On 2015-05-01 at 20:18 +0100, Nigel Metheringham wrote:
> - Git access over ssh will have a different host key
This statement should be signed by a PGP key in the strong set, to let
you verify the trust assertions herein.
Of my own direct knowledge, I hereby affirm that these hostkeys are
correct for `git.exim.org` (this format suitable for inclusion in
known_hosts unless you prefer entries to be hashed):
- ----------------------------8< cut here >8------------------------------
git.exim.org,131.111.8.88,2001:630:212:8::e:f0e ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB4UK+P4SAgUqS1A7IzpnfXvnCC4LAgJFCfqlF4tHiCIvrlXWbs82XShyiqTQKArSi8t/ekYpaZmOlaQW1KAki8=
git.exim.org,131.111.8.88,2001:630:212:8::e:f0e ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC+mDJL1Uzv6SwERrxdyLig5ZRG6vzOYJYWDi3q7p3z2
git.exim.org,131.111.8.88,2001:630:212:8::e:f0e ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4ut9NVD1t1jt26fEoMQo8R0n0HbSr4L52WcdHP70W4kHQFXi2oyCaMjMNQdbAykIciIRBpky3zqW9leiDu6ACyWt9FKHhSKp90Mh0yB0Gnq0adWA0S4TQbb2qBjttp/d/+6CpjVYMFnLBJumA11cvWWR9p9rVZRYbdusCS1UKLogdg/SnVQ/EPg89MlXLr0Sn/ZwAx0ybc95RTeiOu/Wj1RMeObxSv9vrUCGcaH25eLxIaVaNp3GUu35INDVxeTg7nkMtG53FW++0nVOeJHlVucvGkPk3np2kxMHb/RJV2lPK9Dp/VI3FkB4ec/H+j79qC+Du8AEK/QK7ble7O943
- ----------------------------8< cut here >8------------------------------
These are the old-style digests; note that hummus is the name of the
machine behind `git.exim.org`:
256 a5:0f:67:fa:91:79:7a:e9:b4:21:ab:dc:07:c3:65:62 root@hummus (ECDSA)
256 21:d2:70:9c:59:43:5d:c9:dd:1d:f7:a6:a9:9f:bc:c3 root@hummus (ED25519)
2048 51:71:e6:5f:6e:06:83:ed:cb:72:be:4f:3f:c7:11:fb root@hummus (RSA)
As of OpenSSH 6.8 a newer format is used by default (not based on MD5!)
and you should expect to see one of these:
256 SHA256:IPuTfrm4euxWbf8Kl7MZY6P13Xy7qeIFV068Z26ELf8 root@hummus (ECDSA)
256 SHA256:v0uTdvX//itZoJSGON87TXfQLaLLjETLyQ0L8XTyLl4 root@hummus (ED25519)
2048 SHA256:1exf8JxvQQ7Oaxyxdme6rsTfzfD3C9kELf3FvtGuAE8 root@hummus (RSA)
Basis for direct knowledge assertion: I did the SSH setup on this box
some time back; after the initial connection, I have never blindly
accepted the hostkey, but have consistently connected to the same box
(purportedly in Cambridge, UK). I generated some of the hostkeys. We
use etckeeper to control these files and it has not seen any changes,
while one of the backups of etckeeper is to a box under my personal
administrative control. (Yes, that means that I could set up a box
which fraudulently claims to be the new one). I pulled the fingerprints
above from the files in `/etc/ssh` just now.
On the old box, we had RSA and DSA keys, both 1024 bits. There is no
DSA key on the new box.
The IP addresses can be seen in
<
https://github.com/Exim/exim-dns/blob/master/exim.org.lua> and note
that commit `67657780` by me (in 2013) set the IP addresses.
- -Phil Pennock, pdp@???
