4

If you have too many machines and you are nearly always asked about a host key when you connect, it leaves an opening that the first time you connect to a machine it's a security threat, but anytime after that it is not and you need to pay attention if the key isn't the same as it may be a man-in-the-middle attack.

So if you've never connected to these machines before and you have in excess of 1000 machines, the probability is high that it will take a really long time to connect to them all, so how does one ensure that the correct keys are already in place so that the keys which do not match are not ignored?

Note: this question was prompted by my asking this question.

leeand00
  • 1,357
  • 1
  • 13
  • 21
  • Fantastic question. Could the question be summarized as "Looking for SSH key management tricks that apply to a large fleet of machines to reduce the 'trust of first use' attack surface." ? I'm picturing a framework whereby part of the first-time boot process for these machines is to add its key to a centralized `known_hosts` file. No idea if that exists, or if it can be done securely. – Mike Ounsworth Dec 10 '18 at 01:00
  • 2
    Have you looked into `OpenSSH Certificate Authentication`? It should allow signing host keys with a CA key, which you then distribute. – Daniel Dec 10 '18 at 06:25

1 Answers1

3

There is no need for tricks, SSH Certificate Authority is designed for exactly this kind of situation.

You install host certificates signed by the Certificate Authority, distribute the Root Certificate to your users, and your users are connecting securely from the first connection.

Lie Ryan
  • 31,279
  • 6
  • 69
  • 93