Cisco Blogs

NCSAM Tip #15: SSH Insecurity

- October 21, 2011 - 3 Comments

On *nix systems, check your sshd_config and ssh_config files. In both files, the Protocol line should read “Protocol=2” and NOT “Protocol=2,1” or similar values that include protocol version 1 as an option. PuTTY should be configured to use only protocol version 2 as well.

Failure to check your SSH configuration can lead to a downgrade attack, where user credentials and the entire SSH session are recovered in the clear. If you are using SSH protocol version 1, your SSH session is no more secure than Telnet.
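The check described above, as an added example that is not part of the original post: a small POSIX shell audit that reads the Protocol line from an OpenSSH config file the way OpenSSH does (comments ignored, keyword case-insensitive, either whitespace or a single "=" as separator, first matching line wins) and reports whether version 1 is still enabled. The three sample config files are constructed inline for demonstration; the file names, function names and exit codes are this example's own conventions, not anything from the post.

```shell
#!/bin/sh
# Added example (not from the Cisco post): audit OpenSSH config files for
# Protocol settings that still permit SSH protocol version 1.

# Print the effective "Protocol" value of a config file, or nothing if the
# file sets none. Mirrors OpenSSH parsing: strip "#" comments, match the
# keyword case-insensitively, accept "Protocol 2" or "Protocol=2", and take
# the FIRST occurrence (OpenSSH uses the first value it reads).
ssh_protocol_value() {
    sed -e 's/#.*//' "$1" |
    tr 'A-Z' 'a-z' |
    sed -n \
        -e 's/^[[:space:]]*protocol[[:space:]]*=[[:space:]]*\([0-9,]*\).*$/\1/p' \
        -e 's/^[[:space:]]*protocol[[:space:]]\{1,\}\([0-9,]*\).*$/\1/p' |
    head -n 1
}

# Exit status: 0 = only version 2 allowed, 1 = version 1 enabled
# ("1", "2,1", "1,2" ...), 2 = no Protocol line, so the compiled-in default of
# that OpenSSH release applies (only OpenSSH 5.4 and later default to 2).
ssh_protocol_ok() {
    value=$(ssh_protocol_value "$1")
    case "$value" in
        "")  return 2 ;;
        *1*) return 1 ;;
        2)   return 0 ;;
        *)   return 1 ;;   # anything else is not a clean "2"
    esac
}

# Human-readable verdict for one file. The "|| rc=$?" form keeps a non-zero
# result from aborting the script when it runs under "set -e".
audit_ssh_config() {
    rc=0
    ssh_protocol_ok "$1" || rc=$?
    case "$rc" in
        0) echo "OK    $1: Protocol $(ssh_protocol_value "$1")" ;;
        1) echo "WEAK  $1: Protocol $(ssh_protocol_value "$1") allows SSH-1" ;;
        *) echo "UNSET $1: no Protocol line, compiled-in default applies" ;;
    esac
}

# Constructed sample configs (hypothetical content, written to a temp dir).
SSH_AUDIT_DIR=$(mktemp -d)
trap 'rm -rf "$SSH_AUDIT_DIR"' EXIT
printf '%s\n' '# hardened server' 'Port 22' 'Protocol 2' \
    > "$SSH_AUDIT_DIR/good_sshd_config"
printf '%s\n' 'PROTOCOL=2,1   # kept for legacy clients' \
    > "$SSH_AUDIT_DIR/weak_sshd_config"
printf '%s\n' 'Host *' '    ForwardAgent no' '# Protocol 2' \
    > "$SSH_AUDIT_DIR/unset_ssh_config"

# Run the audit over the samples; on a real host pass /etc/ssh/sshd_config
# and /etc/ssh/ssh_config instead.
for f in "$SSH_AUDIT_DIR"/good_sshd_config \
         "$SSH_AUDIT_DIR"/weak_sshd_config \
         "$SSH_AUDIT_DIR"/unset_ssh_config; do
    audit_ssh_config "$f"
done
```

Two caveats when running this against real files: in ssh_config, a Protocol line under a specific `Host` block applies only to that host, and this script just reports the first Protocol line it finds; and the commented-out `# Protocol 2` in the third sample is deliberately ignored, because a commented line does not restrict anything. On OpenSSH releases that still support protocol 1, `sshd -T` prints the server's effective settings and is the authoritative way to confirm what sshd actually loaded.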



  1. Indeed, then you discover that your SSH client, for example the SSL VPN + the SSH plugin running on my FWSM, doesn't support v2.

  2. Good tip. Also make sure that your Cisco IOS SSH server is set to v2 (ip ssh version 2).

  3. PIX 6.3x supports only v1.