blob: 79dd6aa1c0ac30d3793d9b17a4fa26c9228ae590 [file] [log] [blame]
Damien Miller5be9d9e2013-12-07 11:24:01 +11001.\" $OpenBSD: ssh-keyscan.1,v 1.32 2013/12/06 13:39:49 markus Exp $
Ben Lindstromb22c2b82001-03-05 06:50:47 +00002.\"
3.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
4.\"
5.\" Modification and redistribution in source and binary forms is
6.\" permitted provided that due credit is given to the author and the
Ben Lindstroma238f6e2001-06-09 01:30:39 +00007.\" OpenBSD project by leaving this copyright notice intact.
Ben Lindstrom36579d32001-01-29 07:39:26 +00008.\"
Damien Miller5be9d9e2013-12-07 11:24:01 +11009.Dd $Mdocdate: December 6 2013 $
Ben Lindstromb22c2b82001-03-05 06:50:47 +000010.Dt SSH-KEYSCAN 1
Ben Lindstromb6434ae2000-12-05 01:15:09 +000011.Os
12.Sh NAME
13.Nm ssh-keyscan
14.Nd gather ssh public keys
15.Sh SYNOPSIS
16.Nm ssh-keyscan
Damien Miller495dca32003-04-01 21:42:14 +100017.Bk -words
Damien Miller9a2fdbd2005-03-02 12:04:01 +110018.Op Fl 46Hv
19.Op Fl f Ar file
Ben Lindstrom325e70c2001-08-06 22:41:30 +000020.Op Fl p Ar port
21.Op Fl T Ar timeout
22.Op Fl t Ar type
Ben Lindstrom325e70c2001-08-06 22:41:30 +000023.Op Ar host | addrlist namelist
Damien Millerc1719f72008-11-03 19:27:07 +110024.Ar ...
Damien Miller495dca32003-04-01 21:42:14 +100025.Ek
Ben Lindstromb6434ae2000-12-05 01:15:09 +000026.Sh DESCRIPTION
27.Nm
28is a utility for gathering the public ssh host keys of a number of
Damien Miller495dca32003-04-01 21:42:14 +100029hosts.
30It was designed to aid in building and verifying
Ben Lindstromb6434ae2000-12-05 01:15:09 +000031.Pa ssh_known_hosts
32files.
33.Nm
34provides a minimal interface suitable for use by shell and perl
35scripts.
36.Pp
37.Nm
38uses non-blocking socket I/O to contact as many hosts as possible in
Damien Miller495dca32003-04-01 21:42:14 +100039parallel, so it is very efficient.
40The keys from a domain of 1,000
Ben Lindstromb6434ae2000-12-05 01:15:09 +000041hosts can be collected in tens of seconds, even when some of those
Damien Miller495dca32003-04-01 21:42:14 +100042hosts are down or do not run ssh.
43For scanning, one does not need
Ben Lindstrom594e2032001-09-12 18:35:30 +000044login access to the machines that are being scanned, nor does the
45scanning process involve any encryption.
Ben Lindstrom0b5afb92001-08-06 22:01:29 +000046.Pp
47The options are as follows:
Ben Lindstromb6434ae2000-12-05 01:15:09 +000048.Bl -tag -width Ds
Damien Miller9a2fdbd2005-03-02 12:04:01 +110049.It Fl 4
50Forces
51.Nm
52to use IPv4 addresses only.
53.It Fl 6
54Forces
55.Nm
56to use IPv6 addresses only.
57.It Fl f Ar file
58Read hosts or
59.Pa addrlist namelist
60pairs from this file, one per line.
61If
62.Pa -
63is supplied instead of a filename,
64.Nm
65will read hosts or
66.Pa addrlist namelist
67pairs from the standard input.
Damien Millerdb7b8172005-03-01 21:48:03 +110068.It Fl H
69Hash all hostnames and addresses in the output.
70Hashed names may be used normally by
71.Nm ssh
72and
73.Nm sshd ,
74but they do not reveal identifying information should the file's contents
75be disclosed.
Ben Lindstrom325e70c2001-08-06 22:41:30 +000076.It Fl p Ar port
77Port to connect to on the remote host.
Ben Lindstrom8d066fb2001-09-12 17:06:13 +000078.It Fl T Ar timeout
Damien Miller495dca32003-04-01 21:42:14 +100079Set the timeout for connection attempts.
80If
Ben Lindstromb6434ae2000-12-05 01:15:09 +000081.Pa timeout
82seconds have elapsed since a connection was initiated to a host or since the
83last time anything was read from that host, then the connection is
Damien Miller495dca32003-04-01 21:42:14 +100084closed and the host in question considered unavailable.
85Default is 5 seconds.
Ben Lindstrom325e70c2001-08-06 22:41:30 +000086.It Fl t Ar type
Ben Lindstrom8d066fb2001-09-12 17:06:13 +000087Specifies the type of the key to fetch from the scanned hosts.
Ben Lindstrom325e70c2001-08-06 22:41:30 +000088The possible values are
89.Dq rsa1
90for protocol version 1 and
Damien Millereb8b60e2010-08-31 22:41:14 +100091.Dq dsa ,
92.Dq ecdsa
Ben Lindstrom325e70c2001-08-06 22:41:30 +000093or
Damien Millereb8b60e2010-08-31 22:41:14 +100094.Dq rsa
Ben Lindstrom325e70c2001-08-06 22:41:30 +000095for protocol version 2.
96Multiple values may be specified by separating them with commas.
