NCSAM Tip #15: SSH Insecurity

October 21, 2011 - 3 Comments

On *nix systems, check your sshd_config and ssh_config files. In both files, the Protocol line should read “Protocol=2” and NOT “Protocol=2,1” or similar values that include protocol version 1 as an option. PuTTY should be configured to use only protocol version 2 as well.

Failure to check your SSH configuration can lead to a downgrade attack, where user credentials and the entire SSH session are recovered in the clear. If you are using SSH protocol version 1, your SSH session is no more secure than Telnet.
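As an added example (not part of the original post or any Cisco tooling), a small POSIX shell audit that reads the effective Protocol keyword from an sshd_config or ssh_config file and flags any value that still lists version 1. The sample config contents below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an OpenSSH server or client config file for a
# Protocol line that still permits SSH protocol version 1.

# Print the effective Protocol value from a config file. Handles both
# "Protocol 2" and "Protocol=2" spellings, ignores commented lines and
# trailing comments, and lets the last occurrence win. Prints nothing
# when the keyword is absent.
ssh_protocol_value() {
    sed 's/=/ /' "$1" | awk 'tolower($1) == "protocol" { v = $2 } END { print v }'
}

# Return 0 when only protocol 2 is permitted, 1 otherwise. A missing
# keyword is reported as needing review, since OpenSSH releases before
# 5.4 defaulted to "2,1" when Protocol was unset.
check_ssh_protocol() {
    value=$(ssh_protocol_value "$1")
    if [ -z "$value" ]; then
        echo "$1: Protocol not set; verify the daemon default is 2-only"
        return 1
    fi
    case ",$value," in
        *,1,*) echo "$1: INSECURE (Protocol $value permits SSHv1)"; return 1 ;;
        ,2,)   echo "$1: OK (Protocol 2 only)"; return 0 ;;
        *)     echo "$1: UNEXPECTED value '$value'"; return 1 ;;
    esac
}

# Constructed sample configs (not real hosts) to show both verdicts.
bad=$(mktemp); good=$(mktemp)
printf '# sshd_config\nPort 22\nProtocol 2,1\n' > "$bad"
printf 'Protocol=2\nPermitRootLogin no\n' > "$good"
for f in "$bad" "$good"; do
    check_ssh_protocol "$f" || :
done
rm -f "$bad" "$good"
```

Point it at /etc/ssh/sshd_config and /etc/ssh/ssh_config on each host you administer; a non-zero exit status marks a file that still needs attention.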



  1. PIX 6.3x supports only v1.

  2. Good tip. Also make sure that your Cisco IOS SSH server is set to v2 (ip ssh version 2).

  3. Indeed, then you discover that your SSH client, for example the SSL VPN + the SSH plugin running on my FWSM, doesn’t support v2.