Download OpenSSH through secure channel?
Ren Siyuan
netheril96 at gmail.com
Mon Oct 13 02:11:08 EST 2014
How do I trust the key then?
On Oct 12, 2014, at 23:05, Christian Hesse <mail at eworm.de> wrote:
> Ren Siyuan <netheril96 at gmail.com> on Sun, 2014/10/12 22:52:
>> I am trying to download a version of OpenSSH newer than the one
>> preinstalled with my OS. But sadly I find that I can only download it
>> through *unsecured* plain http/ftp/rsync protocols, vulnerable to attacks by
>> anyone in the network path. It is odd that *the* software about security
>> and encryption across untrusted networks is distributed to everyone
>> insecurely and unencrypted. Is there any future plan to distribute
>> OpenSSH over a secure channel, such as https?
>
> The OpenSSH development team provides GPG signatures for their source tarballs. So
> download the tarball with whatever (insecure) protocol you prefer, download
> the gpg signature file (ending in .asc) and verify with gpg:
>
> % gpg --verify openssh-6.7p1.tar.gz.asc
> gpg: Signature made Mon 06 Oct 2014 05:40:59 AM CEST using RSA key ID 6D920D30
> gpg: Good signature from "Damien Miller <djm at mindrot.org>" [unknown]
> Primary key fingerprint: 59C2 118E D206 D927 E667 EBE3 D3E5 F56B 6D92 0D30
>
> HTTPS does provide secure data transfer, but does not guarantee that the data is what
> the developers intended to provide. If you download a compromised source tarball
> via HTTPS it is still compromised.
> --
> Schoene Gruesse
> Chris
> O< ascii ribbon campaign
> stop html mail - www.asciiribbon.org
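One way to act on the fingerprint line in Chris's reply, as an added example that is not part of this thread: a POSIX sh script that runs gpg in machine-readable status mode and rejects the tarball unless the signing key's primary fingerprint equals one pinned beforehand. The pinned value is the fingerprint quoted above; obtaining it out of band (and the file names `openssh-6.7p1.tar.gz` / `.asc`) is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: verify a tarball against its detached
# .asc signature and additionally require that the key's primary fingerprint
# equals a value pinned in advance. "Good signature" alone is not sufficient,
# since gpg prints it for any key that happens to be in the keyring; the
# fingerprint pin is what ties the download to the release manager's key.

# Fingerprint quoted in the thread for Damien Miller's key (spaces removed).
# Obtain and compare this out of band (assumption: you have done so).
PINNED_FPR="59C2118ED206D927E667EBE3D3E5F56B6D920D30"

# fingerprint_matches reads "gpg --status-fd" lines on stdin and succeeds
# only if a VALIDSIG line ends with the pinned primary-key fingerprint.
# VALIDSIG fields: <sig-key-fpr> <date> <ts> <exp> <ver> <rsvd> <pk-algo>
# <hash-algo> <class> <primary-key-fpr>. Older gpg versions omit the last
# field; then $NF is the signature class and the check fails closed.
fingerprint_matches() {
    awk -v pinned="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == pinned { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# verify_tarball: exit 0 only when gpg reports the signature valid AND the
# primary key fingerprint is the pinned one. gpg returns 0 for a good
# signature even when the key is marked [unknown], so the pin is the part
# that answers "how do I trust the key".
verify_tarball() {
    tarball="$1"
    status=$(gpg --status-fd 1 --verify "$tarball.asc" "$tarball" 2>/dev/null) \
        || { echo "gpg: signature not valid for $tarball" >&2; return 1; }
    if printf '%s\n' "$status" | fingerprint_matches "$PINNED_FPR"; then
        echo "OK: $tarball signed by pinned key $PINNED_FPR"
    else
        echo "REJECT: $tarball signed by a key other than the pinned one" >&2
        return 1
    fi
}

# Usage: sh verify.sh openssh-6.7p1.tar.gz  (expects the .asc beside it)
if [ "$#" -gt 0 ]; then
    verify_tarball "$1"
fi
```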