X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/5061072ffcd98e090af507a1f92ed159d08ff414..29c8227004ff680cd02dc7d4dc5f706598a584fb:/ssh-keyscan.1 diff --git a/ssh-keyscan.1 b/ssh-keyscan.1 index b348bc25..9efcf521 100644 --- a/ssh-keyscan.1 +++ b/ssh-keyscan.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keyscan.1,v 1.10 2001/08/05 23:18:20 markus Exp $ +.\" $OpenBSD: ssh-keyscan.1,v 1.18 2004/07/12 23:34:25 brad Exp $ .\" .\" Copyright 1995, 1996 by David Mazieres . .\" @@ -14,6 +14,7 @@ .Nd gather ssh public keys .Sh SYNOPSIS .Nm ssh-keyscan +.Bk -words .Op Fl v46 .Op Fl p Ar port .Op Fl T Ar timeout @@ -21,10 +22,12 @@ .Op Fl f Ar file .Op Ar host | addrlist namelist .Op Ar ... +.Ek .Sh DESCRIPTION .Nm is a utility for gathering the public ssh host keys of a number of -hosts. It was designed to aid in building and verifying +hosts. +It was designed to aid in building and verifying .Pa ssh_known_hosts files. .Nm 
@@ -33,25 +36,28 @@ scripts. .Pp .Nm uses non-blocking socket I/O to contact as many hosts as possible in -parallel, so it is very efficient. The keys from a domain of 1,000 +parallel, so it is very efficient. +The keys from a domain of 1,000 hosts can be collected in tens of seconds, even when some of those -hosts are down or do not run ssh. You do not need login access to the -machines you are scanning, nor does the scanning process involve -any encryption. +hosts are down or do not run ssh. +For scanning, one does not need +login access to the machines that are being scanned, nor does the +scanning process involve any encryption. .Pp The options are as follows: .Bl -tag -width Ds .It Fl p Ar port Port to connect to on the remote host. -.It Fl T -Set the timeout for connection attempts. If +.It Fl T Ar timeout +Set the timeout for connection attempts. +If .Pa timeout seconds have elapsed since a connection was initiated to a host or since the last time anything was read from that host, then the connection is -closed and the host in question considered unavailable. Default is 5 -seconds. +closed and the host in question considered unavailable. +Default is 5 seconds. .It Fl t Ar type -Specifies the type of the key to fetch from the following hosts. +Specifies the type of the key to fetch from the scanned hosts. The possible values are .Dq rsa1 for protocol version 1 and 
@@ -88,33 +94,15 @@ Forces to use IPv6 addresses only. .El .Sh SECURITY -If you make an ssh_known_hosts file using +If a ssh_known_hosts file is constructed using .Nm -without verifying the keys, you will be vulnerable to -.I man in the middle +without verifying the keys, users will be vulnerable to +.Em man in the middle attacks. -On the other hand, if your security model allows such a risk, +On the other hand, if the security model allows such a risk, .Nm -can help you detect tampered keyfiles or man in the middle attacks which -have begun after you created your ssh_known_hosts file. -.Sh EXAMPLES -.Pp -Print the -.Pa rsa1 -host key for machine -.Pa hostname : -.Bd -literal -ssh-keyscan hostname -.Ed -.Pp -Find all hosts from the file -.Pa ssh_hosts -which have new or different keys from those in the sorted file -.Pa ssh_known_hosts : -.Bd -literal -ssh-keyscan -t rsa,dsa -f ssh_hosts | \e\ - sort -u - ssh_known_hosts | diff ssh_known_hosts - -.Ed +can help in the detection of tampered keyfiles or man in the middle +attacks which have begun after the ssh_known_hosts file was created. .Sh FILES .Pa Input format: .Bd -literal 
@@ -136,19 +124,36 @@ Where is either .Dq ssh-rsa or -.Dq ssh-dsa . +.Dq ssh-dss . .Pp -.Pa /etc/ssh_known_hosts -.Sh BUGS -It generates "Connection closed by remote host" messages on the consoles -of all the machines it scans if the server is older than version 2.9. -This is because it opens a connection to the ssh port, reads the public -key, and drops the connection as soon as it gets the key. +.Pa /etc/ssh/ssh_known_hosts +.Sh EXAMPLES +Print the +.Pa rsa1 +host key for machine +.Pa hostname : +.Bd -literal +$ ssh-keyscan hostname +.Ed +.Pp +Find all hosts from the file +.Pa ssh_hosts +which have new or different keys from those in the sorted file +.Pa ssh_known_hosts : +.Bd -literal +$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e + sort -u - ssh_known_hosts | diff ssh_known_hosts - +.Ed .Sh SEE ALSO .Xr ssh 1 , .Xr sshd 8 .Sh AUTHORS -David Mazieres +.An David Mazieres Aq dm@lcs.mit.edu wrote the initial version, and -Wayne Davison +.An Wayne Davison Aq wayned@users.sourceforge.net added support for protocol version 2. +.Sh BUGS +It generates "Connection closed by remote host" messages on the consoles +of all the machines it scans if the server is older than version 2.9. +This is because it opens a connection to the ssh port, reads the public +key, and drops the connection as soon as it gets the key.
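Review bot: in the @@ -14,6 +14,7 @@ and @@ -21,10 +22,12 @@ hunks the `.Bk -words` keep-block opened after `.Nm ssh-keyscan` is only closed by the `.Ek` added after `.Op Ar ...` in the next hunk, so the two hunks must be applied together; as shown they are balanced, and the pair correctly keeps the option list from being broken across output lines in the SYNOPSIS.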
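Review bot: `.Pa timeout` in the @@ -33,25 +36,28 @@ hunk still tags the -T argument as a pathname even though the item header just above it is corrected to `.It Fl T Ar timeout`; change that line to `.Ar timeout` so the argument is marked the same way as in the SYNOPSIS. The reworded sentence "For scanning, one does not need login access to the machines that are being scanned" is also awkward; something like "Login access to the scanned machines is not required, nor does the scanning process involve any encryption." reads better and keeps the one-sentence-per-line layout the hunk introduces.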
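Review bot: the rewritten SECURITY text in the @@ -88,33 +94,15 @@ hunk leaves `ssh_known_hosts` as a bare word in both sentences while the DESCRIPTION section tags the same file with `.Pa ssh_known_hosts`; use the same macro here. The `.I` to `.Em` change is right, since `.I` is a man(7) macro and this page is written in mdoc(7), and dropping the `.Pp` that followed `.Sh EXAMPLES` removes a paragraph break at the start of a section, which mdoc treats as an error; the examples themselves are re-added further down rather than lost.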
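Review bot: the continuation in the re-added second example of the @@ -136,19 +124,36 @@ hunk is now `\e` rather than the old `\e\`: `\e` renders a literal backslash, but the extra trailing `\` in the old text was a roff input-line continuation that joined the next line, so the rendered example lost the line break the shell pipeline depends on; this fix deserves a mention in the commit message. The `ssh-dsa` to `ssh-dss` correction is also right, as `ssh-dss` is the key type string that appears in the output lines the FILES section describes, and the `.Pa /etc/ssh/ssh_known_hosts` path now matches the location the surrounding sections refer to. Moving BUGS after AUTHORS follows the conventional mdoc section order.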