]>
Commit | Line | Data |
---|---|---|
0f6d5acf | 1 | .\" $OpenBSD: ssh-keyscan.1,v 1.9 2001/08/02 18:37:35 mpech Exp $ |
4371658c | 2 | .\" |
3 | .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. | |
4 | .\" | |
5 | .\" Modification and redistribution in source and binary forms is | |
6 | .\" permitted provided that due credit is given to the author and the | |
aa144206 | 7 | .\" OpenBSD project by leaving this copyright notice intact. |
23c2a7a5 | 8 | .\" |
f6fdbddf | 9 | .Dd January 1, 1996 |
4371658c | 10 | .Dt SSH-KEYSCAN 1 |
f6fdbddf | 11 | .Os |
12 | .Sh NAME | |
13 | .Nm ssh-keyscan | |
14 | .Nd gather ssh public keys | |
15 | .Sh SYNOPSIS | |
16 | .Nm ssh-keyscan | |
17 | .Op Fl t Ar timeout | |
18 | .Op Ar -- | host | addrlist namelist | |
19 | .Op Fl f Ar files ... | |
20 | .Sh DESCRIPTION | |
21 | .Nm | |
22 | is a utility for gathering the public ssh host keys of a number of | |
23 | hosts. It was designed to aid in building and verifying | |
24 | .Pa ssh_known_hosts | |
25 | files. | |
26 | .Nm | |
27 | provides a minimal interface suitable for use by shell and perl | |
28 | scripts. | |
29 | .Pp | |
30 | .Nm | |
31 | uses non-blocking socket I/O to contact as many hosts as possible in | |
32 | parallel, so it is very efficient. The keys from a domain of 1,000 | |
33 | hosts can be collected in tens of seconds, even when some of those | |
34 | hosts are down or do not run ssh. You do not need login access to the | |
05cc0c99 | 35 | machines you are scanning, nor does the scanning process involve |
f6fdbddf | 36 | any encryption. |
0f6d5acf | 37 | .Pp |
38 | The options are as follows: | |
f6fdbddf | 39 | .Bl -tag -width Ds |
40 | .It Fl t | |
3730bb22 | 41 | Set the timeout for connection attempts. If |
f6fdbddf | 42 | .Pa timeout |
43 | seconds have elapsed since a connection was initiated to a host or since the | |
44 | last time anything was read from that host, then the connection is | |
45 | closed and the host in question considered unavailable. Default is 5 | |
46 | seconds. | |
47 | .It Fl f | |
3730bb22 | 48 | Read hosts or |
f6fdbddf | 49 | .Pa addrlist namelist |
50 | pairs from this file, one per line. | |
51 | If | |
52 | .Pa - | |
53 | is supplied instead of a filename, | |
54 | .Nm | |
3730bb22 | 55 | will read hosts or |
f6fdbddf | 56 | .Pa addrlist namelist |
57 | pairs from the standard input. | |
9616313f | 58 | .El |
0f6d5acf | 59 | .Sh SECURITY |
60 | If you make an ssh_known_hosts file using | |
61 | .Nm | |
62 | without verifying the keys, you will be vulnerable to | |
63 | .I man in the middle | |
64 | attacks. | |
65 | On the other hand, if your security model allows such a risk, | |
66 | .Nm | |
67 | can help you detect tampered keyfiles or man in the middle attacks which | |
68 | have begun after you created your ssh_known_hosts file. | |
f6fdbddf | 69 | .Sh EXAMPLES |
f6fdbddf | 70 | Print the host key for machine |
71 | .Pa hostname : | |
72 | .Bd -literal | |
73 | ssh-keyscan hostname | |
74 | .Ed | |
75 | .Pp | |
76 | Find all hosts from the file | |
77 | .Pa ssh_hosts | |
78 | which have new or different keys from those in the sorted file | |
79 | .Pa ssh_known_hosts : | |
80 | .Bd -literal | |
4371658c | 81 | $ ssh-keyscan -f ssh_hosts | sort -u - ssh_known_hosts | \e\ |
f6fdbddf | 82 | diff ssh_known_hosts - |
83 | .Ed | |
f6fdbddf | 84 | .Sh FILES |
f6fdbddf | 85 | .Pa Input format: |
86 | 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 | |
87 | .Pp | |
88 | .Pa Output format: | |
89 | host-or-namelist bits exponent modulus | |
90 | .Pp | |
91 | .Pa /etc/ssh_known_hosts | |
92 | .Sh BUGS | |
93 | It generates "Connection closed by remote host" messages on the consoles | |
94 | of all the machines it scans. | |
95 | This is because it opens a connection to the ssh port, reads the public | |
96 | key, and drops the connection as soon as it gets the key. | |
97 | .Sh SEE ALSO | |
4371658c | 98 | .Xr ssh 1 , |
f6fdbddf | 99 | .Xr sshd 8 |
a5a2da3b | 100 | .Sh AUTHORS |
f6fdbddf | 101 | David Mazieres <dm@lcs.mit.edu> |