Re: Download OpenSSH through secure channel?

Ren Siyuan <netheril96@xxxxxxxxx> on Sun, 2014/10/12 22:52:
> I am trying to download a version of OpenSSH newer than the one
> preinstalled with my OS. But sadly I find that I can only download it
> through *unsecured* plain http/ftp/rsync protocol, vulnerable to attacks by
> anyone in the network path. It is odd that *the* software about security
> and encryption across untrusted network is distributed to everyone
> insecurely and not encrypted. Is there any future plan to distribute
> OpenSSH over secured channel, such as https?

The OpenSSH development team provides GPG signatures for their source tarballs. So
download the tarball with whatever (insecure) protocol you prefer, download
the GPG signature file (ending in .asc) and verify with gpg:

% gpg --verify openssh-6.7p1.tar.gz.asc 
gpg: Signature made Mon 06 Oct 2014 05:40:59 AM CEST using RSA key ID 6D920D30
gpg: Good signature from "Damien Miller <djm@xxxxxxxxxxx>" [unknown]
Primary key fingerprint: 59C2 118E D206 D927 E667  EBE3 D3E5 F56B 6D92 0D30

HTTPS does provide secure data transfer, but does not guarantee the data is what
the developers intended to provide. If you download a compromised source tarball
via HTTPS it is still compromised.
-- 
Schoene Gruesse
Chris
                         O< ascii ribbon campaign
                   stop html mail - www.asciiribbon.org

Attachment: signature.asc
Description: PGP signature

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
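
Added example (not part of the original message): "Good signature" with `[unknown]` trust only says that some key in the local keyring made the signature, so a scripted check should also compare the signer's fingerprint with one obtained from a trusted source. This sketch pins the fingerprint printed in the output above and parses GnuPG's machine-readable `--status-fd` lines; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Fingerprint printed in the message above, spaces removed. Confirm it
# against an independent trusted source before relying on it.
PINNED_FPR="59C2118ED206D927E667EBE3D3E5F56B6D920D30"

# Reads `gpg --status-fd` lines on stdin. Succeeds only when a VALIDSIG line
# names the wanted key as signing key (field 3) or primary key (last field)
# and no bad, expired or revoked-key signature is reported.
status_signed_by() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# Usage: verify_detached openssh-6.7p1.tar.gz.asc openssh-6.7p1.tar.gz
# Status lines go to stdout (fd 1); the human-readable text is discarded.
verify_detached() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_signed_by "$PINNED_FPR"
}

# Constructed status output for offline testing: the key id, user id and
# timestamps are made up; $1 is the fingerprint placed in the VALIDSIG line.
sample_status() {
    printf '[GNUPG:] GOODSIG 0000000000000000 constructed-uid\n'
    printf '[GNUPG:] VALIDSIG %s 2014-10-06 1412566859 0 4 0 1 2 00 %s\n' "$1" "$1"
}

# When called with a signature file and a tarball, run the real check.
if [ "$#" -eq 2 ]; then
    if verify_detached "$1" "$2"; then
        echo "OK: valid signature from pinned key"
    else
        echo "FAIL: no valid signature from pinned key" >&2
        exit 1
    fi
fi
```
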
