This article is from the SSH - Secure Shell FAQ, by Thomas Koenig Thomas.Koenig@ciw.uni-karlsruhe.de with numerous contributions by others.
The central problem of administering ssh is the management of host
keys. To allow a client to connect to a remote host with RSA host
authentication, the server needs to know the client's public key.
You can collect these automatically each night using either
make-ssh-known-hosts.pl (distributed with the ssh source distribution)
or the much faster ssh-keyscan, from ftp://cag.lcs.mit.edu/pub/dm/
(also available from ftp://ftp.cs.hut.fi/ssh/contrib/).
Thomas Koenig has written a script to process output from one of these
utilities, check for new keys, warn about hosts which have changed
their keys (which could be an indication of a man-in-the-middle
attack) and generate a complete new file. This script is available
With these utilities, you can write scripts to verify public keys on a
regular basis. When new machines are running ssh or people have
changed public keys, you may want to contact the people in question
directly, to make sure there were no man-in-the-middle attacks (to
which these utilities are vulnerable).
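The check described above, written out as an added example (this is not Thomas Koenig's script nor any code from the ssh distribution): it parses two files in known_hosts format, the current one and last night's scan output, reports new hosts, hosts whose key changed (the man-in-the-middle warning), and hosts that did not answer, and builds the replacement file. The sample entries and key values are constructed placeholders; the policy of keeping the old key for a changed host until someone confirms the change out of band is this example's assumption, not something the FAQ prescribes.

```python
from typing import Dict, List, Tuple

# Constructed sample data in known_hosts format: host name(s), then the key
# fields. The numbers are made-up placeholders, not real host keys.
OLD_KNOWN_HOSTS = """\
alpha.example.org 1024 35 12345678901234567890
beta.example.org 1024 35 22222222222222222222
gamma.example.org,10.0.0.3 1024 35 33333333333333333333
"""

NEW_SCAN = """\
# comment lines and blank lines are ignored
alpha.example.org 1024 35 12345678901234567890
beta.example.org 1024 35 99999999999999999999
delta.example.org 1024 35 44444444444444444444
"""


def parse_known_hosts(text: str) -> Dict[str, str]:
    """Map each host name to its key material (everything after the host field).
    Comma-separated aliases on one line all map to the same key."""
    keys: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, _, key = line.partition(" ")
        key = " ".join(key.split())  # normalise whitespace between key fields
        for host in hosts.split(","):
            keys[host] = key
    return keys


def compare_scans(old: Dict[str, str], new: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (new_hosts, changed_hosts, missing_hosts) relative to the old file.
    A changed key is the case that needs out-of-band confirmation."""
    new_hosts = sorted(h for h in new if h not in old)
    changed = sorted(h for h in new if h in old and new[h] != old[h])
    missing = sorted(h for h in old if h not in new)
    return new_hosts, changed, missing


def merge(old: Dict[str, str], new: Dict[str, str]) -> str:
    """Build the replacement file: add new hosts, keep hosts that did not answer
    this run, and keep the OLD key for any host whose key changed (assumed policy:
    a changed key is never accepted automatically)."""
    merged = dict(old)
    for host, key in new.items():
        if host not in old:
            merged[host] = key
    return "".join(f"{h} {k}\n" for h, k in sorted(merged.items()))
```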
A fingerprint scheme (equivalent to PGP fingerprints) has been
proposed to make this easier; it will probably be implemented in the