OpenSSH Security Upgrade Guide: Detailed Online and Offline Solutions

Critical Warnings#

Before upgrading OpenSSH on any production host you MUST have a tested rollback plan: a VM snapshot or clone taken immediately before you start, or at minimum a record of every command executed so the change can be reverted by hand. Also make sure an out-of-band console (hypervisor console, IPMI/iLO/iDRAC, serial) is reachable before you begin; it is the only way back in if sshd stops accepting logins.

Prerequisites#

  1. OpenSSL source package (only needed if the installed OpenSSL is too old for the target OpenSSH release)
  2. OpenSSH source package
  3. A build toolchain on the target host: gcc, make, and the zlib and PAM development headers (zlib-devel and pam-devel on the RHEL family; zlib1g-dev and libpam0g-dev on Debian/Ubuntu)

Upgrade Procedures#

Online upgrades via package managers are straightforward. The offline path is not: it removes the packaged OpenSSH before the new build is installed, and between those two steps no new SSH login is possible. Your current session survives (the distro units use KillMode=process, so stopping the listener does not kill the sessions it already spawned), so keep it open and open a second one beforehand. If you lose it anyway you are down to the console: hypervisor/VNC, IPMI, serial, or Telnet if it is still running, all of which make recovery considerably harder.

1. Online Environment#

Upgrading a connected host is simple: apt, dnf or yum pull the fix from the distribution repositories. Those packages usually show an older upstream version number than the current OpenSSH release, but that does not mean they are unpatched: distributions backport security fixes into the packaged version, and the package changelog (rpm -q --changelog openssh-server, or /usr/share/doc/openssh-server/changelog.Debian.gz) records which CVEs were addressed. Compile from source only when you need a feature or a fix the distribution has not shipped, and accept that from then on you, not the package manager, are responsible for patching it.
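Because distribution packages carry backported fixes, the version number alone does not answer whether a host needs this upgrade. The following added example (not part of the original article) combines the two checks a practitioner would run before deciding: compare the `ssh -V` banner against the upstream release that fixed the issue, and search the package changelog for the CVE id. The banner and changelog text are constructed samples; the CVE id used as the search string is the real regreSSHion identifier, CVE-2024-6387, which upstream fixed in OpenSSH 9.8.

```shell
#!/bin/sh
# Added example (not from the original article): decide whether the packaged OpenSSH
# already carries a given fix. Distributions backport patches without bumping the
# upstream version, so "ssh -V" alone cannot tell you. Needs only sh, sed, grep and
# GNU sort -V. The banner and changelog below are CONSTRUCTED samples; the CVE id is
# the real regreSSHion one, used here only as a search string.

# "OpenSSH_9.2p1 Debian-2+deb12u3, OpenSSL 3.0.11 ..." -> "9.2"
ssh_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# True when version $1 is at least $2 (numeric comparison, so 9.10 > 9.8)
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# True when the package changelog on stdin names the CVE (case-insensitive)
changelog_fixes_cve() {
  grep -qi -- "$1"
}

# Return 0 (print "upgrade") when neither the upstream version nor the distro
# changelog shows the fix; return 1 (print why) when the host is already covered.
needs_upgrade() {
  banner=$1 min_version=$2 cve=$3 changelog=$4
  ver=$(ssh_version_from_banner "$banner")
  if [ -n "$ver" ] && version_ge "$ver" "$min_version"; then
    echo "current: upstream $ver >= $min_version"; return 1
  fi
  if printf '%s\n' "$changelog" | changelog_fixes_cve "$cve"; then
    echo "patched: distro changelog names $cve (backported fix)"; return 1
  fi
  echo "upgrade: ${ver:-unknown version} is below $min_version and no fix for $cve in changelog"
}

# CONSTRUCTED sample: a Debian 12 host whose package is old by version number but patched
SAMPLE_BANNER='OpenSSH_9.2p1 Debian-2+deb12u3, OpenSSL 3.0.11 19 Sep 2023'
SAMPLE_CHANGELOG='openssh (1:9.2p1-2+deb12u3) bookworm-security; urgency=high
  * Fix signal handler race condition (CVE-2024-6387, "regreSSHion")'
needs_upgrade "$SAMPLE_BANNER" 9.8 CVE-2024-6387 "$SAMPLE_CHANGELOG" || true
```

On a real host pass `"$(ssh -V 2>&1)"` as the banner (ssh prints its version on stderr) and the output of `rpm -q --changelog openssh-server` or `zcat /usr/share/doc/openssh-server/changelog.Debian.gz` as the changelog. A "patched" result is the normal outcome on a supported distribution and means the online path below is enough.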

Ubuntu/Debian#

# Update package index
sudo apt update
# Check for upgradable OpenSSH packages (optional; quote the glob so the shell does not expand it)
apt list --upgradable 'openssh-*'
# Upgrade OpenSSH client and server
sudo apt install --only-upgrade openssh-client openssh-server
# Restart the server: the Debian/Ubuntu unit is called ssh (sshd is only an alias); established sessions survive the restart
sudo systemctl restart ssh
# Verify service status, the listener, and the version now installed
sudo systemctl status ssh
sudo ss -tlnp 'sport = :22'
ssh -V

RHEL7/CentOS7#

# RHEL 7 and CentOS 7 reached end of life on 30 June 2024; without an extended-support subscription
# their repositories receive no further OpenSSH fixes, so treat this path as a stopgap
# Check for available updates
sudo yum check-update
# Upgrade OpenSSH components
sudo yum update openssh openssh-server openssh-clients
# Restart and verify the service; established sessions are not dropped (the unit uses KillMode=process)
sudo systemctl restart sshd
sudo systemctl status sshd
sudo ss -tlnp 'sport = :22'

RHEL8/CentOS8+/RockyLinux9+#

# Refresh repository metadata
sudo dnf makecache
# Upgrade SSH components
sudo dnf upgrade openssh openssh-server openssh-clients
# Restart rather than reload: a reload only sends SIGHUP to the running daemon, a restart is the unambiguous
# way to make sure the upgraded binary is the one accepting connections
sudo systemctl restart sshd
sudo systemctl status sshd
sudo ss -tlnp 'sport = :22'

2. Isolated Environment (Offline)#

Important Recommendations#

Recommended versions (as of September 2025):

  • OpenSSL: 3.x wherever the OS supports it. 1.1.1w is the final release of the 1.1.1 branch, which has had no public security updates since September 2023, so use it only where 3.x is not an option, and check the INSTALL file in the OpenSSH tarball for the oldest OpenSSL the release still builds against
  • OpenSSH: 10.0p1 or later

Download links are provided at the end of this article.

Pre-upgrade Preparation#

# Create a dedicated workspace with room for binary and library backups
mkdir -p /opt/ssh_upgrade/bin_backup /opt/ssh_upgrade/lib_backup && cd /opt/ssh_upgrade
# Back up the configuration and host keys (clients pin the host keys: losing them means host-key-changed
# warnings on every client) and the PAM stack
cp -a /etc/ssh /etc/ssh_backup_$(date +%F)
cp -a /etc/pam.d/sshd /etc/pam.d/sshd_backup
# Back up the service definition: removing the package deletes it as well
cp -a /etc/init.d/sshd /etc/init.d/sshd_backup 2>/dev/null                                    # SysV init hosts only
cp -a /usr/lib/systemd/system/sshd.service /etc/sysconfig/sshd /opt/ssh_upgrade/ 2>/dev/null  # RHEL family
cp -a /lib/systemd/system/ssh.service /opt/ssh_upgrade/ 2>/dev/null                           # Debian/Ubuntu
# Back up the current binaries and the package's helper directory so a rescue listener or a rollback
# is still possible once the package is gone
cp -a /usr/sbin/sshd /usr/bin/ssh /usr/bin/ssh-keygen /opt/ssh_upgrade/bin_backup/
cp -a /usr/libexec/openssh /opt/ssh_upgrade/bin_backup/libexec_openssh 2>/dev/null            # RHEL family
cp -a /usr/lib/openssh /opt/ssh_upgrade/bin_backup/lib_openssh 2>/dev/null                    # Debian/Ubuntu
cp -a /usr/bin/openssl /usr/bin/openssl_backup
# Back up the shared libraries sshd currently links against
ldd /usr/sbin/sshd | awk 'NF == 4 {print $3}' | xargs -I {} cp -a {} /opt/ssh_upgrade/lib_backup/
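The warning at the top of this section is about the window between removing the packaged OpenSSH and having a working build. The added example below (not part of the original article) keeps a way in during that window: it starts the backed-up distro sshd on a second port with the existing host keys, repairs what the package removal takes away from it, and tears it down afterwards. It assumes /usr/sbin/sshd and the package's helper directory (/usr/libexec/openssh on the RHEL family, /usr/lib/openssh on Debian/Ubuntu) were copied to /opt/ssh_upgrade/bin_backup as bin_backup/sshd, bin_backup/libexec_openssh and bin_backup/lib_openssh before removal; add that to your preparation step if your backup does not include them. Port 2222 and those paths are assumptions of this example, not something the article prescribes.

```shell
#!/bin/sh
# Added example, not part of the original article: a rescue listener for the window
# between "Uninstall Legacy OpenSSH Service" and a working source build. It runs the
# sshd binary copied to /opt/ssh_upgrade/bin_backup during preparation on a second
# port with the existing host keys. Port 2222 and the backup paths are assumptions
# of this example. rescue_sshd_config is pure; the other functions need root.

# Print a minimal sshd_config for the rescue daemon: the host keys already in $2 (so
# clients see no host-key-changed warning), key auth only, root denied, and no PAM
# (the rescue daemon must not depend on /etc/pam.d/sshd staying intact).
rescue_sshd_config() {
  port=$1 keydir=$2
  for k in "$keydir"/ssh_host_ed25519_key "$keydir"/ssh_host_rsa_key; do
    if [ -f "$k" ]; then printf 'HostKey %s\n' "$k"; fi
  done
  printf 'Port %s\nListenAddress 0.0.0.0\n' "$port"
  printf 'PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n'
  printf 'UsePAM no\nPidFile /run/sshd_rescue.pid\n'
}

# Start the rescue daemon from the backed-up binary. Run as root BEFORE the package
# is removed, then log in through the new port from another terminal and keep that
# session open until the upgraded sshd on port 22 has been verified.
start_rescue_sshd() {
  port=${1:-2222}
  bin=/opt/ssh_upgrade/bin_backup/sshd
  cfg=/opt/ssh_upgrade/sshd_rescue_config
  rescue_sshd_config "$port" /etc/ssh > "$cfg"
  "$bin" -t -f "$cfg" || return 1   # syntax check with the rescue config
  "$bin" -f "$cfg" || return 1      # sshd daemonizes itself (absolute path is required)
  if command -v firewall-cmd >/dev/null 2>&1; then firewall-cmd --add-port="$port"/tcp; fi
  if command -v ufw >/dev/null 2>&1; then ufw allow "$port"/tcp; fi
  ss -tlnp "sport = :$port"
}

# Run right after the package removal. The package owned two things the rescue daemon
# still needs for every NEW connection: the privilege-separation directory it chroots
# into (/var/empty/sshd on the RHEL family, /run/sshd on Debian/Ubuntu, which systemd
# removes when the unit stops) and, for packaged versions 9.8 and newer, the
# sshd-session helper it execs from the package's libexec directory. Both are put back
# from the copies taken in the preparation step.
after_package_removal() {
  for d in /var/empty/sshd /run/sshd; do
    if [ ! -d "$d" ]; then mkdir -p "$d" && chown root:root "$d" && chmod 711 "$d"; fi
  done
  if [ ! -d /usr/libexec/openssh ] && [ -d /opt/ssh_upgrade/bin_backup/libexec_openssh ]; then
    cp -a /opt/ssh_upgrade/bin_backup/libexec_openssh /usr/libexec/openssh
  fi
  if [ ! -d /usr/lib/openssh ] && [ -d /opt/ssh_upgrade/bin_backup/lib_openssh ]; then
    cp -a /opt/ssh_upgrade/bin_backup/lib_openssh /usr/lib/openssh
  fi
}

# Once port 22 serves the upgraded sshd, take the rescue daemon down and close its port.
stop_rescue_sshd() {
  port=${1:-2222}
  if [ -f /run/sshd_rescue.pid ]; then kill "$(cat /run/sshd_rescue.pid)"; fi
  if command -v firewall-cmd >/dev/null 2>&1; then firewall-cmd --remove-port="$port"/tcp; fi
  if command -v ufw >/dev/null 2>&1; then ufw delete allow "$port"/tcp; fi
}
```

Order of use: `start_rescue_sshd 2222` before the uninstall step, `after_package_removal` immediately after it, `stop_rescue_sshd 2222` once a fresh login on port 22 works. The rescue config allows keys only, so the account you will use must already have an authorized_keys entry. On an SELinux-enforcing host a daemon started from an interactive root shell runs unconfined; that is acceptable for a temporary listener, not for the final service.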

Uninstall Legacy OpenSSH Service#

# For yum-based systems. Run it once without -y first: removing the base openssh package can drag
# dependent packages along, and -y accepts that list blindly
yum -y remove openssh openssh-server openssh-clients openssh-askpass
# Alternative for RPM (--nodeps skips dependency checks, so packages that require openssh-clients are left
# with a dangling dependency)
rpm -e --nodeps openssh openssh-server openssh-clients
# For apt-based systems. Removal stops the listener but leaves your established session running.
# purge also deletes the conffiles AND the host keys under /etc/ssh, so only use it with the /etc/ssh
# backup in place; apt remove keeps them
apt purge -y openssh-server openssh-client

Install OpenSSL (Optional)#

Skip this step if the installed OpenSSL is new enough for the OpenSSH release you are building (compare openssl version with the minimum stated in the INSTALL file of the tarball). Note that OpenSSH links against libcrypto only, and the build needs the headers as well as the library: on an offline host make sure the openssl-devel (RHEL family) or libssl-dev (Debian/Ubuntu) package is installed, or build OpenSSL as below.

tar -zxvf openssl-3.2.4.tar.gz
cd openssl-3.2.4
# --libdir=lib keeps the libraries out of lib64 on 64-bit RHEL-family builds, so the rpath and the
# ld.so.conf path below stay correct
./config --prefix=/usr/local/openssl \
--openssldir=/usr/local/openssl \
--libdir=lib \
shared zlib -Wl,-rpath=/usr/local/openssl/lib
make -j$(nproc) && make install    # make install_sw skips the manual pages if time matters
# Point the openssl command at the new build (the original was backed up in the preparation step)
ln -sf /usr/local/openssl/bin/openssl /usr/bin/openssl
# /usr/include/openssl is normally a real directory; ln -sf would create the link INSIDE it, so move it aside first
[ -d /usr/include/openssl ] && [ ! -L /usr/include/openssl ] && mv /usr/include/openssl /usr/include/openssl_backup
ln -sfn /usr/local/openssl/include/openssl /usr/include/openssl
# Register the library directory. This makes the new libcrypto/libssl visible to every program that loads
# them by soname, not just sshd; to confine the change to sshd, skip these two lines and link sshd with an
# rpath instead (LDFLAGS="-Wl,-rpath,/usr/local/openssl/lib" at OpenSSH configure time)
echo "/usr/local/openssl/lib" > /etc/ld.so.conf.d/openssl.conf
ldconfig -v 2>/dev/null | grep -i openssl
# Verify version
openssl version -a

Install OpenSSH#

tar -zxvf openssh-10.0p1.tar.gz   # use the file name of the release you downloaded
cd openssh-10.0p1
# The privilege-separation user must exist; the distro package created it, so re-create it only if it is missing
id sshd >/dev/null 2>&1 || useradd -r -M -d /var/empty -s /sbin/nologin -c 'Privilege-separated SSH' sshd
# Configure with PAM and zlib support. LDFLAGS embeds the OpenSSL library path in the binaries so that
# sshd finds the new libcrypto even without a system-wide ld.so.conf entry
./configure --prefix=/usr \
--sysconfdir=/etc/ssh \
--with-ssl-dir=/usr/local/openssl \
--with-pam \
--with-zlib \
LDFLAGS="-Wl,-rpath,/usr/local/openssl/lib"
make -j$(nproc)
# make install keeps an existing sshd_config and host keys under /etc/ssh and only generates keys that are missing
make install
# On SELinux-enforcing hosts restore the file contexts of the new binaries (and consider --with-selinux
# above if libselinux-devel is installed)
restorecon -Rv /usr/sbin/sshd /usr/bin/ssh /usr/libexec 2>/dev/null
# Verify that sshd resolves libcrypto from /usr/local/openssl, then report the version
ldd /usr/sbin/sshd | grep libcrypto
ssh -V
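The ldd line above only helps if you know what to look for. The added example below (not part of the original article) reads ldd output and answers the one question that matters at this point: did the build link libcrypto from the OpenSSL you just built? OpenSSH links libcrypto only, never libssl. The ldd text in the block is a constructed sample; /usr/local/openssl/lib is the location this guide builds OpenSSL into.

```shell
#!/bin/sh
# Added example, not part of the original article. Reads ldd output and answers the
# question the "ldd /usr/sbin/sshd" step leaves open: did the build link libcrypto from
# the OpenSSL you built? OpenSSH links libcrypto only (never libssl). A "not found"
# result means the new sshd will not start at all; a path under /lib or /lib64 means it
# silently picked up the distro OpenSSL. The ldd text at the bottom is a CONSTRUCTED
# sample; /usr/local/openssl/lib is the location this guide builds OpenSSL into.

# Path a library resolved to, from ldd output on stdin; "not found" when unresolved;
# empty when the binary does not link it at all
linked_lib_path() {
  awk -v lib="$1" 'index($1, lib) == 1 && $2 == "=>" { print ($3 == "not" ? "not found" : $3); exit }'
}

# Returns 0 only if library $1 (ldd output on stdin) resolves to a path under directory $2
lib_from_prefix() {
  p=$(linked_lib_path "$1")
  case $p in
    "$2"/*) echo "ok:   $1 -> $p"; return 0 ;;
    *)      echo "FAIL: $1 -> ${p:-not linked at all}, expected a path under $2"; return 1 ;;
  esac
}

# Run this on the upgraded host. The RPATH/RUNPATH line shows whether the library path
# is embedded in the binary, which is what keeps the check passing without a global
# ld.so.conf entry.
check_sshd_links() {
  ldd /usr/sbin/sshd | lib_from_prefix libcrypto /usr/local/openssl/lib
  readelf -d /usr/sbin/sshd 2>/dev/null | grep -E 'RPATH|RUNPATH'
}

# CONSTRUCTED samples: the result you want, and the two failure modes
GOOD_LDD='	linux-vdso.so.1 (0x00007ffd0a1f0000)
	libcrypto.so.3 => /usr/local/openssl/lib/libcrypto.so.3 (0x00007f0100000000)
	libz.so.1 => /lib64/libz.so.1 (0x00007f0100300000)
	libpam.so.0 => /lib64/libpam.so.0 (0x00007f0100400000)'
DISTRO_LDD='	libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f0100000000)'
MISSING_LDD='	libcrypto.so.3 => not found'
printf '%s\n' "$GOOD_LDD" | lib_from_prefix libcrypto /usr/local/openssl/lib
printf '%s\n' "$DISTRO_LDD" | lib_from_prefix libcrypto /usr/local/openssl/lib || true
printf '%s\n' "$MISSING_LDD" | lib_from_prefix libcrypto /usr/local/openssl/lib || true
```

Run `check_sshd_links` after make install and before the service is touched: the "not found" case is the one that turns a restart into a lockout, because the old daemon is gone and the new one cannot load.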

Modify sshd Configuration#

vi /etc/ssh/sshd_config
# Make sure these directives are set. sshd uses the FIRST occurrence of a directive, so look for an
# earlier duplicate, and anything below a Match line applies conditionally only
Port 22
ListenAddress 0.0.0.0
PermitRootLogin prohibit-password
PasswordAuthentication yes
UsePAM yes
# The packaged config points "Subsystem sftp" at the distro path (/usr/libexec/openssh/sftp-server on the
# RHEL family, /usr/lib/openssh/sftp-server on Debian/Ubuntu), which the source install does not provide;
# change it to the new location or SFTP will fail even though logins work
Subsystem sftp /usr/libexec/sftp-server
# PasswordAuthentication yes is what makes SSH brute force worthwhile; set it to no once every account has a key
# Check the file with the new binary before touching the service
sshd -t

Start the Service#

# Removing the package also removed the systemd unit; put back the copy you saved before the removal
# (RHEL family: /usr/lib/systemd/system/sshd.service, Debian/Ubuntu: /lib/systemd/system/ssh.service) and reload systemd
cp -a /opt/ssh_upgrade/sshd.service /usr/lib/systemd/system/
systemctl daemon-reload
systemctl enable --now sshd
# Verify the service, then log in from a SECOND terminal before closing the session you are working in
systemctl status sshd
ss -tlnp 'sport = :22'
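The configuration step and the service start are where a mistake locks you out, and the source install changes two things the packaged setup relied on: the sftp-server path in sshd_config and the systemd unit that went away with the package. The added example below, not part of the original article, covers both steps: a pure audit of the config file as sshd will read it (first occurrence wins, keywords are case-insensitive, Match blocks are conditional), and a start routine that restores or writes a unit, runs `sshd -t` with the new binary, and only then enables the service. It assumes prefix=/usr (so /usr/sbin/sshd) and a unit copy at /opt/ssh_upgrade/sshd.service; both are assumptions of this example, and on Debian/Ubuntu the unit is ssh.service under /lib/systemd/system.

```shell
#!/bin/sh
# Added example, not part of the original article: audit the directives from the
# "Modify sshd Configuration" step and bring the service up for the "Start the
# Service" step. sshd_effective, sftp_subsystem_path and audit_sshd_config are pure
# and run anywhere; start_upgraded_sshd needs root on the upgraded host and assumes
# prefix=/usr (so /usr/sbin/sshd) and a unit copy at /opt/ssh_upgrade/sshd.service,
# both assumptions of this example (Debian/Ubuntu: ssh.service under /lib/systemd/system).

# Effective value of a directive from sshd_config text on stdin. sshd honours the
# FIRST occurrence, keywords are case-insensitive, and everything after a Match
# line is conditional, so it is not considered here. Prints nothing when unset.
sshd_effective() {
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*(#|$)/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == key { print $2; exit }'
}

# Path named by "Subsystem sftp ..." in the text on stdin (empty when absent)
sftp_subsystem_path() {
  awk 'tolower($1) == "subsystem" && tolower($2) == "sftp" { print $3; exit }'
}

# Compare the directives the article requires against a file. Mismatches print FAIL
# and make the function return 1; password authentication only prints WARN, because
# "yes" is what the article sets and "no" is the stronger setting once every account
# has a key. The sftp check matters after a source install: the distro package's
# sftp-server is gone and the new one lives at /usr/libexec/sftp-server, so SFTP
# breaks even though logins work.
audit_sshd_config() {
  cfg=$1 rc=0
  for want in 'Port=22' 'PermitRootLogin=prohibit-password' 'UsePAM=yes'; do
    key=${want%%=*} exp=${want#*=}
    got=$(sshd_effective "$key" < "$cfg")
    if [ "$got" != "$exp" ]; then
      echo "FAIL: $key is '${got:-unset}', expected '$exp'"; rc=1
    fi
  done
  pw=$(sshd_effective PasswordAuthentication < "$cfg")
  if [ "${pw:-yes}" = "yes" ]; then
    echo "WARN: PasswordAuthentication is ${pw:-unset (defaults to yes)}; set it to no once keys are deployed"
  fi
  sub=$(sftp_subsystem_path < "$cfg")
  if [ -n "$sub" ] && [ ! -x "$sub" ]; then
    echo "FAIL: Subsystem sftp points at $sub, which does not exist on this host"; rc=1
  fi
  return $rc
}

# Restore the unit removed with the package (or write a minimal one), validate the
# config with the NEW binary, start, and show the listener. Then log in from a
# second terminal before closing the session you are working in.
start_upgraded_sshd() {
  unit=/usr/lib/systemd/system/sshd.service
  if [ -f /opt/ssh_upgrade/sshd.service ]; then
    cp -a /opt/ssh_upgrade/sshd.service "$unit"
  elif [ ! -f "$unit" ]; then
    cat > "$unit" <<'EOF'
[Unit]
Description=OpenSSH server daemon (minimal unit written during source upgrade)
After=network.target

[Service]
ExecStart=/usr/sbin/sshd -D
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
  fi
  systemctl daemon-reload
  audit_sshd_config /etc/ssh/sshd_config || echo "review the findings above before continuing"
  /usr/sbin/sshd -t || { echo "the new sshd rejects /etc/ssh/sshd_config; fix it first"; return 1; }
  systemctl enable --now sshd
  ss -tlnp 'sport = :22'
}
```

`KillMode=process` in the written unit is the same setting the distro units use; it is what lets you restart the listener later without dropping the sessions it already spawned.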

🔗 Related Links

[1] Alibaba Cloud OpenSSH Mirror: https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable

[2] OpenSSL: https://www.openssl.org/source

https://fuwari.vercel.app/posts/bf5c26f0-e5a4-4794-8b2a-b0cc90961a51/
Author: Ryan Zhang
Published at: 2025-09-24
License: CC BY-NC-SA 4.0
This content has been translated with the assistance of AI tools, including ChatGPT, Gemini, and Qwen. While efforts have been made to ensure accuracy and clarity, minor discrepancies may exist. Please refer to the original text for authoritative interpretation if needed.