On 2/28/23 06:30, Nico Kadel-Garcia wrote:
> On Tue, Feb 28, 2023 at 1:57 AM Darren Tucker <dtucker@xxxxxxxxxxx> wrote:
>>
>> Hi.
>>
>> I think this thread has veered far enough from the discussion of
>> OpenSSH development to be considered off-topic.
>
> Fair enough, we got off into the weeds. The OpenSSH specific summary
> is, I think, that managing the host keys for image based OS deployment
> can be burdensome and confusing, and much, much easier by simply
> discarding the reliance on .ssh/known_hosts on clients.

And that is a problem. OpenSSH should include documentation about
how to manage known_hosts with very large numbers of machines. The
obvious approach that comes to mind is for whatever automation one
is using to automatically issue an SSH certificate to every new
machine. Every public cloud, and I suspect every private cloud too,
provides enough infrastructure to implement this securely.

--
Sincerely,
Demi Marie Obenour (she/her/hers)
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
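
The approach suggested in the message above (automation issuing an SSH host certificate to every new machine) can be sketched with stock `ssh-keygen`. This is an added example, not part of the original post or of OpenSSH's documentation; the paths, hostnames, validity period and `host:` key-ID prefix are constructed assumptions.

```shell
#!/bin/sh
# Added example: host certificates instead of per-host known_hosts entries.
# All paths, hostnames and the "host:" key-ID prefix are constructed.

# Run once on the provisioning system: create the host CA key pair.
make_host_ca() {                # $1 = CA private key path
    ssh-keygen -q -t ed25519 -N '' -C 'example host CA' -f "$1"
}

# Run for each new machine: sign its host public key (-h = host certificate).
# Writes <key>-cert.pub next to the public key.
sign_host_key() {               # $1 = CA key  $2 = host .pub  $3 = principals  $4 = validity
    ssh-keygen -q -s "$1" -h -I "host:${3%%,*}" -n "$3" -V "$4" "$2"
}

# The one line every client needs, replacing per-host known_hosts entries.
known_hosts_ca_line() {         # $1 = CA .pub  $2 = host pattern
    printf '@cert-authority %s %s\n' "$2" "$(cut -d' ' -f1,2 "$1")"
}

# Check that a certificate is a host certificate listing the given name.
cert_covers_host() {            # $1 = certificate  $2 = hostname
    ssh-keygen -L -f "$1" | awk -v h="$2" '
        /Type: .* host certificate/ { host = 1 }
        /Principals:/               { p = 1; next }
        /Critical Options:/         { p = 0 }
        p && $1 == h                { found = 1 }
        END                         { exit !(host && found) }'
}

# Demo: sh thisfile demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_host_ca "$d/host_ca"
    ssh-keygen -q -t ed25519 -N '' -f "$d/ssh_host_ed25519_key"   # stands in for the new machine's key
    sign_host_key "$d/host_ca" "$d/ssh_host_ed25519_key.pub" web01.example.internal +52w
    cert_covers_host "$d/ssh_host_ed25519_key-cert.pub" web01.example.internal && echo "certificate OK"
    known_hosts_ca_line "$d/host_ca.pub" '*.example.internal'
    # On the server, sshd_config then needs:
    #   HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
    rm -rf "$d"
fi
```

The CA private key stays on the provisioning system only; clients carry just the `@cert-authority` line, so a freshly imaged machine is trusted as soon as its certificate is signed and no per-host `known_hosts` entry is needed.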