Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1 | SSH-KEYSCAN(1) General Commands Manual SSH-KEYSCAN(1) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2 | |
| 3 | NAME |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 4 | ssh-keyscan M-bM-^@M-^S gather ssh public keys |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 5 | |
| 6 | SYNOPSIS |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 7 | ssh-keyscan [-46cHv] [-f file] [-p port] [-T timeout] [-t type] |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 8 | [host | addrlist namelist] ... |
| 9 | |
| 10 | DESCRIPTION |
| 11 | ssh-keyscan is a utility for gathering the public ssh host keys of a |
| 12 | number of hosts. It was designed to aid in building and verifying |
| 13 | ssh_known_hosts files. ssh-keyscan provides a minimal interface suitable |
| 14 | for use by shell and perl scripts. |
| 15 | |
| 16 | ssh-keyscan uses non-blocking socket I/O to contact as many hosts as |
| 17 | possible in parallel, so it is very efficient. The keys from a domain of |
| 18 | 1,000 hosts can be collected in tens of seconds, even when some of those |
| 19 | hosts are down or do not run ssh. For scanning, one does not need login |
| 20 | access to the machines that are being scanned, nor does the scanning |
| 21 | process involve any encryption. |
| 22 | |
| 23 | The options are as follows: |
| 24 | |
| 25 | -4 Forces ssh-keyscan to use IPv4 addresses only. |
| 26 | |
| 27 | -6 Forces ssh-keyscan to use IPv6 addresses only. |
| 28 | |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 29 | -c Request certificates from target hosts instead of plain keys. |
| 30 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 31 | -f file |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 32 | Read hosts or M-bM-^@M-^\addrlist namelistM-bM-^@M-^] pairs from file, one per line. |
| 33 | If - is supplied instead of a filename, ssh-keyscan will read |
| 34 | hosts or M-bM-^@M-^\addrlist namelistM-bM-^@M-^] pairs from the standard input. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 35 | |
| 36 | -H Hash all hostnames and addresses in the output. Hashed names may |
| 37 | be used normally by ssh and sshd, but they do not reveal |
| 38 | identifying information should the file's contents be disclosed. |
| 39 | |
| 40 | -p port |
| 41 | Port to connect to on the remote host. |
| 42 | |
| 43 | -T timeout |
| 44 | Set the timeout for connection attempts. If timeout seconds have |
| 45 | elapsed since a connection was initiated to a host or since the |
| 46 | last time anything was read from that host, then the connection |
| 47 | is closed and the host in question considered unavailable. |
| 48 | Default is 5 seconds. |
| 49 | |
| 50 | -t type |
| 51 | Specifies the type of the key to fetch from the scanned hosts. |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 52 | The possible values are M-bM-^@M-^\rsa1M-bM-^@M-^] for protocol version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], |
| 53 | M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^] for protocol version 2. Multiple |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 54 | values may be specified by separating them with commas. The |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 55 | default is to fetch M-bM-^@M-^\rsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], and M-bM-^@M-^\ed25519M-bM-^@M-^] keys. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 56 | |
| 57 | -v Verbose mode. Causes ssh-keyscan to print debugging messages |
| 58 | about its progress. |
| 59 | |
| 60 | SECURITY |
| 61 | If an ssh_known_hosts file is constructed using ssh-keyscan without |
| 62 | verifying the keys, users will be vulnerable to man in the middle |
| 63 | attacks. On the other hand, if the security model allows such a risk, |
| 64 | ssh-keyscan can help in the detection of tampered keyfiles or man in the |
| 65 | middle attacks which have begun after the ssh_known_hosts file was |
| 66 | created. |
| 67 | |
| 68 | FILES |
| 69 | Input format: |
| 70 | |
| 71 | 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 |
| 72 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 73 | Output format for RSA1 keys: |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 74 | |
| 75 | host-or-namelist bits exponent modulus |
| 76 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 77 | Output format for RSA, DSA, ECDSA, and Ed25519 keys: |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 78 | |
| 79 | host-or-namelist keytype base64-encoded-key |
| 80 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 81 | Where keytype is either M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^], M-bM-^@M-^\ecdsa-sha2-nistp384M-bM-^@M-^], |
| 82 | M-bM-^@M-^\ecdsa-sha2-nistp521M-bM-^@M-^], M-bM-^@M-^\ssh-ed25519M-bM-^@M-^], M-bM-^@M-^\ssh-dssM-bM-^@M-^] or M-bM-^@M-^\ssh-rsaM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 83 | |
| 84 | /etc/ssh/ssh_known_hosts |
| 85 | |
| 86 | EXAMPLES |
| 87 | Print the rsa host key for machine hostname: |
| 88 | |
| 89 | $ ssh-keyscan hostname |
| 90 | |
| 91 | Find all hosts from the file ssh_hosts which have new or different keys |
| 92 | from those in the sorted file ssh_known_hosts: |
| 93 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 94 | $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \ |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 95 | sort -u - ssh_known_hosts | diff ssh_known_hosts - |
| 96 | |
| 97 | SEE ALSO |
| 98 | ssh(1), sshd(8) |
| 99 | |
| 100 | AUTHORS |
| 101 | David Mazieres <dm@lcs.mit.edu> wrote the initial version, and Wayne |
| 102 | Davison <wayned@users.sourceforge.net> added support for protocol version |
| 103 | 2. |
| 104 | |
| 105 | BUGS |
| 106 | It generates "Connection closed by remote host" messages on the consoles |
| 107 | of all the machines it scans if the server is older than version 2.9. |
| 108 | This is because it opens a connection to the ssh port, reads the public |
| 109 | key, and drops the connection as soon as it gets the key. |
| 110 | |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 111 | OpenBSD 6.0 November 8, 2015 OpenBSD 6.0 |