Enforce SSH protocol 2 in sshd_config on Linux endpoints to disable SSHv1 and block protocol downgrade attacks
This Automox Worklet™ pins OpenSSH to protocol version 2 on Linux endpoints by writing Protocol 2 into /etc/ssh/sshd_config. SSH protocol 1 was deprecated for cryptographic reasons, but it still surfaces on inherited servers, legacy images, and appliances where a vendor left it in place for backwards compatibility. The Worklet applies the fix across every Linux endpoint in scope at the same time, including jump boxes and build hosts that never make it onto a manual hardening checklist.
The remediation script greps sshd_config for an existing Protocol directive and rewrites it to Protocol 2 in place. If no directive exists, the script appends Protocol 2 to the file. A commented-out service sshd restart line is included for operators who want the change to take effect immediately rather than waiting for the next service reload. Because the evaluation phase always triggers remediation, the Worklet is safe to run as a recurring policy that holds the configuration in place across image refreshes and manual edits.
The Protocol directive was removed from sshd_config in OpenSSH 7.6, because version 1 support was deleted from the daemon entirely. On those newer builds the directive is silently ignored and causes no harm. On the long tail of older OpenSSH builds still in production, the directive is what closes the door.
SSH protocol 1 has known cryptographic weaknesses. The protocol uses a CRC32 checksum for integrity, which is not a cryptographic primitive and which Ariel Futoransky and Emiliano Kargieman broke publicly in 1998. SSHv1 is exposed to insertion attacks, session-key recovery, and downgrade to weak ciphers. Vulnerability scanners flag any sshd that negotiates protocol 1, and CIS Benchmark control 5.2.4 lists the Protocol 2 directive as a required configuration for compliant Linux builds. Auditors expect the directive in sshd_config even on hosts running OpenSSH 7.6 or newer where the daemon no longer speaks SSHv1, because the directive is the documentary evidence.
SSHv1 exposure is a drift problem: a one-line fix that gets applied to the bastion host the day the scanner finding lands, then never reaches the application servers, build hosts, and lab endpoints added after that initial remediation. Pushing the Protocol 2 directive through this Worklet on a recurring policy keeps the fix in place after every image rebuild, configuration management run, or admin login that touches sshd_config, and it produces a per-endpoint exit code that maps cleanly to CIS 5.2.4 evidence at audit time.
Evaluation phase: The evaluation script exits non-zero on every run so the policy always advances to remediation. This is a deliberate run-as-hardening pattern rather than a diffing check, because the Protocol directive needs to be present in sshd_config for audit evidence even when the running sshd would already refuse SSHv1. Treating evaluation as an unconditional trigger keeps the directive pinned across image refreshes, configuration management overwrites, and manual edits by another admin.
Remediation phase: The remediation script greps /etc/ssh/sshd_config for any line beginning with Protocol and rewrites the value to 2 using sed in place. When no Protocol line is found, the script appends Protocol 2 to the file. The commented service sshd restart line at the bottom of the script can be uncommented to apply the change without waiting for the next sshd reload. The script exits 0 after writing the directive; a non-zero exit indicates sshd_config was unreachable or the sed rewrite failed.
Linux endpoint running OpenSSH server (any distribution whose sshd reads its configuration from /etc/ssh/sshd_config)
Root or sudo privileges for the Automox agent (the default agent context already meets this)
Read and write access to /etc/ssh/sshd_config from the agent context
To activate the directive immediately, uncomment the service sshd restart line in remediation.sh; otherwise the change applies on the next sshd reload
Confirm no legacy clients, scripts, or vendor appliances on the network still negotiate SSH protocol 1 before scheduling fleet-wide
After remediation, /etc/ssh/sshd_config contains a single Protocol 2 line. On OpenSSH 5.4 through 7.5, sshd reads the directive at next reload and refuses any client that negotiates SSHv1 with the message Protocol major versions differ. On OpenSSH 7.6 and newer, SSHv1 support has been removed from the daemon entirely. The directive is silently ignored by sshd on those builds but still satisfies the CIS 5.2.4 control check and the configuration management audit trail. Either way, the endpoint stops accepting SSHv1.
Validate the change with sshd -T | grep -i protocol on the endpoint, or by running grep -E ^Protocol /etc/ssh/sshd_config and confirming the value is 2. For a connection-level check, run ssh -1 user@endpoint from a client that still supports SSHv1; a hardened endpoint replies with Protocol major versions differ and closes the socket. For long-term assurance, schedule this Worklet on a recurring policy so the next evaluation re-pins the directive any time a build script, configuration management run, or admin edit removes it. The remediation is idempotent, so repeat runs on a correctly configured endpoint rewrite the existing Protocol 2 directive to the same value without causing harm.
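The rewrite-or-append remediation described above, together with the grep-based validation, as an added example in POSIX sh. It is not the Worklet's own evaluation.sh or remediation.sh: the function names, the overridable SSHD_CONFIG variable and the mktemp-based demo are assumptions made here so the logic can be exercised against a constructed sample file rather than a live host. It also goes slightly beyond the page's script in two ways: a file with several active Protocol lines is collapsed to a single Protocol 2 directive (matching the "single Protocol 2 line" end state), and a file without a trailing newline still gets a clean appended line. Unlike the Worklet's evaluation phase, which exits non-zero unconditionally, evaluate_protocol here is a real check, intended for the post-remediation validation step.

```shell
#!/bin/sh
# Added example, not the Worklet's own scripts. Assumption: SSHD_CONFIG can be
# overridden so the functions run against a sample file instead of the live one.
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Matches an active (uncommented) Protocol directive; "#Protocol 2" is left alone.
PROTO_RE='^[[:space:]]*Protocol[[:space:]]'

# evaluate_protocol FILE
#   0 -> exactly one active directive and it reads "Protocol 2" (the desired end state)
#   1 -> directive missing, wrong value (e.g. "Protocol 2,1"), or duplicated
#   2 -> file not readable from this context
evaluate_protocol() {
    file="$1"
    [ -r "$file" ] || return 2
    count=$(grep -cE "$PROTO_RE" "$file" || true)
    if [ "$count" -eq 1 ] && grep -qE '^[[:space:]]*Protocol[[:space:]]+2[[:space:]]*$' "$file"; then
        return 0
    fi
    return 1
}

# remediate_protocol FILE
#   Rewrites the first active Protocol line to "Protocol 2", drops any further
#   active Protocol lines so one directive remains, and appends "Protocol 2"
#   when the file has none. Comments and all other directives are preserved.
#   Output is staged in a temp file and copied back over FILE so the original
#   inode, owner and mode are kept. Returns 0 on success, 1 on a write failure.
remediate_protocol() {
    file="$1"
    [ -w "$file" ] || return 1
    tmp="${file}.pin.$$"
    if grep -qE "$PROTO_RE" "$file"; then
        # First active Protocol line becomes "Protocol 2"; later ones are dropped.
        awk 'BEGIN { seen = 0 }
             /^[ \t]*Protocol[ \t]/ { if (!seen) { print "Protocol 2"; seen = 1 }; next }
             { print }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    else
        # awk's print terminates the last record with a newline even if the
        # source file lacked one, so the appended directive is never glued on.
        awk '{ print } END { print "Protocol 2" }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    cat "$tmp" > "$file" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    return 0
}

# demo_protocol_pin: constructed sample config (not a real host file) covering
# the cases the Worklet text describes: rewrite in place, ignore commented-out
# lines, and leave exactly one Protocol 2 directive behind.
demo_protocol_pin() {
    f=$(mktemp) || return 1
    printf '# constructed sample sshd_config\nPort 22\nProtocol 2,1\n#Protocol 2\nPermitRootLogin no\n' > "$f"
    if evaluate_protocol "$f"; then
        echo "already pinned"
    else
        remediate_protocol "$f" && echo "rewrote directive:" && grep -E "$PROTO_RE" "$f"
    fi
    rm -f "$f"
}

demo_protocol_pin
```

On a live host, run remediate_protocol "$SSHD_CONFIG" as root, then run sshd -t to confirm the daemon still parses the file before reloading it; evaluate_protocol "$SSHD_CONFIG" afterwards is the same check as grep -E ^Protocol /etc/ssh/sshd_config, just with the duplicate and wrong-value cases made explicit.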