On Mon, 27 Oct 2008, Dominik Epple wrote:

> Hi,
> is there any way to use hostbased authentication without the need to
> have the SSH host keys stored in a known_hosts file?
> We run a large cluster where we need to have passwordless remote login
> available. We currently do that with hostbased SSH authentication. But
> it is error-prone and a lot of work to keep the known_hosts file up to
> date on all hosts. (This is the same situation like DNS vs /etc/hosts
> and LDAP vs /etc/passwd, and so on.)
> We know of the possibility to store SSH fingerprints in SSHFP records
> in DNS. But this currently does not allow hostbased authentication,
> it only allows the client to verify the server's host key.
> Is there any other possiblity?

Kerberos or push out hostkey lists with rdist.

openssh-unix-dev mailing list