From f17a9a972d631fc4e964a911d196ee8d742b550a Mon Sep 17 00:00:00 2001
From: Konrad Bucheli
Date: Mon, 6 Feb 2023 14:18:49 +0100
Subject: [PATCH] document public keys for SSH host key CA

---
 _toc.yml | 1 +
 user-guide/index.md | 1 +
 user-guide/ssh_host_key_certificates.md | 20 ++++++++++++++++++++
 3 files changed, 22 insertions(+)
 create mode 100644 user-guide/ssh_host_key_certificates.md

diff --git a/_toc.yml b/_toc.yml
index c7e3f22b..6e65c282 100644
--- a/_toc.yml
+++ b/_toc.yml
@@ -12,6 +12,7 @@ parts:
   - file: user-guide/login_servers
   - file: user-guide/evolution_for_o365
   - file: user-guide/thunderbird_for_o365
+  - file: user-guide/ssh_host_key_certificates
   - file: user-guide/firefox_profile_per_host
   - file: user-guide/putty
diff --git a/user-guide/index.md b/user-guide/index.md
index 3cd216ef..3d1f4f04 100644
--- a/user-guide/index.md
+++ b/user-guide/index.md
@@ -16,5 +16,6 @@ This guide contains tricks and recipies for end users using Red Hat Enterprise L
 - [Login Servers](login_servers)
 - [Connect Evolution with Office365](evolution_for_o365)
 - [Connect Thunderbird with Office365](thunderbird_for_o365)
+- SSH asks to accept key on unknown host -> [SSH Host Key Certificates](ssh_host_key_certificates)
 - Firefox refuses to start with home directory on the network drive -> [Per Host Default Profile for Firefox](firefox_profile_per_host)
 - AFS `permission denied` when using Putty -> [SSH Access from Windows using Putty](putty)
diff --git a/user-guide/ssh_host_key_certificates.md b/user-guide/ssh_host_key_certificates.md
new file mode 100644
index 00000000..e08f09a0
--- /dev/null
+++ b/user-guide/ssh_host_key_certificates.md
@@ -0,0 +1,20 @@
+# SSH Host Key Certificates
+
+The SSH host keys of Puppet managed Linux hosts have a certficate which avoids below key acceptance question:
+
+```
+$ ssh hipa-gw
+The authenticity of host 'hipa-gw (129.129.197.23)' can't be established.
+ECDSA key fingerprint is SHA256:aRuVOefLvadIyDTxlSglDNylKG6eww2ZW0ddZs97dUo.
+ECDSA key fingerprint is MD5:a8:be:15:24:9c:2b:82:7f:9d:9f:88:3f:e4:8c:df:cd.
+Are you sure you want to continue connecting (yes/no)?
+```
+
+To accept SSH host keys with a certificate, please update either `~/.ssh/known_hosts` (your user only) or `/etc/ssh/ssh_known_hosts` (system-wide) as follows:
+
+```
+# SSH host key certficate CA manged by PSI Puppet
+@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDM3HQNqtTtmVtljco4zXfKMZc/6Lud+8VMHrXuoB/3e0+TVBKhS/O2pAZ1HU0o3it6VTdf+o66h8FmGKCUDiwcDPuQ/Cqmo18nWwgLYedKxHYM7oZip+9ts0IDso2LebbsspGrE4V6NqindZ+MAkKe3UvnJUFRnk+5+eSYsCe4IhidU02eVE+InXPkCpepuO4GViziV315QHBBqDeXfvQtA/EPw1TLLLVvgNokMKTcz7ObLbO6iXKK17FAqt+3ozfzOV6hGRI4g2409vW9rYjhZFUKJiG0VGmqKX7veZuUaInaVLAqPHUAT+y3h/E0oCNtY8ijXaKeuERj5BJE+Eab
+@cert-authority * ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF2xLCCHNmXSeY+qNPmdo/jO2AXrcHyQDqZLBzWVwk2/GqMRDl4mavZLBPyQPNeLGAPc+BHg7iRC65wQQEeYOVU=
+@cert-authority * ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhIx/obIiiO9AtrUgj7pF8kAgv4g9Dp+DRXilkmlkxK
+```
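Review bot: The three `@cert-authority *` lines in the known_hosts snippet make the client accept a certificate from this CA for every hostname, not only for the Puppet-managed hosts the page describes, so the CA's signing key becomes a trust anchor for all SSH destinations of that user or system. The hostname field of a known_hosts entry accepts patterns, so the page should restrict the entries to the managed domain, e.g. `@cert-authority *.<managed-domain> ssh-ed25519 …` (placeholder, substitute the real host pattern for each of the three lines), and say why the wildcard is not recommended. The page also gives the reader no way to check that the pasted CA public keys are genuine; a sentence naming an out-of-band source for the key fingerprints (the Puppet repository or an internal channel) would let users verify them before editing `/etc/ssh/ssh_known_hosts`. Minor: `certficate` and `manged` are misspelled in the new file.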