diff --git a/playbooks/roles/add-inventory-known-hosts/tasks/main.yaml b/playbooks/roles/add-inventory-known-hosts/tasks/main.yaml
index e8dbb24aa8..9f427c9e5d 100644
--- a/playbooks/roles/add-inventory-known-hosts/tasks/main.yaml
+++ b/playbooks/roles/add-inventory-known-hosts/tasks/main.yaml
@@ -29,3 +29,12 @@
     group: root
     mode: 0644
     create: yes
+
+# Disable writing out known_hosts globally on the bastion host.
+# Nothing on this host should be connecting to somewhere not codified
+# above; this prevents us possibly hiding that by caching values.
+- name: Disable known_hosts caching
+  lineinfile:
+    path: /etc/ssh/ssh_config
+    regexp: 'UserKnownHostsFile'
+    line: ' UserKnownHostsFile /dev/null'
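Review bot: The new `lineinfile` task stops ssh from caching host keys but leaves the default `StrictHostKeyChecking ask` in place, so a connection to a host that is not codified is not refused — an operator at a tty is prompted and can still proceed (just prompted again next time), and a non-interactive run fails only as a side effect of having no tty. If the intent stated in the comment is that nothing on the bastion may reach an uncodified host, pair the directive with `StrictHostKeyChecking yes` so such connections are rejected outright. Two smaller points on the same lines: `regexp: 'UserKnownHostsFile'` is unanchored and will also match a commented `#   UserKnownHostsFile` example line if the distro ships one, so anchoring it (`'^\s*#?\s*UserKnownHostsFile\b'`) makes the replacement deliberate; and because ssh takes the first value obtained, a directive appended at EOF can be overridden by `Include`d drop-ins or scoped to whatever `Host`/`Match` stanza ends the file — worth confirming on the target image (cannot tell from this hunk). Note also that `UserKnownHostsFile /dev/null` discards per-user known_hosts entirely, so the entries written by the tasks above this hunk must be going to the global file (`/etc/ssh/ssh_known_hosts`) for them to remain usable; the preceding task's `path` is outside the hunk, so please verify.

```yaml
# … unchanged: explanatory comment block …
- name: Disable known_hosts caching and require codified host keys
  lineinfile:
    path: /etc/ssh/ssh_config
    regexp: '^\s*#?\s*{{ item.key }}\b'
    line: '    {{ item.key }} {{ item.value }}'
  loop:
    - { key: UserKnownHostsFile, value: /dev/null }
    - { key: StrictHostKeyChecking, value: 'yes' }
```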