Why is exposing known_hosts dangerous?
I have been looking into automating builds using Git and Docker. One of the tools I find useful is ssh-keyscan which adds the result to known_hosts and allows you to bypass the ‘fingerprint’ prompt when cloning a repository for the first time.
I read a comment which pretty much says that exposing this file is dangerous. I thought keyscan just adds a bunch of public keys to your known_hosts file. Why is this dangerous if anyone sees this – can they not get the exact same public keys using the same tool?
I would have thought that in the link, adding a private ssh key to the Docker container would be the dangerous part since this is the part you aren’t meant to share.
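The fingerprint prompt that ssh-keyscan output bypasses is a comparison of the host key's hash with a value obtained out of band; a build can keep that comparison by checking scanned entries against pinned fingerprints before appending them to known_hosts. The sketch below is an added example, not code from the original post: the host name `git.example.test`, the key blobs and the pin table are constructed for illustration.

```python
import base64
import hashlib
import struct

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """Yield (hosts, keytype, fingerprint) for each known_hosts entry."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue                      # blank line or comment
        if fields[0].startswith("@"):     # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue                      # malformed entry
        hosts, keytype, blob = fields[:3]
        yield hosts.split(","), keytype, fingerprint(blob)

def check_pins(text, pins):
    """Return (host, keytype, fingerprint) for entries that do not match a pin.

    A host with no pin at all is reported too, so nothing is trusted by default.
    """
    return [(h, kt, fp)
            for hosts, kt, fp in parse_known_hosts(text)
            for h in hosts
            if pins.get((h, kt)) != fp]

def constructed_blob(seed):
    """Build a syntactically valid ssh-ed25519 blob from arbitrary bytes (not a real host key)."""
    key, kt = hashlib.sha256(seed).digest(), b"ssh-ed25519"
    raw = struct.pack(">I", len(kt)) + kt + struct.pack(">I", len(key)) + key
    return base64.b64encode(raw).decode()

# Constructed sample data: one expected key, one different key for the same host.
GOOD = constructed_blob(b"expected")
OTHER = constructed_blob(b"substituted")
SCAN = f"# constructed scan output\ngit.example.test ssh-ed25519 {GOOD}\n"
SUBSTITUTED = f"git.example.test ssh-ed25519 {OTHER}\n"
PINS = {("git.example.test", "ssh-ed25519"): fingerprint(GOOD)}  # obtained out of band

if __name__ == "__main__":
    print("matching scan:", check_pins(SCAN, PINS))
    print("different key:", check_pins(SUBSTITUTED, PINS))
```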