https://community.hpe.com/t5/operating-system-hp-ux/hp-ssh-explained-paper/m-p/3070335#M751353 Version 1 of my HP-SSH Explained paper is now available at:<BR /><A href="http://newfdawg.com/docs/HP-SSH_Explained.PDF" target="_blank">http://newfdawg.com/docs/HP-SSH_Explained.PDF</A><BR />It is almost 3 MB.<BR />This paper does not include installation &amp; configuration, that can be found at:<BR /><A href="http://newfdawg.com/SHP-Articles.htm" target="_blank">http://newfdawg.com/SHP-Articles.htm</A><BR /><BR />- Chris Fri, 12 Sep 2003 22:20:42 GMT Chris Wong 2003-09-12T22:20:42Z https://community.hpe.com/t5/operating-system-hp-ux/hp-ssh-explained-paper/m-p/3070335#M751353 Version 1 of my HP-SSH Explained paper is now available at:<BR /><A href="http://newfdawg.com/docs/HP-SSH_Explained.PDF" target="_blank">http://newfdawg.com/docs/HP-SSH_Explained.PDF</A><BR />It is almost 3 MB.<BR />This paper does not include installation &amp; configuration, that can be found at:<BR /><A href="http://newfdawg.com/SHP-Articles.htm" target="_blank">http://newfdawg.com/SHP-Articles.htm</A><BR /><BR />- Chris Fri, 12 Sep 2003 22:20:42 GMT https://community.hpe.com/t5/operating-system-hp-ux/hp-ssh-explained-paper/m-p/3070335#M751353 Chris Wong 2003-09-12T22:20:42Z https://community.hpe.com/t5/operating-system-hp-ux/hp-ssh-explained-paper/m-p/3070336#M751354 Get it here.<BR /><A href="http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA" target="_blank">http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA</A><BR /><BR />A good configuration paper is attached.<BR /><BR />SEP Fri, 12 Sep 2003 22:22:30 GMT https://community.hpe.com/t5/operating-system-hp-ux/hp-ssh-explained-paper/m-p/3070336#M751354 Steven E. Protter 2003-09-12T22:22:30Z https://community.hpe.com/t5/operating-system-hp-ux/hp-ssh-explained-paper/m-p/3070337#M751355 Hi Chris,<BR /><BR />I think this is a great article to help any HP-UX administrator new to SSH to pick up fast on both basic features as well as explore advanced features.<BR /><BR />I read the download portion and realised that there was no mention of any checksums to be checked to authenticate the downloaded T1471AA. Subsequently performed a check on <A href="http://www.software.hp.com" target="_blank">http://www.software.hp.com</A> and true enough, there were no md5 checksums or gpg signatures for package verification of any of HP's packages. <BR /><BR />If we look at most opensource programs like apache, openssl or openssh, there are md5 checksums and gpg signatures to check against trojan'ed packages. <BR /><BR />The security threat is real because there had been past reports (by CERT/CC) of trojan'ed OpenSSH distributions (CA-2002-24) and Sendmail distributions (CA-2002-28).<BR /><BR />Without <A href="http://www.software.hp.com" target="_blank">http://www.software.hp.com</A> on SSL and without any authenticode (md5 or gpg), it is a potentially big security risk that someone could compromise the server itself, or an internal DNS server or poison the DNS cache while creating a spoof'ed website to entrap a user into installing a trojan'ed package.<BR /><BR />Have I missed any mitigating mechanisms implemented by HP? <BR /><BR />Thanks in advance. Regards.<BR /><BR />Steven Sim Kok Leong Mon, 15 Sep 2003 01:13:29 GMT https://community.hpe.com/t5/operating-system-hp-ux/hp-ssh-explained-paper/m-p/3070337#M751355 Steven Sim Kok Leong 2003-09-15T01:13:29Z https://community.hpe.com/t5/operating-system-hp-ux/hp-ssh-explained-paper/m-p/3070338#M751356 Hi,<BR /><BR />Great point. I guess the answer is "you can install it from the application CD". Let's see if someone from HP responds to this. I believe the same situation applies to any HP-UX software downloaded from software.hp.com.<BR /><BR />- Chris<BR /><BR /> Mon, 15 Sep 2003 01:20:34 GMT https://community.hpe.com/t5/operating-system-hp-ux/hp-ssh-explained-paper/m-p/3070338#M751356 Chris Wong 2003-09-15T01:20:34Z