Re: HEADS UP: FreeBSD src repo transitioning to git this weekend

From: Shawn Webb <shawn.webb_at_hardenedbsd.org>
Date: Fri, 1 Jan 2021 21:12:54 -0500
On Sat, Jan 02, 2021 at 08:37:14AM +0800, Li-Wen Hsu wrote:
> On Sat, Jan 2, 2021 at 4:25 AM Christian Weisgerber <naddy_at_mips.inka.de> wrote:
> >
> > On 2021-01-01, Shawn Webb <shawn.webb_at_hardenedbsd.org> wrote:
> >
> > > This is why I asked FreeBSD to provide anonymous read-only ssh://
> > > support for git. I'm very grateful they support it.
> > >
> > > One thing that I need to do with the HardenedBSD infrastructure is
> > > publish on our site the ssh pubkeys of the server (both RSA and
> > > ed25519). I plan to do that sometime this coming week. I wonder if it
> > > would be a good idea for FreeBSD to do the same
> >
> > The draft FreeBSD Git docs have the SSH fingerprints of the Git
> > servers.
> > https://github.com/bsdimp/freebsd-git-docs/blob/main/URLs.md
> >
> > Here's one from my own ~/.ssh/known_hosts:
> > SHA256:y1ljKrKMD3lDObRUG3xJ9gXwEIuqnh306tSyFd1tuZE git.freebsd.org (ED25519)
> 
> And the ssh-keys file is available on the project site, signed with
> security-officer's key:
> 
> https://www.freebsd.org/internal/ssh-keys.asc
> 
> And in that file's header:
> """
> Note that all machines listed below also have signed SSHFP records in
> DNS.  If you have a DNSSEC-aware resolver and set VerifyHostKeyDNS to
> "ask" or "yes" in ~/.ssh/config, OpenSSH will verify host keys against
> these SSHFP records.
> """

Awesome! Thanks for the clarification!

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

GPG Key ID:          0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9  3633 C85B 0AF8 AB23 0FB2
https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

Received on Sat Jan 02 2021 - 01:12:58 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:26 UTC