authentication exchange is more flexible, and allows requiring multiple forms of authentication for access.
Allows for exactly one form of authentication per session.
hostbased authentication is in principle independent of client network address, and so can work with proxying, mobile clients, etc. (though this is not currently implemented).
RhostsRSA authentication is effectively tied to the client host address, limiting its usefulness.
periodic replacement of session keys
N/A

SSH version in the CUCM

Hi,
I have an issue between my Iomega/EMC NAS and the DRS of my CUCMs.
It's OK with a 8.6 CUCM and NOK with 7.1.3 and 8.0.3.
I would like to know the SSH version in SFTP protocol used by the DRS service for the three version.
Thank you for your help.
BR

Michael,
I had the same question, so this is very helpful and I appreciate it.
Emmanuel,
I have a current issue with SFTP to a NAS and am curious if you were able to resolve. My storage engineers were also concerned about SSH version compatibility.

SSH Version Supported by Access Points

Hi,
I'm hoping this is an easy question...so apologies if it appears facile, but I can't find a definitive answer in any Cisco docs I've looked through.
When access points are used with a WLC, its possible to allow the access points to accept SSH connections (Under the advanced tab of the AP config).
My question is this: which version of SSH will be used when SSH sessions are created to the AP? (SSH v2?)
All of the data sheets etc. talk about SSH support, but give now version details.
Thanks in advance.
Nigel.

Hi Nigel,
Scott is right (as usual )
Just to confirm, I accessed a CAPWAP AP and looked at the #sh derived-config and this was the only SSH output shown, with SSH enabled on the AP:
ip ssh version 2
So, it looks like only SSH2 is allowed. Just to let you know the code ver was 7.0.116.0
Rocky

PCI Audit - SSH version 3 & above

Hi,
Suggest which version of ASA IOS version supports SSH ver. 3.0 & above. I'm currently having IOS 8.2 (5) version.
Regards
Alexander M

Hi Alex,
ASA currently support only version 1 & 2.
Thanks,
Varun Rao
Security Team,
Cisco TAC

Cisco IDS 4250XL - SSH protocol versions supported

I recently had a vulnerability scan completed and "SSH protocol versions supported" showed up in it for my IDS. Has anyone come across this and if so, how am I able to mitigate it. Is there a way to change the SSH version on the device?

What vulnerability is being asserted in the OpenSSH implementation of SSH protocol version 1?
I have not seen a new problem discovered in more than three years in the SSH protocol version 1. OpenSSH-3.7.1p2 contains all the fixes for all vulnerabilities that I am aware.
When a vulnerability assessment recommends shutting down SSH protocol version 1, they need to back it up with some facts to show that SSH1 as implemented in the IDS 4.x sensor is insecure.
=====
That having been said, you can disable SSH protocol version 1 by editing /etc/ssh/sshd_config and restarting the service. What you will lose is the ability to manage keys in the IDS CLI. So you cannot use authorized keys to log into the sensor.
The "copy scp:..." and "upgrade scp:..." commands will fail. When you start an SSH2 client, it will refuse to connect to the remote server because it won't trust the host key.
You also won't be able to manange network devices to perform blocking using the SSH protocol.

