OpenSSH Security Advisory: Trojaned Distribution Files

Eric Garff egarff at
Fri Aug 2 01:38:16 EST 2002

> 3. Solution:
> Verify that you did not build a trojaned version of the sources.  The
> portable SSH tar balls contain PGP signatures that should be verified
> before installation.  You can also use the following MD5 checksums for
> verification.
> MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8 
> MD5 (openssh-3.4p1.tar.gz.sig) = d5a956263287e7fd261528bb1962f24c
> MD5 (openssh-3.4.tgz) = 39659226ff5b0d16d0290b21f67c46f2
> MD5 (openssh-3.2.2p1.tar.gz) = 9d3e1e31e8d6cdbfa3036cb183aa4a01
> MD5 (openssh-3.2.2p1.tar.gz.sig) = be4f9ed8da1735efd770dc8fa2bb808a

Are these the checksums of the clean or trojaned tarballs?


Eric Garff
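
The check the quoted advisory describes, as an added example that is not part of the original message or the advisory: a Python script that parses the BSD-style `MD5 (file) = digest` lines and compares them with files in a directory. The function names are hypothetical, and a "match" means only that a file agrees with the listed value, which is the point the question above raises.

```python
import hashlib
import re
from pathlib import Path

# Checksum lines as quoted in the message above (BSD md5(1) output format).
ADVISORY = """\
> MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
> MD5 (openssh-3.4p1.tar.gz.sig) = d5a956263287e7fd261528bb1962f24c
> MD5 (openssh-3.4.tgz) = 39659226ff5b0d16d0290b21f67c46f2
> MD5 (openssh-3.2.2p1.tar.gz) = 9d3e1e31e8d6cdbfa3036cb183aa4a01
> MD5 (openssh-3.2.2p1.tar.gz.sig) = be4f9ed8da1735efd770dc8fa2bb808a
"""

# Leading '>' and spaces are tolerated so mail-quoted lines parse unchanged.
LINE = re.compile(r"^[>\s]*MD5 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]{32})\s*$")


def parse_manifest(text):
    """Return {filename: lowercase md5 hex} from BSD-style checksum lines."""
    entries = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            entries[m["name"]] = m["digest"].lower()
    return entries


def md5_of(path, chunk=1 << 16):
    """Hash a file in chunks so large tarballs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(directory, manifest):
    """Map each listed file to 'match', 'MISMATCH' or 'missing'."""
    results = {}
    for name, expected in manifest.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
        else:
            results[name] = "match" if md5_of(path) == expected else "MISMATCH"
    return results


if __name__ == "__main__":
    for name, status in verify(".", parse_manifest(ADVISORY)).items():
        print(f"{status:9} {name}")
```

Run it from the directory holding the downloaded files; the PGP signature check the advisory names first is a separate step.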
