FutureQuest, Inc.

10-27-2009, 10:34 AM   Postid: 176255
Kevin
Systems Administrator
Join Date: Aug 2001
Location: Orlando, FL
Posts: 2,084
[FQuest Notice] End of support for Telnet and SSHv1

What:
Due to security concerns, PCI compliance requirements, and future upgrade plans, FutureQuest, Inc. will no longer be providing support for the telnet and SSHv1 protocols. Command line access will still be provided by the SSHv2 protocol only.

When:
The telnet protocol will be disabled on 12/01/2009. There will be a 1 month extension period for anyone who needs more time to obtain an SSHv2 compatible client. If you need to continue using telnet during this grace period you must email the service desk and request the extension for the primary domain on each account you intend to use telnet on. The final shutoff date will be 01/08/2010 when it will be shut down for everyone.

The SSHv1 protocol will also be shut down on 12/01/2009; however, due to the way the Secure SHell service is configured, there cannot be any grace period. Anyone using a Secure SHell client that is not SSHv2 compliant will need to upgrade before this date.

Why:
The telnet protocol has never been secure. It sends the username, password, and everything else across the internet in plain text. Passwords can be intercepted and the connection itself can be hijacked. FutureQuest has always provided command line access through ssh (Secure SHell) as a more secure alternative to telnet and we highly recommend using it instead. Due to the insecure nature of telnet we have decided to stop supporting it completely. Site Owners who are currently using telnet to connect to the command line interface will need to obtain an ssh client and begin using it instead. Detailed suggestions are below.

The SSHv1 protocol has a small security vulnerability that can in some cases allow a "man in the middle" attack to succeed. While the SSHv1 protocol is far more secure than the telnet protocol, PCI compliance requirements are forcing us to disable SSHv1 completely, leaving only SSHv2 for command line access.

How to prepare:
CNC command line access:
Unfortunately, the Java-based Secure SHell client we have provided in the CNC is only SSHv1 compatible, not SSHv2. After the cutoff date the CNC Secure SHell client will be removed. Anyone who is currently using it for command line access will need to obtain an SSHv2-compatible client program.

Suggested SSHv2 clients:
For Macintosh and most UNIX users things are easy. Your operating systems already come with the OpenSSH client which can be run with the ssh command. If you have been using telnet from these systems the new procedure will be almost the same with the only difference being that you provide the user name on the command line instead of at a login prompt. More information is here: http://service.futurequest.net/kb539

For Windows users we suggest using the completely free PuTTY client program. More information is here: http://service.futurequest.net/kb565
__________________
Kevin
10-27-2009, 11:36 AM   Postid: 176260
hobbes
Have you hugged a tiger today?
Forum Notability:
1238 pts: A True Crowd-pleaser!
Join Date: Mar 2000
Location: Third Sol Planet Posts: Far too many. Oh ok -
Posts: 2,646
Re: [FQ Notice] End of support for Telnet and SSHv1

Quote:
Due to security concerns, PCI compliance requirements, and future upgrade plans FutureQuest, Inc. will no longer be providing support for the telnet and SSHv1 protocols.

So why isn't the insecure FTP protocol also biting the dust:-? Oh yeah, support calls would rise 1,000%!
10-27-2009, 11:43 AM   Postid: 176261
Kevin
Systems Administrator
Join Date: Aug 2001
Location: Orlando, FL
Posts: 2,084
Re: [FQ Notice] End of support for Telnet and SSHv1

Quote:
Originally Posted by hobbes
So why isn't the insecure FTP protocol also biting the dust:-? Oh yeah, support calls would rise 1,000%!

And because PCI compliance doesn't require it (yet).

If it were up to me we would be shutting off telnet, FTP, unencrypted email (POP/IMAP/SMTP), the non-SSL CNC, and SSHv1 in that order. But I think Bob would run away screaming if we tried that so expect those insecurities to stick around for a while.

With all the recent FTP hacking due to malware stealing logins from infected PCs, FTP is a pretty big threat. Unfortunately it is also the only method that many people have to publish their sites and it isn't nearly as easy to replace as telnet.
__________________
Kevin
10-27-2009, 12:59 PM   Postid: 176262
idealord
Site Owner
Forum Notability:
10 pts: User-friendly
Join Date: Jun 2001
Location: Sanibel Island, FL USA
Posts: 93
Re: [FQ Notice] End of support for Telnet and SSHv1

I use Cygwin with its OpenSSH library. How can I tell if I'm using SSHv2? I've been using it for a while, and the login looks just like your Mac/Unix info pages.

Thanks!
10-27-2009, 01:04 PM   Postid: 176263
Kevin
Systems Administrator
Join Date: Aug 2001
Location: Orlando, FL
Posts: 2,084
Re: [FQ Notice] End of support for Telnet and SSHv1

Cygwin should be using SSHv2 by default but just to make sure you have two choices (this applies to all UNIX-like operating systems and OSX too)...

1. Add a -v to your ssh command line and look for this line:
debug1: Enabling compatibility mode for protocol 2.0

2. Add a -2 to your ssh command line to force it to use SSHv2 only and see if it works.
__________________
Kevin
10-27-2009, 01:08 PM   Postid: 176264
idealord
Site Owner
Forum Notability:
10 pts: User-friendly
Join Date: Jun 2001
Location: Sanibel Island, FL USA
Posts: 93
Re: [FQ Notice] End of support for Telnet and SSHv1

Quote:
Originally Posted by Kevin
Cygwin should be using SSHv2 by default but just to make sure you have two choices (this applies to all UNIX-like operating systems and OSX too)...

1. Add a -v to your ssh command line and look for this line:
debug1: Enabling compatibility mode for protocol 2.0

-V gave me this:

OpenSSH_5.1p1, OpenSSL 0.9.8k 25 Mar 2009

Quote:
2. Add a -2 to your ssh command line to force it to use SSHv2 only and see if it works.

-2 worked. So I think your assumptions are correct. It's a March 2009 compile, so I'm guessing I'm good to go.
10-27-2009, 01:11 PM   Postid: 176265
Kevin
Systems Administrator
Join Date: Aug 2001
Location: Orlando, FL
Posts: 2,084
Re: [FQ Notice] End of support for Telnet and SSHv1

What you got with -V was just the version string for your client. There is a difference between -V (version) and -v (verbose). But the fact that -2 worked is conclusive that you will be OK without SSHv1.
__________________
Kevin
10-27-2009, 01:17 PM   Postid: 176266
idealord
Site Owner
Forum Notability:
10 pts: User-friendly
Join Date: Jun 2001
Location: Sanibel Island, FL USA
Posts: 93
Re: [FQ Notice] End of support for Telnet and SSHv1

Thanks! -v just produced the options list on my client.
10-27-2009, 01:19 PM   Postid: 176267
Kevin
Systems Administrator
Join Date: Aug 2001
Location: Orlando, FL
Posts: 2,084
Re: [FQ Notice] End of support for Telnet and SSHv1

You still have to connect to the server. Just running 'ssh -v' is incomplete. You have to run 'ssh -v user@host' or 'ssh -2 user@host'.
__________________
Kevin
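
The check discussed in the posts above (read the debug output of 'ssh -v user@host', not the -V version string), as an added example that is not part of the original thread. The function names, the host and the sample log are constructed for illustration; the banner rules follow RFC 4253, where a server announcing "SSH-1.99-" speaks protocol 2 but still accepts protocol 1 clients.

```shell
#!/bin/sh
# Added example, not from the thread. Sample input below is constructed.

# Classify a server identification string (the first line an SSH server sends).
classify_banner() {
    case "$1" in
        SSH-2.0-*)  echo "v2-only" ;;
        SSH-1.99-*) echo "v1-and-v2" ;;   # protocol 1 is still offered
        SSH-1.*)    echo "v1-only" ;;
        *)          echo "unknown" ;;
    esac
}

# Read the debug output of `ssh -v user@host` on stdin and print which
# protocol the client ended up using: v2, v1, unknown, or no-connection
# (no debug lines at all, e.g. -V version output or a bare `ssh -v`).
negotiated_protocol() {
    awk '
        /^debug1: Remote protocol version / { remote = $5; sub(/,$/, "", remote) }
        /^debug1: Enabling compatibility mode for protocol / { mode = $NF }
        END {
            if (remote == "")       print "no-connection"
            else if (mode ~ /^2/)   print "v2"
            else if (mode ~ /^1/)   print "v1"
            else if (remote ~ /^2/) print "v2"   # line absent, server is 2.0
            else                    print "unknown"
        }'
}

# Constructed sample: a client connecting to a server that still offers SSHv1.
SAMPLE_LOG='debug1: Connecting to host.example [192.0.2.10] port 22.
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.3
debug1: Enabling compatibility mode for protocol 2.0'

printf '%s\n' "$SAMPLE_LOG" | negotiated_protocol
classify_banner "SSH-1.99-OpenSSH_4.3"
```

Against a live server, pipe the real output in with: ssh -v user@host exit 2>&1 | negotiated_protocol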
10-27-2009, 02:18 PM   Postid: 176268
Mandi
Blond and Caffeinated
Forum Notability:
687 pts: Dignified Competence!
Join Date: Jan 1999
Location: Cape Cod, MA
Posts: 3,234
Re: [FQ Notice] End of support for Telnet and SSHv1

I just gave PuTTY a spin, and it has an interesting function - right click is automagically "paste" - it took me a minute to comprehend that, as no menu popped up, and of course the first instance where I need it is the randomized password I use for login . . . so no text shows up (as well it shouldn't.)

Once I realized what was happening, it's a handy little shortcut, but I thought I'd mention it in case anyone else is a new PuTTY user too.
__________________
Give me ambiguity or give me something else.

All times are GMT -4.