Ssh has stopped working - reverse mapping causes segmentation fault

This was working on Friday, believe me. I haven't done anything that I'm aware of (apart from reboot the machine) to change things, except in trying to fix it.
Briefly, ssh crashes out with a segmentation fault and a crash log (below). Poking around with verbosity gives (real ip obscured):
% ssh ip4 -vvvv
OpenSSH_3.8.1p1, OpenSSL 0.9.7i 14 Oct 2005
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to ip4 [ip4] port 22.
debug1: Connection established.
debug1: identity file /Users/rpg/.ssh/identity type -1
debug1: identity file /Users/rpg/.ssh/id_rsa type -1
debug1: identity file /Users/rpg/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug3: Trying to reverse map address ip4.
Segmentation fault
I get similar reports for %ssh FQDN and %ssh $USER@[FQDN*|*ip4].
Although I'm trying to ssh to a machine on another continent, trying to ssh into my own machine (from a Terminal window on my own machine) also does not work. Setting UseDNS no in /etc/sshd_config on my machine does not help. Oddly, trying to ssh to my own machine by
%ssh 127.0.0.1 gives
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug3: Trying to reverse map address 127.0.0.1.
debug1: An invalid name was supplied
Configuration file does not specify default realm
debug1: An invalid name was supplied
A parameter was malformed
Validation error
debug1: An invalid name was supplied
Configuration file does not specify default realm
debug1: An invalid name was supplied
A parameter was malformed
Validation error
debug1: SSH2MSGKEXINIT sent
debug1: SSH2MSGKEXINIT received
and then works (after a lot more info).
I can ssh into this machine from elsewhere, I just can't ssh out. Below the crash log is a report from running a server with
% sudo sshd -D -ddd -e -p 10000
and connecting with
% ssh -vvv -p 10000 $USER@FQDN
ssh crash log:
Date/Time: 2006-05-29 15:42:09.284 +1000
OS Version: 10.4.6 (Build 8I1119)
Report Version: 4
Command: ssh
Path: /usr/bin/ssh
Parent: bash [1020] (note: also fails under tcsh)
Version: ??? (???)
PID: 1021
Thread: 0
Exception: EXCBADACCESS (0x0001)
Codes: KERNINVALIDADDRESS (0x0001) at 0xb1d255e4
Thread 0 Crashed:
0 libstdc++.6.dylib 0x90b37e3a _cxa_getglobals + 324
1 libstdc++.6.dylib 0x90b3853a _gxx_personalityv0 + 658
2 libgcc_s.1.dylib 0x90bcabf7 UnwindRaiseException + 147
3 libstdc++.6.dylib 0x90b38857 _cxathrow + 87
4 edu.mit.Kerberos 0x94c4a238 CCIContextDataMachIPCStub::OpenCCache(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) + 314
5 edu.mit.Kerberos 0x94c49fde CCEContext::OpenCCache(cccontextd*, char const*, ccccached**) + 160
6 edu.mit.Kerberos 0x94c49d5e cc_open + 64
7 edu.mit.Kerberos 0x94c49bf6 krb5stdccresolve + 182
8 edu.mit.Kerberos 0x94c4f1a1 __KLGetCCacheByName + 254
9 edu.mit.Kerberos 0x94c4ee8a __KLAcquireInitialTicketsForCache + 179
10 edu.mit.Kerberos 0x94c4ed7f krb5intccdefault + 85
11 edu.mit.Kerberos 0x94c40215 krb5gss_acquirecred + 2409
12 edu.mit.Kerberos 0x94c4ed11 kggetdefcred + 73
13 edu.mit.Kerberos 0x94c4da14 krb5gss_init_seccontext + 208
14 ssh 0x00024305 0x1000 + 144133
15 ssh 0x000246f4 0x1000 + 145140
16 ssh 0x000247fb 0x1000 + 145403
17 ssh 0x0000c462 0x1000 + 46178
18 ssh 0x0000a251 0x1000 + 37457
19 ssh 0x000042c7 0x1000 + 12999
20 ssh 0x000025f2 0x1000 + 5618
21 ssh 0x0000250d 0x1000 + 5389
Thread 0 crashed with i386 Thread State:
eax: 0x00000000 ebx: 0x90b3880d ecx:0xbfffda7c edx: 0xa4c425a0
edi: 0xb1d255e4 esi: 0xa4c425a0 ebp:0xbfffd9e8 esp: 0xbfffd9b0
ss: 0x0000002f efl: 0x00010246 eip:0x90b37e3a cs: 0x00000027
ds: 0x0000002f es: 0x0000002f fs:0x00000000 gs: 0x00000037
sudo sshd -D -ddd -e -p 10000:
debug2: readserverconfig: filename /etc/sshd_config
debug1: sshd version OpenSSH_3.8.1p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/sshhost_rsakey.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/sshhost_dsakey.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 10000 on ::.
Server listening on :: port 10000.
debug1: Bind to port 10000 on 0.0.0.0.
Server listening on 0.0.0.0 port 10000.
Generating 768 bit RSA key.
RSA key generation complete. <- pause here
debug1: Server will not fork when running in debugging mode.
Connection from ip4 port 50148
debug1: Current Session ID is 00B16810 / Session Attributes are 00008030
debug1: Creating new security session...
debug1: New Session ID is 0F7C2940 / Session Attributes are 00009020
debug1: Client protocol version 2.0; client software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.8.1p1
debug2: Network child is on pid 1101
debug3: preauth child monitor started
debug3: mmrequestreceive entering
debug3: privsep user:group 75:75
debug1: permanentlysetuid: 75/75
debug1: listhostkeytypes: ssh-rsa,ssh-dss
debug3: mmrequestsend entering: type 40
debug3: mmrequest_receiveexpect entering: type 41
debug3: mmrequestreceive entering
debug3: monitor_read: checking request 40
debug1: Miscellaneous failure
No such file or directory
debug3: mmrequestsend entering: type 41
debug3: mmrequestreceive entering
debug1: no credentials for GSSAPI mechanism Kerberos
debug1: SSH2MSGKEXINIT sent
Connection closed by ip4
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpamthreadcleanup entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpamthreadcleanup entering
and
% ssh -vvv -p 10000 $USER@FQDN :
OpenSSH_3.8.1p1, OpenSSL 0.9.7i 14 Oct 2005
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to FQDN [ip4] port 10000.
debug1: Connection established.
debug1: identity file /Users/rpg/.ssh/identity type -1
debug1: identity file /Users/rpg/.ssh/id_rsa type -1
debug1: identity file /Users/rpg/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug3: Trying to reverse map address ip4.
Segmentation fault

