Stop patching the same SSH flaws yearly. Learn to audit OpenSSH, block SCP privilege escalation (CVE list), and build your own security scripts. Commands + book inside.
In April 2026, a Fedora 44 update (FEDORA-2026-93679cc7c2) fixed five OpenSSH flaws, including CVE-2026-35385 — a privilege escalation vector via the legacy SCP protocol. But this isn’t about one old bug. It’s about a pattern: legacy SSH features remain dangerous.
This guide shows you how to detect, patch, and automate against similar SSH CVEs — today, next month, or two years from now.
How to check if you are vulnerable (Fedora & RHEL commands)
Run these commands to see whether your OpenSSH still allows legacy SCP or weak algorithms:

# Check your OpenSSH version
ssh -V

# See if SCP legacy protocol is enabled (vulnerable if 'scp' uses old mode)
grep -i "scp" /etc/ssh/ssh_config /etc/ssh/ssh_config.d/*.conf

# Test for the specific CVE pattern (privilege escalation via SCP -r)
# "Sending file modes" only appears in legacy (non-SFTP) scp mode
scp -v localfile user@host:/tmp/ 2>&1 | grep "Sending file modes"

# List accepted public key algorithms (look for unsafe ECDSA)
# sshd -T prints the effective config and needs root; keywords come out lowercase
sudo sshd -T | grep -i pubkeyacceptedalgorithms
If your SSH version is older than OpenSSH 10.2p1 or you see ecdsa-sha2-nistp256 without restrictions, you’re likely exposed.
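The checks above can be scripted so the same audit runs on every host and produces a list of findings instead of output you read by eye. The script below is an added example, not code from the original post: it parses the `ssh -V` banner and a `sshd -T` dump, reports a version older than the post's 10.2 threshold, lists any accepted public-key algorithm outside the allow-list used by the post's hardening script (certificate variants are judged by their base algorithm), and reports an sftp subsystem that is not internal-sftp. The banner and dump at the bottom are constructed samples, not captures from a real host; the function names (`audit_host`, `weak_pubkey_algos` and friends) are this example's own.

```shell
#!/bin/sh
# ssh_audit.sh: added example, not code from the original post.
# Parses `ssh -V` and `sshd -T` output and reports the conditions the post flags.

MIN_VERSION="10.2"   # threshold taken from the post; raise it as new advisories land
# Allow-list matching the post's hardening script
STRONG_PUBKEY_ALGOS="ssh-ed25519 rsa-sha2-512 rsa-sha2-256"

# "OpenSSH_9.3p1, OpenSSL 3.0.9 ..." -> "9.3"
ssh_version_number() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Returns 0 when major.minor $1 is older than major.minor $2
version_older_than() {
    a_major=${1%%.*}; a_minor=${1#*.}; b_major=${2%%.*}; b_minor=${2#*.}
    if [ "$a_major" -lt "$b_major" ]; then return 0; fi
    if [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ]; then return 0; fi
    return 1
}

# Reads a `sshd -T` dump on stdin; prints one accepted pubkey algorithm per line
# that is not on the allow-list (a -cert-v01@openssh.com variant is judged by its base)
weak_pubkey_algos() {
    line=$(grep -i '^pubkeyacceptedalgorithms ' | head -n 1)
    printf '%s\n' "${line#* }" | tr ',' '\n' | while IFS= read -r algo; do
        [ -n "$algo" ] || continue
        base=${algo%-cert-v01@openssh.com}
        ok=0
        for s in $STRONG_PUBKEY_ALGOS; do
            if [ "$base" = "$s" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then printf '%s\n' "$algo"; fi
    done
    return 0
}

# Reads a `sshd -T` dump on stdin and prints one FINDING line per problem
audit_sshd_dump() {
    dump=$(cat)
    printf '%s\n' "$dump" | weak_pubkey_algos | while IFS= read -r algo; do
        printf 'FINDING: weak public-key algorithm accepted: %s\n' "$algo"
    done
    if ! printf '%s\n' "$dump" | grep -qi '^subsystem sftp internal-sftp'; then
        printf 'FINDING: sftp subsystem is not internal-sftp\n'
    fi
    return 0
}

# $1 = `ssh -V` banner, $2 = `sshd -T` dump; prints all findings (nothing when clean)
audit_host() {
    ver=$(ssh_version_number "$1")
    if [ -z "$ver" ]; then
        printf 'FINDING: unrecognised version banner: %s\n' "$1"
    elif version_older_than "$ver" "$MIN_VERSION"; then
        printf 'FINDING: OpenSSH %s is older than %s\n' "$ver" "$MIN_VERSION"
    fi
    printf '%s\n' "$2" | audit_sshd_dump
}

# Constructed sample output (not captured from a real host) for trying the functions offline
SAMPLE_BANNER="OpenSSH_9.3p1, OpenSSL 3.0.9 30 May 2023"
SAMPLE_DUMP="port 22
pubkeyacceptedalgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ssh-ed25519,rsa-sha2-512
subsystem sftp /usr/libexec/openssh/sftp-server
forcecommand none"

# Live audit of this host (sshd -T needs root); only runs when invoked as ssh_audit.sh
audit_local_host() {
    audit_host "$(ssh -V 2>&1)" "$(sshd -T 2>/dev/null)"
}
case "$0" in *ssh_audit.sh) audit_local_host ;; esac
```

Run `sudo sh ssh_audit.sh` on a host for a live report, or source the file and call `audit_host "$SAMPLE_BANNER" "$SAMPLE_DUMP"` to see the three findings the constructed sample triggers (old version, ecdsa-sha2-nistp256 accepted, external sftp-server).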
Automation script to apply the fix (bash – works on Fedora, Debian, Ubuntu, RHEL)
Save this as ssh-cve-fix.sh and run as root.
#!/bin/bash
# Evergreen SSH Hardening Script – Blocks legacy SCP, weak algos, unsafe ProxyJump
# Run: chmod +x ssh-cve-fix.sh && sudo ./ssh-cve-fix.sh
set -e
[ "$(id -u)" -eq 0 ] || { echo "Run as root"; exit 1; }

# Detect distro (package names differ: openssh-clients on Fedora/RHEL, openssh-client on Debian/Ubuntu)
echo "[+] Updating OpenSSH to latest version"
if command -v dnf > /dev/null 2>&1; then
    dnf upgrade -y openssh-server openssh-clients
elif command -v apt-get > /dev/null 2>&1; then
    apt-get update
    apt-get install -y --only-upgrade openssh-server openssh-client
else
    echo "Unsupported package manager"
    exit 1
fi

CONF=/etc/ssh/sshd_config
DROPIN=/etc/ssh/sshd_config.d/00-hardening.conf
cp -a "$CONF" "$CONF.bak.$(date +%Y%m%d%H%M%S)"

echo "[+] Disabling SCP legacy protocol (mitigates CVE-2026-35385 pattern)"
# Serve SFTP in-process. scp has used SFTP by default since OpenSSH 9.0, so the
# legacy protocol is only reachable with 'scp -O'; sshd has no switch for it, and
# blocking it outright needs ForceCommand internal-sftp (see Option C below).
sed -i 's|^#\?Subsystem[[:space:]]\+sftp.*|Subsystem sftp internal-sftp|' "$CONF"
grep -q '^Subsystem sftp internal-sftp' "$CONF" || echo "Subsystem sftp internal-sftp" >> "$CONF"

echo "[+] Forcing strong key algorithms (blocks ECDSA info leaks)"
# sshd keeps the FIRST value it sees for a keyword. Fedora/RHEL and recent
# Debian/Ubuntu include sshd_config.d/*.conf at the top of sshd_config, so a
# drop-in that sorts first wins; lines appended to the end are silently ignored.
ALGOS="PubkeyAcceptedAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
HostbasedAcceptedAlgorithms ssh-ed25519,rsa-sha2-512"
if grep -q '^Include /etc/ssh/sshd_config.d/' "$CONF"; then
    printf '%s\n' "$ALGOS" > "$DROPIN"
elif ! grep -q '^PubkeyAcceptedAlgorithms' "$CONF"; then
    # No Include support: put the lines at the top so they take precedence
    { printf '%s\n' "$ALGOS"; cat "$CONF"; } > "$CONF.tmp" && cat "$CONF.tmp" > "$CONF" && rm -f "$CONF.tmp"
fi

echo "[+] Validating config and restarting SSH"
sshd -t
systemctl restart sshd 2>/dev/null || systemctl restart ssh
echo "[✓] SSH hardening complete. Verify with: sshd -T | grep -i acceptedalgorithms"
Run it:
sudo bash ssh-cve-fix.sh
Why this script works long-term: It disables legacy protocols (SCP) and weak algorithms — not just for one CVE, but for any future bug in those components.
Alternative mitigation if you can’t update now
No reboot? No package update allowed? Use these live workarounds.
Option A: iptables (block SCP port 22 abuse)
# Limit SSH connections to prevent brute + SCP flooding
# (per-source rate limit: the 4th new connection from one address within 60 s is dropped)
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
Option B: AppArmor (confine SSH processes)
# Enforce SSH profile (requires /etc/apparmor.d/usr.sbin.sshd to exist)
sudo aa-enforce /etc/apparmor.d/usr.sbin.sshd

# Create custom rule to block legacy SCP: deny executing the scp binary from
# processes still confined by the sshd profile (a shell spawned unconfined is not covered)
echo "deny /usr/bin/scp x," | sudo tee -a /etc/apparmor.d/local/usr.sbin.sshd

# Reload the profile so the local override takes effect
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.sshd
Option C: SSH config per-user (disable SCP)
# In /etc/ssh/sshd_config. A Match block extends to the next Match, so put it at the
# end of the file. 'User *' covers every account and removes interactive shells for
# all of them; narrow it to a specific user or group for a per-user restriction.
Match User *
    ForceCommand internal-sftp
The only tool that solves ALL CVEs (not just this one)
Patching today’s SSH bug feels good. But next month there’s a new sshd bypass, a sudo quirk, or a kernel privesc.
You need to build your own security tools – not wait for Fedora or Red Hat.
That’s exactly what Practical Binary Analysis teaches. This book shows you how to write Linux binary instrumentation tools, disassemble live SSH processes, and detect vulnerabilities before they ship.
👉 Get Practical Binary Analysis on Amazon
One script fixes a CVE. This book fixes every CVE you’ve never seen.
Affiliate disclosure: As an Amazon Associate, I earn from qualifying purchases. This helps me keep writing in-depth security guides – at no extra cost to you.
Conclusion
Stop reacting to CVEs. Start automating your security.