Re: Download OpenSSH through secure channel?

How do I trust the key then?

On Oct 12, 2014, at 23:05, Christian Hesse <mail@xxxxxxxx> wrote:

> Ren Siyuan <netheril96@xxxxxxxxx> on Sun, 2014/10/12 22:52:
>> I am trying to download a version of OpenSSH newer than the one
>> preinstalled with my OS. But sadly I find that I can only download it
>> through *unsecured* plain http/ftp/rsync protocol, vulnerable to attacks by
>> anyone in the network path. It is odd that *the* software about security
>> and encryption across untrusted network is distributed to everyone
>> insecurely and not encrypted. Is there any future plan to distribute
>> OpenSSH over secured channel, such as https?
> 
> The OpenSSH development team provides GPG signatures for their source
> tarballs. So download the tarball with whatever (insecure) protocol you
> prefer, download the gpg signature file (ending in .asc) and verify with gpg:
> 
> % gpg --verify openssh-6.7p1.tar.gz.asc 
> gpg: Signature made Mon 06 Oct 2014 05:40:59 AM CEST using RSA key ID 6D920D30
> gpg: Good signature from "Damien Miller <djm@xxxxxxxxxxx>" [unknown]
> Primary key fingerprint: 59C2 118E D206 D927 E667  EBE3 D3E5 F56B 6D92 0D30
> 
> HTTPS does provide secure data transfer, but does not guarantee that the data
> is what the developers intended to provide. If you download a compromised
> source tarball via HTTPS it is still compromised.
> -- 
> Best regards
> Chris
>                         O< ascii ribbon campaign
>                   stop html mail - www.asciiribbon.org

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
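
The `gpg --verify` output quoted in the thread shows a good signature from a key marked `[unknown]`, which is the gap the question above points at. The following is an added example, not part of the original thread and not OpenSSH project code: it verifies a tarball and additionally requires that the primary-key fingerprint reported on gpg's `VALIDSIG` status line equals a pinned value. The function names are hypothetical, the pinned value is the fingerprint printed in the quoted output (it is assumed to have been confirmed through a channel independent of the download), and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example: accept a signature only if it was made by a pinned key.

# Fingerprint as printed in the quoted gpg output; assumed to have been
# confirmed out of band before being pinned here.
PINNED_FPR="59C2 118E D206 D927 E667  EBE3 D3E5 F56B 6D92 0D30"

# Strip whitespace and upper-case a fingerprint so both forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Read "gpg --status-fd" output on stdin and print the primary-key
# fingerprint from the VALIDSIG line (last field; older gpg releases that
# omit it fall back to the signing-key fingerprint in field 3).
signer_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             print (NF >= 12 ? $12 : $3); exit
         }'
}

# check_status STATUS_TEXT PINNED: succeed only when a VALIDSIG line is
# present and its fingerprint matches the pinned one.
check_status() {
    got=$(printf '%s\n' "$1" | signer_fpr_from_status)
    want=$(normalize_fpr "$2")
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# verify_tarball SIGFILE TARBALL: gpg must report success AND the signer
# must be the pinned key, not merely some key present in the keyring.
verify_tarball() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    check_status "$status" "$PINNED_FPR"
}

# Constructed sample of gpg status output, for offline checking of the parser.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D3E5F56B6D920D30 Damien Miller <djm@xxxxxxxxxxx>
[GNUPG:] VALIDSIG 59C2118ED206D927E667EBE3D3E5F56B6D920D30 2014-10-06 1412566859 0 4 0 1 2 00 59C2118ED206D927E667EBE3D3E5F56B6D920D30'

if [ "$#" -eq 2 ]; then
    if verify_tarball "$1" "$2"; then
        echo "OK: signed by pinned key"
    else
        echo "FAILED: bad signature or unexpected signer" >&2
        exit 1
    fi
fi
```

Run as `sh script.sh openssh-6.7p1.tar.gz.asc openssh-6.7p1.tar.gz` with the signer's public key already imported into the keyring.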
