From now on, C&CZ signs the SSH keys of e.g. loginservers and compute clusternodes. That makes it possible for users, as explained on that page, to add the public signing key in the private .ssh/known_hosts, which makes one trust all C&CZ signed SSH servers. Whenever C&CZ deploys a new ‘lilo’, the question whether this might be spoofing will not occur then.