What is the best method for adding RSA Key Fingerprints to known_hosts upon provisioning each server?

Inquisitive asked:

This question was inspired by this thread

The hypothetical scenario, for context is as follows:

1. SSH servers, whether they be routers, firewalls etc. are all firstly provisioned within a private + secure environment before being deployed. The SSH keys are generated locally on the server in this environment.
2. The SSH servers have their own ACLs in place for refusing connections from anything but our hosts
3. The host machine will be a Linux machine with multiple users

The standard approach may be to employ PKI with a trusted CA installed on all user accounts, and deploy a local SCEP server etc. But in place of this, would it be prudent to:

1. While in the secure environment, and upon provisioning, import the RSA fingerprint of the server to the known_hosts container of our host machine (or wherever it would be stored, I’m not overly familiar with Linux yet) using ssh-keyscan -H x.x.x.x >> ~/.ssh/known_hosts

2. Share/mirror that container of RSA fingerprints across the users on that host machine

3. Configure the host/each user to reject/drop/refuse the connection when given the following prompt, so that

The authenticity of host '[hostname] ([IP address])' can't be established. RSA key fingerprint is [key fingerprint]. Are you sure you want to continue connecting (yes/no)?

4. They cannot connect to any server that hasn’t gone through this procedure, then
5. Perhaps create a sandboxed separate user for cases where these aforementioned processes + restrictions cannot be implemented, but where remote configuration is still needed, so that the main more commonly-used passwords are not compromised by a possibly fake SSH server.