[throwaway2048]

Even if you are using some kind of prebaked images to deploy, you should be generating individual keys using the SSH PKI features per machine as part of your individual host configurations.

This allows you to verify hosts while having never seen their keys. Just totally shutting off verification is a horrible idea.

[the_mitsuhiko]

If someone can actively MITM in your network you have other problems.

[throwaway2048]

That argument has been shown to be nonsense for years, it can apply to any mitigation technology or privilege reduction technique. The point is to reduce the amount of harm that can be done, because "just write software without bugs" isn't a solution at all.

[the_mitsuhiko]

> That argument has been shown to be nonsense for years, it can apply to any mitigation technology or privilege reduction technique. The point is to reduce the amount of harm that can be done, because "just write software without bugs" isn't a solution at all.

I don't disagree with this, but if you can MITM my traffic then impersonating SSH is the least of my worries. The chance that I will randomly SSH into a machine is pretty small to begin with whereas the deployment tools themselves for instance will push out code changes in regular intervals throughout the cluster. My point is: if you can actively MITM my traffic or anything similar in severity, then there are much more interesting targets than SSH.