Quote

"Between stimulus and response there is a space. In that space is our power to choose our response.
In our response lies our growth and freedom"


“The only way to discover the limits of the possible is to go beyond them into the impossible.”


Monday 17 October 2016

What SSH you are running?

If two servers are running different type of SSH, connecting the two server can be a nightmare. To correct this you can to convert the keys. But before that you need to know what SSH is running or supported on these servers.

Secure Shell (SSH) enables remote login or remote command execution between two hosts. SSH connection is cryptographically secure communication channel. SSH ensures security by enabling authentication, data integrity, encryption, authorization, and forwarding/tunneling.

SSH1 and SSH2



In fact, SSH1 and SSH2 are totally different protocols in terms of design and do not have inter-compatibility in between them. In SSH1 is a monolithic design where several all functions, such as authentication, transport, connection are packed into a single protocol. While SSH2 has a layered architecture for extensibility and flexibility. For enhanced security, SSH2 has MAC-based integrity check, flexible session re-keying, fully-negotiable cryptographic algorithms, public-key certificates, etc.

Sample SSH1 public key:


ssh-dss AAAAB3NzaC1kc3MAAAEBAKueha6mfr5OUcscc88lmQUBBgYSZ08htHFaYzke2N5WG6ql1NgwQsyY2mMRxvvGckBeInx2GvRlz1+izDs5p4UGhkMzG8qOoT2y2vLwTFQyxi4IXET1e0E8VYC0dcLfs5Zg6RxEY7GA5FiydS6dceuPnLJgCYDfyb9Qbk4rVEvREODo8dV/KRlZxecEgaeKOO7ZnEzaIVPRCVbfasdfaseaRtZvxKfGnNFI957AfZ+Hqevz1IeQNDCp00EmaNli8Ow4rjOPlH7o818r35Ea8mMoV0hkirNQ25zf/Z1LvCS3649537YDi/SVmMMpGCvT93w/TRvk5RKlwVVy+H52C8/MKEAAAAVAOuDCV61LvfKz0bd8hYEJ/gGof9XAAABAQCFRhlpWtVOhTxcWcrnZ9EbbVRZO16St5TPjL86khb7b/VjScOAgt0tslHwtEEQzImv1xRkk6ZQ1o9pvAzb1fMZrZMGIy9zUXvL0v6LNXxCxN9YIjx14OXYfH8EIQDZJGRJoxHvEvUVjv3lHnTuxbdKrcbagvakxvgjq1wVyEueilO+g+WhJm+Q+XIYRl0TK9qtsAVFmzxBxT5USZFJ+1kbG7ippfFSGWRd3KPUCVQ8iGO3IMjtIlfcuGOArbKB06kMlxsdjNjhcEIHtR0jpaEeB2X+HrVScQEoXG4S8YkiIExlIvjhrVr571BTOuO9H5VHt4CtKUxeXxKZWslulYwAAABAHm3zlMsXxPL/HOq29qf7Lk90b7El+j19E2UkyssfSu6+/k4bFf6ax2n3yEn31S5bUdNvgqmlEjdERc4SkU65b5LW2ZI1v7kRoegG+bD2Q21N9Rv/lwS7CTprenKiMMRJ8TU7FMIVT3zEZkV+etC7cbaN+09GoiFTt+h7IDmo7onlo64oSMrcc+xt++ZUzENTVBgDoS9treternELkyJqZgb1/fdEPT6wRj132yBxWLqDGmbp9msmY1us+XNDY8isF80u9yTTXGTskOtCSaeavDDtPOKN5ZR20sHpIBgt6zd6mm/zKD6OZo14BLSJr7ldwSRzNNYMtkLnNyFSYxAIrm9Y==


Sample SSH2 public key:


—- BEGIN SSH2 PUBLIC KEY —-
Comment: “1024-bit DSA, converted from OpenSSH by satyam@sing”
AAAAB3NzaC1kc3MAAACBAJ7QKkrLoasddfasfasdfVmKVedk1GAr/S+Cruq3/GtjRnxvJqbBbfnelWYUC+vbHc5a+7bgRsQfCgoCeGKH5wGD4CDWQMhy2XYomnGf1gUC86Hq77/Noqa02N441EFSTIEoNlU2aYi8zwVQKlgP6e22mG9sK7zSaGX639ctaigHuST8qPAAAAFQC2az8dfxHkkDZAEw+RcvRn3asdfsafdasAAIEAgYpPs6d+Kyw37ZaBarlMEaZoEfrxhUZ44SN+KoqBZYpSVwyHJ+/RB0zVUizXCmZ5RhYSsYZ5asdfasfasdfmBxogaEh5d7xxUpg/9Xctf94Jsf7vxccjZ4XYARrVikq/0L9fuKOmo4ET9iAf+GL7w2u5gzxxZr+xX5jw/A7907lOCwAAACAMoHHk0o1XkG+yeaPtuwbrHshGqTjpOUkJ/AYuQ8OBuVAOdqse1di9JpeHko26G0zoH3N+nDHMGdYYTNHzRNYRd2q20ztcAP52crZo1rtpNdvs6c+RTEIgoP3oYh1e1+rg70tWKIW3R/NYB39CESHoyqsAJ7vzOPm0iUOd36YECY=
—- END SSH2 PUBLIC KEY —-


Verifying what SSH is running/supported


Since they(SSH1 and SSH2) are not compatible it is required to verify what SSH is running in to/from where we are trying to connect.

Option 1: /etc/ssh/sshd_config

  
If you check what SSH is running/supported on local machine then check /etc/ssh/sshd_config to see if it has 'Protocol 2' or 'Protocol 1,2' is present it. If /etc/ssh/sshd_config has 'Protocol 2' then only SSH2 is supported and if 'Protocol 1,2' is present then SSH1 and SSH2 both are supported.

Option 2: ssh <-v> user@remote_server

  
If you want to verify the SSH version supported on a remote machine then you can run the following to see which one connects successfully.
ssh <-v> user@remote_server
e.g ssh -1 user@remote_server or ssh -2 user@remote_server
if incorrect version is used then the following error is returned: 'Protocol major versions differ: 1 vs. 2'

Option 3: sshscan

  
If you want to scan entire network or a large group of machines then sshscan can be used.
By default this utility may not be installed on your machine. So you may need to install it before you can use it.

Option 4: ssh -V


ssh -V will give following output:

OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010


Once you know version are incorrect you can correct/convert the keys to be added in ~/.ssh/authorized_keys file using conversion methods as defined here.