[openssh.git] / contrib / make-ssh-known-hosts.1

.\" -*- nroff -*-
.\" ----------------------------------------------------------------------
.\" make-ssh-known-hosts.1 -- Make ssh-known-hosts file
.\" Copyright (c) 1995 Tero Kivinen
.\" All Rights Reserved.
.\"
.\" Make-ssh-known-hosts is distributed in the hope that it will be
.\" useful, but WITHOUT ANY WARRANTY.  No author or distributor accepts
.\" responsibility to anyone for the consequences of using it or for
.\" whether it serves any particular purpose or works at all, unless he
.\" says so in writing.  Refer to the General Public License for full
.\" details.
.\"
.\" Everyone is granted permission to copy, modify and redistribute
.\" make-ssh-known-hosts, but only under the conditions described in
.\" the General Public License.  A copy of this license is supposed to
.\" have been given to you along with make-ssh-known-hosts so you can
.\" know your rights and responsibilities.  It should be in a file named
.\" COPYING.  Among other things, the copyright notice and this notice
.\" must be preserved on all copies.
.\" ----------------------------------------------------------------------
.\"       Program: make-ssh-known-hosts.1
.\"	  $Source$
.\"	  Author : $Author$
.\"
.\"	  (C) Tero Kivinen 1995 <Tero.Kivinen@hut.fi>
.\"
.\"	  Creation          : 03:51 Jun 28 1995 kivinen
.\"	  Last Modification : 03:44 Jun 28 1995 kivinen
.\"	  Last check in     : $Date$
.\"	  Revision number   : $Revision$
.\"	  State             : $State$
.\"	  Version	    : 1.1
.\"
.\"	  Description       : Manual page for make-ssh-known-hosts.pl
.\"
.\"	  $Log$
.\"	  Revision 1.1  2000/03/15 01:13:03  damien
.\"	   - Created contrib/ subdirectory. Included helpers from Phil Hands'
.\"	     Debian package, README file and chroot patch from Ricardo Cerqueira
.\"	     <rmcc@clix.pt>
.\"	   - Moved gnome-ssh-askpass.c to contrib directory and reomved config
.\"	     option.
.\"	   - Slight cleanup to doc files
.\"	
.\"	  Revision 1.4  1998/07/08 00:40:14  kivinen
.\"	  	Changed to do similar commercial #ifdef processing than other
.\"	  	files.
.\"
.\"	  Revision 1.3  1998/06/11 00:07:21  kivinen
.\"	  	Fixed comment characters.
.\"
.\" Revision 1.2  1997/04/27  21:48:28  kivinen
.\" 	Added F-SECURE stuff.
.\"
.\"	  Revision 1.1.1.1  1996/02/18 21:38:13  ylo
.\"	  	Imported ssh-1.2.13.
.\"
.\" Revision 1.5  1995/10/02  01:23:23  ylo
.\" 	Make substitutions by configure.
.\"
.\" Revision 1.4  1995/08/31  09:21:35  ylo
.\" 	Minor cleanup.
.\"
.\" Revision 1.3  1995/08/29  22:37:10  ylo
.\" 	Minor cleanup.
.\"
.\" Revision 1.2  1995/07/15  13:26:11  ylo
.\" 	Changes from kivinen.
.\"
.\" Revision 1.1.1.1  1995/07/12  22:41:05  ylo
.\" Imported ssh-1.0.0.
.\"
.\"
.\"
.\" If you have any useful modifications or extensions please send them to
.\" Tero.Kivinen@hut.fi
.\"
.\"
.\"
.\"
.\"
.\" #ifndef F_SECURE_COMMERCIAL
.TH MAKE-SSH-KNOWN-HOSTS 1 "November 8, 1995" "SSH TOOLS" "SSH TOOLS"
.\" #endif F_SECURE_COMMERCIAL
.SH NAME
make-ssh-known-hosts \- make ssh_known_hosts file from DNS data
.SH SYNOPSIS
.na
.TP
.B make-ssh-known-hosts
.RB "[\|" "\-\-initialdns "\c
.I initial_dns\c
\|]
.br
.RB "[\|" "\-\-server "\c
.I domain_name_server\c
\|]
.br
.RB "[\|" "\-\-subdomains "\c
.I comma_separated_list_of_subdomains\c
\|]
.br
.RB "[\|" "\-\-debug "\c
.I debug_level\c
\|]
.br
.RB "[\|" "\-\-timeout "\c
.I ssh_exec_timeout\c
\|]
.br
.RB "[\|" "\-\-pingtimeout "\c
.I ping_timeout\c
\|]
.br
.RB "[\|" "\-\-passwordtimeout "\c
.I timeout_when_asking_password\c
\|]
.br
.RB "[\|" "\-\-notrustdaemon" "\|]"
.br
.RB "[\|" "\-\-norecursive" "\|]"
.br
.RB "[\|" "\-\-domainnamesplit" "\|]"
.br
.RB "[\|" "\-\-silent" "\|]"
.br
.RB "[\|" "\-\-keyscan" "\|]"
.br
.RB "[\|" "\-\-nslookup "\c
.I path_to_nslookup_program\c
\|]
.br
.RB "[\|" "\-\-ssh "\c
.I path_to_ssh_program\c
\|]
.br
.IR "domain_name " "[\|" "take_regexp " "[\|" "remove_regexp"\|]\|]"

