1 | SSH-KEYSCAN(1) System General Commands Manual SSH-KEYSCAN(1) |
---|
2 | |
---|
3 | NAME |
---|
4 | ssh-keyscan - gather ssh public keys |
---|
5 | |
---|
6 | SYNOPSIS |
---|
7 | ssh-keyscan [-v46] [-p port] [-T timeout] [-t type] [-f file] |
---|
8 | [host | addrlist namelist] [...] |
---|
9 | |
---|
10 | DESCRIPTION |
---|
11 | ssh-keyscan is a utility for gathering the public ssh host keys of a numM-- |
---|
12 | ber of hosts. It was designed to aid in building and verifying |
---|
13 | ssh_known_hosts files. ssh-keyscan provides a minimal interface suitable |
---|
14 | for use by shell and perl scripts. |
---|
15 | |
---|
16 | ssh-keyscan uses non-blocking socket I/O to contact as many hosts as posM-- |
---|
17 | sible in parallel, so it is very efficient. The keys from a domain of |
---|
18 | 1,000 hosts can be collected in tens of seconds, even when some of those |
---|
19 | hosts are down or do not run ssh. For scanning, one does not need login |
---|
20 | access to the machines that are being scanned, nor does the scanning proM-- |
---|
21 | cess involve any encryption. |
---|
22 | |
---|
23 | The options are as follows: |
---|
24 | |
---|
25 | -p port |
---|
26 | Port to connect to on the remote host. |
---|
27 | |
---|
28 | -T timeout |
---|
29 | Set the timeout for connection attempts. If timeout seconds have |
---|
30 | elapsed since a connection was initiated to a host or since the |
---|
31 | last time anything was read from that host, then the connection |
---|
32 | is closed and the host in question considered unavailable. |
---|
33 | Default is 5 seconds. |
---|
34 | |
---|
35 | -t type |
---|
36 | Specifies the type of the key to fetch from the scanned hosts. |
---|
37 | The possible values are ``rsa1'' for protocol version 1 and |
---|
38 | ``rsa'' or ``dsa'' for protocol version 2. Multiple values may |
---|
39 | be specified by separating them with commas. The default is |
---|
40 | ``rsa1''. |
---|
41 | |
---|
42 | -f filename |
---|
43 | Read hosts or addrlist namelist pairs from this file, one per |
---|
44 | line. If - is supplied instead of a filename, ssh-keyscan will |
---|
45 | read hosts or addrlist namelist pairs from the standard input. |
---|
46 | |
---|
47 | -v Verbose mode. Causes ssh-keyscan to print debugging messages |
---|
48 | about its progress. |
---|
49 | |
---|
50 | -4 Forces ssh-keyscan to use IPv4 addresses only. |
---|
51 | |
---|
52 | -6 Forces ssh-keyscan to use IPv6 addresses only. |
---|
53 | |
---|
54 | SECURITY |
---|
55 | If a ssh_known_hosts file is constructed using ssh-keyscan without veriM-- |
---|
56 | fying the keys, users will be vulnerable to attacks. On the other hand, |
---|
57 | if the security model allows such a risk, ssh-keyscan can help in the |
---|
58 | detection of tampered keyfiles or man in the middle attacks which have |
---|
59 | begun after the ssh_known_hosts file was created. |
---|
60 | |
---|
61 | EXAMPLES |
---|
62 | Print the rsa1 host key for machine hostname: |
---|
63 | |
---|
64 | $ ssh-keyscan hostname |
---|
65 | |
---|
66 | Find all hosts from the file ssh_hosts which have new or different keys |
---|
67 | from those in the sorted file ssh_known_hosts: |
---|
68 | |
---|
69 | $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \ |
---|
70 | sort -u - ssh_known_hosts | diff ssh_known_hosts - |
---|
71 | |
---|
72 | FILES |
---|
73 | Input format: |
---|
74 | |
---|
75 | 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 |
---|
76 | |
---|
77 | Output format for rsa1 keys: |
---|
78 | |
---|
79 | host-or-namelist bits exponent modulus |
---|
80 | |
---|
81 | Output format for rsa and dsa keys: |
---|
82 | |
---|
83 | host-or-namelist keytype base64-encoded-key |
---|
84 | |
---|
85 | Where keytype is either ``ssh-rsa'' or ``ssh-dsa''. |
---|
86 | |
---|
87 | /etc/ssh/ssh_known_hosts |
---|
88 | |
---|
89 | BUGS |
---|
90 | It generates "Connection closed by remote host" messages on the consoles |
---|
91 | of all the machines it scans if the server is older than version 2.9. |
---|
92 | This is because it opens a connection to the ssh port, reads the public |
---|
93 | key, and drops the connection as soon as it gets the key. |
---|
94 | |
---|
95 | SEE ALSO |
---|
96 | ssh(1), sshd(8) |
---|
97 | |
---|
98 | AUTHORS |
---|
99 | David Mazieres <dm@lcs.mit.edu> wrote the initial version, and Wayne |
---|
100 | Davison <wayned@users.sourceforge.net> added support for protocol version |
---|
101 | 2. |
---|
102 | |
---|
103 | BSD January 1, 1996 BSD |
---|