How safely obtain and check host public key for `known_hosts`?

Asked Sep 26 '23 at 17:41

Active Sep 26 '23 at 18:28

Viewed 135 times

For a newly deployed instance I get the following message for the first time SSH connection:

The authenticity of host '[hostname] ([IP address])' can't be established.
RSA key fingerprint is [key fingerprint].
Are you sure you want to continue connecting (yes/no)?

I want to avoid this interaction with the user.

How to safely obtain, check and save this public key?

edited Sep 26 '23 at 18:28

Nikita Kipriyanov

12,569

asked Sep 26 '23 at 17:41

Eugen Konkov

Use DNSSEC and store keys in SSHFP records. – Nikita Kipriyanov Sep 26 '23 at 18:24
Does this answer your question? Can I automatically add a new host to known_hosts? – Nikita Kipriyanov Sep 26 '23 at 18:25
@NikitaKipriyanov: That leaves you open to man in the middle attacks, probably not a good idea. – Eugen Konkov Sep 26 '23 at 18:34
No, SSHFP with DNSSEC does not lead to MitM. – Nikita Kipriyanov Sep 26 '23 at 19:21
@NikitaKipriyanov So I'm in an environment where all DNS lookups and all outgoing connections. I cannot ensure that my DNS resolvers will validate DNSSEC-signed domains. How can I confirm that my key returns are secure? – doneal24 Sep 26 '23 at 19:49
Either distribute statically (via side channel — you have to do all the automation yourself, like write script which verifies ssh-keyscan output via HTTPS or whatever you trust and have user to run it appropriately) or with DNSSEC. No other options. No DNSSEC, no easy and convenient way. – Nikita Kipriyanov Sep 27 '23 at 03:08

How safely obtain and check host public key for `known_hosts`?

0 Answers0