+++ /dev/null
-SSH-KEYSCAN(1) OpenBSD Reference Manual SSH-KEYSCAN(1)
-
-NAME
- ssh-keyscan - gather ssh public keys
-
-SYNOPSIS
- ssh-keyscan [-46Hv] [-f file] [-p port] [-T timeout] [-t type]
- [host | addrlist namelist] [...]
-
-DESCRIPTION
- ssh-keyscan is a utility for gathering the public ssh host keys of a num-
- ber of hosts. It was designed to aid in building and verifying
- ssh_known_hosts files. ssh-keyscan provides a minimal interface suitable
- for use by shell and perl scripts.
-
- ssh-keyscan uses non-blocking socket I/O to contact as many hosts as pos-
- sible in parallel, so it is very efficient. The keys from a domain of
- 1,000 hosts can be collected in tens of seconds, even when some of those
- hosts are down or do not run ssh. For scanning, one does not need login
- access to the machines that are being scanned, nor does the scanning pro-
- cess involve any encryption.
-
- The options are as follows:
-
- -4 Forces ssh-keyscan to use IPv4 addresses only.
-
- -6 Forces ssh-keyscan to use IPv6 addresses only.
-
- -f file
- Read hosts or addrlist namelist pairs from this file, one per
- line. If - is supplied instead of a filename, ssh-keyscan will
- read hosts or addrlist namelist pairs from the standard input.
-
- -H Hash all hostnames and addresses in the output. Hashed names may
- be used normally by ssh and sshd, but they do not reveal identi-
- fying information should the file's contents be disclosed.
-
- -p port
- Port to connect to on the remote host.
-
- -T timeout
- Set the timeout for connection attempts. If timeout seconds have
- elapsed since a connection was initiated to a host or since the
- last time anything was read from that host, then the connection
- is closed and the host in question considered unavailable. De-
- fault is 5 seconds.
-
- -t type
- Specifies the type of the key to fetch from the scanned hosts.
- The possible values are ``rsa1'' for protocol version 1 and
- ``rsa'' or ``dsa'' for protocol version 2. Multiple values may
- be specified by separating them with commas. The default is
- ``rsa1''.
-
- -v Verbose mode. Causes ssh-keyscan to print debugging messages
- about its progress.
-
-SECURITY
- If a ssh_known_hosts file is constructed using ssh-keyscan without veri-
- fying the keys, users will be vulnerable to man in the middle attacks.
- On the other hand, if the security model allows such a risk, ssh-keyscan
- can help in the detection of tampered keyfiles or man in the middle at-
- tacks which have begun after the ssh_known_hosts file was created.
-
-FILES
- Input format:
-
- 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
-
- Output format for rsa1 keys:
-
- host-or-namelist bits exponent modulus
-
- Output format for rsa and dsa keys:
-
- host-or-namelist keytype base64-encoded-key
-
- Where keytype is either ``ssh-rsa'' or ``ssh-dss''.
-
- /etc/ssh/ssh_known_hosts
-
-EXAMPLES
- Print the rsa1 host key for machine hostname:
-
- $ ssh-keyscan hostname
-
- Find all hosts from the file ssh_hosts which have new or different keys
- from those in the sorted file ssh_known_hosts:
-
- $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \
- sort -u - ssh_known_hosts | diff ssh_known_hosts -
-
-SEE ALSO
- ssh(1), sshd(8)
-
-AUTHORS
- David Mazieres <dm@lcs.mit.edu> wrote the initial version, and Wayne
- Davison <wayned@users.sourceforge.net> added support for protocol version
- 2.
-
-BUGS
- It generates "Connection closed by remote host" messages on the consoles
- of all the machines it scans if the server is older than version 2.9.
- This is because it opens a connection to the ssh port, reads the public
- key, and drops the connection as soon as it gets the key.
-
-OpenBSD 4.0 January 1, 1996 2