blob: 78255ff790f8a3ee7e3e27e436d8c650039f8570 [file] [log] [blame]
Darren Tucker7bd98e72010-01-10 10:31:12 +11001.\" $OpenBSD: ssh-keyscan.1,v 1.28 2010/01/09 23:04:13 dtucker Exp $
Ben Lindstromb22c2b82001-03-05 06:50:47 +00002.\"
3.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
4.\"
5.\" Modification and redistribution in source and binary forms is
6.\" permitted provided that due credit is given to the author and the
Ben Lindstroma238f6e2001-06-09 01:30:39 +00007.\" OpenBSD project by leaving this copyright notice intact.
Ben Lindstrom36579d32001-01-29 07:39:26 +00008.\"
Darren Tucker7bd98e72010-01-10 10:31:12 +11009.Dd $Mdocdate: January 9 2010 $
Ben Lindstromb22c2b82001-03-05 06:50:47 +000010.Dt SSH-KEYSCAN 1
Ben Lindstromb6434ae2000-12-05 01:15:09 +000011.Os
12.Sh NAME
13.Nm ssh-keyscan
14.Nd gather ssh public keys
15.Sh SYNOPSIS
16.Nm ssh-keyscan
Damien Miller495dca32003-04-01 21:42:14 +100017.Bk -words
Damien Miller9a2fdbd2005-03-02 12:04:01 +110018.Op Fl 46Hv
19.Op Fl f Ar file
Ben Lindstrom325e70c2001-08-06 22:41:30 +000020.Op Fl p Ar port
21.Op Fl T Ar timeout
22.Op Fl t Ar type
Ben Lindstrom325e70c2001-08-06 22:41:30 +000023.Op Ar host | addrlist namelist
Damien Millerc1719f72008-11-03 19:27:07 +110024.Ar ...
Damien Miller495dca32003-04-01 21:42:14 +100025.Ek
Ben Lindstromb6434ae2000-12-05 01:15:09 +000026.Sh DESCRIPTION
27.Nm
28is a utility for gathering the public ssh host keys of a number of
Damien Miller495dca32003-04-01 21:42:14 +100029hosts.
30It was designed to aid in building and verifying
Ben Lindstromb6434ae2000-12-05 01:15:09 +000031.Pa ssh_known_hosts
32files.
33.Nm
34provides a minimal interface suitable for use by shell and perl
35scripts.
36.Pp
37.Nm
38uses non-blocking socket I/O to contact as many hosts as possible in
Damien Miller495dca32003-04-01 21:42:14 +100039parallel, so it is very efficient.
40The keys from a domain of 1,000
Ben Lindstromb6434ae2000-12-05 01:15:09 +000041hosts can be collected in tens of seconds, even when some of those
Damien Miller495dca32003-04-01 21:42:14 +100042hosts are down or do not run ssh.
43For scanning, one does not need
Ben Lindstrom594e2032001-09-12 18:35:30 +000044login access to the machines that are being scanned, nor does the
45scanning process involve any encryption.
Ben Lindstrom0b5afb92001-08-06 22:01:29 +000046.Pp
47The options are as follows:
Ben Lindstromb6434ae2000-12-05 01:15:09 +000048.Bl -tag -width Ds
Damien Miller9a2fdbd2005-03-02 12:04:01 +110049.It Fl 4
50Forces
51.Nm
52to use IPv4 addresses only.
53.It Fl 6
54Forces
55.Nm
56to use IPv6 addresses only.
57.It Fl f Ar file
58Read hosts or
59.Pa addrlist namelist
60pairs from this file, one per line.
61If
62.Pa -
63is supplied instead of a filename,
64.Nm
65will read hosts or
66.Pa addrlist namelist
67pairs from the standard input.
Damien Millerdb7b8172005-03-01 21:48:03 +110068.It Fl H
69Hash all hostnames and addresses in the output.
70Hashed names may be used normally by
71.Nm ssh
72and
73.Nm sshd ,
74but they do not reveal identifying information should the file's contents
75be disclosed.
Ben Lindstrom325e70c2001-08-06 22:41:30 +000076.It Fl p Ar port
77Port to connect to on the remote host.
Ben Lindstrom8d066fb2001-09-12 17:06:13 +000078.It Fl T Ar timeout
Damien Miller495dca32003-04-01 21:42:14 +100079Set the timeout for connection attempts.
80If
Ben Lindstromb6434ae2000-12-05 01:15:09 +000081.Pa timeout
82seconds have elapsed since a connection was initiated to a host or since the
83last time anything was read from that host, then the connection is
Damien Miller495dca32003-04-01 21:42:14 +100084closed and the host in question considered unavailable.
85Default is 5 seconds.
Ben Lindstrom325e70c2001-08-06 22:41:30 +000086.It Fl t Ar type
Ben Lindstrom8d066fb2001-09-12 17:06:13 +000087Specifies the type of the key to fetch from the scanned hosts.
