On 24/02/23, Brian Candler (b.candler@xxxxxxxxx) wrote:

> Are you doing any other first-boot initialization on the cloned VMs? Are you
> (or could you) use cloud-init for this?
>
> If so, you can run:
>
>     cloud-init clean [--seed] [--logs] [--machine-id]
>
> before cloning - or inside the cloned image using guestfish etc. I'm not
> sure if this actually removes the existing host keys, but if it doesn't, you
> could manually rm them as well.

This situation is beyond my experience, but I guess another way around would be to try and block the golden image host key for users and use a host certificate on the golden image host.

The golden image host could have its host certificate rotated every month, perhaps, although that might mean you'd have to rotate the certificates on all your other hosts too, depending on the expiry parameters on your certificates.

This would require setting up an ssh certificate signing process, which might not be something you'd like to do. Also, all users would have to add a "@cert-authority" line to their ~/.ssh/known_hosts.

Rory

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
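The thread's underlying problem is clones that keep the golden image's host keys, so every clone presents the same fingerprint. The following is an added example, not code from the list or from the OpenSSH project: it parses known_hosts lines (including the `@cert-authority` marker lines Rory mentions, which are CA keys rather than host keys and are skipped), computes OpenSSH-style SHA256 fingerprints, and reports any key shared by more than one host. The key blobs and the known_hosts content are constructed in the script; the `ed25519_blob` helper and all hostnames are assumptions made for the example.

```python
"""Detect SSH host keys shared by several hosts in a known_hosts file.

Added example for the discussion above; not code from the openssh-unix-dev
list or the OpenSSH project. Cloned VMs that keep the golden image's
/etc/ssh/ssh_host_* files all present the same host key, so the first
visible symptom is several distinct hostnames mapping to one fingerprint.
All key material and hostnames below are constructed for the example.
"""
import base64
import hashlib
from collections import defaultdict


def ed25519_blob(seed: int) -> str:
    """Build a syntactically valid but constructed ssh-ed25519 public key
    blob: SSH string "ssh-ed25519" followed by an SSH string of 32 key bytes.
    (Hypothetical helper; it is not a real key generator.)"""
    key = hashlib.sha256(seed.to_bytes(4, "big")).digest()  # 32 bytes
    raw = (len(b"ssh-ed25519").to_bytes(4, "big") + b"ssh-ed25519"
           + len(key).to_bytes(4, "big") + key)
    return base64.b64encode(raw).decode("ascii")


# Constructed known_hosts content: two clones still carry the golden key.
GOLDEN = ed25519_blob(1)
UNIQUE = ed25519_blob(2)
CA = ed25519_blob(3)
KNOWN_HOSTS = f"""# constructed sample known_hosts
@cert-authority *.example.com ssh-ed25519 {CA}
golden.example.com ssh-ed25519 {GOLDEN}
clone-a.example.com,10.0.0.11 ssh-ed25519 {GOLDEN}
clone-b.example.com ssh-ed25519 {GOLDEN}
db.example.com ssh-ed25519 {UNIQUE}
"""


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) without
    the trailing '=' padding, as printed by ssh-keygen -l."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts(text: str):
    """Yield (marker, hosts, keytype, blob) for each key line.

    marker is None for a plain host line, or the leading '@cert-authority' /
    '@revoked' marker; hosts is the comma-separated host list split up.
    Blank lines, comments and malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue  # malformed line: no key type and blob
        yield marker, fields[0].split(","), fields[1], fields[2]


def shared_host_keys(text: str) -> dict:
    """Map fingerprint -> sorted host names for every key that appears on
    more than one host line. @cert-authority and @revoked lines are not
    host keys and are ignored; only the first name of each host list is
    kept, so 'host,ip' entries count once."""
    by_fp = defaultdict(set)
    for marker, hosts, _keytype, blob in parse_known_hosts(text):
        if marker is not None:
            continue
        by_fp[fingerprint(blob)].add(hosts[0])
    return {fp: sorted(h) for fp, h in by_fp.items() if len(h) > 1}


if __name__ == "__main__":
    for fp, hosts in shared_host_keys(KNOWN_HOSTS).items():
        print(f"{fp} is shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Run against a real `~/.ssh/known_hosts` (unhashed entries) or the output of `ssh-keyscan` over a host list, the same function flags clones that were never re-keyed after cloning; an empty result is the expected state once host keys are removed before cloning or regenerated on first boot.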