Solved

SSH Protocol

Posted on 2009-05-14
3
2,413 Views
Last Modified: 2012-06-27
I have a client who is trying to take Credit card payments for his website. To do this he had to become PCI compliant. To satisfy the PCI compliancy regs we are using a company called Security Metrics. They have scanned the system and all is well with one exception:

"The remote service offers an insecure cryptographic protocol. Description : The remote SSH daemon supports connections made using the version 1.33 and/or 1.5 of the SSH protocol. These protocols are not completely cryptographically safe so they should not be used. Solution: Disable compatibility with version 1 of the protocol"

Basically I have to disable protocol 1 of SSH but I have no idea how to do this and neither do Security Metrics. I have tried 'googling' the question and it appears this is the answer but I do not know how to do this / find the location.

"SSH has two protocols it may use, protocol 1 and protocol 2. The older protocol 1 is less secure and should be disabled unless you know that you specifically require it. Look for the following line in the /etc/ssh/sshd_config file, uncomment it and amend as shown:
# Protocol 2,1
Protocol 2
and restart the sshd service"

My client has a very simple setup as follows:

Windows XP Pro with SP3
AVG Free Edition version 8.0
Linksys ADSL Router with no blocked ports

Any help would be much appreciated.

Cheers
0
Comment
Question by:Norbert2000
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 35

Expert Comment

by:torimar
ID: 24384020
You forgot the most important piece of information: which SSH server is your client running?

I assume it will be OpenSSH, and I also assume it will be directly installed, not via Cygwin.

In this case, you should find the configuration file (sshd_config) in the installation folder of OpenSSH, most likely either in: c:\program files\openssh\ or in: c:\program files\openssh\etc\

Before you apply the changes you quoted in your post, make sure the server is not running. In a command prompt terminal, type:
net stop opensshd

After having applied the changes, restart the server typing:
net start opensshd
0
 
LVL 2

Accepted Solution

by:
stagira earned 500 total points
ID: 24384731
Hi,

yes, you need to change in the sshd_config, the token Protocol.

to find these file, you can scan all your harddire, or the process list with a tool like Procexp:

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

find the process sshd, it wil tell you were it live, then in the sshd_config change

# Protocol 2,1
Protocol 2


then restart the process.

Now, it should accept only SSHv2 connections.

Regards
0
 
LVL 35

Expert Comment

by:torimar
ID: 24450197
Norbert2000,

good to see you resolved your issue.
But didn't my comment say pretty much the same as the comment you chose for a solution? And didn't I say it even earlier?

It would have been only fair to at least split points between both comments.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question