Cisco Blogs

Cisco Blog > Security

NCSAM Tip #15: SSH Insecurity

On *nix systems, check your sshd_config and ssh_config files. In both files, the Protocol line should read “Protocol=2” and NOT “Protocol=2,1” or similar values that include protocol version 1 as an option. Putty should be configured to use only protocol version 2 as well.

Failure to check your SSH configuration can lead to a downgrade attack, where user credentials and the entire SSH session are recovered in the clear. If you are using SSH protocol version 1, your SSH session is no more secure than Telnet.

Tags: ,

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. Indeed, then you discover that your ssh client, for example the sslvpn + the ssh plugin running on my fwsm, doesn't support the v2.
  2. good tip.also make sure that your Cisco IOS SSH server set to V-2 (ip ssh version 2)
  3. Pix 6.3x support only v1.