From: Matthew Seaman
Date: Wed, 18 Dec 2013 17:10:52 +0000
To: freebsd-questions@freebsd.org
Subject: Re: FreeBSD server pubic keys
Message-ID: <52B1D71C.3060202@freebsd.org>

On 12/18/13 12:39, David Noel wrote:
> There was a file somewhere that I no longer seem able to locate that
> contained the public keys of all public-facing FreeBSD.org servers.
> Does anyone know where to locate this?

From the DNS. E.g.

:% dig +short IN SSHFP freefall.freebsd.org
1 2 4B493272CCCDD234C02ADE8FAFD4E772E5A3C775364B6BCAEEE7A98B 16E4AB04
2 2 7F76BEFD3EAB7FB3C38AC650DC1EC74426523CEE208399A86E896BCB 82E49582
3 1 E37999A583E73F49B22D19C306FB69D161D15988
1 1 B35C16D3DA4B7FE15C15A55E7B6465231F9EDE84
2 1 901699919C153B6040062BFAD12FC328DB9D4FA7
3 2 A9B851FE028353393112F74DB6C4E547BB8CEA66E3F1443680C421A1 B5EB420F

Those are the SSH public keys for that server, albeit encoded in an
unusual way.

Setting up your local ssh config so that it looks up host keys as a
verification step is as simple as putting this:

    Host *
        VerifyHostKeyDNS yes

into /etc/ssh/ssh_config

	Cheers,

	Matthew
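
Added example, not part of the message above and not FreeBSD or OpenSSH code: a Python sketch of the comparison that an SSHFP lookup enables. It parses the quoted `dig +short` answer (fields are key algorithm, fingerprint type, hex digest, per RFC 4255/6594/7479) and checks an OpenSSH public key line against it; the function names and the sample key blob are constructed for illustration.

```python
import base64
import hashlib

# SSHFP RDATA: <key algorithm> <fingerprint type> <hex digest>
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}  # ecdsa-sha2-* is 3
FP_TYPES = {1: ("sha1", 40), 2: ("sha256", 64)}  # hashlib name, hex length

# The freefall.freebsd.org answer quoted in the message above.
FREEFALL = """\
1 2 4B493272CCCDD234C02ADE8FAFD4E772E5A3C775364B6BCAEEE7A98B 16E4AB04
2 2 7F76BEFD3EAB7FB3C38AC650DC1EC74426523CEE208399A86E896BCB 82E49582
3 1 E37999A583E73F49B22D19C306FB69D161D15988
1 1 B35C16D3DA4B7FE15C15A55E7B6465231F9EDE84
2 1 901699919C153B6040062BFAD12FC328DB9D4FA7
3 2 A9B851FE028353393112F74DB6C4E547BB8CEA66E3F1443680C421A1 B5EB420F
"""

def parse_sshfp(dig_output):
    """Parse `dig +short` SSHFP lines into a set of (alg, fptype, hexdigest)."""
    records = set()
    for line in dig_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or not (fields[0].isdigit() and fields[1].isdigit()):
            continue  # prompt, blank line or other non-record output
        alg, fptype = int(fields[0]), int(fields[1])
        digest = "".join(fields[2:]).lower()  # dig splits long digests with a space
        if fptype in FP_TYPES and len(digest) == FP_TYPES[fptype][1]:
            records.add((alg, fptype, digest))
    return records

def check_host_key(pubkey_line, records):
    """Return 'match', 'mismatch' or 'no-record' for one OpenSSH public key line."""
    key_type, b64_blob = pubkey_line.split()[:2]
    alg = 3 if key_type.startswith("ecdsa-sha2-") else KEY_ALGS.get(key_type)
    blob = base64.b64decode(b64_blob)  # the digest covers the raw key blob
    published = [r for r in records if r[0] == alg]
    if not published:
        return "no-record"  # DNS says nothing about this key type
    for _, fptype, digest in published:
        if hashlib.new(FP_TYPES[fptype][0], blob).hexdigest() == digest:
            return "match"
    return "mismatch"  # records exist for this key type, none agree

if __name__ == "__main__":
    # Constructed key blob, not a real host key.
    sample = "ssh-ed25519 " + base64.b64encode(b"constructed key blob").decode()
    print(check_host_key(sample, parse_sshfp(FREEFALL)))
```

A match is only as trustworthy as the DNS answer: per ssh_config(5), `VerifyHostKeyDNS yes` implicitly trusts only fingerprints obtained securely (DNSSEC-validated) and handles insecure ones as if the option were set to `ask`.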