.SH DESCRIPTION
.LP
.B make-ssh-known-hosts
is a perl5 script that helps create the
.I /etc/ssh_known_hosts
file, which is used by
.B ssh
to contain the host keys of all publicly known hosts.  
.B Ssh
does not normally permit login using rhosts or /etc/hosts.equiv
authentication unless the server knows the client's host key.  In
addition, the host keys are used to prevent man-in-the-middle attacks.
.LP
In addition to
.IR /etc/ssh_known_hosts ",
.B ssh
also uses the
.I $HOME/.ssh/known_hosts
file.  This file, however, is intended to contain only those hosts
that the particular user needs but are not in the global file.  It is
intended that the
.I /etc/ssh_known_hosts
file be maintained by the system administration, and periodically
updated to contain the host keys for any new hosts.
.LP
The
.B make-ssh-known-hosts
program finds all the hosts in a domain by making a DNS query to the
master domain name server of the domain. The master domain name server
is located by searching for the SOA record of the domain from the initial
domain name server (which can be specified with the
.B \-\-initialdns
option). The master domain name server can also be given directly with
the
.B \-\-server
option.
.LP
After getting the hostname list
.B make-ssh-known-hosts
tries to get the public key from every host in the domain. It first
tries to connect ssh port to check check if the host is alive, and if
so, it tries to run the command
.B cat /etc/ssh_host_key.pub
on the remote machine using
.BR ssh ".
If the command succeeds, it knows the remote machine has
.B ssh
installed properly, and it then extracts the public key from the
output, and prints the
.B /etc/ssh_known_hosts
entry for it to 
.BR STDOUT ". Because
.B make-ssh-known-hosts
is usually run before
remote machines have /etc/ssh_known_hosts file you may have to use
RSA-authentication to allow access to hosts. 
.LP
If the command fails for some reason, it checks if the
.B ssh
client still got the public key from the remote host in the initial dialog,
and if so, it will print a proper entry, and if
.B \-\-notrustdaemon
option is given comment it out.
.LP
.I Domain_name
is the domain name for which the file is to be generated. By default 
.B make-ssh-known-hosts
extracts also all subdomains of domain. Many sites will want to
include several domains in their
.I /etc/ssh_known_hosts
file.  The entries for each domain should be extracted separately by
running
.B make-ssh-known-hosts
once for each domain.  The results should then be combined to create
the final file.
.LP
.I Take_regexp
is a perl regular expression that matches the hosts to be taken from the
domain. The data matched contains all the DNS records in the form "\|\c
.B fieldname=value\c
\|". The fields are separated with newline, and the perl match is made in
multiline mode and it is case insensetive. The multiline mode means
that you can use a regexp like "\|\c
.B ^wks=.*telnet.*$\c
\|" to match all hosts that have WKS (well known services) field that
contains value "telnet".
.LP
.I Remove_regexp
is similar but those hosts that match the regexp are not added (it can
be used for example to filter out PCs and Macs using the hinfo field: "\|\c
.B ^hinfo=.*(mac|pc)\c
\|").

