]>
Commit | Line | Data |
---|---|---|
23c2a7a5 | 1 | .\" $OpenBSD: ssh-keyscan.1,v 1.3 2001/01/29 01:58:18 niklas Exp $ |
2 | .\" | |
f6fdbddf | 3 | .Dd January 1, 1996 |
4 | .Dt ssh-keyscan 1 | |
5 | .Os | |
6 | .Sh NAME | |
7 | .Nm ssh-keyscan | |
8 | .Nd gather ssh public keys | |
9 | .Sh SYNOPSIS | |
10 | .Nm ssh-keyscan | |
11 | .Op Fl t Ar timeout | |
12 | .Op Ar -- | host | addrlist namelist | |
13 | .Op Fl f Ar files ... | |
14 | .Sh DESCRIPTION | |
15 | .Nm | |
16 | is a utility for gathering the public ssh host keys of a number of | |
17 | hosts. It was designed to aid in building and verifying | |
18 | .Pa ssh_known_hosts | |
19 | files. | |
20 | .Nm | |
21 | provides a minimal interface suitable for use by shell and perl | |
22 | scripts. | |
23 | .Pp | |
24 | .Nm | |
25 | uses non-blocking socket I/O to contact as many hosts as possible in | |
26 | parallel, so it is very efficient. The keys from a domain of 1,000 | |
27 | hosts can be collected in tens of seconds, even when some of those | |
28 | hosts are down or do not run ssh. You do not need login access to the | |
29 | machines you are scanning, nor does does the scanning process involve | |
30 | any encryption. | |
31 | .Sh SECURITY | |
32 | If you make an ssh_known_hosts file using | |
33 | .Nm | |
34 | without verifying the keys, you will be vulnerable to | |
35 | .I man in the middle | |
36 | attacks. | |
37 | On the other hand, if your security model allows such a risk, | |
38 | .Nm | |
39 | can help you detect tampered keyfiles or man in the middle attacks which | |
40 | have begun after you created your ssh_known_hosts file. | |
41 | .Sh OPTIONS | |
42 | .Bl -tag -width Ds | |
43 | .It Fl t | |
44 | Set the timeout for connection attempts. If | |
45 | .Pa timeout | |
46 | seconds have elapsed since a connection was initiated to a host or since the | |
47 | last time anything was read from that host, then the connection is | |
48 | closed and the host in question considered unavailable. Default is 5 | |
49 | seconds. | |
50 | .It Fl f | |
51 | Read hosts or | |
52 | .Pa addrlist namelist | |
53 | pairs from this file, one per line. | |
54 | If | |
55 | .Pa - | |
56 | is supplied instead of a filename, | |
57 | .Nm | |
58 | will read hosts or | |
59 | .Pa addrlist namelist | |
60 | pairs from the standard input. | |
9616313f | 61 | .El |
f6fdbddf | 62 | .Sh EXAMPLES |
63 | .Pp | |
64 | Print the host key for machine | |
65 | .Pa hostname : | |
66 | .Bd -literal | |
67 | ssh-keyscan hostname | |
68 | .Ed | |
69 | .Pp | |
70 | Find all hosts from the file | |
71 | .Pa ssh_hosts | |
72 | which have new or different keys from those in the sorted file | |
73 | .Pa ssh_known_hosts : | |
74 | .Bd -literal | |
75 | ssh-keyscan -f ssh_hosts | sort -u - ssh_known_hosts | \e\ | |
76 | diff ssh_known_hosts - | |
77 | .Ed | |
78 | .Pp | |
79 | .Sh FILES | |
80 | .Pp | |
81 | .Pa Input format: | |
82 | 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 | |
83 | .Pp | |
84 | .Pa Output format: | |
85 | host-or-namelist bits exponent modulus | |
86 | .Pp | |
87 | .Pa /etc/ssh_known_hosts | |
88 | .Sh BUGS | |
89 | It generates "Connection closed by remote host" messages on the consoles | |
90 | of all the machines it scans. | |
91 | This is because it opens a connection to the ssh port, reads the public | |
92 | key, and drops the connection as soon as it gets the key. | |
93 | .Sh SEE ALSO | |
94 | .Xr ssh 1 | |
95 | .Xr sshd 8 | |
96 | .Sh AUTHOR | |
97 | David Mazieres <dm@lcs.mit.edu> |