Mailinglist Archive: opensuse-security (409 mails)

< Previous Next >
Re: [suse-security] openssh trojan (alert)
well nice suggestion BUT it is not good to rely on a md5sum posted by someone in a newsgroup. The proper way to do a verifcation of your
version is to do a gpg --verify openssh-3.4p1.tar.gz.sig after you have importet the key DJM-GPG-KEY.asc (with gpg --import DJM-GPG-
KEY.asc) to be found in the portable directory of OpenSSH. We just checked it here and the tarball of openssh-3.4p1 reports a BAD
signature (we made a negative control with the tarball of openssh-3.2.3p1 which gave us a GOOD signature, so the key seems to work...)

BTW: I think you have to check your untouched tarball - cause the shellscript seems to remove itself from in openbsd-compat...

1.8.2002 10:54:02, ic_admin <admin@xxxxxxxxxxxx> wrote:

>Hi List,
>take a look at
> there you find this part:
>-- start --
>This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD
>ports system:
> MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
>This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz:
> MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57
>-- stop --
>If you do not check this ...
.-. Ruhr-Universitaet Bochum
/v\ L I N U X Lehrstuhl fuer Biophysik
// \\ >Penguin Computing< c/o Christoph Wegener
/( )\ Gebaeude ND 04/Nord
^^-^^ D-44780 Bochum, GERMANY

Tel: +49 (234) 32-25754 Fax: +49 (234) 32-14626

< Previous Next >