Hi Murray,

On Thu, Mar 29, 2012 at 04:16:02PM +0100, Murray Crane wrote:
> Is there any further guidance on how to get my *.console.bitfolk.com
> cert/key so I can include that in all the fun (other than the wiki)?
If we're talking about:

https://tools.bitfolk.com/wiki/Verifying_BitFolk%27s_SSH_fingerprints

then you'll see the problem of console host vs. real host. The article
states that BitFolk is not going to publish the keys for every
console.bitfolk.com hostname, but then incorrectly goes on to state that
you could publish them yourself.

You obviously can't publish them yourself because
whatever.console.bitfolk.com is actually just a CNAME for some VPS host
that you have no admin access to, and admin access would be required to
do the:

    # monkeysphere-host import-key blah..

I will correct the article.
What I would suggest, if you want to be able to verify the console host
using Monkeysphere, is that you do it in a two stage process. For
example, if your account name were "ruminant", you could find your VPS
host like so:

    $ host ruminant.console.bitfolk.com
    ruminant.console.bitfolk.com is an alias for console.president.bitfolk.com.
    console.president.bitfolk.com is an alias for president.bitfolk.com.
    president.bitfolk.com has address 85.119.80.16
    president.bitfolk.com has IPv6 address 2001:ba8:0:1f1::6
You could then:

    $ ssh ruminant@president.bitfolk.com

which Monkeysphere should be able to verify, as the host key for
president.bitfolk.com is published. Once you've verified that you do end
up connected to the thing you expected to be connected to, you could
sign the host key yourself and re-publish it, as at the moment the
entire thing relies on my single PGP key.
Hopefully soon I will be able to add DNSSEC to the bitfolk.com zone and
along with it I will publish SSHFP¹ records for all the console host
mappings, so that will provide another (easier) way to verify, if you're
using a validating DNS resolver.
Cheers,
Andy

¹ Dry details:
http://tools.ietf.org/html/rfc4255

An example of use:
http://benctechnicalblog.blogspot.co.uk/2011/03/sshfp-dns.html

-- 
The optimum programming team size is 1. Has Jurassic Park taught us
nothing?
 -- pfilandr
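The two checks the message describes, as an added example that is not part of the original post or of BitFolk's tooling: following the `host` CNAME chain to the real VPS host, and testing a presented OpenSSH host key against an SSHFP record as RFC 4255 defines it (hash of the raw key blob). The key line and the SSHFP records are constructed test data, not real BitFolk keys.

```python
import base64
import hashlib
import re
import struct

# Output of `host ruminant.console.bitfolk.com` as quoted in the message.
HOST_OUTPUT = """\
ruminant.console.bitfolk.com is an alias for console.president.bitfolk.com.
console.president.bitfolk.com is an alias for president.bitfolk.com.
president.bitfolk.com has address 85.119.80.16
president.bitfolk.com has IPv6 address 2001:ba8:0:1f1::6
"""

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) and fingerprint types.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def final_host(host_output):
    """Follow 'X is an alias for Y.' lines to the canonical host name."""
    aliases = dict(re.findall(r"^(\S+) is an alias for (\S+)\.$",
                              host_output, re.M))
    name = next(iter(aliases))
    while name in aliases:
        name = aliases[name]
    return name


def sshfp_from_pubkey(pubkey_line, fptype=2):
    """(algorithm, fptype, hex fingerprint) for an OpenSSH public-key line;
    the fingerprint is the hash of the base64-decoded key blob."""
    keytype, b64 = pubkey_line.split()[:2]
    digest = SSHFP_HASH[fptype](base64.b64decode(b64)).hexdigest()
    return (SSHFP_ALGO[keytype], fptype, digest)


def key_matches_sshfp(pubkey_line, records):
    """True if any (algo, fptype, hexfp) record matches the presented key."""
    return any(sshfp_from_pubkey(pubkey_line, fp) == (algo, fp, hexfp.lower())
               for algo, fp, hexfp in records if fp in SSHFP_HASH)


def constructed_ed25519_line(seed):
    """Syntactically valid ssh-ed25519 key line from 32 arbitrary bytes.
    Constructed test data only; this is not a usable key."""
    blob = struct.pack(">I11sI", 11, b"ssh-ed25519", 32) + seed
    return "ssh-ed25519 " + base64.b64encode(blob).decode()
```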