SSH Host Key Management Guide

Overview

SSH host keys verify server identity, but managing them at scale is an operational challenge that most teams solve with StrictHostKeyChecking=no — effectively disabling the security they provide. When you have hundreds or thousands of servers, manually maintaining known_hosts files becomes impractical, and host key rotation triggers a flood of “WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED” alerts that train users to ignore security warnings.

This guide covers practical approaches to host key management that actually work at scale. From basic known_hosts distribution using configuration management tools, through SSH Certificate Authority (CA) setup that eliminates known_hosts entirely, to CI/CD pipeline configurations that need to connect to servers without interactive verification.

The SSH CA approach is the recommended end state — it provides host verification without maintaining known_hosts files and supports key rotation without client-side changes.

What You’ll Learn

• Host key discovery across your fleet using ssh-keyscan and configuration management inventory
• Safe rotation procedures that update clients before changing server keys
• known_hosts distribution patterns using Ansible, Puppet, and centralized management
• SSH Certificate Authority setup for both host and user certificates with step-by-step instructions
• CI/CD pipeline configurations for GitHub Actions, GitLab CI, and Jenkins that verify host keys securely
• Monitoring approaches to detect unauthorized host key changes indicating potential MITM attacks