Linux – SSH version RHL 7.7


I have received a pentest report, and one thing that I need to upgrade is the OpenSSH and OpenSSL on my Red Hat Linux 7.7 server. In the report it's mentioned that the version of SSH is:

ssh -v
OpenSSH_6.1p1, OpenSSL 1.0.1q 3 Dec 2015

When I check like:

sshd -V

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

or

yum list installed openssh\*

Loaded plugins: product-id, rhnplugin, search-disabled-repos, subscription-manager
This system is receiving updates from RHN Classic or Red Hat Satellite.
Installed Packages
openssh.x86_64            7.4p1-21.el7    @prd-rhel-7
openssh-clients.x86_64    7.4p1-21.el7    @prd-rhel-7
openssh-server.x86_64     7.4p1-21.el7    @prd-rhel-7

So I'm a little bit confused about which is actually the version of OpenSSH on my server.

Can someone maybe explain to me which is my version, the one returned by ssh -v or the one returned by sshd -v?

Thank you!

Best Answer

On a sample RHEL 7.7 host I checked, ssh -V and sshd -V both return the same version, OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017.

If, when you run ssh -V on the target server, you get differing results, then I would say either you have additional SSH binaries in your path (which ssh will show you where they are) or someone has replaced the original client binaries (rpm -V openssh-clients will show you if the files don't tally with what the RPM database thinks they should be).

Otherwise I would ask for clarification as to how the version of SSH has been ascertained.
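
The checks described in this answer, gathered into one script as an added example (not part of the original answer): it lists every ssh executable on a PATH with its version banner, the RPM package that owns it, and whether that package still verifies. The function names are made up for illustration.

```shell
#!/bin/sh
# Added example; list_ssh_binaries, rpm_status and audit_ssh are
# hypothetical helper names, not part of any package.

# list_ssh_binaries PATHSTRING
# Prints "path<TAB>version banner" for every executable named ssh on the
# given PATH, in lookup order (the first line is what a bare "ssh" runs).
list_ssh_binaries() (
    IFS=:
    set -f                      # do not glob-expand PATH entries
    for dir in $1; do
        bin="${dir:-.}/ssh"     # an empty PATH entry means the current dir
        [ -f "$bin" ] && [ -x "$bin" ] || continue
        version=$("$bin" -V 2>&1 | head -n 1)   # ssh -V writes to stderr
        printf '%s\t%s\n' "$bin" "$version"
    done
)

# rpm_status FILE
# Prints the owning package and whether it still matches the RPM database;
# "unowned" means no installed package provides this file.
rpm_status() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 0; }
    if pkg=$(rpm -qf "$1" 2>/dev/null); then
        if rpm -V "$pkg" >/dev/null 2>&1; then
            echo "$pkg (rpm -V: clean)"
        else
            echo "$pkg (rpm -V: differences reported)"
        fi
    else
        echo "unowned"
    fi
}

# audit_ssh PATHSTRING
# Full report. Exit status: 0 if every binary reports the same version,
# 1 if the versions differ, 2 if no ssh binary was found.
audit_ssh() (
    report=$(list_ssh_binaries "$1")
    [ -n "$report" ] || { echo "no ssh binary found"; exit 2; }
    tab=$(printf '\t')
    printf '%s\n' "$report" | while IFS="$tab" read -r bin version; do
        printf '%s\n  version: %s\n  package: %s\n' \
            "$bin" "$version" "$(rpm_status "$bin")"
    done
    distinct=$(printf '%s\n' "$report" | cut -f2 | sort -u | wc -l | tr -d ' ')
    [ "$distinct" -le 1 ]
)
```

Source the file on the server and run `audit_ssh "$PATH"`; an entry reported as unowned, or a non-zero exit status, points at the extra or replaced binary the answer mentions.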