You are able to know host keys before connecting?
2025-11-26
How often in your tech career have you just said yes when being confronted with the following prompt?
$ ssh 115.166.58.26
The authenticity of host '115.166.58.26 (6c22:3021:deb3:e62f::1)' can't be established.
ED25519 key fingerprint is SHA256:Bm5pigTo5Xk2vJs4ecRw0Bt7mREt8zWjOScqFO+xAfw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
If you are anything like most developers, you probably thought "many times". I also did that. A LOT. But begrudgingly…
I knew of the risks, but most of the time the tools to verify host keys properly were just not available to me. Let me share a solution I have been using for quite a while to solve this conundrum.
Set host keys via cloud-init
Basically all cloud providers support cloud-init, through which we can provide information during the creation of a VM. I have used the following on DigitalOcean and Hetzner with Debian, Ubuntu and Fedora. Most providers and operating systems should support it, though.
Create the host key via
ssh-keygen -t ed25519 -C "our-production-host" -P "" -f key
Create the cloud-config.yaml via
cat > cloud-config.yaml <<EOF
#cloud-config
ssh_keys:
  ed25519_private: "$(awk '{printf "%s\\n", $0}' key)"
  ed25519_public: "$(awk '{printf "%s", $0}' key.pub)"
ssh_deletekeys: false
EOF
which produces something like
#cloud-config
ssh_keys:
  ed25519_private: "-----BEGIN OPENSSH PRIVATE KEY-----\n ... \n-----END OPENSSH PRIVATE KEY-----\n"
  ed25519_public: "ssh-ed25519 AAAA...6e70 our-production-host"
ssh_deletekeys: false
Now you are able to know the SSH key beforehand!
# in OpenSSH format
$ ssh-keygen -yf key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiS7+VfuTVytSmgG2cmJPup4KhQxZ5InNTCraWeow4Z
# ... or as a fingerprint
$ ssh-keygen -lf key
256 SHA256:phjJalhzT4myMIpK9MqXNnnfE8mR/zeFeb4SyRckBY8 (ED25519)
We can even skip the manual verification step if we add the key to our known_hosts file before connecting.
echo "23.192.228.84 $(ssh-keygen -yf key)" >> ~/.ssh/known_hosts
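The comparison ssh performs against such a pinned entry, as an added example that is not part of the original post: it derives the SHA256 fingerprint from a public key line and classifies an offered host key as match, mismatch or unknown. The sample keys and the address 203.0.113.10 are constructed, and only plain (unhashed, non-wildcard) known_hosts entries are handled.

```python
import base64, hashlib, struct

def parse_pubkey(line):
    """Split an OpenSSH public key line into (type, blob) and check the blob's own type field."""
    fields = line.split()
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])           # wire format: uint32 length + type string
    if blob[4:4 + n].decode("ascii") != key_type:
        raise ValueError("key type does not match key blob")
    return key_type, blob

def fingerprint(line):
    """Fingerprint in the form shown by `ssh-keygen -lf` and the ssh prompt."""
    digest = hashlib.sha256(parse_pubkey(line)[1]).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def known_hosts_line(host, pub_line):
    """Build the '<host> <type> <base64>' entry that pins the key for one host."""
    key_type, blob = parse_pubkey(pub_line)
    return f"{host} {key_type} {base64.b64encode(blob).decode()}"

def check_host(known_hosts_text, host, offered_pub_line):
    """Return 'match', 'mismatch' (same key type, different key) or 'unknown'."""
    offered = parse_pubkey(offered_pub_line)
    verdict = "unknown"                            # ssh would show the yes/no prompt
    for raw in known_hosts_text.splitlines():
        fields = raw.split()
        if len(fields) < 3 or raw.startswith(("#", "@", "|")):
            continue                               # comments, markers, hashed entries
        if host not in fields[0].split(","):
            continue
        pinned = parse_pubkey(" ".join(fields[1:3]))
        if pinned == offered:
            return "match"
        if pinned[0] == offered[0]:
            verdict = "mismatch"                   # ssh would refuse: host key changed
    return verdict

def _constructed_key(seed):
    """Constructed sample key line: 32 derived bytes, not a key from the post."""
    raw, t = hashlib.sha256(seed).digest(), b"ssh-ed25519"
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-sample"

PINNED = _constructed_key(b"provisioned")          # stands in for key.pub
OTHER = _constructed_key(b"something-else")        # stands in for an unexpected host key
KNOWN_HOSTS = known_hosts_line("203.0.113.10", PINNED) + "\n"
```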
May your SSH connections be truly yours.
© 2025 Dennis Stritzke
Code samples are public domain unless otherwise noted.