global known_hosts for ssh services
To use it:
curl -fsS https://knownhosts.net > /etc/ssh/ssh_known_hosts
This replaces the system-wide file that OpenSSH reads by default (GlobalKnownHostsFile), so run it as root and keep a copy if you already maintain entries there; -f makes curl exit non-zero on an HTTP error instead of writing the error page into the file.
If you prefer you can also append it to your user-local ~/.ssh/known_hosts, but it is easier to update if you keep it separate.
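As an added example, not knownhosts.net's own tooling, the shell functions below fetch the file, refuse to install it unless every line parses as a known_hosts entry, and only then move it into place atomically. The sample lines are constructed and the keys in them are not real host keys.

```shell
# Added example (not part of knownhosts.net): validate a downloaded known_hosts
# file before installing it system-wide. Sample lines below are constructed.

# Return 0 if every non-blank, non-comment line is a plausible known_hosts entry:
# optional @cert-authority/@revoked marker, host pattern, a recognised key type,
# and a base64 blob starting with "AAAA" (the length prefix of the key-type
# string that begins every OpenSSH key blob encodes to those four characters).
validate_known_hosts() {
    file="$1"
    [ -s "$file" ] || { echo "empty file: $file" >&2; return 1; }
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            i = 1
            if ($1 ~ /^@/) {                     # optional marker field
                if ($1 != "@cert-authority" && $1 != "@revoked") { bad(); next }
                i = 2
            }
            if (NF < i + 2) { bad(); next }      # need host, type, key
            type = $(i + 1); key = $(i + 2)
            if (type !~ /^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com)$/) { bad(); next }
            if (key !~ /^AAAA[A-Za-z0-9+\/]+=*$/) { bad(); next }
        }
        function bad() { printf "line %d: rejected: %s\n", NR, $0 > "/dev/stderr"; errors++ }
        END { if (errors) exit 1 }
    ' "$file"
}

# Fetch, validate, then atomically replace /etc/ssh/ssh_known_hosts.
# Assumes root; -f stops curl from writing an HTTP error page into the file.
install_global_known_hosts() {
    tmp=$(mktemp /etc/ssh/ssh_known_hosts.XXXXXX) || return 1
    if curl -fsS https://knownhosts.net -o "$tmp" && validate_known_hosts "$tmp"; then
        chmod 0644 "$tmp" && mv -f "$tmp" /etc/ssh/ssh_known_hosts
    else
        rm -f "$tmp"; return 1
    fi
}

# Constructed sample input (keys are placeholders, not real host keys).
SAMPLE_GOOD='# constructed sample
exe.dev ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExample
@cert-authority *.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampl
'
SAMPLE_BAD='exe.dev ssh-notatype AAAAC3NzaC1lZDI1NTE5AAAAIExample
<html>404 Not Found</html>
'
```

The validator deliberately does not check the host field, so hashed hostnames (`|1|salt|hash`) and wildcard patterns pass; the point is to stop an HTML error page or a truncated download from becoming the global trust store.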
Add your service to the file
Public SSH service names are verified using WebPKI: knownhosts.net fetches your key over HTTPS and accepts it only when it is served under a valid, publicly trusted TLS certificate for that name. That means you have to run a web server on the service's DNS name with a valid TLS certificate.
To publish a public service here, put a known_hosts file with your public key (or CA) at, for example:
https://exe.dev/.well-known/ssh-known-hosts
Then ask us to crawl it by running:
curl -X POST https://knownhosts.net -d "domain=exe.dev"
There are startup and rate limits, so expect the request to take a minute. It blocks until the crawl completes, so any error message comes back in the response.
The .well-known file must be continuously served. At unspecified future dates knownhosts.net recrawls it; if the file is missing, your host key is removed from the global file.
If you cannot run a web server, I'm sorry, that sucks. You can contact me if you have a specific case that cannot be worked around and we can try and work it out together.
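The whole publishing procedure as an added example, not the page's own script: it derives the known_hosts line from the host's public key, writes it under .well-known, checks it is actually served over HTTPS, and then requests a crawl. The web root, the host key path and the placeholder key in the usage are assumptions; adjust them for your server.

```shell
# Added example (not knownhosts.net's own code). WEBROOT and the host key path
# are assumptions; only the public key is ever written to the web root.

# Turn an OpenSSH public key line ("type base64 [comment]") into a known_hosts
# entry for HOST. Pass "ca" as the third argument to publish a CA key instead:
# clients then trust any host certificate that CA signs for HOST.
# For a non-standard port, pass the host as "[host]:port".
known_hosts_entry() {
    host="$1"; pubkey_line="$2"; kind="${3:-host}"
    set -- $pubkey_line                # unquoted on purpose: split into type, base64, comment
    [ $# -ge 2 ] || { echo "malformed public key line" >&2; return 1; }
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $1" >&2; return 1 ;;
    esac
    if [ "$kind" = ca ]; then
        printf '@cert-authority %s %s %s\n' "$host" "$1" "$2"
    else
        printf '%s %s %s\n' "$host" "$1" "$2"
    fi
}

# Write the entry to the well-known path and ask knownhosts.net to crawl it.
publish_and_crawl() {
    domain="$1"; webroot="${2:-/var/www/html}"
    keyfile=/etc/ssh/ssh_host_ed25519_key.pub     # assumption: an ed25519 host key
    dir="$webroot/.well-known"
    mkdir -p "$dir" || return 1
    known_hosts_entry "$domain" "$(cat "$keyfile")" > "$dir/ssh-known-hosts" || return 1
    # Confirm the file is reachable over HTTPS with a certificate curl trusts;
    # never use -k here, since the crawler validates the certificate too.
    curl -fsS "https://$domain/.well-known/ssh-known-hosts" >/dev/null || return 1
    # --fail turns a rejected crawl into a non-zero exit; the body carries the reason.
    curl -fsS -X POST https://knownhosts.net --data-urlencode "domain=$domain"
}

# Usage (run on the host itself):
#   publish_and_crawl exe.dev /var/www/html
```

Publishing a CA entry rather than a bare host key is the usual choice when the service rotates host keys or runs on several machines, since the published line stays valid as long as the CA does.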
Log
A log of changes to the knownhosts.net file is maintained at /log. To see the current file in your browser visit /?text.
About
This is a public service I run personally to scratch my own itch. I think ssh is a good way to interact with services, and the only reasonable argument against it is a lack of working PKI. So here it is.
I hope to get the knownhosts.net file published as a package in major Linux distributions. More soon.
To discuss the service you can contact me at david@zentus.com.