Step‑by‑Step Guide to Upgrade OpenSSH and OpenSSL on CentOS 7
This tutorial walks you through safely upgrading OpenSSH (to 8.3p1) and OpenSSL (to 1.1.1g) on CentOS 7, covering prerequisite OpenSSL upgrade, service shutdown, dependency installation, source compilation, configuration tweaks, and verification steps.
OpenSSH is the free, open‑source implementation of the SSH protocol and frequently receives security patches. CentOS 7 ships an outdated version (OpenSSH_7.4p1, OpenSSL 1.0.2k‑fips 26 Jan 2017), so upgrading both OpenSSH and its OpenSSL dependency is essential.
This guide targets CentOS 7 only.
Enable Telnet (fallback)
This step provides a plain‑text fallback in case the SSH upgrade fails, allowing you to regain access. Remember to disable Telnet after use.
# Install telnet service
yum install -y telnet-server
# Start telnet service
systemctl status telnet.socket
# Open firewall port 23
default-cmd --permanent --add-port=23/tcp
firewall-cmd --reload
# From Windows, open cmd and telnet to the server
telnet [SERVER_IP]
# For CentOS 7, disable direct root login
mv /etc/securetty /etc/securetty_bakStop and Remove Existing OpenSSH
systemctl stop sshd
# List installed ssh packages
rpm -qa | grep openssh
# Remove rpm‑installed ssh packages
rpm -e openssh --nodeps && rpm -e openssh-clients --nodeps && rpm -e openssh-server --nodeps
# Verify removal
rpm -qa | grep opensshPre‑operations
# Install required dependencies
yum install -y pam* zlib*
# Backup current ssh configuration
mv /etc/ssh /etc/ssh_bakInstall OpenSSL 1.1.1g
mkdir ./sshupdate
cd ./sshupdate
wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz
tar -xzvf openssl-1.1.1g.tar.gz
cd openssl-1.1.1g
./config --prefix=/usr/ --openssldir=/usr/ shared
make && make install
# Verify version
openssl version
# Expected output: OpenSSL 1.1.1g 21 Apr 2020Install OpenSSH 8.3p1
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz
tar -xzvf openssh-8.3p1.tar.gz
cd openssh-8.3p1
./configure --with-zlib --with-ssl-dir --with-pam --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc/ssh
make && make install
cp contrib/redhat/sshd.init /etc/init.d/sshd
# Verify version
ssh -V
# Expected output: OpenSSH_8.3p1, OpenSSL 1.1.1g 21 Apr 2020Modify Configuration
vim /etc/ssh/sshd_config
# Change "#PermitRootLogin prohibit-password" to "PermitRootLogin yes" and uncomment
# If using a non‑standard port, adjust the Port directive accordingly
# Disable SELinux
sed -i.bak 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux
setenforce 0Restart OpenSSH
nohup service sshd restart
nohup systemctl restart sshd
# Enable autostart
chkconfig --add sshdTest the New Setup
Open a new terminal and connect to the server with ssh user@SERVER_IP. If login fails, clear the files under /root/.ssh/ and retry.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.