sshd HostKey hardcoding implementation

Çağlar Arlı

We are performing regular reinstallations of our systems, which keeps changing the servers' sshd private keys due to regeneration at the end of the OS installation.

Due to this, our automated systems and my users have deactivated StrictHostKeyChecking so that they can continue connecting to a system immediately after a reinstall. Our automation in particular would break with StrictHostKeyChecking active in such a case.


With that in mind, I was thinking about hardcoding those private keys using a vault implementation and our Ansible deployment, replacing the automatically generated keys during deployment. That would allow us to enforce StrictHostKeyChecking once again, and if a connection attempt ended in a warning or error from the host key check, it would be a red-flag moment, showing that unwanted tampering with the system (only on that level) might have happened.

I haven't been able to find good pro/contra material on that, especially with potential security risks in mind, and am therefore asking here whether this would go against any security best practices or whether it would be an acceptable solution.

Do any best practices for those topics exist, or would I end up being forced to deploy the public key of a changed HostKey to every system that needs it to connect (clients, CI/CD, etc.)?
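
The deployment described in the question, sketched as an added example that is not part of the original post: an Ansible play that restores a stored host key after reinstall and pins it for clients. The variable `vault_ssh_host_ed25519_key`, the inventory group `reinstalled_servers`, the Ed25519 key type and the `sshd` service name are assumptions.

```yaml
# Added example. vault_ssh_host_ed25519_key is a hypothetical per-host variable
# (ansible-vault or an external secret store) holding the private host key,
# including its trailing newline.
- name: Restore the pinned sshd host key after a reinstall
  hosts: reinstalled_servers          # hypothetical inventory group
  become: true
  tasks:
    - name: Install the stored private host key
      ansible.builtin.copy:
        content: "{{ vault_ssh_host_ed25519_key }}"
        dest: /etc/ssh/ssh_host_ed25519_key
        owner: root
        group: root
        mode: "0600"                  # sshd refuses host keys readable by others
      no_log: true                    # keep key material out of logs and diffs
      notify: Restart sshd

    - name: Derive the public key from the installed private key
      ansible.builtin.command: ssh-keygen -y -f /etc/ssh/ssh_host_ed25519_key
      register: host_pub
      changed_when: false

    - name: Install the matching public key file
      ansible.builtin.copy:
        content: "{{ host_pub.stdout.split()[:2] | join(' ') }}\n"
        dest: /etc/ssh/ssh_host_ed25519_key.pub
        owner: root
        group: root
        mode: "0644"
      notify: Restart sshd

    - name: Pin the host key for clients on the control node
      ansible.builtin.known_hosts:
        name: "{{ inventory_hostname }}"
        key: "{{ inventory_hostname }} {{ host_pub.stdout.split()[:2] | join(' ') }}"
        path: /etc/ssh/ssh_known_hosts  # system-wide file; needs root locally
        state: present
      delegate_to: localhost

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: sshd                    # assumption: the unit is "ssh" on Debian/Ubuntu
        state: restarted
```

The first connection after a reinstall still meets the installer-generated key, so a play like this either runs as part of the installation itself or that one connection needs a separate trust path.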