]>
Commit | Line | Data |
---|---|---|
9108f8d9 | 1 | SSH-KEYSCAN(1) OpenBSD Reference Manual SSH-KEYSCAN(1) |
2 | ||
3 | NAME | |
4 | ssh-keyscan - gather ssh public keys | |
5 | ||
6 | SYNOPSIS | |
7 | ssh-keyscan [-46Hv] [-f file] [-p port] [-T timeout] [-t type] | |
8 | [host | addrlist namelist] [...] | |
9 | ||
10 | DESCRIPTION | |
11 | ssh-keyscan is a utility for gathering the public ssh host keys of a num- | |
12 | ber of hosts. It was designed to aid in building and verifying | |
13 | ssh_known_hosts files. ssh-keyscan provides a minimal interface suitable | |
14 | for use by shell and perl scripts. | |
15 | ||
16 | ssh-keyscan uses non-blocking socket I/O to contact as many hosts as pos- | |
17 | sible in parallel, so it is very efficient. The keys from a domain of | |
18 | 1,000 hosts can be collected in tens of seconds, even when some of those | |
19 | hosts are down or do not run ssh. For scanning, one does not need login | |
20 | access to the machines that are being scanned, nor does the scanning pro- | |
21 | cess involve any encryption. | |
22 | ||
23 | The options are as follows: | |
24 | ||
25 | -4 Forces ssh-keyscan to use IPv4 addresses only. | |
26 | ||
27 | -6 Forces ssh-keyscan to use IPv6 addresses only. | |
28 | ||
29 | -f file | |
30 | Read hosts or addrlist namelist pairs from this file, one per | |
31 | line. If - is supplied instead of a filename, ssh-keyscan will | |
32 | read hosts or addrlist namelist pairs from the standard input. | |
33 | ||
34 | -H Hash all hostnames and addresses in the output. Hashed names may | |
35 | be used normally by ssh and sshd, but they do not reveal identi- | |
36 | fying information should the file's contents be disclosed. | |
37 | ||
38 | -p port | |
39 | Port to connect to on the remote host. | |
40 | ||
41 | -T timeout | |
42 | Set the timeout for connection attempts. If timeout seconds have | |
43 | elapsed since a connection was initiated to a host or since the | |
44 | last time anything was read from that host, then the connection | |
45 | is closed and the host in question considered unavailable. De- | |
46 | fault is 5 seconds. | |
47 | ||
48 | -t type | |
49 | Specifies the type of the key to fetch from the scanned hosts. | |
50 | The possible values are ``rsa1'' for protocol version 1 and | |
51 | ``rsa'' or ``dsa'' for protocol version 2. Multiple values may | |
52 | be specified by separating them with commas. The default is | |
53 | ``rsa1''. | |
54 | ||
55 | -v Verbose mode. Causes ssh-keyscan to print debugging messages | |
56 | about its progress. | |
57 | ||
58 | SECURITY | |
59 | If a ssh_known_hosts file is constructed using ssh-keyscan without veri- | |
60 | fying the keys, users will be vulnerable to man in the middle attacks. | |
61 | On the other hand, if the security model allows such a risk, ssh-keyscan | |
62 | can help in the detection of tampered keyfiles or man in the middle at- | |
63 | tacks which have begun after the ssh_known_hosts file was created. | |
64 | ||
65 | FILES | |
66 | Input format: | |
67 | ||
68 | 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 | |
69 | ||
70 | Output format for rsa1 keys: | |
71 | ||
72 | host-or-namelist bits exponent modulus | |
73 | ||
74 | Output format for rsa and dsa keys: | |
75 | ||
76 | host-or-namelist keytype base64-encoded-key | |
77 | ||
78 | Where keytype is either ``ssh-rsa'' or ``ssh-dss''. | |
79 | ||
80 | /etc/ssh/ssh_known_hosts | |
81 | ||
82 | EXAMPLES | |
83 | Print the rsa1 host key for machine hostname: | |
84 | ||
85 | $ ssh-keyscan hostname | |
86 | ||
87 | Find all hosts from the file ssh_hosts which have new or different keys | |
88 | from those in the sorted file ssh_known_hosts: | |
89 | ||
90 | $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \ | |
91 | sort -u - ssh_known_hosts | diff ssh_known_hosts - | |
92 | ||
93 | SEE ALSO | |
94 | ssh(1), sshd(8) | |
95 | ||
96 | AUTHORS | |
97 | David Mazieres <dm@lcs.mit.edu> wrote the initial version, and Wayne | |
98 | Davison <wayned@users.sourceforge.net> added support for protocol version | |
99 | 2. | |
100 | ||
101 | BUGS | |
102 | It generates "Connection closed by remote host" messages on the consoles | |
103 | of all the machines it scans if the server is older than version 2.9. | |
104 | This is because it opens a connection to the ssh port, reads the public | |
105 | key, and drops the connection as soon as it gets the key. | |
106 | ||
107 | OpenBSD 4.0 January 1, 1996 2 |