OpenSSH Trojan

Steve Bougerolle steveb at
Thu Aug 1 17:15:22 PDT 2002

On Fri, 2002-08-02 at 10:48, Bryan Breen wrote:
> Perhaps the real lesson is to double check those md5sum or validate them
> against a signing key. And in particular, use values that are not coming
> from the same server that you are obtaining the source from (and hopefully
> not a server that is just an identical mirror).

I agree.

It's frightening how many sites simply post MD5 sums in a file in the
same folder as the code you're downloading.  That's so easy to subvert
it's actually misleading and therefore dangerous to bother doing it at

Coders should be PGP signing these things, just like the kernel guys
do.  Once you get into it, verifying signatures is easy.

(Having said all that, isn't OpenSSH signed?)

Steve Bougerolle
Creek & Cowley Consulting
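
As an added example (not from the thread or any project it mentions), a POSIX sh fragment for the check described above: confirm the tarball's digest against a value obtained out of band, and verify the PGP signature while pinning the signer's fingerprint rather than trusting any key in the keyring. It assumes gpg and sha256sum (or shasum) are installed; the fingerprint and digest values are placeholders.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Assumes gpg and
# sha256sum/shasum. The pinned fingerprint and expected digest are
# placeholders that must come from somewhere other than the download
# directory (keyserver, release announcement, project page over TLS).

# SHA-256 of a file as a lowercase hex string (coreutils or BSD tools).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Compare a file's digest with an expected value obtained out of band.
checksum_matches() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# Parse "gpg --status-fd 1" output. A zero exit from "gpg --verify" only
# says that SOME key in your keyring made a good signature, so the VALIDSIG
# line must name the fingerprint you pinned: either the signing (sub)key
# in field 3 or the primary key fingerprint in the last field.
signed_by_pinned_key() {
  # $1: gpg status output, $2: pinned 40-hex-digit fingerprint, no spaces
  printf '%s\n' "$1" | awk -v fpr="$2" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
    END { exit !ok }'
}

# Full check: tarball, detached signature, pinned fingerprint, expected digest.
verify_release() {
  tarball=$1; sig=$2; fpr=$3; digest=$4
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || return 1
  signed_by_pinned_key "$status" "$fpr" || return 1
  checksum_matches "$tarball" "$digest"
}

# Usage with placeholders (hypothetical file names):
# verify_release openssh-X.Y.tar.gz openssh-X.Y.tar.gz.asc PINNED_FPR EXPECTED_SHA256
```

If the signing key is a subkey, pin the primary key fingerprint (last field of VALIDSIG) so the check survives subkey rotation.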

More information about the lfs-security mailing list