10.4.7 fixed this.
But broke iCal. . .
Actually, I never had any problems with 10.4.6, but ssh on my nat'ed Intel Macbook now segfaults when doing reverse mapping after upgrading to 10.4.7.
OpenSSH_3.8.1p1, OpenSSL 0.9.7i 14 Oct 2005
debug1: Reading configuration data /etc/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to amrshampine [10.4.51.45] port 22.
debug1: Connection established.
debug1: identity file /Users/lindkvis/.ssh/identity type -1
debug1: identity file /Users/lindkvis/.ssh/id_rsa type -1
debug1: identity file /Users/lindkvis/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug3: Trying to reverse map address 10.4.51.45.
Macbook White 13" 1.83GHz 1GB Mac OS X (10.4.6)

Not able to login after configuring SSH.Please reply

i have configured AAA on Cisco aeronet 1400 series wireless bridge (AIR-BR1410A-A-K9).After configuring i am not able to login to the device via telnet and via putty.Soon after enabling SSH i am not able to login even through SSH.The below are the commands i have configured on the device.I used to configure the same commands on my Cisco Switches also.
Layer -2
ip domain-name NETS
crypto key generate rsa general-keys modulus 1024
ip ssh version 2
aaa new-model
aaa authentication login Login-LAN group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa accounting exec EXEC-LAN-L2 start-stop group tacacs+
aaa accounting commands 1 Level-1-LAN-L2 start-stop group tacacs+
aaa accounting commands 15 Level-15-LAN-L2 start-stop group tacacs+
tacacs-server host 10.254.0.140 key !n01#zh3r3@|2
line vty 0 4
accounting commands 1 Level-1-LAN-L2
accounting commands 15 Level-15-LAN-L2
accounting exec EXEC-LAN-L2
login authentication Login-LAN
transport input ssh

Hi,
Check out the connectivity between cisco aeronet and TACAS server and what is the failed logs says in tacas server.
If possible try to change the configuration to aaa authentication login Login-LAN(default) group tacacs+ line and then try what exactly happens.
Hope that helps
Regards
Ganesh.H

