May 10, 2026
SSH and the Chamber of Hot Takes
Stop MitM on the first SSH connection, on any VPS or cloud provider
New cloud login trick has commenters fighting over whether this is genius or Security 101
TLDR: A new script aims to make the very first login to a new cloud server safer, closing a common “just click yes” security hole without relying on special provider tools. Commenters split fast: some hailed it as a smart real-world fix, while others dismissed it as something serious admins should already solve another way.
A tiny script about logging into a fresh server safely somehow turned into a full-on security cage match. The idea is simple in human terms: when you first connect to a brand-new rented computer online, you usually get a scary warning and many people just click “yes” and hope for the best. This script tries to kill that risky moment by using a temporary trusted key just long enough to fetch the server’s real identity, without leaving valuable secrets lying around in setup data. In other words: no blind trust, less chance of getting tricked by a fake middleman.
The comments, however, were absolutely not content to quietly clap. One camp called it a clever, practical fix for people spinning up lots of cheap cloud machines on providers that don’t offer fancy built-in protections. Another camp basically rolled in saying, “Cute, but serious people already handle this through the console,” which is the security equivalent of telling everyone they should have packed a parachute in the first place. Then came the trust-root crowd yelling “use a certificate authority,” while others were baffled that providers still don’t just show server fingerprints in their dashboards like normal adults.
The most dramatic thread twist? A commenter brought up nation-state attackers, escalating the vibe from “helpful script” to “spy thriller.” The running joke beneath it all: the real enemy may be the ancient internet ritual of clicking “yes” on a warning nobody reads.
Key Points
- The article describes a provider-independent technique for securing the first SSH connection to a new VM using cloud-init and a temporary SSH host key.
- The method avoids Trust On First Use by authenticating an initial connection with a temporary host key, then generating and retrieving the VM’s long-term SSH host keys.
- The article argues that injecting long-term SSH host private keys through cloud-init is dangerous because cloud-init user-data may be readable from metadata services or exposed through SSRF, provider systems, or workstation compromise.
- The temporary host key is stored only in a temporary directory and is never added to `~/.ssh/known_hosts`, reducing the risk of accidental reuse.
- The threat model claims protection against network attackers, later disclosure of cloud-init user-data, and some workstation or provider compromise scenarios, assuming OpenSSH remains secure.
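
A sketch of the flow summarized in the key points above, added here as an illustration; it is not the script the article describes. The function names, the `root` login, and the choice of cloud-init's `ssh_keys` setting and `ssh-keygen -A` for the key rotation are assumptions.

```shell
#!/usr/bin/env bash
# Added illustration: function names, paths and the root login are assumptions.
set -eu

# Create a throwaway ed25519 host key pair inside a private temp directory.
make_temp_host_key() {            # $1 = temp dir
  ssh-keygen -q -t ed25519 -N '' -C temp-host-key -f "$1/temp_host_key"
}

# Emit cloud-init user-data that installs only the temporary host key.
make_user_data() {                # $1 = private key file, $2 = public key file
  printf '#cloud-config\nssh_keys:\n  ed25519_private: |\n'
  sed 's/^/    /' "$1"
  printf '  ed25519_public: %s\n' "$(cat "$2")"
}

# known_hosts entry pinning the temporary key to the new VM's address.
known_hosts_line() {              # $1 = host, $2 = public key file
  printf '%s %s\n' "$1" "$(cut -d' ' -f1,2 "$2")"
}

# Options for the first connection: trust nothing except the temp file.
first_ssh_opts() {                # $1 = temporary known_hosts file
  printf '%s\n' "-o UserKnownHostsFile=$1" "-o GlobalKnownHostsFile=/dev/null" \
    "-o StrictHostKeyChecking=yes" "-o HostKeyAlgorithms=ssh-ed25519"
}

# Turn public keys printed by the VM into entries for the real known_hosts.
long_term_entries() {             # $1 = host; stdin = "type base64 [comment]" lines
  awk -v h="$1" '$1 ~ /^(ssh-|ecdsa-)/ && NF >= 2 { print h, $1, $2 }'
}

bootstrap() {                     # $1 = address the new VM will have
  local tmp keys; tmp=$(mktemp -d)
  trap "rm -rf '$tmp'" EXIT       # the temporary key never outlives this run
  make_temp_host_key "$tmp"
  make_user_data "$tmp/temp_host_key" "$tmp/temp_host_key.pub" > "$tmp/user-data"
  echo "Create the VM with $tmp/user-data, then press Enter"; read -r _unused
  known_hosts_line "$1" "$tmp/temp_host_key.pub" > "$tmp/known_hosts"
  # Authenticated by the temp key: rotate host keys, print the new public ones.
  keys=$(ssh $(first_ssh_opts "$tmp/known_hosts") "root@$1" \
    'rm -f /etc/ssh/ssh_host_*; ssh-keygen -A >/dev/null; cat /etc/ssh/ssh_host_*_key.pub;
     (systemctl restart ssh || systemctl restart sshd) >/dev/null 2>&1')
  printf '%s\n' "$keys" | long_term_entries "$1" >> "$HOME/.ssh/known_hosts"
}

if [ "${1:-}" = bootstrap ]; then bootstrap "$2"; fi
```

Only the long-term public keys fetched over the authenticated session reach `~/.ssh/known_hosts`; the temporary key and its pin are deleted with the temp directory.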