OpenSSH RCE (CVE-2024-6387): Risk Summary and Patch Guide

OpenSSH is the standard SSH implementation on most Linux servers. In 2024, a critical issue (CVE-2024-6387) was disclosed that can allow an unauthenticated attacker to achieve remote code execution in specific OpenSSH server configurations.

Because exposure is common (port 22 on the public internet), you should patch as soon as possible and reduce attack surface while you roll out updates.

Prerequisites

  1. Make sure you have working SSH access (and ideally a backup access path, like console access).
  2. Back up important configuration files (for example, /etc/ssh/sshd_config).
  3. Check your current OpenSSH version:
ssh -V

Update OpenSSH (recommended)

Option 1: Update via your package manager

For most Linux distributions, use the vendor packages. They often backport the security fix into the version already shipped, so ssh -V may keep reporting the same upstream version after the update; confirm the fix through the package version or changelog named in your vendor's advisory rather than through the version string alone.

Debian / Ubuntu

sudo apt update
sudo apt install openssh-server
ssh -V

CentOS / RHEL

sudo yum clean all
sudo yum makecache
sudo yum update openssh-server
ssh -V

Option 2: Build from source (only if necessary)

If your distribution does not provide a patched build quickly enough, you can compile a newer portable release. This is riskier on production systems: a build installed from source is not tracked by the package manager, so later vendor updates will not cover it and may conflict with it. Use maintenance windows and keep rollback plans.

# Build requirements (package names vary by distribution): a C compiler, make, and the zlib and OpenSSL development headers.
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
# Verify the detached signature (openssh-9.8p1.tar.gz.asc on the same mirror) before unpacking.
tar -xzf openssh-9.8p1.tar.gz
cd openssh-9.8p1
# The default prefix is /usr/local, which leaves the distribution's /usr/sbin/sshd in place and still running after the restart below; install over the distribution paths and keep the existing config directory instead.
./configure --prefix=/usr --sysconfdir=/etc/ssh
make
sudo make install
sudo systemctl restart sshd
ssh -V

Post-update checks

sudo systemctl status sshd

Test SSH login from a second terminal before closing your existing session.
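An added version check, not part of this guide, that serves both the prerequisite check (step 3 above) and this post-update check: it parses the banner that ssh -V prints and classifies it against the 9.8p1 fix release that this guide builds. The 8.5p1 lower bound is an assumption taken from the public upstream advisory rather than from this page, and vendor packages often backport the fix without changing the version string, so the package version lines it prints are what to compare against your vendor's advisory.

```sh
#!/bin/sh
# Added example: classify an OpenSSH version banner against the CVE-2024-6387
# fix release. FIXED_VERSION (9.8p1) is the release the guide builds;
# FIRST_AFFECTED is an assumption from the public upstream advisory, not
# from the guide. Confirm both against your vendor's advisory.
FIXED_VERSION="9.8p1"
FIRST_AFFECTED="8.5p1"

# Turn "major.minorpPATCH" (e.g. 9.6p1) into one integer for comparison.
ssh_version_key() {
    _major=${1%%.*}
    _rest=${1#*.}
    _minor=${_rest%%p*}
    _patch=${_rest#*p}
    echo $((_major * 10000 + _minor * 100 + _patch))
}

# Pull "X.YpZ" out of a banner such as the constructed
# "OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL 3.0.13 30 Jan 2024".
ssh_extract_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*p[0-9][0-9]*\).*/\1/p'
}

# Prints fixed | affected-range | outside-range | unknown. "affected-range"
# is judged by upstream version only: distribution packages often backport
# the fix without changing this string, so check the package version too.
classify_openssh() {
    _v=$(ssh_extract_version "$1")
    if [ -z "$_v" ]; then
        echo unknown
        return 1
    fi
    _k=$(ssh_version_key "$_v")
    if [ "$_k" -ge "$(ssh_version_key "$FIXED_VERSION")" ]; then
        echo fixed
    elif [ "$_k" -ge "$(ssh_version_key "$FIRST_AFFECTED")" ]; then
        echo affected-range
    else
        echo outside-range
    fi
}

# Live check of this host: ssh -V prints to stderr and reports the client,
# which normally matches the server package, so show that package too.
if [ "${1:-}" = "--check" ]; then
    _banner=$(ssh -V 2>&1)
    echo "ssh -V: $_banner -> $(classify_openssh "$_banner")"
    command -v dpkg-query >/dev/null 2>&1 && { dpkg-query -W -f='openssh-server ${Version}\n' openssh-server 2>/dev/null || true; }
    command -v rpm >/dev/null 2>&1 && { rpm -q openssh-server 2>/dev/null || true; }
fi
```

Run it with --check on the host before and after patching, or source it and call classify_openssh on a banner collected from elsewhere.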

AWS51

Certified cloud architect focused on AWS/Alibaba Cloud/GCP solutions and billing.