Inject a temporary SSH host key via cloud-init, use it briefly to retrieve long-term host keys, eliminating TOFU risk on first connection.
Key Takeaways
Standard TOFU (accepting an unknown host fingerprint at the prompt) leaves you exposed to a MitM proxy on the very first SSH session.
Injecting a long-term private key via cloud-init fixes TOFU but leaks key material through the metadata service (e.g. curl http://169.254.169.254/hetzner/v1/userdata).
This technique injects only a temporary key, uses it once to bootstrap trust, then discards it – private key material is never valuable when exposed.
Works on any cloud-init-capable provider (Hetzner, etc.) without proprietary vendor tooling; cloud-init support is near-universal.
Script uses OpenSSH key rotation to write long-term host keys to known_hosts, avoiding direct injection of VM-supplied data into ssh’s parser.
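The bootstrap flow summarised above, written out as an added shell example; this is not the post's own script. It assumes OpenSSH 6.8 or newer on both ends (the hostkeys-00@openssh.com rotation extension), sshd listening on port 22, an image whose cloud-init has the `ssh_keys` module, a Debian/Ubuntu-style `ssh`/`sshd` service name and a login user with sudo. Every path, address and constructed key value below is ours, not the post's. The throwaway key is installed as the VM's ed25519 host key; cloud-init still generates the other key types on the VM, and those are the long-term keys that ssh records by itself during the first verified connection.

```shell
#!/bin/sh
# Added example (not the original post's script): bootstrap SSH host-key trust for a fresh
# cloud VM with a throwaway host key delivered through cloud-init, then retire that key.
# Assumptions: OpenSSH >= 6.8 on both ends (hostkeys-00@openssh.com), sshd on port 22,
# cloud-init's `ssh_keys` module on the image, a Debian/Ubuntu-style service name, sudo.
set -eu

# Generate the throwaway ed25519 host key locally. It stays "private" only until the VM
# boots: cloud-init user-data is readable from the metadata service, so it is disposable.
gen_bootstrap_key() {  # $1 = private key path ($1.pub receives the public half)
  ssh-keygen -q -t ed25519 -N '' -C 'bootstrap-hostkey' -f "$1"
}

# Render cloud-init user-data that installs the throwaway key as the VM's ed25519 host key.
# cloud-init still generates the other key types (rsa, ecdsa) on the VM; those never leave
# the VM and become the long-term keys we want in known_hosts.
make_user_data() {  # $1 = private key path, $2 = public key path
  printf '#cloud-config\nssh_keys:\n  ed25519_private: |\n'
  sed 's/^/    /' "$1"
  printf '  ed25519_public: %s\n' "$(cut -d' ' -f1,2 "$2")"
}

# Seed a dedicated known_hosts with the bootstrap key only, so the first connection is
# verified against a key we made ourselves and StrictHostKeyChecking=yes never prompts.
seed_known_hosts() {  # $1 = host, $2 = public key path, $3 = known_hosts path
  printf '%s %s\n' "$1" "$(cut -d' ' -f1,2 "$2")" > "$3"
}

# Count known_hosts lines that are NOT the bootstrap key, i.e. long-term keys learned so far.
count_longterm_keys() {  # $1 = known_hosts path, $2 = public key path
  awk -v k="$(cut -d' ' -f2 "$2")" 'index($0, k) == 0 && NF >= 3 { n++ } END { print n + 0 }' "$1"
}

# Drop the bootstrap key from the local known_hosts once it has been retired on the VM.
retire_local_key() {  # $1 = known_hosts path, $2 = public key path
  awk -v k="$(cut -d' ' -f2 "$2")" 'index($0, k) == 0' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Phase 1 (before creating the VM): key plus user-data for the provider's create call.
prepare_bootstrap() {  # $1 = private key path, $2 = user-data output path
  gen_bootstrap_key "$1"
  make_user_data "$1" "$1.pub" > "$2"
}

# Phase 2 (after the VM is up): one strictly verified connection with UpdateHostKeys=yes,
# during which sshd announces its other host keys and ssh appends them to known_hosts
# itself (no VM output is pasted into the file); then retire the now-public bootstrap key
# on the VM and locally.
finish_bootstrap() {  # $1 = user@host, $2 = private key path, $3 = known_hosts path
  host="${1#*@}"
  seed_known_hosts "$host" "$2.pub" "$3"
  ssh -o StrictHostKeyChecking=yes -o UpdateHostKeys=yes -o UserKnownHostsFile="$3" "$1" true
  # Refuse to discard the bootstrap key until ssh has actually recorded a long-term key.
  [ "$(count_longterm_keys "$3" "$2.pub")" -ge 1 ] || {
    echo "no long-term host key learned; does the server support hostkeys-00?" >&2; return 1; }
  ssh -o StrictHostKeyChecking=yes -o UpdateHostKeys=yes -o UserKnownHostsFile="$3" "$1" \
    'sudo rm -f /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_ed25519_key.pub &&
     sudo ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key &&
     (sudo systemctl restart ssh 2>/dev/null || sudo systemctl restart sshd)'
  retire_local_key "$3" "$2.pub"
}

case "${1:-}" in
  prepare) prepare_bootstrap "$2" "$3" ;;      # prepare ./bootstrap_key ./user-data.yaml
  finish)  finish_bootstrap "$2" "$3" "$4" ;;  # finish root@203.0.113.10 ./bootstrap_key ./known_hosts.vm
esac
```

Run `prepare` first, hand the generated user-data to the provider when creating the server (for Hetzner's CLI that is the `--user-data-from-file` option of `hcloud server create`), then run `finish` with the new address once sshd is up. The order in `finish_bootstrap` matters: the long-term keys are only written by ssh after authentication, so the script checks that at least one non-bootstrap line exists before it deletes and regenerates the ed25519 key on the VM; otherwise retiring the bootstrap key would leave no trusted key at all. From then on the client verifies the host against the rsa/ecdsa keys it learned (OpenSSH prefers key types it already knows for a host) and picks up the regenerated ed25519 key through the same rotation mechanism, while the key that anyone can read from the metadata service no longer matches anything sshd offers. If sshd is not on port 22, the seeded known_hosts line must use the `[host]:port` form instead.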