Does `ssh-keyscan` verify the legitimacy of the host(s) it scans?
Is there any way for ssh-keyscan to automatically verify the legitimacy of the host it scans?
No. How could it? You are using it to build the `known_hosts` file that would be used for verification.
If not, doesn't it become security theatre and defeat the point of SSH's `known_hosts` verification?
In the example you've shown, it indeed does. The problem isn't that `ssh-keyscan` is being used, though, but rather when and how it is used. Overall, it isn't any different from getting the regular "Verify unknown host" SSH prompt and blindly typing `yes` without looking at the fingerprint.
If you do it once and keep the resulting `known_hosts` file around, then you still get the same trust-on-first-use behavior that we all expect from SSH. But if you throw away and regenerate `known_hosts` every time, with no verification against previous runs, then it's going to be a problem whether you use `ssh-keyscan` or not.
In short, deploying a static `known_hosts` file would be much more secure – GitHub's SSH host keys certainly don't change often, so there is really no need to re-keyscan them every time.