diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 20315bf..749d007 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -216,6 +216,7 @@ puppetdbsql: puppetdbsql.service.au-syd1.consul prometheus::node_exporter::export_scrape_job: true prometheus::systemd_exporter::export_scrape_job: true +ssh::server::storeconfigs_enabled: false ssh::server::options: Protocol: '2' ListenAddress: @@ -244,6 +245,9 @@ ssh::server::options: - XMODIFIERS Subsystem: sftp /usr/libexec/openssh/sftp-server +profiles::ssh::knownhosts::lines: + - '@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1HD97vYxLTniE4qNpGuftUlvmkEXIuX8+7nbENv/IzsGUghEDRtyThjQ7ojNKIsQ7f8wXr0gMcI+fAPfrbcOMHCAoYMomikwL0b3h95SZI40q3CyM+0DMnwiVVDX6C1QxkO2Rv9cszSkCa85NotJhXiUuTBI9BFcRPy+mAhbpAru+bfypYofI0wW97XNTl8Jgwmni5MgutBIQAokFIn5ux8iWxndCH3AqDtmkwC5DfQeQ+wZx7rkwqJEpJffQzrjb1gIM6P9hDCVBBVPh/3o80IJ69rFWrJAZUb+JpG4cXJH0NcSW+wqc3JCT/x3q8VlHwOTXSlNNKtOJCRx73mB8e1XTTy2a9FgpKDDg5XQXWHAViJDz1RTRL9gRefMylRgKz4bXoTuY9kJWM8hPTyUejtukbJThlBJc3OmDxBZBF7F0iqB11pHexok43OCEiANodVa36eWu9/5X032Vm48fZ1/akDPY/NSy3wAn7kwut+A0/JAHFHASrq+1mt9YurkJegI+YHXO6eEWpBIpmI7ORHJbGL4MhkHrxYzVamuP8CkU7tXzsv138+wpOcRHNp9yJY4PT40BZkRf/O3O+jt3pj9Dj8rvgywF2W6hFzywh3Y78upOprRkQlQtHfsI8EyrYI8/hUw2u3H+3yPXh3YjWfqvWVG1BRLRHBV7m90uaw==' + profiles::base::groups::local: admins: ensure: present diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index eb5a1f6..e050581 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -33,6 +33,7 @@ class profiles::base ( include profiles::dns::base include profiles::pki::vault include profiles::ssh::sign + include profiles::ssh::knownhosts include profiles::cloudinit::init include profiles::metrics::default include profiles::helpers::node_lookup diff --git a/site/profiles/manifests/ssh/knownhosts.pp b/site/profiles/manifests/ssh/knownhosts.pp new file mode 100644 index 0000000..aeff1c6 --- /dev/null 
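Review bot: The new `ssh::server::storeconfigs_enabled: false` line in the first common.yaml hunk carries no explanation, and its effect is not visible from the hieradata alone. If this is the saz/ssh module, that flag controls whether exported `sshkey` resources are collected, and those resources write the same `/etc/ssh/ssh_known_hosts` that the new `profiles::ssh::knownhosts` file resource now owns with a fixed `content`, so re-enabling it would make the two fight over the file every run. A comment above the key would make that coupling explicit for whoever turns it back on, e.g. `# /etc/ssh/ssh_known_hosts is fully managed by profiles::ssh::knownhosts; collecting exported sshkey resources would conflict with it`.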
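Review bot: The `@cert-authority *` entry in the second common.yaml hunk trusts this CA for every destination hostname, so any host certificate it signs is accepted wherever a client connects, including hosts outside this fleet, and a certificate issued with an empty principal list would be honoured for any address. Narrow the host pattern to the domains the CA actually issues certificates for, e.g. `'@cert-authority *.service.au-syd1.consul,<INTERNAL-DOMAIN> ssh-rsa <CA-PUBLIC-KEY>'` (placeholders), so an over-permissive or compromised CA cannot vouch for arbitrary hosts. The hieradata shows `au-syd1.consul` names, but which domains the CA covers cannot be determined from this diff, so the exact pattern needs confirming with whoever operates the CA.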
+++ b/site/profiles/manifests/ssh/knownhosts.pp
@@ -0,0 +1,12 @@
+# manage known hosts
+class profiles::ssh::knownhosts (
+ Array $lines = [],
+) {
+ file {'/etc/ssh/ssh_known_hosts':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => template('profiles/ssh/ssh_known_hosts.erb'),
+ }
+}
diff --git a/site/profiles/templates/ssh/ssh_known_hosts.erb b/site/profiles/templates/ssh/ssh_known_hosts.erb
new file mode 100644
index 0000000..069e17b
--- /dev/null
+++ b/site/profiles/templates/ssh/ssh_known_hosts.erb
@@ -0,0 +1,4 @@
+# this file is managed by puppet
+<% @lines.each do |line| -%>
+<%= line %>
+<% end -%>
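Review bot: `Array $lines = []` in knownhosts.pp accepts any element type, so a nested array or a hash in hieradata would only show up as garbage inside `/etc/ssh/ssh_known_hosts` rather than as a catalog compile error; tighten it to `Array[String] $lines = []`. The class also has no parameter description — replace the `# manage known hosts` header with a Puppet Strings comment along the lines of `# @param lines known_hosts entries written verbatim, one per line, to /etc/ssh/ssh_known_hosts; the file is fully managed, so entries not listed here are removed`. With the default value the file contains only the template's header comment, which silently discards any previously collected host keys on nodes where this profile is first applied, and that is worth stating in the same comment.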