On 2024-01-20, 20:14 -0800, Felix Lechner <felix.lech...@lease-up.com> wrote:
>> How does the publishing happen exactly
>
> You can query SSH server keys remotely [1] but I would deploy keys I
> know already.
Hi Felix,

Thanks for getting back to me and sorry it took me so long to reply.

Querying the SSH server would be a bit of a catch-22 situation though, unless the machine you're querying from is part of the same VPN as the server.

While I do like the idea of using a DNS record, by itself this doesn't seem to solve the trust-on-first-use issue. I'd be fine with this solution if the DNS were part of the same network as the newly installed server, but that's not my case.

The other solution that comes to mind would involve:

- some kind of cloud-init service that waits until the SSH key pair is generated and then communicates the public key to the cloud provider;
- a cloud-init compliant cloud provider that accepts the public key and then makes it available to the user via a web dashboard.

I think this is what some providers do with other system images? OTOH, UX-wise, this is much worse than the DNS record as it requires manual intervention.

Let's see, maybe someone else might chime in with some other idea at some point.

Thanks for now, cheers,
Fabio.

--
Fabio Natali
https://fabionatali.com
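As an added illustration of the DNS option discussed in the thread (not code from either poster), the following assumes the record in question is an SSHFP record (RFC 4255, SHA-256 variant from RFC 6594) and shows how a freshly generated host public key is turned into that record and how a client can check a key it receives against the published one; the host keys are constructed for the example, not real keys.

```python
import base64
import hashlib
import struct

# SSHFP algorithm code points (RFC 4255, RFC 6594, RFC 7479); fingerprint type 2 = SHA-256.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4,
}
SSHFP_SHA256 = 2


def sshfp_record(host_key_line: str) -> tuple[int, int, str]:
    """Convert one line of /etc/ssh/ssh_host_*_key.pub into (algorithm, fptype, hex digest)."""
    key_type, b64 = host_key_line.split()[:2]
    blob = base64.b64decode(b64)
    # The wire blob starts with a length-prefixed copy of the key type; refuse mismatched labels.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type label does not match encoded key blob")
    # SSHFP fingerprints the raw blob, the same bytes ssh-keygen -r hashes.
    return SSHFP_ALGORITHMS[key_type], SSHFP_SHA256, hashlib.sha256(blob).hexdigest()


def zone_line(owner: str, record: tuple[int, int, str]) -> str:
    """Render the record as a zone-file line the server side would publish."""
    alg, fptype, digest = record
    return f"{owner} IN SSHFP {alg} {fptype} {digest}"


def matches_sshfp(presented_key_line: str, published: tuple[int, int, str]) -> bool:
    """Client side: does the key offered during the handshake match the published record?"""
    return sshfp_record(presented_key_line) == published


def _constructed_ed25519_key(raw: bytes) -> str:
    # Constructed for this example: 32 arbitrary bytes in ssh-ed25519 wire framing, not a real key.
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


SAMPLE_HOST_KEY = _constructed_ed25519_key(bytes(range(32)))        # what the new server generated
OTHER_HOST_KEY = _constructed_ed25519_key(bytes(range(1, 33)))      # what an impostor might present

if __name__ == "__main__":
    rec = sshfp_record(SAMPLE_HOST_KEY)
    print(zone_line("newhost.example.com.", rec))      # placeholder owner name
    print(matches_sshfp(SAMPLE_HOST_KEY, rec), matches_sshfp(OTHER_HOST_KEY, rec))
```

OpenSSH consults these records when `VerifyHostKeyDNS` is enabled, but only treats them as authoritative when the answer is DNSSEC-validated; without that, the client still falls back to the usual first-connection prompt, which is the gap the reply above points at.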