.SH OPTIONS
.TP
.BI "\-\-initialdns " "initial_dns"\c
.TP
.BI "\-i " "initial_dns"\c
\&Set the initial domain name server used to query the SOA record of the
domain.

.TP
.BI "\-\-server " "domain_name_server"\c
.TP
.BI "\-se " "domain_name_server"\c
\&Set the master domain name server of the domain. This host is used
to query the DNS list of the domain.

.TP
.BI "\-\-subdomains " "subdomainlist"\c
.TP
.BI "\-su " "subdomainlist"\c
\&Comma separated list of subdomains that are added to hostnames. For
example, if subdomainlist is "\|\c
.I ,foo, foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c
\|" then when host foobar is added to
.B /etc/ssh_known_hosts
file it has aliases "\|\c
.I foobar, foobar.foo, foobar.foo.bar, foobar.foo.bar.zappa, foobar.foo.bar.zappa.hut.fi\c
\|". The default action is to take all subparts of the host but the
second last on a host by host basis.  (The last element is usually the
country code, and something like 
.I foobar.foo.bar.zappa.hut 
would not make sense.)

.TP
.BI "\-\-debug " "debug_level"\c
.TP
.BI "\-de " "debug_level"\c
\&Set the debug level. Default is 5, bigger values give more output.
Using a big value (like 999) will print lots of debugging output.

.TP
.BI "\-\-timeout " "ssh_exec_timeout"\c
.TP
.BI "\-ti " "ssh_exec_timeout"\c
\&Timeout when executing
.B ssh
command.  The default is 60 seconds.

.TP
.BI "\-\-pingtimeout " "ping_timeout"\c
.TP
.BI "\-pi " "ping_timeout"\c
\&Timeout when trying to ping the ssh port.  The default is 3 seconds.

.TP
.BI "\-\-passwordtimeout " "timeout_when_asking_password"\c
.TP
.BI "\-pa " "timeout_when_asking_password"\c
\&Timeout when asking password for ssh command. Default is that no
passwords are queried. Use value 0 to have no timeout for password queries.

.TP
.BI "\-\-notrustdaemon"\c
.TP
.BI "\-notr"\c
\&If the
.B ssh
command fails, use the public key stored in the local known hosts file
and trust it is the correct key for the host. If this option is not
given such entries are commented out in the generated
.B /etc/ssh_known_hosts
file.

.TP
.BI "\-\-norecursive"\c
.TP
.BI "\-nor"\c
\&Tell
.B make-ssh-known-hosts
that it should only extract keys for the given domain, and not to be
recursive. 

.TP
.BI "\-\-domainnamesplit"\c
.TP
.BI "\-do"\c
\&Split the domainname to get the list of subdomains. Use this option
if you don't want hostname to splitted to pieces automatically.
Default splitting is done host by host basis. If the domain is
zappa.hut.fi, and the host name is foo.bar then default action adds
entries "\|\c
.I foo, foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c
\|" and this options adds entries "\|\c
.I foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c
\|").

.TP
.BI "\-\-silent"\c
.TP
.BI "\-si"\c
\&Be silent.

.TP
.BI "\-\-keyscan"\c
.TP
.BI "\-k"\c
\&Output list of all hosts in format "ipaddr1,ipaddr2,...ipaddrn
hostname.domain.co,hostname,ipaddr1,ipaddr2,all_other_hostname_entries".
The output of this can be feeded to ssh-keyscan to fetch keys.

