06-22-2004 03:39 PM - edited 03-09-2019 07:49 AM
I am running F-Secure SSH Server ver. 5.3 for Windows. I attempted to add an SSH host key to a NetRanger 4235 so that I could later perform an upgrade, but I got two types of error messages.
1. Error: Unsupported remote protocol version (2.0)
OR (not AND but OR)
2. Error: socket connect failed [4,111]
The first error I get from machines running the F-Secure Server application and for which I have already generated host keys.
The second error I receive when I try to add an SSH host key for machines on which I am running the F-Secure client BUT not the F-Secure server.
What can I do so that I can successfully add the SSH host key?
I know the "key modulus length" (in this case, 2048) of the SSH host key for the host running F-Secure SSH Server, but I do not know the "Public Exponent" of the SSH keys. What exactly do I need to do to overcome this problem?
Below is the CLI cut & paste information. Oh yes, I have changed the IP addresses and such, but everything else is just as I got it from the CLI.
------------------
nr-inside(config)# ssh
authorized-key Public key settings for the current user
host-key Add a known host key to the system
nr-inside(config)# ssh host
nr-inside(config)# ssh host-key 10.31.128.62
<511-2048> Key modulus length
<cr>
nr-inside(config)# ssh host-key 10.31.128.62
Error: Unsupported remote protocol version (2.0)
nr-inside(config)# ssh host-key 10.31.128.61
Error: socket connect failed [4,111]
nr-inside(config)# ssh host-key 10.31.166.30
Error: socket connect failed [4,111]
nr-inside(config)# ssh host-key 10.31.166.30
<511-2048> Key modulus length
<cr>
nr-inside(config)# ssh host-key 10.31.166.30 2048
<3-4294967294> Public exponent
nr-inside(config)# ssh host-key 10.31.166.30 2048
% Incomplete command
nr-inside(config)# ssh host-key 10.31.166.30
Error: Unsupported remote protocol version (2.0)
nr-inside(config)#
-------
Thanks.
Ad.
06-23-2004 06:57 AM
Unfortunately, you will have to enable SSHv1 for the CIDS 4.x to work properly with your SSH server.
Once that change is completed, try connecting to the SSH server with something like:
copy backup-config scp://user@10.0.0.1/backup
Password: ****
The authenticity of host '10.0.0.1 (10.0.0.1)' can't be established.
RSA1 key fingerprint is 6e:f0:48:fe:3d:03:6f:35:90:37:da:4b:e2:f9:af:3a.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
lost connection
The authenticity for host, 10.0.0.1, can't be established. Verify the ssh host key in the known hosts configuration.
Then issue :
nr-inside# configure terminal
nr-inside# ssh host-key 10.0.0.1
MD5 fingerprint is xxxxxx
Bubble Babble is xxxxxx
Would you like to add this to the known hosts table for this host?[yes]: yes
Should be fine afterward.
06-23-2004 07:30 AM
The error "Error: Unsupported remote protocol version (2.0)" is happening because your SSH server is running a newer version than what the sensor supports.
You would either need to find a way for your SSH server to support an older version and create SSH keys for the older version,
or load a different SSH server that supports the older version by default.
The error "Error: socket connect failed [4,111]" happens when you try to use the "ssh host-key" command for an SSH client.
The "ssh host-key" command is only used for configuring the sensor to connect to a remote SSH server. The "ssh host-key" command is not needed for a remote client to connect to the sensor (the sensor itself cannot connect back to a remote SSH client unless the client machine is also running an SSH server).
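The "Unsupported remote protocol version (2.0)" error above comes from the very first line the server sends: its SSH identification string. A protocol-1-only client such as the sensor reads that line before anything else, and a server that announces "SSH-2.0-..." is rejected on the spot, while a server that speaks both protocols announces "SSH-1.99-..." so old clients proceed as protocol 1 and new clients as protocol 2 (RFC 4253 section 5.1). The following is an added example, not code from this thread or from Cisco or F-Secure; it parses identification strings offline and reports what a protocol-1-only client would do. The banner strings it is fed are constructed for illustration, and the software names in them are placeholders, not real product banners.

```python
"""Classify SSH server identification strings the way a protocol-1-only
client (such as a CIDS 4.x sensor) would. Added example; the sample
banners below are constructed, not captured from real hosts."""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 4253 s.5.1: "SSH-protoversion-softwareversion [SP comments] CR LF".
# Servers that support both protocol 1 and 2 advertise "1.99".
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)(?: (.*))?$")


@dataclass(frozen=True)
class Banner:
    major: int
    minor: int
    software: str
    comments: Optional[str]


def parse_banner(line: str) -> Banner:
    """Parse one identification line (CR/LF tolerated)."""
    line = line.rstrip("\r\n")
    m = BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return Banner(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))


def find_banner(data: bytes) -> Banner:
    """Locate the identification string in the server's initial output.

    RFC 4253 allows a server to send other text lines before the banner;
    a client must skip any line that does not start with 'SSH-'.
    """
    for raw in data.split(b"\n"):
        text = raw.decode("ascii", errors="replace").rstrip("\r")
        if text.startswith("SSH-"):
            return parse_banner(text)
    raise ValueError("no SSH identification string found")


def supports_v1(b: Banner) -> bool:
    """A protocol-1-only client can continue only against a 1.x banner
    (pure 1.3/1.5 servers, or 1.99 combined servers)."""
    return b.major == 1


def supports_v2(b: Banner) -> bool:
    """A protocol-2 client accepts 2.0 and the 1.99 compatibility banner."""
    return b.major == 2 or (b.major == 1 and b.minor == 99)


def sensor_verdict(data: bytes) -> str:
    """What a protocol-1-only client reports for a server's first bytes."""
    b = find_banner(data)
    if supports_v1(b):
        return f"ok: {b.software} advertises {b.major}.{b.minor}, protocol 1 available"
    return f"Error: Unsupported remote protocol version ({b.major}.{b.minor})"


if __name__ == "__main__":
    # Constructed sample banners (software names are placeholders).
    samples = [
        b"SSH-2.0-ExampleSSH_5.3\r\n",                        # protocol 2 only
        b"Welcome to the lab gateway\r\nSSH-1.99-ExampleSSH_3.8\r\n",  # both protocols
        b"SSH-1.5-ExampleSSH_1.2\r\n",                        # protocol 1 only
    ]
    for s in samples:
        print(repr(s), "->", sensor_verdict(s))
```

The practical check this gives you: connect to the server with any TCP client (telnet or nc to port 22) and read the first line. If it begins "SSH-2.0-", the sensor will fail exactly as in the post; if it begins "SSH-1.99-", the server has protocol 1 enabled alongside protocol 2 and the "ssh host-key" command should get past the version exchange.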
06-23-2004 10:40 AM
Thanks to you all for the input. I just have two more questions.
1. Do I really need to set up an SSH server in order to upgrade the signatures on IDS NetRangers?
2. If the answer is yes, then where do I obtain an SSH server that supports version 1? I have F-Secure running version 2.
If I could just squeeze in one more question, is there anybody on this forum who has ever performed a signature upgrade on an IDS NetRanger appliance? I have been stuck with this upgrade problem for 3 weeks now. Any help would be appreciated.
Thanks
ad.
06-23-2004 11:55 AM
1) No, you can use FTP, HTTP, HTTPS, and SSH (via SCP).
The syntaxes are (from the CSIDS online documentation):
ftp://username@location/relativeDirectory/filename
ftp://username@location//absoluteDirectory/filename
https://username@location/directory/filename
scp://username@location/relativeDirectory/filename
scp://username@location/absoluteDirectory/filename
http://username@location/directory/filename
2) Version 1 is mandatory. Other SSH products can do this, but because of several security vulnerabilities in protocol version 1, vendors are now forcing protocol version 2 of SSH.
3) I am personally updating all my CIDS 4.x sensors with an SSH server (running OpenSSH) and even doing ssh key-auth for a password-less auto-update.
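For the OpenSSH setup described in point 3, the pieces that matter are the Protocol directive, a protocol-1 host key, and protocol-1 public-key authentication, which in OpenSSH is a separate directive from the protocol-2 one. The fragment below is an added example, not from this thread or from Cisco, F-Secure or the OpenSSH project. It assumes an OpenSSH release that still ships protocol-1 server support (removed in OpenSSH 7.4), default key paths, an update account named cidsupdate and a sensor address in the 192.0.2.0/24 documentation range; all of those are assumptions to adjust. Given the protocol-1 weaknesses the reply above mentions, the fragment keeps protocol 2 as the first choice and limits the protocol-1 exposure to the one account the sensor uses.

```text
# sshd_config fragment (added example; paths, account and address are assumptions)

# Offer protocol 2 first, protocol 1 only for clients that need it (the sensor).
Protocol 2,1

# Protocol 2 host keys (OpenSSH defaults)
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Protocol 1 (RSA1) host key. Generate it once on the server with:
#   ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ''
# The fingerprint ssh-keygen prints is what the sensor shows in
# "ssh host-key <addr>" and what you compare before answering "yes".
HostKey /etc/ssh/ssh_host_key

# Public-key authentication: RSAAuthentication covers protocol 1,
# PubkeyAuthentication covers protocol 2. Both read authorized_keys.
# For the password-less sensor update, generate a protocol-1 client key
# (ssh-keygen -t rsa1) and append its .pub line to the update account's
# ~/.ssh/authorized_keys.
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no

# Limit who may log in at all: only the update account, only from the
# sensor's address (assumed address, RFC 5737 documentation range).
AllowUsers cidsupdate@192.0.2.10
```

After restarting sshd, the first line it sends on port 22 should read "SSH-1.99-OpenSSH_..." rather than "SSH-2.0-...", which is the cue that the sensor's protocol-1 client will be accepted.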