RE: [Fed-Talk] Disabling sslv2 on ssh
- Subject: RE: [Fed-Talk] Disabling sslv2 on ssh
- From: "Losasso, Jonathan E IT3 CCG, N63" <email@hidden>
- Date: Mon, 23 Feb 2009 14:43:38 -0800
- Thread-topic: [Fed-Talk] Disabling sslv2 on ssh
That would be a nice option, however we are actually using server admin to
manage multiple servers. Worst case scenario we could disable 311, therefore
disabling server admin. Only problem with that is making changes to our
other servers would require a lot more work. It's a solution, just a dirty
one.
Thanks for all your help
-----Original Message-----
From: van Bronkhorst, Erik W. (CHLK)
Sent: Monday, February 23, 2009 14:36
To: Losasso, Jonathan E IT3 CCG, N63
Subject: Re: [Fed-Talk] Disabling sslv2 on ssh
Can you just disable port 311, or are you actually using server admin?
--
Code 471600D Erik van Bronkhorst
NAVAIRWARCENWPNDIV
1900 N KNOX ROAD STOP 6510 bldg 00005 rm 2015 China Lake CA 93555-6106
> From: "Losasso, Jonathan E IT3 CCG, N63" <email@hidden>
> Date: Mon, 23 Feb 2009 14:30:07 -0800
> To: <email@hidden>
> Subject: RE: [Fed-Talk] Disabling sslv2 on ssh
>
> Tim - We are running the latest version of openssl 0.9.8j, had to compile
> on my own as apple is sometimes slow to release updates, so not exactly the
> version that ships with leopard.
>
> Erik - That does help a lot actually. However it seems the article is
> geared more towards web servers. I guess I am really not explaining the issue
> clearly enough. So I will try to take one more stab at it. We are not
> running a web server; the only service that is running that uses SSL is
> the 'server admin' tool which listens on port 311. I am currently trying to
> track down a conf file so I can disable sslv2 which it seems bent on
> using. Originally I was trying to disable sslv2 system wide which doesn't seem
> possible and/or would break server admin. I can't seem to locate the conf
> file that server admin uses nor any start up scripts that show it being
> loaded.
>
> -jonathan
>
> -----Original Message-----
> From: Miller, Timothy J. [mailto:email@hidden]
> Sent: Monday, February 23, 2009 13:58
> To: Losasso, Jonathan E IT3 CCG, N63; email@hidden
> Subject: Re: [Fed-Talk] Disabling sslv2 on ssh
>
> On 2/23/09 3:20 PM, "Losasso, Jonathan E IT3 CCG, N63"
> <email@hidden> wrote:
>
>> Rex is correct about ssh, in my haste I was under the wrong impression
>> that ssh used ssl as a backbone for encryption.
>>
>> My problem is with ssl, specifically openssl that ships with Leopard.
>> In order to be compliant with DoD standards (which uses retina) I am
>> trying to disable sslv2 and force sslv3 instead. In a perfect world I
>> would be able to disable ssl completely, yet as we all know nothing is
>> perfect :) . It seems the server admin tool uses openssl on port 311
>> which is using v2. So you can see my need to force v3 if at all
>> possible. Any documentation floating around on this?
>
> You have a more fundamental problem: The version of OpenSSL that ships
> with OS X does not include the FIPS 140-2 certified module.
>
> -- Tim
>
> -----Original Message-----
> From: van Bronkhorst, Erik W. (CHLK)
> Sent: Monday, February 23, 2009 13:59
> To: Losasso, Jonathan E IT3 CCG, N63
> Subject: Re: [Fed-Talk] Disabling sslv2 on ssh
>
> http://www.macosxhints.com/article.php?story=20041129143420344
> does this help?
>
> make sure to note the entry titled
> A better SSLCipherSuite
>
> By: MartySells on Fri, Dec 3 2004 at 11:21PM PST The original hint had:
> SSLCipherSuite
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> I would suggest the following instead:
> SSLCipherSuite
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL
>
> This setting will disable SSL version 2 (which has security problems) as
> well as weak ciphers (LOW, EXP).
>
> [snip]
>
>
> WR
> Erik
>
> --
> Code 471600D Erik van Bronkhorst
> NAVAIRWARCENWPNDIV
> 1900 N KNOX ROAD STOP 6510 bldg 00005 rm 2015 China Lake CA 93555-6106
>
>
>
>> From: "Losasso, Jonathan E IT3 CCG, N63" <email@hidden>
>> Date: Mon, 23 Feb 2009 13:20:37 -0800
>> To: <email@hidden>
>> Subject: RE: [Fed-Talk] Disabling sslv2 on ssh
>>
>> Rex is correct about ssh, in my haste I was under the wrong impression
>> that ssh used ssl as a backbone for encryption.
>>
>> My problem is with ssl, specifically openssl that ships with Leopard. In
>> order to be compliant with DoD standards (which uses retina) I am trying
>> to disable sslv2 and force sslv3 instead. In a perfect world I would be able
>> to disable ssl completely, yet as we all know nothing is perfect :) . It
>> seems the server admin tool uses openssl on port 311 which is using v2. So you
>> can see my need to force v3 if at all possible. Any documentation floating
>> around on this?
>>
>> -Jonathan
>>
>> -----Original Message-----
>> From: Roy Mendelssohn [mailto:email@hidden]
>> Sent: Monday, February 23, 2009 13:09
>> To: Losasso, Jonathan E IT3 CCG, N63
>> Cc: email@hidden
>> Subject: Re: [Fed-Talk] Disabling sslv2 on ssh
>>
>> As Rex pointed out, ssh only has protocol up to version 2 AFAIK.
>> There is a version 3 protocol for sftp, but that is what is most
>> commonly used. Can you provide a URL to ssh-3?
>>
>> -Roy
>>
>> On Feb 23, 2009, at 12:41 PM, Losasso, Jonathan E IT3 CCG, N63 wrote:
>>
>>> Well that explains it, thanks for the quick responses!
>>>
>>> Back to the problem that brought me to this. How would I go about
>>> disabling sslv2 completely and revert to v3 in leopard? I can't seem to find
>>> much documentation on it.
>>>
>>> Thanks again.
>>>
>>> -Jonathan
>>>
>>> -----Original Message-----
>>> From: Rex Sanders [mailto:email@hidden]
>>> Sent: Monday, February 23, 2009 12:36
>>> To: Losasso, Jonathan E IT3 CCG, N63; email@hidden
>>> Subject: Re: [Fed-Talk] Disabling sslv2 on ssh
>>>
>>> Jonathan,
>>>
>>> sshd_config "Protocol" line specifies the SSH protocol version, not
>>> SSL protocol version. AFAIK, SSH does not use the SSL protocol at
>>> all.
>>>
>>> SSH version 1 ("Protocol 1") has known design vulnerabilities and
>>> should not be used or allowed.
>>>
>>> SSH version 2 ("Protocol 2") is the current standard. SSHv2 has one
>>> design vulnerability with certain widely used ciphering schemes ("CBC
>>> mode encryption"). The vulnerability is difficult to exploit, almost
>>> impossible to exploit quietly, and "can potentially allow an attacker
>>> to recover up to 32 bits of plaintext from an arbitrary block of ciphertext".
>>> http://www.kb.cert.org/vuls/id/958563
>>> Workaround - specify only CTR mode encryption. Some clients don't
>>> support CTR mode.
>>>
>>> AFAIK, there is no SSH version 3 ("Protocol 3"), so I'm not surprised
>>> that specifying protocol 3 doesn't work.
>>>
>>> Wikipedia has some of the history and details:
>>> http://en.wikipedia.org/wiki/Ssh
>>>
>>> -- Rex
>>>
>>>
>>> At 12:04 PM -0800 2/23/09, Losasso, Jonathan E IT3 CCG, N63 wrote:
>>>>
>>>> Anyone know how to force ssh to use sslv3 instead of v2 correctly?
>>>>
>>>> When I change Protocol from 2 to 3 in sshd_config (/etc/sshd_config) I
>>>> get an error when trying to ssh remotely into that machine (ssh
>>>> email@hidden). What am I doing wrong?
>>>>
>>>> Any input is appreciated, thank you!
>>> _______________________________________________
>>> Do not post admin requests to the list. They will be ignored.
>>> Fed-talk mailing list (email@hidden)
>>> Help/Unsubscribe/Update your Subscription:
>>> .gov
>>>
>>> This email sent to email@hidden
>>
>> **********************
>> "The contents of this message do not reflect any position of the U.S.
>> Government or NOAA."
>> **********************
>> Roy Mendelssohn
>> Supervisory Operations Research Analyst
>> NOAA/NMFS
>> Environmental Research Division
>> Southwest Fisheries Science Center
>> 1352 Lighthouse Avenue
>> Pacific Grove, CA 93950-2097
>>
>> e-mail: email@hidden (Note new e-mail address)
>> voice: (831)-648-9029
>> fax: (831)-648-8440
>> www: http://www.pfeg.noaa.gov/
>>
>> "Old age and treachery will overcome youth and skill."
>> "From those who have been given much, much will be expected"
>>
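The original and suggested SSLCipherSuite strings quoted above differ only in the sign in front of LOW, SSLv2, EXP and eNULL. This added example (not from the thread, Apple or OpenSSL) is a simplified evaluator of OpenSSL's cipher-string rules, run over a constructed sample cipher table, to show why the '+' form still leaves SSLv2 enabled: '+' only reorders suites already in the list, whereas '!' removes them for good.

```python
# Added example (not from the thread): a simplified evaluator for OpenSSL/Apache
# SSLCipherSuite strings. CIPHERS is a constructed sample, not OpenSSL's real list.
CIPHERS = [
    ("DES-CBC3-SHA",        {"SSLv3", "RSA", "HIGH", "3DES"}),
    ("RC4-SHA",             {"SSLv3", "RSA", "MEDIUM", "RC4"}),
    ("RC4-MD5",             {"SSLv3", "RSA", "MEDIUM", "RC4"}),
    ("DES-CBC-SHA",         {"SSLv3", "RSA", "LOW", "DES"}),
    ("EXP-RC4-MD5",         {"SSLv3", "RSA", "EXP", "EXPORT40", "RC4"}),
    ("EXP1024-DES-CBC-SHA", {"SSLv3", "RSA", "EXP", "EXPORT56", "DES"}),
    ("NULL-SHA",            {"SSLv3", "RSA", "eNULL"}),
    ("ADH-DES-CBC3-SHA",    {"SSLv3", "ADH", "aNULL", "HIGH", "3DES"}),
    ("DES-CBC3-MD5",        {"SSLv2", "RSA", "HIGH", "3DES"}),
    ("RC2-CBC-MD5",         {"SSLv2", "RSA", "MEDIUM", "RC2"}),
    ("DES-CBC-MD5",         {"SSLv2", "RSA", "LOW", "DES"}),
    ("EXP-RC2-CBC-MD5",     {"SSLv2", "RSA", "EXP", "EXPORT40", "RC2"}),
]
TAGS = dict(CIPHERS)
WEAK = {"SSLv2", "LOW", "EXP", "eNULL", "ADH"}   # classes the hint wants gone

def matches(name, pattern):
    """'A+B' requires every tag; the keyword ALL excludes eNULL suites."""
    for part in pattern.split("+"):
        if part == "ALL":
            if "eNULL" in TAGS[name]:
                return False
        elif part not in TAGS[name]:
            return False
    return True

def evaluate(spec):
    """Enabled suites, in order, for an SSLCipherSuite string (no @STRENGTH)."""
    active, killed = [], set()
    for item in filter(None, spec.split(":")):
        op, pat = (item[0], item[1:]) if item[0] in "!-+" else ("", item)
        hit = [n for n, _ in CIPHERS if matches(n, pat)]
        if op == "!":                 # delete permanently
            killed.update(hit)
            active = [n for n in active if n not in hit]
        elif op == "-":               # delete, but a later word may re-add
            active = [n for n in active if n not in hit]
        elif op == "+":               # only reorders suites already present
            active = [n for n in active if n not in hit] + [n for n in active if n in hit]
        else:                         # a plain word appends new suites
            active += [n for n in hit if n not in active and n not in killed]
    return active

def weak_suites(spec):
    """Suites a string leaves enabled that belong to a class in WEAK."""
    return [n for n in evaluate(spec) if TAGS[n] & WEAK]

# The two strings from the macosxhints entry quoted in the thread.
ORIGINAL  = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
SUGGESTED = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL"
```

With the sample table, weak_suites(ORIGINAL) still lists six SSLv2, LOW or export suites, while weak_suites(SUGGESTED) is empty and only the 3DES and RC4 RSA suites remain.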