Damien Miller839f7432012-04-22 11:24:21 +100097The default is to fetch
98.Dq rsa
99and
100.Dq ecdsa
101keys.
Ben Lindstrom325e70c2001-08-06 22:41:30 +0000102.It Fl v
103Verbose mode.
104Causes
105.Nm
106to print debugging messages about its progress.
Ben Lindstromd26dcf32001-01-06 15:18:16 +0000107.El
Ben Lindstrom0b5afb92001-08-06 22:01:29 +0000108.Sh SECURITY
Darren Tuckerffe88e12006-10-18 07:53:06 +1000109If an ssh_known_hosts file is constructed using
Ben Lindstrom0b5afb92001-08-06 22:01:29 +0000110.Nm
Ben Lindstrom594e2032001-09-12 18:35:30 +0000111without verifying the keys, users will be vulnerable to
Darren Tucker3ca45082004-07-17 16:13:15 +1000112.Em man in the middle
Ben Lindstrom0b5afb92001-08-06 22:01:29 +0000113attacks.
Ben Lindstrom594e2032001-09-12 18:35:30 +0000114On the other hand, if the security model allows such a risk,
Ben Lindstrom0b5afb92001-08-06 22:01:29 +0000115.Nm
Ben Lindstrom594e2032001-09-12 18:35:30 +0000116can help in the detection of tampered keyfiles or man in the middle
117attacks which have begun after the ssh_known_hosts file was created.
Ben Lindstromb6434ae2000-12-05 01:15:09 +0000118.Sh FILES
Ben Lindstromb6434ae2000-12-05 01:15:09 +0000119.Pa Input format:
Ben Lindstrom325e70c2001-08-06 22:41:30 +0000120.Bd -literal
Ben Lindstromb6434ae2000-12-05 01:15:09 +00001211.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
Ben Lindstrom325e70c2001-08-06 22:41:30 +0000122.Ed
Ben Lindstromb6434ae2000-12-05 01:15:09 +0000123.Pp
Ben Lindstrom325e70c2001-08-06 22:41:30 +0000124.Pa Output format for rsa1 keys:
125.Bd -literal
Ben Lindstromb6434ae2000-12-05 01:15:09 +0000126host-or-namelist bits exponent modulus
Ben Lindstrom325e70c2001-08-06 22:41:30 +0000127.Ed
128.Pp
Damien Millereb8b60e2010-08-31 22:41:14 +1000129.Pa Output format for rsa, dsa and ecdsa keys:
Ben Lindstrom325e70c2001-08-06 22:41:30 +0000130.Bd -literal
131host-or-namelist keytype base64-encoded-key
132.Ed
133.Pp
134Where
135.Pa keytype
136is either
Damien Millereb8b60e2010-08-31 22:41:14 +1000137.Dq ecdsa-sha2-nistp256 ,
138.Dq ecdsa-sha2-nistp384 ,
139.Dq ecdsa-sha2-nistp521 ,
Damien Miller5be9d9e2013-12-07 11:24:01 +1100140.Dq ssh-ed25519 ,
Damien Millereb8b60e2010-08-31 22:41:14 +1000141.Dq ssh-dss
Ben Lindstrom325e70c2001-08-06 22:41:30 +0000142or
Damien Millereb8b60e2010-08-31 22:41:14 +1000143.Dq ssh-rsa .
Ben Lindstromb6434ae2000-12-05 01:15:09 +0000144.Pp
Damien Miller05eda432002-02-10 18:32:28 +1100145.Pa /etc/ssh/ssh_known_hosts
Damien Millerf1ce5052003-06-11 22:04:39 +1000146.Sh EXAMPLES
147Print the
Damien Millerb2c17d42009-01-28 16:18:03 +1100148.Pa rsa
Damien Millerf1ce5052003-06-11 22:04:39 +1000149host key for machine
150.Pa hostname :
151.Bd -literal
152$ ssh-keyscan hostname
153.Ed
154.Pp
155Find all hosts from the file
156.Pa ssh_hosts
157which have new or different keys from those in the sorted file
158.Pa ssh_known_hosts :
159.Bd -literal
Damien Millereb8b60e2010-08-31 22:41:14 +1000160$ ssh-keyscan -t rsa,dsa,ecdsa -f ssh_hosts | \e
Damien Millerf1ce5052003-06-11 22:04:39 +1000161 sort -u - ssh_known_hosts | diff ssh_known_hosts -
162.Ed
163.Sh SEE ALSO
164.Xr ssh 1 ,
165.Xr sshd 8
166.Sh AUTHORS
Darren Tucker28e8e592005-10-03 18:20:28 +1000167.An -nosplit
Damien Millerbf836e52013-07-18 16:14:13 +1000168.An David Mazieres Aq Mt dm@lcs.mit.edu
Damien Millerf1ce5052003-06-11 22:04:39 +1000169wrote the initial version, and
Damien Millerbf836e52013-07-18 16:14:13 +1000170.An Wayne Davison Aq Mt wayned@users.sourceforge.net
Damien Millerf1ce5052003-06-11 22:04:39 +1000171added support for protocol version 2.
Ben Lindstromb6434ae2000-12-05 01:15:09 +0000172.Sh BUGS
173It generates "Connection closed by remote host" messages on the consoles
Ben Lindstrom325e70c2001-08-06 22:41:30 +0000174of all the machines it scans if the server is older than version 2.9.
Ben Lindstromb6434ae2000-12-05 01:15:09 +0000175This is because it opens a connection to the ssh port, reads the public
176key, and drops the connection as soon as it gets the key.