RE: [Fed-Talk] Disabling sslv2 on ssh
- Subject: RE: [Fed-Talk] Disabling sslv2 on ssh
- From: "Losasso, Jonathan E IT3 CCG, N63" <email@hidden>
- Date: Mon, 23 Feb 2009 13:20:37 -0800
- Thread-topic: [Fed-Talk] Disabling sslv2 on ssh
Rex is correct about ssh; in my haste I was under the wrong impression that
ssh used ssl as a backbone for encryption.
My problem is with ssl, specifically openssl that ships with Leopard. In
order to be compliant with DoD standards (which uses retina) I am trying to
disable sslv2 and force sslv3 instead. In a perfect world I would be able to
disable ssl completely, yet as we all know nothing is perfect :). It seems
the server admin tool uses openssl on port 311, which is using v2. So you can
see my need to force v3 if at all possible. Any documentation floating
around on this?
-Jonathan
-----Original Message-----
From: Roy Mendelssohn [mailto:email@hidden]
Sent: Monday, February 23, 2009 13:09
To: Losasso, Jonathan E IT3 CCG, N63
Cc: email@hidden
Subject: Re: [Fed-Talk] Disabling sslv2 on ssh
As Rex pointed out, ssh only has protocol up to version 2 AFAIK.
There is a version 3 protocol for sftp, but that is what is most commonly
used. Can you provide a URL to ssh-3?
-Roy
On Feb 23, 2009, at 12:41 PM, Losasso, Jonathan E IT3 CCG, N63 wrote:
> Well that explains it, thanks for the quick responses!
>
> Back to the problem that brought me to this. How would I go about
> disabling sslv2 completely and revert to v3 in leopard? I can't seem to find
> much documentation on it.
>
> Thanks again.
>
> -Jonathan
>
> -----Original Message-----
> From: Rex Sanders [mailto:email@hidden]
> Sent: Monday, February 23, 2009 12:36
> To: Losasso, Jonathan E IT3 CCG, N63; email@hidden
> Subject: Re: [Fed-Talk] Disabling sslv2 on ssh
>
> Jonathan,
>
> sshd_config "Protocol" line specifies the SSH protocol version, not
> SSL protocol version. AFAIK, SSH does not use the SSL protocol at
> all.
>
> SSH version 1 ("Protocol 1") has known design vulnerabilities and
> should not be used or allowed.
>
> SSH version 2 ("Protocol 2") is the current standard. SSHv2 has one
> design vulnerability with certain widely used ciphering schemes ("CBC
> mode encryption"). The vulnerability is difficult to exploit, almost
> impossible to exploit quietly, and "can potentially allow an attacker
> to recover up to 32 bits of plaintext from an arbitrary block of ciphertext".
> http://www.kb.cert.org/vuls/id/958563
> Workaround - specify only CTR mode encryption. Some clients don't
> support CTR mode.
>
> AFAIK, there is no SSH version 3 ("Protocol 3"), so I'm not surprised
> that specifying protocol 3 doesn't work.
>
> Wikipedia has some of the history and details:
> http://en.wikipedia.org/wiki/Ssh
>
> -- Rex
>
>
> At 12:04 PM -0800 2/23/09, Losasso, Jonathan E IT3 CCG, N63 wrote:
>> Anyone know how to force ssh to use sslv3 instead of v2 correctly?
>>
>> When I change Protocol from 2 to 3 in sshd_config (/etc/sshd_config) I
>> get an error when trying to ssh remotely into that machine (ssh
>> email@hidden). What am I doing wrong?
>>
>> Any input is appreciated, thank you!
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
> .gov
>
> This email sent to email@hidden
**********************
"The contents of this message do not reflect any position of the U.S.
Government or NOAA."
**********************
Roy Mendelssohn
Supervisory Operations Research Analyst
NOAA/NMFS
Environmental Research Division
Southwest Fisheries Science Center
1352 Lighthouse Avenue
Pacific Grove, CA 93950-2097
e-mail: email@hidden (Note new e-mail address)
voice: (831)-648-9029
fax: (831)-648-8440
www: http://www.pfeg.noaa.gov/
"Old age and treachery will overcome youth and skill."
"From those who have been given much, much will be expected"
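As an added example, not code from any of the posters in this thread, the script below checks an sshd_config against the two points Rex makes: the "Protocol" keyword controls the SSH protocol version (1 is insecure, 3 does not exist), and CBC-mode ciphers are the ones affected by the advisory he cites, with CTR-only ciphers as the workaround. It reads keywords the way sshd does (comments ignored, keyword case-insensitive, first occurrence wins), reports findings, and writes a hardened copy that keeps everything else and pins Protocol 2 with CTR ciphers. The sample config, the function names and the temporary-file handling are my own assumptions; the cipher names are standard OpenSSH ones.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the SSH
# "Protocol" setting and CBC-mode ciphers, then emit a hardened copy.

# Constructed sample standing in for /etc/sshd_config; the values are made
# up so that every check below fires at least once.
SAMPLE_CONFIG=$(mktemp)
cat >"$SAMPLE_CONFIG" <<'EOF'
# sample sshd_config (constructed for this example)
Port 22
Protocol 2,1
Ciphers aes128-cbc,3des-cbc,aes128-ctr
PermitRootLogin no
EOF

# Print the effective value of a keyword. Like sshd_config(5): comment
# lines are skipped, keywords are case-insensitive, and for each keyword
# the first value found is the one used.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key && !seen { val = $2; seen = 1 }
        END { print val }' "$1"
}

# Print one FINDING line per problem; return 1 if anything was found.
audit_sshd_config() {
    rc=0
    proto=$(sshd_option "$1" Protocol)
    if [ -z "$proto" ]; then
        echo "FINDING: Protocol not set; older OpenSSH releases default to 2,1"
        rc=1
    fi
    case ",$proto," in
        *,1,*) echo "FINDING: Protocol allows SSH-1 ($proto)"; rc=1 ;;
    esac
    case ",$proto," in
        *,3,*) echo "FINDING: Protocol 3 does not exist; sshd will reject it"; rc=1 ;;
    esac
    ciphers=$(sshd_option "$1" Ciphers)
    # An unset Ciphers keyword means the built-in default list, which on
    # OpenSSH releases of this era includes CBC modes.
    if [ -z "$ciphers" ] || echo "$ciphers" | grep -q 'cbc'; then
        echo "FINDING: CBC-mode ciphers enabled (${ciphers:-default list})"
        rc=1
    fi
    return $rc
}

# Write a hardened copy to stdout: drop existing Protocol/Ciphers lines,
# keep everything else, and append Protocol 2 with CTR ciphers only
# (the workaround Rex cites; clients that lack CTR support will then fail).
harden_sshd_config() {
    awk '
        /^[[:space:]]*#/ { print; next }
        tolower($1) == "protocol" || tolower($1) == "ciphers" { next }
        { print }' "$1"
    printf 'Protocol 2\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n'
}

HARDENED_CONFIG=$(mktemp)
harden_sshd_config "$SAMPLE_CONFIG" >"$HARDENED_CONFIG"

# Usage: audit both copies; the temp files are left in place for inspection.
echo "== sample =="
audit_sshd_config "$SAMPLE_CONFIG" || true
echo "== hardened =="
audit_sshd_config "$HARDENED_CONFIG" && echo "no findings"
```

Run it against a real file by replacing SAMPLE_CONFIG with the path to the live sshd_config; the hardened output should be reviewed and then installed by hand, since sshd only reads it on restart.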