Installing PuTTY 0.70 securely
Why is installing one piece of software this much trouble?
Security incident: the January 2012 PuTTY backdoor
This is something I (@胡争辉) experienced first-hand: over the Spring Festival break a colleague, back in his home town, went to an internet cafe (heh), searched for PuTTY on a certain XX search engine (heh), the top result was a promoted ad (heh), and downloaded it.
Security incident: the 15 August 2017 Xshell backdoor in multiple versions
Apart from the current official build 1326, the builds 5.0.1322 and 5.0.1325 served by the major domestic download sites have both been confirmed to contain a backdoor.
What does the backdoor do?
It steals the usernames and passwords of your servers outright; from there the attacker can do whatever they like.
In both cases the root cause is the same: a client binary fetched from somewhere other than the project itself, with nothing checked before it was run. The rest of this post downloads PuTTY and verifies it against the PuTTY project's own signing keys, so that a swapped binary is caught before installation.
Visit the keys page to get the key download links
https://www.chiark.greenend.org.uk/~sgtatham/putty/keys.html
Master Key
https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/master-2015.asc
RSA, 4096-bit. Key ID: 4096R/04676F7C (long version: 4096R/AB585DC604676F7C).
Fingerprint: 440D E3B5 B7A1 CA85 B3CC 1718 AB58 5DC6 0467 6F7C
Release Key
https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/release-2015.asc
RSA, 2048-bit. Key ID: 2048R/B43434E4 (long version: 2048R/9DFE2648B43434E4).
Fingerprint: 0054 DDAA 8ADA 15D2 768A 6DE7 9DFE 2648 B434 34E4
Secure Contact Key
https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/contact-2016.asc
RSA, 2048-bit. Main key ID: 2048R/8A0AF00B (long version: 2048R/C4FCAAD08A0AF00B).
Encryption subkey ID: 2048R/50C2CF5C (long version: 2048R/9EB39CC150C2CF5C).
Fingerprint: 8A26 250E 763F E359 75F3 118F C4FC AAD0 8A0A F00B
Snapshot Key
https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/snapshot-2015.asc
RSA, 2048-bit. Key ID: 2048R/D15F7E8A (long version: 2048R/EEF20295D15F7E8A).
Fingerprint: 0A3B 0048 FE49 9B67 A234 FEB6 EEF2 0295 D15F 7E8A
Record these fingerprints now; they are what the imported keys will be checked against. Note that the fingerprints and the key files come from the same HTTPS site, so on their own they only show that you received what chiark.greenend.org.uk served. For an independent confirmation, compare them with the copy printed in the PuTTY manual of an installation you already trust. Each key also carries an expiry date (visible once imported below); when installing a later release, re-read the keys page for the keys current at that time.
Download the keys
Download the Master Key
$ /usr/bin/wget https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/master-2015.asc
Download the Release Key
$ /usr/bin/wget https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/release-2015.asc
Download the Secure Contact Key
$ /usr/bin/wget https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/contact-2016.asc
Download the Snapshot Key
$ /usr/bin/wget https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/snapshot-2015.asc
Import the keys
Import the Master Key
$ /usr/bin/gpg --import master-2015.asc
gpg: key 04676F7C: public key "PuTTY Master Key <[email protected].tartarus.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found
Import the Release Key
$ /usr/bin/gpg --import release-2015.asc
gpg: key B43434E4: public key "PuTTY Releases <[email protected].tartarus.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found
Import the Secure Contact Key
$ /usr/bin/gpg --import contact-2016.asc
gpg: key 8A0AF00B: public key "PuTTY Secure Contact <[email protected].tartarus.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found
Import the Snapshot Key
$ /usr/bin/gpg --import snapshot-2015.asc
gpg: key D15F7E8A: public key "PuTTY Development Snapshots <[email protected].tartarus.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found
The "no ultimately trusted keys found" line is normal for a fresh keyring: it means you have not marked any key (such as your own) as ultimately trusted, not that the import failed.
List the fingerprints
$ /usr/bin/gpg --fingerprint
pub   4096R/04676F7C 2015-08-31 [expires: 2018-08-30]
      Key fingerprint = 440D E3B5 B7A1 CA85 B3CC 1718 AB58 5DC6 0467 6F7C
uid                  PuTTY Master Key <[email protected].tartarus.org>
pub   2048R/B43434E4 2015-08-31 [expires: 2018-08-30]
      Key fingerprint = 0054 DDAA 8ADA 15D2 768A 6DE7 9DFE 2648 B434 34E4
uid                  PuTTY Releases <[email protected].tartarus.org>
pub   2048R/8A0AF00B 2016-02-23 [expires: 2019-02-22]
      Key fingerprint = 8A26 250E 763F E359 75F3 118F C4FC AAD0 8A0A F00B
uid                  PuTTY Secure Contact <[email protected].tartarus.org>
sub   2048R/50C2CF5C 2016-02-23 [expires: 2019-02-22]
pub   2048R/D15F7E8A 2015-08-31 [expires: 2018-08-30]
      Key fingerprint = 0A3B 0048 FE49 9B67 A234 FEB6 EEF2 0295 D15F 7E8A
uid                  PuTTY Development Snapshots <[email protected].tartarus.org>
Compare every fingerprint, all 40 hex digits, against the ones recorded from the keys page above; a short key ID (the 8-digit 04676F7C form) is not enough, because short IDs can be collided deliberately. The sub line 2048R/50C2CF5C is the encryption subkey of the Secure Contact Key and matches the keys page as well. The Release Key is itself certified by the Master Key, and once both are imported `/usr/bin/gpg --check-sigs B43434E4` shows that certification, which ties the key that signs releases back to the project's long-term key.
Visit the download page to get the download links
MSI (‘Windows Installer’)
64-bit:
https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.70-installer.msi
64-bit: (signature)
https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.70-installer.msi.gpg
Checksum files
MD5:
https://the.earth.li/~sgtatham/putty/latest/md5sums
MD5: (signature)
https://the.earth.li/~sgtatham/putty/latest/md5sums.gpg
SHA-1:
https://the.earth.li/~sgtatham/putty/latest/sha1sums
SHA-1: (signature)
https://the.earth.li/~sgtatham/putty/latest/sha1sums.gpg
SHA-256:
https://the.earth.li/~sgtatham/putty/latest/sha256sums
SHA-256: (signature)
https://the.earth.li/~sgtatham/putty/latest/sha256sums.gpg
SHA-512:
https://the.earth.li/~sgtatham/putty/latest/sha512sums
SHA-512: (signature)
https://the.earth.li/~sgtatham/putty/latest/sha512sums.gpg
The installer, its detached signature and the checksum files all come from the same host (the.earth.li). That is exactly why the signature check matters: anyone able to replace the installer there could replace the checksum files too, but could not produce a signature that verifies under the Release Key obtained and fingerprint-checked above.
Download the 64-bit installer
$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.70-installer.msi
Download the 64-bit installer's signature
$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.70-installer.msi.gpg
Verify the installer's signature
$ /usr/bin/gpg --verify putty-64bit-0.70-installer.msi.gpg putty-64bit-0.70-installer.msi
gpg: Signature made Sat 08 Jul 2017 14:49:50 CST using RSA key ID B43434E4
gpg: Good signature from "PuTTY Releases <[email protected].tartarus.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0054 DDAA 8ADA 15D2 768A 6DE7 9DFE 2648 B434 34E4
Two things to read off this output. "Good signature" only says that some key in your keyring produced a valid signature over the file, so confirm that the "Primary key fingerprint" line equals the Release Key fingerprint recorded earlier (0054 DDAA ... B434 34E4), not merely that a Good signature line is present. The WARNING is expected: gpg has no trust path to this key because you have not certified it yourself, and the manual fingerprint comparison is the substitute for that trust path. It is not a reason to reject the file.
Download the checksum files and their signatures
$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/md5sums
$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/md5sums.gpg
$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/sha1sums
$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/sha1sums.gpg
$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/sha256sums
$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/sha256sums.gpg
$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/sha512sums
$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/sha512sums.gpg
Verify the signatures on the checksum files
Each .gpg file is a detached signature over the sums file of the same name, so gpg needs the sums file present in the same directory; with only one argument it looks for the file named by stripping the .gpg suffix.
$ /usr/bin/gpg --verify md5sums.gpg
gpg: Signature made Sat 08 Jul 2017 14:49:53 CST using RSA key ID B43434E4
gpg: Good signature from "PuTTY Releases <[email protected].tartarus.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0054 DDAA 8ADA 15D2 768A 6DE7 9DFE 2648 B434 34E4
$ /usr/bin/gpg --verify sha1sums.gpg
gpg: Signature made Sat 08 Jul 2017 14:49:53 CST using RSA key ID B43434E4
gpg: Good signature from "PuTTY Releases <[email protected].tartarus.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0054 DDAA 8ADA 15D2 768A 6DE7 9DFE 2648 B434 34E4
$ /usr/bin/gpg --verify sha256sums.gpg
gpg: Signature made Sat 08 Jul 2017 14:49:53 CST using RSA key ID B43434E4
gpg: Good signature from "PuTTY Releases <[email protected].tartarus.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0054 DDAA 8ADA 15D2 768A 6DE7 9DFE 2648 B434 34E4
$ /usr/bin/gpg --verify sha512sums.gpg
gpg: Signature made Sat 08 Jul 2017 14:49:53 CST using RSA key ID B43434E4
gpg: Good signature from "PuTTY Releases <[email protected].tartarus.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0054 DDAA 8ADA 15D2 768A 6DE7 9DFE 2648 B434 34E4
As with the installer, the line to check in each case is the Primary key fingerprint, which must be the Release Key's.
Check the installer against the checksum files
The hashes live in the sums files themselves, not in their .gpg signatures, which are binary detached signatures and contain no hash text; grepping the .gpg files can never match. Compute each hash of the installer and look it up in the corresponding (already signature-verified) sums file:
$ /usr/bin/grep $(/usr/bin/md5sum putty-64bit-0.70-installer.msi | /usr/bin/awk '{print $1}') md5sums
$ /usr/bin/grep $(/usr/bin/sha1sum putty-64bit-0.70-installer.msi | /usr/bin/awk '{print $1}') sha1sums
$ /usr/bin/grep $(/usr/bin/sha256sum putty-64bit-0.70-installer.msi | /usr/bin/awk '{print $1}') sha256sums
$ /usr/bin/grep $(/usr/bin/sha512sum putty-64bit-0.70-installer.msi | /usr/bin/awk '{print $1}') sha512sums
Each grep must print exactly one line, and the path on that line must be this installer (w64/putty-64bit-0.70-installer.msi), not some other file that happens to share a prefix. Treat the SHA-256 and SHA-512 matches as the meaningful ones; MD5 and SHA-1 are no longer collision resistant. Because the installer's own detached signature has already been verified above, this step is a cross-check rather than the primary guarantee.
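The three comparisons done by eye above (imported fingerprint against the keys page, the Primary key fingerprint on a Good signature against the Release Key, and the installer hash against a sums file entry) are easy to get wrong in a hurry, so here they are as shell functions that work on gpg's machine-readable output instead of its human-readable messages. This is an added example, not code from the original post or from the PuTTY project. It assumes GNU coreutils (sha256sum, md5sum, basename, mktemp); the SAMPLE_KEYRING and SAMPLE_STATUS values are constructed stand-ins for the output of `gpg --with-colons --fingerprint` and `gpg --status-fd 1 --verify`, so the block runs offline, and the sums-file layout assumed ("<hash>  w64/file" per line) follows the grep step above.

```shell
#!/bin/sh
# Added example (not from the original post or the PuTTY project): helpers that
# script the manual comparisons made in the post. Inputs are text captured from
# gpg and sha256sum; the SAMPLE_* values are constructed for the offline demo.

# Fingerprints as printed on the PuTTY keys page quoted in the post.
PUTTY_MASTER_FPR="440D E3B5 B7A1 CA85 B3CC 1718 AB58 5DC6 0467 6F7C"
PUTTY_RELEASE_FPR="0054 DDAA 8ADA 15D2 768A 6DE7 9DFE 2648 B434 34E4"

# Canonical form of a fingerprint: hex digits only, upper case, no spaces.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# 0 if the fingerprint occurs as an "fpr" record in the machine-readable output
# of "gpg --with-colons --fingerprint" (field 10 of an fpr record).
keyring_has_fpr() {
    want=$(normalize_fpr "$1")
    printf '%s\n' "$2" | awk -F: -v want="$want" \
        '$1 == "fpr" && $10 == want { found = 1 }
         END { exit found ? 0 : 1 }'
}

# 0 only if the status output of "gpg --status-fd 1 --verify SIG FILE" has a
# VALIDSIG record whose primary-key fingerprint (last field) is the expected
# one. "Good signature" alone means some key in the keyring signed the file;
# this pins the result to the Release Key.
validsig_from_key() {
    want=$(normalize_fpr "$1")
    printf '%s\n' "$2" | awk -v want="$want" \
        '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { ok = 1 }
         END { exit ok ? 0 : 1 }'
}

# 0 if the entry for FILE in SUMS ("<hash>  <path>" per line; the path may carry
# a directory prefix such as w64/ and a leading "*" binary marker) equals the
# locally computed hash. HASHER defaults to sha256sum and must match the
# algorithm of SUMS (md5sum for md5sums, and so on).
checksum_entry_ok() {
    file=$1; sums=$2; hasher=${3:-sha256sum}
    name=$(basename "$file")
    actual=$("$hasher" "$file" | awk '{ print $1 }')
    expected=$(awk -v n="$name" \
        '{ p = $2; sub(/^\*/, "", p); sub(/^.*\//, "", p)
           if (p == n) { print $1; exit } }' "$sums")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Constructed sample of "gpg --with-colons --fingerprint" after importing the
# Master and Release keys (uid records omitted, pub fields abridged).
SAMPLE_KEYRING='pub:-:4096:1:AB585DC604676F7C:2015-08-31:2018-08-30::-:::scESC:
fpr:::::::::440DE3B5B7A1CA85B3CC1718AB585DC604676F7C:
pub:-:2048:1:9DFE2648B43434E4:2015-08-31:2018-08-30::-:::scESC:
fpr:::::::::0054DDAA8ADA15D2768A6DE79DFE2648B43434E4:'

# Constructed sample of the status lines for the verification run in the post
# (timestamp fields made up).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 9DFE2648B43434E4 PuTTY Releases
[GNUPG:] VALIDSIG 0054DDAA8ADA15D2768A6DE79DFE2648B43434E4 2017-07-08 1499496590 0 4 0 1 10 00 0054DDAA8ADA15D2768A6DE79DFE2648B43434E4
[GNUPG:] TRUST_UNDEFINED 0 pgp'

run_demo() {
    tmp=$(mktemp -d)
    msi="$tmp/putty-64bit-0.70-installer.msi"
    printf 'not really an MSI\n' > "$msi"
    # Build a sums file in the layout of the real one, with the correct hash.
    printf '%s  w64/putty-64bit-0.70-installer.msi\n' \
        "$(sha256sum "$msi" | awk '{ print $1 }')" > "$tmp/sha256sums"
    keyring_has_fpr "$PUTTY_RELEASE_FPR" "$SAMPLE_KEYRING" && echo "release key present"
    validsig_from_key "$PUTTY_RELEASE_FPR" "$SAMPLE_STATUS" && echo "signature from release key"
    checksum_entry_ok "$msi" "$tmp/sha256sums" && echo "sha256 entry matches"
    printf 'tampered\n' >> "$msi"
    checksum_entry_ok "$msi" "$tmp/sha256sums" || echo "tampered file rejected"
    rm -rf "$tmp"
}

run_demo
```

Against a real download the calls are `keyring_has_fpr "$PUTTY_RELEASE_FPR" "$(gpg --with-colons --fingerprint)"`, `validsig_from_key "$PUTTY_RELEASE_FPR" "$(gpg --status-fd 1 --verify putty-64bit-0.70-installer.msi.gpg putty-64bit-0.70-installer.msi 2>/dev/null)"` (status records go to stdout, the human-readable messages to stderr), and `checksum_entry_ok putty-64bit-0.70-installer.msi sha256sums`. Matching the full fingerprint in the VALIDSIG record rather than the key ID in GOODSIG is the point: short and long key IDs are truncations of the fingerprint, and only the full value identifies the key.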