blob: 5f86f2755e58fd79e71138f0dd8d6f28e823f6d3 [file] [log] [blame]
Ben Lindstromd2bf0d62001-06-25 04:10:54 +00001.\" $OpenBSD: ssh-keyscan.1,v 1.7 2001/06/22 10:17:51 mpech Exp $
Ben Lindstromb22c2b82001-03-05 06:50:47 +00002.\"
3.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
4.\"
5.\" Modification and redistribution in source and binary forms is
6.\" permitted provided that due credit is given to the author and the
Ben Lindstroma238f6e2001-06-09 01:30:39 +00007.\" OpenBSD project by leaving this copyright notice intact.
Ben Lindstrom36579d32001-01-29 07:39:26 +00008.\"
Ben Lindstromb6434ae2000-12-05 01:15:09 +00009.Dd January 1, 1996
Ben Lindstromb22c2b82001-03-05 06:50:47 +000010.Dt SSH-KEYSCAN 1
Ben Lindstromb6434ae2000-12-05 01:15:09 +000011.Os
12.Sh NAME
13.Nm ssh-keyscan
14.Nd gather ssh public keys
15.Sh SYNOPSIS
16.Nm ssh-keyscan
17.Op Fl t Ar timeout
18.Op Ar -- | host | addrlist namelist
19.Op Fl f Ar files ...
20.Sh DESCRIPTION
21.Nm
22is a utility for gathering the public ssh host keys of a number of
23hosts. It was designed to aid in building and verifying
24.Pa ssh_known_hosts
25files.
26.Nm
27provides a minimal interface suitable for use by shell and perl
28scripts.
29.Pp
30.Nm
31uses non-blocking socket I/O to contact as many hosts as possible in
32parallel, so it is very efficient. The keys from a domain of 1,000
33hosts can be collected in tens of seconds, even when some of those
34hosts are down or do not run ssh. You do not need login access to the
Ben Lindstromf73e05e2001-04-19 20:31:02 +000035machines you are scanning, nor does the scanning process involve
Ben Lindstromb6434ae2000-12-05 01:15:09 +000036any encryption.
37.Sh SECURITY
38If you make an ssh_known_hosts file using
39.Nm
40without verifying the keys, you will be vulnerable to
41.I man in the middle
42attacks.
43On the other hand, if your security model allows such a risk,
44.Nm
45can help you detect tampered keyfiles or man in the middle attacks which
46have begun after you created your ssh_known_hosts file.
47.Sh OPTIONS
48.Bl -tag -width Ds
49.It Fl t
50Set the timeout for connection attempts. If
51.Pa timeout
52seconds have elapsed since a connection was initiated to a host or since the
53last time anything was read from that host, then the connection is
54closed and the host in question considered unavailable. Default is 5
55seconds.
56.It Fl f
57Read hosts or
58.Pa addrlist namelist
59pairs from this file, one per line.
60If
61.Pa -
62is supplied instead of a filename,
63.Nm
64will read hosts or
65.Pa addrlist namelist
66pairs from the standard input.
Ben Lindstromd26dcf32001-01-06 15:18:16 +000067.El
Ben Lindstromb6434ae2000-12-05 01:15:09 +000068.Sh EXAMPLES
Ben Lindstromb6434ae2000-12-05 01:15:09 +000069Print the host key for machine
70.Pa hostname :
71.Bd -literal
72ssh-keyscan hostname
73.Ed
74.Pp
75Find all hosts from the file
76.Pa ssh_hosts
77which have new or different keys from those in the sorted file
78.Pa ssh_known_hosts :
79.Bd -literal
Ben Lindstromb22c2b82001-03-05 06:50:47 +000080$ ssh-keyscan -f ssh_hosts | sort -u - ssh_known_hosts | \e\
Ben Lindstromb6434ae2000-12-05 01:15:09 +000081 diff ssh_known_hosts -
82.Ed
Ben Lindstromb6434ae2000-12-05 01:15:09 +000083.Sh FILES
Ben Lindstromb6434ae2000-12-05 01:15:09 +000084.Pa Input format:
851.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
86.Pp
87.Pa Output format:
88host-or-namelist bits exponent modulus
89.Pp
90.Pa /etc/ssh_known_hosts
91.Sh BUGS
92It generates "Connection closed by remote host" messages on the consoles
93of all the machines it scans.
94This is because it opens a connection to the ssh port, reads the public
95key, and drops the connection as soon as it gets the key.
96.Sh SEE ALSO
Ben Lindstromb22c2b82001-03-05 06:50:47 +000097.Xr ssh 1 ,
Ben Lindstromb6434ae2000-12-05 01:15:09 +000098.Xr sshd 8
Ben Lindstromd2bf0d62001-06-25 04:10:54 +000099.Sh AUTHORS
Ben Lindstromb6434ae2000-12-05 01:15:09 +0000100David Mazieres <dm@lcs.mit.edu>