
Set SSH to Version 2

Configures SSH to require protocol version 2 only by setting the Protocol parameter in sshd_config

Worklet Details

What the SSH protocol version enforcer does

This Automox Worklet™ configures OpenSSH to use only SSH protocol version 2 by setting Protocol 2 in /etc/ssh/sshd_config. SSH version 1 was deprecated due to design flaws and cryptographic weaknesses, but some systems may still have it enabled for legacy compatibility.

The Worklet searches for an existing Protocol setting and updates it, or appends the setting if not present. Modern OpenSSH versions default to protocol 2, but explicit configuration satisfies security audits and prevents accidental re-enablement of version 1.

Why enforce SSH protocol version 2

SSH protocol version 1 has fundamental security flaws. It uses CRC32 for integrity checking, which is not cryptographically secure. It is vulnerable to man-in-the-middle attacks, session hijacking, and insertion attacks. These weaknesses have been known for decades.

SSH protocol version 2 addresses all these issues with proper HMAC integrity checking, stronger key exchange algorithms, and better session security. There is no legitimate reason to use version 1 on modern systems.

Compliance frameworks and security benchmarks require SSH version 2. Vulnerability scanners flag any system that accepts version 1 connections. This Worklet helps you demonstrate compliance and eliminate an unnecessary attack vector.

How SSH protocol enforcement works

  1. Evaluation phase: Always triggers remediation (exit 1) to apply the configuration. This is a run-once hardening action.

  2. Remediation phase: Uses grep and sed to find and update any existing Protocol line to Protocol 2. If no existing line is found, appends Protocol 2 to /etc/ssh/sshd_config. An optional sshd restart is available by uncommenting the service restart line.

SSH protocol version requirements

  • Linux endpoints with OpenSSH server installed

  • Root privileges for the Automox agent

  • To apply the change immediately, uncomment the service sshd restart line in the remediation script

  • Verify no legacy applications require SSH version 1

Expected SSH protocol configuration

After remediation and sshd restart, the server only accepts SSH version 2 connections. Note that the Protocol setting was deprecated and removed in OpenSSH 7.6 because version 1 support was completely removed. On these newer versions, the setting has no effect but is harmless.

For older OpenSSH versions, verify the setting with sshd -T | grep protocol or by checking /etc/ssh/sshd_config directly. Clients attempting to connect with version 1 will receive connection errors. All modern SSH clients default to version 2 and will connect without issues.
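The two-phase flow described under "How SSH protocol enforcement works", together with the file-level check described in this section, as an added example; this is not the Worklet's own script. The config-path argument (defaulting to /etc/ssh/sshd_config so the logic can be tried on a scratch copy first), the function names, and the fact that the evaluation phase inspects the file instead of always returning 1 are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example, not the Worklet's own script. Reproduces the grep/sed
# remediation flow against a config path passed as an argument (assumed
# default: /etc/ssh/sshd_config) so it can be exercised on a scratch copy.

# Print the value of the first active Protocol line, or "unset" when no
# active line exists. sshd honours the first occurrence of a keyword, so the
# first active line is the one that matters.
configured_ssh_protocol() {
    local cfg="${1:-/etc/ssh/sshd_config}"
    local val
    val=$(grep -E '^[[:space:]]*[Pp]rotocol[[:space:]]+' "$cfg" | head -n 1 | awk '{print $2}')
    printf '%s\n' "${val:-unset}"
}

# Evaluation phase: return 0 when compliant, 1 when remediation is needed.
# Unlike the Worklet, which always exits 1, this makes repeated runs idempotent.
evaluate_ssh_protocol() {
    [ "$(configured_ssh_protocol "$1")" = "2" ]
}

# Remediation phase: rewrite every active Protocol line to "Protocol 2", or
# append one when none exists. Commented-out lines are left untouched.
set_ssh_protocol_2() {
    local cfg="${1:-/etc/ssh/sshd_config}"
    if grep -Eq '^[[:space:]]*[Pp]rotocol[[:space:]]' "$cfg"; then
        sed -E -i 's/^[[:space:]]*[Pp]rotocol[[:space:]].*$/Protocol 2/' "$cfg"
    else
        # Guarantee a trailing newline so the appended line is not glued
        # onto the previous one.
        [ ! -s "$cfg" ] || [ -z "$(tail -c 1 "$cfg")" ] || printf '\n' >> "$cfg"
        printf 'Protocol 2\n' >> "$cfg"
    fi
    # Uncomment to apply immediately, as the Worklet's optional restart line does:
    # service sshd restart
}

# Run both phases the way the agent would: remediate only when evaluation fails,
# then re-evaluate to confirm the file now sets Protocol 2.
enforce_ssh_protocol_2() {
    local cfg="${1:-/etc/ssh/sshd_config}"
    if evaluate_ssh_protocol "$cfg"; then
        echo "compliant: $cfg already sets Protocol 2"
        return 0
    fi
    set_ssh_protocol_2 "$cfg"
    evaluate_ssh_protocol "$cfg" && echo "remediated: $cfg now sets Protocol 2"
}
```

Run enforce_ssh_protocol_2 as root against the real path, or pass a copy of sshd_config first. The check reads the first active Protocol line rather than the last because that is the one sshd applies; a commented-out line such as #Protocol 1 is never treated as a setting. On OpenSSH versions where the keyword has been removed, sshd -T prints no protocol value, so the file check is the only evidence the setting is present.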

How to validate set ssh to version 2 changes

  1. Run this Worklet on a pilot Linux endpoint and review the evaluation output for Set SSH to Version 2.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify the endpoint state with checks aligned to the evaluation script logic, such as its exit code.

  4. Validate the remediation effects of the script operations, such as the grep check of sshd_config and the exit code, then rerun the evaluation to confirm compliance.

For technical validation, compare the endpoint state to the Worklet's evaluation logic and remediation flow for Set SSH to Version 2. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include the evaluation script's exit code and the remediation script's grep and exit operations. Use these indicators to verify that endpoint changes match the intended policy outcome.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