.TP
.BI "\-\-nslookup " "path_to_nslookup_program"\c
.TP
.BI "\-n " "path_to_nslookup_program"\c
\&Path to the
.B nslookup
program. 

.TP
.BI "\-\-ssh " "path_to_ssh_program"\c
.TP
.BI "\-ss " "path_to_ssh_program"\c
\&Path to the
.B ssh
program, including all options.

.SH EXAMPLES
.LP
The following command:
.IP
.B example# make-ssh-known-hosts cs.hut.fi > \c
.B /etc/ssh_known_hosts
.LP
finds all public keys of the hosts in
.B cs.hut.fi
domain and put them to
.B /etc/ssh_known_hosts
file splitting domain names on a per host basis.
.LP
The command
.IP
.B example% make-ssh-known-hosts hut.fi '^wks=.*ssh' > \c
.B hut-hosts
.LP
finds all hosts in
.B hut.fi
domain, and its subdomains having own name server (cs.hut.fi,
tf.hut.fi, tky.hut.fi) that have ssh service and puts their public key
to hut-hosts file. This would require that the domain name server of
hut.fi would define all hosts running ssh to have entry ssh in their
WKS record. Because nobody yet adds ssh to WKS, it would be better to
use command
.IP
.B example% make-ssh-known-hosts hut.fi '^wks=.*telnet' > \c
.B hut-hosts
.LP
that would take those host having telnet service. This uses default
subdomain list.

.LP
The command:
.IP
.B example% make-ssh-known-hosts hut.fi 'dipoli.hut.fi' '^hinfo=.*(mac|pc)' > \c
.B dipoli-hosts
.LP
finds all hosts in hut.fi domain that are in dipoli.hut.fi subdomain
(note dipoli.hut.fi does not have own name server so its entries are
in hut.fi-server) and that are not Mac or PC.

.SH FILES
.ta 3i
/etc/ssh_known_hosts	Global host public key list

.SH "SEE ALSO"
.BR ssh (1),
.BR sshd (8),
.BR ssh-keygen (1),
.BR ping (8),
.BR nslookup (8),
.BR perl (1),
.BR perlre (1)

