]>
Commit | Line | Data |
---|---|---|
1b56ff3d | 1 | .\" $OpenBSD: ssh-keyscan.1,v 1.18 2004/07/12 23:34:25 brad Exp $ |
3c0ef626 | 2 | .\" |
3 | .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. | |
4 | .\" | |
5 | .\" Modification and redistribution in source and binary forms is | |
6 | .\" permitted provided that due credit is given to the author and the | |
7 | .\" OpenBSD project by leaving this copyright notice intact. | |
8 | .\" | |
9 | .Dd January 1, 1996 | |
10 | .Dt SSH-KEYSCAN 1 | |
11 | .Os | |
12 | .Sh NAME | |
13 | .Nm ssh-keyscan | |
14 | .Nd gather ssh public keys | |
15 | .Sh SYNOPSIS | |
16 | .Nm ssh-keyscan | |
1c14df9e | 17 | .Bk -words |
3c0ef626 | 18 | .Op Fl v46 |
19 | .Op Fl p Ar port | |
20 | .Op Fl T Ar timeout | |
21 | .Op Fl t Ar type | |
22 | .Op Fl f Ar file | |
23 | .Op Ar host | addrlist namelist | |
24 | .Op Ar ... | |
1c14df9e | 25 | .Ek |
3c0ef626 | 26 | .Sh DESCRIPTION |
27 | .Nm | |
28 | is a utility for gathering the public ssh host keys of a number of | |
1c14df9e | 29 | hosts. |
30 | It was designed to aid in building and verifying | |
3c0ef626 | 31 | .Pa ssh_known_hosts |
32 | files. | |
33 | .Nm | |
34 | provides a minimal interface suitable for use by shell and perl | |
35 | scripts. | |
36 | .Pp | |
37 | .Nm | |
38 | uses non-blocking socket I/O to contact as many hosts as possible in | |
1c14df9e | 39 | parallel, so it is very efficient. |
40 | The keys from a domain of 1,000 | |
3c0ef626 | 41 | hosts can be collected in tens of seconds, even when some of those |
1c14df9e | 42 | hosts are down or do not run ssh. |
43 | For scanning, one does not need | |
3c0ef626 | 44 | login access to the machines that are being scanned, nor does the |
45 | scanning process involve any encryption. | |
46 | .Pp | |
47 | The options are as follows: | |
48 | .Bl -tag -width Ds | |
49 | .It Fl p Ar port | |
50 | Port to connect to on the remote host. | |
51 | .It Fl T Ar timeout | |
1c14df9e | 52 | Set the timeout for connection attempts. |
53 | If | |
3c0ef626 | 54 | .Pa timeout |
55 | seconds have elapsed since a connection was initiated to a host or since the | |
56 | last time anything was read from that host, then the connection is | |
1c14df9e | 57 | closed and the host in question considered unavailable. |
58 | Default is 5 seconds. | |
3c0ef626 | 59 | .It Fl t Ar type |
60 | Specifies the type of the key to fetch from the scanned hosts. | |
61 | The possible values are | |
62 | .Dq rsa1 | |
63 | for protocol version 1 and | |
64 | .Dq rsa | |
65 | or | |
66 | .Dq dsa | |
67 | for protocol version 2. | |
68 | Multiple values may be specified by separating them with commas. | |
69 | The default is | |
70 | .Dq rsa1 . | |
71 | .It Fl f Ar filename | |
72 | Read hosts or | |
73 | .Pa addrlist namelist | |
74 | pairs from this file, one per line. | |
75 | If | |
76 | .Pa - | |
77 | is supplied instead of a filename, | |
78 | .Nm | |
79 | will read hosts or | |
80 | .Pa addrlist namelist | |
81 | pairs from the standard input. | |
82 | .It Fl v | |
83 | Verbose mode. | |
84 | Causes | |
85 | .Nm | |
86 | to print debugging messages about its progress. | |
87 | .It Fl 4 | |
88 | Forces | |
89 | .Nm | |
90 | to use IPv4 addresses only. | |
91 | .It Fl 6 | |
92 | Forces | |
93 | .Nm | |
94 | to use IPv6 addresses only. | |
95 | .El | |
96 | .Sh SECURITY | |
97 | If a ssh_known_hosts file is constructed using | |
98 | .Nm | |
99 | without verifying the keys, users will be vulnerable to | |
1b56ff3d | 100 | .Em man in the middle |
3c0ef626 | 101 | attacks. |
102 | On the other hand, if the security model allows such a risk, | |
103 | .Nm | |
104 | can help in the detection of tampered keyfiles or man in the middle | |
105 | attacks which have begun after the ssh_known_hosts file was created. | |
3c0ef626 | 106 | .Sh FILES |
107 | .Pa Input format: | |
108 | .Bd -literal | |
109 | 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 | |
110 | .Ed | |
111 | .Pp | |
112 | .Pa Output format for rsa1 keys: | |
113 | .Bd -literal | |
114 | host-or-namelist bits exponent modulus | |
115 | .Ed | |
116 | .Pp | |
117 | .Pa Output format for rsa and dsa keys: | |
118 | .Bd -literal | |
119 | host-or-namelist keytype base64-encoded-key | |
120 | .Ed | |
121 | .Pp | |
122 | Where | |
123 | .Pa keytype | |
124 | is either | |
125 | .Dq ssh-rsa | |
126 | or | |
70791e56 | 127 | .Dq ssh-dss . |
3c0ef626 | 128 | .Pp |
e9a17296 | 129 | .Pa /etc/ssh/ssh_known_hosts |
70791e56 | 130 | .Sh EXAMPLES |
131 | Print the | |
132 | .Pa rsa1 | |
133 | host key for machine | |
134 | .Pa hostname : | |
135 | .Bd -literal | |
136 | $ ssh-keyscan hostname | |
137 | .Ed | |
138 | .Pp | |
139 | Find all hosts from the file | |
140 | .Pa ssh_hosts | |
141 | which have new or different keys from those in the sorted file | |
142 | .Pa ssh_known_hosts : | |
143 | .Bd -literal | |
144 | $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e | |
145 | sort -u - ssh_known_hosts | diff ssh_known_hosts - | |
146 | .Ed | |
3c0ef626 | 147 | .Sh SEE ALSO |
148 | .Xr ssh 1 , | |
149 | .Xr sshd 8 | |
150 | .Sh AUTHORS | |
70791e56 | 151 | .An David Mazieres Aq dm@lcs.mit.edu |
3c0ef626 | 152 | wrote the initial version, and |
70791e56 | 153 | .An Wayne Davison Aq wayned@users.sourceforge.net |
3c0ef626 | 154 | added support for protocol version 2. |
70791e56 | 155 | .Sh BUGS |
156 | It generates "Connection closed by remote host" messages on the consoles | |
157 | of all the machines it scans if the server is older than version 2.9. | |
158 | This is because it opens a connection to the ssh port, reads the public | |
159 | key, and drops the connection as soon as it gets the key. |