Upgrading openssh?

tmccaff

I was told by my pci scan newed to update to newest openssh. How do I install it by source?

linuxhitman

(Oops! I just noticed this is a necro-thread -- I'll leave it JIC it will help someone.)

This is how I do it when I need to install a new version on CentOS 6 or CentOS 7.

This is for VERSION=7.9p1 -- latest is 8.0p1 but the process is essentially the same. The rpms are built as a non-root user in home directory. (See ~/.rpmmacros)

prerequisites
$ sudo yum install rpm-build gcc make wget openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel gtk2-devel

copy x11-ssh-askpass-1.2.4.1.tar.gz to ~/rpms/SOURCES (this file can be hard to find...)

copy the openssh tar.gz file to ~/rpms/SOURCES

cd to ~/rpms/SOURCES
$ cd ~/rpms/SOURCES

extract tar file
$ tar -xvzf openssh-7.9p1.tar.gz

$ cd openssh-7.9p1

copy system pam.d/ssh file to extracted archive
$ cp /etc/pam.d/sshd contrib/redhat/sshd.pam.old

copy spec file to SPECS directory
$ cp contrib/redhat/openssh.spec ~/rpms/SPECS/.

$ cd ..

rebuild the tar file
$ tar -zcpf openssh-7.9p1.tar.gz openssh-7.0p1

$ cd ~/rpms/SPECS

check version of openssl-devel should be >=1.0.1 and < 1.1
$ openssl version

if desired, edit openssh.spec to disable gnome askpass programs. It is
only necessary for desktops and can be removed from servers.
%define no_gnome_askpass 1

might need to comment out this line -- dunno why
BuildRequires: openssl-devel < 1.1

these are probably not necessary any more
replace BuildPreReq with BuildRequires
comment out the entries for slogin and slogin.1 under %files clients

build a src.rpm and .rpm file (use -ba to build both, -bs to build src.rpm only)
$ rpmbuild -ba openssh.spec