On 2015-03-28, Bernd Schoeller <[email protected]> wrote:
> On 28/03/15 16:22, Christian Weisgerber wrote:
>>> Should they be added?
>>
>> Yes, they should, but we may have to wait until 5.7 is released for the
>> mirror maintainers to update their machines.
>
> Ah, thanks for the clarification. Was not aware that they were that new.

If any mirror maintainers want SHA256 signatures added, send me a mail
with output from the shell commands below, plus the mirror name.

cd /etc/ssh
for i in SHA256 MD5; do
    ssh-keygen -l -E $i -f ssh_host_rsa_key.pub | awk '{print "SR\t"$2}'
    ssh-keygen -l -E $i -f ssh_host_dsa_key.pub | awk '{print "SD\t"$2}'
    ssh-keygen -l -E $i -f ssh_host_ecdsa_key.pub | awk '{print "SE\t"$2}'
    ssh-keygen -l -E $i -f ssh_host_ed25519_key.pub | awk '{print "S2\t"$2}'
done

The server doesn't need to run new ssh, you can copy the public keys
to another machine and run it there instead if you prefer.

(Yes I know this can be done remotely in bulk by somebody else
connecting to the mirrors, I am not going to add those though, I would
like them from the original pubkeys).

I wonder if it might make sense to include a known_hosts fragment for
the anoncvs mirrors somewhere (a list in /usr/share/misc perhaps?).
But then some people might take that as something of a guarantee,
which it isn't possible to make.
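
An added example, not part of the original message: how the two fingerprint formats requested above are derived from a line of an ssh_host_*_key.pub file, so the values can be cross-checked on a machine without a new ssh-keygen. The function names and the sample key are constructed for illustration; the SR/SD/SE/S2 tags are the ones from the awk commands in the message.

```python
import base64
import hashlib
import struct


def tag_for(key_type):
    """Map an SSH key type to the tag printed by the awk commands in the message."""
    if key_type.startswith("ecdsa-sha2-"):
        return "SE"
    tags = {"ssh-rsa": "SR", "ssh-dss": "SD", "ssh-ed25519": "S2"}
    if key_type not in tags:
        raise ValueError("unsupported key type: " + key_type)
    return tags[key_type]


def fingerprints(pub_line):
    """Return (tag, sha256_fp, md5_fp) for one '<type> <base64> [comment]' line."""
    fields = pub_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line was truncated or altered somewhere along the way.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    # SHA256 form: base64 of the digest with the '=' padding removed.
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    # MD5 form: colon-separated lowercase hex pairs.
    md5 = ":".join("%02x" % b for b in hashlib.md5(blob).digest())
    return tag_for(key_type), "SHA256:" + sha, "MD5:" + md5


def sample_pub_line():
    """Constructed sample only: an ed25519-shaped blob whose key bytes are 0..31."""
    parts = (b"ssh-ed25519", bytes(range(32)))
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-sample"


if __name__ == "__main__":
    tag, sha, md5 = fingerprints(sample_pub_line())
    print(tag + "\t" + sha)
    print(tag + "\t" + md5)
```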