Similar to what is done for servers (from PuppetDB data), it would be great to generate an authoritative ssh_known_hosts file for network devices.
As the devices don't change often and the list is short, it's okay to have something only semi-automatic.
Some of the ideas (from IRC and elsewhere):
- Get the list of devices from Netbox
- Use ssh-keyscan; main limitation: it doesn't use ssh's ProxyCommand
- Have a script in puppet/utils that generates the file, then manually commit updates via Gerrit
- Have that script on puppetmaster (committing to puppet-private) or cumin (to a regular file) to work around ssh-keyscan limitations
- Store the devices' pubkeys in a Netbox custom field (manually updated)
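
One way to do the semi-automatic step, as an added example (not an existing script from this task): parse ssh-keyscan output, compare it with the committed file, and list added, changed and unexpected keys so a person can verify them before committing via Gerrit. The device set stands in for a Netbox export; hostnames and key strings are constructed placeholders, and only plain (unhashed) entries are handled.

```python
def parse_keys(text):
    """Parse 'host keytype base64key' lines into {(host, keytype): key}."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, ssh-keyscan '#' banner lines and malformed entries.
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        for host in fields[0].split(","):
            keys[(host, fields[1])] = fields[2]
    return keys


def diff_keys(current, scanned, devices):
    """Classify scanned keys against the committed file and the inventory."""
    report = {"added": [], "changed": [], "removed": [], "unexpected": []}
    for ident, key in sorted(scanned.items()):
        if ident[0] not in devices:
            report["unexpected"].append(ident)  # answered, but not in inventory
        elif ident not in current:
            report["added"].append(ident)
        elif current[ident] != key:
            report["changed"].append(ident)  # confirm out of band before commit
    report["removed"] = sorted(i for i in current if i not in scanned)
    return report


def render(keys, devices):
    """Sorted output, inventory hosts only, so the review diff stays minimal."""
    return "".join(f"{h} {t} {k}\n" for (h, t), k in sorted(keys.items()) if h in devices)


# Constructed sample data: hypothetical hostnames, placeholder key strings.
DEVICES = {"cr1.example.org", "asw1.example.org"}  # stands in for a Netbox export
CURRENT = (
    "asw1.example.org ssh-ed25519 AAAAexampleKEY2\n"
    "cr1.example.org ssh-ed25519 AAAAexampleKEY1\n"
)
SCANNED = (
    "# cr1.example.org:22 SSH-2.0-OpenSSH_8.4\n"
    "cr1.example.org ssh-ed25519 AAAAexampleKEY1\n"
    "asw1.example.org ssh-ed25519 AAAAexampleKEY9\n"
    "asw1.example.org ssh-rsa AAAAexampleKEY3\n"
    "rogue.example.org ssh-ed25519 AAAAexampleKEY4\n"
)

if __name__ == "__main__":
    scanned = parse_keys(SCANNED)
    for kind, idents in diff_keys(parse_keys(CURRENT), scanned, DEVICES).items():
        print(kind, idents)
    print(render(scanned, DEVICES), end="")
```

ssh-keyscan does not authenticate the keys it collects, so the "changed" and "added" entries are the ones to check against the device itself before the update is committed.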