ssh host keys on cloned virtual machines

Jan Schermer jan at
Sat Feb 25 00:09:31 AEDT 2023

Host key certificates are great, but it’s an even trickier thing to do than simply deleting the host key by a script… :-)

> On 24. 2. 2023, at 14:05, Rory Campbell-Lange <rory at> wrote:
> On 24/02/23, Brian Candler (b.candler at wrote:
>> Are you doing any other first-boot initialization on the cloned VMs? Are you
>> (or could you) use cloud-init for this?
>> If so, you can run:
>>     cloud-init clean [--seed] [--logs] [--machine-id]
>> before cloning - or inside the cloned image using guestfish etc. I'm not
>> sure if this actually removes the existing host keys, but if it doesn't, you
>> could manually rm them as well.
> This situation is beyond my experience, but I guess another way around would be
> to try and block the golden image host key for users and use a host certificate
> on the golden image host.
> The golden image host could have its host certificate rotated every month,
> perhaps, although that might mean you'd have to rotate the certificates on all
> your other hosts too, depending on the expiry parameters on your certificates.
> This would require setting up a ssh certificate signing process which might not
> be something you'd like to do. Also, all users would have to add a
> "@cert-authority" line to their ~/.ssh/known_hosts.
> Rory
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at

More information about the openssh-unix-dev mailing list