.SH AUTHOR
Tero Kivinen <kivinen@hut.fi>

.SH COPYING
.LP
Permission is granted to make and distribute verbatim copies of
this manual provided the copyright notice and this permission notice
are preserved on all copies.
.LP
Permission is granted to copy and distribute modified versions of this
manual under the conditions for verbatim copying, provided that the
entire resulting derived work is distributed under the terms of a
permission notice identical to this one.
.LP
Permission is granted to copy and distribute translations of this
manual into another language, under the above conditions for modified
versions, except that this permission notice may be included in
translations approved by the the author instead of in the original
English.
Commit	Line	Data
13652e52	1	.\" -- nroff --
	2	.\" ----------------------------------------------------------------------
	3	.\" make-ssh-known-hosts.1 -- Make ssh-known-hosts file
	4	.\" Copyright (c) 1995 Tero Kivinen
	5	.\" All Rights Reserved.
	6	.\"
	7	.\" Make-ssh-known-hosts is distributed in the hope that it will be
	8	.\" useful, but WITHOUT ANY WARRANTY. No author or distributor accepts
	9	.\" responsibility to anyone for the consequences of using it or for
	10	.\" whether it serves any particular purpose or works at all, unless he
	11	.\" says so in writing. Refer to the General Public License for full
	12	.\" details.
	13	.\"
	14	.\" Everyone is granted permission to copy, modify and redistribute
	15	.\" make-ssh-known-hosts, but only under the conditions described in
	16	.\" the General Public License. A copy of this license is supposed to
	17	.\" have been given to you along with make-ssh-known-hosts so you can
	18	.\" know your rights and responsibilities. It should be in a file named
	19	.\" COPYING. Among other things, the copyright notice and this notice
	20	.\" must be preserved on all copies.
	21	.\" ----------------------------------------------------------------------
	22	.\" Program: make-ssh-known-hosts.1
	23	.\" $Source$
	24	.\" Author : $Author$
	25	.\"
	26	.\" (C) Tero Kivinen 1995 <Tero.Kivinen@hut.fi>
	27	.\"
	28	.\" Creation : 03:51 Jun 28 1995 kivinen
	29	.\" Last Modification : 03:44 Jun 28 1995 kivinen
	30	.\" Last check in : $Date$
	31	.\" Revision number : $Revision$
	32	.\" State : $State$
	33	.\" Version : 1.1
	34	.\"
	35	.\" Description : Manual page for make-ssh-known-hosts.pl
	36	.\"
	37	.\" $Log$
	38	.\" Revision 1.1 2000/03/15 01:13:03 damien
	39	.\" - Created contrib/ subdirectory. Included helpers from Phil Hands'
	40	.\" Debian package, README file and chroot patch from Ricardo Cerqueira
	41	.\" <rmcc@clix.pt>
	42	.\" - Moved gnome-ssh-askpass.c to contrib directory and reomved config
	43	.\" option.
	44	.\" - Slight cleanup to doc files
	45	.\"
	46	.\" Revision 1.4 1998/07/08 00:40:14 kivinen
	47	.\" Changed to do similar commercial #ifdef processing than other
	48	.\" files.
	49	.\"
	50	.\" Revision 1.3 1998/06/11 00:07:21 kivinen
	51	.\" Fixed comment characters.
	52	.\"
	53	.\" Revision 1.2 1997/04/27 21:48:28 kivinen
	54	.\" Added F-SECURE stuff.
	55	.\"
	56	.\" Revision 1.1.1.1 1996/02/18 21:38:13 ylo
	57	.\" Imported ssh-1.2.13.
	58	.\"
	59	.\" Revision 1.5 1995/10/02 01:23:23 ylo
	60	.\" Make substitutions by configure.
	61	.\"
	62	.\" Revision 1.4 1995/08/31 09:21:35 ylo
	63	.\" Minor cleanup.
	64	.\"
65	.\" Revision 1.3 1995/08/29 22:37:10 ylo
66	.\" Minor cleanup.
67	.\"
68	.\" Revision 1.2 1995/07/15 13:26:11 ylo
69	.\" Changes from kivinen.
70	.\"
71	.\" Revision 1.1.1.1 1995/07/12 22:41:05 ylo
72	.\" Imported ssh-1.0.0.
73	.\"
74	.\"
75	.\"
76	.\" If you have any useful modifications or extensions please send them to
77	.\" Tero.Kivinen@hut.fi
78	.\"
