On 9/28/12, Matthew Seaman <matt...@freebsd.org> wrote:
> On 28/09/2012 20:41, Ed Flecko wrote:
>> David - I'd like to, but every time I try that it prompts me for a
>> password...and I don't know what password it wants???
>
> That would be the password to a freebsd.org account, which isn't going
> to work for most people on two counts:
>
> * freebsd.org uses SSH keys for authentication, not passwords.
>
> * even if you've got an SSH key, not being a FreeBSD committer you
> probably don't have a freebsd.org account.
>
> For anonymous access, you can use http or svn. Given that anonymous
> access is read-only, there's really not much to be gained from SSH or
> other means of encrypting the connection, either for you, or for the
> FreeBSD servers. It's anonymous, so you don't care about
> authentication. FreeBSD sources are publicly available, so you don't
> care about anyone eavesdropping on the traffic. About the only thing
> you're still exposed to is a man-in-the-middle attack, where someone
> could pose as a FreeBSD server and feed you a trojanned set of sources
> -- but then, you'd still be exposed in exactly the same way even using
> svn+ssh. In practice, attacks of this type are very (pretty much
> vanishingly) rare. If they do concern you, then use portsnap(8) /
> freebsd-update(8) which has specific cryptographic protection against
> such things. The portsnap and freebsd-update build systems also have
> special access to the master FreeBSD repositories to minimize the
> chances that they themselves could be fed trojanned sources.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.
> PGP: http://www.infracaninophile.co.uk/pgpkey

MITM-based attacks--and subsequent corrupted sources--are my concern.
It was my understanding that anonymous svn+ssh would prevent this
assuming the host key was properly verified against
http://www.freebsd.org/internal/ssh-keys.asc.

Recently I've installed from an iso and then manually updated with
pgp-signed security patches. It would certainly be nice to have some
secure source update mechanism though.
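
The host-key check mentioned in the reply above, as an added example that is not part of the original messages: it compares the key a server offers with a fingerprint obtained out of band, in either format OpenSSH prints (MD5 hex or SHA256 base64). The host name, keys and function names are constructed for illustration, and the published fingerprint is assumed to have been read from a fingerprint file whose PGP signature was already verified.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_host_key(line):
    """Return the raw key blob from a 'host keytype base64' line (ssh-keyscan format)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: host keytype base64-blob")
    keytype = fields[1].encode()
    blob = base64.b64decode(fields[2], validate=True)
    # The blob carries its own copy of the key type; a mismatch means a mangled line.
    if blob[:4 + len(keytype)] != ssh_string(keytype):
        raise ValueError("declared key type does not match key blob")
    return blob


def fingerprints(blob):
    """Both fingerprint formats OpenSSH prints for a public key blob."""
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha,
    }


def host_key_matches(line, published):
    """True only if the offered key hashes to the fingerprint obtained out of band."""
    offered = fingerprints(parse_host_key(line))
    return any(hmac.compare_digest(fp.encode(), published.encode())
               for fp in offered.values())


# Constructed sample data: made-up host name and Ed25519 keys, not FreeBSD's.
def scan_line(blob, keytype="ssh-ed25519"):
    return "svn.example.org %s %s" % (keytype, base64.b64encode(blob).decode())

GOOD_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
MITM_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
PUBLISHED = fingerprints(GOOD_BLOB)["sha256"]  # stands in for the signed file's value

if __name__ == "__main__":
    print(host_key_matches(scan_line(GOOD_BLOB), PUBLISHED))
    print(host_key_matches(scan_line(MITM_BLOB), PUBLISHED))
```

The comparison is only as trustworthy as the channel the published fingerprint arrived over, which is why the signature on the fingerprint file has to be checked first.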