Cisco ASA 5505 - problem with ssh, icmp on OUTSIDE interface

Hi all,
I have a very strange problem with OUTSIDE interface and remote ssh. Well, I have followed documentation and configure remote access for ssh like this [1.]. If I want to connect from internet to OUTSIDE interface [2.] get no response and in log I can see this message [3.]. I really do not understand why is ssh connection dropped by OUTSIDE access-list [4.]? If I understand documentation correctly there is no impact for remote mangement/access like icmp, ssh, http(s) by interface access-list. So, why?
When I try ssh connection form internal network to INSIDE interface everything works fine and I can log in to ASA. If I try allow ssh in OUTSIDE access-list still no success and a get this message [5.]? It is strange, isn't?
The same problem with icmp if I want to "ping" OUTSIDE interface from internet a get thish message in log [6.] and configuration for ICMP like this [7.].
Full ASA config is in attachment.
Can anybody help how to fix it and explain what is exactly wrong.Thanks.
Regards,
Karel
[1.]
ssh stricthostkeycheck
ssh 10.0.0.0 255.255.255.0 INSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
ASA-FW01# show ssh
Timeout: 60 minutes
Version allowed: 2
10.0.0.0 255.255.255.0 INSIDE
0.0.0.0 0.0.0.0 OUTSIDE
[2.]
ASA-FW01# show nameif
Interface Name Security
Vlan10 INSIDE 100
Vlan20 EXT-VLAN20 0
Vlan30 EXT-WIFI-VLAN30 10
Vlan100 OUTSIDE 0
ASA-FW01# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan10 INSIDE 10.0.0.1 255.255.255.0 CONFIG
Vlan20 EXT-VLAN20 10.0.1.1 255.255.255.0 CONFIG
Vlan30 EXT-WIFI-VLAN30 10.0.2.1 255.255.255.0 CONFIG
Vlan100 OUTSIDE 85.71.188.158 255.255.255.255 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan10 INSIDE 10.0.0.1 255.255.255.0 CONFIG
Vlan20 EXT-VLAN20 10.0.1.1 255.255.255.0 CONFIG
Vlan30 EXT-WIFI-VLAN30 10.0.2.1 255.255.255.0 CONFIG
Vlan100 OUTSIDE 85.71.188.158 255.255.255.255 CONFIG
ASA-FW01# show interface OUTSIDE detail
Interface Vlan100 "OUTSIDE", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
Description: >>VLAN pro pripojeni do internetu<<
MAC address f44e.05d0.6c17, MTU 1480
IP address 85.71.188.158, subnet mask 255.255.255.255
Traffic Statistics for "OUTSIDE":
90008 packets input, 10328084 bytes
60609 packets output, 13240078 bytes
1213 packets dropped
1 minute input rate 15 pkts/sec, 994 bytes/sec
[3.]
Jan 13 2015 06:45:30 ASA-FW01 : %ASA-6-106100: access-list OUTSIDE denied tcp OUTSIDE/193.86.236.70(46085) -> OUTSIDE/85.71.188.158(22) hit-cnt 1 first hit [0xb74026ad, 0x0]
[4.]
access-list OUTSIDE remark =======================================================================================
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended deny ip any any log
access-group OUTSIDE in interface OUTSIDE
[5.]
Jan 12 2015 23:00:46 ASA-FW01 : %ASA-2-106016: Deny IP spoof from (193.86.236.70) to 85.71.188.158 on interface OUTSIDE
[6.]
Jan 13 2015 06:51:16 ASA-FW01 : %ASA-4-400014: IDS:2004 ICMP echo request from 193.86.236.70 to 85.71.188.158 on interface OUTSIDE
[7.]
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.0.0.0 255.0.0.0 INSIDE
icmp permit 10.0.0.0 255.0.0.0 EXT-WIFI-VLAN30
icmp permit any OUTSIDE

You're right that the ACL should not affect otherwise allowed communications to the interface address.
Try disabling the ip audit feature on your outside interface.
no ip audit interface OUTSIDE AP_OUTSIDE_INFO
no ip audit interface OUTSIDE AP_OUTSIDE_ATTACK

