Use of ssh-keyscan and TOFU
In the previous post I mentioned the usage of ssh-keyscan to get and store a server's public SSH key. My doubt was that it may not be a secure-enough solution.
From what I understand, ssh-keyscan is just another instance of TOFU, or trust on first use. Basically, it only automates what you do when you're prompted to verify a key fingerprint upon first connection to a server: whatever key the remote end presents is written to known_hosts without being checked against anything. TOFU is acceptable when the known_hosts file persists between connections, because a later change of key is then detected and the connection refused. On a CI runner that starts with an empty known_hosts and runs ssh-keyscan at the start of every job there is no persistence at all, so every run is a "first use" and a man-in-the-middle on any single run goes undetected.
Anyway, I have still decided to update the GitHub Action and make use of a GitHub secret to hold the public key of the server I am connecting to.
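As an added example (not code from the original post or its workflow), the shell below shows the pinned approach next to the scan-on-every-run one. It assumes the known_hosts line was captured out of band on the server (the hostname followed by the contents of /etc/ssh/ssh_host_ed25519_key.pub) and stored in a GitHub secret exposed to the job as the environment variable SSH_KNOWN_HOSTS; the hostname example.internal and the key blobs are constructed placeholders, and verify_host_key is a small re-implementation of the lookup ssh performs (ssh-keygen -F does the real thing) so the check can run offline.

```shell
#!/bin/sh
# Added example: pin a server's SSH host key in a CI job instead of scanning it.
#
# Weak pattern (trust on every use; the runner has no prior known_hosts):
#   ssh-keyscan "$HOST" >> ~/.ssh/known_hosts
# accepts whatever key is presented during that particular run.
#
# Pinned pattern: the known_hosts line comes from a secret captured once,
# out of band, on the server itself:
#   printf '%s %s\n' "$HOST" "$(cut -d' ' -f1,2 /etc/ssh/ssh_host_ed25519_key.pub)"
set -u

# Write the pinned entry to a fresh known_hosts file with strict permissions.
# $1 = destination file, $2 = the known_hosts line (from the SSH_KNOWN_HOSTS secret)
pin_known_hosts() {
  dest=$1
  entry=$2
  mkdir -p "$(dirname "$dest")"
  chmod 700 "$(dirname "$dest")"
  printf '%s\n' "$entry" > "$dest"
  chmod 600 "$dest"
}

# Check the key a server presents against the pinned file, the way ssh does
# before authenticating. Only plain (unhashed) "host type key" lines are handled.
# $1 = known_hosts file, $2 = expected hostname,
# $3 = presented line in ssh-keyscan format: "host key-type base64-blob"
# Returns 0 on an exact match, 1 on mismatch or unknown host.
verify_host_key() {
  file=$1
  host=$2
  set -- $3                      # split the presented line on whitespace
  [ $# -ge 3 ] || return 1
  p_host=$1; p_type=$2; p_key=$3
  [ "$p_host" = "$host" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in '#'*|'') continue ;; esac
    set -- $line
    [ $# -ge 3 ] || continue
    if [ "$1" = "$host" ] && [ "$2" = "$p_type" ] && [ "$3" = "$p_key" ]; then
      return 0
    fi
  done < "$file"
  return 1
}

# Demo with constructed data (not real keys): the pinned key is accepted,
# a different key for the same host, as a MITM would present, is rejected.
demo() {
  HOST=example.internal
  PINNED="$HOST ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExamplePinnedKeyBlob0000000000000000000"
  EVIL="$HOST ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAttackerKeyBlob00000000000000000"
  workdir=$(mktemp -d)
  pin_known_hosts "$workdir/known_hosts" "$PINNED"
  if verify_host_key "$workdir/known_hosts" "$HOST" "$PINNED"; then
    echo "pinned key: accepted"
  fi
  if verify_host_key "$workdir/known_hosts" "$HOST" "$EVIL"; then
    echo "attacker key: accepted (this must not happen)"
  else
    echo "attacker key: rejected"
  fi
  rm -rf "$workdir"
}

demo
```

In the workflow, the secret is passed as `env: SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}`, the step calls `pin_known_hosts ~/.ssh/known_hosts "$SSH_KNOWN_HOSTS"`, and every ssh/scp/rsync invocation adds `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=~/.ssh/known_hosts` so that a key not in the file is a hard failure rather than a prompt. Rotating the server's host key then means updating the secret, which is exactly the manual verification step TOFU otherwise skips.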