Enable ToFU (Trust on First Use) with OpenSSH

Nick Schmidt
2 min readFeb 11, 2023

Ansible is a fantastic tool for Linux-based and NOS-based automation. Have you seen this error before?

"changed": false, "msg": "Failed to connect to the host via ssh: Host key verification failed."

When you use Ansible with SSH transport (as opposed to an API), you rely on the SSH key trust store to validate that the end-host is authentic. It’s stored in ~/.ssh/known_hosts on every user profile on a Linux machine.

Users building new machines will run afoul of this tool — because the machine doesn’t exist yet and should generate its own key, it’s not particularly easy to add to an orchestrator’s SSH trust store.

Fortunately, the designers of OpenSSH have us covered. The following stanza can be added to either ~/.ssh/config or to /etc/ssh/ssh_config, depending on how elaborate the existing configuration is:

Host *
StrictHostKeyChecking accept-new

The configuration enables the ToFU (Trust on First Use) model with OpenSSH. It’ll assume that the first key for a given IP address or hostname is valid, and continue to trust it without majorly compromising security by disabling trust.

ToFU is not better than a well-established Web of Trust or any hierarchical authorization (like PKI). ToFU seeks to strike a balance between administrative overhead and convenience — which is probably acceptable when building new virtual machines.

Try using ToFU to bootstrap the machine and apply more secure methods of administration after that as a solution to any security concerns — in theory, those should all be handled by Ansible Inventory Groups in a way that’s scalable and easy.

With the build steps covered here and managing an Ansible inventory file as code, the only remaining step is to join any newly built VMs to the existing inventory file in your Git repository!

Originally published at https://blog.engyak.co.



Nick Schmidt

I am a network engineer based out of Alaska, pursuing various methods of achieving SRE/NRE