Writing a file using ssh in OSB 11g

Hi
OSB 11G
Once I fetch from DB, i am able to write a flat file(delimiter with pipe) using Messaging Service and MFL.
Now, my requirement is to write using SSH .
Can anyone let me know how do I configure it in my Business Service?
Thanks
Edited by: soauser on Jul 12, 2011 9:08 AM

OSB supports SSH File Transfer Protocol (SFTP) using SSH version 2 with SFTP transport -
section "26.5 SFTP Transport" at http://download.oracle.com/docs/cd/E17904_01/doc.1111/e15866/http_poller.htm#i1085854
If existing options are not sufficient, you may also create custom transport using transport SDK and use that in OSB -
http://download.oracle.com/docs/cd/E17904_01/doc.1111/e15866/part_tsdk.htm#sthref954
Regards,
Anuj

Ssh configuration issue by enable UsePrivilegeSeparation

Hi,
I have the following error message after I set UsePrivilegeSeparation yes in /etc/ssh/sshd_configuration file:
. Solaris 10 with default ssh version come with solaris 10
. After I set the line 'UsePrivilegeSeparation yes' then complain about user sshd does not exist so I created the user and ssh started fine.
However, when I try to ssh to the box and won't let me login in, here is the error from messages log:
fatal: Userauth method unknown while starting PAM
Thank you for your help!

https://wiki.archlinux.org/index.php/Fo … s_and_Code

INSTALLING SSH IN SOLARIS 8

Hello,
I�m trying to install openssh in a Solaris 8 machine. I followed these setps:
1.- Install the patch 112438-03 and boot -r
2.- pkgadd -d openssh-4.4p1-sol8-sparc-local
pkgadd -d openssl-0.9.6i-sol8-sparc-local
pkgadd -d zlib-1.2.3-sol8-sparc-local
3.- mkdir /var/empty
chown root:sys /var/empty
chmod 755 /var/empty
groupadd sshd
useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
4.-modify /usr/local/etc/sshd_config (making reference to /usr/local/libexec/sftp-server)
5.-implement the files /etc/hosts.allow and /etc/hosts.deny
6.- NOW I HAVE TRIED THE FOLLOWING ACCORDING WITH THE INSTRUCTIONS IN INSTALL.openssl document:
$ ./config
PROBLEMS: WHERE IS THE "config" script localted? I get the message "ksh: ./config: not found"
Please, help me! How can I follow from this point. I don`t know from where execute the config script.
thanks

