From: Matthew Seaman
Date: Tue, 10 Oct 2017 16:47:40 +0100
To: freebsd-questions@freebsd.org
Subject: Re: Cannot pkg upgrade WindowMaker 0.95.7 -> 0.95.8

On 10/10/2017 16:12, James Geering wrote:
> Another newbie question I'm afraid but I cannot find the answer in the
> documentation or from google.
> I am performing an svn checkout on the ports/head and of course am asked
> to accept the ECDSA key fingerprint. I'd rather not do this blindly and
> so would like to check the fingerprint as per normal. However, I cannot
> find a list of fingerprints for the FreeBSD servers. Where can I find
> these please so that I can add it to my known hosts.

FreeBSD servers have SSHFP records in the DNS -- so you can do e.g.

    % dig +short SSHFP repo.freebsd.org
    3 1 36B341D17435A6DF1380C9E706FEE1715626AFBB
    1 2 65A5148D5FA17B02DA6BE9640BE654BE90CF87BC4F633D62BCBB882D EE8BF74F
    1 1 A137868F78A49B2DCCB3B48B270991B39A92508A
    2 1 8EE4E20F3AE231F3C496493D3F38565A093478CD
    2 2 0B7936D1466DA23BA5F5BBCDC1B24F3DDA014323790BA511F7B06AAC 493E8C6B
    4 2 BABD9D9AA10F0A8BD4BDB799F020B691FF293B52A9679E79C6140F3E 3A1220E1
    3 2 64BAB351F14A5152982C5FF022EA9A78B4534A428C2564C711CD6D12 2DF807C8
    4 1 F8BAE3FBBA737BEC38B7E80F57421C8B58DD3AB7

Now, you can go grovelling about in the documentation about SSHFP
records to work out how those transform into the SSH fingerprints you
would see from your desktop, but a much better way is to get ssh itself
to look up and verify the SSHFP records against the server's key.

In your ~/.ssh/config or the /etc/ssh/ssh_config file add a section:

    Host *.freebsd.org
        VerifyHostKeyDNS yes

This assumes you have a DNSSEC-enabled resolver configured. If you're
unsure that you do (or maybe even what that means), a quick solution is
to add

    local_unbound="YES"

to /etc/rc.conf, and then run:

    # service local_unbound setup
    # service local_unbound start

Et voilà

	Cheers,

	Matthew
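
Added example, not part of the message above and not FreeBSD or OpenSSH code: how the SSHFP records printed by dig map onto the fingerprint ssh shows at the host key prompt, and how to check a public key line against them. The function names are this example's own, and the sample key and sample dig output are constructed. The comparison only means something when the DNS answer was DNSSEC-validated.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) for each SSH key type.
ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
        "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
HASHES = {1: ("SHA1", hashlib.sha1), 2: ("SHA256", hashlib.sha256)}

def parse_dig(output):
    """Parse `dig +short SSHFP` lines into {(alg, fptype, hexdigest)}.
    dig splits long digests with spaces, so the hex fields are rejoined."""
    records = set()
    for line in output.strip().splitlines():
        alg, fptype, *hexparts = line.split()
        records.add((int(alg), int(fptype), "".join(hexparts).upper()))
    return records

def sshfp_from_pubkey(line):
    """SSHFP records for one 'keytype base64 [comment]' public key line."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)  # the digest is taken over the raw key blob
    return {(ALGS[keytype], t, h(blob).hexdigest().upper())
            for t, (_, h) in HASHES.items()}

def openssh_fingerprint(fptype, hexdigest):
    """Render an SSHFP digest in the NAME:base64 form ssh prints."""
    name = HASHES[fptype][0]
    b64 = base64.b64encode(bytes.fromhex(hexdigest)).decode().rstrip("=")
    return f"{name}:{b64}"

def key_matches_dns(pubkey_line, dig_output):
    """True if a fingerprint of the key appears among the SSHFP records."""
    return bool(sshfp_from_pubkey(pubkey_line) & parse_dig(dig_output))

# Constructed sample: a well-formed Ed25519 key blob with dummy key bytes.
_blob = (struct.pack(">I", 11) + b"ssh-ed25519"
         + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " constructed"
# Constructed dig output for that key, SHA-256 digest split the way dig does.
_sha256 = hashlib.sha256(_blob).hexdigest().upper()
SAMPLE_DIG = (f"4 1 {hashlib.sha1(_blob).hexdigest().upper()}\n"
              f"4 2 {_sha256[:56]} {_sha256[56:]}\n")

if __name__ == "__main__":
    for alg, fptype, digest in sorted(parse_dig(SAMPLE_DIG)):
        print(alg, fptype, openssh_fingerprint(fptype, digest))
    print("match:", key_matches_dns(SAMPLE_KEY, SAMPLE_DIG))
```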