]>
Commit | Line | Data |
---|---|---|
fe7dba42 | 1 | .\" $OpenBSD: ssh-keyscan.1,v 1.27 2009/10/28 16:38:18 reyk Exp $ |
4371658c | 2 | .\" |
3 | .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. | |
4 | .\" | |
5 | .\" Modification and redistribution in source and binary forms is | |
6 | .\" permitted provided that due credit is given to the author and the | |
aa144206 | 7 | .\" OpenBSD project by leaving this copyright notice intact. |
23c2a7a5 | 8 | .\" |
e473dcd1 | 9 | .Dd $Mdocdate$ |
4371658c | 10 | .Dt SSH-KEYSCAN 1 |
f6fdbddf | 11 | .Os |
12 | .Sh NAME | |
13 | .Nm ssh-keyscan | |
14 | .Nd gather ssh public keys | |
15 | .Sh SYNOPSIS | |
16 | .Nm ssh-keyscan | |
a4e5acef | 17 | .Bk -words |
3bafbaa7 | 18 | .Op Fl 46Hv |
19 | .Op Fl f Ar file | |
5061072f | 20 | .Op Fl p Ar port |
21 | .Op Fl T Ar timeout | |
22 | .Op Fl t Ar type | |
fe7dba42 | 23 | .Op Fl V Ar rdomain |
5061072f | 24 | .Op Ar host | addrlist namelist |
9995aaa3 | 25 | .Ar ... |
a4e5acef | 26 | .Ek |
f6fdbddf | 27 | .Sh DESCRIPTION |
28 | .Nm | |
29 | is a utility for gathering the public ssh host keys of a number of | |
a4e5acef | 30 | hosts. |
31 | It was designed to aid in building and verifying | |
f6fdbddf | 32 | .Pa ssh_known_hosts |
33 | files. | |
34 | .Nm | |
35 | provides a minimal interface suitable for use by shell and perl | |
36 | scripts. | |
37 | .Pp | |
38 | .Nm | |
39 | uses non-blocking socket I/O to contact as many hosts as possible in | |
a4e5acef | 40 | parallel, so it is very efficient. |
41 | The keys from a domain of 1,000 | |
f6fdbddf | 42 | hosts can be collected in tens of seconds, even when some of those |
a4e5acef | 43 | hosts are down or do not run ssh. |
44 | For scanning, one does not need | |
91789042 | 45 | login access to the machines that are being scanned, nor does the |
46 | scanning process involve any encryption. | |
0f6d5acf | 47 | .Pp |
48 | The options are as follows: | |
f6fdbddf | 49 | .Bl -tag -width Ds |
3bafbaa7 | 50 | .It Fl 4 |
51 | Forces | |
52 | .Nm | |
53 | to use IPv4 addresses only. | |
54 | .It Fl 6 | |
55 | Forces | |
56 | .Nm | |
57 | to use IPv6 addresses only. | |
58 | .It Fl f Ar file | |
59 | Read hosts or | |
60 | .Pa addrlist namelist | |
61 | pairs from this file, one per line. | |
62 | If | |
63 | .Pa - | |
64 | is supplied instead of a filename, | |
65 | .Nm | |
66 | will read hosts or | |
67 | .Pa addrlist namelist | |
68 | pairs from the standard input. | |
90a8ae9f | 69 | .It Fl H |
70 | Hash all hostnames and addresses in the output. | |
71 | Hashed names may be used normally by | |
72 | .Nm ssh | |
73 | and | |
74 | .Nm sshd , | |
75 | but they do not reveal identifying information should the file's contents | |
76 | be disclosed. | |
5061072f | 77 | .It Fl p Ar port |
78 | Port to connect to on the remote host. | |
75304f85 | 79 | .It Fl T Ar timeout |
a4e5acef | 80 | Set the timeout for connection attempts. |
81 | If | |
f6fdbddf | 82 | .Pa timeout |
83 | seconds have elapsed since a connection was initiated to a host or since the | |
84 | last time anything was read from that host, then the connection is | |
a4e5acef | 85 | closed and the host in question considered unavailable. |
86 | Default is 5 seconds. | |
