Re: Integrity checking NANOBSD images
Mike Tancsa wrote:
[ ... ]
> # ssh remote1.example.com "/tmp/rand-directory/dd if=/dev/ad2s1a
> bs=4096k | /tmp/rand-directory/sha256"
> 120+1 records in
> 120+1 records out
> 505389056 bytes transferred in 169.727727 secs (2977646 bytes/sec)
> 955ebad583bfc0718eb28ac89563941407294d5c61a0c0f35e3773f029cc0685
>
> Can I be reasonably certain the image has not been tampered with ? Or
> are there trivial ways to defeat this check ?
Checksumming the device image is a fine way of checking the integrity of it,
assuming it is read-only. The only thing you might want to do is use two or
three checksum algorithms (ie, use sha256 and md5 and something else), so that
someone can't create a new image which matches the sha256 checksum of the
original.
--
-Chuck
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)
完整討論串 (本文為第 2 之 15 篇):