79	.\"
80	.\"
81	.\"
82	.\"
83	.\" #ifndef F_SECURE_COMMERCIAL
84	.TH MAKE-SSH-KNOWN-HOSTS 1 "November 8, 1995" "SSH TOOLS" "SSH TOOLS"
85	.\" #endif F_SECURE_COMMERCIAL
86	.SH NAME
87	make-ssh-known-hosts \- make ssh_known_hosts file from DNS data
88	.SH SYNOPSIS
89	.na
90	.TP
91	.B make-ssh-known-hosts
92	.RB "[\\|" "\-\-initialdns "\c
93	.I initial_dns\c
94	\\|]
95	.br
96	.RB "[\\|" "\-\-server "\c
97	.I domain_name_server\c
98	\\|]
99	.br
100	.RB "[\\|" "\-\-subdomains "\c
101	.I comma_separated_list_of_subdomains\c
102	\\|]
103	.br
104	.RB "[\\|" "\-\-debug "\c
105	.I debug_level\c
106	\\|]
107	.br
108	.RB "[\\|" "\-\-timeout "\c
109	.I ssh_exec_timeout\c
110	\\|]
111	.br
112	.RB "[\\|" "\-\-pingtimeout "\c
113	.I ping_timeout\c
114	\\|]
115	.br
116	.RB "[\\|" "\-\-passwordtimeout "\c
117	.I timeout_when_asking_password\c
118	\\|]
119	.br
120	.RB "[\\|" "\-\-notrustdaemon" "\\|]"
121	.br
122	.RB "[\\|" "\-\-norecursive" "\\|]"
123	.br
124	.RB "[\\|" "\-\-domainnamesplit" "\\|]"
125	.br
126	.RB "[\\|" "\-\-silent" "\\|]"
127	.br
128	.RB "[\\|" "\-\-keyscan" "\\|]"
129	.br
130	.RB "[\\|" "\-\-nslookup "\c
131	.I path_to_nslookup_program\c
132	\\|]
133	.br
134	.RB "[\\|" "\-\-ssh "\c
135	.I path_to_ssh_program\c
136	\\|]
137	.br
138	.IR "domain_name " "[\\|" "take_regexp " "[\\|" "remove_regexp"\\|]\\|]"
139
140	.SH DESCRIPTION
141	.LP
142	.B make-ssh-known-hosts
143	is a perl5 script that helps create the
144	.I /etc/ssh_known_hosts
145	file, which is used by
146	.B ssh
147	to contain the host keys of all publicly known hosts.
148	.B Ssh
149	does not normally permit login using rhosts or /etc/hosts.equiv
150	authentication unless the server knows the client's host key. In
151	addition, the host keys are used to prevent man-in-the-middle attacks.
152	.LP
153	In addition to
154	.IR /etc/ssh_known_hosts ",
155	.B ssh
156	also uses the
157	.I $HOME/.ssh/known_hosts
158	file. This file, however, is intended to contain only those hosts
159	that the particular user needs but are not in the global file. It is
160	intended that the
161	.I /etc/ssh_known_hosts
162	file be maintained by the system administration, and periodically
163	updated to contain the host keys for any new hosts.
164	.LP
165	The
166	.B make-ssh-known-hosts
167	program finds all the hosts in a domain by making a DNS query to the
168	master domain name server of the domain. The master domain name server
169	is located by searching for the SOA record of the domain from the initial
170	domain name server (which can be specified with the
171	.B \-\-initialdns
172	option). The master domain name server can also be given directly with
173	the
174	.B \-\-server
175	option.
176	.LP
177	After getting the hostname list
178	.B make-ssh-known-hosts
179	tries to get the public key from every host in the domain. It first
180	tries to connect ssh port to check check if the host is alive, and if
181	so, it tries to run the command
182	.B cat /etc/ssh_host_key.pub
183	on the remote machine using
184	.BR ssh ".
185	If the command succeeds, it knows the remote machine has
186	.B ssh
187	installed properly, and it then extracts the public key from the
188	output, and prints the
189	.B /etc/ssh_known_hosts
190	entry for it to
191	.BR STDOUT ". Because
192	.B make-ssh-known-hosts
193	is usually run before
194	remote machines have /etc/ssh_known_hosts file you may have to use
195	RSA-authentication to allow access to hosts.
196	.LP
197	If the command fails for some reason, it checks if the
198	.B ssh
199	client still got the public key from the remote host in the initial dialog,
200	and if so, it will print a proper entry, and if
201	.B \-\-notrustdaemon
202	option is given comment it out.
203	.LP
204	.I Domain_name
