At work I have, for one project, around 40 servers with different host keys. And there are more I have to consult regularly, but not that often.

At home I have around 15 servers and 5 laptops to administer…

So… I can’t remember all the random-art host-key pictures… 😄😄 So I use certificates. I sign each host key with a CA, which is a Nitrokey HSM. On my clients I have only the CA cert in /etc/ssh/ssh_known_hosts.

Every new host key is signed on deployment, and I never get asked about it. I only get warned if the certificate becomes invalid or is lost… This is also good for scripted logins (Ansible, cron jobs like etckeeper…).

But if I had only a small bunch of hosts to administer, host keys could be a very good thing.
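The setup the comment describes, as an added shell example (not the commenter's own scripts): a CA signs each server's host key, and every client trusts the CA through one `@cert-authority` line in `/etc/ssh/ssh_known_hosts`. The CA key here is a plain file so the example runs anywhere; with a Nitrokey HSM the private half stays on the token and `ssh-keygen -s` is pointed at it with `-D /path/to/pkcs11-provider.so` instead. Hostname, paths and the 52-week validity window are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: CA-signed SSH host keys with a file-backed CA (an HSM would use -D <pkcs11.so>).
set -eu

# Create the CA, a host key for <hostname>, sign it, and write the client trust line.
# Usage: setup_host_ca <workdir> <hostname>
setup_host_ca() {
    dir=$1
    host=$2
    mkdir -p "$dir"
    # Host CA key pair (constructed here; in production this lives on the HSM).
    ssh-keygen -q -t ed25519 -N '' -C 'host-ca' -f "$dir/host_ca"
    # The server's host key, as generated at deployment time.
    ssh-keygen -q -t ed25519 -N '' -C "$host" -f "$dir/ssh_host_ed25519_key"
    # Sign it: -h = host certificate, -n = principals (hostnames it is valid for),
    # -V = validity window, so clients warn by themselves once it expires.
    ssh-keygen -q -s "$dir/host_ca" -I "$host-host-key" -h -n "$host" \
        -V -5m:+52w "$dir/ssh_host_ed25519_key.pub"
    # Produces $dir/ssh_host_ed25519_key-cert.pub; sshd serves it via
    #   HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
    # One line every client puts in /etc/ssh/ssh_known_hosts: trust any host
    # whose certificate was signed by this CA (the '*' pattern can be narrowed).
    printf '@cert-authority * %s\n' "$(cut -d' ' -f1,2 "$dir/host_ca.pub")" \
        > "$dir/ssh_known_hosts"
}

# Print the principals a certificate is valid for (ssh compares these to the
# hostname you typed; a certificate for the wrong name is rejected).
# Usage: cert_principals <cert-file>
cert_principals() {
    ssh-keygen -L -f "$1" \
        | awk '/Principals:/{p=1; next} /Critical Options:/{p=0} p{print $1}'
}

# Print "host" or "user" for a certificate, to confirm -h was applied.
# Usage: cert_type <cert-file>
cert_type() {
    ssh-keygen -L -f "$1" | awk '/Type:/{print $(NF-1)}'
}

# Example run:
#   setup_host_ca /tmp/sshca web01.example
#   cert_type /tmp/sshca/ssh_host_ed25519_key-cert.pub        # host
#   cert_principals /tmp/sshca/ssh_host_ed25519_key-cert.pub  # web01.example
```

Once a client has the `@cert-authority` line, a first connection to a freshly deployed server produces no fingerprint prompt, which is what makes unattended Ansible or cron logins safe to automate; the check to keep in mind is that the certificate's principals must match the name the client connects with, so sign with every DNS name (and IP, if used) the host will be reached by.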
