LinuxQuestions.org
Old 04-24-2004, 09:58 PM   #1
icehenge
Member
 
Registered: Jan 2004
Location: Tennessee
Distribution: Slackware 8.1 (KDE 3.0.1)
Posts: 69

Rep: Reputation: 15
SSH Vulnerability for Slackware 8.1


Hello

I run one service on my Slackware 8.1 system and that is SSH.
This banner was displayed when I'd telnet to the SSH port.
(banner grabbing for details)
SSH-1.99-OpenSSH_3.2.3p1

And 'ssh -V' displayed
OpenSSH_3.2.3p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f

Now I've read the security bulletins at the slackware site.
http://www.slackware.org/security/

I downloaded and upgraded OpenSSH with this package
'openssh-3.7.1p2-i386-1.tgz'
Restarted SSH and now the banners that are displayed are:

SSH-1.99-OpenSSH_3.7.1p2

And 'ssh -V'
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.6d 9 May 2002


Now I'm a bit confused: am I running SSH-1.99 & OpenSSH_3.7.1p2?
Why both?

This SANS article http://www.sans.org/top20/#u8 suggests upgrading
to SSH2.

Also I do not understand why the slackware security site does make
note of SSH, only openSSH issues.

Could you help explain this?

Last edited by icehenge; 04-24-2004 at 10:00 PM.
 
Old 04-24-2004, 10:06 PM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
The confusion is because you're looking at two different things.

a) The OpenSSH software version (i.e. what version of the OpenSSH software suite)
b) The protocol version(s) of SSH that are supported

SSH has versions 1.33, 1.5, and 2.0. 1.99 just means it will support both 1.x and 2.0. Those are the versions of the SSH protocol that are implemented by OpenSSH. There are weaknesses in the SSH protocol prior to 2.0, so that is why it's recommended to only use protocol version 2.0.

There were also several vulnerabilities in the OpenSSH software prior to 3.7.1p1 (or p2 if you use PAM).
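
The distinction explained in this reply, as an added example that is not part of the original post: the identification banner has the form `SSH-<protocol version>-<software version>`, so the two values can be split and the protocol field checked on its own. The function name `classify_banner` is an assumption; the sample banners are the ones quoted in this thread.

```shell
#!/bin/sh
# Added example: split an SSH identification banner into the protocol
# version and the software version, and report whether the server still
# offers SSH protocol 1.

classify_banner() {
    banner=$1
    cr=$(printf '\r')
    banner=${banner%"$cr"}        # banners arrive CRLF-terminated; drop the CR
    case $banner in
        SSH-*-*) ;;
        *) echo "invalid"; return 1 ;;
    esac
    rest=${banner#SSH-}           # e.g. "1.99-OpenSSH_3.2.3p1"
    proto=${rest%%-*}             # text before the first '-': "1.99"
    software=${rest#*-}           # text after the first '-'
    software=${software%% *}      # drop any trailing comment field
    case $proto in
        2.0)  v1=no ;;            # protocol 2 only
        1.99) v1=yes ;;           # protocol 2 plus 1.x compatibility
        1.*)  v1=yes ;;           # protocol 1 only
        *)    v1=unknown ;;
    esac
    echo "proto=$proto software=$software sshv1_offered=$v1"
}

# Banners quoted in the thread: before the upgrade, after the upgrade,
# and after restricting the daemon to protocol 2.
for b in "SSH-1.99-OpenSSH_3.2.3p1" \
         "SSH-1.99-OpenSSH_3.7.1p2" \
         "SSH-2.0-OpenSSH_3.7.1p2"; do
    classify_banner "$b"
done
```

The second banner shows why the upgrade alone did not change the protocol field: the software version moved to 3.7.1p2 while the daemon still offered protocol 1.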
 
Old 04-25-2004, 01:48 AM   #3
icehenge
Member
 
Registered: Jan 2004
Location: Tennessee
Distribution: Slackware 8.1 (KDE 3.0.1)
Posts: 69

Original Poster
Rep: Reputation: 15
Hi, Thanks for explaining that.

I've edited the protocol line in
/etc/ssh/ssh_config

It now reads
Protocol 2
Instead of Protocol 2,1

The result is "SSH-2.0-OpenSSH_3.7.1p2"

I've tested this with remote SSH software (putty) and protocol one is denied access.


I have one other question though regarding your comment on PAM and version p2.
According to this article: http://www.kb.cert.org/vuls/id/602204
p2 was the fix for the PAM issue?
Or was there another later issue with PAM and p2.

This is a section from my sshd_config
As I understand uncomment lines are the default values.
Excluding for the last section on PAM enabling and thus disabling PasswordAuthentication.

Does this look to be secure?


# Authentication:

#LoginGraceTime 600
PermitRootLogin no
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes
 
Old 04-25-2004, 03:10 AM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
You have PAM auth enabled. 3.7.1p1 was still vulnerable, p2 has the fix for the PAM vulnerability. Since you're running 3.7.1p2, you're OK.

FYI the syntax for sshd_config and ssh_config is to have all the defaults commented out (preceded by a '#'). If you want to change the behavior from default, for instance for PAMAuthenticationViaKbdInt, then you would change the line to read like this:

PAMAuthenticationViaKbdInt no

Notice the '#' was removed and the "yes" changed to "no". If you simply remove the '#' it will have no effect (i.e. "yes" is the default). You'll have to stop/start sshd after making changes to the config file. You can also "kill" the PID with a -HUP signal, which should cause it to reload the config.
 
Old 04-25-2004, 03:44 AM   #5
icehenge
Member
 
Registered: Jan 2004
Location: Tennessee
Distribution: Slackware 8.1 (KDE 3.0.1)
Posts: 69

Original Poster
Rep: Reputation: 15
Thanks for your help.
I'm glad SSH is secured.
 
Old 05-19-2004, 10:17 PM   #6
cjdock
Member
 
Registered: Oct 2003
Distribution: slackware9.1
Posts: 44

Rep: Reputation: 16
I changed both /etc/ssh/ssh_config and sshd_config to read Protocol 2 without the #, I then rebooted the box but can still connect with putty using version 1 only and ssh -V shows SSH protocols 1.5/2.0 still. I went back and made sure my changes to the file were still there and they are. Any idea what I'm doing wrong? Thanks.
 
Old 05-22-2004, 05:58 PM   #7
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Make sure your ssh init script is actually using the config file (sshd_config) from /etc/ssh. It may be loading a specific config script (/etc/ssh/slack_sshd_config, just for example). Also, only sshd_config controls the version that the daemon uses. ssh_config is a system-wide default for using the ssh command. It can be overridden by a local ssh_config in the user's home .ssh directory (i.e. it's for clients, not for daemons).
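
One way to check which Protocol value a given daemon config file actually sets, as an added example that is not part of the original thread. The function names, the temporary sample files and their contents are constructed for illustration; point `effective_protocol` at whichever file the init script really passes to sshd. It assumes the first uncommented occurrence of a keyword is the one that counts.

```shell
#!/bin/sh
# Added example: report the Protocol value a given sshd config file sets.
# Lines starting with '#' are comments, so "#Protocol 2" changes nothing;
# the keyword match is case-insensitive and the first active line is used.

effective_protocol() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable"; return; }
    value=$(awk '
        /^[ \t]*#/ || NF == 0 { next }                # comments, blank lines
        tolower($1) == "protocol" { print $2; exit }  # first active match
    ' "$conf")
    echo "${value:-unset}"
}

sshv1_allowed() {
    case $(effective_protocol "$1") in
        unreadable) echo unknown ;;
        unset)      echo default ;;   # no active line: built-in default applies
        2)          echo no ;;
        *1*)        echo yes ;;       # "1", "2,1" or "1,2"
        *)          echo unknown ;;
    esac
}

# Constructed sample files (not taken from any real host).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' '# Authentication:' '#Protocol 2' 'PermitRootLogin no' \
    > "$SAMPLE_DIR/commented.conf"
printf '%s\n' 'Protocol 2,1' 'PermitRootLogin no' > "$SAMPLE_DIR/both.conf"
printf '%s\n' '  protocol 2' '#Protocol 2,1' > "$SAMPLE_DIR/v2only.conf"

for f in commented both v2only; do
    printf '%-10s Protocol=%-6s sshv1_allowed=%s\n' "$f" \
        "$(effective_protocol "$SAMPLE_DIR/$f.conf")" \
        "$(sshv1_allowed "$SAMPLE_DIR/$f.conf")"
done
```

A result of `default` means the file leaves the decision to the daemon's built-in default, which is the case to look for when a change appears to have had no effect.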
 
  

