ssh host keys on cloned virtual machines

Rory Campbell-Lange rory at
Sat Feb 25 00:05:05 AEDT 2023

On 24/02/23, Brian Candler (b.candler at wrote:
> Are you doing any other first-boot initialization on the cloned VMs? Are you
> (or could you) use cloud-init for this?
> If so, you can run:
>     cloud-init clean [--seed] [--logs] [--machine-id]
> before cloning - or inside the cloned image using guestfish etc. I'm not
> sure if this actually removes the existing host keys, but if it doesn't, you
> could manually rm them as well.

This situation is beyond my experience, but I guess another way around would be
to try and block the golden image host key for users and use a host certificate
on the golden image host.

The golden image host could have its host certificate rotated every month,
perhaps, although that might mean you'd have to rotate the certificates on all
your other hosts too, depending on the expiry parameters on your certificates.

This would require setting up an ssh certificate signing process which might not
be something you'd like to do. Also, all users would have to add a
"@cert-authority" line to their ~/.ssh/known_hosts.
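As an added example (not code from the thread), the scheme described above in shell: a CA signs each clone's fresh host key with a short validity so certificates must be rotated, the golden image's own host key is marked revoked so no clone can keep presenting it, and the "@cert-authority" line users need is generated. The CA file name, host pattern and key names (ssh_host_ca, *.example.internal, vm01) are constructed for the example.

```shell
#!/bin/sh
# Constructed example: host certificates for cloned VMs. Assumes ssh-keygen
# is installed; file names and host patterns are made up for the demo.
set -eu

# known_hosts line that trusts any host cert signed by the CA for hosts
# matching $1 (e.g. '*.example.internal'); $2 is the CA public key line.
ca_known_hosts_line() {
    printf '@cert-authority %s %s\n' "$1" "$2"
}

# known_hosts line that blocks a plain host key outright, e.g. the key baked
# into the golden image; $1 is a host pattern ('*' = everywhere), $2 the key.
revoked_known_hosts_line() {
    printf '@revoked %s %s\n' "$1" "$2"
}

# Sign a host public key as a host certificate (-h) with principals $3 and a
# validity window $4 (e.g. '+4w'); short windows force regular rotation.
sign_host_key() {
    ssh-keygen -s "$1" -h -I "host-$(date +%Y%m%d)" -n "$3" -V "$4" "$2"
}

if command -v ssh-keygen >/dev/null 2>&1; then
    work=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -C host-ca -f "$work/ssh_host_ca"
    ssh-keygen -q -t ed25519 -N '' -C golden  -f "$work/golden_key"   # golden image key
    ssh-keygen -q -t ed25519 -N '' -C vm01    -f "$work/vm01_key"     # fresh key on a clone
    sign_host_key "$work/ssh_host_ca" "$work/vm01_key.pub" vm01.example.internal +4w
    ssh-keygen -L -f "$work/vm01_key-cert.pub"   # inspect principals and validity
    # Users' known_hosts: revoke the golden key, trust the CA for the fleet.
    {
        revoked_known_hosts_line '*' "$(cat "$work/golden_key.pub")"
        ca_known_hosts_line '*.example.internal' "$(cat "$work/ssh_host_ca.pub")"
    } > "$work/known_hosts"
    cat "$work/known_hosts"
    # On the clone, sshd_config would then carry:
    #   HostKey /etc/ssh/vm01_key
    #   HostCertificate /etc/ssh/vm01_key-cert.pub
    rm -rf "$work"
fi
```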


More information about the openssh-unix-dev mailing list