online checksum verification for FreeBSD
Peter Jeremy
peterjeremy at acm.org
Wed Mar 10 21:36:09 UTC 2010
On 2010-Mar-10 15:22:32 +0100, Elmar Stellnberger <elmstel at gmail.com> wrote:
> I believe it would be highly desirable to have an online md5sum
>verification for FreeBSD as this is already implemented by checkroot
>(http://www.elstel.com/checkroot/) for openSUSE.

You are welcome to adapt your tool to support FreeBSD and have it
included in the ports system.

That said, it's unclear that your tool offers any benefits over
the freebsd-update(8) tool that is part of the FreeBSD base system.

>The only thing that I have found about it is:
>"DS Compare the system against a "known good" index of the installed
>release.'"

As well as freebsd-update(8), the FreeBSD base system includes
mtree(8) - which can be used to generate and check file hashes. Other
tools, such as tripwire, are available in the ports tree.

>However this known good index would need to be stored on a FreeBSD
>server because everything that is stored locally can be altered by an
>intruder.

This isn't completely true - the known good index could be stored on
read-only media - CD-ROM or write-protected floppy. Note that an
intruder could equally easily modify the checkroot executable unless
it is also stored on read-only media. (And even a statically linked
checkroot won't protect against a suborned kernel).

I notice that your tool only appears to store MD5 hashes - I presume
you are aware that the MD5 algorithm has been shown to have a number
of weaknesses and is not recommended for new applications. This
is why FreeBSD has moved to using a combination of MD5 and SHA256.

Also, your website mentions DSA is unsafe. Could you please provide
a reference for this claim as I am unaware of any results suggesting
that DSA is less secure than RSA.

--
Peter Jeremy
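
The following added example, which is not part of the original message and is not mtree(8) or freebsd-update(8) code, shows the baseline-and-compare check discussed above using SHA-256 digests. The function names, the `digest  path` index format and the temporary directories standing in for the system tree and the read-only media are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Stream the file through SHA-256 rather than relying on MD5 alone."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_index(root):
    """Map each regular file under root (relative path) to its digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}

def write_index(index, index_path):
    """Write 'digest  path' lines; keep this file on read-only media."""
    Path(index_path).write_text(
        "".join(f"{index[p]}  {p}\n" for p in sorted(index)))

def check_tree(root, index_path):
    """Compare the live tree with the stored known-good index."""
    lines = Path(index_path).read_text().splitlines()
    known = {path: digest for digest, path in (l.split("  ", 1) for l in lines)}
    live = build_index(root)
    return {
        "modified": sorted(p for p in known if p in live and live[p] != known[p]),
        "missing": sorted(p for p in known if p not in live),
        "unexpected": sorted(p for p in live if p not in known),
    }

def demo():
    """Constructed sample tree: baseline it, change it, then check it."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as ro:
        for name in ("ls", "ps", "su"):
            Path(root, name).write_bytes(name.encode() + b" v1")
        index_path = Path(ro, "bin.sha256")   # stands in for read-only media
        write_index(build_index(root), index_path)
        Path(root, "su").write_bytes(b"su altered")   # modified file
        Path(root, "ps").unlink()                     # removed file
        Path(root, "nc").write_bytes(b"new file")     # file not in the index
        return check_tree(root, index_path)

if __name__ == "__main__":
    print(demo())
```

As the message points out, the result is only as trustworthy as the checker and the kernel it runs on, so the script and interpreter need the same read-only treatment as the index.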