ssh-keyscan may not be a good idea in all cases.
Currently we call @ssh-keyscan@ before presenting the "marginal UI". But in certain circumstances, @ssh-keyscan@ may fail (this is bug #676 (closed)). Worse, perhaps, in other circumstances it may time out, delaying the ssh connection. It may even succeed, but on a high-latency link when we would rather not have the overhead of two connections.
I currently lack a proposed solution.
(from redmine: created on 2009-07-11)