| .\" $OpenBSD: ssh-keyscan.1,v 1.23 2007/05/31 19:20:16 jmc Exp $ |
| .\" |
| .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. |
| .\" |
| .\" Modification and redistribution in source and binary forms is |
| .\" permitted provided that due credit is given to the author and the |
| .\" OpenBSD project by leaving this copyright notice intact. |
| .\" |
| .Dd $Mdocdate: May 31 2007 $ |
| .Dt SSH-KEYSCAN 1 |
| .Os |
| .Sh NAME |
| .Nm ssh-keyscan |
| .Nd gather ssh public keys |
| .Sh SYNOPSIS |
| .Nm ssh-keyscan |
| .Bk -words |
| .Op Fl 46Hv |
| .Op Fl f Ar file |
| .Op Fl p Ar port |
| .Op Fl T Ar timeout |
| .Op Fl t Ar type |
| .Op Ar host | addrlist namelist |
| .Op Ar ... |
| .Ek |
| .Sh DESCRIPTION |
| .Nm |
| is a utility for gathering the public ssh host keys of a number of |
| hosts. |
| It was designed to aid in building and verifying |
| .Pa ssh_known_hosts |
| files. |
| .Nm |
| provides a minimal interface suitable for use by shell and perl |
| scripts. |
| .Pp |
| .Nm |
| uses non-blocking socket I/O to contact as many hosts as possible in |
| parallel, so it is very efficient. |
| The keys from a domain of 1,000 |
| hosts can be collected in tens of seconds, even when some of those |
| hosts are down or do not run ssh. |
| For scanning, one does not need |
| login access to the machines that are being scanned, nor does the |
| scanning process involve any encryption. |
| .Pp |
| The options are as follows: |
| .Bl -tag -width Ds |
| .It Fl 4 |
| Forces |
| .Nm |
| to use IPv4 addresses only. |
| .It Fl 6 |
| Forces |
| .Nm |
| to use IPv6 addresses only. |
| .It Fl f Ar file |
| Read hosts or |
| .Pa addrlist namelist |
| pairs from this file, one per line. |
| If |
| .Pa - |
| is supplied instead of a filename, |
| .Nm |
| will read hosts or |
| .Pa addrlist namelist |
| pairs from the standard input. |
| .It Fl H |
| Hash all hostnames and addresses in the output. |
| Hashed names may be used normally by |
| .Nm ssh |
| and |
| .Nm sshd , |
| but they do not reveal identifying information should the file's contents |
| be disclosed. |
| .It Fl p Ar port |
| Port to connect to on the remote host. |
| .It Fl T Ar timeout |
| Set the timeout for connection attempts. |
| If |
| .Pa timeout |
| seconds have elapsed since a connection was initiated to a host or since the |
| last time anything was read from that host, then the connection is |
| closed and the host in question considered unavailable. |
| Default is 5 seconds. |
| .It Fl t Ar type |
| Specifies the type of the key to fetch from the scanned hosts. |
| The possible values are |
| .Dq rsa1 |
| for protocol version 1 and |
| .Dq rsa |
| or |
| .Dq dsa |
| for protocol version 2. |
| Multiple values may be specified by separating them with commas. |
| The default is |
| .Dq rsa1 . |
| .It Fl v |
| Verbose mode. |
| Causes |
| .Nm |
| to print debugging messages about its progress. |
| .El |
| .Sh SECURITY |
| If an ssh_known_hosts file is constructed using |
| .Nm |
| without verifying the keys, users will be vulnerable to |
| .Em man in the middle |
| attacks. |
| On the other hand, if the security model allows such a risk, |
| .Nm |
| can help in the detection of tampered keyfiles or man in the middle |
| attacks which have begun after the ssh_known_hosts file was created. |
| .Sh FILES |
| .Pa Input format: |
| .Bd -literal |
| 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 |
| .Ed |
| .Pp |
| .Pa Output format for rsa1 keys: |
| .Bd -literal |
| host-or-namelist bits exponent modulus |
| .Ed |
| .Pp |
| .Pa Output format for rsa and dsa keys: |
| .Bd -literal |
| host-or-namelist keytype base64-encoded-key |
| .Ed |
| .Pp |
| Where |
| .Pa keytype |
| is either |
| .Dq ssh-rsa |
| or |
| .Dq ssh-dss . |
| .Pp |
| .Pa /etc/ssh/ssh_known_hosts |
| .Sh EXAMPLES |
| Print the |
| .Pa rsa1 |
| host key for machine |
| .Pa hostname : |
| .Bd -literal |
| $ ssh-keyscan hostname |
| .Ed |
| .Pp |
| Find all hosts from the file |
| .Pa ssh_hosts |
| which have new or different keys from those in the sorted file |
| .Pa ssh_known_hosts : |
| .Bd -literal |
| $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e |
| sort -u - ssh_known_hosts | diff ssh_known_hosts - |
| .Ed |
| .Sh SEE ALSO |
| .Xr ssh 1 , |
| .Xr sshd 8 |
| .Sh AUTHORS |
| .An -nosplit |
| .An David Mazieres Aq dm@lcs.mit.edu |
| wrote the initial version, and |
| .An Wayne Davison Aq wayned@users.sourceforge.net |
| added support for protocol version 2. |
| .Sh BUGS |
| It generates "Connection closed by remote host" messages on the consoles |
| of all the machines it scans if the server is older than version 2.9. |
| This is because it opens a connection to the ssh port, reads the public |
| key, and drops the connection as soon as it gets the key. |