In throwaway VMs like the ones usually used by companies today in GCP or AWS, every time an instance boots for the first time it will have a new set of ssh host keys created. That means that if an instance was recreated since the last time you connected to it (via an interactive session or, worse, in CI to deploy the latest code) the ssh client will fail because the host key changed. The common solution (at least with ansible) is always "disable host checking" but this seems like a bad idea to me. You are disabling an important part of your security checks.
- What is the simplest way to set the host keys in GCE? Something like cloud-init, maybe?
- Is it ok to reuse the same host key for all your VM instances or is it better to reuse keys only for instances with the same name? e.g. db-1 will always have the same host key no matter how many times it gets recreated but db-2 will have a different one than
As part of your instance creation process, you should ssh-keyscan the newly created VM instance to obtain its ssh host keys. You can then distribute these to wherever they are needed.
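One way to consume those scanned keys without falling back to "disable host checking", as an added example that is neither the answer's code nor part of any GCP or ansible tooling: it merges ssh-keyscan output into a plain (unhashed) known_hosts file, replaces keys only for instances you know were just recreated, and reports any other key change instead of silently accepting it. Because ssh-keyscan is trust-on-first-use, run it right after creation from a path you control (e.g. inside the same VPC); the host names and keys below are constructed sample data, and hashed `|1|` lines are passed through untouched.

```python
from typing import Dict, List, Set, Tuple

Entry = Tuple[str, str]  # (hostname, key type)


def parse(text: str) -> Tuple[Dict[Entry, str], List[str]]:
    """Split known_hosts / ssh-keyscan text into {(host, keytype): key}
    plus the lines left untouched (comments, hashed `|1|` entries)."""
    entries: Dict[Entry, str] = {}
    passthrough: List[str] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith("#") or line.startswith("|1|"):
            if line.strip():
                passthrough.append(line)
            continue
        for host in fields[0].split(","):  # "host,ip keytype key"
            entries[(host, fields[1])] = fields[2]
    return entries, passthrough


def merge(known_hosts: str, scanned: str, recreated: Set[str]) -> Tuple[str, List[str]]:
    """Return the updated known_hosts text and the unexpected key changes."""
    current, keep = parse(known_hosts)
    fresh, _ = parse(scanned)
    conflicts: List[str] = []
    for (host, ktype), key in fresh.items():
        old = current.get((host, ktype))
        if old is not None and old != key and host not in recreated:
            conflicts.append(f"{host} {ktype}")  # key changed but no rebuild
            continue
        current[(host, ktype)] = key  # new host, same key, or rebuilt host
    lines = keep + [f"{h} {t} {k}" for (h, t), k in sorted(current.items())]
    return "\n".join(lines) + "\n", conflicts


# Constructed sample data (not real keys): db-1 was just rebuilt, db-2 was not.
KNOWN_HOSTS = """# existing entries
db-1 ssh-ed25519 AAAAC3OLDKEY-DB1
db-2 ssh-ed25519 AAAAC3OLDKEY-DB2
"""
SCANNED = """db-1 ssh-ed25519 AAAAC3NEWKEY-DB1
db-2 ssh-ed25519 AAAAC3CHANGED-DB2
db-3 ssh-ed25519 AAAAC3NEWKEY-DB3
"""


def demo() -> Tuple[str, List[str]]:
    return merge(KNOWN_HOSTS, SCANNED, recreated={"db-1"})


if __name__ == "__main__":
    text, bad = demo()
    print(text)
    for c in bad:
        print("REFUSED unexpected host key change:", c)
```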
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.