Adding ssh-host key to NetRanger 4235

infinitingr2
Level 1

I am running F-Secure SSH Server ver 5.3 for Windows. I attempted to add an ssh host key to NetRanger 4235 so that I could later perform an upgrade, but I got two types of error messages.

1. Error: Unsupported remote protocol version (2.0)

OR (not AND but OR)

2. Error: socket connect failed [4,111]

The first error I get from machines running F-Secure Server application and for which I have already generated host keys.

The second error I receive when I try to add ssh-host key for machines on which I am running F-Secure client BUT not F-Secure server.

What can I do so that I can successfully add the SSH host key?

I know the "key modulus length" (in this case, 2048) of the host ssh key for the host running F-Secure SSH Server, but I do not know the "Public Exponent" of the ssh keys. What exactly do I need to do to overcome this problem?

Below is the CLI cut & paste information. Oh yes I have changed the IP address and stuff but everything else is just as I got it from the CLI.

------------------
nr-inside(config)# ssh
authorized-key Public key settings for the current user
host-key Add a known host key to the system
nr-inside(config)# ssh host
nr-inside(config)# ssh host-key 10.31.128.62
<511-2048> Key modulus length
<cr>
nr-inside(config)# ssh host-key 10.31.128.62
Error: Unsupported remote protocol version (2.0)
nr-inside(config)# ssh host-key 10.31.128.61
Error: socket connect failed [4,111]
nr-inside(config)# ssh host-key 10.31.166.30
Error: socket connect failed [4,111]
nr-inside(config)# ssh host-key 10.31.166.30
<511-2048> Key modulus length
<cr>
nr-inside(config)# ssh host-key 10.31.166.30 2048
<3-4294967294> Public exponent
nr-inside(config)# ssh host-key 10.31.166.30 2048
% Incomplete command
nr-inside(config)# ssh host-key 10.31.166.30
Error: Unsupported remote protocol version (2.0)
nr-inside(config)#
-------

Thanks.

Ad.

4 Replies

p_monette
Level 1

Unfortunately, you will have to enable SSHv1 for the CIDS 4.x to work properly with your SSH Server.

Once that change is completed, try connecting to the SSH server with something like:

copy backup-config scp://user@10.0.0.1/backup
Password: ****
The authenticity of host '10.0.0.1 (10.0.0.1)' can't be established.
RSA1 key fingerprint is 6e:f0:48:fe:3d:03:6f:35:90:37:da:4b:e2:f9:af:3a.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
lost connection
The authenticity for host, 10.0.0.1, can't be established. Verify the ssh host key in the known hosts configuration.

Then issue:

nr-inside# configure terminal
nr-inside# ssh host-key 10.0.0.1
MD5 fingerprint is xxxxxx
Bubble Babble is xxxxxx
Would you like to add this to the known hosts table for this host?[yes]: yes

Should be fine afterward.
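The modulus length and public exponent the sensor prompts for in the question, and the MD5 and Bubble Babble fingerprints it prints in the confirmation above, can be cross-checked offline before answering "yes". This is an added example, not code from the thread or from Cisco; it assumes the fingerprint input is OpenSSH's RSA1 layout (big-endian modulus bytes followed by exponent bytes) and that Bubble Babble is taken over a SHA-1 digest, and the key values in the test are constructed.

```python
import hashlib

# Bubble Babble alphabet (Antti Huima's encoding, the form ssh-keygen -B prints)
VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"


def bubble_babble(data: bytes) -> str:
    """Encode digest bytes as Bubble Babble: 'x', 5-char groups joined by '-', 'x'."""
    seed = 1
    out = ["x"]
    rounds = len(data) // 2 + 1
    for i in range(rounds):
        if i + 1 < rounds or len(data) % 2 != 0:
            b1 = data[2 * i]
            out.append(VOWELS[(((b1 >> 6) & 3) + seed) % 6])
            out.append(CONSONANTS[(b1 >> 2) & 15])
            out.append(VOWELS[((b1 & 3) + seed // 6) % 6])
            if i + 1 < rounds:
                b2 = data[2 * i + 1]
                out.append(CONSONANTS[(b2 >> 4) & 15])
                out.append("-")
                out.append(CONSONANTS[b2 & 15])
                seed = (seed * 5 + b1 * 7 + b2) % 36
        else:
            # even-length input: the final group carries only the running checksum
            out.append(VOWELS[seed % 6])
            out.append(CONSONANTS[16])
            out.append(VOWELS[seed // 6])
    out.append("x")
    return "".join(out)


def rsa1_fingerprint_input(modulus: int, exponent: int) -> bytes:
    """Assumed OpenSSH RSA1 layout: big-endian modulus, then exponent, no lengths."""
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    return n + e


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated hex MD5, the 'MD5 fingerprint is ...' form the sensor prints."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def host_key_fingerprints(modulus: int, exponent: int) -> dict:
    """Modulus length, MD5 and Bubble Babble (over SHA-1, assumed) for one RSA1 key."""
    blob = rsa1_fingerprint_input(modulus, exponent)
    return {"modulus_bits": modulus.bit_length(),
            "md5": md5_fingerprint(blob),
            "bubble_babble": bubble_babble(hashlib.sha1(blob).digest())}
```

Compare the two strings against what the sensor displays in its prompt; a mismatch means the key the sensor fetched is not the one your server is supposed to have.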

marcabal
Cisco Employee

The error "Error: Unsupported remote protocol version (2.0)" is happening because your SSH server is running a newer version than what the sensor supports.

You would either need to find a way for your SSH server to support an older version and create SSH keys for the older version, or load a different SSH server that does support the older version by default.

The error "Error: socket connect failed [4,111]" happens when you try to use the "ssh host-key" command for an SSH client.

The "ssh host-key" command is only used for configuring the sensor to connect to a remote SSH server. The "ssh host-key" command is not needed for a remote client to connect to the sensor (the sensor itself cannot connect back to a remote SSH client unless the client machine is also running an SSH server).
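Both errors marcabal explains can be reproduced from the SSH version exchange alone: a server that identifies itself as SSH-2.0 only speaks protocol 2, SSH-1.99 offers both, and a host with no SSH server listening refuses the connection (errno 111 is ECONNREFUSED on Linux). This is an added example, not code from the thread; parse_ssh_banner, sensor_verdict and probe_ssh_server are my names, and the banner strings in the test are constructed.

```python
import socket


def parse_ssh_banner(banner: str) -> dict:
    """Parse an SSH identification line such as 'SSH-1.99-OpenSSH_3.9p1'.
    Protocol 1.x = v1 only, 1.99 = offers both v1 and v2, 2.0 = v2 only."""
    line = banner.strip()
    if not line.startswith("SSH-") or line.count("-") < 2:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    _, proto, software = line.split("-", 2)
    return {
        "protocol": proto,
        "software": software,
        "offers_v1": proto.startswith("1."),   # covers 1.3, 1.5 and 1.99
        "offers_v2": proto == "1.99" or proto.startswith("2."),
    }


def sensor_verdict(banner: str) -> str:
    """What a protocol-1-only client like the CIDS 4.x sensor makes of the banner."""
    info = parse_ssh_banner(banner)
    if info["offers_v1"]:
        return "ok"
    return f"Unsupported remote protocol version ({info['protocol']})"


def probe_ssh_server(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Fetch the identification line from an SSH server you administer; only the
    version exchange happens, no authentication. A host with nothing listening
    on the port comes back as an errno (111 is ECONNREFUSED on Linux)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            data = sock.recv(256).decode("ascii", "replace")
    except OSError as exc:
        return f"socket connect failed errno={exc.errno} ({exc.strerror})"
    for line in data.splitlines():
        if line.startswith("SSH-"):
            return line
    return data.strip()
```

Running sensor_verdict(probe_ssh_server("your-ssh-server")) before issuing "ssh host-key" tells you which of the two failures to expect, without touching the sensor.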

Thanks to you all for the input. I just have two more questions.

1. Do I really need to set up an SSH server in order to upgrade the signatures on IDS NetRangers?

2. If the answer is yes, then where do I obtain an SSH server that supports version 1? I have F-Secure running version 2.

If I could just squeeze in one more question: is there anybody on this forum who has ever performed a signature upgrade on an IDS NetRanger appliance? I have been stuck with this upgrade problem for 3 weeks now. Any help would be appreciated.

Thanks

ad.

1) No, you can use FTP, HTTP, HTTPS, and SSH (with SCP).

The syntax is (from the CSIDS online documentation):

ftp://username@location/relativeDirectory/filename
ftp://username@location//absoluteDirectory/filename
https://username@location/directory/filename
scp://username@location/relativeDirectory/filename
scp://username@location/absoluteDirectory/filename
http://username@location/directory/filename

2) Version 1 is mandatory. Other SSH products can do this, but because of several security vulnerabilities in protocol version 1, vendors are now forcing protocol version 2 of SSH.

3) I am personally updating all my CIDS 4.x sensors with an SSH server (running OpenSSH) and even doing ssh key-auth for a password-less auto-update.