After installing the S23 update on a 4230 I notice that the SSH version note says "Cisco Intrusion Detection System modifications included". What modifications were actually made to SSH and why did they need to be made? Thanks.
We modified the OpenSSH source code to facilitate device management. To communicate with devices using the secure shell protocol, nr.managed spawns an instance of ssh, invoking an option that causes ssh to read the password from standard input, which in this environment is piped directly into the nr.managed process. With this option disabled (the default), the client behaves identically to the released version.
IDS sensor appliances running versions 3.0(1) through 3.1(2) are vulnerable. To close the hole in a 3.1(2) sensor, disable ChallengeResponseAuthentication in the sensor's sshd configuration. (This is a change to the sshd daemon on the sensor; the modified ssh client that nr.managed spawns, described above, is not involved.) To apply the change, log into the sensor as root and enter the following command:
# vi /etc/sshd_config
Look for the line:
#ChallengeResponseAuthentication yes
Delete the leading pound sign and change "yes" to "no". Now the line reads:
ChallengeResponseAuthentication no
Both edits are required: a line that is still commented out is ignored, and sshd then falls back to its compiled-in default for this option, which is "yes".
Save changes and exit. Reboot the sensor. After the reboot, confirm the change from another host with "ssh -v" against the sensor: the "Authentications that can continue:" line in the debug output should no longer list keyboard-interactive.
To close the hole in earlier sensor appliance versions, apply IDSk9-sp-3.1-2-S23.bin to update your sensor to version 3.1(2). (Also apply the latest signature updates.) Once upgraded to 3.1(2), follow the steps above to disable ChallengeResponseAuthentication.
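The same edit, done from a script rather than by hand in vi, as an added example that is not part of the Cisco FAQ and not Cisco's own tooling. It takes the sshd_config path as a parameter (the sensor keeps it at /etc/sshd_config; most OpenSSH installs use /etc/ssh/sshd_config), removes every existing occurrence of the directive whether commented out or not, puts a single global "ChallengeResponseAuthentication no" at the top of the file, and then reports the value sshd will actually use. It goes slightly beyond the FAQ's single case by also handling a line that was never commented out, the "Keyword=value" spelling, and a file with no such line at all. The sample config at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the Cisco FAQ: apply the
# "disable ChallengeResponseAuthentication" edit from a script instead of vi,
# and verify the effective setting afterwards. The config path is a parameter
# because the sensor keeps it at /etc/sshd_config while most OpenSSH builds
# use /etc/ssh/sshd_config.

# Print the effective value ("yes" or "no") of ChallengeResponseAuthentication
# in an sshd_config. sshd honours the first uncommented occurrence; if there is
# none, the compiled-in default "yes" applies, which is why leaving the line
# commented out protects nothing.
crauth_effective() {
    awk '
        /^[ \t]*#/ { next }                 # skip comment lines
        { gsub(/=/, " ") }                  # allow the "Keyword=value" spelling
        tolower($1) == "challengeresponseauthentication" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "yes" }
    ' "$1"
}

# Rewrite the file in place, keeping a .bak copy: drop every existing
# occurrence of the directive (commented or not) and put one global
# "ChallengeResponseAuthentication no" at the top of the file, ahead of any
# Match block, so it is the first occurrence sshd sees. Running it twice
# leaves the file unchanged.
disable_crauth() {
    cfg="$1"
    tmp="$cfg.tmp.$$"
    cp -p "$cfg" "$cfg.bak" || return 1
    awk '
        NR == 1 { print "ChallengeResponseAuthentication no" }
        {
            line = $0; gsub(/=/, " ", line); n = split(line, f)
            key = tolower(f[1]); sub(/^#+/, "", key)
            if (key == "" && n > 1) key = tolower(f[2])   # "# Keyword value" form
            if (key == "challengeresponseauthentication") next
            print
        }
        END { if (NR == 0) print "ChallengeResponseAuthentication no" }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Constructed sample standing in for the sensor's real /etc/sshd_config.
demo="${TMPDIR:-/tmp}/sshd_config.demo.$$"
printf '%s\n' \
    'Port 22' \
    '#ChallengeResponseAuthentication yes' \
    'PasswordAuthentication yes' > "$demo"

echo "before: ChallengeResponseAuthentication $(crauth_effective "$demo")"
disable_crauth "$demo"
echo "after:  ChallengeResponseAuthentication $(crauth_effective "$demo")"
rm -f "$demo" "$demo.bak"
# On the sensor itself: disable_crauth /etc/sshd_config, then reboot as above.
```

The verification function is the part worth keeping around: it answers "what will sshd do" rather than "what does the file contain", and it is what you would run again after any later upgrade that ships a fresh sshd_config. Writing the rewritten file back with cat rather than mv keeps the original file's ownership and mode.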