[gssapi-openssh.git] / openssh / ssh-keyscan.1

.\"	$OpenBSD: ssh-keyscan.1,v 1.18 2004/07/12 23:34:25 brad Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
.\" Modification and redistribution in source and binary forms is
.\" permitted provided that due credit is given to the author and the
.\" OpenBSD project by leaving this copyright notice intact.
.\"
.Dd January 1, 1996
.Dt SSH-KEYSCAN 1
.Os
.Sh NAME
.Nm ssh-keyscan
.Nd gather ssh public keys
.Sh SYNOPSIS
.Nm ssh-keyscan
.Bk -words
.Op Fl v46
.Op Fl p Ar port
.Op Fl T Ar timeout
.Op Fl t Ar type
.Op Fl f Ar file
.Op Ar host | addrlist namelist
.Op Ar ...
.Ek
.Sh DESCRIPTION
.Nm
is a utility for gathering the public ssh host keys of a number of
hosts.
It was designed to aid in building and verifying
.Pa ssh_known_hosts
files.
.Nm
provides a minimal interface suitable for use by shell and perl
scripts.
.Pp
.Nm
uses non-blocking socket I/O to contact as many hosts as possible in
parallel, so it is very efficient.
The keys from a domain of 1,000
hosts can be collected in tens of seconds, even when some of those
hosts are down or do not run ssh.
For scanning, one does not need
login access to the machines that are being scanned, nor does the
scanning process involve any encryption.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl p Ar port
Port to connect to on the remote host.
.It Fl T Ar timeout
Set the timeout for connection attempts.
If
.Pa timeout
seconds have elapsed since a connection was initiated to a host or since the
last time anything was read from that host, then the connection is
closed and the host in question considered unavailable.
Default is 5 seconds.
.It Fl t Ar type
Specifies the type of the key to fetch from the scanned hosts.
The possible values are
.Dq rsa1
for protocol version 1 and
.Dq rsa
or
.Dq dsa
for protocol version 2.
Multiple values may be specified by separating them with commas.
The default is
.Dq rsa1 .
.It Fl f Ar filename
Read hosts or
.Pa addrlist namelist
pairs from this file, one per line.
If
.Pa -
is supplied instead of a filename,
.Nm
will read hosts or
.Pa addrlist namelist
pairs from the standard input.
.It Fl v
Verbose mode.
Causes
.Nm
to print debugging messages about its progress.
.It Fl 4
Forces
.Nm
to use IPv4 addresses only.
.It Fl 6
Forces
.Nm
to use IPv6 addresses only.
.El
.Sh SECURITY
If a ssh_known_hosts file is constructed using
.Nm
without verifying the keys, users will be vulnerable to
.Em man in the middle
attacks.
On the other hand, if the security model allows such a risk,
.Nm
can help in the detection of tampered keyfiles or man in the middle
attacks which have begun after the ssh_known_hosts file was created.
.Sh FILES
.Pa Input format:
.Bd -literal
1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
.Ed
.Pp
.Pa Output format for rsa1 keys:
.Bd -literal
host-or-namelist bits exponent modulus
.Ed
.Pp
.Pa Output format for rsa and dsa keys:
.Bd -literal
host-or-namelist keytype base64-encoded-key
.Ed
.Pp
Where
.Pa keytype
is either
.Dq ssh-rsa
or
.Dq ssh-dss .
.Pp
.Pa /etc/ssh/ssh_known_hosts
.Sh EXAMPLES
Print the
.Pa rsa1
host key for machine
.Pa hostname :
.Bd -literal
$ ssh-keyscan hostname
.Ed
.Pp
Find all hosts from the file
.Pa ssh_hosts
which have new or different keys from those in the sorted file
.Pa ssh_known_hosts :
.Bd -literal
$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e
	sort -u - ssh_known_hosts | diff ssh_known_hosts -
.Ed
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr sshd 8
.Sh AUTHORS
.An David Mazieres Aq dm@lcs.mit.edu
wrote the initial version, and
.An Wayne Davison Aq wayned@users.sourceforge.net
added support for protocol version 2.
.Sh BUGS
It generates "Connection closed by remote host" messages on the consoles
of all the machines it scans if the server is older than version 2.9.
This is because it opens a connection to the ssh port, reads the public
key, and drops the connection as soon as it gets the key.
Commit	Line	Data
1b56ff3d	1	.\" $OpenBSD: ssh-keyscan.1,v 1.18 2004/07/12 23:34:25 brad Exp $
3c0ef626	2	.\"
	3	.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
	4	.\"
	5	.\" Modification and redistribution in source and binary forms is
	6	.\" permitted provided that due credit is given to the author and the
	7	.\" OpenBSD project by leaving this copyright notice intact.
	8	.\"
	9	.Dd January 1, 1996
	10	.Dt SSH-KEYSCAN 1
	11	.Os
	12	.Sh NAME
	13	.Nm ssh-keyscan
	14	.Nd gather ssh public keys
	15	.Sh SYNOPSIS
	16	.Nm ssh-keyscan
1c14df9e	17	.Bk -words
3c0ef626	18	.Op Fl v46
	19	.Op Fl p Ar port
	20	.Op Fl T Ar timeout
	21	.Op Fl t Ar type
	22	.Op Fl f Ar file
	23	.Op Ar host \| addrlist namelist
	24	.Op Ar ...
