.\" -*- nroff -*-
.\" ----------------------------------------------------------------------
.\" make-ssh-known-hosts.1 -- Make ssh-known-hosts file
.\" Copyright (c) 1995 Tero Kivinen
.\" All Rights Reserved.
.\"
.\" Make-ssh-known-hosts is distributed in the hope that it will be
.\" useful, but WITHOUT ANY WARRANTY. No author or distributor accepts
.\" responsibility to anyone for the consequences of using it or for
.\" whether it serves any particular purpose or works at all, unless he
.\" says so in writing. Refer to the General Public License for full
.\" details.
.\"
.\" Everyone is granted permission to copy, modify and redistribute
.\" make-ssh-known-hosts, but only under the conditions described in
.\" the General Public License. A copy of this license is supposed to
.\" have been given to you along with make-ssh-known-hosts so you can
.\" know your rights and responsibilities. It should be in a file named
.\" COPYING. Among other things, the copyright notice and this notice
.\" must be preserved on all copies.
.\" ----------------------------------------------------------------------
.\" Program: make-ssh-known-hosts.1
.\" $Source: /afs/dev.mit.edu/source/repository/third/ssh/make-ssh-known-hosts.1.in,v $
.\" Author : $Author: danw $
.\"
.\" (C) Tero Kivinen 1995 <Tero.Kivinen@hut.fi>
.\"
.\" Creation : 03:51 Jun 28 1995 kivinen
.\" Last Modification : 03:44 Jun 28 1995 kivinen
.\" Last check in : $Date: 1999-03-08 17:43:00 $
.\" Revision number : $Revision: 1.1.1.2 $
.\" State : $State: Exp $
.\" Version : 1.1
.\"
.\" Description : Manual page for make-ssh-known-hosts.pl
.\"
.\" $Log: not supported by cvs2svn $
.\" Revision 1.4 1998/07/08 00:40:14 kivinen
.\" Changed to do similar commercial #ifdef processing than other
.\" files.
.\"
.\" Revision 1.3 1998/06/11 00:07:21 kivinen
.\" Fixed comment characters.
.\"
.\" Revision 1.2 1997/04/27 21:48:28 kivinen
.\" Added F-SECURE stuff.
.\"
.\" Revision 1.1.1.1 1996/02/18 21:38:13 ylo
.\" Imported ssh-1.2.13.
.\"
.\" Revision 1.5 1995/10/02 01:23:23 ylo
.\" Make substitutions by configure.
.\"
.\" Revision 1.4 1995/08/31 09:21:35 ylo
.\" Minor cleanup.
.\"
.\" Revision 1.3 1995/08/29 22:37:10 ylo
.\" Minor cleanup.
.\"
.\" Revision 1.2 1995/07/15 13:26:11 ylo
.\" Changes from kivinen.
.\"
.\" Revision 1.1.1.1 1995/07/12 22:41:05 ylo
.\" Imported ssh-1.0.0.
.\"
.\"
.\"
.\" If you have any useful modifications or extensions please send them to
.\" Tero.Kivinen@hut.fi
.\"
.\"
.\"
.\"
.\"
.\" #ifndef F_SECURE_COMMERCIAL
.TH MAKE-SSH-KNOWN-HOSTS 1 "November 8, 1995" "SSH TOOLS" "SSH TOOLS"
.\" #endif F_SECURE_COMMERCIAL
.SH NAME
make-ssh-known-hosts \- make ssh_known_hosts file from DNS data
.SH SYNOPSIS
.na
.TP
.B make-ssh-known-hosts
.RB "[\|" "\-\-initialdns "\c
.I initial_dns\c
\|]
.br
.RB "[\|" "\-\-server "\c
.I domain_name_server\c
\|]
.br
.RB "[\|" "\-\-subdomains "\c
.I comma_separated_list_of_subdomains\c
\|]
.br
.RB "[\|" "\-\-debug "\c
.I debug_level\c
\|]
.br
.RB "[\|" "\-\-timeout "\c
.I ssh_exec_timeout\c
\|]
.br
.RB "[\|" "\-\-pingtimeout "\c
.I ping_timeout\c
\|]
.br
.RB "[\|" "\-\-passwordtimeout "\c
.I timeout_when_asking_password\c
\|]
.br
.RB "[\|" "\-\-notrustdaemon" "\|]"
.br
.RB "[\|" "\-\-norecursive" "\|]"
.br
.RB "[\|" "\-\-domainnamesplit" "\|]"
.br
.RB "[\|" "\-\-silent" "\|]"
.br
.RB "[\|" "\-\-keyscan" "\|]"
.br
.RB "[\|" "\-\-nslookup "\c
.I path_to_nslookup_program\c
\|]
.br
.RB "[\|" "\-\-ssh "\c
.I path_to_ssh_program\c
\|]
.br
.IR "domain_name " "[\|" "take_regexp " "[\|" "remove_regexp" "\|]\|]"

.SH DESCRIPTION
.LP
.B make-ssh-known-hosts
is a perl5 script that helps create the
.I @ETCDIR@/ssh_known_hosts
file, which is used by
.B ssh
to contain the host keys of all publicly known hosts.
.B Ssh
does not normally permit login using rhosts or /etc/hosts.equiv
authentication unless the server knows the client's host key. In
addition, the recorded host keys are what the client uses to detect
man-in-the-middle attacks, so an entry is only as trustworthy as the
way in which it was collected.
.LP
In addition to
.IR @ETCDIR@/ssh_known_hosts ,
.B ssh
also uses the
.I $HOME/.ssh/known_hosts
file. This file, however, is intended to contain only those hosts
that the particular user needs but are not in the global file. It is
intended that the
.I @ETCDIR@/ssh_known_hosts
file be maintained by the system administration, and periodically
updated to contain the host keys for any new hosts.
.LP
The
.B make-ssh-known-hosts
program finds all the hosts in a domain by making a DNS query to the
master domain name server of the domain. The master domain name server
is located by searching for the SOA record of the domain from the initial
domain name server (which can be specified with the
.B \-\-initialdns
option). The master domain name server can also be given directly with
the
.B \-\-server
option.
.LP
After getting the hostname list
.B make-ssh-known-hosts
tries to get the public key from every host in the domain. It first
tries to connect to the ssh port to check whether the host is alive, and if
so, it tries to run the command
.B cat @ETCDIR@/ssh_host_key.pub
on the remote machine using
.BR ssh .
If the command succeeds, it knows the remote machine has
.B ssh
installed properly, and it then extracts the public key from the
output and prints the
.B @ETCDIR@/ssh_known_hosts
entry for it to
.BR STDOUT .
Because
.B make-ssh-known-hosts
is usually run before the remote machines have an
.I @ETCDIR@/ssh_known_hosts
file of their own, rhosts-RSA authentication cannot succeed against them
(the server does not yet know the client's host key), and you may have to
use RSA user key authentication to gain access to the hosts.
.LP
If the command fails for some reason, it checks whether the
.B ssh
client nevertheless received the host's public key from the remote daemon
during the initial protocol dialog. If so, it prints a proper entry built
from that key; if the
.B \-\-notrustdaemon
option is given, the entry is commented out instead. A key that is known
only from the daemon's own announcement has not been confirmed by anything
else, so on an untrusted network it could just as well have been supplied
by an attacker in the middle.
.LP
.I Domain_name
is the domain name for which the file is to be generated. By default
.B make-ssh-known-hosts
also extracts all subdomains of the domain. Many sites will want to
include several domains in their
.I @ETCDIR@/ssh_known_hosts
file. The entries for each domain should be extracted separately by
running
.B make-ssh-known-hosts
once for each domain. The results should then be combined to create
the final file.
.LP
.I Take_regexp
is a perl regular expression that matches the hosts to be taken from the
domain. The data matched contains all the DNS records of the host in the form "\|\c
.B fieldname=value\c
\|". The fields are separated with newlines, and the perl match is made in
multiline mode and is case insensitive. The multiline mode means
that you can use a regexp like "\|\c
.B ^wks=.*telnet.*$\c
\|" to match all hosts that have a WKS (well known services) field that
contains the value "telnet".
.LP
.I Remove_regexp
is similar, but those hosts that match the regexp are not added (it can
be used for example to filter out PCs and Macs using the hinfo field: "\|\c
.B ^hinfo=.*(mac|pc)\c
\|").
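.LP
The following Python script is an added illustration of the matching rule
just described; it is not code from the ssh distribution. It applies a take
regexp and a remove regexp, in multiline and case insensitive mode, to
per-host blocks of "fieldname=value" lines. The DNS data and host names in
it are constructed, and the function name select_hosts is chosen here.

```python
"""Host selection as make-ssh-known-hosts describes it (added example).

Each host is represented by its DNS records, one "fieldname=value" line per
record.  The take regexp must match that block and the remove regexp must
not; both are Perl-style patterns applied in multiline, case-insensitive
mode, which Python's re module supports with the same flags.
"""
import re

# Constructed DNS data for a handful of hosts; nothing here was queried.
HOSTS = {
    "alpha.cs.hut.fi": "a=130.233.1.1\nhinfo=SUN-4 UNIX\n"
                       "wks=130.233.1.1 tcp telnet ftp smtp ssh",
    "beta.cs.hut.fi": "a=130.233.1.2\nhinfo=IBM-PC MSDOS\n"
                      "wks=130.233.1.2 tcp telnet",
    "gamma.cs.hut.fi": "a=130.233.1.3\nhinfo=Macintosh MacOS\n"
                       "mx=10 alpha.cs.hut.fi",
    "delta.cs.hut.fi": "a=130.233.1.4\nhinfo=DEC-ALPHA OSF1\n"
                       "wks=130.233.1.4 tcp ssh",
    "mailhub.cs.hut.fi": "a=130.233.1.5\nmx=5 mailhub.cs.hut.fi",
}


def select_hosts(records, take_regexp=None, remove_regexp=None, multiline=True):
    """Return the sorted host names whose record block passes both filters.

    multiline=True is the tool's behaviour; False is included only to show
    what an anchored pattern does without it.
    """
    flags = re.IGNORECASE | (re.MULTILINE if multiline else 0)
    take = re.compile(take_regexp, flags) if take_regexp else None
    remove = re.compile(remove_regexp, flags) if remove_regexp else None
    chosen = []
    for host in sorted(records):
        block = records[host]
        if take is not None and not take.search(block):
            continue  # take_regexp given but no record line matched
        if remove is not None and remove.search(block):
            continue  # a record line matched the exclusion pattern
        chosen.append(host)
    return chosen


if __name__ == "__main__":
    # Hosts announcing telnet in their WKS record, as in the manual's example.
    print(select_hosts(HOSTS, r"^wks=.*telnet.*$"))
    # Everything except PCs and Macs, filtered on the HINFO record.
    print(select_hosts(HOSTS, None, r"^hinfo=.*(mac|pc)"))
    # Both filters combined: telnet hosts that are not PCs or Macs.
    print(select_hosts(HOSTS, r"^wks=.*telnet", r"^hinfo=.*(mac|pc)"))
    # Without multiline mode "^" only matches the start of the whole block.
    print(select_hosts(HOSTS, r"^wks=.*telnet.*$", multiline=False))
```
.LP
The last call shows why the multiline mode matters: without it "^wks=" can
only match at the very start of a host's record block, so the pattern
silently selects nothing. The case insensitive match is also what makes
"(mac|pc)" catch both "Macintosh" and "IBM-PC" in the constructed data.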

.SH OPTIONS
.TP
.BI "\-\-initialdns " "initial_dns"\c
.TP
.BI "\-i " "initial_dns"\c
\&Set the initial domain name server used to query the SOA record of the
domain.

.TP
.BI "\-\-server " "domain_name_server"\c
.TP
.BI "\-se " "domain_name_server"\c
\&Set the master domain name server of the domain. This host is used
to query the list of hosts in the domain.

.TP
.BI "\-\-subdomains " "subdomainlist"\c
.TP
.BI "\-su " "subdomainlist"\c
\&Comma separated list of subdomains that are appended to host names
(an empty element stands for the bare host name). For
example, if subdomainlist is "\|\c
.I ,foo, foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c
\|" then when host foobar is added to the
.B @ETCDIR@/ssh_known_hosts
file it has aliases "\|\c
.I foobar, foobar.foo, foobar.foo.bar, foobar.foo.bar.zappa, foobar.foo.bar.zappa.hut.fi\c
\|". The default action is to take all leading parts of the host name
except the second last, on a host by host basis. (The last element is
usually the country code, and something like
.I foobar.foo.bar.zappa.hut
would not make sense.)

.TP
.BI "\-\-debug " "debug_level"\c
.TP
.BI "\-de " "debug_level"\c
\&Set the debug level. Default is 5, bigger values give more output.
Using a big value (like 999) will print lots of debugging output.

.TP
.BI "\-\-timeout " "ssh_exec_timeout"\c
.TP
.BI "\-ti " "ssh_exec_timeout"\c
\&Timeout when executing the
.B ssh
command. The default is 60 seconds.

.TP
.BI "\-\-pingtimeout " "ping_timeout"\c
.TP
.BI "\-pi " "ping_timeout"\c
\&Timeout when probing the ssh port to see whether the host is alive
(a connection attempt to the port, not an ICMP ping). The default is
3 seconds.

.TP
.BI "\-\-passwordtimeout " "timeout_when_asking_password"\c
.TP
.BI "\-pa " "timeout_when_asking_password"\c
\&Timeout when asking for a password for the ssh command. The default is
that no passwords are queried. Use the value 0 to have no timeout for
password queries.

.TP
.BI "\-\-notrustdaemon"\c
.TP
.BI "\-notr"\c
\&If the
.B ssh
command fails but the client obtained a host key from the remote daemon in
the initial dialog, do not trust that key: write its entry to the generated
.B @ETCDIR@/ssh_known_hosts
file commented out, so that an administrator can verify it by other means
before enabling it. If this option is not given, such entries are printed
as ordinary, trusted entries.

.TP
.BI "\-\-norecursive"\c
.TP
.BI "\-nor"\c
\&Tell
.B make-ssh-known-hosts
that it should only extract keys for the given domain, and not
recurse into its subdomains.

.TP
.BI "\-\-domainnamesplit"\c
.TP
.BI "\-do"\c
\&Split the domain name, rather than each host name, to get the list of
subdomains. Use this option if you do not want host names to be split
into pieces automatically. By default splitting is done on a host by
host basis: if the domain is zappa.hut.fi and the host name is foo.bar,
the default action adds the entries "\|\c
.I foo, foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c
\|" whereas this option adds the entries "\|\c
.I foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c
\|".
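.LP
The three alias rules above (an explicit \-\-subdomains list, the default
host by host split, and \-\-domainnamesplit) as an added Python example.
This is not code from the ssh distribution; the function names are chosen
here, and it assumes that a host name given without the domain is relative
to that domain, as in the examples above.

```python
"""Alias generation for ssh_known_hosts host fields (added example, not code
from the ssh distribution).  Implements the three rules the manual gives:
an explicit --subdomains list, the default host-by-host split, and
--domainnamesplit.  Function names are chosen here."""


def fqdn(hostname, domain):
    """Qualify a relative host name with the domain; leave FQDNs alone."""
    hostname, domain = hostname.strip("."), domain.strip(".")
    if hostname == domain or hostname.endswith("." + domain):
        return hostname
    return hostname + "." + domain


def parse_subdomainlist(text):
    """--subdomains value: comma separated, blanks ignored, an empty
    element (e.g. a leading comma) meaning "the bare host name"."""
    return [part.strip().strip(".") for part in text.split(",")]


def subdomain_aliases(hostname, subdomains):
    """--subdomains: the host's first label joined with each suffix."""
    first = hostname.strip(".").split(".")[0]
    aliases = []
    for sub in subdomains:
        alias = first if sub == "" else first + "." + sub
        if alias not in aliases:
            aliases.append(alias)
    return aliases


def _prefixes_skipping_second_last(labels):
    """All leading prefixes of labels except the one ending just before the
    last label (for foo.bar.zappa.hut.fi that is foo.bar.zappa.hut)."""
    n = len(labels)
    return [".".join(labels[:i]) for i in range(1, n + 1)
            if not (n > 1 and i == n - 1)]


def default_aliases(hostname, domain):
    """Default rule: split the fully qualified host name itself."""
    return _prefixes_skipping_second_last(fqdn(hostname, domain).split("."))


def domainsplit_aliases(hostname, domain):
    """--domainnamesplit: keep the host's own labels whole and append the
    prefixes of the domain instead (again skipping the domain's second last)."""
    full, domain = fqdn(hostname, domain), domain.strip(".")
    base = full[:-(len(domain) + 1)] if full.endswith("." + domain) else full
    dprefixes = _prefixes_skipping_second_last(domain.split("."))
    return [base] + [base + "." + p for p in dprefixes]


def host_field(aliases):
    """The comma separated first field of a known hosts entry."""
    return ",".join(aliases)


if __name__ == "__main__":
    subs = parse_subdomainlist(",foo, foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi")
    print(host_field(subdomain_aliases("foobar", subs)))
    print(host_field(default_aliases("foo.bar", "zappa.hut.fi")))
    print(host_field(domainsplit_aliases("foo.bar", "zappa.hut.fi")))
```
.LP
For the manual's own inputs the default rule and the explicit subdomain
list produce the same five aliases for foobar, and the two splits for
foo.bar in zappa.hut.fi differ exactly in whether the bare name "foo"
is emitted. Every alias ends up as a name that ssh will accept the key
for, so a generous list widens what a stolen or substituted key can be
used to impersonate.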

.TP
.BI "\-\-silent"\c
.TP
.BI "\-si"\c
\&Be silent.

.TP
.BI "\-\-keyscan"\c
.TP
.BI "\-k"\c
\&Instead of fetching keys, output one line per host in the format "ipaddr1,ipaddr2,...ipaddrn
hostname.domain.co,hostname,ipaddr1,ipaddr2,all_other_hostname_entries",
that is, the host's addresses followed by the names and addresses that
should appear in its known hosts entry. The output can be fed to
ssh-keyscan to fetch the keys.

.TP
.BI "\-\-nslookup " "path_to_nslookup_program"\c
.TP
.BI "\-n " "path_to_nslookup_program"\c
\&Path to the
.B nslookup
program.

.TP
.BI "\-\-ssh " "path_to_ssh_program"\c
.TP
.BI "\-ss " "path_to_ssh_program"\c
\&Path to the
.B ssh
program, including any options that should be passed to it.

.SH EXAMPLES
.LP
The following command:
.IP
.B example# make-ssh-known-hosts cs.hut.fi > \c
.B @ETCDIR@/ssh_known_hosts
.LP
finds all public keys of the hosts in the
.B cs.hut.fi
domain and puts them into the
.B @ETCDIR@/ssh_known_hosts
file, splitting domain names on a per host basis.
.LP
The command
.IP
.B example% make-ssh-known-hosts hut.fi '^wks=.*ssh' > \c
.B hut-hosts
.LP
finds all hosts in the
.B hut.fi
domain, and in its subdomains that have their own name server (cs.hut.fi,
tf.hut.fi, tky.hut.fi), that have the ssh service, and puts their public
keys into the hut-hosts file. This would require that the domain name
server of hut.fi define an ssh entry in the WKS record of every host
running ssh. Because nobody yet adds ssh to WKS, it is better to use the
command
.IP
.B example% make-ssh-known-hosts hut.fi '^wks=.*telnet' > \c
.B hut-hosts
.LP
which takes those hosts that have a telnet service. This uses the default
subdomain list.

.LP
The command:
.IP
.B example% make-ssh-known-hosts hut.fi 'dipoli.hut.fi' '^hinfo=.*(mac|pc)' > \c
.B dipoli-hosts
.LP
finds all hosts in the hut.fi domain that are in the dipoli.hut.fi subdomain
(note that dipoli.hut.fi does not have its own name server, so its entries
are in the hut.fi server) and that are not Macs or PCs. The take regexp is
matched against the host's DNS records, so any record mentioning
dipoli.hut.fi selects the host.
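.LP
The DESCRIPTION says the per-domain results should be combined to create the
final file. The following added Python example (not part of the ssh
distribution) merges files like the hut-hosts and dipoli-hosts files above,
refusing to emit two different keys for one name and listing the entries the
tool commented out. It assumes the ssh1 entry layout the tool produces,
"name1,name2,... bits exponent modulus [comment]", with a leading "#" on an
untrusted entry; the file contents and moduli in it are constructed.

```python
"""Combine per-domain output files into one ssh_known_hosts (added example,
not code from the ssh distribution).  Assumes the ssh1 known hosts layout the
tool emits: "name1,name2,... bits exponent modulus [comment]", with a leading
"#" on entries it did not trust (see --notrustdaemon).  The file contents
below are constructed and use short fake moduli."""

# Constructed stand-ins for the hut-hosts and dipoli-hosts files of the
# examples above.  alpha appears in both with *different* keys.
HUT_HOSTS = """\
alpha.hut.fi,alpha,130.233.224.1 1024 35 1317914071 alpha key
beta.hut.fi,beta,130.233.224.2 1024 35 2282734523 beta key
# gamma.hut.fi,gamma 1024 35 3491073771 gamma key (from daemon only)
"""

DIPOLI_HOSTS = """\
alpha.hut.fi,alpha 1024 35 9973128451 alpha key, different!
beta.hut.fi,beta,130.233.224.2 1024 35 2282734523 beta key
delta.dipoli.hut.fi,delta 1024 35 4151238847 delta key
"""


def parse_known_hosts(text):
    """Return [(names, key, trusted)]; key is (bits, exponent, modulus)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        trusted = not line.startswith("#")
        parts = line.lstrip("#").split()
        if len(parts) < 4 or not all(p.isdigit() for p in parts[1:4]):
            continue  # blank line, prose comment, or something else entirely
        names = [n.lower() for n in parts[0].split(",") if n]
        key = (int(parts[1]), int(parts[2]), int(parts[3]))
        entries.append((names, key, trusted))
    return entries


def merge_known_hosts(files):
    """files: {label: text} in priority order.

    Returns (merged_lines, conflicts, untrusted).  A name is never emitted
    with two different keys: a later disagreeing entry is dropped and
    reported in conflicts as (name, first_label, later_label).  That is the
    signature of a reinstalled host or of a man-in-the-middle at collection
    time and must be resolved by hand, not by taking the newer key.
    """
    seen = {}  # name -> (key, label) of the entry already emitted
    merged, conflicts, untrusted = [], [], []
    for label, text in files.items():
        for names, key, trusted in parse_known_hosts(text):
            if not trusted:
                untrusted.append((label, names[0]))
                continue
            clashes = [(n, seen[n][1], label) for n in names
                       if n in seen and seen[n][0] != key]
            if clashes:
                conflicts.extend(clashes)
                continue
            if all(n in seen for n in names):
                continue  # exact duplicate of an entry already emitted
            for n in names:
                seen.setdefault(n, (key, label))
            merged.append(f"{','.join(names)} {key[0]} {key[1]} {key[2]}")
    return merged, conflicts, untrusted


def merge_example():
    """Merge the two constructed files in the order they were generated."""
    return merge_known_hosts({"hut-hosts": HUT_HOSTS,
                              "dipoli-hosts": DIPOLI_HOSTS})


if __name__ == "__main__":
    merged, conflicts, untrusted = merge_example()
    print("\n".join(merged))
    for name, first, later in conflicts:
        print(f"CONFLICT: {name} has different keys in {first} and {later}")
    for label, name in untrusted:
        print(f"UNVERIFIED: {name} in {label} came from the daemon only")
```
.LP
On the constructed input the merge keeps alpha's key from hut-hosts,
drops the disagreeing alpha entry from dipoli-hosts and reports it, skips
the duplicated beta entry, adds delta, and lists gamma as unverified. A
conflict should be settled by checking the key out of band (for example by
reading ssh_host_key.pub on the console of the host) before either line
goes into @ETCDIR@/ssh_known_hosts.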

.SH FILES
.ta 3i
@ETCDIR@/ssh_known_hosts	Global host public key list

.SH "SEE ALSO"
.BR ssh (1),
.BR sshd (8),
.BR ssh-keygen (1),
.BR ping (8),
.BR nslookup (8),
.BR perl (1),
.BR perlre (1)

.SH AUTHOR
Tero Kivinen <kivinen@hut.fi>

.SH COPYING
.LP
Permission is granted to make and distribute verbatim copies of
this manual provided the copyright notice and this permission notice
are preserved on all copies.
.LP
Permission is granted to copy and distribute modified versions of this
manual under the conditions for verbatim copying, provided that the
entire resulting derived work is distributed under the terms of a
permission notice identical to this one.
.LP
Permission is granted to copy and distribute translations of this
manual into another language, under the above conditions for modified
versions, except that this permission notice may be included in
translations approved by the author instead of in the original
English.