X-List-Received-Date: Fri, 30 Mar 2012 02:26:04 -0000
Hi Murray,
On Thu, Mar 29, 2012 at 04:16:02PM +0100, Murray Crane wrote:
> Is there any further guidance on how to get my
> *.console.bitfolk.comcert/key so I can include that in all the fun
> (other than the wiki)?
If we're talking about:
https://tools.bitfolk.com/wiki/Verifying_BitFolk%27s_SSH_fingerprints
then you'll see the problem of console host vs. real host. The
article states that BitFolk is not going to publish the keys for
every console.bitfolk.com hostname, but then incorrectly goes on to
state that you could publish them yourself.
You obviously can't publish them yourself because
whatever.console.bitfolk.com is actually just a CNAME for some VPS
host that you have no admin access to, and admin access would be
required to do the:
# monkeysphere-host import-key blah..
I will correct the article.
What I would suggest, if you want to be able to verify the console
host using Monkeysphere, is that you do it in a two stage process.
For example, if your account name were "ruminant", you could find
your VPS host like so:
$ host ruminant.console.bitfolk.com
ruminant.console.bitfolk.com is an alias for console.president.bitfolk.com.
console.president.bitfolk.com is an alias for president.bitfolk.com.
president.bitfolk.com has address 85.119.80.16
president.bitfolk.com has IPv6 address 2001:ba8:0:1f1::6
You could then:
$ ssh ruminant@???
which Monkeysphere should be able to verify, as the host key for
president.bitfolk.com is published. Once you've verified that you do
end up connected to the thing you expected to be connected to you
could sign the host key yourself and re-publish it, as at the moment
the entire thing relies on my single PGP key.
Hopefully soon I will be able to add DNSSEC to the bitfolk.com zone
and along with it I will publish SSHFP¹ records for all the console
host mappings, so that will provide another (easier) way to verify,
if you're using a validating DNS resolver.
Cheers,
Andy
¹ Dry details:
http://tools.ietf.org/html/rfc4255
An example of use:
http://benctechnicalblog.blogspot.co.uk/2011/03/sshfp-dns.html
-- 
> The optimum programming team size is 1.
Has Jurassic Park taught us nothing?
-- pfilandr
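Added example, not code from Andy's message or from BitFolk's tooling: it follows the CNAME chain in the `host` output quoted above to the real VPS host, then checks a presented OpenSSH host key against SSHFP data laid out as in RFC 4255 (fingerprint type 2, SHA-256, comes from RFC 6594). The copied `host` output, the stand-in key and the "published" records are all constructed here; a real check would obtain the records through a validating DNSSEC resolver, as the message says.

```python
import base64
import hashlib
import re
# Constructed copy of the `host` output shown in the message.
HOST_OUTPUT = """\
ruminant.console.bitfolk.com is an alias for console.president.bitfolk.com.
console.president.bitfolk.com is an alias for president.bitfolk.com.
president.bitfolk.com has address 85.119.80.16
president.bitfolk.com has IPv6 address 2001:ba8:0:1f1::6
"""

def canonical_host(host_output: str, name: str) -> str:
    """Follow 'X is an alias for Y.' lines from `name` to the final target:
    the host whose key is actually published, and whose SSHFP you must check."""
    aliases = dict(re.findall(r"^(\S+) is an alias for (\S+)\.$", host_output, re.M))
    seen = set()
    while name in aliases and name not in seen:  # guard against CNAME loops
        seen.add(name)
        name = aliases[name]
    return name

# SSHFP algorithm numbers (RFC 4255) and fingerprint types
# (1 = SHA-1 per RFC 4255, 2 = SHA-256 per RFC 6594).
KEY_ALGO = {"ssh-rsa": 1, "ssh-dss": 2}
FP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_rdata(pubkey_line: str, fptype: int) -> tuple:
    """(algorithm, fptype, hex fingerprint) for an OpenSSH public key line;
    the hash covers the base64-decoded key blob, as `ssh-keygen -r` does."""
    keytype, b64 = pubkey_line.split()[:2]
    return KEY_ALGO[keytype], fptype, FP_HASH[fptype](base64.b64decode(b64)).hexdigest()

def host_key_matches(pubkey_line: str, records: list) -> bool:
    """True when a published SSHFP record (trustworthy only if it arrived via
    a validating DNSSEC resolver) agrees with the key the server presented."""
    return any(sshfp_rdata(pubkey_line, fptype) == (algo, fptype, fp.lower())
               for algo, fptype, fp in records if fptype in FP_HASH)

# Constructed stand-in for a host key: wire-format shape only, not a real RSA key.
_BLOB = b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x01\x03\x00\x00\x00\x02\x00\xc5"
REAL_KEY = "ssh-rsa " + base64.b64encode(_BLOB).decode() + " president.bitfolk.com"
TAMPERED_KEY = "ssh-rsa " + base64.b64encode(_BLOB[:-1] + b"\xc7").decode() + " other"
# What the zone owner would publish for president.bitfolk.com (one record per hash).
PUBLISHED = [sshfp_rdata(REAL_KEY, 1), sshfp_rdata(REAL_KEY, 2)]

if __name__ == "__main__":
    print(canonical_host(HOST_OUTPUT, "ruminant.console.bitfolk.com"))  # president.bitfolk.com
    print(host_key_matches(REAL_KEY, PUBLISHED), host_key_matches(TAMPERED_KEY, PUBLISHED))  # True False
```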
From andyparkins@??? Fri Mar 30 08:53:16 2012