At Work i have for one Project around 40 servers with different hostkeys. And there are more i have to consult regulary but not that often.

At home i have around 15 servers an 5 Laptops to administer…

So… i can’t remember all the random art hostkey-pictures… 😄😄 So i use certificates. I sign each hostkey with a CA, which is a Nitrokey HSM. On my clients i have only the CA-Cert in /etc/ssh/ssh_known_hosts

Every new hostkey is signed on deployment, and i never get asked on that. Only get warned, if the certificate becomes invalid or lost… This is also good on scripted logins (ansible, cronjobs like etckeeper…)

But if i had only a small bunch of hosts to administer, hostkeys could be a very good thing.

Create a post

Confidentiality Integrity Availability

  • 0 users online
  • 1 user / day
  • 1 user / week
  • 5 users / month
  • 30 users / 6 months
  • 1 subscriber
  • 413 Posts
  • Modlog