Hi,
well nice suggestion BUT it is not good to rely on a md5sum posted by someone in a newsgroup. The proper way to do a verification of your
version is to do a gpg --verify openssh-3.4p1.tar.gz.sig after you have imported the key DJM-GPG-KEY.asc (with gpg --import DJM-GPG-KEY.asc)
to be found in the portable directory of OpenSSH. We just checked it here and the tarball of openssh-3.4p1 reports a BAD
signature (we made a negative control with the tarball of openssh-3.2.3p1 which gave us a GOOD signature, so the key seems to work...)
BTW: I think you have to check your untouched tarball - cause the shellscript seems to remove itself from Makefile.in in openbsd-compat...
1.8.2002 10:54:02, ic_admin
Hi List,
take a look at "http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-securi..." there you find this part:
-- start --
This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD ports system:
MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz:
MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57
-- stop --
If you do not check this ...
Regards
Ruediger
--
 .-.                         Ruhr-Universitaet Bochum
 /v\    L I N U X            Lehrstuhl fuer Biophysik
// \\  >Penguin Computing<   c/o Christoph Wegener
/( )\                        Gebaeude ND 04/Nord
^^-^^                        D-44780 Bochum, GERMANY

Tel: +49 (234) 32-25754
Fax: +49 (234) 32-14626
mailto:cwe@bph.ruhr-uni-bochum.de
http://www.bph.ruhr-uni-bochum.de
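
The gpg --verify check recommended in the reply above, written as a fail-closed script; this is an added example, not part of the original messages. The pinned fingerprint, the function names and the sample status lines are assumptions or constructed values.

```shell
#!/bin/sh
# Added example (not from the original post): fail-closed check of a detached
# GnuPG signature, deciding from gpg's machine-readable --status-fd lines.

# classify_status PINNED_FPR   (reads `gpg --status-fd 1` output on stdin)
# Prints GOOD, BAD or UNVERIFIED; returns 0 only for GOOD.
# PINNED_FPR: signing key fingerprint, uppercase hex without spaces,
# obtained out of band (assumption: the caller has one).
classify_status() {
    pinned=$1
    verdict=UNVERIFIED
    while read -r tag kw arg rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            BADSIG) verdict=BAD; break ;;          # signature does not match file
            ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) verdict=UNVERIFIED; break ;;
            VALIDSIG) if [ "$arg" = "$pinned" ]; then verdict=GOOD; fi ;;
        esac
    done
    echo "$verdict"
    [ "$verdict" = GOOD ]
}

# verify_tarball KEYFILE SIGFILE TARBALL PINNED_FPR
# Run it on the tarball exactly as downloaded, before unpacking or building.
# Uses a throwaway keyring so only KEYFILE can vouch for the signature.
verify_tarball() {
    vt_home=$(mktemp -d) || return 2
    gpg --homedir "$vt_home" --batch --quiet --import "$1" 2>/dev/null \
        || { rm -rf "$vt_home"; return 2; }
    if gpg --homedir "$vt_home" --batch --status-fd 1 --verify "$2" "$3" \
            2>/dev/null | classify_status "$4"; then vt_rc=0; else vt_rc=1; fi
    rm -rf "$vt_home"
    return "$vt_rc"
}

# Constructed status line (not captured gpg output); FPR is a placeholder.
FPR=0123456789ABCDEF0123456789ABCDEF01234567
printf '[GNUPG:] BADSIG 89ABCDEF01234567 constructed signer\n' |
    classify_status "$FPR" || true
```

A signature that is valid but made by a key other than the pinned one stays UNVERIFIED, which is the case a bare "Good signature" line in a terminal does not distinguish.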