At work I have, for one project, around 40 servers with different host keys. And there are more I have to consult regularly, but not that often.
At home I have around 15 servers and 5 laptops to administer…
So… I can't remember all the random-art host-key pictures… 😄😄 So I use certificates. I sign each host key with a CA, which is a Nitrokey HSM. On my clients I have only the CA cert in /etc/ssh/ssh_known_hosts.
Every new host key is signed on deployment, and I never get asked about it. I only get warned if the certificate becomes invalid or lost… This is also good for scripted logins (Ansible, cron jobs like etckeeper…).
But if I had only a small bunch of hosts to administer, host keys could be a very good thing.
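The host-certificate workflow the comment describes, as an added example that is not part of the original post: a file-based CA key stands in for the poster's Nitrokey HSM, and the hostnames, paths and key IDs are constructed. It signs two host keys, one with the trusted CA and one with a CA the client does not know, writes the single `@cert-authority` line for `ssh_known_hosts`, and checks which certificate the client would actually accept.

```sh
#!/bin/sh
# Added example, not the poster's own setup: the host-certificate workflow the
# comment describes, with a file-based CA key standing in for the Nitrokey HSM.
# Requires OpenSSH's ssh-keygen; hostnames, paths and key IDs are constructed.
set -eu
command -v ssh-keygen >/dev/null 2>&1 || { echo 'ssh-keygen not found' >&2; exit 0; }
WORK="${TMPDIR:-/tmp}/ssh-ca-demo.$$"   # scratch dir, left in place for inspection
mkdir -p "$WORK"

# Create a CA key pair named $1. In the real setup the private half never
# leaves the HSM; only the .pub half is distributed to clients.
make_ca() { ssh-keygen -q -t ed25519 -N '' -C "$1" -f "$WORK/$1"; }

# Generate a key for host $1 and sign it with CA $2 as a *host* certificate (-h),
# valid for 52 weeks for the listed principals. Writes ${1}_key-cert.pub.
sign_host() {
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/${1}_key"
    ssh-keygen -q -s "$WORK/$2" -I "$1" -h \
        -n "$1,$1.example.internal" -V '+52w' "$WORK/${1}_key.pub"
}

# Client side: one @cert-authority line replaces every per-host known_hosts entry.
write_known_hosts() {
    printf '@cert-authority * %s\n' "$(cut -d' ' -f1,2 "$WORK/host_ca.pub")" \
        > "$WORK/ssh_known_hosts"
}

# What the client effectively checks: the certificate's "Signing CA" fingerprint
# must equal the fingerprint of the CA key trusted in ssh_known_hosts.
cert_is_signed_by_ca() {
    ca_fp=$(ssh-keygen -l -f "$WORK/host_ca.pub" | awk '{print $2}')
    ssh-keygen -L -f "$WORK/${1}_key-cert.pub" | grep 'Signing CA:' | grep -qF "$ca_fp"
}

# Principals embedded in host $1's certificate, comma-joined (names the client may use).
cert_principals() {
    ssh-keygen -L -f "$WORK/${1}_key-cert.pub" | awk '
        /Principals:/ { p = 1; next }
        /Critical Options:/ { p = 0 }
        p { printf "%s%s", (n++ ? "," : ""), $1 }'
}

make_ca host_ca
make_ca rogue_ca                       # a second CA the client does NOT trust
sign_host web1 host_ca
sign_host web2 rogue_ca
write_known_hosts
cat "$WORK/ssh_known_hosts"
cert_is_signed_by_ca web1 && echo "web1: signed by trusted CA ($(cert_principals web1))"
cert_is_signed_by_ca web2 || echo 'web2: signed by an untrusted CA, client would warn'
```

On a real client the same `@cert-authority` line goes into /etc/ssh/ssh_known_hosts, and the CA's private key stays on the HSM rather than in a file.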