diff --git a/ChangeLog b/ChangeLog
index 984a0bf..b3da3ac 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,7 @@ SystemRescue ChangeLog
 ------------------------------------------------------------------------------
 10.03 (YYYY-MM-DD):
 ------------------------------------------------------------------------------
+* new option ssh_known_hosts in yaml config allows to trust SSH CAs signatures on host keys
 * Fix findroot loop when the password to any encrypted device is unknown (#342)
 * Fix using findroot when /sbin/init is an absolute symlink (#340)
 * Added sleuthkit (Tools for raw file system inspection) (#349)
diff --git a/airootfs/etc/systemd/scripts/sysrescue-initialize-whilenet b/airootfs/etc/systemd/scripts/sysrescue-initialize-whilenet
index 16a54ab..1d6bd81 100755
--- a/airootfs/etc/systemd/scripts/sysrescue-initialize-whilenet
+++ b/airootfs/etc/systemd/scripts/sysrescue-initialize-whilenet
@@ -404,6 +404,38 @@ if 'sysconfig' in config and 'authorized_keys' in config['sysconfig'] and \
 print(e)
 errcnt+=1
 
+# ==============================================================================
+# configure SSH known hosts
+# do this after late-loading SRMs because we want to add to what is contained in a SRM
+# ==============================================================================
+
+if 'sysconfig' in config and 'ssh_known_hosts' in config['sysconfig'] and \
+ config['sysconfig']['ssh_known_hosts'] and isinstance(config['sysconfig']['ssh_known_hosts'], dict):
+ print(f"====> Adding SSH known hosts ...")
+ # create list of key lines we want to add
+ keylines = []
+ for key, value in config['sysconfig']['ssh_known_hosts'].items():
+ keylines.append(f"{key} {value}")
+
+ try:
+ if os.path.exists("/etc/ssh/ssh_known_hosts"):
+ # check if we already have one of our keylines in the file: don't add it again
+ with open("/etc/ssh/ssh_known_hosts", "r") as khfile:
+ for line in khfile:
+ line = line.strip()
+ # iterate backwards through the list to make deletion safe
+ for i in range(len(keylines)-1, -1, -1):
+ if line == keylines[i]:
+ del keylines[i]
+ if keylines:
+ with open("/etc/ssh/ssh_known_hosts", "a") as khfile:
+ # append all our keylines
+ for line in keylines:
+ khfile.write(f"{line}\n")
+ except Exception as e:
+ print(e)
+ errcnt+=1
+
+ # ==============================================================================
+ # configure bash_history
+ # do this after late-loading SRMs because we want to add to what is contained in a SRM
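Review bot: The append in the `if keylines:` branch assumes an existing /etc/ssh/ssh_known_hosts ends with a newline; if it does not (a file shipped in an SRM or hand-edited without a trailing newline), the first new entry is glued onto the last existing line, yielding one malformed entry that the dedup pass will also never match on a later run. The read loop already visits every line, so it can record whether the last one was newline-terminated and the append branch can write a separating "\n" first; the flag has to be initialised before the `os.path.exists` check because the file may be absent. Entries are also written verbatim from the YAML dict, so a key or value containing a line break would end up as extra lines in the file — a `"\n" in` / `"\r" in` check on each `f"{key} {value}"` that reports the bad entry and bumps `errcnt` would keep the file well-formed. Minor: `print(f"====> Adding SSH known hosts ...")` has no placeholders and can be a plain string literal.
```python
    try:
        ends_with_newline = True  # absent or empty file needs no separator
        if os.path.exists("/etc/ssh/ssh_known_hosts"):
            # check if we already have one of our keylines in the file: don't add it again
            with open("/etc/ssh/ssh_known_hosts", "r") as khfile:
                for line in khfile:
                    ends_with_newline = line.endswith("\n")
                    line = line.strip()
                    # … unchanged: backwards dedup loop over keylines …
        if keylines:
            with open("/etc/ssh/ssh_known_hosts", "a") as khfile:
                if not ends_with_newline:
                    khfile.write("\n")
                # … unchanged: append loop writing each keyline …
```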