]>
Commit | Line | Data |
---|---|---|
91789042 | 1 | .\" $OpenBSD: ssh-keyscan.1,v 1.12 2001/09/05 06:23:07 deraadt Exp $ |
4371658c | 2 | .\" |
3 | .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. | |
4 | .\" | |
5 | .\" Modification and redistribution in source and binary forms is | |
6 | .\" permitted provided that due credit is given to the author and the | |
aa144206 | 7 | .\" OpenBSD project by leaving this copyright notice intact. |
23c2a7a5 | 8 | .\" |
f6fdbddf | 9 | .Dd January 1, 1996 |
4371658c | 10 | .Dt SSH-KEYSCAN 1 |
f6fdbddf | 11 | .Os |
12 | .Sh NAME | |
13 | .Nm ssh-keyscan | |
14 | .Nd gather ssh public keys | |
15 | .Sh SYNOPSIS | |
16 | .Nm ssh-keyscan | |
5061072f | 17 | .Op Fl v46 |
18 | .Op Fl p Ar port | |
19 | .Op Fl T Ar timeout | |
20 | .Op Fl t Ar type | |
21 | .Op Fl f Ar file | |
22 | .Op Ar host | addrlist namelist | |
23 | .Op Ar ... | |
f6fdbddf | 24 | .Sh DESCRIPTION |
25 | .Nm | |
26 | is a utility for gathering the public ssh host keys of a number of | |
27 | hosts. It was designed to aid in building and verifying | |
28 | .Pa ssh_known_hosts | |
29 | files. | |
30 | .Nm | |
31 | provides a minimal interface suitable for use by shell and perl | |
32 | scripts. | |
33 | .Pp | |
34 | .Nm | |
35 | uses non-blocking socket I/O to contact as many hosts as possible in | |
36 | parallel, so it is very efficient. The keys from a domain of 1,000 | |
37 | hosts can be collected in tens of seconds, even when some of those | |
91789042 | 38 | hosts are down or do not run ssh. For scanning, one does not need |
39 | login access to the machines that are being scanned, nor does the | |
40 | scanning process involve any encryption. | |
0f6d5acf | 41 | .Pp |
42 | The options are as follows: | |
f6fdbddf | 43 | .Bl -tag -width Ds |
5061072f | 44 | .It Fl p Ar port |
45 | Port to connect to on the remote host. | |
75304f85 | 46 | .It Fl T Ar timeout |
3730bb22 | 47 | Set the timeout for connection attempts. If |
f6fdbddf | 48 | .Pa timeout |
49 | seconds have elapsed since a connection was initiated to a host or since the | |
50 | last time anything was read from that host, then the connection is | |
51 | closed and the host in question considered unavailable. Default is 5 | |
52 | seconds. | |
5061072f | 53 | .It Fl t Ar type |
75304f85 | 54 | Specifies the type of the key to fetch from the scanned hosts. |
5061072f | 55 | The possible values are |
56 | .Dq rsa1 | |
57 | for protocol version 1 and | |
58 | .Dq rsa | |
59 | or | |
60 | .Dq dsa | |
61 | for protocol version 2. | |
62 | Multiple values may be specified by separating them with commas. | |
63 | The default is | |
64 | .Dq rsa1 . | |
65 | .It Fl f Ar filename | |
3730bb22 | 66 | Read hosts or |
f6fdbddf | 67 | .Pa addrlist namelist |
68 | pairs from this file, one per line. | |
69 | If | |
70 | .Pa - | |
71 | is supplied instead of a filename, | |
72 | .Nm | |
3730bb22 | 73 | will read hosts or |
f6fdbddf | 74 | .Pa addrlist namelist |
75 | pairs from the standard input. | |
5061072f | 76 | .It Fl v |
77 | Verbose mode. | |
78 | Causes | |
79 | .Nm | |
80 | to print debugging messages about its progress. | |
81 | .It Fl 4 | |
82 | Forces | |
83 | .Nm | |
84 | to use IPv4 addresses only. | |
85 | .It Fl 6 | |
86 | Forces | |
87 | .Nm | |
88 | to use IPv6 addresses only. | |
9616313f | 89 | .El |
0f6d5acf | 90 | .Sh SECURITY |
91789042 | 91 | If a ssh_known_hosts file is constructed using |
0f6d5acf | 92 | .Nm |
91789042 | 93 | without verifying the keys, users will be vulnerable to |
0f6d5acf | 94 | .I man in the middle |
95 | attacks. | |
91789042 | 96 | On the other hand, if the security model allows such a risk, |
0f6d5acf | 97 | .Nm |
91789042 | 98 | can help in the detection of tampered keyfiles or man in the middle |
99 | attacks which have begun after the ssh_known_hosts file was created. | |
f6fdbddf | 100 | .Sh EXAMPLES |
5061072f | 101 | .Pp |
102 | Print the | |
103 | .Pa rsa1 | |
104 | host key for machine | |
f6fdbddf | 105 | .Pa hostname : |
106 | .Bd -literal | |
107 | ssh-keyscan hostname | |
108 | .Ed | |
109 | .Pp | |
110 | Find all hosts from the file | |
111 | .Pa ssh_hosts | |
112 | which have new or different keys from those in the sorted file | |
113 | .Pa ssh_known_hosts : | |
114 | .Bd -literal | |
5061072f | 115 | ssh-keyscan -t rsa,dsa -f ssh_hosts | \e\ |
116 | sort -u - ssh_known_hosts | diff ssh_known_hosts - | |
f6fdbddf | 117 | .Ed |
f6fdbddf | 118 | .Sh FILES |
f6fdbddf | 119 | .Pa Input format: |
5061072f | 120 | .Bd -literal |
f6fdbddf | 121 | 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 |
5061072f | 122 | .Ed |
f6fdbddf | 123 | .Pp |
5061072f | 124 | .Pa Output format for rsa1 keys: |
125 | .Bd -literal | |
f6fdbddf | 126 | host-or-namelist bits exponent modulus |
5061072f | 127 | .Ed |
128 | .Pp | |
129 | .Pa Output format for rsa and dsa keys: | |
130 | .Bd -literal | |
131 | host-or-namelist keytype base64-encoded-key | |
132 | .Ed | |
133 | .Pp | |
134 | Where | |
135 | .Pa keytype | |
136 | is either | |
137 | .Dq ssh-rsa | |
138 | or | |
139 | .Dq ssh-dsa . | |
f6fdbddf | 140 | .Pp |
141 | .Pa /etc/ssh_known_hosts | |
142 | .Sh BUGS | |
143 | It generates "Connection closed by remote host" messages on the consoles | |
5061072f | 144 | of all the machines it scans if the server is older than version 2.9. |
f6fdbddf | 145 | This is because it opens a connection to the ssh port, reads the public |
146 | key, and drops the connection as soon as it gets the key. | |
147 | .Sh SEE ALSO | |
4371658c | 148 | .Xr ssh 1 , |
f6fdbddf | 149 | .Xr sshd 8 |
a5a2da3b | 150 | .Sh AUTHORS |
f6fdbddf | 151 | David Mazieres <dm@lcs.mit.edu> |
5061072f | 152 | wrote the initial version, and |
153 | Wayne Davison <wayned@users.sourceforge.net> | |
154 | added support for protocol version 2. |