1c14df9e	25	.Ek
3c0ef626	26	.Sh DESCRIPTION
	27	.Nm
	28	is a utility for gathering the public ssh host keys of a number of
1c14df9e	29	hosts.
1c14df9e	30	It was designed to aid in building and verifying
3c0ef626	31	.Pa ssh_known_hosts
	32	files.
	33	.Nm
	34	provides a minimal interface suitable for use by shell and perl
	35	scripts.
	36	.Pp
	37	.Nm
	38	uses non-blocking socket I/O to contact as many hosts as possible in
1c14df9e	39	parallel, so it is very efficient.
1c14df9e	40	The keys from a domain of 1,000
3c0ef626	41	hosts can be collected in tens of seconds, even when some of those
1c14df9e	42	hosts are down or do not run ssh.
1c14df9e	43	For scanning, one does not need
3c0ef626	44	login access to the machines that are being scanned, nor does the
	45	scanning process involve any encryption.
	46	.Pp
	47	The options are as follows:
	48	.Bl -tag -width Ds
	49	.It Fl p Ar port
	50	Port to connect to on the remote host.
	51	.It Fl T Ar timeout
1c14df9e	52	Set the timeout for connection attempts.
1c14df9e	53	If
3c0ef626	54	.Pa timeout
	55	seconds have elapsed since a connection was initiated to a host or since the
	56	last time anything was read from that host, then the connection is
1c14df9e	57	closed and the host in question considered unavailable.
1c14df9e	58	Default is 5 seconds.
3c0ef626	59	.It Fl t Ar type
	60	Specifies the type of the key to fetch from the scanned hosts.
	61	The possible values are
	62	.Dq rsa1
	63	for protocol version 1 and
	64	.Dq rsa
	65	or
	66	.Dq dsa
	67	for protocol version 2.
	68	Multiple values may be specified by separating them with commas.
	69	The default is
	70	.Dq rsa1 .
	71	.It Fl f Ar filename
	72	Read hosts or
	73	.Pa addrlist namelist
	74	pairs from this file, one per line.
	75	If
	76	.Pa -
	77	is supplied instead of a filename,
	78	.Nm
	79	will read hosts or
	80	.Pa addrlist namelist
	81	pairs from the standard input.
	82	.It Fl v
	83	Verbose mode.
	84	Causes
	85	.Nm
	86	to print debugging messages about its progress.
	87	.It Fl 4
	88	Forces
	89	.Nm
	90	to use IPv4 addresses only.
	91	.It Fl 6
	92	Forces
	93	.Nm
	94	to use IPv6 addresses only.
	95	.El
	96	.Sh SECURITY
	97	If a ssh_known_hosts file is constructed using
	98	.Nm
	99	without verifying the keys, users will be vulnerable to
1b56ff3d	100	.Em man in the middle
3c0ef626	101	attacks.
	102	On the other hand, if the security model allows such a risk,
	103	.Nm
	104	can help in the detection of tampered keyfiles or man in the middle
	105	attacks which have begun after the ssh_known_hosts file was created.
3c0ef626	106	.Sh FILES
	107	.Pa Input format:
	108	.Bd -literal
	109	1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
	110	.Ed
	111	.Pp
	112	.Pa Output format for rsa1 keys:
	113	.Bd -literal
	114	host-or-namelist bits exponent modulus
	115	.Ed
	116	.Pp
	117	.Pa Output format for rsa and dsa keys:
	118	.Bd -literal
	119	host-or-namelist keytype base64-encoded-key
	120	.Ed
	121	.Pp
	122	Where
	123	.Pa keytype
	124	is either
	125	.Dq ssh-rsa
	126	or
70791e56	127	.Dq ssh-dss .
3c0ef626	128	.Pp
e9a17296	129	.Pa /etc/ssh/ssh_known_hosts
70791e56	130	.Sh EXAMPLES
	131	Print the
	132	.Pa rsa1
	133	host key for machine
	134	.Pa hostname :
	135	.Bd -literal
	136	$ ssh-keyscan hostname
	137	.Ed
	138	.Pp
	139	Find all hosts from the file
	140	.Pa ssh_hosts
	141	which have new or different keys from those in the sorted file
	142	.Pa ssh_known_hosts :
	143	.Bd -literal
	144	$ ssh-keyscan -t rsa,dsa -f ssh_hosts \| \e
	145	sort -u - ssh_known_hosts \| diff ssh_known_hosts -
	146	.Ed
3c0ef626	147	.Sh SEE ALSO
	148	.Xr ssh 1 ,
	149	.Xr sshd 8
	150	.Sh AUTHORS
70791e56	151	.An David Mazieres Aq dm@lcs.mit.edu
3c0ef626	152	wrote the initial version, and
70791e56	153	.An Wayne Davison Aq wayned@users.sourceforge.net
3c0ef626	154	added support for protocol version 2.
70791e56	155	.Sh BUGS
	156	It generates "Connection closed by remote host" messages on the consoles
	157	of all the machines it scans if the server is older than version 2.9.
	158	This is because it opens a connection to the ssh port, reads the public
	159	key, and drops the connection as soon as it gets the key.