mismatch in openssh latest rpm available at centos


Hello Group,

The latest rpm in openssh is 5.8; however, the corresponding latest rpm available in CentOS 5.7 is only openssh-4.3p2-72.el5_6.3.x86_64.rpm and in CentOS 6.0 is openssh-5.3p1-20.el6.x86_64.rpm.

I have the following questions.

1. I want to start from src.rpm; where can I get the src.rpm for openssh-5.3p1-20.el6.x86_64.rpm?

2. Can I install openssh-5.3p1-20.el6.x86_64.rpm SAFELY with CentOS 5.7 without causing any problems?

3. Which of these two rpms will be most compatible with the latest OpenSSH rpm version 5.8?

Please let me know. It is important for my work.

Any help will be greatly appreciated.

4 thoughts on - mismatch in openssh latest rpm available at centos

  • You may want to read about how Red Hat and thus CentOS handles package
    versions with regard to security patches, etc… There is information
    here:
    https://access.redhat.com/security/updates/backporting/

    As for obtaining the most recent version of openssh for other reasons
    (such as features), it is strongly recommended not to compile your
    own, and instead to install the package from another publicly accepted
    repository, such as EPEL or RepoForge. Any packages on there have
    already been compiled and tested to work with your version of CentOS.
    I would avoid installing the C6 version of openssh on C5, and instead
    make sure to get the proper package meant for C5.

    ❧ Brian Mathis

  • If you rebuild it, if it rebuilds, and if you rebuild anything that
    depends on the old one, then yes. It may not build without newer
    “buildrequires” being met though. And now, every time there is an
    upgrade, you have to remember to get the new one and rebuild again. You
    also have to track any changes of the new “buildrequires” that you had
    to build.

    They are all compatible … I don’t think any is more compatible than
    another.

    Unless you are going to look at the CVE website every day for ssh
    vulnerabilities and roll in patches or get new code from openssh
    directly for every one, then you want to stay with what is in the distro.

    Red Hat uses backporting for security issues:

    https://access.redhat.com/security/updates/backporting/

    If you rebuild a new ssh, you will also have to rebuild any packages
    that are built against the old openssh against the new openssh.

    If you are concerned about security … that is the whole purpose of
    enterprise linux … it backports security patches for 10 years while
    maintaining consistent APIs/ABIs.

    If you want the latest packages on your machine, then you want Fedora
    and not CentOS.
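
Both replies above point to Red Hat's backporting policy, under which the upstream version number in a package name says little about which security fixes it carries. As an added example (not part of the thread), this shell function reads the output of `rpm -q --changelog openssh` and lists each CVE id next to the package release whose changelog entry mentions it; the sample changelog, its older release string and its CVE ids are constructed placeholders.

```shell
#!/bin/sh
# Added example: map CVE ids in an RPM changelog to the release that fixed them.
# Real use on a CentOS host:
#   rpm -q --changelog openssh | cve_by_release
#   rpm -q --changelog openssh | cve_fixed CVE-XXXX-NNNN && echo "backported"

# Print "<version-release> <CVE-id>" for every CVE mentioned in the changelog
# text on stdin. Entry headers start with "* " and end with the version-release.
cve_by_release() {
    awk '
        /^\* / { rel = $NF; next }   # header line: last field is version-release
        {
            line = $0
            # a changelog line may name several CVEs; report each one
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                print rel, substr(line, RSTART, RLENGTH)
                line = substr(line, RSTART + RLENGTH)
            }
        }'
}

# Exit 0 if the CVE id given as $1 appears in the changelog on stdin, else 1.
cve_fixed() {
    cve_by_release | awk -v id="$1" '$2 == id { found = 1 } END { exit !found }'
}

# Constructed sample in rpm changelog layout. The CVE ids are placeholders and
# the second release string is invented; only the first release is from the thread.
SAMPLE_CHANGELOG='* Mon Jan 03 2011 Example Packager <packager@example.com> - 4.3p2-72.el5_6.3
- backport fix for CVE-0000-0002 (constructed id)

* Fri Jan 01 2010 Example Packager <packager@example.com> - 4.3p2-41.el5
- fix CVE-0000-0001 and CVE-0000-0003 (constructed ids)
- unrelated bug fix'

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_by_release
```
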

  • Johnny Hughes wrote:

    Well… I can see it. We had to build a newer package for 5.x, because we
    *had* to have PIV-II/pkcs11 support. That’s *just* come in with 6.2, to be
    able to log in with a smart card. Even so, there’s a bug/enhancement (and
    my manager has this in w/ Red Hat, and it’s been escalated) needed, that it
    insists on showing the userlist of recent logins.

    mark

  • I think when substituting core packages it’s better to root the substitutes in /usr/local, use tagged init scripts and employ the ‘alternatives’ feature instead of trying to replace the core packages, their dependencies and dependents.

    Then both can be installed and the operator can switch from one to the other as necessary.

    -Ross
