Sign host key with a CA pubkey

[teunvink]

Suggestion mentioned on IRC:

have all the host keys signed so that we can just approve the ca pubkey and be confident connecting to ring nodes without host key prompts

[teunvink]

Some possibly useful logs:

11:46 <bl____> on a secure machine create a keypair with ssh-keygen or community.crypto.openssh_keypair, publish the public key, on nodes sign host key with ssh-keygen or community.crypto.openssh_cert & put to ssh config is the rough process
11:47 <bl____> then on /etc/ssh/ssh_known_hosts etc put "@cert-authority *.ring.nlnog.net pubkey"
11:47 <bl____> latest putty supports this also finally
11:52 <bl____> so the "ca" is just simply a regular SSH keypair
12:02 <bl____> I am sure interwebs is full of tutorials for it, here is a redhat one: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-creating_ssh_ca_certificate_signing-keys
12:04 <@teun> thanks for the info, we can take a look at later and see how it relates to the SSFP entries we already have
12:06 <bl____> putty has rejected support for those unfortunately IIRC :(