
Installing PuTTY 0.70 securely

程序员文章站 2024-03-18 14:41:28

Why does installing one piece of software take this much trouble?

Security incident: the January 2012 PuTTY backdoor
This is something I (@胡争辉) experienced myself: over the Spring Festival a colleague went home, sat in an internet café (heh), used the XX search engine (heh), the first hit for PuTTY was a sponsored advertisement (heh), and downloaded it.
Security incident: the 15 August 2017 backdoor in multiple Xshell versions
Apart from the current official build 1326, the 5.0.1322 and 5.0.1325 builds served by the major domestic download sites were both confirmed to contain the backdoor.
What does the backdoor do?
It steals the server username and password outright, after which the attacker can do whatever they like.

Visit the keys page to get the key download links

https://www.chiark.greenend.org.uk/~sgtatham/putty/keys.html
Master Key
https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/master-2015.asc
RSA, 4096-bit. Key ID: 4096R/04676F7C (long version: 4096R/AB585DC604676F7C).
Fingerprint: 440D E3B5 B7A1 CA85 B3CC 1718 AB58 5DC6 0467 6F7C
Release Key
https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/release-2015.asc
RSA, 2048-bit. Key ID: 2048R/B43434E4 (long version: 2048R/9DFE2648B43434E4).
Fingerprint: 0054 DDAA 8ADA 15D2 768A 6DE7 9DFE 2648 B434 34E4
Secure Contact Key
https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/contact-2016.asc
RSA, 2048-bit. Main key ID: 2048R/8A0AF00B (long version: 2048R/C4FCAAD08A0AF00B).
Encryption subkey ID: 2048R/50C2CF5C (long version: 2048R/9EB39CC150C2CF5C).
Fingerprint: 8A26 250E 763F E359 75F3 118F C4FC AAD0 8A0A F00B
Snapshot Key
https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/snapshot-2015.asc
RSA, 2048-bit. Key ID: 2048R/D15F7E8A (long version: 2048R/EEF20295D15F7E8A).
Fingerprint: 0A3B 0048 FE49 9B67 A234 FEB6 EEF2 0295 D15F 7E8A
These fingerprints will be checked later. Always compare the full 40-hex-digit fingerprint, never just the 8-digit short key ID (e.g. 04676F7C): a short ID can be brute-forced, so a lookalike key with the same short ID is cheap to produce. The keys above are the ones the keys page listed when this was written; the 2015 keys carry an expiry in 2018, so consult the live keys page for the current set before installing a newer release.

Download the keys

Download the Master Key

$ /usr/bin/wget https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/master-2015.asc

Download the Release Key

$ /usr/bin/wget https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/release-2015.asc

Download the Secure Contact Key

$ /usr/bin/wget https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/contact-2016.asc

Download the Snapshot Key

$ /usr/bin/wget https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/snapshot-2015.asc

Import the keys

Import the Master Key

$ /usr/bin/gpg --import master-2015.asc
gpg: key 04676F7C: public key "PuTTY Master Key <putty@projects.tartarus.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found

Import the Release Key

$ /usr/bin/gpg --import release-2015.asc
gpg: key B43434E4: public key "PuTTY Releases <putty@projects.tartarus.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found

Import the Secure Contact Key

$ /usr/bin/gpg --import contact-2016.asc
gpg: key 8A0AF00B: public key "PuTTY Secure Contact <putty@projects.tartarus.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found

Import the Snapshot Key

$ /usr/bin/gpg --import snapshot-2015.asc
gpg: key D15F7E8A: public key "PuTTY Development Snapshots <putty@projects.tartarus.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found

List the fingerprints

$ /usr/bin/gpg --fingerprint
pub   4096R/04676F7C 2015-08-31 [expires: 2018-08-30]
      Key fingerprint = 440D E3B5 B7A1 CA85 B3CC  1718 AB58 5DC6 0467 6F7C
uid                  PuTTY Master Key <putty@projects.tartarus.org>

pub   2048R/B43434E4 2015-08-31 [expires: 2018-08-30]
      Key fingerprint = 0054 DDAA 8ADA 15D2 768A  6DE7 9DFE 2648 B434 34E4
uid                  PuTTY Releases <putty@projects.tartarus.org>

pub   2048R/8A0AF00B 2016-02-23 [expires: 2019-02-22]
      Key fingerprint = 8A26 250E 763F E359 75F3  118F C4FC AAD0 8A0A F00B
uid                  PuTTY Secure Contact <putty@projects.tartarus.org>
sub   2048R/50C2CF5C 2016-02-23 [expires: 2019-02-22]

pub   2048R/D15F7E8A 2015-08-31 [expires: 2018-08-30]
      Key fingerprint = 0A3B 0048 FE49 9B67 A234  FEB6 EEF2 0295 D15F 7E8A
uid                  PuTTY Development Snapshots <putty@projects.tartarus.org>
Compare these with the fingerprints recorded earlier; all four must match character for character. Keep in mind that the keys were downloaded over the same kind of channel as the installer, so the fingerprint on the keys page is the only anchor in this procedure; if you have an independent copy (an older keyring, a colleague who already verified the keys), compare against that too.

Visit the download page to get the download links

MSI (‘Windows Installer’)
64-bit:
https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.70-installer.msi
64-bit: (signature)
https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.70-installer.msi.gpg
Checksum files
MD5:
https://the.earth.li/~sgtatham/putty/latest/md5sums
MD5: (signature)
https://the.earth.li/~sgtatham/putty/latest/md5sums.gpg
SHA-1:
https://the.earth.li/~sgtatham/putty/latest/sha1sums
SHA-1: (signature)
https://the.earth.li/~sgtatham/putty/latest/sha1sums.gpg
SHA-256:
https://the.earth.li/~sgtatham/putty/latest/sha256sums
SHA-256: (signature)
https://the.earth.li/~sgtatham/putty/latest/sha256sums.gpg
SHA-512:
https://the.earth.li/~sgtatham/putty/latest/sha512sums
SHA-512: (signature)
https://the.earth.li/~sgtatham/putty/latest/sha512sums.gpg

Download the 64-bit installer

$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.70-installer.msi

Download the signature for the 64-bit installer

$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.70-installer.msi.gpg

Verify the signature on the installer

$ /usr/bin/gpg --verify putty-64bit-0.70-installer.msi.gpg putty-64bit-0.70-installer.msi
gpg: Signature made 2017-07-08 14:49:50 CST using RSA key ID B43434E4
gpg: Good signature from "PuTTY Releases <putty@projects.tartarus.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0054 DDAA 8ADA 15D2 768A  6DE7 9DFE 2648 B434 34E4
The WARNING lines only mean that you have not marked this key as trusted in your own keyring. What matters is the "Good signature" line together with a primary key fingerprint identical to the Release Key fingerprint from the keys page. A "BAD signature", or a good signature from a key whose fingerprint differs, means the installer must not be run.

Download the checksum files and their signatures

$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/md5sums
$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/md5sums.gpg
$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/sha1sums
$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/sha1sums.gpg
$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/sha256sums
$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/sha256sums.gpg
$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/sha512sums
$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/sha512sums.gpg

Verify the signatures on the checksum files

$ /usr/bin/gpg --verify md5sums.gpg
gpg: Signature made 2017-07-08 14:49:53 CST using RSA key ID B43434E4
gpg: Good signature from "PuTTY Releases <putty@projects.tartarus.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0054 DDAA 8ADA 15D2 768A  6DE7 9DFE 2648 B434 34E4
$ /usr/bin/gpg --verify sha1sums.gpg
gpg: Signature made 2017-07-08 14:49:53 CST using RSA key ID B43434E4
gpg: Good signature from "PuTTY Releases <putty@projects.tartarus.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0054 DDAA 8ADA 15D2 768A  6DE7 9DFE 2648 B434 34E4
$ /usr/bin/gpg --verify sha256sums.gpg
gpg: Signature made 2017-07-08 14:49:53 CST using RSA key ID B43434E4
gpg: Good signature from "PuTTY Releases <putty@projects.tartarus.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0054 DDAA 8ADA 15D2 768A  6DE7 9DFE 2648 B434 34E4
$ /usr/bin/gpg --verify sha512sums.gpg
gpg: Signature made 2017-07-08 14:49:53 CST using RSA key ID B43434E4
gpg: Good signature from "PuTTY Releases <putty@projects.tartarus.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0054 DDAA 8ADA 15D2 768A  6DE7 9DFE 2648 B434 34E4
Each .gpg file is a detached signature. Given only the signature as an argument, gpg looks for the signed file with the same name minus the .gpg suffix in the same directory, so these commands are verifying md5sums, sha1sums, sha256sums and sha512sums respectively.

Verify the checksums

Look the installer's digest up in the plain checksum files whose signatures were just verified (not in the .gpg files, which are binary signatures and contain no hashes):

$ /usr/bin/grep "$(/usr/bin/md5sum putty-64bit-0.70-installer.msi | /usr/bin/awk '{print $1}')" md5sums
$ /usr/bin/grep "$(/usr/bin/sha1sum putty-64bit-0.70-installer.msi | /usr/bin/awk '{print $1}')" sha1sums
$ /usr/bin/grep "$(/usr/bin/sha256sum putty-64bit-0.70-installer.msi | /usr/bin/awk '{print $1}')" sha256sums
$ /usr/bin/grep "$(/usr/bin/sha512sum putty-64bit-0.70-installer.msi | /usr/bin/awk '{print $1}')" sha512sums

grep prints the matching line and exits 0 when the digest is present, and prints nothing with exit status 1 when it is not; check that the file name on the printed line is the installer you downloaded. MD5 and SHA-1 are collision-broken and add little; SHA-256 and SHA-512 are the ones worth relying on. Since the .msi already carries its own verified signature, the checksum files are an independent secondary check rather than the primary one.
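The whole procedure above (fingerprint comparison, signature check, checksum lookup) is typed by hand for one release. As an added example that is not part of the original post or of PuTTY, the script below factors the two comparisons that are easy to get wrong by eye into reusable shell functions: comparing a fingerprint copied from the keys page with gpg's machine-readable `--with-colons` output, and checking a downloaded file against a signed sums file. The Release Key fingerprint is the one quoted from the keys page above; the function names (normalize_fpr, fpr_matches, sums_match, demo) are this example's own, and the installer stand-in and sums lines in demo() are constructed so the script runs offline without gpg.

```shell
#!/bin/sh
# Added example, not from the original post or from the PuTTY project: the manual
# checks above, factored into two reusable functions.
#   fpr_matches - compares a fingerprint pasted from the keys page with the
#                 output of `gpg --with-colons --fingerprint KEYID`
#   sums_match  - recomputes a digest and compares it with the signed sums file
# The fingerprint below is the Release Key fingerprint quoted from the keys page.
# The sample installer and sums lines inside demo() are constructed for this demo.

PUTTY_RELEASE_FPR="0054 DDAA 8ADA 15D2 768A 6DE7 9DFE 2648 B434 34E4"

# normalize_fpr STRING: drop whitespace and upper-case the hex so a fingerprint
# copied from a web page compares byte-for-byte with what gpg prints.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# fpr_matches EXPECTED COLON_OUTPUT: return 0 if COLON_OUTPUT (the text printed by
# `gpg --with-colons --fingerprint KEYID`) contains an "fpr" record whose
# fingerprint field (field 10) equals EXPECTED. The full 160-bit fingerprint is
# compared, never the 8-hex-digit short key ID, which can be brute-forced.
fpr_matches() {
    want=$(normalize_fpr "$1")
    printf '%s\n' "$2" | awk -F: -v want="$want" '
        $1 == "fpr" && $10 == want { found = 1 }
        END { exit !found }'
}

# sums_match FILE SUMSFILE [ALGO]: recompute FILE's digest with ALGO (default
# sha256) and return 0 only if SUMSFILE has a line for FILE's basename carrying
# exactly that digest. SUMSFILE is the plain text file (e.g. sha256sums) whose
# detached signature was verified with gpg; the .gpg file holds no hashes.
# Lines may read "HASH  w64/name" or "HASH *name"; both forms are handled, and a
# name present under several directories (w32/ and w64/) only passes if one of
# those entries carries the digest actually computed.
sums_match() {
    file=$1
    sums=$2
    algo=${3:-sha256}
    actual=$("${algo}sum" "$file" | awk '{ print $1 }')
    name=$(basename "$file")
    awk -v n="$name" -v h="$actual" '
        {
            f = $2
            sub(/^\*/, "", f)     # drop the binary-mode marker
            sub(/.*\//, "", f)    # drop any directory prefix
            if (f == n && $1 == h) ok = 1
        }
        END { exit !ok }' "$sums"
}

# demo: run both checks on constructed data (no network and no gpg needed).
demo() {
    tmp=$(mktemp -d)
    # Constructed stand-in for the installer and for one line of sha256sums.
    printf 'constructed stand-in for the installer\n' \
        > "$tmp/putty-64bit-0.70-installer.msi"
    h=$(sha256sum "$tmp/putty-64bit-0.70-installer.msi" | awk '{ print $1 }')
    printf '%s  w64/putty-64bit-0.70-installer.msi\n' "$h" > "$tmp/sha256sums"
    # Constructed stand-in for `gpg --with-colons --fingerprint 9DFE2648B43434E4`.
    colons='fpr:::::::::0054DDAA8ADA15D2768A6DE79DFE2648B43434E4:'

    if fpr_matches "$PUTTY_RELEASE_FPR" "$colons"; then
        echo "release key fingerprint: OK"
    else
        echo "release key fingerprint: MISMATCH - do not install"
    fi
    if sums_match "$tmp/putty-64bit-0.70-installer.msi" "$tmp/sha256sums" sha256; then
        echo "sha256sums entry: OK"
    else
        echo "sha256sums entry: MISMATCH - do not install"
    fi
    rm -rf "$tmp"
}

demo
```

On a real download, replace the constructed colon output with `gpg --with-colons --fingerprint 9DFE2648B43434E4` and point sums_match at the downloaded installer and the sha256sums file after its .gpg signature has been verified; a non-zero return from either function is a stop signal, not something to retry with a different mirror.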