The SSH client must be configured to only use the SSHv2 protocol.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-22456	GEN005501	SV-39209r1_rule	DCPP-1	Medium

Description
SSHv1 is not a DoD-approved protocol and has many well-known vulnerability exploits. Exploits of the SSH client could provide access to the system with the privileges of the user running the client.

STIG	Date
Draft AIX Security Technical Implementation Guide	2011-08-17

Details

Check Text ( C-38187r1_chk )
Check the SSH client configuration for allowed protocol versions. # grep -i protocol /etc/ssh/ssh_config \| grep -v '^#' If the variables Protocol 2,1 or Protocol 1 are defined on a line without a leading comment, this is a finding. If the SSH client is F-Secure, the variable name for SSH 1 compatibility is Ssh1Compatibility, not protocol. If the variable Ssh1Compatiblity is set to yes, this is a finding.

Check Text ( C-38187r1_chk )

Check the SSH client configuration for allowed protocol versions.

# grep -i protocol /etc/ssh/ssh_config | grep -v '^#'

If the variables Protocol 2,1 or Protocol 1 are defined on a line without a leading comment, this is a finding.

If the SSH client is F-Secure, the variable name for SSH 1 compatibility is Ssh1Compatibility, not protocol. If the variable Ssh1Compatiblity is set to yes, this is a finding.

Fix Text (F-33461r1_fix)
Edit the /etc/ssh/ssh_config file and add or edit a Protocol configuration line that does not allow versions less than 2.