source: trunk/third/ssh/make-ssh-known-hosts.1.in @ 10564

Revision 10564, 11.9 KB checked in by danw, 27 years ago
This commit was generated by cvs2svn to compensate for changes in r10563, which included commits to RCS files with non-trunk default branches.
.\" -*- nroff -*-
.\" ----------------------------------------------------------------------
.\" make-ssh-known-hosts.1 -- Make ssh-known-hosts file
.\" Copyright (c) 1995 Tero Kivinen
.\" All Rights Reserved.
.\"
.\" Make-ssh-known-hosts is distributed in the hope that it will be
.\" useful, but WITHOUT ANY WARRANTY.  No author or distributor accepts
.\" responsibility to anyone for the consequences of using it or for
.\" whether it serves any particular purpose or works at all, unless he
.\" says so in writing.  Refer to the General Public License for full
.\" details.
.\"
.\" Everyone is granted permission to copy, modify and redistribute
.\" make-ssh-known-hosts, but only under the conditions described in
.\" the General Public License.  A copy of this license is supposed to
.\" have been given to you along with make-ssh-known-hosts so you can
.\" know your rights and responsibilities.  It should be in a file named
.\" COPYING.  Among other things, the copyright notice and this notice
.\" must be preserved on all copies.
.\" ----------------------------------------------------------------------
.\"       Program: make-ssh-known-hosts.1
.\"       $Source: /afs/dev.mit.edu/source/repository/third/ssh/make-ssh-known-hosts.1.in,v $
.\"       Author : $Author: danw $
.\"
.\"       (C) Tero Kivinen 1995 <Tero.Kivinen@hut.fi>
.\"
.\"       Creation          : 03:51 Jun 28 1995 kivinen
.\"       Last Modification : 03:44 Jun 28 1995 kivinen
.\"       Last check in     : $Date: 1997-10-17 22:26:00 $
.\"       Revision number   : $Revision: 1.1.1.1 $
.\"       State             : $State: Exp $
.\"       Version           : 1.1
.\"
.\"       Description       : Manual page for make-ssh-known-hosts.pl
.\"
.\"       $Log: not supported by cvs2svn $
.\"       Revision 1.2  1997/04/27 21:48:28  kivinen
.\"             Added F-SECURE stuff.
.\"
.\"       Revision 1.1.1.1  1996/02/18 21:38:13  ylo
.\"             Imported ssh-1.2.13.
.\"
.\" Revision 1.5  1995/10/02  01:23:23  ylo
.\"     Make substitutions by configure.
.\"
.\" Revision 1.4  1995/08/31  09:21:35  ylo
.\"     Minor cleanup.
.\"
.\" Revision 1.3  1995/08/29  22:37:10  ylo
.\"     Minor cleanup.
.\"
.\" Revision 1.2  1995/07/15  13:26:11  ylo
.\"     Changes from kivinen.
.\"
.\" Revision 1.1.1.1  1995/07/12  22:41:05  ylo
.\" Imported ssh-1.0.0.
.\"
.\"
.\"
.\" If you have any useful modifications or extensions please send them to
.\" Tero.Kivinen@hut.fi
.\"
.\"
.nr CO 0
.ie \n(CO .TH MAKE-SSH-KNOWN-HOSTS 1 "November 8, 1995" "F-SECURE SSH TOOLS" "F-SECURE SSH TOOLS"
.el .TH MAKE-SSH-KNOWN-HOSTS 1 "November 8, 1995" "SSH TOOLS" "SSH TOOLS"
.SH NAME
make-ssh-known-hosts \- make ssh_known_hosts file from DNS data
.SH SYNOPSIS
.na
.TP
.B make-ssh-known-hosts
.RB "[\|" "\-\-initialdns "\c
.I initial_dns\c
\|]
.br
.RB "[\|" "\-\-server "\c
.I domain_name_server\c
\|]
.br
.RB "[\|" "\-\-subdomains "\c
.I comma_separated_list_of_subdomains\c
\|]
.br
.RB "[\|" "\-\-debug "\c
.I debug_level\c
\|]
.br
.RB "[\|" "\-\-timeout "\c
.I ssh_exec_timeout\c
\|]
.br
.RB "[\|" "\-\-pingtimeout "\c
.I ping_timeout\c
\|]
.br
.RB "[\|" "\-\-passwordtimeout "\c
.I timeout_when_asking_password\c
\|]
.br
.RB "[\|" "\-\-notrustdaemon" "\|]"
.br
.RB "[\|" "\-\-norecursive" "\|]"
.br
.RB "[\|" "\-\-domainnamesplit" "\|]"
.br
.RB "[\|" "\-\-silent" "\|]"
.br
.RB "[\|" "\-\-keyscan" "\|]"
.br
.RB "[\|" "\-\-nslookup "\c
.I path_to_nslookup_program\c
\|]
.br
.RB "[\|" "\-\-ssh "\c
.I path_to_ssh_program\c
\|]
.br
.IR "domain_name " "[\|" "take_regexp " "[\|" "remove_regexp" "\|]\|]"

.SH DESCRIPTION
.LP
.B make-ssh-known-hosts
is a perl5 script that helps create the
.I @ETCDIR@/ssh_known_hosts
file, which is used by
.B ssh
to contain the host keys of all publicly known hosts.
.B Ssh
does not normally permit login using rhosts or /etc/hosts.equiv
authentication unless the server knows the client's host key.  In
addition, the host keys are used to prevent man-in-the-middle attacks.
.LP
In addition to
.IR @ETCDIR@/ssh_known_hosts ",
.B ssh
also uses the
.I $HOME/.ssh/known_hosts
file.  This file, however, is intended to contain only those hosts
that the particular user needs but that are not in the global file.  It is
intended that the
.I @ETCDIR@/ssh_known_hosts
file be maintained by the system administration, and periodically
updated to contain the host keys of any new hosts.
.LP
The
.B make-ssh-known-hosts
program finds all the hosts in a domain by making a DNS query to the
master domain name server of the domain. The master domain name server
is located by searching for the SOA record of the domain from the initial
domain name server (which can be specified with the
.B \-\-initialdns
option). The master domain name server can also be given directly with
the
.B \-\-server
option.
.LP
After getting the hostname list,
.B make-ssh-known-hosts
tries to get the public key from every host in the domain. It first
tries to connect to the ssh port to check whether the host is alive, and if
so, it tries to run the command
.B cat @ETCDIR@/ssh_host_key.pub
on the remote machine using
.BR ssh ".
If the command succeeds, it knows the remote machine has
.B ssh
installed properly; it then extracts the public key from the
output and prints the
.B @ETCDIR@/ssh_known_hosts
entry for it to
.BR STDOUT ". Because
.B make-ssh-known-hosts
is usually run before the
remote machines have an @ETCDIR@/ssh_known_hosts file, you may have to use
RSA authentication to allow access to the hosts.
.LP
If the command fails for some reason, it checks whether the
.B ssh
client still got the public key from the remote host in the initial dialog,
and if so, it prints a proper entry, commenting it out if the
.B \-\-notrustdaemon
option is given.
.LP
.I Domain_name
is the domain name for which the file is to be generated. By default
.B make-ssh-known-hosts
also extracts all subdomains of the domain. Many sites will want to
include several domains in their
.I @ETCDIR@/ssh_known_hosts
file.  The entries for each domain should be extracted separately by
running
.B make-ssh-known-hosts
once for each domain.  The results should then be combined to create
the final file.
.LP
.I Take_regexp
is a perl regular expression that matches the hosts to be taken from the
domain. The data matched contains all the DNS records in the form "\|\c
.B fieldname=value\c
\|". The fields are separated by newlines, and the perl match is made in
multiline mode and is case insensitive. The multiline mode means
that you can use a regexp like "\|\c
.B ^wks=.*telnet.*$\c
\|" to match all hosts that have a WKS (well known services) field
containing the value "telnet".
.LP
.I Remove_regexp
is similar, but the hosts that match the regexp are not added (it can
be used, for example, to filter out PCs and Macs using the hinfo field: "\|\c
.B ^hinfo=.*(mac|pc)\c
\|").
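The take_regexp / remove_regexp selection described above, as an added example written in Python rather than the script's Perl (this is not code from make-ssh-known-hosts itself). The DNS records are constructed for illustration, and Python's re.MULTILINE | re.IGNORECASE are assumed to stand in for the Perl /m and /i matching the page describes.

```python
import re

# Constructed sample data (not from the page): what the script matches
# against, one record per host, each DNS field on its own
# "fieldname=value" line.  Addresses are from the documentation range.
SAMPLE_RECORDS = {
    "alpha.cs.hut.fi":   "a=192.0.2.1\nhinfo=SUN-4 UNIX\nwks=192.0.2.1 tcp ftp telnet smtp",
    "pc17.cs.hut.fi":    "a=192.0.2.17\nhinfo=PC MS-DOS\nwks=192.0.2.17 tcp telnet",
    "mac3.cs.hut.fi":    "a=192.0.2.3\nhinfo=MAC SYSTEM7",
    "printer.cs.hut.fi": "a=192.0.2.9\nhinfo=HP LASERJET\nwks=192.0.2.9 tcp lpd",
}

# Assumed equivalent of the Perl /m and /i modifiers: ^ and $ anchor at
# line boundaries inside the record and letter case is ignored.
_FLAGS = re.MULTILINE | re.IGNORECASE


def select_hosts(records, take_regexp=None, remove_regexp=None):
    """Return the sorted host names that pass take_regexp and remove_regexp.

    A host is kept when take_regexp (if given) matches somewhere in its
    record and remove_regexp (if given) does not.  Either argument may be
    omitted, exactly as on the command line.
    """
    take = re.compile(take_regexp, _FLAGS) if take_regexp else None
    remove = re.compile(remove_regexp, _FLAGS) if remove_regexp else None
    chosen = []
    for host, record in records.items():
        if take and not take.search(record):
            continue          # take_regexp given but the host does not match
        if remove and remove.search(record):
            continue          # host matches remove_regexp: filtered out
        chosen.append(host)
    return sorted(chosen)


if __name__ == "__main__":
    # The page's own regexps: telnet in WKS, then drop Macs and PCs by HINFO.
    print(select_hosts(SAMPLE_RECORDS, r"^wks=.*telnet.*$"))
    print(select_hosts(SAMPLE_RECORDS, r"^wks=.*telnet.*$", r"^hinfo=.*(mac|pc)"))
```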

.SH OPTIONS
.TP
.BI "\-\-initialdns " "initial_dns"\c
.TP
.BI "\-i " "initial_dns"\c
\&Set the initial domain name server used to query the SOA record of the
domain.

.TP
.BI "\-\-server " "domain_name_server"\c
.TP
.BI "\-se " "domain_name_server"\c
\&Set the master domain name server of the domain. This host is used
to query the DNS list of the domain.

.TP
.BI "\-\-subdomains " "subdomainlist"\c
.TP
.BI "\-su " "subdomainlist"\c
\&Comma separated list of subdomains that are added to hostnames. For
example, if subdomainlist is "\|\c
.I ,foo, foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c
\|" then when host foobar is added to the
.B @ETCDIR@/ssh_known_hosts
file it has the aliases "\|\c
.I foobar, foobar.foo, foobar.foo.bar, foobar.foo.bar.zappa, foobar.foo.bar.zappa.hut.fi\c
\|". The default action is to take all subparts of the host name but the
second last, on a host by host basis.  (The last element is usually the
country code, and something like
.I foobar.foo.bar.zappa.hut
would not make sense.)

.TP
.BI "\-\-debug " "debug_level"\c
.TP
.BI "\-de " "debug_level"\c
\&Set the debug level. The default is 5; bigger values give more output.
Using a big value (like 999) will print lots of debugging output.

.TP
.BI "\-\-timeout " "ssh_exec_timeout"\c
.TP
.BI "\-ti " "ssh_exec_timeout"\c
\&Timeout when executing the
.B ssh
command.  The default is 60 seconds.

.TP
.BI "\-\-pingtimeout " "ping_timeout"\c
.TP
.BI "\-pi " "ping_timeout"\c
\&Timeout when trying to ping the ssh port.  The default is 3 seconds.

.TP
.BI "\-\-passwordtimeout " "timeout_when_asking_password"\c
.TP
.BI "\-pa " "timeout_when_asking_password"\c
\&Timeout when asking for a password for the ssh command. By default no
passwords are queried. Use the value 0 to have no timeout for password queries.

.TP
.BI "\-\-notrustdaemon"\c
.TP
.BI "\-notr"\c
\&If the
.B ssh
command fails, use the public key stored in the local known hosts file
and trust that it is the correct key for the host. If this option is not
given, such entries are commented out in the generated
.B @ETCDIR@/ssh_known_hosts
file.

.TP
.BI "\-\-norecursive"\c
.TP
.BI "\-nor"\c
\&Tell
.B make-ssh-known-hosts
that it should only extract keys for the given domain, and not
recurse into its subdomains.

.TP
.BI "\-\-domainnamesplit"\c
.TP
.BI "\-do"\c
\&Split the domain name to get the list of subdomains. Use this option
if you don't want the host name to be split into pieces automatically.
Default splitting is done on a host by host basis. If the domain is
zappa.hut.fi, and the host name is foo.bar, then the default action adds the
entries "\|\c
.I foo, foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c
\|" and this option adds the entries "\|\c
.I foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c
\|".
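The alias rules of the \-\-subdomains and \-\-domainnamesplit options, together with the default host by host splitting, as an added example that is not the script's own code. host_aliases and known_hosts_entry are illustrative names, the key line is constructed, and the ssh_known_hosts line layout assumed is the comma separated names followed by the bits, exponent and modulus of the ssh1 host key.

```python
def strip_domain(fqdn, domain):
    """Host part of fqdn relative to domain (fqdn unchanged if not inside it)."""
    suffix = "." + domain
    return fqdn[:-len(suffix)] if fqdn.endswith(suffix) else fqdn


def host_aliases(fqdn, domain, domainnamesplit=False, subdomains=None):
    """Names written in front of the key for one host, in the page's order.

    Default: every leading part of the FQDN except the second last one,
    decided host by host.  domainnamesplit (--domainnamesplit): keep the
    host part whole and derive the suffixes from domain by the same rule.
    subdomains (--subdomains): explicit comma separated suffix list, where
    an empty element stands for the bare host name.
    """
    def join(head, s):
        return head + ("." + s if s else "")
    if subdomains is not None:
        head = strip_domain(fqdn, domain)
        return [join(head, s.strip()) for s in subdomains.split(",")]
    if domainnamesplit:
        head = strip_domain(fqdn, domain)
        labels = domain.split(".")
        names = [""] + [".".join(labels[:i]) for i in range(1, len(labels) + 1)]
    else:
        head = None
        labels = fqdn.split(".")
        names = [".".join(labels[:i]) for i in range(1, len(labels) + 1)]
    if len(names) >= 2:
        del names[-2]          # e.g. foo.bar.zappa.hut "would not make sense"
    return names if head is None else [join(head, n) for n in names]


def known_hosts_entry(aliases, host_key_pub, trusted=True):
    """One ssh_known_hosts line: comma separated names, then the key fields
    (bits, exponent, modulus) from the ssh_host_key.pub output, comment
    dropped.  trusted=False writes the entry commented out."""
    bits, exponent, modulus = host_key_pub.split()[:3]
    line = f"{','.join(aliases)} {bits} {exponent} {modulus}"
    return line if trusted else "# " + line


if __name__ == "__main__":
    # Constructed key line for the page's example host; not a real key.
    pub = "1024 35 23456789012345678901234567890123 root@foo.bar.zappa.hut.fi"
    print(known_hosts_entry(host_aliases("foo.bar.zappa.hut.fi", "zappa.hut.fi"), pub))
    print(known_hosts_entry(host_aliases("foo.bar.zappa.hut.fi", "zappa.hut.fi",
                                         domainnamesplit=True), pub, trusted=False))
```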

.TP
.BI "\-\-silent"\c
.TP
.BI "\-si"\c
\&Be silent.

.TP
.BI "\-\-keyscan"\c
.TP
.BI "\-k"\c
\&Output a list of all hosts in the format "ipaddr1,ipaddr2,...ipaddrn
hostname.domain.co,hostname,ipaddr1,ipaddr2,all_other_hostname_entries".
This output can be fed to ssh-keyscan to fetch the keys.

.TP
.BI "\-\-nslookup " "path_to_nslookup_program"\c
.TP
.BI "\-n " "path_to_nslookup_program"\c
\&Path to the
.B nslookup
program.

.TP
.BI "\-\-ssh " "path_to_ssh_program"\c
.TP
.BI "\-ss " "path_to_ssh_program"\c
\&Path to the
.B ssh
program, including all options.

.SH EXAMPLES
.LP
The following command:
.IP
.B example# make-ssh-known-hosts cs.hut.fi > \c
.B @ETCDIR@/ssh_known_hosts
.LP
finds the public keys of all hosts in the
.B cs.hut.fi
domain and puts them in the
.B @ETCDIR@/ssh_known_hosts
file, splitting domain names on a per host basis.
.LP
The command
.IP
.B example% make-ssh-known-hosts hut.fi '^wks=.*ssh' > \c
.B hut-hosts
.LP
finds all hosts in the
.B hut.fi
domain, and in its subdomains that have their own name server (cs.hut.fi,
tf.hut.fi, tky.hut.fi), that have the ssh service, and puts their public keys
in the hut-hosts file. This would require that the domain name server of
hut.fi defines an ssh entry in the WKS record of every host running ssh.
Because nobody yet adds ssh to WKS, it would be better to
use the command
.IP
.B example% make-ssh-known-hosts hut.fi '^wks=.*telnet' > \c
.B hut-hosts
.LP
which takes those hosts having the telnet service. This uses the default
subdomain list.

.LP
The command:
.IP
.B example% make-ssh-known-hosts hut.fi 'dipoli.hut.fi' '^hinfo=.*(mac|pc)' > \c
.B dipoli-hosts
.LP
finds all hosts in the hut.fi domain that are in the dipoli.hut.fi subdomain
(note that dipoli.hut.fi does not have its own name server, so its entries are
in the hut.fi server) and that are not Macs or PCs.

.SH FILES
.ta 3i
@ETCDIR@/ssh_known_hosts        Global host public key list

.SH "SEE ALSO"
.BR ssh (1),
.BR sshd (8),
.BR ssh-keygen (1),
.BR ping (8),
.BR nslookup (8),
.BR perl (1),
.BR perlre (1)

.SH AUTHOR
Tero Kivinen <kivinen@hut.fi>

.SH COPYING
.LP
Permission is granted to make and distribute verbatim copies of
this manual provided the copyright notice and this permission notice
are preserved on all copies.
.LP
Permission is granted to copy and distribute modified versions of this
manual under the conditions for verbatim copying, provided that the
entire resulting derived work is distributed under the terms of a
permission notice identical to this one.
.LP
Permission is granted to copy and distribute translations of this
manual into another language, under the above conditions for modified
versions, except that this permission notice may be included in
translations approved by the author instead of in the original
English.