Host key certificates are great, but it's an even trickier thing to do than simply deleting the host key by a script… :-)

> On 24. 2. 2023, at 14:05, Rory Campbell-Lange <rory@xxxxxxxxxxxxxxxxxx> wrote:
>
> On 24/02/23, Brian Candler (b.candler@xxxxxxxxx) wrote:
>> Are you doing any other first-boot initialization on the cloned VMs? Are you
>> (or could you) use cloud-init for this?
>>
>> If so, you can run:
>>
>> cloud-init clean [--seed] [--logs] [--machine-id]
>>
>> before cloning - or inside the cloned image using guestfish etc. I'm not
>> sure if this actually removes the existing host keys, but if it doesn't, you
>> could manually rm them as well.
>
> This situation is beyond my experience, but I guess another way around would be
> to try and block the golden image host key for users and use a host certificate
> on the golden image host.
>
> The golden image host could have its host certificate rotated every month,
> perhaps, although that might mean you'd have to rotate the certificates on all
> your other hosts too, depending on the expiry parameters on your certificates.
>
> This would require setting up an ssh certificate signing process which might not
> be something you'd like to do. Also, all users would have to add a
> "@cert-authority" line to their ~/.ssh/known_hosts.
>
> Rory
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
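The thread's underlying problem is clones that still present the golden image's host key, and the proposed alternative is trusting a CA via a "@cert-authority" known_hosts line. The following is an added example, not code from the thread or from OpenSSH: it parses known_hosts-style lines, computes the SHA256 fingerprint in the form `ssh-keygen -l` prints, and reports every host key shared by more than one host (the clone signature), while listing which host patterns the @cert-authority lines cover. The host names, key bytes and the `make_ed25519_blob` helper are constructed sample data, not real keys.

```python
"""Added example (not from the thread): detect cloned SSH host keys across a
fleet from known_hosts-style lines, and list the @cert-authority entries that
would let clients trust host certificates instead of individual host keys."""
import base64
import hashlib
import struct
from collections import defaultdict


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_key: bytes) -> str:
    """Build a base64 ssh-ed25519 public key blob from 32 raw key bytes.
    Used here only to construct sample data; real blobs come from sshd."""
    assert len(raw_key) == 32
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)).decode()


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the same form ssh-keygen -l prints it
    (base64 of the digest with '=' padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str):
    """Yield (marker, [host patterns], keytype, blob) per non-comment line.
    marker is '@cert-authority', '@revoked' or None for a plain host key."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):
            marker, line = line.split(None, 1)
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line; skip rather than guess
        hosts, keytype, blob = fields[0], fields[1], fields[2]
        yield marker, hosts.split(","), keytype, blob


def find_shared_host_keys(text: str) -> dict:
    """Map fingerprint -> sorted host list for every key presented by more
    than one host. Hosts sharing a host key are clones that still carry the
    golden image's key. CA lines are excluded: sharing a CA is the intent."""
    by_fp = defaultdict(set)
    for marker, hosts, _keytype, blob in parse_known_hosts(text):
        if marker is not None:
            continue
        by_fp[fingerprint(blob)].update(hosts)
    return {fp: sorted(h) for fp, h in by_fp.items() if len(h) > 1}


def cert_authorities(text: str) -> list:
    """Return (host_pattern_list, CA fingerprint) for each @cert-authority line."""
    return [(hosts, fingerprint(blob))
            for marker, hosts, _kt, blob in parse_known_hosts(text)
            if marker == "@cert-authority"]


# Constructed sample: two clones sharing the golden image key, one host with a
# fresh key, and a CA line of the kind Rory describes. Not real keys.
GOLDEN_BLOB = make_ed25519_blob(bytes(range(32)))
FRESH_BLOB = make_ed25519_blob(bytes(range(1, 33)))
CA_BLOB = make_ed25519_blob(bytes(range(2, 34)))
SAMPLE_KNOWN_HOSTS = f"""
# constructed sample, not real keys
vm-a.example.test,10.0.0.11 ssh-ed25519 {GOLDEN_BLOB}
vm-b.example.test ssh-ed25519 {GOLDEN_BLOB}
vm-c.example.test ssh-ed25519 {FRESH_BLOB}
@cert-authority *.example.test ssh-ed25519 {CA_BLOB}
"""

if __name__ == "__main__":
    for fp, hosts in find_shared_host_keys(SAMPLE_KNOWN_HOSTS).items():
        print(f"shared host key {fp}: {', '.join(hosts)}")
    for patterns, fp in cert_authorities(SAMPLE_KNOWN_HOSTS):
        print(f"CA {fp} trusted for {','.join(patterns)}")
```

Run against a real `~/.ssh/known_hosts` (or a fleet-wide collection of `ssh-keyscan` output) the shared-key report is the quickest way to see which clones never regenerated their keys after `cloud-init clean` or a manual `rm`; hashed known_hosts entries (`|1|...`) will show up with the hash as the "host", which still reveals sharing even though the name is hidden.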