BestHub
Sign in
Operations 5 min read

How to Safely Upgrade OpenSSH and OpenSSL on CentOS 7

This step‑by‑step guide shows how to upgrade the outdated OpenSSH 7.4p1 and OpenSSL 1.0.2k on a CentOS 7 server by first installing Telnet as a fallback, removing the old packages, installing OpenSSL 1.1.1g, compiling OpenSSH 8.3p1, adjusting the configuration, and finally testing the new SSH service.

Raymond Ops
Raymond Ops
Raymond Ops
How to Safely Upgrade OpenSSH and OpenSSL on CentOS 7

OpenSSH is the free open‑source implementation of the SSH protocol and frequently suffers security vulnerabilities. The version bundled with CentOS 7 (OpenSSH_7.4p1, OpenSSL 1.0.2k‑fips 26 Jan 2017) is outdated, so upgrading both OpenSSH and OpenSSL is required.

This tutorial applies only to CentOS 7.

Enable Telnet

This step provides a fallback in case the upgrade fails and you lose SSH access; because Telnet transmits data in clear text, be sure to disable it after use.
<code># Install telnet service
yum install -y telnet-server

# Start telnet service
systemctl status telnet.socket

# Open firewall port 23
defirewall-cmd --permanent --add-port=23/tcp
firewall-cmd --reload

# From Windows, open cmd and telnet to the server
telnet [server_ip]

# Linux7 does not allow direct root login for security; workaround:
mv /etc/securetty /etc/securetty_bak</code>

Stop service and uninstall the existing OpenSSH

<code>systemctl stop sshd
# List installed ssh packages
rpm -qa | grep openssh
# Remove rpm‑installed ssh packages
rpm -e openssh --nodeps && rpm -e openssh-clients --nodeps && rpm -e openssh-server --nodeps
# Verify removal
rpm -qa | grep openssh</code>

Pre‑operations

<code># Install related dependencies
yum install -y pam* zlib*
# Backup original ssh configuration
mv /etc/ssh /etc/ssh_bak</code>

Install OpenSSL (1.1.1g)

<code>mkdir ./sshupdate
cd ./sshupdate
wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz
tar -xzvf openssl-1.1.1g.tar.gz
cd openssl-1.1.1g
./config --prefix=/usr/ --openssldir=/usr/ shared
make && make install
# Verify version
openssl version
# Expected output: OpenSSL 1.1.1g  21 Apr 2020</code>

Install OpenSSH (8.3p1)

<code>wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz
tar -xzvf openssh-8.3p1.tar.gz
cd openssh-8.3p1
./configure --with-zlib --with-ssl-dir --with-pam --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc/ssh
make && make install
cp contrib/redhat/sshd.init /etc/init.d/sshd
# Verify version
ssh -V
# Expected output: OpenSSH_8.3p1, OpenSSL 1.1.1g  21 Apr 2020</code>

Modify configuration file

<code>vim /etc/ssh/sshd_config
# Change "#PermitRootLogin prohibit-password" to "PermitRootLogin yes" and uncomment
# If using a non‑standard port, adjust the Port directive accordingly
# Disable SELinux
sed -i.bak 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux
setenforce 0</code>

Restart OpenSSH

<code>nohup service sshd restart
nohup systemctl restart sshd
# Add to startup
chkconfig --add sshd</code>

Test

Open a new terminal and connect to the server with SSH. If login fails, clear the files under

/root/.ssh/

and try again.

LinuxOpenSSLServer AdministrationOpenSSHCentOS7
Raymond Ops
Written by

Raymond Ops

Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.

0 followers
Reader feedback

How this landed with the community

login Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment