Ah, ok.. what version of centos are you using?
Both Centos 6 and 7 will have patched versions of openssh.. so you're fine w/ the vuln scanning.
Example.. I'm running centos 6 on a machine:
Code:
root@kp1 [~]# rpm -q openssh
openssh-5.3p1-123.el6_9.x86_64
There, we have openssh v. 5.3p1, but patch level 123.
You can look through the updates on it by using the rpm command:
Code:
root@kp1 [~]# rpm -qa --changelog openssh|less
(hit q to quit)
You'll see things like:
Code:
* Thu Aug 03 2017 Jakub Jelen <[email protected]> - 5.3p1-123
- Fix for CVE-2016-6210: User enumeration via covert timing channel (#1357442)
* Mon Dec 19 2016 Jakub Jelen <[email protected]> - 5.3p1-122
- Allow to use ibmca crypto hardware (#1397547)
- CVE-2015-8325: privilege escalation via user's PAM environment and UseLogin=yes (1405374)
* Thu Dec 15 2016 Jakub Jelen <[email protected]> - 5.3p1-121
- Fix missing hmac-md5-96 from server offer (#1373836)
* Wed Nov 02 2016 Jakub Jelen <[email protected]> - 5.3p1-120
- Prevent infinite loop when Ctrl+Z pressed at password prompt (#1218424)
- Remove RC4 cipher and MD5 based MAC from the default client proposal (#1373836)
which shows various CVE numbers that the software is patched for... is there a particular CVE they're complaining about?
Be assured, your openssh version is patched well for most companies' scanning departments. I worked at a "large cable company" and was able to prove to them we were fine by pasting the output of the changelog in their tickets, etc..
These versions are patched for stability.. so prod servers work flawlessly without introducing new possible bugs in newer, less tested versions.
Tell them in the ticket that you have the "latest, patched, stable version from the vendor" and ask them which CVE they're referencing.. then paste the proof from the changelog.
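The check described in this post, turned into a small script as an added example (not the poster's code): it parses `rpm -q --changelog` output, maps each CVE id to the package release that mentions it, and pulls out the header plus change line you would paste into the scanner's ticket. The sample changelog is constructed from the releases quoted above, with a placeholder maintainer address.

```python
import re
from typing import Dict, List, Optional

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
HEADER_RE = re.compile(r"^\* (?P<date>\w{3} \w{3} \d{2} \d{4}) (?P<author>.+?) - (?P<release>\S+)$")

# Constructed sample shaped like `rpm -q --changelog openssh` on CentOS 6, reusing
# the releases and CVE lines quoted in the post; the e-mail address is a placeholder.
SAMPLE_CHANGELOG = """\
* Thu Aug 03 2017 Jakub Jelen <maintainer@example.invalid> - 5.3p1-123
- Fix for CVE-2016-6210: User enumeration via covert timing channel (#1357442)
* Mon Dec 19 2016 Jakub Jelen <maintainer@example.invalid> - 5.3p1-122
- Allow to use ibmca crypto hardware (#1397547)
- CVE-2015-8325: privilege escalation via user's PAM environment and UseLogin=yes (1405374)
* Thu Dec 15 2016 Jakub Jelen <maintainer@example.invalid> - 5.3p1-121
- Fix missing hmac-md5-96 from server offer (#1373836)
"""

def parse_changelog(text: str) -> List[dict]:
    """Split rpm changelog text into entries {'release', 'header', 'changes'}, newest first."""
    entries: List[dict] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append({"release": m.group("release"), "header": line, "changes": []})
        elif line.startswith("- ") and entries:
            entries[-1]["changes"].append(line[2:])
    return entries

def cves_fixed(text: str) -> Dict[str, str]:
    """Map every CVE id named in the changelog to the package release whose entry mentions it."""
    fixed: Dict[str, str] = {}
    for entry in parse_changelog(text):
        for change in entry["changes"]:
            for cve in CVE_RE.findall(change):
                # The changelog of the *installed* package only lists entries up to the
                # installed release, so any mention means that fix is already on the box.
                fixed.setdefault(cve, entry["release"])
    return fixed

def evidence_for(text: str, cve: str) -> Optional[str]:
    """Header line plus the matching change line for a CVE (ticket evidence), or None if absent."""
    for entry in parse_changelog(text):
        for change in entry["changes"]:
            if cve in change:
                return f"{entry['header']}\n- {change}"
    return None
```

On a real host, replace the sample with the output of `subprocess.run(["rpm", "-q", "--changelog", "openssh"], capture_output=True, text=True).stdout`; a CVE that comes back `None` is one to take up with the vendor's advisories rather than to dismiss.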