Ssh version
I get the following output when I type in ssh -V on the console...I am using Solaris 9.
SSH Version Sun_SSH_1.0, protocol versions 1.5/2.0.
Does this mean that the ssh version is ssh protocol v 2?
It means that your SSH version is "Sun's SSH 1.0". However, Sun's SSH is just a certain version of OpenSSH (can't remember which one) with a new name.
The SSH in question supports the SSH protocols 1.5 and 2.0.
Currently there are three SSH protocols that I know of, the first one was 1 (highly insecure), followed by 1.5 (not too secure either) and lastly 2.0 (fairly secure unless you got one with a security bug in :-)
//Magnus
Similar Messages
-
I have devices loaded but new devices keep getting this error "Authentication failed on device 3 times. Failed to detect SSH version running on the device. PRIMARY-STARTUP config Fetch Operation failed for TFTP" - while trying to get configurations. I am using LMS 3.0.1
I tried to TELNET on devices via Putty port 22 no good. Please help?
Name | Version | License Status | Size
CiscoWorks Common Services | 3.1.1 | Licensed | Not applicable
Campus Manager | 5.0.3 | Purchased | 1500
CiscoView | 6.1.7 | Licensed | Not applicable
CiscoWorks Assistant | 1.0.1 | Licensed | Not applicable
Device Fault Manager | 3.0.3 | Purchased | 1500
Internetwork Performance Monitor | 4.0.1 | Purchased | 1500
Integration Utility | 1.7.1 | Licensed | Not applicable
LMS Portal | 1.0.1 | Licensed | Not applicable
Resource Manager Essentials | 4.1.1 | Purchased | 1500
Device Name: R2020012_01
SysObjectID: .1.3.6.1.4.1.9.1.576
Model: Cisco 2811 Integrated Services Router
Device Status: Normal
Inventory Status: Success
Inventory Last Updated Time: Jan 13 2011 10:43:49 EST
Config Status: Failed
Config Last Updated Time: Jan 13 2011 10:37:24 EST
-
CiscoWorks2k RME3.5 IDU 9.0 ssh version 2 ???
Does anyone know when ssh v2 will be supported or I missed something?
It seems like I can manage my devices with telnet or ssh v1. Having been able to do much with all of my ssh v2 devices.
I heard that support for SSH version 2 will be added in the next release of CiscoWorks, maybe in 1st quarter of 2005.
-
Difference ssh version 1 and version 2
Hi, can anyone say what is the difference ssh version 1 and version 2?
SSH protocol, version 2 | SSH protocol, version 1
Separate transport, authentication, and connection protocols | One monolithic protocol
Strong cryptographic integrity check | Weak CRC-32 integrity check; admits an insertion attack in conjunction with some bulk ciphers.
Supports password changing | N/A
Any number of session channels per connection (including none) | Exactly one session channel per connection (requires issuing a remote command even when you don't want one)
Full negotiation of modular cryptographic and compression algorithms, including bulk encryption, MAC, and public-key | Negotiates only the bulk cipher; all others are fixed
Encryption, MAC, and compression are negotiated separately for each direction, with independent keys | The same algorithms and keys are used in both directions (although RC4 uses separate keys, since the algorithm's design demands that keys not be reused)
Extensible algorithm/protocol naming scheme allows local extensions while preserving interoperability | Fixed encoding precludes interoperable additions
User authentication methods: publickey (DSA, RSA*, OpenPGP); hostbased; password (Rhosts dropped due to insecurity) | Supports a wider variety: public-key (RSA only); RhostsRSA; password; Rhosts (rsh-style); TIS; Kerberos
Use of Diffie-Hellman key agreement removes the need for a server key | Server key used for forward secrecy on the session key
Supports public-key certificates | N/A
User authentication exchange is more flexible, and allows requiring multiple forms of authentication for access. | Allows for exactly one form of authentication per session.
hostbased authentication is in principle independent of client network address, and so can work with proxying, mobile clients, etc. (though this is not currently implemented). | RhostsRSA authentication is effectively tied to the client host address, limiting its usefulness.
periodic replacement of session keys | N/A
-
On a recent security audit we were hit because our Cisco devices revealed their SSH version.
Is there any way to fix that?
I don't believe so. We've had auditors complain about the version (v1 vs v2), but never about it showing the version.
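Added example (not part of the original posts): the string such audits read is the identification line that RFC 4253 has every SSH server send before key exchange, and its first field shows which protocol versions the server offers. The Python below parses that line and flags servers that still offer protocol 1; the banners and addresses in SAMPLE are constructed, and the function names are chosen here.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# The software field is matched as \S+ because real devices put '-' in it
# (e.g. "Cisco-1.25") although the RFC excludes that character.
IDENT_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")


def parse_ident(line):
    """Split an identification string into protocol field, software, comments."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    proto, software, comments = m.groups()
    return {"proto": proto, "software": software, "comments": comments or ""}


def offered_protocols(proto):
    """Map the protoversion field to the protocol major versions on offer."""
    if proto == "2.0":
        return {2}
    if proto == "1.99":          # RFC 4253 section 5.1: server speaks 1.x and 2.0
        return {1, 2}
    if proto.startswith("1."):   # 1.3, 1.5: protocol 1 only
        return {1}
    return set()                 # unknown value, leave for manual review


def audit(banners):
    """Return (host, software, verdict) for each host -> banner entry."""
    findings = []
    for host, line in sorted(banners.items()):
        try:
            ident = parse_ident(line)
        except ValueError:
            findings.append((host, "", "unparseable"))
            continue
        offered = offered_protocols(ident["proto"])
        if 1 in offered:
            verdict = "ssh1-offered"
        elif offered == {2}:
            verdict = "ssh2-only"
        else:
            verdict = "unknown-protoversion"
        findings.append((host, ident["software"], verdict))
    return findings


# Constructed sample banners on documentation addresses, not captured from real devices.
SAMPLE = {
    "192.0.2.10": "SSH-2.0-Cisco-1.25\r\n",
    "192.0.2.11": "SSH-1.99-OpenSSH_3.7.1p2\r\n",
    "192.0.2.12": "SSH-1.5-Cisco-1.25\r\n",
    "192.0.2.13": "220 ftp ready\r\n",
}

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row)
```

A banner of SSH-1.99 is what a server configured for both protocols sends, so it is the value to look for after setting a device to version 2 only.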
-
Hi,
I have an issue between my Iomega/EMC NAS and the DRS of my CUCMs.
It's OK with a 8.6 CUCM and NOK with 7.1.3 and 8.0.3.
I would like to know the SSH version in SFTP protocol used by the DRS service for the three versions.
Thank you for your help.
BR
Michael,
I had the same question, so this is very helpful and I appreciate it.
Emmanuel,
I have a current issue with SFTP to a NAS and am curious if you were able to resolve. My storage engineers were also concerned about SSH version compatibility. -
SSH Version Supported by Access Points
Hi,
I'm hoping this is an easy question...so apologies if it appears facile, but I can't find a definitive answer in any Cisco docs I've looked through.
When access points are used with a WLC, it's possible to allow the access points to accept SSH connections (Under the advanced tab of the AP config).
My question is this: which version of SSH will be used when SSH sessions are created to the AP? (SSH v2?)
All of the data sheets etc. talk about SSH support, but give no version details.
Thanks in advance.
Nigel.
Hi Nigel,
Scott is right (as usual)
Just to confirm, I accessed a CAPWAP AP and looked at the #sh derived-config and this was the only SSH output shown, with SSH enabled on the AP:
ip ssh version 2
So, it looks like only SSH2 is allowed. Just to let you know the code ver was 7.0.116.0
Rocky -
PCI Audit - SSH version 3 & above
Hi,
Suggest which version of ASA IOS version supports SSH ver. 3.0 & above. I'm currently having IOS 8.2 (5) version.
Regards
Alexander M
Hi Alex,
ASA currently supports only version 1 & 2.
Thanks,
Varun Rao
Security Team,
Cisco TAC -
Cisco IDS 4250XL - SSH protocol versions supported
I recently had a vulnerability scan completed and "SSH protocol versions supported" showed up in it for my IDS. Has anyone come across this and if so, how am I able to mitigate it. Is there a way to change the SSH version on the device?
What vulnerability is being asserted in the OpenSSH implementation of SSH protocol version 1?
I have not seen a new problem discovered in more than three years in the SSH protocol version 1. OpenSSH-3.7.1p2 contains all the fixes for all vulnerabilities that I am aware of.
When a vulnerability assessment recommends shutting down SSH protocol version 1, they need to back it up with some facts to show that SSH1 as implemented in the IDS 4.x sensor is insecure.
=====
That having been said, you can disable SSH protocol version 1 by editing /etc/ssh/sshd_config and restarting the service. What you will lose is the ability to manage keys in the IDS CLI. So you cannot use authorized keys to log into the sensor.
The "copy scp:..." and "upgrade scp:..." commands will fail. When you start an SSH2 client, it will refuse to connect to the remote server because it won't trust the host key.
You also won't be able to manage network devices to perform blocking using the SSH protocol. -
Not able to login after configuring SSH. Please reply
I have configured AAA on Cisco Aironet 1400 series wireless bridge (AIR-BR1410A-A-K9). After configuring I am not able to login to the device via telnet and via putty. Soon after enabling SSH I am not able to login even through SSH. The below are the commands I have configured on the device. I used to configure the same commands on my Cisco Switches also.
Layer -2
ip domain-name NETS
crypto key generate rsa general-keys modulus 1024
ip ssh version 2
aaa new-model
aaa authentication login Login-LAN group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa accounting exec EXEC-LAN-L2 start-stop group tacacs+
aaa accounting commands 1 Level-1-LAN-L2 start-stop group tacacs+
aaa accounting commands 15 Level-15-LAN-L2 start-stop group tacacs+
tacacs-server host 10.254.0.140 key !n01#zh3r3@|2
line vty 0 4
accounting commands 1 Level-1-LAN-L2
accounting commands 15 Level-15-LAN-L2
accounting exec EXEC-LAN-L2
login authentication Login-LAN
transport input ssh
Hi,
Check out the connectivity between the Cisco Aironet and the TACACS server and what the failed logs say in the TACACS server.
If possible try to change the configuration to aaa authentication login Login-LAN(default) group tacacs+ line and then try what exactly happens.
Hope that helps
Regards
Ganesh.H -
Cisco ASA 5505 - problem with ssh, icmp on OUTSIDE interface
Hi all,
I have a very strange problem with OUTSIDE interface and remote ssh. Well, I have followed documentation and configured remote access for ssh like this [1.]. If I want to connect from internet to OUTSIDE interface [2.] I get no response and in log I can see this message [3.]. I really do not understand why the ssh connection is dropped by OUTSIDE access-list [4.]? If I understand documentation correctly there is no impact for remote management/access like icmp, ssh, http(s) by interface access-list. So, why?
When I try ssh connection from internal network to INSIDE interface everything works fine and I can log in to ASA. If I try to allow ssh in OUTSIDE access-list still no success and I get this message [5.]? It is strange, isn't it?
The same problem with icmp: if I want to "ping" OUTSIDE interface from internet I get this message in log [6.] and configuration for ICMP like this [7.].
Full ASA config is in attachment.
Can anybody help how to fix it and explain what is exactly wrong.
Thanks.
Regards,
Karel
[1.]
ssh stricthostkeycheck
ssh 10.0.0.0 255.255.255.0 INSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
ASA-FW01# show ssh
Timeout: 60 minutes
Version allowed: 2
10.0.0.0 255.255.255.0 INSIDE
0.0.0.0 0.0.0.0 OUTSIDE
[2.]
ASA-FW01# show nameif
Interface Name Security
Vlan10 INSIDE 100
Vlan20 EXT-VLAN20 0
Vlan30 EXT-WIFI-VLAN30 10
Vlan100 OUTSIDE 0
ASA-FW01# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan10 INSIDE 10.0.0.1 255.255.255.0 CONFIG
Vlan20 EXT-VLAN20 10.0.1.1 255.255.255.0 CONFIG
Vlan30 EXT-WIFI-VLAN30 10.0.2.1 255.255.255.0 CONFIG
Vlan100 OUTSIDE 85.71.188.158 255.255.255.255 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan10 INSIDE 10.0.0.1 255.255.255.0 CONFIG
Vlan20 EXT-VLAN20 10.0.1.1 255.255.255.0 CONFIG
Vlan30 EXT-WIFI-VLAN30 10.0.2.1 255.255.255.0 CONFIG
Vlan100 OUTSIDE 85.71.188.158 255.255.255.255 CONFIG
ASA-FW01# show interface OUTSIDE detail
Interface Vlan100 "OUTSIDE", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
Description: >>VLAN pro pripojeni do internetu<<
MAC address f44e.05d0.6c17, MTU 1480
IP address 85.71.188.158, subnet mask 255.255.255.255
Traffic Statistics for "OUTSIDE":
90008 packets input, 10328084 bytes
60609 packets output, 13240078 bytes
1213 packets dropped
1 minute input rate 15 pkts/sec, 994 bytes/sec
[3.]
Jan 13 2015 06:45:30 ASA-FW01 : %ASA-6-106100: access-list OUTSIDE denied tcp OUTSIDE/193.86.236.70(46085) -> OUTSIDE/85.71.188.158(22) hit-cnt 1 first hit [0xb74026ad, 0x0]
[4.]
access-list OUTSIDE remark =======================================================================================
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended deny ip any any log
access-group OUTSIDE in interface OUTSIDE
[5.]
Jan 12 2015 23:00:46 ASA-FW01 : %ASA-2-106016: Deny IP spoof from (193.86.236.70) to 85.71.188.158 on interface OUTSIDE
[6.]
Jan 13 2015 06:51:16 ASA-FW01 : %ASA-4-400014: IDS:2004 ICMP echo request from 193.86.236.70 to 85.71.188.158 on interface OUTSIDE
[7.]
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.0.0.0 255.0.0.0 INSIDE
icmp permit 10.0.0.0 255.0.0.0 EXT-WIFI-VLAN30
icmp permit any OUTSIDE
You're right that the ACL should not affect otherwise allowed communications to the interface address.
Try disabling the ip audit feature on your outside interface.
no ip audit interface OUTSIDE AP_OUTSIDE_INFO
no ip audit interface OUTSIDE AP_OUTSIDE_ATTACK -
Writing a file using ssh in OSB 11g
Hi
OSB 11G
Once I fetch from DB, I am able to write a flat file (delimiter with pipe) using Messaging Service and MFL.
Now, my requirement is to write using SSH .
Can anyone let me know how do I configure it in my Business Service?
Thanks
Edited by: soauser on Jul 12, 2011 9:08 AM
OSB supports SSH File Transfer Protocol (SFTP) using SSH version 2 with SFTP transport -
section "26.5 SFTP Transport" at http://download.oracle.com/docs/cd/E17904_01/doc.1111/e15866/http_poller.htm#i1085854
If existing options are not sufficient, you may also create custom transport using transport SDK and use that in OSB -
http://download.oracle.com/docs/cd/E17904_01/doc.1111/e15866/part_tsdk.htm#sthref954
Regards,
Anuj -
Ssh configuration issue by enable UsePrivilegeSeparation
Hi,
I have the following error message after I set UsePrivilegeSeparation yes in /etc/ssh/sshd_configuration file:
. Solaris 10 with default ssh version come with solaris 10
. After I set the line 'UsePrivilegeSeparation yes' then complain about user sshd does not exist so I created the user and ssh started fine.
However, when I try to ssh to the box and won't let me login in, here is the error from messages log:
fatal: Userauth method unknown while starting PAM
Thank you for your help!
https://wiki.archlinux.org/index.php/Fo … s_and_Code
-
Hello,
I'm trying to install openssh in a Solaris 8 machine. I followed these steps:
1.- Install the patch 112438-03 and boot -r
2.- pkgadd -d openssh-4.4p1-sol8-sparc-local
pkgadd -d openssl-0.9.6i-sol8-sparc-local
pkgadd -d zlib-1.2.3-sol8-sparc-local
3.- mkdir /var/empty
chown root:sys /var/empty
chmod 755 /var/empty
groupadd sshd
useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
4.-modify /usr/local/etc/sshd_config (making reference to /usr/local/libexec/sftp-server)
5.-implement the files /etc/hosts.allow and /etc/hosts.deny
6.- NOW I HAVE TRIED THE FOLLOWING ACCORDING WITH THE INSTRUCTIONS IN INSTALL.openssl document:
$ ./config
PROBLEMS: WHERE IS THE "config" script located? I get the message "ksh: ./config: not found"
Please, help me! How can I follow from this point. I don't know from where execute the config script.
thanks
Follow these steps, recently I did it on a Solaris 8 box
hope this will solve your issue
Ssh installation for Solaris 8
Introduction:
Secure shell (SSH) is a protocol that provides a secure, remote connection to any device with ssh support. SSH is a substitute to Berkeley r-tools like telnet, rlogin, rsh and rcp which are not secure. SSH provides more security to any data that is being transported to the Internet by providing more authentication, encryption and authorization procedures. There are currently two versions of SSH available, SSH Version 1 and SSH Version 2
openssh
openssl (SSL)
prngd (Pseudo Random Generator Daemon)
zlib (Z library)
Installation:
#pkgadd -d openssl-0.9.6c-sol8-sparc-local
The following packages are available:
1 SMCosslc openssl
(sparc) 0.9.6c
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:
#pkgadd -d prngd-0.9.23-sol8-sparc-local
The following packages are available:
1 SMCprngd prngd
(sparc) 0.9.23
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:
#pkgadd -d zlib-1.1.4-sol8-sparc-local
The following packages are available:
1 SMCzlib zlib
(sparc) 1.1.4
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:
#pkgadd -d openssh-3.1p1-sol8-sparc-local
The following packages are available:
1 SMCossh openssh
(sparc) 3.1p1
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:
Note:- If you are facing any problem like PRNG is not seeded please apply 112438-01 patch and reboot the system and create a symbolic link
ln -s /devices/pseudo/random@0:random /dev/random
ln -s /devices/pseudo/random@0:urandom /dev/urandom
This is because of missing /dev/random
Create SSHD account and directory
# mkdir /var/empty
# chown root:sys /var/empty
# groupadd sshd
# useradd -g sshd -c "SSHD Admin" -d /var/empty -s /bin/false sshd
Startup Scripts:
Create a startup script for the ssh daemon.
/etc/init.d/sshd
#! /bin/sh
# start/stop the secure shell daemon
case "$1" in
'start')
    # Start the ssh daemon if the binary is installed
    if [ -f /usr/local/sbin/sshd ]; then
        echo "starting SSHD daemon"
        /usr/local/sbin/sshd &
    fi
    ;;
'stop')
    # Stop the ssh daemon: find root-owned sshd processes and kill them
    PID=`/usr/bin/ps -e -u 0 | /usr/bin/fgrep sshd | /usr/bin/awk '{print $1}'`
    if [ ! -z "$PID" ] ; then
        /usr/bin/kill ${PID} >/dev/null 2>&1
    fi
    ;;
*)
    # Any other argument: print usage
    echo "usage: /etc/init.d/sshd {start|stop}"
    ;;
esac
Make the script executable and create a startup script on run level 2.
#sh sshd start
#chmod +x /etc/init.d/sshd
#ln -s /etc/init.d/sshd /etc/rc2.d/S99sshd
Create a startup script for the pseudo random generator daemon.
/etc/init.d/prngd
#! /bin/sh
# start/stop the pseudo random generator daemon
case "$1" in
'start')
    # Start the prngd daemon if the binary is installed
    if [ -f /usr/local/bin/prngd ]; then
        echo "starting PRNG daemon"
        /usr/local/bin/prngd /var/spool/prngd/pool&
    fi
    ;;
'stop')
    # Stop the prngd daemon: find root-owned prngd processes and kill them
    PID=`/usr/bin/ps -e -u 0 | /usr/bin/fgrep prngd | /usr/bin/awk '{print $1}'`
    if [ ! -z "$PID" ] ; then
        /usr/bin/kill ${PID} >/dev/null 2>&1
    fi
    ;;
*)
    # Any other argument: print usage
    echo "usage: /etc/init.d/prngd {start|stop}"
    ;;
esac
Make the script executable and create a startup script on run level 2.
#chmod +x /etc/init.d/prngd
#ln -s /etc/init.d/prngd /etc/rc2.d/S99prngd
# /etc/init.d/prngd start
starting PRNG daemon
Info: Random pool not (yet) seeded
Could not bind socket to /var/spool/prngd/pool: No such file or directory
# mkdir -p /var/spool/prngd
#/etc/init.d/prngd start
starting PRNG daemon
# Info: Random pool not (yet) seeded
Next is to start the actual ssh daemon,
# /etc/init.d/sshd start
starting SSHD daemon
Could not load host key: /usr/local/etc/ssh_host_key
Could not load host key: /usr/local/etc/ssh_host_rsa_key
Could not load host key: /usr/local/etc/ssh_host_dsa_key
Disabling protocol version 1. Could not load host key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.
The errors above are due to the fact that we didn't create any key pairs for our ssh server.
Create a public key pair to support the new, DSA-based version 2 protocol
# /usr/local/bin/ssh-keygen -d -f /usr/local/etc/ssh_host_dsa_key -N ""
Generating public/private dsa key pair.
Your identification has been saved in /usr/local/etc/ssh_host_dsa_key.
Your public key has been saved in /usr/local/etc/ssh_host_dsa_key.pub.
The key fingerprint is:
00:91:f5:8a:55:7c:ac:ff:b7:08:1f:ce:23:aa:f2:79 root@solaris8
Create a public key pair to support the old, RSA-based version 1 protocol
# /usr/local/bin/ssh-keygen -b 1024 -f /usr/local/etc/ssh_host_rsa_key -t rsa -N ""
Generating public/private rsa1 key pair.
Your identification has been saved in /usr/local/etc/ssh_host_rsa_key.
Your public key has been saved in /usr/local/etc/ssh_host_rsa_key.pub.
The key fingerprint is:
8e:b0:1d:8a:22:f2:d2:37:1f:92:96:02:e8:74:ca:ea root@solaris8
Edit ssh daemon configuration file /usr/local/etc/sshd_config, enable protocol 2 and 1
Uncomment the line, that says
protocol 2,1
# /etc/init.d//sshd start
starting SSHD daemon
Thanks
RK -
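Added example (not from the posts above): both the IDS answer about editing /etc/ssh/sshd_config and the "protocol 2,1" step in this walkthrough come down to the Protocol line. The Python below reports which Protocol line an OpenSSH-style sshd honours (the first one it reads) and whether that line enables protocol 1; the sample configs are constructed and the function name is chosen here.

```python
import re


def audit_protocol(config_text):
    """Report which Protocol line sshd honours and whether it enables SSH-1."""
    seen = []  # (line number, version list) for every active Protocol line
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored by sshd
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        # Keywords are case-insensitive: "protocol 2,1" equals "Protocol 2,1".
        if len(parts) < 2 or parts[0].lower() != "protocol":
            continue
        versions = [v.strip() for v in parts[1].split(",") if v.strip()]
        seen.append((lineno, versions))
    if not seen:
        # No active line: the daemon's built-in default applies, and that
        # default differs between sshd releases, so flag it for a manual check.
        return {"status": "not-set", "line": None, "versions": [], "ignored_lines": []}
    lineno, versions = seen[0]  # first obtained value wins; later lines are dead
    return {
        "status": "ssh1-enabled" if "1" in versions else "ssh2-only",
        "line": lineno,
        "versions": versions,
        "ignored_lines": [n for n, _ in seen[1:]],
    }


# Constructed sample configs.
WALKTHROUGH = """# constructed sample in the style of the walkthrough
Port 22
protocol 2,1
HostKey /usr/local/etc/ssh_host_rsa_key
HostKey /usr/local/etc/ssh_host_dsa_key
"""
# A "fix" appended at the bottom does nothing while the earlier line remains.
SHADOWED = "Protocol 2,1\nPermitRootLogin no\nProtocol 2\n"
COMMENTED = "#Protocol 2,1\nPort 22\n"
HARDENED = "Protocol 2\n"

if __name__ == "__main__":
    for name, text in [("walkthrough", WALKTHROUGH), ("shadowed", SHADOWED),
                       ("commented", COMMENTED), ("hardened", HARDENED)]:
        print(name, audit_protocol(text))
```

The SHADOWED case is the one worth checking on real hosts: a later "Protocol 2" line shows up in a quick grep but is not the value the daemon uses.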
SSH local database username and password not working
I have a weird issue. I recently setup an ASA 5510 and had SSH working. To make it easier on my VPN users I then decided I wanted to setup a Windows 2008 Network Policy Server for RADIUS authentication. Ever since I added the RADIUS part to aaa authentication, when I use SSH to connect to the ASA it will not take the local user name and password I have setup. I can however get in using a Domain user name and password. Below is the SSH and AAA configuration. Am I missing something here? The username and password in the ASA is not on the domain and it's like the ASA is not even trying LOCAL when it tries to authenticate. I want it to use the local username and password if possible. I'm kind of new to ASA's..
On another note, I have never been able to SSH in on the internal interface. I always get a "The remote system refused the connection" error message. I can only use the outside interface.
Site-ASA# sh run | in ssh
aaa authentication ssh console SERVER_RADIUS LOCAL
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
Site-ASA# sh run | in aaa
aaa-server SERVER_RADIUS protocol radius
aaa-server SERVER_RADIUS (inside) host 10.0.0.6
aaa authentication ssh console SERVER_RADIUS LOCAL
aaa authentication http console SERVER_RADIUS LOCAL
Site-ASA#
If there are any other config that would help I would be more than happy to display them
Thanks!
Thanks for the reply. I was just coming in to update this because you are exactly correct. For some reason I kept thinking that if the authentication failed via RADIUS it would use local which is not the case.
Problem (or no problem) resolved.