Follow this steps recently i did it in a solaris 8 box
hope this will solve your issue
Ssh installation for Solaris 8
Introduction:
Secure shell (SSH) is a protocol that provides a secure, remote connection to any device with ssh support. SSH is a substitute to Berkeley r-tools like telnet, rlogin, rsh and rcp which are not secure. SSH provides more security to any data that is being transported to the Internet by providing more authentication, encryption and authorization procedures. There are currently two versions of SSH available, SSH Version 1 and SSH Version 2
openssh
openssl (SSL)
prngd (Psuedo Random Generator Daemon)
zlib (Z library)
Installation:
#pkgadd -d openssl-0.9.6c-sol8-sparc-local
The following packages are available:
1 SMCosslc openssl
(sparc) 0.9.6c
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:
#pkgadd -d prngd-0.9.23-sol8-sparc-local
The following packages are available:
1 SMCprngd prngd
(sparc) 0.9.23
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:
#pkgadd -d zlib-1.1.4-sol8-sparc-local
The following packages are available:
1 SMCzlib zlib
(sparc) 1.1.4
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:
#pkgadd -d openssh-3.1p1-sol8-sparc-local
The following packages are available:
1 SMCossh openssh
(sparc) 3.1p1
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:
Note:- If you are facing any problem like PRNG is not seeded please apply 112438-01 patch and reboot the system and create a symbolic link
ln -s /devices/pseudo/random@0:random /dev/random
ln -s /devices/pseudo/random@0:urandom /dev/urandom
This is because of missing /dev/random
Create SSHD account and directory
# mkdir /var/empty
# chown root:sys /var/empty
# groupadd sshd
# useradd -g sshd -c "SSHD Admin" -d /var/empty �s /bin/false sshd
Startup Scripts:
Create a startup script for the ssh daemon.
/etc/init.d/sshd
#! /bin/sh
# start/stop the secure shell daemon
case "$1" in
'start')
# Start the ssh daemon
if [ -f /usr/local/sbin/sshd ]; then
echo "starting SSHD daemon"
/usr/local/sbin/sshd &
fi
'stop')
# Stop the ssh deamon
PID=`/usr/bin/ps -e -u 0 | /usr/bin/fgrep sshd | /usr/bin/awk '{print $1}'`
if [ ! -z "$PID" ] ; then
/usr/bin/kill ${PID} >/dev/null 2>&1
fi
echo "usage: /etc/init.d/sshd {start|stop}"
esac
Make the script executable and create a startup script on run level 2.
#sh sshd start
#chmod +x /etc/init.d/sshd
#ln �s /etc/init.d/sshd /etc/rc2.d/S99sshd
Create a startup script for the pseudo random generator daemon.
/etc/init.d/prngd
#! /bin/sh
# start/stop the pseudo random generator daemon
case "$1" in
'start')
# Start the ssh daemon
if [ -f /usr/local/bin/prngd ]; then
echo "starting PRNG daemon"
/usr/local/bin/prngd /var/spool/prngd/pool&
fi
'stop')
# Stop the ssh deamon
PID=`/usr/bin/ps -e -u 0 | /usr/bin/fgrep prngd | /usr/bin/awk '{print $1}'`
if [ ! -z "$PID" ] ; then
/usr/bin/kill ${PID} >/dev/null 2>&1
fi
echo "usage: /etc/init.d/prngd {start|stop}"
esac
Make the script executable and create a startup script on run level 2.
#chmod +x /etc/init.d/prngd
#ln �s /etc/init.d/prngd /etc/rc2.d/S99prngd
# /etc/init.d/prngd start
starting PRNG daemon
Info: Random pool not (yet) seeded
Could not bind socket to /var/spool/prngd/pool: No such file or directory
# mkdir -p /var/spool/prngd
#/etc/init.d/prngd start
starting PRNG daemon
# Info: Random pool not (yet) seeded
Next is to start the actual ssh daemon,
# /etc/init.d/sshd start
starting SSHD daemon
Could not load host key: /usr/local/etc/ssh_host_key
Could not load host key: /usr/local/etc/ssh_host_rsa_key
Could not load host key: /usr/local/etc/ssh_host_dsa_key
Disabling protocol version 1. Could not load host key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.
The errors above are due to the fact that we didn't create any key pairs for our ssh server.
Create a public key pair to support the new, DSA-based version 2 protocol
# /usr/local/bin/ssh-keygen -d -f /usr/local/etc/ssh_host_dsa_key -N ""
Generating public/private dsa key pair.
Your identification has been saved in /usr/local/etc/ssh_host_dsa_key.
Your public key has been saved in /usr/local/etc/ssh_host_dsa_key.pub.
The key fingerprint is:
00:91:f5:8a:55:7c:ac:ff:b7:08:1f:ce:23:aa:f2:79 root@solaris8
Create a public key pair to support the old, RSA-based version 1 protocol
# /usr/local/bin/ssh-keygen -b 1024 -f /usr/local/etc/ssh_host_rsa_key -t rsa -N ""
Generating public/private rsa1 key pair.
Your identification has been saved in /usr/local/etc/ssh_host_rsa_key.
Your public key has been saved in /usr/local/etc/ssh_host_rsa_key.pub.
The key fingerprint is:
8e:b0:1d:8a:22:f2:d2:37:1f:92:96:02:e8:74:ca:ea root@solaris8
Edit ssh daemon configuration file /usr/local/etc/sshd_config, enable protocol 2 and 1
Uncomment the line, that says
protocol 2,1
# /etc/init.d//sshd start
starting SSHD daemon
Thnaks
RK

Obscure SSH Version

Similar Messages

Maybe you are looking for