Re: ssh host keys on cloned virtual machines



On 2/28/23 06:30, Nico Kadel-Garcia wrote:
> On Tue, Feb 28, 2023 at 1:57 AM Darren Tucker <dtucker@xxxxxxxxxxx> wrote:
>> Hi.
>> I think this thread has veered far enough from the discussion of
>> OpenSSH development to be considered off-topic.
> Fair enough, we got off into the weeds. The OpenSSH specific summary
> is, I think, that managing the host keys for image based OS deployment
> can be burdensome and confusing, and much, much easier by simply
> discarding the reliance on .ssh/known_hosts on clients.

And that is a problem.

OpenSSH should include documentation about how to manage known_hosts with
very large numbers of machines.  The obvious approach that comes to mind
is for whatever automation one is using to automatically issue an SSH
certificate to every new machine.  Every public cloud, and I suspect every
private cloud too, provides enough infrastructure to implement this securely.

Demi Marie Obenour (she/her/hers)

Attachment: OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

openssh-unix-dev mailing list
