I am aware that running ssh-keyscan
on a remote host doesn't prove that the remote host is indeed the one you are trying to connect to, only that it's the same one each time, but what about if I run ssh-keyscan localhost
on that host beforehand, and add that info to my known hosts manually?
Is there any way that that can be spoofed too?
What if I do ssh-keyscan 127.0.0.1
?