On Sat, Jan 02, 2021 at 08:37:14AM +0800, Li-Wen Hsu wrote: > On Sat, Jan 2, 2021 at 4:25 AM Christian Weisgerber <naddy_at_mips.inka.de> wrote: > > > > On 2021-01-01, Shawn Webb <shawn.webb_at_hardenedbsd.org> wrote: > > > > > This is why I asked FreeBSD to provide anonymous read-only ssh:// > > > support for git. I'm very grateful they support it. > > > > > > One thing that I need to do with the HardenedBSD infrastructure is > > > publish on our site the ssh pubkeys of the server (both RSA and > > > ed25519). I plan to do that sometime this coming week. I wonder if it > > > would be a good idea for FreeBSD to do the same > > > > The draft FreeBSD Git docs have the SSH fingerprints of the Git > > servers. > > https://github.com/bsdimp/freebsd-git-docs/blob/main/URLs.md > > > > Here's one from my own ~/.ssh/known_hosts: > > SHA256:y1ljKrKMD3lDObRUG3xJ9gXwEIuqnh306tSyFd1tuZE git.freebsd.org (ED25519) > > And the ssh-keys file is available on the project site, signed with > security-officer's key: > > https://www.freebsd.org/internal/ssh-keys.asc > > And in that file's header: > """ > Note that all machines listed below also have signed SSHFP records in > DNS. If you have a DNSSEC-aware resolver and set VerifyHostKeyDNS to > "ask" or "yes" in ~/.ssh/config, OpenSSH will verify host keys against > these SSHFP records. > """ Awesome! Thanks for the clarification! Thanks, -- Shawn Webb Cofounder / Security Engineer HardenedBSD GPG Key ID: 0xFF2E67A277F8E1FA GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2 https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:26 UTC