Are you still ignoring the WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! messages? Do you use “ssh -o StrictHostkeyChecking=no -o UserKnownHostsFile=/dev/null” to make SSH connections? How can you trust SSH keys in an environment where you install 10 new servers every day? Where a server lives less than a day in average?

Many How-Tos and articles talk about SSH security but fail to put SSH security into the context of managing large data centers or cloud environments with a high degree of automation. This talk covers the ground with SSH security features and shows advanced usage scenarios like:

* How to differentiat between human-machine and machine-machine communication and how to optimize SSH for each
* Best practice for establishing trust relationships between servers or user accounts
* When to use host-based authentication instead of user keys
* When you can us SSHFP to put SSH host key fingerprints into DNS and when it won't work
* Several ways to centrally manage the /etc/ssh/ssh_known_hosts file as suggested by the SSH man page
* Introduction to using the SSH PKI with CA certificates (new feature in OpenSSH 5.4) to simplify host key management in large environment
* When it is better to not use SSH but rsh or other remote execution tools

A special focus are automated environments and different strategies for handling new servers or frequent reinstallations of existing servers.

See also Embedding SSH Key in SSH URL (http://blog.schlomo.schapiro.org/2017/05/embedding-ssh-key-in-ssh-url.html), Automated OpenSSH Configuration Tests (http://blog.schlomo.schapiro.org/2014/04/automated-openssh-configuration-tests.html), and SSH with Personal Environment (http://blog.schlomo.schapiro.org/2014/02/ssh-with-personal-environment.html)