X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/4371658c4329ff0ca55a5bf27bf451b5b47f8fb9..851a428e76e2ea81cf1594174858f228e9dc7734:/ssh-keyscan.1 diff --git a/ssh-keyscan.1 b/ssh-keyscan.1 index eace55dd..01f31846 100644 --- a/ssh-keyscan.1 +++ b/ssh-keyscan.1 @@ -1,13 +1,12 @@ -.\" $OpenBSD: ssh-keyscan.1,v 1.4 2001/03/01 03:38:33 deraadt Exp $ +.\" $OpenBSD: ssh-keyscan.1,v 1.28 2010/01/09 23:04:13 dtucker Exp $ .\" .\" Copyright 1995, 1996 by David Mazieres . .\" .\" Modification and redistribution in source and binary forms is .\" permitted provided that due credit is given to the author and the -.\" OpenBSD project (for instance by leaving this copyright notice -.\" intact). +.\" OpenBSD project by leaving this copyright notice intact. .\" -.Dd January 1, 1996 +.Dd $Mdocdate$ .Dt SSH-KEYSCAN 1 .Os .Sh NAME @@ -15,13 +14,20 @@ .Nd gather ssh public keys .Sh SYNOPSIS .Nm ssh-keyscan -.Op Fl t Ar timeout -.Op Ar -- | host | addrlist namelist -.Op Fl f Ar files ... +.Bk -words +.Op Fl 46Hv +.Op Fl f Ar file +.Op Fl p Ar port +.Op Fl T Ar timeout +.Op Fl t Ar type +.Op Ar host | addrlist namelist +.Ar ... +.Ek .Sh DESCRIPTION .Nm is a utility for gathering the public ssh host keys of a number of -hosts. It was designed to aid in building and verifying +hosts. +It was designed to aid in building and verifying .Pa ssh_known_hosts files. .Nm 
@@ -30,48 +36,112 @@ scripts. .Pp .Nm uses non-blocking socket I/O to contact as many hosts as possible in -parallel, so it is very efficient. The keys from a domain of 1,000 +parallel, so it is very efficient. +The keys from a domain of 1,000 hosts can be collected in tens of seconds, even when some of those -hosts are down or do not run ssh. You do not need login access to the -machines you are scanning, nor does does the scanning process involve -any encryption. -.Sh SECURITY -If you make an ssh_known_hosts file using +hosts are down or do not run ssh. +For scanning, one does not need +login access to the machines that are being scanned, nor does the +scanning process involve any encryption. +.Pp +The options are as follows: +.Bl -tag -width Ds +.It Fl 4 +Forces .Nm -without verifying the keys, you will be vulnerable to -.I man in the middle -attacks. -On the other hand, if your security model allows such a risk, +to use IPv4 addresses only. +.It Fl 6 +Forces .Nm -can help you detect tampered keyfiles or man in the middle attacks which -have begun after you created your ssh_known_hosts file. -.Sh OPTIONS -.Bl -tag -width Ds -.It Fl t -Set the timeout for connection attempts. If -.Pa timeout -seconds have elapsed since a connection was initiated to a host or since the -last time anything was read from that host, then the connection is -closed and the host in question considered unavailable. Default is 5 -seconds. -.It Fl f -Read hosts or +to use IPv6 addresses only. +.It Fl f Ar file +Read hosts or .Pa addrlist namelist pairs from this file, one per line. If .Pa - is supplied instead of a filename, .Nm -will read hosts or +will read hosts or .Pa addrlist namelist pairs from the standard input. +.It Fl H +Hash all hostnames and addresses in the output. +Hashed names may be used normally by +.Nm ssh +and +.Nm sshd , +but they do not reveal identifying information should the file's contents +be disclosed. +.It Fl p Ar port +Port to connect to on the remote host. 
+.It Fl T Ar timeout +Set the timeout for connection attempts. +If +.Pa timeout +seconds have elapsed since a connection was initiated to a host or since the +last time anything was read from that host, then the connection is +closed and the host in question considered unavailable. +Default is 5 seconds. +.It Fl t Ar type +Specifies the type of the key to fetch from the scanned hosts. +The possible values are +.Dq rsa1 +for protocol version 1 and +.Dq rsa +or +.Dq dsa +for protocol version 2. +Multiple values may be specified by separating them with commas. +The default is +.Dq rsa . +.It Fl v +Verbose mode. +Causes +.Nm +to print debugging messages about its progress. .El -.Sh EXAMPLES +.Sh SECURITY +If an ssh_known_hosts file is constructed using +.Nm +without verifying the keys, users will be vulnerable to +.Em man in the middle +attacks. +On the other hand, if the security model allows such a risk, +.Nm +can help in the detection of tampered keyfiles or man in the middle +attacks which have begun after the ssh_known_hosts file was created. +.Sh FILES +.Pa Input format: +.Bd -literal +1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 +.Ed .Pp -Print the host key for machine +.Pa Output format for rsa1 keys: +.Bd -literal +host-or-namelist bits exponent modulus +.Ed +.Pp +.Pa Output format for rsa and dsa keys: +.Bd -literal +host-or-namelist keytype base64-encoded-key +.Ed +.Pp +Where +.Pa keytype +is either +.Dq ssh-rsa +or +.Dq ssh-dss . +.Pp +.Pa /etc/ssh/ssh_known_hosts +.Sh EXAMPLES +Print the +.Pa rsa +host key for machine .Pa hostname : .Bd -literal -ssh-keyscan hostname +$ ssh-keyscan hostname .Ed .Pp Find all hosts from the file 
@@ -79,26 +149,20 @@ Find all hosts from the file which have new or different keys from those in the sorted file .Pa ssh_known_hosts : .Bd -literal -$ ssh-keyscan -f ssh_hosts | sort -u - ssh_known_hosts | \e\ - diff ssh_known_hosts - +$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e + sort -u - ssh_known_hosts | diff ssh_known_hosts - .Ed -.Pp -.Sh FILES -.Pp -.Pa Input format: -1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 -.Pp -.Pa Output format: -host-or-namelist bits exponent modulus -.Pp -.Pa /etc/ssh_known_hosts +.Sh SEE ALSO +.Xr ssh 1 , +.Xr sshd 8 +.Sh AUTHORS +.An -nosplit +.An David Mazieres Aq dm@lcs.mit.edu +wrote the initial version, and +.An Wayne Davison Aq wayned@users.sourceforge.net +added support for protocol version 2. .Sh BUGS It generates "Connection closed by remote host" messages on the consoles -of all the machines it scans. +of all the machines it scans if the server is older than version 2.9. This is because it opens a connection to the ssh port, reads the public key, and drops the connection as soon as it gets the key. -.Sh SEE ALSO -.Xr ssh 1 , -.Xr sshd 8 -.Sh AUTHOR -David Mazieres
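Review bot: The first hunk changes the wording of the license condition, not just its line breaks: "(for instance by leaving this copyright notice intact)" becomes "by leaving this copyright notice intact", which turns an illustrative example into the sole stated way of satisfying the credit requirement. A sync of the manual page against the newer $OpenBSD$ revision should either carry the upstream text verbatim (and the commit message should say that is where the rewording comes from) or leave the notice untouched; license text should not be altered as a side effect of a documentation update.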
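Review bot: The new `.It Fl p Ar port` entry in the second hunk documents only "Port to connect to on the remote host." without stating the default, while the neighbouring `-T timeout` entry does give its default ("Default is 5 seconds."). Add the default port here so the two entries are consistent and a reader scanning a non-standard port knows when the option is actually required. The `-H` text in the same hunk is otherwise clear, but it would help to say that hashing protects the known_hosts file's contents, not the connection itself, since the preceding paragraph already notes that the scan involves no encryption.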
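Review bot: The third hunk uses the `.Pa` (pathname) macro for text that is not a path: `.Pa timeout` under `-T`, the pseudo-headings `.Pa Input format:` / `.Pa Output format for rsa1 keys:` / `.Pa Output format for rsa and dsa keys:`, and `.Pa keytype`. Use `.Ar` for the argument names and `.Sy` (or plain text) for the format labels, keeping `.Pa` for `/etc/ssh/ssh_known_hosts`, so the FILES section renders as a file list rather than a run of bogus pathnames. The SECURITY text itself is fine, but it would read more naturally directly after the DESCRIPTION than after the option list, since it qualifies when the tool's output may be trusted at all.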