5061072f | 87 | .It Fl t Ar type |
75304f85 | 88 | Specifies the type of the key to fetch from the scanned hosts. |
5061072f | 89 | The possible values are |
90 | .Dq rsa1 | |
91 | for protocol version 1 and | |
92 | .Dq rsa | |
93 | or | |
94 | .Dq dsa | |
95 | for protocol version 2. | |
96 | Multiple values may be specified by separating them with commas. | |
97 | The default is | |
c47ff7a6 | 98 | .Dq rsa . |
fe7dba42 | 99 | .It Fl V Ar rdomain |
100 | Set the routing domain. | |
5061072f | 101 | .It Fl v |
102 | Verbose mode. | |
103 | Causes | |
104 | .Nm | |
105 | to print debugging messages about its progress. | |
9616313f | 106 | .El |
0f6d5acf | 107 | .Sh SECURITY |
525251b0 | 108 | If an ssh_known_hosts file is constructed using |
0f6d5acf | 109 | .Nm |
91789042 | 110 | without verifying the keys, users will be vulnerable to |
95a07125 | 111 | .Em man in the middle |
0f6d5acf | 112 | attacks. |
91789042 | 113 | On the other hand, if the security model allows such a risk, |
0f6d5acf | 114 | .Nm |
91789042 | 115 | can help in the detection of tampered keyfiles or man in the middle |
116 | attacks which have begun after the ssh_known_hosts file was created. | |
f6fdbddf | 117 | .Sh FILES |
f6fdbddf | 118 | .Pa Input format: |
5061072f | 119 | .Bd -literal |
f6fdbddf | 120 | 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 |
5061072f | 121 | .Ed |
f6fdbddf | 122 | .Pp |
5061072f | 123 | .Pa Output format for rsa1 keys: |
124 | .Bd -literal | |
f6fdbddf | 125 | host-or-namelist bits exponent modulus |
5061072f | 126 | .Ed |
127 | .Pp | |
128 | .Pa Output format for rsa and dsa keys: | |
129 | .Bd -literal | |
130 | host-or-namelist keytype base64-encoded-key | |
131 | .Ed | |
132 | .Pp | |
133 | Where | |
134 | .Pa keytype | |
135 | is either | |
136 | .Dq ssh-rsa | |
137 | or | |
dc109cfe | 138 | .Dq ssh-dss . |
f6fdbddf | 139 | .Pp |
2a8a6488 | 140 | .Pa /etc/ssh/ssh_known_hosts |
be193d89 | 141 | .Sh EXAMPLES |
142 | Print the | |
8647612c | 143 | .Pa rsa |
be193d89 | 144 | host key for machine |
145 | .Pa hostname : | |
146 | .Bd -literal | |
147 | $ ssh-keyscan hostname | |
148 | .Ed | |
149 | .Pp | |
150 | Find all hosts from the file | |
151 | .Pa ssh_hosts | |
152 | which have new or different keys from those in the sorted file | |
153 | .Pa ssh_known_hosts : | |
154 | .Bd -literal | |
155 | $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e | |
156 | sort -u - ssh_known_hosts | diff ssh_known_hosts - | |
157 | .Ed | |
f6fdbddf | 158 | .Sh SEE ALSO |
4371658c | 159 | .Xr ssh 1 , |
f6fdbddf | 160 | .Xr sshd 8 |
a5a2da3b | 161 | .Sh AUTHORS |
8f921a4a | 162 | .An -nosplit |
be193d89 | 163 | .An David Mazieres Aq dm@lcs.mit.edu |
5061072f | 164 | wrote the initial version, and |
be193d89 | 165 | .An Wayne Davison Aq wayned@users.sourceforge.net |
5061072f | 166 | added support for protocol version 2. |
be193d89 | 167 | .Sh BUGS |
168 | It generates "Connection closed by remote host" messages on the consoles | |
169 | of all the machines it scans if the server is older than version 2.9. | |
170 | This is because it opens a connection to the ssh port, reads the public | |
171 | key, and drops the connection as soon as it gets the key. |