ssh fingerprints
It would be great to have server fingerprints documented somewhere, so newcomers like me don't blindly ssh to a machine over an untrusted network. If it's already done, I missed it and it should probably be documented in the server list page.
Adding fingerprint columns to the server list looks cumbersome; maybe distributing an ssh_known_hosts file would be easier if we're not going full DNSSEC plus SSHFP RR?
The ssh_known_hosts file can be easily generated via curl -s https://raw.githubusercontent.com/python/psf-salt/master/docs/list.rst | grep '|' | cut -d'|' -f2 | sed 1d | ssh-keyscan -f -.
We spoke about it with ewdurbin on python-infra; the idea came up of using salt to gather the keys.
This one:
curl -s https://raw.githubusercontent.com/python/psf-salt/master/docs/list.rst | grep '|' | cut -d'|' -f2 | sed 1d | xargs -n 1 sh -c 'echo $0,$(dig +short $0)' | ssh-keyscan -f - | sort -u -
yields a sorted list of usable host fingerprints (hostname + IP, both are tested by SSH). I don't know if there's a prettier way to get this (sad that ssh-keyscan has no "--resolve-hostnames" flag).
We should start by versioning this; at least everyone would be able to verify it from their own network (execute it, then diff), and we'll see that it won't change over time.
On one hand it's not hard to set up, on the other hand it's not a proof the fingerprints are right. But if the fingerprints are used by people from different networks (can't easily run the same man in the middle in all networks), and don't change over time, it's a better proof than not caring about the fingerprint and just shooting "yes" on a fingerprint prompt.
This issue seems important to me for security reasons.
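The "execute it, then diff" check above is easier to trust when the comparison is done on fingerprints rather than on raw key blobs, and when a changed key is reported separately from a host that is merely missing or newly added. The script below is an added example, not part of the original issue or of psf-salt: it parses two OpenSSH known_hosts texts (ssh-keyscan output, including the "host,ip" form the one-liner produces), computes OpenSSH-style SHA256 fingerprints, and reports drift between a published file and a local scan. The hostnames, addresses and key blobs are constructed for the example; the blobs are syntactically valid ssh-ed25519 keys but not real host keys.

```python
"""Compare a published ssh_known_hosts file with a local ssh-keyscan run (added example)."""
import base64
import hashlib
import struct


def _ed25519_blob(seed: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 public key blob (constructed, not a real key)."""
    key = hashlib.sha256(seed).digest()  # 32 deterministic bytes standing in for the public key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key
    return base64.b64encode(blob).decode()


# Constructed sample of a distributed ssh_known_hosts (hostnames and IPs are placeholders).
PUBLISHED = "\n".join([
    "# published file, as generated by ssh-keyscan on the infra side",
    f"alpha.example.org,192.0.2.10 ssh-ed25519 {_ed25519_blob(b'alpha')}",
    f"beta.example.org,192.0.2.11 ssh-ed25519 {_ed25519_blob(b'beta')}",
])

# Constructed sample of what a scan from another network might return:
# alpha unchanged, beta presenting a different key, gamma not in the published file.
LOCAL_SCAN = "\n".join([
    f"alpha.example.org,192.0.2.10 ssh-ed25519 {_ed25519_blob(b'alpha')}",
    f"beta.example.org,192.0.2.11 ssh-ed25519 {_ed25519_blob(b'beta-other-key')}",
    f"gamma.example.org ssh-ed25519 {_ed25519_blob(b'gamma')}",
])


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(key blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map (hostname, key type) -> fingerprint.

    A 'host,ip' first field yields one entry per name, so a key that differs
    only for the IP (or only for the name) is still caught.  Comment and
    malformed lines are skipped.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        names, keytype, key_b64 = parts[0], parts[1], parts[2]
        for name in names.split(","):
            entries[(name, keytype)] = fingerprint(key_b64)
    return entries


def compare(published: str, local: str) -> dict:
    """Report keys that differ, entries missing from the local scan, and entries new to it."""
    pub = parse_known_hosts(published)
    loc = parse_known_hosts(local)
    common = pub.keys() & loc.keys()
    # A changed fingerprint is the case that matters: either a rotated key or an interposed host.
    changed = sorted((host, kt, pub[(host, kt)], loc[(host, kt)])
                     for (host, kt) in common if pub[(host, kt)] != loc[(host, kt)])
    missing = sorted(pub.keys() - loc.keys())
    new = sorted(loc.keys() - pub.keys())
    return {"changed": changed, "missing": missing, "new": new}


if __name__ == "__main__":
    report = compare(PUBLISHED, LOCAL_SCAN)
    for host, kt, old, now in report["changed"]:
        print(f"CHANGED  {host} ({kt}): published {old}, seen {now}")
    for host, kt in report["missing"]:
        print(f"MISSING  {host} ({kt}) not reachable from this network")
    for host, kt in report["new"]:
        print(f"NEW      {host} ({kt}) not in the published file")
```

To run it against real files, read the published ssh_known_hosts and the local `ssh-keyscan` output into the two strings instead of the constructed samples; anything in the "changed" list deserves a look before the published file is trusted from that network, while "new" entries are usually just hosts the published list has not caught up with.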
https://salt-public.psf.io/psf_known_hosts exists for this purpose now, linked from the bottom of https://infra.psf.io/list.html