Fangtooth: Playing hopscotch with /etc/ssh/ssh_known_hosts

TL;DR: I can see no way to install a /etc/ssh/ssh_known_hosts file that survives Fangtooth’s nightly middleware regeneration run.

My installation uses /etc/ssh/ssh_known_hosts to centrally administer ssh host signatures, to make it less likely that a user will “just click allow” on a rogue server. It turns out that TrueNAS Fangtooth considers this file “unexpected” and removes it when it regenerates the ssh configuration - every night.

The ssh configuration statement to set this is GlobalKnownHostsFile - in ssh_config (client side), not sshd_config. There seems to be no way to add /etc/ssh/ssh_config statements through the System/ssh UI.

While I can run a nightly cron job to restore /etc/ssh/ssh_known_hosts, that’s obviously not how the middleware is intended to run. What facility or trickery am I missing to solve this cleanly?

Well, I don’t know if this is the official answer, but /etc/ssh/ssh_config.d is not auto-reverted by TrueNAS. So add a file in there named my_ssh_hosts.conf and put in it a single line:

GlobalKnownHostsFile /wherever/you/stuck/it/ssh_known_hosts

That gets ssh_known_hosts out of the way of the /etc/ssh rewriter and still makes all the ssh clients consult it by default. Pick any convenient place, as long as it’s world-readable (so all ssh clients can get at it) and only writable by whichever mechanism changes it (ansible in my case).

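A small shell helper that applies the drop-in approach from the answer above and checks the permission rule it calls for (world-readable, writable only by the owner that maintains it). This is an added example, not code from the thread or from TrueNAS; /etc/ssh/ssh_config.d is the directory named in the answer, the known-hosts location is a placeholder, and the `ssh -G` check assumes OpenSSH's `-G` option, which prints the effective client configuration for a host.

```shell
#!/bin/sh
# Added example (not from the forum thread). Paths are parameters so the
# functions can be exercised against a scratch directory; the defaults below
# are assumptions, and HOSTSFILE in particular is a placeholder.
CONFDIR=/etc/ssh/ssh_config.d              # not rewritten by the middleware (per the answer)
HOSTSFILE=/wherever/you/stuck/it/ssh_known_hosts   # placeholder: pick your own location

# install_dropin CONFDIR HOSTSFILE
# Writes CONFDIR/my_ssh_hosts.conf containing the single GlobalKnownHostsFile line.
install_dropin() {
    confdir=$1
    hostsfile=$2
    mkdir -p "$confdir"
    printf 'GlobalKnownHostsFile %s\n' "$hostsfile" > "$confdir/my_ssh_hosts.conf"
    chmod 0644 "$confdir/my_ssh_hosts.conf"
}

# check_hosts_perms HOSTSFILE
# Returns 0 when the file is world-readable and not writable by group or others.
# A group- or world-writable known-hosts file would let any local account plant
# a host key, which defeats the point of administering the file centrally.
check_hosts_perms() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1   # e.g. 644 (GNU stat; Fangtooth is Debian-based)
    other=${mode#"${mode%?}"}               # last octal digit: world permissions
    rest=${mode%?}
    group=${rest#"${rest%?}"}               # second-to-last digit: group permissions
    case $other in 4|5) ;; *) return 1 ;; esac        # world: read, no write
    case $group in 0|1|4|5) ;; *) return 1 ;; esac    # group: no write
    return 0
}

# report_effective HOST
# Shows which global known-hosts file the ssh client will actually consult,
# so a wrong Include order or a typo in the drop-in is caught before relying on it.
report_effective() {
    command -v ssh >/dev/null 2>&1 || { echo "ssh not installed; skipping check"; return 0; }
    ssh -G "$1" | grep -i '^globalknownhostsfile'
}

# Run as root with --install to apply the defaults above; without arguments the
# script only defines the functions (safe to source from another script).
if [ "${1:-}" = "--install" ]; then
    install_dropin "$CONFDIR" "$HOSTSFILE"
    check_hosts_perms "$HOSTSFILE" || echo "WARNING: fix permissions on $HOSTSFILE (expect 0644)"
    report_effective localhost
fi
```
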