Add new option "ssh_known_hosts" to the sysconfig section of the yaml config

It allows to preconfigure a list of known host keys. But the primary use case will probably be trusting signatures from SSH CAs for host keys. Example: --- sysconfig: ssh_known_hosts: myhost.example.org: "ssh-ed25519 AAAAC3NzaC1l...JJTO48B" "@cert-authority *.mydomain.org": "ssh-rsa AAAAB3NzaC1y...Zhk0="
2026-01-08 17:50:07 +01:00 · 2023-10-03 19:58:43 +02:00 · 2023-10-03 19:58:43 +02:00 · 5cf652ec56
parent 592d5e0869
commit 5cf652ec56
2 changed files with 33 additions and 0 deletions
--- a/1
+++ b/1
@ -4,6 +4,7 @@ SystemRescue ChangeLog
 ------------------------------------------------------------------------------
 10.03 (YYYY-MM-DD):
 ------------------------------------------------------------------------------
+* new option ssh_known_hosts in yaml config allows to trust SSH CAs signatures on host keys
 * Fix findroot loop when the password to any encrypted device is unknown (#342)
 * Fix using findroot when /sbin/init is an absolute symlink (#340)
 * Added sleuthkit (Tools for raw file system inspection) (#349)
--- a/airootfs/etc/systemd/scripts/sysrescue-initialize-whilenet
+++ b/airootfs/etc/systemd/scripts/sysrescue-initialize-whilenet
@ -404,6 +404,38 @@ if 'sysconfig' in config and 'authorized_keys' in config['sysconfig'] and \
        print(e)
        errcnt+=1

+# ==============================================================================
+# configure SSH known hosts
+# do this after late-loading SRMs because we want to add to what is contained in a SRM
+# ==============================================================================
+
+if 'sysconfig' in config and 'ssh_known_hosts' in config['sysconfig'] and \
+  config['sysconfig']['ssh_known_hosts'] and isinstance(config['sysconfig']['ssh_known_hosts'], dict):
+    print(f"====> Adding SSH known hosts ...")
+    # create list of key lines we want to add
+    keylines = []
+    for key, value in config['sysconfig']['ssh_known_hosts'].items():
+        keylines.append(f"{key} {value}")
+
+    try:
+        if os.path.exists("/etc/ssh/ssh_known_hosts"):
+            # check if we already have one of our keylines in the file: don't add it again
+            with open("/etc/ssh/ssh_known_hosts", "r") as khfile:
+                for line in khfile:
+                    line = line.strip()
+                    # iterate backwards through the list to make deletion safe
+                    for i in range(len(keylines)-1, -1, -1):
+                        if line == keylines[i]:
+                            del keylines[i]
+        if keylines:
+            with open("/etc/ssh/ssh_known_hosts", "a") as khfile:
+                # append all our keylines
+                for line in keylines:
+                    khfile.write(f"{line}\n")
+    except Exception as e:
+        print(e)
+        errcnt+=1
+
 # ==============================================================================
 # configure bash_history
 # do this after late-loading SRMs because we want to add to what is contained in a SRM