Re: [Fed-Talk] Disabling sslv2 on ssh
- Subject: Re: [Fed-Talk] Disabling sslv2 on ssh
- From: Rex Sanders <email@hidden>
- Date: Mon, 23 Feb 2009 12:36:27 -0800
Jonathan,
The sshd_config "Protocol" line specifies the SSH protocol version, not the SSL
protocol version. AFAIK, SSH does not use the SSL protocol at all.
SSH version 1 ("Protocol 1") has known design vulnerabilities and should
not be used or allowed.
SSH version 2 ("Protocol 2") is the current standard. SSHv2 has one design
vulnerability with certain widely used ciphering schemes ("CBC mode
encryption"). The vulnerability is difficult to exploit, almost impossible
to exploit quietly, and "can potentially allow an attacker to recover up to
32 bits of plaintext from an arbitrary block of ciphertext".
http://www.kb.cert.org/vuls/id/958563
Workaround - specify only CTR mode encryption. Some clients don't support
CTR mode.
AFAIK, there is no SSH version 3 ("Protocol 3"), so I'm not surprised that
specifying protocol 3 doesn't work.
Wikipedia has some of the history and details:
http://en.wikipedia.org/wiki/Ssh
-- Rex
At 12:04 PM -0800 2/23/09, Losasso, Jonathan E IT3 CCG, N63 wrote:
>
>Anyone know how to force ssh to use sslv3 instead of v2 correctly?
>
>When I change Protocol from 2 to 3 in sshd_config (/etc/sshd_config) I get
>an error when trying to ssh remotely into that machine (ssh
>email@hidden). What am I doing wrong?
>
>Any input is appreciated, thank you!
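A concrete form of the two recommendations in the reply above (SSH-2 only, CTR-mode ciphers only), as an added example that is not code from the original post or from either of its authors: a POSIX shell audit of an sshd_config file that contrasts a constructed weak configuration with its hardened counterpart. The sample configs, the temp-file names and the helper functions `effective_value` and `audit_sshd_config` are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: audit an sshd_config for the
# two settings discussed above (Protocol must not include 1; Ciphers must not
# include CBC modes). The sample configs are constructed for illustration.
# Assumes a POSIX sh with awk, grep, tr, sed and mktemp available.

WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

# "Before": allows SSH-1 fallback and CBC-mode ciphers (constructed sample).
cat >"$WEAK_CFG" <<'EOF'
# /etc/sshd_config (constructed sample)
Protocol 2,1
Ciphers aes128-cbc,3des-cbc,aes256-ctr
EOF

# "After": SSH-2 only, CTR-mode ciphers only (constructed sample).
cat >"$HARD_CFG" <<'EOF'
# /etc/sshd_config (constructed sample, hardened)
Protocol 2
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
EOF

# effective_value FILE KEYWORD
# Prints the value of the first uncommented KEYWORD line. sshd itself uses the
# first occurrence of a keyword, so later duplicates are ignored here as well.
effective_value() {
    awk -v key="$2" '
        tolower($1) == tolower(key) { sub(/^[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE
# Reports each finding; returns 0 when the file is clean, 1 otherwise.
audit_sshd_config() {
    cfg=$1
    rc=0

    proto=$(effective_value "$cfg" Protocol)
    if [ -z "$proto" ]; then
        echo "WARN: no Protocol line; OpenSSH releases before 5.4 default to 2,1"
        rc=1
    else
        case ",$proto," in
            *,1,*) echo "FAIL: Protocol $proto still allows SSH-1"; rc=1 ;;
            *)     echo "ok:   Protocol $proto" ;;
        esac
    fi

    ciphers=$(effective_value "$cfg" Ciphers)
    if [ -z "$ciphers" ]; then
        echo "WARN: no Ciphers line; the built-in default list includes CBC modes"
        rc=1
    else
        # Collect every cipher whose name contains "cbc" (aes128-cbc, 3des-cbc, ...).
        bad=$(printf '%s\n' "$ciphers" | tr ',' '\n' | grep -i cbc | tr '\n' ',' | sed 's/,$//')
        if [ -n "$bad" ]; then
            echo "FAIL: CBC ciphers enabled: $bad"; rc=1
        else
            echo "ok:   Ciphers $ciphers"
        fi
    fi
    return $rc
}

echo "== weak config =="
audit_sshd_config "$WEAK_CFG" || echo "-> would fail review"
echo "== hardened config =="
audit_sshd_config "$HARD_CFG" && echo "-> passes"
```

On a live host running OpenSSH 5.1 or later, `sshd -T` prints the effective configuration after defaults are applied, so its `protocol` and `ciphers` lines are the values to check rather than the file alone. The caveat from the reply still applies: a client that offers no CTR cipher will fail key exchange against the hardened server, so roll the Ciphers change out after confirming which clients need to connect.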
Fed-talk mailing list (email@hidden)