prompt to update a host key

Rory Campbell-Lange rory at
Sun Mar 17 05:34:00 AEDT 2019

On 15/03/19, Nico Kadel-Garcia (nkadel at wrote:

> On Fri, Mar 15, 2019 at 6:40 AM Stephen Harris <lists at> wrote:
> > On Fri, Mar 15, 2019 at 09:10:26AM +0000, Jochen Bern wrote:
> > And that's when you look at using certificate based host keys.
> And it fails miserably as soon as any of the intervening firewalls
> block ICMP, such as, say, the security group settings for an AWS
> deployed virtual host. You need to check with port 22 on TCP, not ICMP
> packets. This sort of thing is also why a casually assembled "doodz,
> just do this thing!!!" breaks down in the larger world.

Hi Nico

Referencing back to the OP's question:

> > On 14/03/19, Jeremy Lin (jeremy.lin at wrote:
> > > As far as I can tell, there currently isn't a straightforward way to
> > > use password authentication for connecting to hosts where the host key
> > > changes frequently.

Is there an issue with using certificate based host keys, as Jochen
suggests, that means they can't easily be used for auto-generated

According to the RedHat docs: "To authenticate a host to a user, a
public key must be generated on the host, passed to the CA server,
signed by the CA, and then passed back to be stored on the host to
present to a user attempting to log into the host."

The process of picking up the auto-generated host file to the CA machine, signing the host file, copying
the resulting certificate back to the host, adding the line
"HostCertificate /etc/ssh/" or alternative in
the host /etc/ssh/sshd_config file and restarting sshd can all be

If all users have received the CA public host key and have added it with
the requisite @cert-authority preamble to their ~/.ssh/known_hosts file,
the host warning Jeremy was complaining about would not occur.

Or am I missing something obvious?


More information about the openssh-unix-dev mailing list