How to update OpenSSL and OpenSSH?

youyoums

I just use CentOS 7.3, and there are OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013. I want to update OpenSSH from 6.6.1p1 to OpenSSH 7.4/7.4p1 (2016-12-19).
 
If available for Centos 7 you use this command in a shell (SSH as root):
yum update

And it will update everything. If you only want openssh and openssl updated you can use "yum update openssl openssh".
If not available, wait until Centos has fixed it. It's possible to build from fedora rpm's but I would not advise that.
 
Hello,

OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013 is the latest available on CentOS 7. If you want to have OpenSSH 7.4 then you need to install it from sources.


1. Make sure you have IPKVM, IPMI or a virtual console in case the process fails.

2. Download from http://www.openssh.com/portable.html#http

Code:
./configure --prefix=/opt --sysconfdir=/etc/ssh
make && make install

check:

Code:
# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
[root@centos7 ssh]#

3. test and fix config:

Code:
/usr/sbin/sshd -t -f /etc/ssh/sshd_config

you might need to run:

Code:
chmod 600 /etc/ssh/ssh_host_ed25519_key
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key

and comment out or remove lines in /etc/ssh/sshd_config to fix the errors:

Code:
/etc/ssh/sshd_config line 94: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 95: Unsupported option GSSAPICleanupCredentials
/etc/ssh/sshd_config line 111: Unsupported option UsePAM

Make sure you have a regular user (not root) to connect to SSH, and then reboot the server (you might first try and restart sshd, but it might fail).



P.S. I don't guarantee that you won't face issues by following this guide. I described the steps I followed on my testing server. I can guarantee only what I do myself.

P.P.S. You might need to remove openssh rpm or protect your binaries from "downgrading" with yum/rpm packages.
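
Step 3 of the post above as a script, added here as an example and not part of the original post: it reads `sshd -t` errors in the format quoted there, comments out the reported lines in a copy of the config, and lists host keys whose mode is not 600. The function names and the `.new` suffix are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): derive a patched copy of sshd_config
# from `sshd -t` errors instead of editing the live file by hand.

# Read `sshd -t` output on stdin; print the line numbers of every
# "line N: Unsupported option X" message, space-separated.
unsupported_lines() {
    sed -n 's/^.* line \([0-9][0-9]*\): Unsupported option .*$/\1/p' | paste -s -d ' ' -
}

# comment_out_lines CONFIG "N1 N2 ..." : print CONFIG with those lines
# commented out; lines that are already comments are left alone.
comment_out_lines() {
    awk -v nums="$2" '
        BEGIN { n = split(nums, a, " "); for (i = 1; i <= n; i++) drop[a[i]] = 1 }
        (FNR in drop) && $0 !~ /^[ \t]*#/ { print "#" $0; next }
        { print }
    ' "$1"
}

# loose_host_keys DIR : list private host keys whose mode is not exactly 600.
loose_host_keys() {
    find "$1" -type f -name 'ssh_host_*_key' ! -perm 600
}

# preflight SSHD CONFIG KEYDIR : write CONFIG.new and show what changed.
# Returns 0 only if no key is loose and the patched copy passes `sshd -t`.
preflight() {
    nums=$("$1" -t -f "$2" 2>&1 | unsupported_lines)
    comment_out_lines "$2" "$nums" > "$2.new"
    diff "$2" "$2.new" || true
    loose=$(loose_host_keys "$3")
    [ -z "$loose" ] || { echo "fix mode (chmod 600): $loose" >&2; return 1; }
    "$1" -t -f "$2.new"
}

# Example call with the paths used in the post:
#   preflight /usr/sbin/sshd /etc/ssh/sshd_config /etc/ssh
```

Review the diff before moving the `.new` file into place: each commented line is a feature this build lacks (GSSAPI and PAM in the errors above), so anything that relied on it no longer applies to SSH logins.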
 
As for upgrading OpenSSL search the forums... it has ready instructions.
 
Thanks @Richard G
So "yum update openssl" will update automatically in CentOS 7?
I am confused, because I see different methods in similar threads.
 
Yes, provided there is an openssl update present. It also presents an update for openssl-devel if present too.

Example with Centos 8, but works the same in Centos 7:
Code:
[root@srv: /etc]# yum update openssl
CentOS-8 - AppStream                                                                                                   86 kB/s | 4.3 kB     00:00    
CentOS-8 - Base                                                                                                       1.1 MB/s | 3.9 kB     00:00    
CentOS-8 - Extras                                                                                                     3.5 kB/s | 1.5 kB     00:00    
CentOS-8 - PowerTools                                                                                                  21 kB/s | 4.3 kB     00:00    
Extra Packages for Enterprise Linux Modular 8 - x86_64                                                                 34 kB/s |  33 kB     00:00    
Extra Packages for Enterprise Linux 8 - x86_64                                                                         69 kB/s |  34 kB     00:00    
Dependencies resolved.
======================================================================================================================================================
 Package                               Architecture                   Version                                    Repository                      Size
======================================================================================================================================================
Upgrading:
 openssl                               x86_64                         1:1.1.1c-15.el8                            BaseOS                         697 k
 openssl-devel                         x86_64                         1:1.1.1c-15.el8                            BaseOS                         2.3 M
 openssl-libs                          x86_64                         1:1.1.1c-15.el8                            BaseOS                         1.5 M

Transaction Summary
======================================================================================================================================================
Upgrade  3 Packages
Total download size: 4.4 M
Is this ok [y/N]:

I always do "yum check-update" and see what is updated. Mostly I update everything which keeps the system up2date too.

I don't know which different methods you found, do you have an example?
 
@Richard G
OpenSSL doesn't update using this in CentOS7

[root@server ~]# yum update openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.web-ster.com
* epel: d2lzkl7pfhq30w.cloudfront.net
* extras: mirrors.xmission.com
* updates: mirrors.sonic.net
No packages marked for update

So I am still using the old version

[root@server ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
[root@server ~]#


But updating openssh seems to work correctly using "yum update openssh" in CentOS 7.

Otherwise, I saw this: https://forum.directadmin.com/threads/how-to-enable-http-2-in-apache-nginx-curl.52590/
But I have not yet tried that method for upgrading.
Thanks
 
OpenSSL doesn't update using this in CentOS7
Yes it does (as you could see from the openssh update), but I specifically wrote "provided there is an openssl update present" and at this moment there is no newer Openssl for Centos 7.

So if you want to use a newer openssl version on Centos 7, this is not possible, or you have to do something like mentioned in the thread you pointed to. However use at your own risk!
 
Thank you very much, Richard G, for the answer...
 
Richard is correct. Centos do bug fixes for that main level in general. You have to move up to Centos 8 to get higher through RPM. Updating OpenSSL through the source is not really a standard process. Like Richard, I would rather move up in OS release than do some custom Source process.
 
Thank you very much, Brent, for the answer.
 