source: trunk/third/ssh/make-ssh-known-hosts.1.in @ 12646

Revision 12646, 12.1 KB checked in by danw, 26 years ago (diff)
This commit was generated by cvs2svn to compensate for changes in r12645, which included commits to RCS files with non-trunk default branches.
.\" -*- nroff -*-
.\" ----------------------------------------------------------------------
.\" make-ssh-known-hosts.1 -- Make ssh-known-hosts file
.\" Copyright (c) 1995 Tero Kivinen
.\" All Rights Reserved.
.\"
.\" Make-ssh-known-hosts is distributed in the hope that it will be
.\" useful, but WITHOUT ANY WARRANTY.  No author or distributor accepts
.\" responsibility to anyone for the consequences of using it or for
.\" whether it serves any particular purpose or works at all, unless he
.\" says so in writing.  Refer to the General Public License for full
.\" details.
.\"
.\" Everyone is granted permission to copy, modify and redistribute
.\" make-ssh-known-hosts, but only under the conditions described in
.\" the General Public License.  A copy of this license is supposed to
.\" have been given to you along with make-ssh-known-hosts so you can
.\" know your rights and responsibilities.  It should be in a file named
.\" COPYING.  Among other things, the copyright notice and this notice
.\" must be preserved on all copies.
.\" ----------------------------------------------------------------------
.\"       Program: make-ssh-known-hosts.1
.\"       $Source: /afs/dev.mit.edu/source/repository/third/ssh/make-ssh-known-hosts.1.in,v $
.\"       Author : $Author: danw $
.\"
.\"       (C) Tero Kivinen 1995 <Tero.Kivinen@hut.fi>
.\"
.\"       Creation          : 03:51 Jun 28 1995 kivinen
.\"       Last Modification : 03:44 Jun 28 1995 kivinen
.\"       Last check in     : $Date: 1999-03-08 17:43:00 $
.\"       Revision number   : $Revision: 1.1.1.2 $
.\"       State             : $State: Exp $
.\"       Version           : 1.1
.\"
.\"       Description       : Manual page for make-ssh-known-hosts.pl
.\"
.\"       $Log: not supported by cvs2svn $
.\"       Revision 1.4  1998/07/08 00:40:14  kivinen
.\"             Changed to do similar commercial #ifdef processing than other
.\"             files.
.\"
.\"       Revision 1.3  1998/06/11 00:07:21  kivinen
.\"             Fixed comment characters.
.\"
.\" Revision 1.2  1997/04/27  21:48:28  kivinen
.\"     Added F-SECURE stuff.
.\"
.\"       Revision 1.1.1.1  1996/02/18 21:38:13  ylo
.\"             Imported ssh-1.2.13.
.\"
.\" Revision 1.5  1995/10/02  01:23:23  ylo
.\"     Make substitutions by configure.
.\"
.\" Revision 1.4  1995/08/31  09:21:35  ylo
.\"     Minor cleanup.
.\"
.\" Revision 1.3  1995/08/29  22:37:10  ylo
.\"     Minor cleanup.
.\"
.\" Revision 1.2  1995/07/15  13:26:11  ylo
.\"     Changes from kivinen.
.\"
.\" Revision 1.1.1.1  1995/07/12  22:41:05  ylo
.\" Imported ssh-1.0.0.
.\"
.\"
.\"
.\" If you have any useful modifications or extensions please send them to
.\" Tero.Kivinen@hut.fi
.\"
.\"
.\"
.\"
.\"
.\" #ifndef F_SECURE_COMMERCIAL
.TH MAKE-SSH-KNOWN-HOSTS 1 "November 8, 1995" "SSH TOOLS" "SSH TOOLS"
.\" #endif F_SECURE_COMMERCIAL
.SH NAME
make-ssh-known-hosts \- make ssh_known_hosts file from DNS data
.SH SYNOPSIS
.na
.TP
.B make-ssh-known-hosts
.RB "[\|" "\-\-initialdns "\c
.I initial_dns\c
\|]
.br
.RB "[\|" "\-\-server "\c
.I domain_name_server\c
\|]
.br
.RB "[\|" "\-\-subdomains "\c
.I comma_separated_list_of_subdomains\c
\|]
.br
.RB "[\|" "\-\-debug "\c
.I debug_level\c
\|]
.br
.RB "[\|" "\-\-timeout "\c
.I ssh_exec_timeout\c
\|]
.br
.RB "[\|" "\-\-pingtimeout "\c
.I ping_timeout\c
\|]
.br
.RB "[\|" "\-\-passwordtimeout "\c
.I timeout_when_asking_password\c
\|]
.br
.RB "[\|" "\-\-notrustdaemon" "\|]"
.br
.RB "[\|" "\-\-norecursive" "\|]"
.br
.RB "[\|" "\-\-domainnamesplit" "\|]"
.br
.RB "[\|" "\-\-silent" "\|]"
.br
.RB "[\|" "\-\-keyscan" "\|]"
.br
.RB "[\|" "\-\-nslookup "\c
.I path_to_nslookup_program\c
\|]
.br
.RB "[\|" "\-\-ssh "\c
.I path_to_ssh_program\c
\|]
.br
.IR "domain_name " "[\|" "take_regexp " "[\|" "remove_regexp" "\|]\|]"

.SH DESCRIPTION
.LP
.B make-ssh-known-hosts
is a perl5 script that helps create the
.I @ETCDIR@/ssh_known_hosts
file, which is used by
.B ssh
to contain the host keys of all publicly known hosts.
.B Ssh
does not normally permit login using rhosts or /etc/hosts.equiv
authentication unless the server knows the client's host key.  In
addition, the host keys are used to prevent man-in-the-middle attacks.
.LP
In addition to
.IR @ETCDIR@/ssh_known_hosts ",
.B ssh
also uses the
.I $HOME/.ssh/known_hosts
file.  This file, however, is intended to contain only those hosts
that the particular user needs but are not in the global file.  It is
intended that the
.I @ETCDIR@/ssh_known_hosts
file be maintained by the system administration, and periodically
updated to contain the host keys for any new hosts.
.LP
The
.B make-ssh-known-hosts
program finds all the hosts in a domain by making a DNS query to the
master domain name server of the domain. The master domain name server
is located by searching for the SOA record of the domain from the initial
domain name server (which can be specified with the
.B \-\-initialdns
option). The master domain name server can also be given directly with
the
.B \-\-server
option.
.LP
After getting the hostname list,
.B make-ssh-known-hosts
tries to get the public key from every host in the domain. It first
tries to connect to the ssh port to check if the host is alive, and if
so, it tries to run the command
.B cat @ETCDIR@/ssh_host_key.pub
on the remote machine using
.BR ssh ".
If the command succeeds, it knows the remote machine has
.B ssh
installed properly, and it then extracts the public key from the
output, and prints the
.B @ETCDIR@/ssh_known_hosts
entry for it to
.BR STDOUT ". Because
.B make-ssh-known-hosts
is usually run before the
remote machines have an @ETCDIR@/ssh_known_hosts file, you may have to use
RSA authentication to allow access to the hosts.
.LP
If the command fails for some reason, it checks whether the
.B ssh
client still got the public key from the remote host in the initial dialog,
and if so, it prints a proper entry, commenting it out if the
.B \-\-notrustdaemon
option is given.
.LP
.I Domain_name
is the domain name for which the file is to be generated. By default
.B make-ssh-known-hosts
also extracts all subdomains of the domain. Many sites will want to
include several domains in their
.I @ETCDIR@/ssh_known_hosts
file.  The entries for each domain should be extracted separately by
running
.B make-ssh-known-hosts
once for each domain.  The results should then be combined to create
the final file.
.LP
.I Take_regexp
is a perl regular expression that matches the hosts to be taken from the
domain. The data matched contains all the DNS records in the form "\|\c
.B fieldname=value\c
\|". The fields are separated by newlines, and the perl match is made in
multiline mode and is case insensitive. The multiline mode means
that you can use a regexp like "\|\c
.B ^wks=.*telnet.*$\c
\|" to match all hosts that have a WKS (well known services) field that
contains the value "telnet".
.LP
.I Remove_regexp
is similar, but those hosts that match the regexp are not added (it can
be used, for example, to filter out PCs and Macs using the hinfo field: "\|\c
.B ^hinfo=.*(mac|pc)\c
\|").

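As an added illustration of the take_regexp / remove_regexp selection described above (example code, not part of the manual page or of the make-ssh-known-hosts script), the following Python function applies both patterns to constructed per-host record text. Python's re.MULTILINE and re.IGNORECASE flags give the same semantics as the perl /mi match for the patterns shown on this page; the host names and DNS records are made up.

```python
import re

# Constructed sample: the per-host text the script matches against, one
# "fieldname=value" line per DNS record (hosts and values are made up).
HOST_RECORDS = {
    "alpha.cs.hut.fi": "a=130.233.0.1\nhinfo=SUN SunOS\nwks=130.233.0.1 tcp telnet smtp ssh\n",
    "beta.cs.hut.fi":  "a=130.233.0.2\nhinfo=PC DOS\nwks=130.233.0.2 tcp telnet\n",
    "gamma.cs.hut.fi": "a=130.233.0.3\nhinfo=Macintosh MacOS\n",
    "delta.cs.hut.fi": "a=130.233.0.4\nhinfo=SUN SunOS\nwks=130.233.0.4 tcp smtp\n",
}


def select_hosts(records, take_regexp=None, remove_regexp=None, multiline=True):
    """Return the sorted host names whose record text matches take_regexp
    (if given) and does not match remove_regexp (if given).

    Both patterns are compiled case-insensitively and, by default, in
    multiline mode, so "^" and "$" anchor at each record line rather than at
    the start and end of the whole text.  multiline=False is only there to
    show why the manual page insists on multiline mode."""
    flags = re.IGNORECASE | (re.MULTILINE if multiline else 0)
    take = re.compile(take_regexp, flags) if take_regexp else None
    remove = re.compile(remove_regexp, flags) if remove_regexp else None
    chosen = []
    for host, text in records.items():
        if take is not None and not take.search(text):
            continue            # host is not taken by take_regexp
        if remove is not None and remove.search(text):
            continue            # host is filtered out by remove_regexp
        chosen.append(host)
    return sorted(chosen)


if __name__ == "__main__":
    # The two patterns quoted on this page: hosts offering telnet in WKS,
    # minus anything whose HINFO says it is a Mac or a PC.
    print(select_hosts(HOST_RECORDS, r"^wks=.*telnet.*$", r"^hinfo=.*(mac|pc)"))
```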
.SH OPTIONS
.TP
.BI "\-\-initialdns " "initial_dns"\c
.TP
.BI "\-i " "initial_dns"\c
\&Set the initial domain name server used to query the SOA record of the
domain.

.TP
.BI "\-\-server " "domain_name_server"\c
.TP
.BI "\-se " "domain_name_server"\c
\&Set the master domain name server of the domain. This host is used
to query the DNS list of the domain.

.TP
.BI "\-\-subdomains " "subdomainlist"\c
.TP
.BI "\-su " "subdomainlist"\c
\&Comma-separated list of subdomains that are added to hostnames. For
example, if subdomainlist is "\|\c
.I ,foo, foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c
\|" then when host foobar is added to the
.B @ETCDIR@/ssh_known_hosts
file it has the aliases "\|\c
.I foobar, foobar.foo, foobar.foo.bar, foobar.foo.bar.zappa, foobar.foo.bar.zappa.hut.fi\c
\|". The default action is to take all subparts of the host but the
second last, on a host by host basis.  (The last element is usually the
country code, and something like
.I foobar.foo.bar.zappa.hut
would not make sense.)

.TP
.BI "\-\-debug " "debug_level"\c
.TP
.BI "\-de " "debug_level"\c
\&Set the debug level. The default is 5; bigger values give more output.
Using a big value (like 999) will print lots of debugging output.

.TP
.BI "\-\-timeout " "ssh_exec_timeout"\c
.TP
.BI "\-ti " "ssh_exec_timeout"\c
\&Timeout when executing the
.B ssh
command.  The default is 60 seconds.

.TP
.BI "\-\-pingtimeout " "ping_timeout"\c
.TP
.BI "\-pi " "ping_timeout"\c
\&Timeout when trying to ping the ssh port.  The default is 3 seconds.

.TP
.BI "\-\-passwordtimeout " "timeout_when_asking_password"\c
.TP
.BI "\-pa " "timeout_when_asking_password"\c
\&Timeout when asking for a password for the ssh command. By default no
passwords are queried. Use the value 0 to have no timeout for password queries.

.TP
.BI "\-\-notrustdaemon"\c
.TP
.BI "\-notr"\c
\&If the
.B ssh
command fails, use the public key stored in the local known hosts file
and trust that it is the correct key for the host. If this option is not
given, such entries are commented out in the generated
.B @ETCDIR@/ssh_known_hosts
file.

.TP
.BI "\-\-norecursive"\c
.TP
.BI "\-nor"\c
\&Tell
.B make-ssh-known-hosts
that it should only extract keys for the given domain, and not recurse
into its subdomains.

.TP
.BI "\-\-domainnamesplit"\c
.TP
.BI "\-do"\c
\&Split the domain name to get the list of subdomains. Use this option
if you don't want the hostname to be split into pieces automatically.
Default splitting is done on a host by host basis. If the domain is
zappa.hut.fi, and the host name is foo.bar, then the default action adds
the entries "\|\c
.I foo, foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c
\|" and this option adds the entries "\|\c
.I foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c
\|".

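As an added illustration of the alias rules described under \-\-subdomains and \-\-domainnamesplit (example code, not the script's own), the following Python functions build the alias list for a host under the default per-host splitting, under \-\-domainnamesplit, and from an explicit subdomain list, and join it into a known_hosts line. The comma-separated name list followed by the key is the standard ssh_known_hosts layout; the key text used in the sample is a placeholder.

```python
def default_aliases(fqdn):
    """Default splitting: every leading part of the fully qualified name,
    except the second last one (the prefix that stops just before the
    country code, e.g. foo.bar.zappa.hut), which the manual page says
    would not make sense."""
    labels = fqdn.split(".")
    names = [".".join(labels[:i]) for i in range(1, len(labels) + 1)]
    if len(names) >= 2:
        del names[-2]
    return names


def domainsplit_aliases(host, domain):
    """--domainnamesplit: keep the host part whole and split only the
    domain, again dropping the second-last candidate."""
    labels = domain.split(".")
    names = [host] + [host + "." + ".".join(labels[:i])
                      for i in range(1, len(labels) + 1)]
    if len(names) >= 2:
        del names[-2]
    return names


def subdomainlist_aliases(host, subdomainlist):
    """--subdomains: append each listed subdomain to the host name; an
    empty element (a leading comma) yields the bare host name."""
    out = []
    for sub in subdomainlist.split(","):
        sub = sub.strip()
        out.append(host + "." + sub if sub else host)
    return out


def known_hosts_entry(aliases, key_text):
    """One ssh_known_hosts line: comma-separated names, a space, the key."""
    return ",".join(aliases) + " " + key_text


if __name__ == "__main__":
    # Worked example from the manual page; the key is a placeholder.
    print(known_hosts_entry(default_aliases("foo.bar.zappa.hut.fi"),
                            "<host key text>"))
    print(known_hosts_entry(domainsplit_aliases("foo.bar", "zappa.hut.fi"),
                            "<host key text>"))
```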
.TP
.BI "\-\-silent"\c
.TP
.BI "\-si"\c
\&Be silent.

.TP
.BI "\-\-keyscan"\c
.TP
.BI "\-k"\c
\&Output a list of all hosts in the format "ipaddr1,ipaddr2,...ipaddrn
hostname.domain.co,hostname,ipaddr1,ipaddr2,all_other_hostname_entries".
This output can be fed to ssh-keyscan to fetch the keys.

.TP
.BI "\-\-nslookup " "path_to_nslookup_program"\c
.TP
.BI "\-n " "path_to_nslookup_program"\c
\&Path to the
.B nslookup
program.

.TP
.BI "\-\-ssh " "path_to_ssh_program"\c
.TP
.BI "\-ss " "path_to_ssh_program"\c
\&Path to the
.B ssh
program, including all options.

.SH EXAMPLES
.LP
The following command:
.IP
.B example# make-ssh-known-hosts cs.hut.fi > \c
.B @ETCDIR@/ssh_known_hosts
.LP
finds all public keys of the hosts in the
.B cs.hut.fi
domain and puts them in the
.B @ETCDIR@/ssh_known_hosts
file, splitting domain names on a per-host basis.
.LP
The command
.IP
.B example% make-ssh-known-hosts hut.fi '^wks=.*ssh' > \c
.B hut-hosts
.LP
finds all hosts in the
.B hut.fi
domain, and in its subdomains that have their own name server (cs.hut.fi,
tf.hut.fi, tky.hut.fi), that have the ssh service, and puts their public keys
in the hut-hosts file. This requires that the domain name server of
hut.fi defines an ssh entry in the WKS record of every host running
ssh. Because nobody yet adds ssh to WKS, it is better to
use the command
.IP
.B example% make-ssh-known-hosts hut.fi '^wks=.*telnet' > \c
.B hut-hosts
.LP
which takes those hosts having the telnet service. This uses the default
subdomain list.

.LP
The command:
.IP
.B example% make-ssh-known-hosts hut.fi 'dipoli.hut.fi' '^hinfo=.*(mac|pc)' > \c
.B dipoli-hosts
.LP
finds all hosts in the hut.fi domain that are in the dipoli.hut.fi subdomain
(note that dipoli.hut.fi does not have its own name server, so its entries are
in the hut.fi server) and that are not Macs or PCs.

.SH FILES
.ta 3i
@ETCDIR@/ssh_known_hosts	Global host public key list

.SH "SEE ALSO"
.BR ssh (1),
.BR sshd (8),
.BR ssh-keygen (1),
.BR ping (8),
.BR nslookup (8),
.BR perl (1),
.BR perlre (1)

.SH AUTHOR
Tero Kivinen <kivinen@hut.fi>

.SH COPYING
.LP
Permission is granted to make and distribute verbatim copies of
this manual provided the copyright notice and this permission notice
are preserved on all copies.
.LP
Permission is granted to copy and distribute modified versions of this
manual under the conditions for verbatim copying, provided that the
entire resulting derived work is distributed under the terms of a
permission notice identical to this one.
.LP
Permission is granted to copy and distribute translations of this
manual into another language, under the above conditions for modified
versions, except that this permission notice may be included in
translations approved by the author instead of in the original
English.