Posted by: Mangesh_Linux_Administrator | November 8, 2010

sshd FAQ


What are the differences between the two versions of the SSH protocol?

Most of the differences between the two versions are in the details of the protocol and are transparent to users. Protocol 2 provides additional mechanisms for confidentiality (the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) and integrity (hmac-md5, hmac-sha1). Note that protocol 1 lacks a strong mechanism for ensuring the integrity of the connection.

Unix users will notice that some auxiliary files have new names. Public keys are now stored in ~/.ssh/authorized_keys2 instead of ~/.ssh/authorized_keys and the host keys are stored in ~/.ssh/authorized_hosts2 instead of ~/.ssh/authorized_hosts.

If you are staying with the same client and changing only the protocol version, defaults such as X11 forwarding and the forwarding of a connection to your authentication agent should remain unchanged. On the other hand, if you need to install a new client, it is worth checking and modifying the defaults, as they might not be the same as for your old client (see: Why isn’t my X11 connection and/or connection to my authentication agent forwarded by default, as it used to be?).

Note also that the older versions of the F-Secure SSH software commonly used under Windows and older Macintosh operating systems may not support both SSHv1 and v2.

How can I check whether my client supports Protocol version 2?

Most clients can be forced to use SSHv2 by specifying a -2 option on the command line. For example:

% ssh -2 franklin.nersc.gov

Try to use this option with your client.

The Windows F-Secure SSH client, starting with v 5.2, supports both protocols and automatically adjusts its protocol version to match server requirements. If you are using this product, check the version you have and upgrade if necessary.

How can I make v2 my default?

You may have determined that you can force your client to use protocol v2, and yet find that it reverts to v1 by default. This happens when v1 is set as the default in the client configuration. Most Unix clients have two places where this can be set. One of them is the user’s ~/.ssh/config. Check whether you have such a file and, if you do, check whether it contains the line: Protocol 1. Removing this line, or changing it to Protocol 2, should solve your problem. If you have no such file, or no such line in the file, it may be specified in the /etc/ssh/ssh_config file (on Linux; check with your sys admin for other flavors of Unix). You can either ask your system administrator to replace it with Protocol 2,1 (try v2 first, fall back to v1) or just create/edit your ~/.ssh/config and place the line: Protocol 2 in it; the client reads your own file first, so that line takes precedence over the system-wide setting. For other clients check the documentation or contact the vendor.

Why isn’t my X11 connection and/or connection to my authentication agent forwarded by default, as it used to be?

If you are staying with the same client and changing only the protocol version, the defaults, such as X11 forwarding and forwarding connections to your authentication agent, should remain unchanged. On the other hand, if you had to install a new client, it is worth checking and modifying the defaults, as they might not be the same as for your old client. On Linux hosts the defaults for the SSH client are stored in /etc/ssh/ssh_config, and in F-Secure SSH (the Windows client) you can access them via Edit Settings. For other SSH clients check the documentation provided by your vendor.

If the SSH client configuration files are owned by root and you have no permission to modify them, then you can force X11 and/or authentication agent forwarding either by using command-line parameters (-A for the authentication agent and -X for X11 forwarding) or by modifying your ~/.ssh/config (add ForwardX11 yes for X11 forwarding and ForwardAgent yes for authentication agent forwarding). Those steps should be viewed as temporary, and you should contact your system administrator to make permanent changes to the system defaults (especially for X11 forwarding).
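The two answers above both come down to how the OpenSSH client resolves an option: ~/.ssh/config is read before /etc/ssh/ssh_config, and for each option the first value found wins. The script below is an added example, not part of the NERSC FAQ, that reports the effective value of an option across those two files and prepends "Protocol 2" to the user file when v1 would otherwise win. It works on constructed stand-in files in a temporary directory (the real paths are ~/.ssh/config and /etc/ssh/ssh_config), and it only considers global settings, i.e. lines outside any Host/Match block or inside a "Host *" block; host-specific blocks are deliberately ignored.

```shell
#!/bin/sh
# Added example (not part of the NERSC FAQ): show which value ssh(1) will
# actually use for a client option. The client reads ~/.ssh/config first and
# /etc/ssh/ssh_config second, and for every option the FIRST value found wins,
# which is why a "Protocol 1" in the system file is overridden by putting
# "Protocol 2" in your own file. Only global settings are considered here:
# lines before any Host/Match block, or inside a "Host *" block.

# Usage: ssh_effective_option OPTION DEFAULT CONFIG_FILE...
# Prints the first value found for OPTION across the files, else DEFAULT.
ssh_effective_option() {
    opt=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); dflt=$2; shift 2
    for f in "$@"; do
        [ -r "$f" ] || continue
        val=$(awk -v want="$opt" '
            /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
            {
                if (index($1, "=")) sub(/=/, " ")   # "Key=Value" form
                key = tolower($1)
                if (key == "host" || key == "match") {
                    # only a bare "Host *" block applies to every destination
                    global = (key == "host" && $2 == "*" && NF == 2)
                    next
                }
                if (global && key == want) { print $2; exit }
            }' global=1 "$f")
        if [ -n "$val" ]; then printf '%s\n' "$val"; return 0; fi
    done
    printf '%s\n' "$dflt"
}

# Usage: ensure_protocol_2 USER_CONFIG SYSTEM_CONFIG
# If the effective Protocol is not exactly "2", prepend "Protocol 2" to the
# user file (prepending makes it the first value, so it wins). A missing
# user file is created with mode 0600.
ensure_protocol_2() {
    user_cfg=$1; sys_cfg=$2
    current=$(ssh_effective_option Protocol "2,1" "$user_cfg" "$sys_cfg")
    [ "$current" = "2" ] && return 0
    tmp="$user_cfg.tmp"
    ( umask 077
      { printf 'Protocol 2\n'
        if [ -r "$user_cfg" ]; then cat "$user_cfg"; fi
      } > "$tmp" )
    mv "$tmp" "$user_cfg"
}

# Demonstration on CONSTRUCTED files standing in for ~/.ssh/config and
# /etc/ssh/ssh_config; nothing on the real system is read or modified.
demo_dir=$(mktemp -d)
cat > "$demo_dir/user_config" <<'EOF'
# user file: asks for agent forwarding, says nothing about Protocol
ForwardAgent=yes
Host franklin.nersc.gov
    ForwardX11 yes
EOF
cat > "$demo_dir/system_config" <<'EOF'
Host *
    Protocol 1
    ForwardX11 no
EOF

before=$(ssh_effective_option Protocol "2,1" "$demo_dir/user_config" "$demo_dir/system_config")
echo "Protocol before fix: $before"          # 1, inherited from the system file
ensure_protocol_2 "$demo_dir/user_config" "$demo_dir/system_config"
after=$(ssh_effective_option Protocol "2,1" "$demo_dir/user_config" "$demo_dir/system_config")
echo "Protocol after fix:  $after"           # 2, from the new first line of the user file
echo "ForwardAgent: $(ssh_effective_option ForwardAgent no "$demo_dir/user_config" "$demo_dir/system_config")"
echo "ForwardX11:   $(ssh_effective_option ForwardX11 no "$demo_dir/user_config" "$demo_dir/system_config")"
```

Run it as-is to see the constructed case; to inspect a real account, call ssh_effective_option with ~/.ssh/config and /etc/ssh/ssh_config instead of the temporary files. Note that the user-file "ForwardX11 yes" sits under a Host block for franklin.nersc.gov, so the global answer stays "no": per-host blocks are exactly the kind of thing worth checking when a new client does not forward what the old one did.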

How can I use keys with v2?

Your SSH keys and SSH agent will no longer work after switching to Protocol 2, because Protocol 2 uses a different format for the keys. Generate a new key pair and then place the public key on the targeted NERSC host in a ~/.ssh/authorized_keys2 file.

How can I overcome host key issues?

When you try to log in for the first time using Protocol 2, you’ll see the following question asked by your client:

% ssh franklin.nersc.gov
The authenticity of host 'franklin.nersc.gov ()' can't be established.
RSA1 key fingerprint is (the key for Franklin listed here)
Are you sure you want to continue connecting (yes/no)?

Just type yes; the version 2 host key will be remembered, and you’ll never see this question again.

Sometimes you might see:

% ssh franklin.nersc.gov
No RSA1 host key is known for franklin.nersc.gov and 
	you have requested strict checking.
	Host key verification failed.

If this is not against your site policy (check with your sys admin if in doubt), add a command-line argument (needs to be done only once):

% ssh -o StrictHostKeyChecking=no franklin.nersc.gov
Warning: Permanently added 'franklin.nersc.gov' (RSA1) 
	to the list of known hosts.

If your site policy requires StrictHostKeyChecking to be in place contact NERSC consultants.
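StrictHostKeyChecking=no makes the client accept whatever host key the far end presents on first contact, which is the one moment a man-in-the-middle could substitute its own. The script below is an added example, not part of the NERSC FAQ, showing the alternative for sites that keep strict checking on: put a host key obtained out of band (for example, from the site's consultants) into known_hosts before the first login, checking that the entry is well formed and not already present. The key line in it is a constructed placeholder, not a real NERSC host key, and the demonstration uses a temporary file in place of ~/.ssh/known_hosts.

```shell
#!/bin/sh
# Added example (not part of the NERSC FAQ): seed known_hosts with a host key
# obtained out of band so the first login succeeds with strict host key
# checking left ON, instead of turning it off with StrictHostKeyChecking=no
# (which accepts whatever key the far end presents on first contact).
# The key line used below is CONSTRUCTED; a real one comes from the site.

# known_host_present HOST FILE -> exit 0 if FILE has an entry for HOST.
# known_hosts lines look like: "<host[,host...]> <keytype> <base64key> [comment]"
known_host_present() {
    host=$1; file=$2
    [ -r "$file" ] || return 1
    awk -v want="$host" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        /^@/ { next }                        # @cert-authority / @revoked markers
        /^\|1\|/ { next }                    # hashed hostnames cannot be matched by name
        { n = split($1, hosts, ",")
          for (i = 1; i <= n; i++) if (hosts[i] == want) { found = 1; exit } }
        END { exit (found ? 0 : 1) }' "$file"
}

# add_known_host HOST ENTRY FILE -> append ENTRY unless HOST is already listed.
# Refuses entries that are malformed, carry an unknown key type, or do not
# name HOST in their host field. Exit 0 on success, 2 on a rejected entry.
add_known_host() {
    host=$1; entry=$2; file=$3
    set -- $entry
    [ $# -ge 3 ] || return 2
    case $2 in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 2 ;;
    esac
    case ",$1," in
        *",$host,"*) ;;
        *) return 2 ;;
    esac
    known_host_present "$host" "$file" && return 0     # already there: idempotent
    ( umask 077; printf '%s\n' "$entry" >> "$file" )  # a new file gets mode 0600
}

# Demonstration in a temporary directory; the real file would be ~/.ssh/known_hosts.
demo=$(mktemp -d)
known="$demo/known_hosts"
# CONSTRUCTED placeholder key, not a real NERSC host key
franklin_key='franklin.nersc.gov ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERPLACEHOLDERPLACEHOLDER franklin-placeholder'

add_known_host franklin.nersc.gov "$franklin_key" "$known"
add_known_host franklin.nersc.gov "$franklin_key" "$known"   # second call adds nothing
echo "entries for franklin.nersc.gov: $(grep -c '^franklin\.nersc\.gov ' "$known")"   # 1
# With the key seeded, the first login keeps strict checking in place:
#   ssh -o StrictHostKeyChecking=yes franklin.nersc.gov
```

Before trusting a key obtained this way, compare its fingerprint with the one the site publishes; the functions above only check the shape of the entry, not that the key belongs to the host.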
