Posted on 2009-05-14
I have a client who is trying to take credit card payments for his website. To do this he had to become PCI compliant. To satisfy the PCI compliance regs we are using a company called Security Metrics. They have scanned the system and all is well with one exception:
"The remote service offers an insecure cryptographic protocol. Description : The remote SSH daemon supports connections made using the version 1.33 and/or 1.5 of the SSH protocol. These protocols are not completely cryptographically safe so they should not be used. Solution: Disable compatibility with version 1 of the protocol"
Basically I have to disable protocol 1 of SSH, but I have no idea how to do this and neither do Security Metrics. I have tried googling the question and it appears this is the answer, but I do not know how to do this or where to find the file.
"SSH has two protocols it may use, protocol 1 and protocol 2. The older protocol 1 is less secure and should be disabled unless you know that you specifically require it. Look for the following line in the /etc/ssh/sshd_config file, uncomment it and amend as shown:
# Protocol 2,1
and restart the sshd service"
My client has a very simple setup as follows:
Windows XP Pro with SP3
AVG Free Edition version 8.0
Linksys ADSL Router with no blocked ports
Any help would be much appreciated.
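The fix quoted in the post (uncomment the Protocol line in sshd_config and leave only version 2) is easy to get wrong by hand, and the scanner finding can only be closed if the daemon that actually answers on port 22 stops offering version 1. The script below is an added example, not part of the original post or of OpenSSH: it rewrites the Protocol directive in an sshd_config (handling the commented-out default, an existing "2,1" line, and a config with no Protocol line at all), checks the result, and classifies an SSH server banner, since the first line a server sends ("SSH-1.99-..." means both versions are offered, "SSH-2.0-..." means version 2 only, "SSH-1.5-..." means version 1 only) tells you whether the change took effect. The sshd_config text inside the script is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): make sshd speak SSH protocol 2
# only, and classify a server's version banner to confirm it.
# Assumes OpenSSH sshd_config syntax. The config below is a constructed sample.

# Rewrite the Protocol directive, commented out or not, to "Protocol 2".
# If the config has no Protocol line at all, append one. stdin -> stdout.
fix_protocol() {
    awk '
        /^[[:space:]]*#?[[:space:]]*Protocol[[:space:]]/ {
            if (!done) { print "Protocol 2"; done = 1 }
            next
        }
        { print }
        END { if (!done) print "Protocol 2" }
    '
}

# Return 0 only if an uncommented "Protocol 2" line is present and no
# Protocol line still lists version 1 (e.g. "Protocol 2,1" or "Protocol 1").
config_is_v2_only() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*Protocol[[:space:]]/ { seen = 1; if ($2 != "2") bad = 1 }
        END { exit (seen && !bad) ? 0 : 1 }
    '
}

# Classify the banner line a server sends on connect, e.g. "SSH-1.99-OpenSSH_4.3".
# 1.99 = both v1 and v2 offered, 2.0 = v2 only, 1.x = v1 only.
banner_protocols() {
    case "$1" in
        SSH-1.99-*) echo "v1+v2" ;;
        SSH-2.0-*)  echo "v2" ;;
        SSH-1.*)    echo "v1" ;;
        *)          echo "unknown" ;;
    esac
}

# Constructed sample of a 2009-era default sshd_config: the Protocol line is
# commented out, which on OpenSSH of that era meant the default "2,1" applied.
SAMPLE_CONFIG='# Protocol 2,1
Port 22
PermitRootLogin no'

if [ "${1:-}" = "--demo" ]; then
    FIXED=$(printf '%s\n' "$SAMPLE_CONFIG" | fix_protocol)
    printf '%s\n' "$FIXED"
    config_is_v2_only "$FIXED" && echo "config: protocol 2 only"
    banner_protocols "SSH-1.99-OpenSSH_4.3"
fi
```

To apply it to a real host, run `fix_protocol < /etc/ssh/sshd_config > sshd_config.new`, diff the two files, install the new one and restart sshd. Then fetch the live banner from outside the network (a TCP connect to port 22 returns it before any authentication; any netcat-style tool will show it) and feed that line to banner_protocols; the finding is closed only when the answer is "v2". Since none of the devices listed in the post is a Linux host, the banner is also the quickest way to identify which device on the public address is actually answering on port 22.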