205	is the domain name for which the file is to be generated. By default
206	.B make-ssh-known-hosts
207	extracts also all subdomains of domain. Many sites will want to
208	include several domains in their
209	.I /etc/ssh_known_hosts
210	file. The entries for each domain should be extracted separately by
211	running
212	.B make-ssh-known-hosts
213	once for each domain. The results should then be combined to create
214	the final file.
215	.LP
216	.I Take_regexp
217	is a perl regular expression that matches the hosts to be taken from the
218	domain. The data matched contains all the DNS records in the form "\\|\c
219	.B fieldname=value\c
220	\\|". The fields are separated with newline, and the perl match is made in
221	multiline mode and it is case insensetive. The multiline mode means
222	that you can use a regexp like "\\|\c
223	.B ^wks=.telnet.$\c
224	\\|" to match all hosts that have WKS (well known services) field that
225	contains value "telnet".
226	.LP
227	.I Remove_regexp
228	is similar but those hosts that match the regexp are not added (it can
229	be used for example to filter out PCs and Macs using the hinfo field: "\\|\c
230	.B ^hinfo=.*(mac\|pc)\c
231	\\|").
232
233	.SH OPTIONS
234	.TP
235	.BI "\-\-initialdns " "initial_dns"\c
236	.TP
237	.BI "\-i " "initial_dns"\c
238	\&Set the initial domain name server used to query the SOA record of the
239	domain.
240
241	.TP
242	.BI "\-\-server " "domain_name_server"\c
243	.TP
244	.BI "\-se " "domain_name_server"\c
245	\&Set the master domain name server of the domain. This host is used
246	to query the DNS list of the domain.
247
248	.TP
249	.BI "\-\-subdomains " "subdomainlist"\c
250	.TP
251	.BI "\-su " "subdomainlist"\c
252	\&Comma separated list of subdomains that are added to hostnames. For
253	example, if subdomainlist is "\\|\c
254	.I ,foo, foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c
255	\\|" then when host foobar is added to
256	.B /etc/ssh_known_hosts
257	file it has aliases "\\|\c
258	.I foobar, foobar.foo, foobar.foo.bar, foobar.foo.bar.zappa, foobar.foo.bar.zappa.hut.fi\c
259	\\|". The default action is to take all subparts of the host but the
260	second last on a host by host basis. (The last element is usually the
261	country code, and something like
262	.I foobar.foo.bar.zappa.hut
263	would not make sense.)
264
265	.TP
266	.BI "\-\-debug " "debug_level"\c
267	.TP
268	.BI "\-de " "debug_level"\c
269	\&Set the debug level. Default is 5, bigger values give more output.
270	Using a big value (like 999) will print lots of debugging output.
271
272	.TP
273	.BI "\-\-timeout " "ssh_exec_timeout"\c
274	.TP
275	.BI "\-ti " "ssh_exec_timeout"\c
276	\&Timeout when executing
277	.B ssh
278	command. The default is 60 seconds.
279
280	.TP
281	.BI "\-\-pingtimeout " "ping_timeout"\c
282	.TP
283	.BI "\-pi " "ping_timeout"\c
284	\&Timeout when trying to ping the ssh port. The default is 3 seconds.
285
286	.TP
287	.BI "\-\-passwordtimeout " "timeout_when_asking_password"\c
288	.TP
289	.BI "\-pa " "timeout_when_asking_password"\c
290	\&Timeout when asking password for ssh command. Default is that no
291	passwords are queried. Use value 0 to have no timeout for password queries.
292
293	.TP
294	.BI "\-\-notrustdaemon"\c
295	.TP
296	.BI "\-notr"\c
297	\&If the
298	.B ssh
299	command fails, use the public key stored in the local known hosts file
300	and trust it is the correct key for the host. If this option is not
301	given such entries are commented out in the generated
302	.B /etc/ssh_known_hosts
303	file.
304
305	.TP
306	.BI "\-\-norecursive"\c
307	.TP
308	.BI "\-nor"\c
309	\&Tell
310	.B make-ssh-known-hosts
311	that it should only extract keys for the given domain, and not to be
