Include accountname in totp url

[mirror/userdir-ldap-cgi.git] / html / doc-hosts.wml

diff --git a/html/doc-hosts.wml b/html/doc-hosts.wml
index 39c59d1..ead0b88 100644 (file)
--- a/html/doc-hosts.wml
+++ b/html/doc-hosts.wml
@@ -1,4 +1,7 @@
 #use wml::db.d.o title="debian.org Developer Machines"
+#use wml::vbar
+
+<dsatoc/>
 
 <h3>SSH Host Keys</h3>
 
@@ -7,6 +10,11 @@ stored in the Debian LDAP database.  The key and its fingerprint will
 be displayed when <a href="machines.cgi">details</a> for a machine are
 displayed.</p>
 
+<p>Developers that have a secure path to a DNSSEC enabled resolver can
+verify the existing SSHFP records for the debian.org servers by adding
+<code>VerifyHostKeyDNS yes</code> to their <code>~/.ssh/config</code>
+file.</p>
+
 <p>On machines in the debian.org which are updated from the LDAP
 database <code>/etc/ssh/ssh_known_hosts</code> contains the keys for
 all hosts in this domain.  This helps for easier log in into such a
@@ -14,8 +22,9 @@ machine.  This is also be available in the chroot environments.</p>
 
 <p>Developers should add <code>StrictHostKeyChecking yes</code> to
 their <code>~/.ssh/config</code> file so that they only connect to
-trusted hosts.  With the file mentioned above, nearly all hosts in the
-debian.org domain will be trusted automatically.</p>
+trusted hosts.  Either with the DNSSEC records or the file mentioned
+above, nearly all hosts in the debian.org domain will be trusted
+automatically.</p>
 
 <p>Developers can also execute <code>ud-host -f</code> or
 <code>ud-host -f -h host</code> on a machine in the debian.org domain
@@ -33,4 +42,5 @@ file(s)) will be exported to it and their SSH keys are not added to
 the LDAP system.</p>
 
 
-<p><a href="http://people.debian.org/~joey/misc/naming.html">Debian Host Naming Scheme</a></p>
+<p><a href="https://people.debian.org/~joey/misc/naming.html">Debian Host Naming Scheme</a></p>
+<p><a href="https://wiki.debian.org/DNSSEC">DNSSEC in Debian</a></p>