-.\" $OpenBSD: ssh-keyscan.1,v 1.16 2003/05/12 18:35:18 markus Exp $
+.\" $OpenBSD: ssh-keyscan.1,v 1.25 2008/11/01 11:14:36 sobrado Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
.\" permitted provided that due credit is given to the author and the
.\" OpenBSD project by leaving this copyright notice intact.
.\"
-.Dd January 1, 1996
+.Dd $Mdocdate$
.Dt SSH-KEYSCAN 1
.Os
.Sh NAME
.Sh SYNOPSIS
.Nm ssh-keyscan
.Bk -words
-.Op Fl v46
+.Op Fl 46Hv
+.Op Fl f Ar file
.Op Fl p Ar port
.Op Fl T Ar timeout
.Op Fl t Ar type
-.Op Fl f Ar file
.Op Ar host | addrlist namelist
-.Op Ar ...
+.Ar ...
.Ek
.Sh DESCRIPTION
.Nm
.Pp
The options are as follows:
.Bl -tag -width Ds
+.It Fl 4
+Forces
+.Nm
+to use IPv4 addresses only.
+.It Fl 6
+Forces
+.Nm
+to use IPv6 addresses only.
+.It Fl f Ar file
+Read hosts or
+.Pa addrlist namelist
+pairs from this file, one per line.
+If
+.Pa -
+is supplied instead of a filename,
+.Nm
+will read hosts or
+.Pa addrlist namelist
+pairs from the standard input.
+.It Fl H
+Hash all hostnames and addresses in the output.
+Hashed names may be used normally by
+.Nm ssh
+and
+.Nm sshd ,
+but they do not reveal identifying information should the file's contents
+be disclosed.
.It Fl p Ar port
Port to connect to on the remote host.
.It Fl T Ar timeout
for protocol version 2.
Multiple values may be specified by separating them with commas.
The default is
-.Dq rsa1 .
-.It Fl f Ar filename
-Read hosts or
-.Pa addrlist namelist
-pairs from this file, one per line.
-If
-.Pa -
-is supplied instead of a filename,
-.Nm
-will read hosts or
-.Pa addrlist namelist
-pairs from the standard input.
+.Dq rsa .
.It Fl v
Verbose mode.
Causes
.Nm
to print debugging messages about its progress.
-.It Fl 4
-Forces
-.Nm
-to use IPv4 addresses only.
-.It Fl 6
-Forces
-.Nm
-to use IPv6 addresses only.
.El
.Sh SECURITY
-If a ssh_known_hosts file is constructed using
+If an ssh_known_hosts file is constructed using
.Nm
without verifying the keys, users will be vulnerable to
-.I man in the middle
+.Em man in the middle
attacks.
On the other hand, if the security model allows such a risk,
.Nm
can help in the detection of tampered keyfiles or man in the middle
attacks which have begun after the ssh_known_hosts file was created.
-.Sh EXAMPLES
-.Pp
-Print the
-.Pa rsa1
-host key for machine
-.Pa hostname :
-.Bd -literal
-$ ssh-keyscan hostname
-.Ed
-.Pp
-Find all hosts from the file
-.Pa ssh_hosts
-which have new or different keys from those in the sorted file
-.Pa ssh_known_hosts :
-.Bd -literal
-$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e\
- sort -u - ssh_known_hosts | diff ssh_known_hosts -
-.Ed
.Sh FILES
.Pa Input format:
.Bd -literal
.Dq ssh-dss .
.Pp
.Pa /etc/ssh/ssh_known_hosts
-.Sh BUGS
-It generates "Connection closed by remote host" messages on the consoles
-of all the machines it scans if the server is older than version 2.9.
-This is because it opens a connection to the ssh port, reads the public
-key, and drops the connection as soon as it gets the key.
+.Sh EXAMPLES
+Print the
+.Pa rsa1
+host key for machine
+.Pa hostname :
+.Bd -literal
+$ ssh-keyscan hostname
+.Ed
+.Pp
+Find all hosts from the file
+.Pa ssh_hosts
+which have new or different keys from those in the sorted file
+.Pa ssh_known_hosts :
+.Bd -literal
+$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e
+ sort -u - ssh_known_hosts | diff ssh_known_hosts -
+.Ed
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr sshd 8
.Sh AUTHORS
-David Mazieres <dm@lcs.mit.edu>
+.An -nosplit
+.An David Mazieres Aq dm@lcs.mit.edu
wrote the initial version, and
-Wayne Davison <wayned@users.sourceforge.net>
+.An Wayne Davison Aq wayned@users.sourceforge.net
added support for protocol version 2.
+.Sh BUGS
+It generates "Connection closed by remote host" messages on the consoles
+of all the machines it scans if the server is older than version 2.9.
+This is because it opens a connection to the ssh port, reads the public
+key, and drops the connection as soon as it gets the key.