Tuesday, November 24, 2015

Upgrading OpenSSH on CentOS

If you’ve taken a peek at your PCI scan results lately, you may have noticed that your scan provider is now requiring OpenSSH 6.6 or higher due to CVE-2014-2532 – a version that is not currently available in the CentOS 5 or 6 repositories. A Yum update isn’t going to help you much there.
You can, however, easily compile your own RPM and manually upgrade OpenSSH. The commands below are the ones I used to install version 6.6 (the latest stable at the time of this post), but can essentially be used for any compatible version.
First, download the OpenSSH source tarball from the vendor and unpack it. You can find the tarballs at http://www.openssh.com/portable.html
cd /usr/src
wget http://mirror.team-cymru.org/pub/OpenBSD/OpenSSH/portable/openssh-6.8p1.tar.gz
tar -xvzf openssh-6.8p1.tar.gz

You may need to install a few things for the RPM build to work:
yum install rpm-build gcc make wget openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel
Copy the spec file and tarball:
mkdir -p /root/rpmbuild/{SOURCES,SPECS}
cp ./openssh-6.8p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
cp openssh-6.8p1.tar.gz /root/rpmbuild/SOURCES/
Do a little magic:
cd /root/rpmbuild/SPECS
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
sed -i -e "s/BuildPreReq/BuildRequires/g" /root/rpmbuild/SPECS/openssh.spec
…and build your RPM:
rpmbuild -bb openssh.spec
Now if you go back into /root/rpmbuild/RPMS/<arch>, you should see three RPMs. Go ahead and install them:
rpm -Uvh *.rpm
To verify the installed version, just type ‘ssh -v localhost’ and you should see the banner come up, indicating the new version.
*IMPORTANT! You may want to open a new SSH session to your server before exiting, to make sure everything is working! If you have a problem, simply:
yum downgrade openssh-server
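The whole procedure above is really two risky moments: editing the spec at the wrong path (so the askpass defines never get flipped and the build pulls in GNOME/X11 bits or fails on a missing dependency) and trusting that the new package is actually what the scanner now sees. The script below is an added example written for this post, not the author's commands; it wraps the three sed edits in a path check and parses the ssh -V banner to confirm the installed version meets the 6.6 minimum from the PCI scan. The function names, the /root/rpmbuild tree and the "OpenSSH_X.Y..." banner format are assumptions; the sample spec lines and banners in the test are constructed.

```shell
#!/bin/sh
# Added example for this post (not the author's commands). Assumes the
# CentOS 6 rpmbuild tree under /root/rpmbuild and the "OpenSSH_X.Y..."
# banner that `ssh -V` prints on stderr. Function names are hypothetical.

# Apply the three spec-file edits from the post, refusing to continue when
# the spec is not where we expect it: a wrong path means the edits never
# land and rpmbuild later works from an unmodified spec.
patch_spec() {
    spec="$1"
    if [ ! -f "$spec" ]; then
        echo "spec file not found: $spec" >&2
        return 1
    fi
    sed -i \
        -e 's/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g' \
        -e 's/%define no_x11_askpass 0/%define no_x11_askpass 1/g' \
        -e 's/BuildPreReq/BuildRequires/g' "$spec"
}

# Print "major minor" from a banner such as
# "OpenSSH_6.8p1, OpenSSL 1.0.1e-fips 11 Feb 2013"; prints nothing when
# the string is not an OpenSSH banner.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Return 0 if the banner's version is >= the required "major.minor",
# 1 if it is older, 2 if the banner could not be parsed.
version_at_least() {
    banner="$1"
    req="$2"
    set -- $(openssh_version "$banner")
    [ -n "${1:-}" ] || return 2
    have_major=$1
    have_minor=$2
    req_major=${req%%.*}
    req_minor=${req#*.}
    if [ "$have_major" -gt "$req_major" ]; then
        return 0
    fi
    if [ "$have_major" -eq "$req_major" ] && [ "$have_minor" -ge "$req_minor" ]; then
        return 0
    fi
    return 1
}

# Check the ssh binary actually installed on this host against the
# scanner's minimum (6.6 in the post). ssh -V writes its banner to stderr.
check_installed() {
    version_at_least "$(ssh -V 2>&1)" "${1:-6.6}"
}

# Usage: sh check_openssh.sh check   (no argument: only define the functions)
case "${1:-}" in
    check)
        if check_installed 6.6; then
            echo "OpenSSH version meets the 6.6 minimum"
        else
            echo "OpenSSH version is below 6.6 (or the banner could not be parsed)" >&2
            exit 1
        fi
        ;;
esac
```

Run patch_spec against /root/rpmbuild/SPECS/openssh.spec in place of the three sed lines, and run the script with the check argument after rpm -Uvh and again from your fresh SSH session: a parse failure (exit 2) is worth treating as a failure too, since a scanner will not give an unrecognised banner the benefit of the doubt.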

By thecpaneladmin.com 

1 comment:

  1. there is no /usr/src/redhat/ in your "magic" section. Maybe you wanted to use root/rpmbuild/?
