Update OpenSSH

  • This page was last modified on August 23, 2011, at 12:06.
The (mt) Community Wiki is a collaborative project. Any (mt) Media Temple customer or employee may contribute. Not all articles and/or content have been tested for accuracy by (mt) Media Temple.

For officially moderated and tested articles, be sure to visit our KnowledgeBase.

Many customers have wanted to update OpenSSH for PCI Compliance reasons. Unfortunately, CentOS doesn't keep up-to-date software versions in its repositories; instead, it applies security fixes to the existing packages while keeping the software version number. Since most PCI Compliance scans look at the software version, and not at the security fix level, the scan will fail. This article goes over how to upgrade OpenSSH. Please note that each line in the command boxes is a single command; run them one at a time rather than copying and pasting the entire box at once.

Results

Your server will now have an updated version of OpenSSH.

Please note that this article goes over making significant changes to your server, so we recommend making backups before upgrading. Also note that this is outside of (mt) Media Temple's Scope of Support http://mediatemple.net/support/statement.php#dv.

Requirements

This article has the following dependencies:

root access enabled: Enable Root Access
Developer Tools installed: Install Developer Tools
Update your software using yum: yum -y upgrade

Instructions

1. Connect to your server via SSH as root.

2. Once logged in, run the following commands, one line at a time:

cd /root
wget http://mirror.team-cymru.org/pub/OpenBSD/OpenSSH/portable/openssh-5.8p2.tar.gz && tar zxvf openssh-5.8p2.tar.gz
cd openssh-5.8p2
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam
make
make install
service sshd restart

3. You should now have the most recent version of OpenSSH installed. You can verify this by typing the following:

ssh -V

You should now see the following:

OpenSSH_5.8p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
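
Step 3 checks the ssh client binary, while a remote scan reads the identification string sent by the running sshd. The following is an added example, not part of the original article: it parses that string (RFC 4253, section 4.2) and compares it with the expected version. The function names and the 127.0.0.1:22 address are assumptions, and reading the socket requires bash.

```bash
#!/bin/bash
# Added example, not from the original article. Function names are hypothetical.

# software_version: read server output on stdin and print the softwareversion
# field of the first SSH identification line ("SSH-<proto>-<software> [comments]").
# Returns 1 if no such line is seen.
software_version() {
    local line cr
    cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}                 # drop the CR of the CRLF terminator
        case $line in
            SSH-*-*)
                line=${line#SSH-*-}        # strip "SSH-<protoversion>-"
                printf '%s\n' "${line%% *}"  # drop optional comments
                return 0 ;;
        esac                               # anything else is pre-banner text
    done
    return 1
}

# daemon_banner HOST PORT: print what the listening sshd sends on connect.
# Uses bash's /dev/tcp; gives up after 5 seconds without a line.
daemon_banner() {
    bash -c 'exec 3<>"/dev/tcp/$0/$1" || exit 1
             while IFS= read -r -t 5 l <&3; do
                 printf "%s\n" "$l"
                 case $l in SSH-*) exit 0 ;; esac
             done
             exit 1' "$1" "$2"
}

# check_banner EXPECTED: compare the banner on stdin with EXPECTED.
# Returns 0 on match, 1 on mismatch, 2 if no SSH banner was seen.
check_banner() {
    local got
    got=$(software_version) || { echo "no SSH banner seen" >&2; return 2; }
    if [ "$got" = "$1" ]; then
        echo "OK: daemon advertises $got"
    else
        echo "MISMATCH: daemon advertises $got, expected $1" >&2
        return 1
    fi
}

# On the server, after "service sshd restart" (address is an assumption):
#   daemon_banner 127.0.0.1 22 | check_banner OpenSSH_5.8p2
```

A mismatch here while the client check passes usually means the listening daemon is still the old binary, for example because the restart did not succeed.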

While you can compile OpenSSH against the latest version of OpenSSL, it seems that upgrading OpenSSL on CentOS breaks quite a few binaries, such as Apache, PHP, Python, Perl, and YUM, among others. Unless you compile each and every one of these binaries against the new OpenSSL, do not upgrade OpenSSL on your (dv) Dedicated-Virtual Server.

Contributions

Thanks to the following website, where I was able to grab this information:
http://blog.lowkey.net.my/tag/centos-openssh/