-.\" $OpenBSD: ssh-keyscan.1,v 1.11 2001/08/23 18:08:59 stevesk Exp $
+.\" $OpenBSD: ssh-keyscan.1,v 1.17 2003/06/10 09:12:11 jmc Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
.Nd gather ssh public keys
.Sh SYNOPSIS
.Nm ssh-keyscan
+.Bk -words
.Op Fl v46
.Op Fl p Ar port
.Op Fl T Ar timeout
.Op Fl f Ar file
.Op Ar host | addrlist namelist
.Op Ar ...
+.Ek
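Review bot: the SYNOPSIS lists -v46, -p, -T and -f but no `-t type`, although the option list below documents it (`.It Fl t Ar type`). If that entry is really absent and not just dropped from this excerpt, add `.Op Fl t Ar type` inside the new `.Bk -words` / `.Ek` block, between the -T and -f entries, so the synopsis matches the documented options. The `.Bk -words` wrapping itself is right: it keeps each flag from being separated from its argument at a line break.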
.Sh DESCRIPTION
.Nm
is a utility for gathering the public ssh host keys of a number of
-hosts. It was designed to aid in building and verifying
+hosts.
+It was designed to aid in building and verifying
.Pa ssh_known_hosts
files.
.Nm
.Pp
.Nm
uses non-blocking socket I/O to contact as many hosts as possible in
-parallel, so it is very efficient. The keys from a domain of 1,000
+parallel, so it is very efficient.
+The keys from a domain of 1,000
hosts can be collected in tens of seconds, even when some of those
-hosts are down or do not run ssh. You do not need login access to the
-machines you are scanning, nor does the scanning process involve
-any encryption.
+hosts are down or do not run ssh.
+For scanning, one does not need
+login access to the machines that are being scanned, nor does the
+scanning process involve any encryption.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl p Ar port
Port to connect to on the remote host.
.It Fl T Ar timeout
-Set the timeout for connection attempts. If
+Set the timeout for connection attempts.
+If
.Pa timeout
seconds have elapsed since a connection was initiated to a host or since the
last time anything was read from that host, then the connection is
-closed and the host in question considered unavailable. Default is 5
-seconds.
+closed and the host in question considered unavailable.
+Default is 5 seconds.
.It Fl t Ar type
Specifies the type of the key to fetch from the scanned hosts.
The possible values are
to use IPv6 addresses only.
.El
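Review bot: in the -T description, `timeout` on the line after "If" is marked with `.Pa`, which is for pathnames; it is the argument named on the `.It Fl T Ar timeout` line, so it should be `.Ar timeout`. The new sentence split is fine, and the text is precise about the semantics worth keeping: the timer restarts on every read from the host, so a slow but responsive host is not cut off, while the 5-second default also covers the initial connection attempt.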
.Sh SECURITY
-If you make an ssh_known_hosts file using
+If a ssh_known_hosts file is constructed using
.Nm
-without verifying the keys, you will be vulnerable to
+without verifying the keys, users will be vulnerable to
.I man in the middle
attacks.
-On the other hand, if your security model allows such a risk,
+On the other hand, if the security model allows such a risk,
.Nm
-can help you detect tampered keyfiles or man in the middle attacks which
-have begun after you created your ssh_known_hosts file.
-.Sh EXAMPLES
-.Pp
-Print the
-.Pa rsa1
-host key for machine
-.Pa hostname :
-.Bd -literal
-ssh-keyscan hostname
-.Ed
-.Pp
-Find all hosts from the file
-.Pa ssh_hosts
-which have new or different keys from those in the sorted file
-.Pa ssh_known_hosts :
-.Bd -literal
-ssh-keyscan -t rsa,dsa -f ssh_hosts | \e\
- sort -u - ssh_known_hosts | diff ssh_known_hosts -
-.Ed
+can help in the detection of tampered keyfiles or man in the middle
+attacks which have begun after the ssh_known_hosts file was created.
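Review bot: "If a ssh_known_hosts file" should be "If an ssh_known_hosts file" (the name is read letter by letter); and `ssh_known_hosts` is bare text in both sentences here while DESCRIPTION marks it `.Pa ssh_known_hosts`, so mark it the same way. The unchanged `.I man in the middle` line uses a man(7) macro in an mdoc page; `.Em man in the middle` is the mdoc equivalent. The reworded second sentence keeps the essential caveat and should stay as written: keys collected without verification only allow later tampering to be detected relative to the first, unverified snapshot, which is exactly the "if the security model allows such a risk" condition. Removing the EXAMPLES block here is fine given that it reappears after FILES further down, which follows the mdoc(7) section order.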
.Sh FILES
.Pa Input format:
.Bd -literal
is either
.Dq ssh-rsa
or
-.Dq ssh-dsa .
+.Dq ssh-dss .
.Pp
-.Pa /etc/ssh_known_hosts
-.Sh BUGS
-It generates "Connection closed by remote host" messages on the consoles
-of all the machines it scans if the server is older than version 2.9.
-This is because it opens a connection to the ssh port, reads the public
-key, and drops the connection as soon as it gets the key.
+.Pa /etc/ssh/ssh_known_hosts
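Review bot: `ssh-dsa` to `ssh-dss` is a correct fix: `ssh-dss` is the protocol 2 key-type string that appears in the key-type field of the output, and anyone filtering the tool's output for `ssh-dsa` would match nothing. The `/etc/ssh/ssh_known_hosts` path agrees with the `/etc/ssh` layout used for OpenSSH's other configuration files. Nit in the unchanged text: `.Pa Input format:` marks a label as a pathname; plain text or `.Sy` would be more appropriate.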
+.Sh EXAMPLES
+Print the
+.Pa rsa1
+host key for machine
+.Pa hostname :
+.Bd -literal
+$ ssh-keyscan hostname
+.Ed
+.Pp
+Find all hosts from the file
+.Pa ssh_hosts
+which have new or different keys from those in the sorted file
+.Pa ssh_known_hosts :
+.Bd -literal
+$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e
+ sort -u - ssh_known_hosts | diff ssh_known_hosts -
+.Ed
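Review bot: the moved examples fix the literal block: the trailing `\` after `\e` on the old line is a roff line-continuation escape, so the old example collapsed onto one rendered line, whereas `\e` alone renders a single backslash followed by the real line break; the added `$ ` prompts also make clear these are shell commands. Two things to check: the first example says it prints the `rsa1` key but passes no `-t`, so it relies on rsa1 being the default type, which the text should state (or pass `-t rsa1` explicitly). The second example only works as described when `ssh_known_hosts` is already sorted, because `diff ssh_known_hosts -` compares against the `sort -u` merge and an unsorted file produces spurious differences; the text does say "sorted file", which is right. Nit: `.Pa hostname` and `.Pa rsa1` should be `.Ar hostname` and `.Dq rsa1`, since neither is a pathname.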
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr sshd 8
.Sh AUTHORS
-David Mazieres <dm@lcs.mit.edu>
+.An David Mazieres Aq dm@lcs.mit.edu
wrote the initial version, and
-Wayne Davison <wayned@users.sourceforge.net>
+.An Wayne Davison Aq wayned@users.sourceforge.net
added support for protocol version 2.
+.Sh BUGS
+It generates "Connection closed by remote host" messages on the consoles
+of all the machines it scans if the server is older than version 2.9.
+This is because it opens a connection to the ssh port, reads the public
+key, and drops the connection as soon as it gets the key.
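Review bot: "It generates ..." now opens a section that follows AUTHORS, so "It" has no antecedent; use `.Nm` in place of "It". The sentence should also say that "version 2.9" refers to the sshd version on the scanned host, since the page otherwise speaks only of ssh.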