1. 22
  1. 8

    Key feature for me:

    • ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for “yes”. This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you.

    One of those things I didn’t realize I needed until it’s provided.

    1. 1

      You should never have to accept new host keys in a production environment. You should be capturing them and syncing them for all users so they already have a pre-populated known_hosts. There is no simple mechanism to do this with, which is sad, but it’s not hard to build.

      1. 2

        In some isolated, well-controlled environments, sure – or you could use certificates and a CA. But there are still plenty of scenarios where that’s not going to be the case (for example, when I first authenticate to my remote backup service, or my VPS provider’s out-of-band console, both of whom just publish host key fingerprints that I otherwise would have to manually verify).
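Added example, not part of the thread or of OpenSSH: the comparison ssh performs when a fingerprint is pasted at the prompt, reproduced offline so a published fingerprint can be checked against a captured host key line before it goes into a synced known_hosts. The host name and key bytes are constructed sample data, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct


def key_blob(line):
    """Return the raw key blob from 'type b64 [comment]' or 'host type b64'."""
    fields = line.split()
    for declared, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # this field is not base64, try the next pair
        if len(blob) < 4:
            continue
        (n,) = struct.unpack_from(">I", blob)
        # The blob starts with its own length-prefixed key type; it must
        # agree with the type named in the text field before it.
        if blob[4:4 + n] == declared.encode():
            return blob
    raise ValueError("no host key found in line")


def fingerprint(blob):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).rstrip(b"=").decode()


def fingerprint_matches(line, pasted):
    """Compare the key on `line` with a fingerprint obtained out of band."""
    expected = fingerprint(key_blob(line))
    return hmac.compare_digest(expected.encode(), pasted.strip().encode())


def constructed_line():
    """Constructed sample: a well-formed ed25519 blob with dummy key bytes."""
    ktype = b"ssh-ed25519"
    blob = struct.pack(">I", len(ktype)) + ktype
    blob += struct.pack(">I", 32) + bytes(range(32))
    return "backup.example.net ssh-ed25519 " + base64.b64encode(blob).decode()


if __name__ == "__main__":
    line = constructed_line()
    print(line)
    print(fingerprint(key_blob(line)))
```
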