-.Dd January 1, 1996
-.Dt ssh-keyscan 1
+.\" $OpenBSD: ssh-keyscan.1,v 1.28 2010/01/09 23:04:13 dtucker Exp $
+.\"
+.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
+.\"
+.\" Modification and redistribution in source and binary forms is
+.\" permitted provided that due credit is given to the author and the
+.\" OpenBSD project by leaving this copyright notice intact.
+.\"
+.Dd $Mdocdate$
+.Dt SSH-KEYSCAN 1
.Os
.Sh NAME
.Nm ssh-keyscan
.Nd gather ssh public keys
.Sh SYNOPSIS
.Nm ssh-keyscan
-.Op Fl t Ar timeout
-.Op Ar -- | host | addrlist namelist
-.Op Fl f Ar files ...
+.Bk -words
+.Op Fl 46Hv
+.Op Fl f Ar file
+.Op Fl p Ar port
+.Op Fl T Ar timeout
+.Op Fl t Ar type
+.Op Ar host | addrlist namelist
+.Ar ...
+.Ek
.Sh DESCRIPTION
.Nm
is a utility for gathering the public ssh host keys of a number of
-hosts. It was designed to aid in building and verifying
+hosts.
+It was designed to aid in building and verifying
.Pa ssh_known_hosts
files.
.Nm
.Pp
.Nm
uses non-blocking socket I/O to contact as many hosts as possible in
-parallel, so it is very efficient. The keys from a domain of 1,000
+parallel, so it is very efficient.
+The keys from a domain of 1,000
hosts can be collected in tens of seconds, even when some of those
-hosts are down or do not run ssh. You do not need login access to the
-machines you are scanning, nor does does the scanning process involve
-any encryption.
-.Sh SECURITY
-If you make an ssh_known_hosts file using
+hosts are down or do not run ssh.
+For scanning, one does not need
+login access to the machines that are being scanned, nor does the
+scanning process involve any encryption.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl 4
+Forces
.Nm
-without verifying the keys, you will be vulnerable to
-.I man in the middle
-attacks.
-On the other hand, if your security model allows such a risk,
+to use IPv4 addresses only.
+.It Fl 6
+Forces
.Nm
-can help you detect tampered keyfiles or man in the middle attacks which
-have begun after you created your ssh_known_hosts file.
-.Sh OPTIONS
-.Bl -tag -width Ds
-.It Fl t
-Set the timeout for connection attempts. If
-.Pa timeout
-seconds have elapsed since a connection was initiated to a host or since the
-last time anything was read from that host, then the connection is
-closed and the host in question considered unavailable. Default is 5
-seconds.
-.It Fl f
-Read hosts or
+to use IPv6 addresses only.
+.It Fl f Ar file
+Read hosts or
.Pa addrlist namelist
pairs from this file, one per line.
If
.Pa -
is supplied instead of a filename,
.Nm
-will read hosts or
+will read hosts or
.Pa addrlist namelist
pairs from the standard input.
+.It Fl H
+Hash all hostnames and addresses in the output.
+Hashed names may be used normally by
+.Nm ssh
+and
+.Nm sshd ,
+but they do not reveal identifying information should the file's contents
+be disclosed.
+.It Fl p Ar port
+Port to connect to on the remote host.
+.It Fl T Ar timeout
+Set the timeout for connection attempts.
+If
+.Pa timeout
+seconds have elapsed since a connection was initiated to a host or since the
+last time anything was read from that host, then the connection is
+closed and the host in question considered unavailable.
+Default is 5 seconds.
+.It Fl t Ar type
+Specifies the type of the key to fetch from the scanned hosts.
+The possible values are
+.Dq rsa1
+for protocol version 1 and
+.Dq rsa
+or
+.Dq dsa
+for protocol version 2.
+Multiple values may be specified by separating them with commas.
+The default is
+.Dq rsa .
+.It Fl v
+Verbose mode.
+Causes
+.Nm
+to print debugging messages about its progress.
.El
-.Sh EXAMPLES
+.Sh SECURITY
+If an ssh_known_hosts file is constructed using
+.Nm
+without verifying the keys, users will be vulnerable to
+.Em man in the middle
+attacks.
+On the other hand, if the security model allows such a risk,
+.Nm
+can help in the detection of tampered keyfiles or man in the middle
+attacks which have begun after the ssh_known_hosts file was created.
+.Sh FILES
+.Pa Input format:
+.Bd -literal
+1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
+.Ed
+.Pp
+.Pa Output format for rsa1 keys:
+.Bd -literal
+host-or-namelist bits exponent modulus
+.Ed
.Pp
-Print the host key for machine
+.Pa Output format for rsa and dsa keys:
+.Bd -literal
+host-or-namelist keytype base64-encoded-key
+.Ed
+.Pp
+Where
+.Pa keytype
+is either
+.Dq ssh-rsa
+or
+.Dq ssh-dss .
+.Pp
+.Pa /etc/ssh/ssh_known_hosts
+.Sh EXAMPLES
+Print the
+.Pa rsa
+host key for machine
.Pa hostname :
.Bd -literal
-ssh-keyscan hostname
+$ ssh-keyscan hostname
.Ed
.Pp
Find all hosts from the file
which have new or different keys from those in the sorted file
.Pa ssh_known_hosts :
.Bd -literal
-ssh-keyscan -f ssh_hosts | sort -u - ssh_known_hosts | \e\
- diff ssh_known_hosts -
+$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e
+ sort -u - ssh_known_hosts | diff ssh_known_hosts -
.Ed
-.Pp
-.Sh FILES
-.Pp
-.Pa Input format:
-1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
-.Pp
-.Pa Output format:
-host-or-namelist bits exponent modulus
-.Pp
-.Pa /etc/ssh_known_hosts
+.Sh SEE ALSO
+.Xr ssh 1 ,
+.Xr sshd 8
+.Sh AUTHORS
+.An -nosplit
+.An David Mazieres Aq dm@lcs.mit.edu
+wrote the initial version, and
+.An Wayne Davison Aq wayned@users.sourceforge.net
+added support for protocol version 2.
.Sh BUGS
It generates "Connection closed by remote host" messages on the consoles
-of all the machines it scans.
+of all the machines it scans if the server is older than version 2.9.
This is because it opens a connection to the ssh port, reads the public
key, and drops the connection as soon as it gets the key.
-.Sh SEE ALSO
-.Xr ssh 1
-.Xr sshd 8
-.Sh AUTHOR
-David Mazieres <dm@lcs.mit.edu>
andersk / openssh.git / blobdiff