312	recursive.
313
314	.TP
315	.BI "\-\-domainnamesplit"\c
316	.TP
317	.BI "\-do"\c
318	\&Split the domainname to get the list of subdomains. Use this option
319	if you don't want hostname to splitted to pieces automatically.
320	Default splitting is done host by host basis. If the domain is
321	zappa.hut.fi, and the host name is foo.bar then default action adds
322	entries "\\|\c
323	.I foo, foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c
324	\\|" and this options adds entries "\\|\c
325	.I foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c
326	\\|").
327
328	.TP
329	.BI "\-\-silent"\c
330	.TP
331	.BI "\-si"\c
332	\&Be silent.
333
334	.TP
335	.BI "\-\-keyscan"\c
336	.TP
337	.BI "\-k"\c
338	\&Output list of all hosts in format "ipaddr1,ipaddr2,...ipaddrn
339	hostname.domain.co,hostname,ipaddr1,ipaddr2,all_other_hostname_entries".
340	The output of this can be feeded to ssh-keyscan to fetch keys.
341
342	.TP
343	.BI "\-\-nslookup " "path_to_nslookup_program"\c
344	.TP
345	.BI "\-n " "path_to_nslookup_program"\c
346	\&Path to the
347	.B nslookup
348	program.
349
350	.TP
351	.BI "\-\-ssh " "path_to_ssh_program"\c
352	.TP
353	.BI "\-ss " "path_to_ssh_program"\c
354	\&Path to the
355	.B ssh
356	program, including all options.
357
358	.SH EXAMPLES
359	.LP
360	The following command:
361	.IP
362	.B example# make-ssh-known-hosts cs.hut.fi > \c
363	.B /etc/ssh_known_hosts
364	.LP
365	finds all public keys of the hosts in
366	.B cs.hut.fi
367	domain and put them to
368	.B /etc/ssh_known_hosts
369	file splitting domain names on a per host basis.
370	.LP
371	The command
372	.IP
373	.B example% make-ssh-known-hosts hut.fi '^wks=.*ssh' > \c
374	.B hut-hosts
375	.LP
376	finds all hosts in
377	.B hut.fi
378	domain, and its subdomains having own name server (cs.hut.fi,
379	tf.hut.fi, tky.hut.fi) that have ssh service and puts their public key
380	to hut-hosts file. This would require that the domain name server of
381	hut.fi would define all hosts running ssh to have entry ssh in their
382	WKS record. Because nobody yet adds ssh to WKS, it would be better to
383	use command
384	.IP
385	.B example% make-ssh-known-hosts hut.fi '^wks=.*telnet' > \c
386	.B hut-hosts
387	.LP
388	that would take those host having telnet service. This uses default
389	subdomain list.
390
391	.LP
392	The command:
393	.IP
394	.B example% make-ssh-known-hosts hut.fi 'dipoli.hut.fi' '^hinfo=.*(mac\|pc)' > \c
395	.B dipoli-hosts
396	.LP
397	finds all hosts in hut.fi domain that are in dipoli.hut.fi subdomain
398	(note dipoli.hut.fi does not have own name server so its entries are
399	in hut.fi-server) and that are not Mac or PC.
400
401	.SH FILES
402	.ta 3i
403	/etc/ssh_known_hosts Global host public key list
404
405	.SH "SEE ALSO"
406	.BR ssh (1),
407	.BR sshd (8),
408	.BR ssh-keygen (1),
409	.BR ping (8),
410	.BR nslookup (8),
411	.BR perl (1),
412	.BR perlre (1)
413
414	.SH AUTHOR
415	Tero Kivinen <kivinen@hut.fi>
416
417	.SH COPYING
418	.LP
419	Permission is granted to make and distribute verbatim copies of
420	this manual provided the copyright notice and this permission notice
421	are preserved on all copies.
422	.LP
423	Permission is granted to copy and distribute modified versions of this
424	manual under the conditions for verbatim copying, provided that the
425	entire resulting derived work is distributed under the terms of a
426	permission notice identical to this one.
427	.LP
428	Permission is granted to copy and distribute translations of this
429	manual into another language, under the above conditions for modified
430	versions, except that this permission notice may be included in
431	translations approved by the the author instead of in the original
432	English.