Ben Lindstrom325e70c2001-08-06 22:41:30 +000088The possible values are
89.Dq rsa1
90for protocol version 1 and
91.Dq rsa
92or
93.Dq dsa
94for protocol version 2.
95Multiple values may be specified by separating them with commas.
96The default is
Damien Millerbacb7fb2008-05-19 14:56:33 +100097.Dq rsa .
Ben Lindstrom325e70c2001-08-06 22:41:30 +000098.It Fl v
99Verbose mode.
100Causes
101.Nm
102to print debugging messages about its progress.
Ben Lindstromd26dcf32001-01-06 15:18:16 +0000103.El
Ben Lindstrom0b5afb92001-08-06 22:01:29 +0000104.Sh SECURITY
Darren Tuckerffe88e12006-10-18 07:53:06 +1000105If an ssh_known_hosts file is constructed using
Ben Lindstrom0b5afb92001-08-06 22:01:29 +0000106.Nm
Ben Lindstrom594e2032001-09-12 18:35:30 +0000107without verifying the keys, users will be vulnerable to
Darren Tucker3ca45082004-07-17 16:13:15 +1000108.Em man in the middle
Ben Lindstrom0b5afb92001-08-06 22:01:29 +0000109attacks.
Ben Lindstrom594e2032001-09-12 18:35:30 +0000110On the other hand, if the security model allows such a risk,
Ben Lindstrom0b5afb92001-08-06 22:01:29 +0000111.Nm
Ben Lindstrom594e2032001-09-12 18:35:30 +0000112can help in the detection of tampered keyfiles or man in the middle
113attacks which have begun after the ssh_known_hosts file was created.
Ben Lindstromb6434ae2000-12-05 01:15:09 +0000114.Sh FILES
Ben Lindstromb6434ae2000-12-05 01:15:09 +0000115.Pa Input format:
Ben Lindstrom325e70c2001-08-06 22:41:30 +0000116.Bd -literal
Ben Lindstromb6434ae2000-12-05 01:15:09 +00001171.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
Ben Lindstrom325e70c2001-08-06 22:41:30 +0000118.Ed
Ben Lindstromb6434ae2000-12-05 01:15:09 +0000119.Pp
Ben Lindstrom325e70c2001-08-06 22:41:30 +0000120.Pa Output format for rsa1 keys:
121.Bd -literal
Ben Lindstromb6434ae2000-12-05 01:15:09 +0000122host-or-namelist bits exponent modulus
Ben Lindstrom325e70c2001-08-06 22:41:30 +0000123.Ed
124.Pp
125.Pa Output format for rsa and dsa keys:
126.Bd -literal
127host-or-namelist keytype base64-encoded-key
128.Ed
129.Pp
130Where
131.Pa keytype
132is either
133.Dq ssh-rsa
134or
Damien Miller93506352003-05-14 13:46:33 +1000135.Dq ssh-dss .
Ben Lindstromb6434ae2000-12-05 01:15:09 +0000136.Pp
Damien Miller05eda432002-02-10 18:32:28 +1100137.Pa /etc/ssh/ssh_known_hosts
Damien Millerf1ce5052003-06-11 22:04:39 +1000138.Sh EXAMPLES
139Print the
Damien Millerb2c17d42009-01-28 16:18:03 +1100140.Pa rsa
Damien Millerf1ce5052003-06-11 22:04:39 +1000141host key for machine
142.Pa hostname :
143.Bd -literal
144$ ssh-keyscan hostname
145.Ed
146.Pp
147Find all hosts from the file
148.Pa ssh_hosts
149which have new or different keys from those in the sorted file
150.Pa ssh_known_hosts :
151.Bd -literal
152$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e
153 sort -u - ssh_known_hosts | diff ssh_known_hosts -
154.Ed
155.Sh SEE ALSO
156.Xr ssh 1 ,
157.Xr sshd 8
158.Sh AUTHORS
Darren Tucker28e8e592005-10-03 18:20:28 +1000159.An -nosplit
Damien Millerf1ce5052003-06-11 22:04:39 +1000160.An David Mazieres Aq dm@lcs.mit.edu
161wrote the initial version, and
162.An Wayne Davison Aq wayned@users.sourceforge.net
163added support for protocol version 2.
Ben Lindstromb6434ae2000-12-05 01:15:09 +0000164.Sh BUGS
165It generates "Connection closed by remote host" messages on the consoles
Ben Lindstrom325e70c2001-08-06 22:41:30 +0000166of all the machines it scans if the server is older than version 2.9.
Ben Lindstromb6434ae2000-12-05 01:15:09 +0000167This is because it opens a connection to the ssh port, reads the public
168key, and drops the connection as soon as it gets the key.