Solved sshd_config and Protocol 2

Hello, it's bee's buzzing again :)

I'm not trying to overstay my welcome, but is this the proper way to set up use of Protocol 2? What does this mean: "The default requires explicit activation of protocol 1"? Is it telling me I have to allow Protocol 1 to take the lead in order to initiate Protocol 2? Or is it saying it doesn't allow Protocol 2 to lead and fall back to Protocol 1 when needed?

My example is backwards. If this doesn't work, I'd rather not deal with Protocol 1 at all. Can it be removed? Would that be OK? My brain must be too small, because I cannot dig these answers up out of ssh(1), and Google or Linux don't seem to have even heard about it. I could just try it, but these kinds of things are too vital. A bunch of trial and error only leads to punching holes in a system.

Explicitly in there?

Also, is it required that I remove the # sign since I changed the port number?

Code:
# *****************************
#Port 2222
#ListenAddress 0.0.0.0
#AddressFamily inet
# *****************************
#
#Protocol 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
#Protocol 1
#HostKey /etc/ssh/ssh_host_key
 
In short: Protocol 1 is pretty much obsolete and sshd won't provide any fallback should protocol 2 fail for some reason. See also sshd_config(5):

Code:
     Protocol
             Specifies the protocol versions sshd(8) supports.  The possible
             values are `1' and `2'.  Multiple versions must be comma-
             separated.  The default is `2'.  Protocol 1 suffers from a number
             of cryptographic weaknesses and should not be used.  It is only
             offered to support legacy devices.
So to answer your question: you don't have to do anything. Protocol 2 is already in effect.
 
Yes, I understand. I also found a good example where -2 must represent Protocol 2. So I should not have to worry about the default; -2 in the command will take precedence. I'm turning into a nervous wreck: blacklist this, guard that against millions of hackers trying to wreak havoc around the world to demand a free meal. It just makes me wonder how in the world Facebook, Uncle Sam, eBay and, I bet, Amazon, who have our credit card and profile, are now coming out of the closet and telling us ALL DAY LONG that they got hacked out of our credit-card info and more months to years ago. Surely they know ssh and all of this security stuff 10,000x better than most of us. The best of the best of the best... and I'm not supposed to have doubts? I would never give up, but it really pisses me off.

Code:
ssh -2 -N -f -L 5023:localhost:23 user@foo.example.com
 
The default configuration for sshd is protocol 2 only.

IOW, you don't have to do anything. You don't have to change the sshd_config file. You don't have to specify -2 with ssh.

There's nothing wrong with using -2, but it will only make a difference when connecting to really old ssh daemons that still support protocol 1.

For all intents and purposes, protocol 1 no longer exists in OpenSSH. You have to jump through a lot of hoops to re-enable it.
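The two practical points in this thread (a line that still begins with `#` does nothing, and the absence of a `Protocol` line means protocol 2 only) can be checked against a config file rather than by guessing. The script below is an added example and is not code from any poster here or from OpenSSH; the helper names `effective_value`, `effective_port`, `check_protocol` and `make_sample` are my own, and the parser is deliberately simple (it mirrors sshd's rule that the first active occurrence of a keyword wins, but ignores `Match` blocks and the `Keyword=value` spelling). The sample config it audits is constructed inline, modelled on the snippet posted above.

```shell
#!/bin/sh
# Added example, not code from any post in this thread or from OpenSSH: a
# small audit of an sshd_config file for the points raised above. Keywords are
# case-insensitive and sshd takes the FIRST active occurrence of a keyword, so
# these helpers do the same. Lines starting with '#' are comments: no effect.

# effective_value FILE KEYWORD
# Prints the value of the first uncommented KEYWORD line, or nothing if absent.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                     # commented-out line: ignored by sshd
        NF < 2     { next }                     # no value on the line
        tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")     # strip the keyword, keep the value
            print
            exit                                # first occurrence wins
        }' "$1"
}

# effective_port FILE
# Prints the port sshd would listen on: the compiled-in default 22 while every
# Port line is still commented out.
effective_port() {
    p=$(effective_value "$1" Port)
    echo "${p:-22}"
}

# check_protocol FILE
# Prints "ok" when only protocol 2 is enabled (including the default case of no
# Protocol line at all) and "legacy" when the active Protocol line lists 1.
check_protocol() {
    v=$(effective_value "$1" Protocol | tr -d ' \t')
    v=${v:-2}                                   # documented default is `2'
    case ",$v," in
        *,1,*) echo legacy ;;
        *)     echo ok ;;
    esac
}

# make_sample FILE
# Writes a constructed config modelled on the snippet posted above: every
# Port and Protocol line is still commented out, one HostKey is active.
make_sample() {
    cat > "$1" <<'EOF'
# *****************************
#Port 2222
#ListenAddress 0.0.0.0
# *****************************
#Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
#Protocol 1
#HostKey /etc/ssh/ssh_host_key
EOF
}

# Demo: audit the constructed sample, then the same file with the lines uncommented.
sample=$(mktemp)
make_sample "$sample"
echo "commented config: port=$(effective_port "$sample") protocol=$(check_protocol "$sample")"
printf 'Port 2222\nProtocol 2\n' > "$sample"
echo "edited config:    port=$(effective_port "$sample") protocol=$(check_protocol "$sample")"
rm -f "$sample"
```

Run it against a real file with `effective_port /etc/ssh/sshd_config` after sourcing the script; on the posted config the commented `#Port 2222` still yields 22, which is the answer to the "do I remove the # sign" question, and the absence of an active `Protocol` line yields `ok`, matching the replies above. On a live system, `sshd -T` prints the effective configuration and is the authoritative check.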
 