
Ask HN: How do you manage SSH known hosts? - paulddraper
SSH avoids MITM, but only if you know the host's fingerprint.

How do you keep track of and manage SSH fingerprints with many machines (e.g. an AWS cloud deployment)?
======
moviuro
I'd probably have hooks in deployment to publish SSH keys in the DNS. See
[https://en.wikipedia.org/wiki/SSHFP_record](https://en.wikipedia.org/wiki/SSHFP_record)
and
[https://man.openbsd.org/ssh_config.5#VerifyHostKeyDNS](https://man.openbsd.org/ssh_config.5#VerifyHostKeyDNS)

I was trying to work on a script (like [https://acme.sh](https://acme.sh)) to
publish that kind of info, but DNS is hard, and I didn't have enough time to
really work on that project.
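As an added illustration of the SSHFP approach described above (this is example code written for this thread, not moviuro's script and not part of OpenSSH), the block below computes SSHFP resource records from an OpenSSH public key line the same way `ssh-keygen -r` does: the fingerprint is the hash of the base64-decoded key blob, and the algorithm and fingerprint-type numbers come from RFC 4255, RFC 6594 and RFC 7479. The key used at the bottom is constructed from fixed bytes and is not a real key; it only has the right wire shape so the functions can be exercised offline.

```python
import base64
import hashlib
import hmac

# SSHFP algorithm numbers (RFC 4255 / 6594 / 7479) keyed by OpenSSH key type
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (legacy), 2 = SHA-256 (what you should publish)
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def key_blob(pubkey_line):
    """Return (keytype, raw blob) from 'ssh-ed25519 AAAA... comment'."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob starts with a length-prefixed copy of the key type; make sure it
    # agrees with the textual prefix so a mislabelled key is rejected early.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type prefix does not match encoded blob")
    return keytype, blob


def sshfp_records(hostname, pubkey_line, fptypes=(2,)):
    """Build SSHFP records in the zone-file form 'host IN SSHFP algo fptype hex'."""
    keytype, blob = key_blob(pubkey_line)
    algo = SSHFP_ALGORITHM[keytype]
    return [
        f"{hostname} IN SSHFP {algo} {fpt} {SSHFP_HASH[fpt](blob).hexdigest()}"
        for fpt in fptypes
    ]


def parse_sshfp(record):
    """Return (algorithm, fptype, hex fingerprint) from a zone-file SSHFP line."""
    fields = record.split()
    i = fields.index("SSHFP")
    return int(fields[i + 1]), int(fields[i + 2]), fields[i + 3].lower()


def sshfp_matches(record, pubkey_line):
    """True if the SSHFP record was computed from this exact public key."""
    algo, fptype, fp = parse_sshfp(record)
    keytype, blob = key_blob(pubkey_line)
    if SSHFP_ALGORITHM.get(keytype) != algo or fptype not in SSHFP_HASH:
        return False
    return hmac.compare_digest(SSHFP_HASH[fptype](blob).hexdigest(), fp)


def constructed_pubkey(keytype="ssh-ed25519", keybytes=bytes(range(32))):
    """Constructed demo key line: correct wire format, NOT a real key pair."""
    blob = (len(keytype).to_bytes(4, "big") + keytype.encode()
            + len(keybytes).to_bytes(4, "big") + keybytes)
    return f"{keytype} {base64.b64encode(blob).decode()} constructed@example"


if __name__ == "__main__":
    demo_key = constructed_pubkey()
    for rec in sshfp_records("host.example.com", demo_key, fptypes=(1, 2)):
        print(rec)
```

On a real host, `ssh-keygen -r host.example.com -f /etc/ssh/ssh_host_ed25519_key.pub` prints the same two records from the actual host key; a deployment hook can feed those into the DNS API. Note that the client only treats the DNS answer as trustworthy when `VerifyHostKeyDNS yes` is set and the answer was DNSSEC-validated; an unsigned SSHFP answer is still reported to the user but does not by itself suppress the host-key prompt.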

------
fosco
Is using SSH certificates (PKI) an option? Red Hat [0] provides a great guide
on it that I recommend.

[0] [https://access.redhat.com/documentation/en-us/red_hat_enterp...](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-using_openssh_certificate_authentication)
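With host certificates, the client's `known_hosts` no longer lists one key per machine; it carries a single `@cert-authority` line whose host pattern (for example `*.example.com`) names which hosts the CA may vouch for, and optionally `@revoked` lines for keys that must never be accepted. Added here as an example, not code from the thread or from OpenSSH, is a small parser that reads a `known_hosts` file and reports which plain-key, CA and revoked entries apply to a given hostname. It handles OpenSSH's `*`/`?` host patterns, `!` negation, and the hashed `|1|salt|hmac` form written when `HashKnownHosts` is on. The sample file is constructed inline and its key fields are placeholders, not real keys.

```python
import base64
import hashlib
import hmac
import re


def _pattern_to_regex(pat):
    # OpenSSH host patterns: '*' matches any run of characters, '?' one character.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pat)
    return re.compile("^" + body + "$", re.IGNORECASE)


def hash_hostname(hostname, salt):
    """Produce the '|1|salt|hmac' form OpenSSH writes with HashKnownHosts yes."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(hosts_field, hostname):
    """True if hostname matches the comma-separated host field of a known_hosts line."""
    matched = False
    for pat in hosts_field.split(","):
        if pat.startswith("|1|"):
            _, _, salt_b64, mac_b64 = pat.split("|")
            mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(mac, base64.b64decode(mac_b64)):
                matched = True
            continue
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        if _pattern_to_regex(pat).match(hostname):
            if negate:
                return False  # a negated pattern excludes the host outright
            matched = True
    return matched


def parse_known_hosts(text):
    """Return one dict per entry: line, marker (None, @cert-authority, @revoked), hosts, keytype, key."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):
            marker, line = line.split(None, 1)
        hosts, keytype, key = line.split(None, 3)[:3]
        entries.append({"line": lineno, "marker": marker, "hosts": hosts,
                        "keytype": keytype, "key": key})
    return entries


def classify_host(entries, hostname):
    """Group the entries that apply to hostname into plain keys, CAs and revoked keys."""
    result = {"keys": [], "cas": [], "revoked": []}
    bucket_for = {"@cert-authority": "cas", "@revoked": "revoked"}
    for e in entries:
        if host_matches(e["hosts"], hostname):
            result[bucket_for.get(e["marker"], "keys")].append(e)
    return result


# Constructed sample file; the key fields are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = f"""
# host CA trusted for every host under example.com
@cert-authority *.example.com ssh-ed25519 AAAAC3Nza...CAKEY
# a pinned plain host key, reachable by name or address
bastion.example.com,10.0.0.5 ssh-ed25519 AAAAC3Nza...HOSTKEY
# a compromised key that must be refused even if a CA signs it
@revoked old.example.com ssh-rsa AAAAB3Nza...OLDKEY
# hashed entry for db.example.com (20-byte salt is constructed)
{hash_hostname("db.example.com", b"0123456789abcdef0123")} ssh-ed25519 AAAAC3Nza...DBKEY
"""

if __name__ == "__main__":
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for host in ("web1.example.com", "db.example.com", "10.0.0.5", "example.org"):
        r = classify_host(entries, host)
        print(host, {k: [e["line"] for e in v] for k, v in r.items()})
```

A run shows the practical point of the certificate approach: `web1.example.com` has no pinned key at all, yet is covered by the single CA line, so a newly launched instance whose host key was signed by that CA (on the CA machine, `ssh-keygen -s ca_key -I instance-id -h -n web1.example.com ssh_host_ed25519_key.pub`) is accepted without any per-host `known_hosts` update. The hashed entry for `db.example.com` only resolves when you know the hostname, which is the whole idea of `HashKnownHosts`, and a revoked key stays refused regardless of what else matches.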

