(bugfix) Use service-level known_hosts for generated SSH keys

When a selected SSH credential has no pinned known_hosts entries, create
and use a pobsync service-level known_hosts file under POBSYNC_HOME/state.

Pass UserKnownHostsFile and StrictHostKeyChecking=accept-new to SSH so
unattended backups no longer depend on root's known_hosts or an
interactive shell session.

Keep pinned credential known_hosts behavior unchanged when entries are
configured explicitly.

src/pobsync_backend/config_source.py

@@ -40,6 +40,11 @@ def _attach_credential_options(config: dict[str, Any], credential: SshCredential
         options.append(f"-oIdentityFile={paths['identity_file']}")
     if paths.get("known_hosts") and not _has_ssh_option(options, "UserKnownHostsFile"):
         options.append(f"-oUserKnownHostsFile={paths['known_hosts']}")
+    if paths.get("accept_new_known_hosts"):
+        if not _has_ssh_option(options, "UserKnownHostsFile"):
+            options.append(f"-oUserKnownHostsFile={paths['accept_new_known_hosts']}")
+        if not _has_ssh_option(options, "StrictHostKeyChecking"):
+            options.append("-oStrictHostKeyChecking=accept-new")
     ssh["options"] = options
     config["ssh_credential"] = {
         "id": credential.pk,
@@ -69,6 +74,12 @@ def _materialize_credential(credential: SshCredential) -> dict[str, str]:
         known_hosts.write_text(_with_trailing_newline(credential.known_hosts), encoding="utf-8")
         os.chmod(known_hosts, 0o600)
         result["known_hosts"] = str(known_hosts)
+    else:
+        known_hosts = paths.state_dir / "known_hosts"
+        known_hosts.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
+        known_hosts.touch(mode=0o600, exist_ok=True)
+        os.chmod(known_hosts, 0o600)
+        result["accept_new_known_hosts"] = str(known_hosts)
     return result