RE: [Fed-Talk] Disabling sslv2 on ssh
- Subject: RE: [Fed-Talk] Disabling sslv2 on ssh
- From: "Losasso, Jonathan E IT3 CCG, N63" <email@hidden>
- Date: Mon, 23 Feb 2009 12:41:46 -0800
- Thread-topic: [Fed-Talk] Disabling sslv2 on ssh
Well that explains it, thanks for the quick responses!
Back to the problem that brought me to this. How would I go about disabling
sslv2 completely and revert to v3 in leopard? I can't seem to find much
documentation on it.
Thanks again.
-Jonathan
-----Original Message-----
From: Rex Sanders [mailto:email@hidden]
Sent: Monday, February 23, 2009 12:36
To: Losasso, Jonathan E IT3 CCG, N63; email@hidden
Subject: Re: [Fed-Talk] Disabling sslv2 on ssh
Jonathan,
sshd_config "Protocol" line specifies the SSH protocol version, not SSL
protocol version. AFAIK, SSH does not use the SSL protocol at all.
SSH version 1 ("Protocol 1") has known design vulnerabilities and should not
be used or allowed.
SSH version 2 ("Protocol 2") is the current standard. SSHv2 has one design
vulnerability with certain widely used ciphering schemes ("CBC mode
encryption"). The vulnerability is difficult to exploit, almost impossible
to exploit quietly, and "can potentially allow an attacker to recover up to
32 bits of plaintext from an arbitrary block of ciphertext".
http://www.kb.cert.org/vuls/id/958563
Workaround - specify only CTR mode encryption. Some clients don't support
CTR mode.
AFAIK, there is no SSH version 3 ("Protocol 3"), so I'm not surprised that
specifying protocol 3 doesn't work.
Wikipedia has some of the history and details:
http://en.wikipedia.org/wiki/Ssh
-- Rex
At 12:04 PM -0800 2/23/09, Losasso, Jonathan E IT3 CCG, N63 wrote:
>Anyone know how to force ssh to use sslv3 instead of v2 correctly?
>
>When I change Protocol from 2 to 3 in sshd_config (/etc/sshd_config) I
>get an error when trying to ssh remotely into that machine (ssh
>email@hidden). What am I doing wrong?
>
>Any input is appreciated, thank you!
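Rex's reply comes down to two sshd_config settings: keep "Protocol" at 2 only (no SSHv1 fallback) and, as a workaround for the CBC-mode issue, restrict "Ciphers" to CTR-mode algorithms. The script below is an added example, not part of the thread and not Apple or OpenSSH code; it audits a given sshd_config for both points. It assumes OpenSSH's "Protocol" and "Ciphers" keywords and OpenSSH's own cipher names (aes128-ctr, aes192-ctr, aes256-ctr); the sample config it writes is constructed for the demonstration. Newer OpenSSH releases dropped SSHv1 entirely, so on those only the Ciphers check still carries weight.

```sh
#!/bin/sh
# Added example: audit an sshd_config for SSH protocol version and CBC ciphers.
# Assumes OpenSSH keyword names ("Protocol", "Ciphers"); sample values are constructed.

# Print the effective value of a keyword: last non-comment occurrence wins,
# keyword matched case-insensitively as sshd does.
sshd_get() {
    # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); val = $0 }
        END { print val }
    ' "$1"
}

# Return 0 if Protocol is exactly "2" (so "2,1" and "1" both fail), else 1.
check_protocol() {
    proto=$(sshd_get "$1" Protocol)
    [ "$proto" = "2" ]
}

# Return 0 if a Ciphers line exists and names no CBC-mode cipher, else 1.
# An absent Ciphers line falls back to sshd's defaults, which (in 2009) included CBC.
check_ciphers() {
    ciphers=$(sshd_get "$1" Ciphers)
    [ -n "$ciphers" ] || return 1
    case "$ciphers" in
        *cbc*) return 1 ;;
    esac
    return 0
}

# Write a constructed sample sshd_config so the audit can run offline.
write_sample() {
    # $1 = output path, $2 = Protocol value, $3 = Ciphers value
    cat > "$1" <<EOF
# constructed sample sshd_config (not a real host's file)
Protocol $2
Ciphers $3
PermitRootLogin no
EOF
}

# Audit one file: print one FINDING per problem, return non-zero if any.
audit_sshd_config() {
    rc=0
    check_protocol "$1" || { echo "FINDING: Protocol should be 2, got '$(sshd_get "$1" Protocol)'"; rc=1; }
    check_ciphers "$1"  || { echo "FINDING: Ciphers missing or allows CBC: '$(sshd_get "$1" Ciphers)'"; rc=1; }
    return $rc
}

# Usage on a live system (Leopard keeps the file at /etc/sshd_config):
#   audit_sshd_config /etc/sshd_config
```

A passing configuration for this audit is `Protocol 2` plus `Ciphers aes128-ctr,aes192-ctr,aes256-ctr`; restart sshd after editing, and keep in mind Rex's caveat that some clients cannot negotiate CTR mode and will be locked out.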
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden