How do you securely retrieve the ssh host keys from a google compute engine instance?


Jeff Frontz

Aug 13, 2018, 5:52:51 PM8/13/18
to gce-discussion
[question also posed on serverfault]

I want to update my ~/.ssh/known_hosts with the host key information for a newly created GCE instance. But I'm not sure how to securely retrieve that information.

I thought something like

gcloud compute ssh <GCEUSER>@<GCEHOST> --command='ssh-keyscan 127.0.0.1'

might work. But that (per the gcloud compute ssh documentation) appears to just be a wrapper for ssh (and, based on seeing StrictHostKeyChecking=no in the parameters listed in the associated log file under $HOME/.config/gcloud/logs/, it apparently isn't doing any sort of checking on the host's identity).

There does seem to be a way to use the web console to launch a browser-based ssh session (and interactively/manually run ssh-keyscan), but 1) I can't see the internals to know if it really is as secure as it should be and 2) it isn't an effective API for script integration.

Is there an API/gcloud mechanism for securely retrieving the GCE instance's host key?

Thanks,
Jeff
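The core of the problem above is that ssh-keyscan (and gcloud compute ssh with StrictHostKeyChecking=no) fetches the host key over an unauthenticated channel, so the key has to be cross-checked against something obtained through a channel you already trust before it is written to ~/.ssh/known_hosts. The script below is an added example, not code from the thread or from Google: it parses ssh-keyscan output, computes the OpenSSH-style SHA256 fingerprint of each key (the same value ssh-keygen -l -E sha256 prints), compares it with a fingerprint supplied out-of-band, and emits known_hosts lines only for keys that match. The host address, the key bytes and the fingerprint are constructed for the example; where the trusted fingerprint comes from is your decision (for instance the instance's serial console output via gcloud compute instances get-serial-port-output, if your image prints host key fingerprints at boot, or the browser-based session Jeff mentions).

```python
"""Cross-check an ssh-keyscan'd host key against an out-of-band fingerprint.

Added example, not part of the original thread. Assumptions:
  - SCANNED is the stdout of `ssh-keyscan -t ed25519 <host>`; here it is a
    constructed sample built from dummy key bytes, not a real GCE host key.
  - The trusted fingerprint (dict keyed by key type) was obtained through a
    channel you trust; this script does not fetch it for you.
"""
import base64
import hashlib


def ssh_wire_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


# Constructed sample: an ssh-ed25519 public key blob whose 32 key bytes are
# simply 0x00..0x1f. Only the encoding is realistic; this is not a real key.
SAMPLE_KEY_BYTES = bytes(range(32))
SAMPLE_BLOB = base64.b64encode(
    ssh_wire_string(b"ssh-ed25519") + ssh_wire_string(SAMPLE_KEY_BYTES)
).decode()
SAMPLE_HOST = "203.0.113.10"  # constructed documentation address
SCANNED = (
    f"# {SAMPLE_HOST}:22 SSH-2.0-OpenSSH_7.4\n"  # keyscan banner (stderr if not merged)
    f"{SAMPLE_HOST} ssh-ed25519 {SAMPLE_BLOB}\n"
)


def parse_keyscan(output: str) -> list[tuple[str, str, str]]:
    """Parse ssh-keyscan output into (host, keytype, base64 blob) tuples.

    Blank lines and '#' banner lines are skipped; anything else with fewer
    than three fields is treated as corruption rather than silently dropped.
    """
    keys = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed ssh-keyscan line: {line!r}")
        keys.append((parts[0], parts[1], parts[2]))
    return keys


def sha256_fingerprint(blob_b64: str) -> str:
    """OpenSSH SHA256 fingerprint: 'SHA256:' + unpadded base64 of sha256(raw blob)."""
    raw = base64.b64decode(blob_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_scanned_keys(output: str, trusted_fps: dict[str, str]) -> tuple[list[str], list[str]]:
    """Return (known_hosts lines for verified keys, mismatch messages).

    A key type with no trusted fingerprint is skipped: an unverified key is
    never written. A mismatch is reported rather than raised so the caller
    can refuse to touch known_hosts at all when any key disagrees.
    """
    ok_lines, mismatches = [], []
    for host, keytype, blob in parse_keyscan(output):
        trusted = trusted_fps.get(keytype)
        if trusted is None:
            continue
        actual = sha256_fingerprint(blob)
        if actual != trusted:
            mismatches.append(f"{host} {keytype}: scanned {actual}, trusted {trusted}")
            continue
        ok_lines.append(f"{host} {keytype} {blob}")
    return ok_lines, mismatches


if __name__ == "__main__":
    # Stand-in for the fingerprint you read out-of-band; here derived from the
    # constructed sample so the demo is self-contained.
    trusted = {"ssh-ed25519": sha256_fingerprint(SAMPLE_BLOB)}
    lines, bad = verify_scanned_keys(SCANNED, trusted)
    if bad:
        raise SystemExit("refusing to update known_hosts:\n" + "\n".join(bad))
    for line in lines:
        print(line)  # append these to ~/.ssh/known_hosts
```

Pipe the real ssh-keyscan output into verify_scanned_keys and only append the returned lines when the mismatch list is empty; if you want hashed known_hosts entries, run ssh-keygen -H over the file afterwards rather than hashing here.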

Rahi (Google Cloud Support)

Aug 13, 2018, 6:45:57 PM8/13/18
to gce-discussion
Hello Jeff,

"gcloud command" or "API" will only retrieve information related to the specific project or Google products, such as instance metadata from a GCE instance. It is not possible to retrieve an instance's configuration such as host keys via the gcloud command or API.

Jeff Frontz

Aug 13, 2018, 6:49:14 PM8/13/18
to gce-discussion
Thanks, Rahi--- what is the proper way to securely retrieve the host key for a GCE instance?

Rahi (Google Cloud Support)

Aug 15, 2018, 4:01:39 PM8/15/18
to gce-discussion
Hello Jeff,

I could see that you have reported the same issue at serverfault. I will answer your query there for more visibility.