On Sat, Jan 2, 2021 at 4:25 AM Christian Weisgerber <naddy_at_mips.inka.de> wrote: > > On 2021-01-01, Shawn Webb <shawn.webb_at_hardenedbsd.org> wrote: > > > This is why I asked FreeBSD to provide anonymous read-only ssh:// > > support for git. I'm very grateful they support it. > > > > One thing that I need to do with the HardenedBSD infrastructure is > > publish on our site the ssh pubkeys of the server (both RSA and > > ed25519). I plan to do that sometime this coming week. I wonder if it > > would be a good idea for FreeBSD to do the same > > The draft FreeBSD Git docs have the SSH fingerprints of the Git > servers. > https://github.com/bsdimp/freebsd-git-docs/blob/main/URLs.md > > Here's one from my own ~/.ssh/known_hosts: > SHA256:y1ljKrKMD3lDObRUG3xJ9gXwEIuqnh306tSyFd1tuZE git.freebsd.org (ED25519) And the ssh-keys file is available on the project site, signed with security-officer's key: https://www.freebsd.org/internal/ssh-keys.asc And in that file's header: """ Note that all machines listed below also have signed SSHFP records in DNS. If you have a DNSSEC-aware resolver and set VerifyHostKeyDNS to "ask" or "yes" in ~/.ssh/config, OpenSSH will verify host keys against these SSHFP records. """ Best, Li-WenReceived on Fri Jan 01 2021 - 23:37:26 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:26 UTC