HPE Community
Operating System - HP-UX
1826489 Members
4340 Online
109692 Solutions
New Discussion

Re: SSH question (or open source in general)

 
Volker Borowski
Honored Contributor

‎10-17-2001 01:19 AM

‎10-17-2001 01:19 AM

SSH question (or open source in general)

Hello,

it might be a stupid question, but here goes....

How do you ensure, that you get a "correct" version of ssh (or any open source sw)? I mean, if you decide to use it, there will be sure need for it, which in my opinion makes this thing VERY attractive to be attacked at it's root.

Means: how dou you ensure, that the sshd you install is not collecting any valuable information and passes it to a secret place ?

OK, I am new to open source fundamentals, and since yet, I only used open source things in non public or isolated environments. But this should be a thing somebody has thought about already.

May be someone can put some light on this.
Thanks
Volker
0 Kudos
Reply
9 REPLIES 9
Stefan Farrelly
Honored Contributor

‎10-17-2001 02:09 AM

‎10-17-2001 02:09 AM

Re: SSH question (or open source in general)


Its certainly a concern. Thats why I would only download shareware like this from an HP download site - that way HP have checked it, made any HP specific changes, and should have checked it for security, before posting onto an HP download site.
Im from Palmerston North, New Zealand, but somehow ended up in London...
0 Kudos
Reply
Santosh Nair_1
Honored Contributor

‎10-17-2001 02:34 AM

‎10-17-2001 02:34 AM

Re: SSH question (or open source in general)

This is the beauty of open source software...you can get the source. With the source in hand you and others can see exactly what the code is doing. So any malicious code could be easily detected, especially in high profile programs like ssh and apache.

Generally I like to build my code from the source, but the HP porting center is also pretty reliable.

-Santosh
Life is what's happening while you're busy making other plans
0 Kudos
Reply
Stefan Schulz
Honored Contributor

‎10-17-2001 05:33 AM

‎10-17-2001 05:33 AM

Re: SSH question (or open source in general)

The porting center is a good site for open source software which i would consider "safe" (is this correct, or has it to be save???).

If you get your software from another site i would reconmend using ony the homesite of this software which often provides a checksum for the tarballs. Also look at the readme which also often states a checksum.

Of course the savest is to get the source, control the checksum, have a look at the sources and build the software by yourselfe.

Hope this helps.

Regards Stefan
No Mouse found. System halted. Press Mousebutton to continue.
0 Kudos
Reply
Bernie Vande Griend
Respected Contributor

‎10-17-2001 06:33 AM

‎10-17-2001 06:33 AM

Re: SSH question (or open source in general)

Good question. I make sure to only get code or binaries from trusted sites. In this situation, I would only get the compiled code from the HP archives or from OpenSSH.
OpenSSH does have GPG signatures associated with every FTP server they have:
http://www.openssh.org/portable.html
Thats one way to make sure somebody is how they say they are.
I'm a big believed in getting the source, inspecting it and compiling it myself, just to be safe.
If I don't have the time, then I try to use HP's archives.

Ye who thinks he has a lot to say, probably shouldn't.
0 Kudos
Reply
harry d brown jr
Honored Contributor

‎10-17-2001 06:44 AM

‎10-17-2001 06:44 AM

Re: SSH question (or open source in general)


Well I've had this argument for years about free/shareware/opensource.

Well most of unix is opensource. Have you ever used perl, bsd shells, emacs, apache, gcc, mysql, lsof, sccs, linux, and many of the thousands of other utilities?
The safest thing to do is to retreive the source from trusted sites, like gnu, hp, sun, sourceforge, etc... These sites have gone through the code before posting it, and you can get the source. Have you ever wondered how much crap a Microsoftie machine sends out? You should see the broadcast storm of netbios.
Live Free or Die
0 Kudos
Reply
Wodisch
Honored Contributor

‎10-17-2001 06:50 AM

‎10-17-2001 06:50 AM

Re: SSH question (or open source in general)

Hello Volker,

first check that your DNS server is not faked, or misled, to point you to the wrong place...
Then use those almost "official" servers, like the products home-page, HP, the Porting-Archives, and even then only those with MD5 or PGP-checksums (and check those checksums :-)

But most important is to really get the sources and build everything yourself (which would include GCC, BINUTILS, and such, too) and before doing it, proof-read the sources...
Now, at that point we all do not have enough time to actually do it (and perhaps some of us are not C/C++ programmers). So it goes down to trust, again:
Whom do you trust?
HP? Your university? Your colleagues? Us?
You will have to use even "common sense" to decide, which recommendation on the forums to trust!

Sorry to leave you frustrated,
Wodisch
0 Kudos
Reply
Darrell Allen
Honored Contributor

‎10-17-2001 08:23 AM

‎10-17-2001 08:23 AM

Re: SSH question (or open source in general)

Can't resist putting in my 2 cents worth:
Why should I trust source code that I'm not going to read (I'm not that good of a programmer and I've got better ways to spend my time) more than a binary compiled and packaged for my OS level and machine? If it's a reputable site I'll nearly always go for the package. The exception was when I worked for a company with a security division that had to review and approve programs. Can you imagine how long you sometimes have to wait for those reviews?

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
0 Kudos
Reply
Craig Rants
Honored Contributor

‎10-24-2001 01:35 PM

‎10-24-2001 01:35 PM

Re: SSH question (or open source in general)

Most reputable download sites usually will have some type of PGP key or something that you can verify the authenticity of their software with. The hpux software porting sites have an openssh depot, I would say that is probably very reliable, and easy to install if you are looking for that.

http://hpux.cs.utah.edu/
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
0 Kudos
Reply
Eugen Cocalea
Respected Contributor

‎10-24-2001 11:40 PM

‎10-24-2001 11:40 PM

Re: SSH question (or open source in general)

Hi,

Free software and open source are not exactly the same thing.

Open source you can trust entirely because you have the opportunity to check the sources. Well, assuming it's a hundreds of thousands lines of code program, you can't be 100% sure about it until you read and understand it all, but... still.

Free software with no source code, well... depends.

As everybody already said, trust the source of the program. If you trust the source/vendor, you trust the program implicitly.

Anyway, if you are not sure about a software that can cause a security hole, you better leave without it. And, hell, sshd is a security tool, altough it has (un-intended) holes (from time to time).

E.
To Live Is To Learn
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.