Scenario:
You have scanned your servers with Qualys. It reported the following vulnerability on a CentOS 7 (Linux) server:
"OpenSSH Username Enumeration Vulnerability (CVE-2018-15473) OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. Customers are advised to upgrade to OpenSSH 7.8 (https://www.openbsd.org/) or later versions to remediate this vulnerability."
Solution:
Although the scanner's recommended fix is to install OpenSSH 7.8 or later, this is a false positive when the CentOS 7 server runs the following OpenSSH package. Qualys keys on the upstream version string (7.4p1), but Red Hat backported the fix for CVE-2018-15473 into this package without bumping that version, and the package changelog records the CVE:
$ rpm -q openssh
openssh-7.4p1-21.el7.x86_64
Red Hat confirms this in its knowledge base: https://access.redhat.com/solutions/3830361
If you nevertheless want to upgrade OpenSSH to 8.0 (for example so that the scanner's version check passes), follow these steps. Keep in mind that a source build is no longer covered by yum security updates, so you take on tracking future OpenSSH releases yourself.
# Download and unpack OpenSSH 8.0 (verify the tarball against the detached .asc signature published next to it before building)
wget -c https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
tar -xzf openssh-8.0p1.tar.gz
cd openssh-8.0p1/
## Install PAM and SELinux headers ##
sudo yum install pam-devel libselinux-devel --yes
## Compile and install OpenSSH from source ##
./configure --with-md5-passwords --with-pam --with-selinux --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh
make
sudo make install
NOTE: You may see the following errors; both are raised by './configure' (before 'make' runs), and each is a missing build dependency:
error: *** working libcrypto not found, check config.log
fix: install the openssl-devel package
sudo yum install openssl-devel.x86_64
error: configure: error: no acceptable C compiler found in $PATH
fix: install the gcc package
sudo yum install gcc
Once the build is installed, check the version in a new terminal window (keep your existing session open until you have confirmed the new daemon accepts logins, so a misconfiguration cannot lock you out). Note that the configure line above sets no --prefix, so the new binaries land under /usr/local (/usr/local/bin/ssh and /usr/local/sbin/sshd) while the CentOS package's /usr/sbin/sshd, which the sshd.service unit starts, is untouched: 'ssh -V' reports 8.0 because /usr/local/bin precedes /usr/bin in the default PATH, but the scanner will keep seeing the old daemon's banner until the service is pointed at the new sshd. Validate the new daemon's configuration with 'sshd -t' and bring it up on a second port before switching the service over.
$ ssh -V
OpenSSH_8.0p1, OpenSSL 1.0.2k-fips 26 Jan 2017
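The two checks this page relies on, whether the flagged 7.4p1 package actually carries the backported fix and what the host reports after the upgrade, can be scripted so they are not done by eye. The POSIX shell example below is added here and is not from the original post or from Red Hat or Qualys: it separates a version-only verdict (what the scanner produces: anything below 7.8 is flagged) from a backport check that looks for the CVE identifier in the RPM changelog (rpm -q --changelog openssh). The banner strings and the changelog text it runs against are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example: decide whether an OpenSSH install is really affected by
# CVE-2018-15473. A version-only check (what the scanner does) flags anything
# below 7.8; an RPM whose changelog records the CVE carries a backported fix
# even though its version string still says 7.4p1.

CVE="CVE-2018-15473"

# Extract "7.4p1", "8.0p1" or "7.4" from an "ssh -V" line or an SSH-2.0 banner.
# Prints nothing when the text does not come from OpenSSH.
version_from_banner() {
    printf '%s\n' "$1" | grep -o 'OpenSSH_[0-9][0-9.]*p*[0-9]*' | head -n 1 | sed 's/^OpenSSH_//'
}

# True (exit 0) when the upstream version is 7.7 or older, i.e. the scanner's view.
upstream_version_vulnerable() {
    v=${1%%p*}            # drop the portable suffix: 7.4p1 -> 7.4
    major=${v%%.*}
    minor=${v#*.}
    [ -n "$major" ] || return 2   # unparsable input
    if [ "$major" -lt 7 ]; then return 0; fi
    if [ "$major" -eq 7 ] && [ "$minor" -lt 8 ]; then return 0; fi
    return 1
}

# True (exit 0) when the package changelog mentions the CVE: the backport marker.
changelog_has_fix() {
    printf '%s\n' "$1" | grep -qi "$2"
}

# Combine both views. Prints one of:
#   vulnerable | patched-by-backport | fixed-upstream | unknown
classify() {
    ver=$(version_from_banner "$1")
    if [ -z "$ver" ]; then echo unknown; return; fi
    if upstream_version_vulnerable "$ver"; then
        if changelog_has_fix "$2" "$CVE"; then echo patched-by-backport; else echo vulnerable; fi
    else
        echo fixed-upstream
    fi
}

# Live check for the host this runs on; needs rpm and ssh, otherwise reports unknown.
check_local_host() {
    command -v rpm >/dev/null 2>&1 && command -v ssh >/dev/null 2>&1 || { echo unknown; return; }
    classify "$(ssh -V 2>&1)" "$(rpm -q --changelog openssh 2>/dev/null)"
}

# Constructed samples (not real output), shaped like the page's "ssh -V" and
# rpm changelog lines; the maintainer address is a placeholder.
CENTOS_BANNER='OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017'
UPGRADED_BANNER='OpenSSH_8.0p1, OpenSSL 1.0.2k-fips  26 Jan 2017'
SAMPLE_CHANGELOG='* Mon Jan 07 2019 Packager <packager@example.com> - 7.4p1-21
- fix for CVE-2018-15473 username enumeration (backported)
* Tue Oct 09 2018 Packager <packager@example.com> - 7.4p1-20
- unrelated bug fix'

echo "CentOS package, CVE in changelog : $(classify "$CENTOS_BANNER" "$SAMPLE_CHANGELOG")"
echo "CentOS package, no changelog     : $(classify "$CENTOS_BANNER" "")"
echo "source-built 8.0p1               : $(classify "$UPGRADED_BANNER" "")"
```

On the CentOS host from the page, check_local_host prints patched-by-backport for the stock package; after the source build it prints fixed-upstream, but only because /usr/local/bin/ssh is first in PATH, so pair it with a banner grab from the sshd port you actually expose before closing the scanner finding.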
Reference: If you want to install OpenSSH for the first time, follow this –