John Carver's picture

First you have to select a file that is guaranteed to be present in all appliances and is generated at build-time.  inithooks.conf wouldn't work for me because it isn't generated for my Ansible appliance (possibly this is a bug, but it didn't seem necessary).

Second, you have to allow for some time variation because all build-time timestamps are not the same.  For example, the following is a listing of my ssh key timestamps.

-rw-r--r--  1 root root 1.7K Jun 29 21:34 ssh_config
-rw-------  1 root root  668 Jul 26 02:11 ssh_host_dsa_key
-rw-r--r--  1 root root  602 Jul 26 02:11 ssh_host_dsa_key.pub
-rw-------  1 root root  227 Jul 26 01:55 ssh_host_ecdsa_key
-rw-r--r--  1 root root  186 Jul 26 01:55 ssh_host_ecdsa_key.pub
-rw-------  1 root root 1.7K Jul 26 02:11 ssh_host_rsa_key
-rw-r--r--  1 root root  394 Jul 26 02:11 ssh_host_rsa_key.pub
-rw-r--r--  1 root root 2.5K Jul 26 01:56 sshd_config

Here the build started sometime before 1:55, sshd_config was updated during build at 1:56, and first-boot occurred a few minutes later about 2:11.

Is there any reason why we would expect the user@hostname to be different for the three keys, rsa, dsa, and ecdsa?  All three keys should have been rebuilt during first-boot with the then-current hostname.  If the hostname changes later, the three keys should still match.  However, if the hotfix regens only the ecdsa key and the hostname has changed, then the keys will still not match.  The only way to guarantee matching keys would be to have the hotfix regen all three keys.  Because of the difficulty in achieving consistent results, I would recommend not issuing another hotfix.  By now, every TKLdev user should be aware of the problem.

Information is free, knowledge is acquired, but wisdom is earned.
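The timestamp comparison described in the post above, as an added example that is not part of the original post or of any TurnKey code: it labels each host key as shipped with the image or regenerated, based on how close its mtime is to a build-time reference file. Using sshd_config as the reference, the 300-second tolerance, the function names and the year in the constructed fixture are all assumptions.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

HOST_KEYS = ("ssh_host_rsa_key", "ssh_host_dsa_key", "ssh_host_ecdsa_key")

def audit_host_keys(ssh_dir, reference="sshd_config", tolerance_s=300):
    """Label each host key 'build-time', 'regenerated' or 'missing'.

    A key whose mtime lies within tolerance_s of the reference file's mtime is
    taken to have shipped in the image. Reference and tolerance are assumptions.
    """
    ssh_dir = Path(ssh_dir)
    ref_mtime = (ssh_dir / reference).stat().st_mtime
    report = {}
    for name in HOST_KEYS:
        path = ssh_dir / name
        if not path.is_file():
            report[name] = "missing"
        elif abs(path.stat().st_mtime - ref_mtime) <= tolerance_s:
            report[name] = "build-time"
        else:
            report[name] = "regenerated"
    return report

def build_sample_dir(root):
    """Constructed fixture: empty files with the mtimes from the listing (year assumed)."""
    stamps = {
        "sshd_config": (1, 56),         # updated during build
        "ssh_host_ecdsa_key": (1, 55),  # generated during build
        "ssh_host_dsa_key": (2, 11),    # regenerated at first boot
        "ssh_host_rsa_key": (2, 11),    # regenerated at first boot
    }
    for name, (hour, minute) in stamps.items():
        path = Path(root) / name
        path.touch()
        ts = datetime(2013, 7, 26, hour, minute, tzinfo=timezone.utc).timestamp()
        os.utime(path, (ts, ts))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for key, status in audit_host_keys(build_sample_dir(tmp)).items():
            print(f"{key}: {status}")
```

The tolerance has to stay below the gap between build and first boot (about 15 minutes in the listing), and the result is unreliable once the reference file has been edited after deployment.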