-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2015-05-01 at 20:18 +0100, Nigel Metheringham wrote: > - Git access over ssh will have a different host key
This statement should be signed by a PGP key in the strong set, to let you verify the trust assertions herein. Of my own direct knowledge, I hereby affirm that these hostkeys are correct for `git.exim.org` (this format suitable for inclusion in known_hosts unless you prefer entries to be hashed): - ----------------------------8< cut here >8------------------------------ git.exim.org,131.111.8.88,2001:630:212:8::e:f0e ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB4UK+P4SAgUqS1A7IzpnfXvnCC4LAgJFCfqlF4tHiCIvrlXWbs82XShyiqTQKArSi8t/ekYpaZmOlaQW1KAki8= git.exim.org,131.111.8.88,2001:630:212:8::e:f0e ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC+mDJL1Uzv6SwERrxdyLig5ZRG6vzOYJYWDi3q7p3z2 git.exim.org,131.111.8.88,2001:630:212:8::e:f0e ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4ut9NVD1t1jt26fEoMQo8R0n0HbSr4L52WcdHP70W4kHQFXi2oyCaMjMNQdbAykIciIRBpky3zqW9leiDu6ACyWt9FKHhSKp90Mh0yB0Gnq0adWA0S4TQbb2qBjttp/d/+6CpjVYMFnLBJumA11cvWWR9p9rVZRYbdusCS1UKLogdg/SnVQ/EPg89MlXLr0Sn/ZwAx0ybc95RTeiOu/Wj1RMeObxSv9vrUCGcaH25eLxIaVaNp3GUu35INDVxeTg7nkMtG53FW++0nVOeJHlVucvGkPk3np2kxMHb/RJV2lPK9Dp/VI3FkB4ec/H+j79qC+Du8AEK/QK7ble7O943 - ----------------------------8< cut here >8------------------------------ These are the old-style digests; note that hummus is the name of the machine behind `git.exim.org`: 256 a5:0f:67:fa:91:79:7a:e9:b4:21:ab:dc:07:c3:65:62 root@hummus (ECDSA) 256 21:d2:70:9c:59:43:5d:c9:dd:1d:f7:a6:a9:9f:bc:c3 root@hummus (ED25519) 2048 51:71:e6:5f:6e:06:83:ed:cb:72:be:4f:3f:c7:11:fb root@hummus (RSA) As of OpenSSH 6.8 a newer format is used by default (not based on MD5!) and you should expect to see one of these: 256 SHA256:IPuTfrm4euxWbf8Kl7MZY6P13Xy7qeIFV068Z26ELf8 root@hummus (ECDSA) 256 SHA256:v0uTdvX//itZoJSGON87TXfQLaLLjETLyQ0L8XTyLl4 root@hummus (ED25519) 2048 SHA256:1exf8JxvQQ7Oaxyxdme6rsTfzfD3C9kELf3FvtGuAE8 root@hummus (RSA) Basis for direct knowledge assertion: I did the SSH setup on this box some time back; after the initial connection, I have never blindly accepted the hostkey, but have consistently connected to the same box (purportedly in Cambridge, UK). I generated some of the hostkeys. We use etckeeper to control these files and it has not seen any changes, while one of the backups of etckeeper is to a box under my personal administrative control. (Yes, that means that I could set up a box which fraudulently claims to be the new one). I pulled the fingerprints above from the files in `/etc/ssh` just now. On the old box, we had RSA and DSA keys, both 1024 bits. There is no DSA key on the new box. The IP addresses can be seen in <https://github.com/Exim/exim-dns/blob/master/exim.org.lua> and note that commit `67657780` by me (in 2013) set the IP addresses. - -Phil Pennock, [email protected] -----BEGIN PGP SIGNATURE----- iQIcBAEBAgAGBQJVR+/yAAoJEE0ekA4UwcwELJ4P/3lFHL1yH0e1nWphymQRAco7 SL18aV3afvKLaSpqixeENXEIWjb7iCiKWbdiKK5KI4pFpzo3ERcDy7+4xlBfxayf WINTbdzQR6JNzc4yKTv06EGdTmsvijOn0JGiKwwIHYb7C6Qb5I8KkGv7Mpq5W/6d +DX3kpkPbf2fE4QnisCtyl5BJLSN1Rp8xNJ02wE+azGDQRw+qXU9/3ObsEwldnUF cXJMTC6qFdygsV5ryhVb6ewM0B5pw5Aw/IsXO7NB/8sn1GLGm4S9UCtQqQttPr3V AtjAiq5RLYDxLyMV5jkZkQGdVQPraEQOTHmqTMwkHZfqZv/JHALp+y9i8RGty9oA AS9CJwQ4L8W2zRRTuSCKNKCSJpbB77pHaoRiyTIYkD2nEjCI0AeRolfY3F3dAkUJ /KkHU2os0y8SJQnRTSmnWn93PMT+1bkc2JVypcVJZ8EDKiqoJAKqHrcDD+z0VpND IXeG1TCagRKg0vanFrycvYLl6IGNYCMGyVMBFYkksXS0rrDmtOUneduwLw+m1T+P EiB+MoBjetSCpVT5y/qxkJhDMoMAufY1JNjoDP+Vd2D+dYXLPBd5nJVETvJCNRlI aFJwENN1zuaeysLR1rCc8pX4jh8TTRwZw9ObFchmzuMOEWOOymMUtbsPwawZ+q27 8YPZi7igtEi0S0WvJxKq =c40b -----END PGP SIGNATURE----- -- ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
