CentOS 6.8 upgrade ssh

Hmm. Okay. This is new. CentOS 6.8 is the platform – and it is patched up to date – however it appears to be running a dark-ages version of OpenSSH. This is far from ideal, and a fix that involves upgrading that rather than a host migration is the way forwards if at all possible.

So – breaking the “sure, I want the new version, I will compile from source” mantra of years gone by and realising that in a production environment, if it’s not in an RPM or DEB you are asking for trouble – here is an outline of how to restore a little magic to your SSH without looking at a full migration to get around it.

This is generally BAD: while the wider world does not have access to this port, the PCI scanner does, as it is allowed through all the good stuff to get to the soft underbelly. Xauth Command Injection, J-PAKE, Child_set_env() Bypass – the list is long and distinguished.

This story starts looking a little like this:

[~]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

[~]# cat /etc/redhat-release
CentOS release 6.8 (Final)

…and ends looking a lot like this:

[~/rpmbuild/RPMS/x86_64]# ssh -V
OpenSSH_7.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

Happy days.

So these were the steps involved.

cd /usr/src

wget http://mirror.jmu.edu/pub/OpenBSD/OpenSSH/portable/openssh-7.3p1.tar.gz

tar -xvzf openssh-7.3p1.tar.gz

yum install rpm-build gcc make wget openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel

mkdir -p /root/rpmbuild/{SOURCES,SPECS}

cp ./openssh-7.3p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/

cp openssh-7.3p1.tar.gz /root/rpmbuild/SOURCES/

cd /root/rpmbuild/SPECS

Make the changes here:

sed -i -e 's/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g' openssh.spec
sed -i -e 's/%define no_x11_askpass 0/%define no_x11_askpass 1/g' openssh.spec
sed -i -e 's/BuildPreReq/BuildRequires/g' openssh.spec

Build that to RPM:

rpmbuild -bb openssh.spec

Go find the goodness:

cd /root/rpmbuild/RPMS/x86_64

There should be four RPMs in there – let’s have that – and cross our fingers:

rpm -Uvh *.rpm

Now you can do the whole:

ssh -V

to show the new version number and then BEFORE YOU LOG OUT – try logging in from another console.

If it would appear that it has all gone horribly wrong… then it is a good job you have backups!

Equally you can roll this back with:

yum downgrade openssh-server
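The steps above are typed one at a time, and two of them fail silently: sed says nothing when a pattern does not match, and `ssh -V` only tells you the version if you read it. Here is a small pre-flight/post-flight helper that wraps those checks – it is an added example, not part of the original post or the cPanel article it credits. It assumes the same spec edits and the same 7.3p1 target as the post; the script name and the `check` argument are invented for this example. It does not run rpmbuild or rpm itself, only the checks you would want around them.

```shell
#!/bin/sh
# openssh-preflight.sh (hypothetical name) - checks around the OpenSSH RPM
# rebuild on CentOS 6. Added example; not from the original post.

TARGET_VERSION="7.3p1"   # version the post builds; change to taste

# Pull "5.3p1" out of the banner that `ssh -V` prints, e.g.
# "OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013" -> "5.3p1"
openssh_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*p[0-9]*\).*/\1/p'
}

# Major and minor fields of a version like 7.3p1 or 6.6.1p1 (portable
# "pN" suffix and any third field are ignored).
ver_major() { printf '%s' "${1%%.*}"; }
ver_minor() { m=${1#*.}; m=${m%%.*}; printf '%s' "${m%%p*}"; }

# True (exit 0) when the installed version is older than the target.
needs_upgrade() {
    installed="$1"; target="$2"
    if [ "$(ver_major "$installed")" -lt "$(ver_major "$target")" ]; then
        return 0
    fi
    if [ "$(ver_major "$installed")" -eq "$(ver_major "$target")" ] &&
       [ "$(ver_minor "$installed")" -lt "$(ver_minor "$target")" ]; then
        return 0
    fi
    return 1
}

# Apply the three spec edits from the post and confirm each one landed;
# GNU sed is silent on a miss, so grep afterwards. Exit 0 only if all
# three substitutions are visible in the file.
patch_spec() {
    spec="$1"
    sed -i -e 's/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g' \
           -e 's/%define no_x11_askpass 0/%define no_x11_askpass 1/g' \
           -e 's/BuildPreReq/BuildRequires/g' "$spec"
    grep -q '^%define no_gnome_askpass 1' "$spec" || return 1
    grep -q '^%define no_x11_askpass 1' "$spec"   || return 1
    if grep -q 'BuildPreReq' "$spec"; then return 1; fi
    return 0
}

# Report the installed version, and (run as root, after `rpm -Uvh` and
# BEFORE logging out) have the new sshd parse the existing config:
# `sshd -t` exits non-zero on a config it will refuse to start with.
preflight() {
    banner=$(ssh -V 2>&1) || { echo "ssh not found" >&2; return 2; }
    installed=$(openssh_version_from_banner "$banner")
    if needs_upgrade "$installed" "$TARGET_VERSION"; then
        echo "OpenSSH $installed installed; rebuild to $TARGET_VERSION needed"
    else
        echo "OpenSSH $installed installed; at or above $TARGET_VERSION"
    fi
    if command -v sshd >/dev/null 2>&1; then
        sshd -t && echo "sshd_config accepted by installed sshd"
    fi
}

# Usage: sh openssh-preflight.sh check
#        sh openssh-preflight.sh spec /root/rpmbuild/SPECS/openssh.spec
case "${1:-}" in
    check) preflight ;;
    spec)  patch_spec "$2" && echo "spec patched: $2" ;;
esac
```

Run it with `check` before you start (it should say the rebuild is needed) and again after `rpm -Uvh` while your original session is still open; if `sshd -t` complains, fix the config or `yum downgrade` before opening that second console.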

Done. Kettle on.

*The original article was found here: http://thecpaneladmin.com/upgrading-openssh-on-centos-5/ – they have been quite the lifesaver today. Many thanks : )
