How to Update OpenSSH on Ubuntu to Patch Vulnerabilities

Keeping your OpenSSH packages updated is critical for securing your Ubuntu Linux server against remote code execution and unauthorized access vulnerabilities. This guide provides a straightforward, step-by-step walkthrough on how to update the OpenSSH server and client packages to their latest patched versions using the standard Ubuntu Advanced Package Tool (APT).

Step 1: Update the Package Repository Index

Before upgrading any packages, you must update your local package index to ensure your system is aware of the latest available security patches. Open your terminal and run the following command:

sudo apt update

Step 2: Upgrade OpenSSH Packages

To minimize system changes, you can choose to upgrade only the OpenSSH server and client packages rather than upgrading the entire operating system. Execute the following command to target OpenSSH specifically:

sudo apt install --only-upgrade openssh-server openssh-client

If you prefer to apply all pending security updates on your system (which is highly recommended for overall security), run:

sudo apt upgrade

Step 3: Verify the Installed OpenSSH Version

After the upgrade process completes, verify that OpenSSH has been updated successfully. Check the installed version of the SSH client using:

ssh -V

To verify the specific Debian/Ubuntu package release version and ensure the security patch is applied, run:

apt policy openssh-server

Compare the installed version number against the Ubuntu Security Notices (USN) for your specific Ubuntu release to confirm the vulnerability has been patched.

Step 4: Restart the SSH Service

The package manager usually restarts the SSH daemon automatically during the upgrade. However, you can manually restart the service to ensure the new binary is actively running:

sudo systemctl restart ssh

Your active SSH connections will not be terminated by restarting the service, but it is always best practice to keep your current terminal session open while testing a new connection in a separate window to confirm everything works as expected.