1 | .\" $OpenBSD: ssh-keyscan.1,v 1.20 2005/03/01 15:47:14 jmc Exp $ |
---|
2 | .\" |
---|
3 | .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. |
---|
4 | .\" |
---|
5 | .\" Modification and redistribution in source and binary forms is |
---|
6 | .\" permitted provided that due credit is given to the author and the |
---|
7 | .\" OpenBSD project by leaving this copyright notice intact. |
---|
8 | .\" |
---|
9 | .Dd January 1, 1996 |
---|
10 | .Dt SSH-KEYSCAN 1 |
---|
11 | .Os |
---|
12 | .Sh NAME |
---|
13 | .Nm ssh-keyscan |
---|
14 | .Nd gather ssh public keys |
---|
15 | .Sh SYNOPSIS |
---|
16 | .Nm ssh-keyscan |
---|
17 | .Bk -words |
---|
18 | .Op Fl 46Hv |
---|
19 | .Op Fl f Ar file |
---|
20 | .Op Fl p Ar port |
---|
21 | .Op Fl T Ar timeout |
---|
22 | .Op Fl t Ar type |
---|
23 | .Op Ar host | addrlist namelist |
---|
24 | .Op Ar ... |
---|
25 | .Ek |
---|
26 | .Sh DESCRIPTION |
---|
27 | .Nm |
---|
28 | is a utility for gathering the public ssh host keys of a number of |
---|
29 | hosts. |
---|
30 | It was designed to aid in building and verifying |
---|
31 | .Pa ssh_known_hosts |
---|
32 | files. |
---|
33 | .Nm |
---|
34 | provides a minimal interface suitable for use by shell and perl |
---|
35 | scripts. |
---|
36 | .Pp |
---|
37 | .Nm |
---|
38 | uses non-blocking socket I/O to contact as many hosts as possible in |
---|
39 | parallel, so it is very efficient. |
---|
40 | The keys from a domain of 1,000 |
---|
41 | hosts can be collected in tens of seconds, even when some of those |
---|
42 | hosts are down or do not run ssh. |
---|
43 | For scanning, one does not need |
---|
44 | login access to the machines that are being scanned, nor does the |
---|
45 | scanning process involve any encryption. |
---|
46 | .Pp |
---|
47 | The options are as follows: |
---|
48 | .Bl -tag -width Ds |
---|
49 | .It Fl 4 |
---|
50 | Forces |
---|
51 | .Nm |
---|
52 | to use IPv4 addresses only. |
---|
53 | .It Fl 6 |
---|
54 | Forces |
---|
55 | .Nm |
---|
56 | to use IPv6 addresses only. |
---|
57 | .It Fl f Ar file |
---|
58 | Read hosts or |
---|
59 | .Pa addrlist namelist |
---|
60 | pairs from this file, one per line. |
---|
61 | If |
---|
62 | .Pa - |
---|
63 | is supplied instead of a filename, |
---|
64 | .Nm |
---|
65 | will read hosts or |
---|
66 | .Pa addrlist namelist |
---|
67 | pairs from the standard input. |
---|
68 | .It Fl H |
---|
69 | Hash all hostnames and addresses in the output. |
---|
70 | Hashed names may be used normally by |
---|
71 | .Nm ssh |
---|
72 | and |
---|
73 | .Nm sshd , |
---|
74 | but they do not reveal identifying information should the file's contents |
---|
75 | be disclosed. |
---|
76 | .It Fl p Ar port |
---|
77 | Port to connect to on the remote host. |
---|
78 | .It Fl T Ar timeout |
---|
79 | Set the timeout for connection attempts. |
---|
80 | If |
---|
81 | .Pa timeout |
---|
82 | seconds have elapsed since a connection was initiated to a host or since the |
---|
83 | last time anything was read from that host, then the connection is |
---|
84 | closed and the host in question considered unavailable. |
---|
85 | Default is 5 seconds. |
---|
86 | .It Fl t Ar type |
---|
87 | Specifies the type of the key to fetch from the scanned hosts. |
---|
88 | The possible values are |
---|
89 | .Dq rsa1 |
---|
90 | for protocol version 1 and |
---|
91 | .Dq rsa |
---|
92 | or |
---|
93 | .Dq dsa |
---|
94 | for protocol version 2. |
---|
95 | Multiple values may be specified by separating them with commas. |
---|
96 | The default is |
---|
97 | .Dq rsa1 . |
---|
98 | .It Fl v |
---|
99 | Verbose mode. |
---|
100 | Causes |
---|
101 | .Nm |
---|
102 | to print debugging messages about its progress. |
---|
103 | .El |
---|
104 | .Sh SECURITY |
---|
105 | If a ssh_known_hosts file is constructed using |
---|
106 | .Nm |
---|
107 | without verifying the keys, users will be vulnerable to |
---|
108 | .Em man in the middle |
---|
109 | attacks. |
---|
110 | On the other hand, if the security model allows such a risk, |
---|
111 | .Nm |
---|
112 | can help in the detection of tampered keyfiles or man in the middle |
---|
113 | attacks which have begun after the ssh_known_hosts file was created. |
---|
114 | .Sh FILES |
---|
115 | .Pa Input format: |
---|
116 | .Bd -literal |
---|
117 | 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 |
---|
118 | .Ed |
---|
119 | .Pp |
---|
120 | .Pa Output format for rsa1 keys: |
---|
121 | .Bd -literal |
---|
122 | host-or-namelist bits exponent modulus |
---|
123 | .Ed |
---|
124 | .Pp |
---|
125 | .Pa Output format for rsa and dsa keys: |
---|
126 | .Bd -literal |
---|
127 | host-or-namelist keytype base64-encoded-key |
---|
128 | .Ed |
---|
129 | .Pp |
---|
130 | Where |
---|
131 | .Pa keytype |
---|
132 | is either |
---|
133 | .Dq ssh-rsa |
---|
134 | or |
---|
135 | .Dq ssh-dss . |
---|
136 | .Pp |
---|
137 | .Pa /etc/ssh/ssh_known_hosts |
---|
138 | .Sh EXAMPLES |
---|
139 | Print the |
---|
140 | .Pa rsa1 |
---|
141 | host key for machine |
---|
142 | .Pa hostname : |
---|
143 | .Bd -literal |
---|
144 | $ ssh-keyscan hostname |
---|
145 | .Ed |
---|
146 | .Pp |
---|
147 | Find all hosts from the file |
---|
148 | .Pa ssh_hosts |
---|
149 | which have new or different keys from those in the sorted file |
---|
150 | .Pa ssh_known_hosts : |
---|
151 | .Bd -literal |
---|
152 | $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e |
---|
153 | sort -u - ssh_known_hosts | diff ssh_known_hosts - |
---|
154 | .Ed |
---|
155 | .Sh SEE ALSO |
---|
156 | .Xr ssh 1 , |
---|
157 | .Xr sshd 8 |
---|
158 | .Sh AUTHORS |
---|
159 | .An David Mazieres Aq dm@lcs.mit.edu |
---|
160 | wrote the initial version, and |
---|
161 | .An Wayne Davison Aq wayned@users.sourceforge.net |
---|
162 | added support for protocol version 2. |
---|
163 | .Sh BUGS |
---|
164 | It generates "Connection closed by remote host" messages on the consoles |
---|
165 | of all the machines it scans if the server is older than version 2.9. |
---|
166 | This is because it opens a connection to the ssh port, reads the public |
---|
167 | key, and drops the connection as soon as it gets the key. |
---|