Scenario:

You have scanned your servers using Qualys, and it identified the following vulnerability on a CentOS (Linux) server:

"OpenSSH Username Enumeration Vulnerability (CVE-2018-15473)
OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
Customers are advised to upgrade to OpenSSH 7.8 (https://www.openbsd.org/) or later versions to remediate this vulnerability."

Solution:

Though the Qualys solution text suggests installing OpenSSH 7.8 or above, this is a false-positive alert raised by Qualys if the following OpenSSH package version is running on your CentOS server:

$ rpm -q openssh
openssh-7.4p1-21.el7.x86_64

This is confirmed by Red Hat at https://access.redhat.com/solutions/3830361
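Enterprise distributions backport security fixes without bumping the upstream version, so a finding keyed on the version string alone cannot tell a patched 7.4p1 package from an unpatched one. The script below is an added example, not part of the original post: it parses the version out of an `rpm -q openssh` or `ssh -V` style string, flags anything below 7.8 the way a banner-based check would, and then looks for the CVE id in the package changelog; the changelog text is a constructed sample, and on a real host you would feed it the output of `rpm -q --changelog openssh`.

```shell
#!/bin/sh
# Added example, not from the original post: tell a scanner hit that keys
# on the OpenSSH version string apart from a build that really lacks the
# fix by also checking the package changelog for the CVE id.
# SAMPLE_CHANGELOG is a CONSTRUCTED stand-in for: rpm -q --changelog openssh

SAMPLE_CHANGELOG='* constructed sample entry - 7.4p1-21
- constructed: fix for CVE-2018-15473 (user enumeration), backported
- constructed: unrelated bug fix'

# Print "major.minor" from "openssh-7.4p1-21.el7.x86_64" (rpm -q) or
# "OpenSSH_8.0p1, OpenSSL 1.0.2k-fips 26 Jan 2017" (ssh -V); print nothing
# if no OpenSSH version is present.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*[Oo]pen[Ss][Ss][Hh][-_ ]\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit 0 when the upstream version is below 7.8, which is all a banner-
# based check for CVE-2018-15473 can see; exit 1 otherwise.
version_flagged_by_banner() {
    v=$(openssh_version "$1")
    if [ -z "$v" ]; then return 1; fi
    major=${v%%.*}; minor=${v#*.}
    if [ "$major" -lt 7 ]; then return 0; fi
    if [ "$major" -eq 7 ] && [ "$minor" -lt 8 ]; then return 0; fi
    return 1
}

# Exit 0 when the package changelog records the given CVE id.
cve_in_changelog() {
    if printf '%s\n' "$1" | grep -qF -- "$2"; then return 0; fi
    return 1
}

# Verdict for one package string / CVE id / changelog triple.
classify() {
    pkg=$1; cve=$2; changelog=$3
    if [ -z "$(openssh_version "$pkg")" ]; then
        echo "unknown: no OpenSSH version in '$pkg'"
    elif ! version_flagged_by_banner "$pkg"; then
        echo "fixed-upstream"
    elif cve_in_changelog "$changelog" "$cve"; then
        echo "false-positive: fix backported in package"
    else
        echo "vulnerable"
    fi
}

classify 'openssh-7.4p1-21.el7.x86_64' CVE-2018-15473 "$SAMPLE_CHANGELOG"
```

The last line runs the check for the package version quoted above; replace the third argument with real `rpm -q --changelog openssh` output to check a live host.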

But if you want to update OpenSSH to version 8.0 anyway, follow these steps:

# Download and unpack OpenSSH 8.0
wget -c https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
tar -xzf openssh-8.0p1.tar.gz
cd openssh-8.0p1/

## Install PAM and SELinux Headers ##
sudo yum install pam-devel libselinux-devel --yes

## Compile and Install SSH from Sources ##
./configure --with-md5-passwords --with-pam --with-selinux --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh
make
sudo make install

NOTE: You may observe the following errors during the build:

error: *** working libcrypto not found, check config.log
fix: Install the openssl-devel.x86_64 package

sudo yum install openssl-devel.x86_64

error: configure: error: no acceptable C compiler found in $PATH
fix: Install the gcc package

sudo yum install gcc

Once you have installed OpenSSH, restart SSH or open another terminal window and check the version of OpenSSH now installed on your system:

$ ssh -V

OpenSSH_8.0p1, OpenSSL 1.0.2k-fips 26 Jan 2017

Reference: If you want to install OpenSSH for the first time, follow this guide:

How to Install OpenSSH 8.0 Server from Source in Linux