Mike Lockwood | 1305e95 | 2011-12-07 08:17:59 -0800 | [diff] [blame] | 1 | .\" $OpenBSD: ssh-keyscan.1,v 1.29 2010/08/31 11:54:45 djm Exp $ |
| 2 | .\" |
| 3 | .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. |
| 4 | .\" |
| 5 | .\" Modification and redistribution in source and binary forms is |
| 6 | .\" permitted provided that due credit is given to the author and the |
| 7 | .\" OpenBSD project by leaving this copyright notice intact. |
| 8 | .\" |
| 9 | .Dd $Mdocdate: August 31 2010 $ |
| 10 | .Dt SSH-KEYSCAN 1 |
| 11 | .Os |
| 12 | .Sh NAME |
| 13 | .Nm ssh-keyscan |
| 14 | .Nd gather ssh public keys |
| 15 | .Sh SYNOPSIS |
| 16 | .Nm ssh-keyscan |
| 17 | .Bk -words |
| 18 | .Op Fl 46Hv |
| 19 | .Op Fl f Ar file |
| 20 | .Op Fl p Ar port |
| 21 | .Op Fl T Ar timeout |
| 22 | .Op Fl t Ar type |
| 23 | .Op Ar host | addrlist namelist |
| 24 | .Ar ... |
| 25 | .Ek |
| 26 | .Sh DESCRIPTION |
| 27 | .Nm |
| 28 | is a utility for gathering the public ssh host keys of a number of |
| 29 | hosts. |
| 30 | It was designed to aid in building and verifying |
| 31 | .Pa ssh_known_hosts |
| 32 | files. |
| 33 | .Nm |
| 34 | provides a minimal interface suitable for use by shell and perl |
| 35 | scripts. |
| 36 | .Pp |
| 37 | .Nm |
| 38 | uses non-blocking socket I/O to contact as many hosts as possible in |
| 39 | parallel, so it is very efficient. |
| 40 | The keys from a domain of 1,000 |
| 41 | hosts can be collected in tens of seconds, even when some of those |
| 42 | hosts are down or do not run ssh. |
| 43 | For scanning, one does not need |
| 44 | login access to the machines that are being scanned, nor does the |
| 45 | scanning process involve any encryption. |
| 46 | .Pp |
| 47 | The options are as follows: |
| 48 | .Bl -tag -width Ds |
| 49 | .It Fl 4 |
| 50 | Forces |
| 51 | .Nm |
| 52 | to use IPv4 addresses only. |
| 53 | .It Fl 6 |
| 54 | Forces |
| 55 | .Nm |
| 56 | to use IPv6 addresses only. |
| 57 | .It Fl f Ar file |
| 58 | Read hosts or |
| 59 | .Pa addrlist namelist |
| 60 | pairs from this file, one per line. |
| 61 | If |
| 62 | .Pa - |
| 63 | is supplied instead of a filename, |
| 64 | .Nm |
| 65 | will read hosts or |
| 66 | .Pa addrlist namelist |
| 67 | pairs from the standard input. |
| 68 | .It Fl H |
| 69 | Hash all hostnames and addresses in the output. |
| 70 | Hashed names may be used normally by |
| 71 | .Nm ssh |
| 72 | and |
| 73 | .Nm sshd , |
| 74 | but they do not reveal identifying information should the file's contents |
| 75 | be disclosed. |
| 76 | .It Fl p Ar port |
| 77 | Port to connect to on the remote host. |
| 78 | .It Fl T Ar timeout |
| 79 | Set the timeout for connection attempts. |
| 80 | If |
| 81 | .Pa timeout |
| 82 | seconds have elapsed since a connection was initiated to a host or since the |
| 83 | last time anything was read from that host, then the connection is |
| 84 | closed and the host in question considered unavailable. |
| 85 | Default is 5 seconds. |
| 86 | .It Fl t Ar type |
| 87 | Specifies the type of the key to fetch from the scanned hosts. |
| 88 | The possible values are |
| 89 | .Dq rsa1 |
| 90 | for protocol version 1 and |
| 91 | .Dq dsa , |
| 92 | .Dq ecdsa |
| 93 | or |
| 94 | .Dq rsa |
| 95 | for protocol version 2. |
| 96 | Multiple values may be specified by separating them with commas. |
| 97 | The default is |
| 98 | .Dq rsa . |
| 99 | .It Fl v |
| 100 | Verbose mode. |
| 101 | Causes |
| 102 | .Nm |
| 103 | to print debugging messages about its progress. |
| 104 | .El |
| 105 | .Sh SECURITY |
| 106 | If an ssh_known_hosts file is constructed using |
| 107 | .Nm |
| 108 | without verifying the keys, users will be vulnerable to |
| 109 | .Em man in the middle |
| 110 | attacks. |
| 111 | On the other hand, if the security model allows such a risk, |
| 112 | .Nm |
| 113 | can help in the detection of tampered keyfiles or man in the middle |
| 114 | attacks which have begun after the ssh_known_hosts file was created. |
| 115 | .Sh FILES |
| 116 | .Pa Input format: |
| 117 | .Bd -literal |
| 118 | 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 |
| 119 | .Ed |
| 120 | .Pp |
| 121 | .Pa Output format for rsa1 keys: |
| 122 | .Bd -literal |
| 123 | host-or-namelist bits exponent modulus |
| 124 | .Ed |
| 125 | .Pp |
| 126 | .Pa Output format for rsa, dsa and ecdsa keys: |
| 127 | .Bd -literal |
| 128 | host-or-namelist keytype base64-encoded-key |
| 129 | .Ed |
| 130 | .Pp |
| 131 | Where |
| 132 | .Pa keytype |
| 133 | is either |
| 134 | .Dq ecdsa-sha2-nistp256 , |
| 135 | .Dq ecdsa-sha2-nistp384 , |
| 136 | .Dq ecdsa-sha2-nistp521 , |
| 137 | .Dq ssh-dss |
| 138 | or |
| 139 | .Dq ssh-rsa . |
| 140 | .Pp |
| 141 | .Pa /etc/ssh/ssh_known_hosts |
| 142 | .Sh EXAMPLES |
| 143 | Print the |
| 144 | .Pa rsa |
| 145 | host key for machine |
| 146 | .Pa hostname : |
| 147 | .Bd -literal |
| 148 | $ ssh-keyscan hostname |
| 149 | .Ed |
| 150 | .Pp |
| 151 | Find all hosts from the file |
| 152 | .Pa ssh_hosts |
| 153 | which have new or different keys from those in the sorted file |
| 154 | .Pa ssh_known_hosts : |
| 155 | .Bd -literal |
| 156 | $ ssh-keyscan -t rsa,dsa,ecdsa -f ssh_hosts | \e |
| 157 | sort -u - ssh_known_hosts | diff ssh_known_hosts - |
| 158 | .Ed |
| 159 | .Sh SEE ALSO |
| 160 | .Xr ssh 1 , |
| 161 | .Xr sshd 8 |
| 162 | .Sh AUTHORS |
| 163 | .An -nosplit |
| 164 | .An David Mazieres Aq dm@lcs.mit.edu |
| 165 | wrote the initial version, and |
| 166 | .An Wayne Davison Aq wayned@users.sourceforge.net |
| 167 | added support for protocol version 2. |
| 168 | .Sh BUGS |
| 169 | It generates "Connection closed by remote host" messages on the consoles |
| 170 | of all the machines it scans if the server is older than version 2.9. |
| 171 | This is because it opens a connection to the ssh port, reads the public |
| 172 | key, and drops the connection as soon as it gets the key. |