Cisco Support Community

New Member

SSH modifications

After installing the S23 update on a 4230 I notice that the SSH version note says "Cisco Intrusion Detection System modifications included". What modifications were actually made to SSH and why did they need to be made? Thanks.

New Member

Re: SSH modifications

We modified the OpenSSH source code to facilitate device management. To communicate with devices using the secure shell protocol, nr.managed spawns an instance of ssh, invoking an option that causes ssh to read the password from standard input, which in this environment is piped directly into the nr.managed process. With this option disabled (the default), the client behaves identically to the released version.

New Member

Re: SSH modifications

Has Cisco received the notice about OpenSSH vulnerabilities? OpenSSH versions up to 3.3 are vulnerable and they recommend updating to 3.4.

When will this update be released for the sensors, etc?

New Member

Re: SSH modifications

IDS sensor appliances, versions 3.0(1) through 3.1(2) are vulnerable. To close the hole in a 3.1(2) sensor, disable ChallengeResponseAuthentication. To apply the change, log into the sensor as root and enter the following command:

# vi /etc/sshd_config

Look for the line:

#ChallengeResponseAuthentication yes

Delete the leading pound sign and change "yes" to "no". Now the line reads:

ChallengeResponseAuthentication no

Save changes and exit. Reboot the sensor.

To close the hole in earlier sensor appliance versions, apply IDSk9-sp-3.1-2-S23.bin to update your sensor to version 3.1(2). (You should also apply the latest signature updates as well.) Once upgraded to 3.1(2), follow the steps above to disable ChallengeResponseAuthentication.
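
The edit described in the post above, as an added shell example that is not part of the original thread and is not Cisco's own tooling: it reports the active ChallengeResponseAuthentication value and rewrites the line non-interactively, keeping a backup. It assumes whitespace-separated "keyword value" lines and that sshd uses the first active occurrence of a keyword; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Cisco code). Assumes "keyword value" lines separated by
# whitespace and that sshd honours the first active occurrence of a keyword.

# Print the active value (yes/no), or "unset" when the keyword is only
# commented out or missing, in which case sshd uses its built-in default.
cra_effective() {
    awk '
        /^[ \t]*#/ { next }                      # commented lines are inactive
        tolower($1) == "challengeresponseauthentication" {
            print tolower($2); found = 1; exit   # first active occurrence wins
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Rewrite the file so exactly one active "ChallengeResponseAuthentication no"
# line remains; the original is kept beside it as <file>.bak.
cra_disable() {
    cfg=$1
    cp -p "$cfg" "$cfg.bak" || return 1
    awk '
        tolower($0) ~ /^[ \t]*#?[ \t]*challengeresponseauthentication[ \t]+(yes|no)[ \t]*$/ {
            if (!done) { print "ChallengeResponseAuthentication no"; done = 1 }
            next                                 # drop later duplicates
        }
        { print }
        END { if (!done) print "ChallengeResponseAuthentication no" }
    ' "$cfg.bak" > "$cfg"
}

# Demo on a constructed sample file, not a real sensor configuration.
sample=$(mktemp)
printf '%s\n' 'Port 22' '#ChallengeResponseAuthentication yes' \
    'PasswordAuthentication yes' > "$sample"
echo "before: $(cra_effective "$sample")"   # only the commented line exists
cra_disable "$sample"
echo "after:  $(cra_effective "$sample")"
rm -f "$sample" "$sample.bak"
```

On the sensor the file is /etc/sshd_config, as given in the post, and the change takes effect after the reboot it describes.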

New Member

Re: SSH modifications

Please ignore.