I am running CentOS 5.7 and need to upgrade OpenSSH to the latest stable version (PCI compliance issues). However, the most recent version available via the CentOS yum repository is 4.3p2. How can I update to the latest stable version using yum? Is there a different repository I should setup?
As far as security fixes are concerned, you're all set; your compliance scanner is the one that's wrong.
A lot of those scanners do their vulnerability detection via a check of the version string (in this case, a check of the string that OpenSSH sends to connecting clients, including its version), which often leads to false positives when those scanners assume "issue X was fixed in OpenSSH version 5.whatever". Try changing an Apache server to
ServerTokens Major
and watch the scanner light up with a bunch of 2.0 vulnerabilities, regardless of what version you're actually on. Figure out exactly what vulnerabilities the scan thinks you have, find them in the RPM's changelog, and send your scan vendor the version that you're on as proof that the scan's detection is a false positive. And this link, for good measure.
Keep in mind that Red Hat backports all security fixes into its stable version of SSH.
So, running a
yum update openssh
will update you to the latest, stable, patched version for your operating system. This should be good enough for any sane PCI compliance requirement, but it might require education on the part of the PCI compliance officer. Also see this related question for some useful tips: CentOS PCI Compliance assessment
Every PCI scanning company has different methods, but typically you can contest the result as a False Positive.
Provide them with your current OS version, SSH version and when it was installed.
I use
where name is the name of the RPMs for the service in which you are interested. In this case "ssh" will do.
Send them this data. This is usually sufficient in most cases.
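As an added example that is not code from any answer in this thread, the shell script below puts the two points above side by side: the banner-version comparison that a naive scanner performs, and the `rpm -q --changelog` evidence you would send back to contest the finding. The functions `banner_version`, `version_lt`, `scanner_by_banner`, `changelog_evidence` and `verdict` are my own names. `SAMPLE_BANNER` and `SAMPLE_CHANGELOG` are constructed sample data, the CVE identifiers in them are placeholders rather than real advisories, and the "fixed in 5.4" value is likewise a placeholder for whatever upstream release the scanner believes fixed the issue; on a live host you would substitute the real banner and the real changelog output.

```shell
#!/bin/sh
# Added example, not code from any answer in this thread.
# (a) the banner-version check a naive scanner performs and
# (b) the rpm changelog evidence you would send back to contest it.
#
# SAMPLE_BANNER and SAMPLE_CHANGELOG are constructed sample data; the CVE ids
# in them are placeholders, not real advisories. On a live host use instead:
#   SAMPLE_BANNER=$(ssh -v localhost 2>&1 | sed -n 's/.*remote software version //p')
#   SAMPLE_CHANGELOG=$(rpm -q --changelog openssh)

SAMPLE_BANNER='SSH-2.0-OpenSSH_4.3'

SAMPLE_CHANGELOG='* Tue Jan 01 2008 Example Packager <packager@example.com> - 4.3p2-99.el5
- backport upstream fix for CVE-0000-0001 (placeholder id)
- backport upstream fix for CVE-0000-0002 (placeholder id)
* Mon Jan 01 2007 Example Packager <packager@example.com> - 4.3p2-98.el5
- initial import'

# Pull the upstream major.minor out of an identification string, which is all
# a banner-only scanner ever sees: "SSH-2.0-OpenSSH_4.3" -> "4.3".
banner_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9.]*\).*/\1/p'
}

# Numeric comparison of dotted versions; true (exit 0) when $1 < $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Verdict a banner-only scanner gives: "vulnerable" whenever the advertised
# version is older than the release that fixed the issue upstream, whether or
# not the distribution backported the fix into the older version.
scanner_by_banner() {
    if version_lt "$(banner_version "$1")" "$2"; then
        echo vulnerable
    else
        echo not-vulnerable
    fi
}

# Print the changelog entry header (package release) plus the line(s) naming
# the CVE. Empty output means the changelog records no fix for that id.
changelog_evidence() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        /^\* /         { header = $0 }
        index($0, cve) { print header; print $0 }'
}

# Combine both: a changelog entry for the CVE turns the banner finding into a
# documented false positive; no entry plus an old banner means really unpatched.
verdict() {
    banner=$1 changelog=$2 cve=$3 fixed_in=$4
    if [ -n "$(changelog_evidence "$changelog" "$cve")" ]; then
        echo backported
    elif [ "$(scanner_by_banner "$banner" "$fixed_in")" = vulnerable ]; then
        echo unpatched
    else
        echo not-affected
    fi
}

# Usage with the constructed data: the scanner flags 4.3 < 5.4 (placeholder
# fixed-in version), but the changelog shows the fix was backported, so the
# finding is contestable and the printed changelog lines are the evidence.
echo "banner says: $(scanner_by_banner "$SAMPLE_BANNER" 5.4)"
echo "verdict:     $(verdict "$SAMPLE_BANNER" "$SAMPLE_CHANGELOG" CVE-0000-0001 5.4)"
changelog_evidence "$SAMPLE_CHANGELOG" CVE-0000-0001
```

The `verdict` output you want to see before replying to the scan vendor is `backported`; `unpatched` means the changelog genuinely has no entry for that id and the finding stands until `yum update openssh` pulls in a build that does.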
OpenSSH 4.3p2 is the only version of OpenSSH officially supported by CentOS 4.7.
Of course you could build a package for a more recent version of OpenSSH yourself but I doubt that this would solve your "PCI compliance issues".
What issues do you have exactly with OpenSSH 4.3p2?
To have PCI compliance I recently had to upgrade OpenSSH on CentOS 7 (OpenSSH 6.6) to OpenSSH 7.5 (latest version). I referred to this blog to upgrade. Hope this helps with the OpenSSH upgrade on CentOS 7.