how to update openssl and openssh?

youyoums

I just use CentOS 7.3, and there are OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013. I want to update OpenSSH from 6.6.1p1 to OpenSSH 7.4/7.4p1 (2016-12-19).
 

Richard G

If available for CentOS 7, you use this command in a shell (SSH as root):
yum update

And it will update everything. If you only want openssh and openssl updated you can use "yum update openssl openssh".
If not available, wait until CentOS has fixed it. It's possible to build from Fedora RPMs but I would not advise that.
 

zEitEr

Hello,

OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013 is the latest available on CentOS 7. If you want to have OpenSSH 7.4 then you need to install it from sources.


1. Make sure you have IPKVM, IPMI or a virtual console in case the process fails.

2. Download from http://www.openssh.com/portable.html#http

Code:
./configure --prefix=/opt --sysconfdir=/etc/ssh
make && make install
check:

Code:
# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
[root@centos7 ssh]#
3. Test and fix the config:

Code:
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
you might need to run:

Code:
chmod 600 /etc/ssh/ssh_host_ed25519_key
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
and comment out or remove lines in /etc/ssh/sshd_config to fix the errors:

Code:
/etc/ssh/sshd_config line 94: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 95: Unsupported option GSSAPICleanupCredentials
/etc/ssh/sshd_config line 111: Unsupported option UsePAM
Make sure you have a regular user (not root) to connect to SSH, and then reboot the server (you might first try and restart sshd, but it might fail).



P.S. I don't guarantee that you won't face issues by following this guide. I described the steps I followed on my testing server. I can guarantee only what I do myself.

P.P.S. You might need to remove openssh rpm or protect your binaries from "downgrading" with yum/rpm packages.
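
Step 3 of the post above can be scripted. This is an added example, not part of the original post: it reads "Unsupported option" errors in the format shown above, comments those lines out in a copy of sshd_config, and lists host keys whose mode is not 600. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): act on `sshd -t` "Unsupported option"
# errors by commenting those lines out in a COPY of sshd_config.

# Read `sshd -t` error text on stdin; print the reported line numbers.
unsupported_lines() {
    sed -n 's/^.* line \([0-9][0-9]*\): Unsupported option .*$/\1/p'
}

# comment_out_lines CONFIG ERRORS: print CONFIG with each reported line
# prefixed by "#". Lines already commented and all others pass through.
comment_out_lines() {
    nums=$(unsupported_lines < "$2" | tr '\n' ' ')
    awk -v nums="$nums" '
        BEGIN { n = split(nums, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        (NR in bad) && $0 !~ /^[ \t]*#/ { print "#" $0; next }
        { print }
    ' "$1"
}

# loose_keys DIR: list host private keys in DIR whose mode is not 600.
loose_keys() {
    find "$1" -type f -name 'ssh_host_*_key' ! -perm 600
}

# Constructed sample data: a five-line config and matching error text in the
# format the post shows. Prints the patched config.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'Port 22' 'GSSAPIAuthentication yes' 'PermitRootLogin no' \
        'UsePAM yes' 'Subsystem sftp internal-sftp' > "$d/sshd_config"
    printf '%s\n' \
        "$d/sshd_config line 2: Unsupported option GSSAPIAuthentication" \
        "$d/sshd_config line 4: Unsupported option UsePAM" > "$d/errors"
    comment_out_lines "$d/sshd_config" "$d/errors"
    rm -rf "$d"
}

# Stand-alone use: script CONFIG ERRORS > CONFIG.new, then validate the copy
# with `sshd -t -f CONFIG.new` before replacing the live file.
if [ "$#" -eq 2 ]; then comment_out_lines "$1" "$2"; fi
```

Capture the errors with `sshd -t -f /etc/ssh/sshd_config 2> errors`, and keep the console access from step 1 open until the patched copy validates and a new login succeeds.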
 

zEitEr

As for upgrading OpenSSL search the forums... it has ready instructions.
 

kadek_mentik

> If available for CentOS 7, you use this command in a shell (SSH as root):
> yum update
>
> And it will update everything. If you only want openssh and openssl updated you can use "yum update openssl openssh".
> If not available, wait until CentOS has fixed it. It's possible to build from Fedora RPMs but I would not advise that.

Thanks @Richard G
So "yum update openssl" will update automatically in CentOS 7?
I am confused, because I see different methods in similar threads.
 

Richard G

> So "yum update openssl" will update automatically in CentOS 7?

Yes, provided there is an openssl update present. It also presents an update for openssl-devel if present too.

Example with Centos 8, but works the same in Centos 7:
Code:
[root@srv: /etc]# yum update openssl
CentOS-8 - AppStream                                                                                                   86 kB/s | 4.3 kB     00:00    
CentOS-8 - Base                                                                                                       1.1 MB/s | 3.9 kB     00:00    
CentOS-8 - Extras                                                                                                     3.5 kB/s | 1.5 kB     00:00    
CentOS-8 - PowerTools                                                                                                  21 kB/s | 4.3 kB     00:00    
Extra Packages for Enterprise Linux Modular 8 - x86_64                                                                 34 kB/s |  33 kB     00:00    
Extra Packages for Enterprise Linux 8 - x86_64                                                                         69 kB/s |  34 kB     00:00    
Dependencies resolved.
======================================================================================================================================================
 Package                               Architecture                   Version                                    Repository                      Size
======================================================================================================================================================
Upgrading:
 openssl                               x86_64                         1:1.1.1c-15.el8                            BaseOS                         697 k
 openssl-devel                         x86_64                         1:1.1.1c-15.el8                            BaseOS                         2.3 M
 openssl-libs                          x86_64                         1:1.1.1c-15.el8                            BaseOS                         1.5 M

Transaction Summary
======================================================================================================================================================
Upgrade  3 Packages
Total download size: 4.4 M
Is this ok [y/N]:
I always do "yum check-update" and see what is updated. Mostly I update everything which keeps the system up2date too.

I don't know which different methods you found, do you have an example?
 

kadek_mentik

@Richard G
OpenSSL doesn't update using this in CentOS7

[root@server ~]# yum update openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.web-ster.com
* epel: d2lzkl7pfhq30w.cloudfront.net
* extras: mirrors.xmission.com
* updates: mirrors.sonic.net
No packages marked for update

So I am still using the old version

[root@server ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
[root@server ~]#


But updating openssh seems to work correctly using "yum update openssh" in CentOS 7.

Otherwise, I saw this: https://forum.directadmin.com/threads/how-to-enable-http-2-in-apache-nginx-curl.52590/
But I have not yet tried that method for upgrading.
Thanks
 

Richard G

> OpenSSL doesn't update using this in CentOS7

Yes it does (as you could see from the openssh update), but I specifically wrote "provided there is an openssl update present" and at this moment there is no newer OpenSSL for CentOS 7.

So if you want to use a newer OpenSSL version on CentOS 7, this is not possible, or you have to do something like mentioned in the thread you pointed to. However, use at your own risk!
 

kadek_mentik

> Yes it does (as you could see from the openssh update), but I specifically wrote "provided there is an openssl update present" and at this moment there is no newer OpenSSL for CentOS 7.
>
> So if you want to use a newer OpenSSL version on CentOS 7, this is not possible, or you have to do something like mentioned in the thread you pointed to. However, use at your own risk!

Thank you very much, Richard G, for the answer...
 

bdacus01

Richard is correct. CentOS does bug fixes for that main level in general. You have to move up to CentOS 8 to get higher through RPM. Updating OpenSSL through the source is not really a standard process. Like Richard, I would rather move up in OS release than do some custom source process.
 

kadek_mentik

> Richard is correct. CentOS does bug fixes for that main level in general. You have to move up to CentOS 8 to get higher through RPM. Updating OpenSSL through the source is not really a standard process. Like Richard, I would rather move up in OS release than do some custom source process.

Thank you very much, Brent, for the answer.
 