Ren Siyuan <netheril96@xxxxxxxxx> on Sun, 2014/10/12 22:52:
> I am trying to download a version of OpenSSH newer than the one
> preinstalled with my OS. But sadly I find that I can only download it
> through *unsecured* plain http/ftp/rsync protocol, vulnerable to attacks by
> anyone in the network path. It is odd that *the* software about security
> and encryption across untrusted network is distributed to everyone
> insecurely and not encrypted. Is there any future plan to distribute
> OpenSSH over secured channel, such as https?
OpenSSH development team provides GPG signature for their source tarballs. So
download the tarball with whatever (unsecure) protocol you prefer, download
the gpg signature file (ending .asc) and verify with gpg:
% gpg --verify openssh-6.7p1.tar.gz.asc
gpg: Signature made Mon 06 Oct 2014 05:40:59 AM CEST using RSA key ID 6D920D30
gpg: Good signature from "Damien Miller <djm@xxxxxxxxxxx>" [unknown]
Primary key fingerprint: 59C2 118E D206 D927 E667 EBE3 D3E5 F56B 6D92 0D30
HTTPS does provide secure data transfer, but does not guaranty data is what
developers intended to provide. If you download a compromised source tarball
via HTTPS it is still compromised.
--
Schoene Gruesse
Chris
O< ascii ribbon campaign
stop html mail - www.asciiribbon.org
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
