ssh host keys on cloned virtual machines

Demi Marie Obenour demiobenour at gmail.com
Thu Mar 2 03:58:48 AEDT 2023


On 2/28/23 06:30, Nico Kadel-Garcia wrote:
> On Tue, Feb 28, 2023 at 1:57 AM Darren Tucker <dtucker at dtucker.net> wrote:
>>
>> Hi.
>>
>> I think this thread has veered far enough from the discussion of
>> OpenSSH development to be considered off-topic.
> 
> Fair enough, we got off into the weeds. The OpenSSH specific summary
> is, I think, that managing the host keys for image based OS deployment
> can be burdensome and confusing, and much, much easier by simply
> discarding the reliance on .ssh/known_hosts on clients.

And that is a problem.

OpenSSH should include documentation about how to manage known_hosts with
very large numbers of machines.  The obvious approach that comes to mind
is for whatever automation one is using to automatically issue an SSH
certificate to every new machine.  Every public cloud, and I suspect every
private cloud too, provides enough infrastructure to implement this securely.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
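The certificate-based workflow described above, as an added example that is not part of the original thread or of OpenSSH's own documentation: a provisioning step creates a fresh host key on the VM's first boot (never in the base image), signs it with a host CA, and clients trust the CA through a single `@cert-authority` line instead of one known_hosts entry per machine. The CA name `host-ca`, the hostname `vm-0042.example.internal` and the 90-day validity are made-up values; only `ssh-keygen` is required.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH. Issues a host
# certificate for a freshly provisioned VM and builds the client-side
# known_hosts that trusts the CA. Hostname, CA name and validity are assumed.
set -eu

# Runs the whole flow in a scratch directory and prints "ok" on success.
issue_and_trust_host_cert() {
    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "skipped: ssh-keygen not found"
        return 0
    fi
    work=$(mktemp -d)
    ca="$work/host_ca"                      # CA private key: keep it off the VMs (HSM/KMS)
    hostkey="$work/ssh_host_ed25519_key"    # would live in /etc/ssh on the VM
    host="vm-0042.example.internal"         # assumed FQDN of the new VM
    short=$(echo "$host" | cut -d. -f1)     # vm-0042, the short name clients may use

    # 1. One-time: create the host CA (in production this key never leaves the signer).
    ssh-keygen -q -t ed25519 -N '' -C host-ca -f "$ca"

    # 2. Per VM, at first boot: generate a brand-new host key. Cloned images
    #    must not carry one, or every clone shares the same identity.
    ssh-keygen -q -t ed25519 -N '' -f "$hostkey"

    # 3. Sign it as a HOST certificate (-h), bound to the names the VM answers to
    #    (-n), with a short lifetime (-V) so forgotten clones expire on their own.
    #    Writes "$hostkey-cert.pub"; sshd gets it via HostCertificate in sshd_config.
    ssh-keygen -q -s "$ca" -I "$host" -h -n "$host,$short" -V +90d "$hostkey.pub"

    # 4. Client side: one line trusting the CA for the whole domain replaces
    #    per-host entries. Only the key type and blob of the CA public key go in.
    printf '@cert-authority *.example.internal %s\n' \
        "$(cut -d' ' -f1,2 "$ca.pub")" > "$work/known_hosts"

    # 5. Checks a practitioner would run: right cert type, right principals,
    #    and really signed by OUR CA (compare the CA fingerprint ssh-keygen reports).
    info=$(ssh-keygen -L -f "$hostkey-cert.pub")
    echo "$info" | grep -q 'Type: ssh-ed25519-cert-v01@openssh.com host certificate' \
        || { echo "bad cert type"; return 1; }
    echo "$info" | grep -q "$host"  || { echo "missing principal $host";  return 1; }
    echo "$info" | grep -q "$short" || { echo "missing principal $short"; return 1; }
    ca_fp=$(ssh-keygen -l -f "$ca.pub" | awk '{print $2}')
    echo "$info" | grep -q "Signing CA: ED25519 $ca_fp" || { echo "signed by wrong CA"; return 1; }
    grep -q '^@cert-authority \*\.example\.internal ssh-ed25519 ' "$work/known_hosts" \
        || { echo "bad known_hosts line"; return 1; }

    rm -rf "$work"
    echo ok
}

issue_and_trust_host_cert
```

On the VM, step 3's output is referenced from sshd_config with `HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub` next to the matching `HostKey`; clients then accept any host in `*.example.internal` whose certificate is valid, unexpired and signed by the CA, and a VM whose certificate has lapsed fails cleanly instead of being silently trusted. The CA private key is the whole trust anchor, so the signing step belongs in the provisioning service, not on the machines being provisioned.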