Date: Tue, 10 Oct 2017 16:47:40 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: Cannot pkg upgrade WindowMaker 0.95.7 -> 0.95.8
Message-ID: <0c758985-915d-b275-261e-459679cadbfc@FreeBSD.org>
In-Reply-To: <1507648362.12939.3.camel@btinternet.com>
References: <1507556303.29148.15.camel@btinternet.com> <alpine.BSF.2.21.1710091623350.2032@yokozuna> <1507562180.29148.17.camel@btinternet.com> <alpine.BSF.2.21.1710091838370.2032@yokozuna> <1507648362.12939.3.camel@btinternet.com>

On 10/10/2017 16:12, James Geering wrote:
> Another newbie question I'm afraid but I cannot find the answer in the
> documentation or from google.
> I am performing an svn checkout on the ports/head and of course am asked
> to accept the ECDSA key fingerprint. I'd rather not do this blindly and so
> would like to check the fingerprint as per normal. However, I cannot find
> a list of fingerprints for the FreeBSD servers. Where can I find these
> please so that I can add it to my known hosts.

FreeBSD servers have SSHFP records in the DNS -- so you can do eg.

% dig +short SSHFP repo.freebsd.org
3 1 36B341D17435A6DF1380C9E706FEE1715626AFBB
1 2 65A5148D5FA17B02DA6BE9640BE654BE90CF87BC4F633D62BCBB882D EE8BF74F
1 1 A137868F78A49B2DCCB3B48B270991B39A92508A
2 1 8EE4E20F3AE231F3C496493D3F38565A093478CD
2 2 0B7936D1466DA23BA5F5BBCDC1B24F3DDA014323790BA511F7B06AAC 493E8C6B
4 2 BABD9D9AA10F0A8BD4BDB799F020B691FF293B52A9679E79C6140F3E 3A1220E1
3 2 64BAB351F14A5152982C5FF022EA9A78B4534A428C2564C711CD6D12 2DF807C8
4 1 F8BAE3FBBA737BEC38B7E80F57421C8B58DD3AB7

Now, you can go grovelling about in the documentation about SSHFP
records to work out how those transform into the SSH fingerprints you
would see from your desktop, but a much better way is to get ssh itself
to look up and verify the SSHFP records against the server's key.

In your ~/.ssh/config or the /etc/ssh/ssh_config file add a section:

Host *.freebsd.org
    VerifyHostKeyDNS yes

This assumes you have a DNSSEC enabled resolver configured. If you're
unsure that you do (or maybe even what that means), a quick solution is
to add

    local_unbound="YES"

to /etc/rc.conf, and then run:

    # service local_unbound setup
    # service local_unbound start

Et voilà

Cheers,

Matthew
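
How a host key turns into the SSHFP records and the fingerprint string discussed in the message above, as an added example that is not part of the original e-mail or of any FreeBSD tooling. The function names are this example's own, and SAMPLE_KEY is a constructed key with dummy bytes, not a real host key.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) by SSH key type name.
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4,
                    **{f"ecdsa-sha2-nistp{n}": 3 for n in (256, 384, 521)}}

def key_blob(pubkey_line):
    """Return (key type, raw blob) from a '<type> <base64> [comment]' line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])  # blob starts with its own type name
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return key_type, blob

def sshfp_records(pubkey_line):
    """SSHFP rdata for this key as {(algorithm, fp_type, hex digest)}."""
    key_type, blob = key_blob(pubkey_line)
    alg = SSHFP_ALGORITHMS[key_type]
    return {(alg, 1, hashlib.sha1(blob).hexdigest()),    # fp type 1: SHA-1
            (alg, 2, hashlib.sha256(blob).hexdigest())}  # fp type 2: SHA-256

def openssh_fingerprint(pubkey_line):
    """The 'SHA256:...' string ssh shows when asking you to accept a key."""
    digest = hashlib.sha256(key_blob(pubkey_line)[1]).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fingerprint_to_sshfp_hex(fp):
    """Convert ssh's 'SHA256:<base64>' string to the SSHFP type-2 hex form."""
    b64 = fp.split(":", 1)[1]
    return base64.b64decode(b64 + "=" * (-len(b64) % 4)).hex()

def parse_dig_short(text):
    """Parse `dig +short SSHFP` output; dig splits long digests with a space."""
    records = set()
    for line in text.strip().splitlines():
        alg, fp_type, *hex_parts = line.split()
        records.add((int(alg), int(fp_type), "".join(hex_parts).lower()))
    return records

def key_matches_dns(pubkey_line, dig_output):
    """True if this key's SHA-256 SSHFP record appears in the dig output."""
    wanted = {r for r in sshfp_records(pubkey_line) if r[1] == 2}
    return wanted <= parse_dig_short(dig_output)

# Constructed sample key (not a real host key): Ed25519 framing, dummy bytes.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " constructed"
```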