Download OpenSSH through secure channel?

Christian Hesse mail at eworm.de
Mon Oct 13 02:05:17 EST 2014


Ren Siyuan <netheril96 at gmail.com> on Sun, 2014/10/12 22:52:
> I am trying to download a version of OpenSSH newer than the one
> preinstalled with my OS. But sadly I find that I can only download it
> through *unsecured* plain http/ftp/rsync protocols, vulnerable to attacks by
> anyone in the network path. It is odd that *the* software about security
> and encryption across untrusted networks is distributed to everyone
> insecurely and unencrypted. Is there any future plan to distribute
> OpenSSH over a secured channel, such as https?

The OpenSSH development team provides GPG signatures for their source tarballs. So
download the tarball with whatever (insecure) protocol you prefer, download
the GPG signature file (ending in .asc) and verify it with gpg:

% gpg --verify openssh-6.7p1.tar.gz.asc 
gpg: Signature made Mon 06 Oct 2014 05:40:59 AM CEST using RSA key ID 6D920D30
gpg: Good signature from "Damien Miller <djm at mindrot.org>" [unknown]
Primary key fingerprint: 59C2 118E D206 D927 E667  EBE3 D3E5 F56B 6D92 0D30

HTTPS does provide secure data transfer, but does not guarantee the data is what
the developers intended to provide. If you download a compromised source tarball
via HTTPS, it is still compromised.
-- 
Schoene Gruesse
Chris
                         O< ascii ribbon campaign
                   stop html mail - www.asciiribbon.org
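As an added example (not part of Chris's mail or of the OpenSSH project), the POSIX shell snippet below goes one step past a bare `gpg --verify`: it reads gpg's machine-readable status output and accepts the tarball only when the signature is valid, the key is neither revoked nor expired, and the primary key fingerprint equals the one pinned from the mail above, rather than trusting "Good signature ... [unknown]" on its own. It assumes gpg is installed and the release key has been imported; the sample status lines are constructed, not captured from a real run.

```shell
#!/bin/sh
# Pinned primary key fingerprint, copied from the mail above (spaces removed).
OPENSSH_RELEASE_FPR="59C2118ED206D927E667EBE3D3E5F56B6D920D30"

# status_ok STATUS_TEXT PINNED_FPR
# Parse gpg --status-fd output. Succeeds only if a VALIDSIG line carries the
# pinned fingerprint (as the signing key or as the primary key, the last
# field) and no BADSIG/ERRSIG/REVKEYSIG/EXPKEYSIG line appears.
status_ok() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "REVKEYSIG" || $2 == "EXPKEYSIG" { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# verify_tarball TARBALL SIGFILE
# Run gpg with status lines on stdout (human-readable text goes to stderr)
# and hand them to status_ok. Returns non-zero on any failure.
verify_tarball() {
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null || true)
    status_ok "$status" "$OPENSSH_RELEASE_FPR"
}

# Constructed sample status output, shaped like gpg's VALIDSIG/GOODSIG lines
# for a signature made with the key whose fingerprint is pinned above.
SAMPLE_GOOD='[GNUPG:] GOODSIG D3E5F56B6D920D30 Damien Miller <djm@mindrot.org>
[GNUPG:] VALIDSIG 59C2118ED206D927E667EBE3D3E5F56B6D920D30 2014-10-06 1412600000 0 4 0 1 10 00 59C2118ED206D927E667EBE3D3E5F56B6D920D30'
# Constructed: a tampered tarball produces BADSIG and no VALIDSIG line.
SAMPLE_BAD='[GNUPG:] BADSIG D3E5F56B6D920D30 Damien Miller <djm@mindrot.org>'

# Stand-alone usage: ./verify.sh openssh-6.7p1.tar.gz openssh-6.7p1.tar.gz.asc
if [ "$#" -eq 2 ]; then
    verify_tarball "$1" "$2" && echo "signature OK, fingerprint matches" || { echo "REJECTED"; exit 1; }
fi
```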