2008-07-23 09:15:38 +00:00
|
|
|
SSH-KEYSCAN(1) OpenBSD Reference Manual SSH-KEYSCAN(1)
|
|
|
|
|
|
|
|
NAME
|
|
|
|
ssh-keyscan - gather ssh public keys
|
|
|
|
|
|
|
|
SYNOPSIS
|
|
|
|
ssh-keyscan [-46Hv] [-f file] [-p port] [-T timeout] [-t type]
|
2009-02-24 18:49:27 +00:00
|
|
|
[host | addrlist namelist] ...
|
2008-07-23 09:15:38 +00:00
|
|
|
|
|
|
|
DESCRIPTION
|
2010-11-08 10:45:44 +00:00
|
|
|
ssh-keyscan is a utility for gathering the public ssh host keys of a
|
|
|
|
number of hosts. It was designed to aid in building and verifying
|
2008-07-23 09:15:38 +00:00
|
|
|
ssh_known_hosts files. ssh-keyscan provides a minimal interface suitable
|
|
|
|
for use by shell and perl scripts.
|
|
|
|
|
2010-11-08 10:45:44 +00:00
|
|
|
ssh-keyscan uses non-blocking socket I/O to contact as many hosts as
|
|
|
|
possible in parallel, so it is very efficient. The keys from a domain of
|
2008-07-23 09:15:38 +00:00
|
|
|
1,000 hosts can be collected in tens of seconds, even when some of those
|
|
|
|
hosts are down or do not run ssh. For scanning, one does not need login
|
2010-11-08 10:45:44 +00:00
|
|
|
access to the machines that are being scanned, nor does the scanning
|
|
|
|
process involve any encryption.
|
2008-07-23 09:15:38 +00:00
|
|
|
|
|
|
|
The options are as follows:
|
|
|
|
|
|
|
|
-4 Forces ssh-keyscan to use IPv4 addresses only.
|
|
|
|
|
|
|
|
-6 Forces ssh-keyscan to use IPv6 addresses only.
|
|
|
|
|
|
|
|
-f file
|
2014-03-22 15:23:38 +00:00
|
|
|
Read hosts or ``addrlist namelist'' pairs from file, one per
|
2008-07-23 09:15:38 +00:00
|
|
|
line. If - is supplied instead of a filename, ssh-keyscan will
|
2014-03-22 15:23:38 +00:00
|
|
|
read hosts or ``addrlist namelist'' pairs from the standard
|
|
|
|
input.
|
2008-07-23 09:15:38 +00:00
|
|
|
|
|
|
|
-H Hash all hostnames and addresses in the output. Hashed names may
|
2010-11-08 10:45:44 +00:00
|
|
|
be used normally by ssh and sshd, but they do not reveal
|
|
|
|
identifying information should the file's contents be disclosed.
|
2008-07-23 09:15:38 +00:00
|
|
|
|
|
|
|
-p port
|
|
|
|
Port to connect to on the remote host.
|
|
|
|
|
|
|
|
-T timeout
|
|
|
|
Set the timeout for connection attempts. If timeout seconds have
|
|
|
|
elapsed since a connection was initiated to a host or since the
|
|
|
|
last time anything was read from that host, then the connection
|
2010-11-08 10:45:44 +00:00
|
|
|
is closed and the host in question considered unavailable.
|
|
|
|
Default is 5 seconds.
|
2008-07-23 09:15:38 +00:00
|
|
|
|
|
|
|
-t type
|
|
|
|
Specifies the type of the key to fetch from the scanned hosts.
|
|
|
|
The possible values are ``rsa1'' for protocol version 1 and
|
2014-01-30 10:56:49 +00:00
|
|
|
``dsa'', ``ecdsa'', ``ed25519'', or ``rsa'' for protocol version
|
|
|
|
2. Multiple values may be specified by separating them with
|
|
|
|
commas. The default is to fetch ``rsa'' and ``ecdsa'' keys.
|
2008-07-23 09:15:38 +00:00
|
|
|
|
|
|
|
-v Verbose mode. Causes ssh-keyscan to print debugging messages
|
|
|
|
about its progress.
|
|
|
|
|
|
|
|
SECURITY
|
2010-11-08 10:45:44 +00:00
|
|
|
If an ssh_known_hosts file is constructed using ssh-keyscan without
|
|
|
|
verifying the keys, users will be vulnerable to man in the middle
|
|
|
|
attacks. On the other hand, if the security model allows such a risk,
|
|
|
|
ssh-keyscan can help in the detection of tampered keyfiles or man in the
|
|
|
|
middle attacks which have begun after the ssh_known_hosts file was
|
|
|
|
created.
|
2008-07-23 09:15:38 +00:00
|
|
|
|
|
|
|
FILES
|
|
|
|
Input format:
|
|
|
|
|
|
|
|
1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
|
|
|
|
|
|
|
|
Output format for rsa1 keys:
|
|
|
|
|
|
|
|
host-or-namelist bits exponent modulus
|
|
|
|
|
2011-02-17 11:47:40 +00:00
|
|
|
Output format for rsa, dsa and ecdsa keys:
|
2008-07-23 09:15:38 +00:00
|
|
|
|
|
|
|
host-or-namelist keytype base64-encoded-key
|
|
|
|
|
2011-02-17 11:47:40 +00:00
|
|
|
Where keytype is either ``ecdsa-sha2-nistp256'', ``ecdsa-sha2-nistp384'',
|
2014-01-30 10:56:49 +00:00
|
|
|
``ecdsa-sha2-nistp521'', ``ssh-ed25519'', ``ssh-dss'' or ``ssh-rsa''.
|
2008-07-23 09:15:38 +00:00
|
|
|
|
|
|
|
/etc/ssh/ssh_known_hosts
|
|
|
|
|
|
|
|
EXAMPLES
|
2009-02-24 18:49:27 +00:00
|
|
|
Print the rsa host key for machine hostname:
|
2008-07-23 09:15:38 +00:00
|
|
|
|
|
|
|
$ ssh-keyscan hostname
|
|
|
|
|
|
|
|
Find all hosts from the file ssh_hosts which have new or different keys
|
|
|
|
from those in the sorted file ssh_known_hosts:
|
|
|
|
|
2011-02-17 11:47:40 +00:00
|
|
|
$ ssh-keyscan -t rsa,dsa,ecdsa -f ssh_hosts | \
|
2008-07-23 09:15:38 +00:00
|
|
|
sort -u - ssh_known_hosts | diff ssh_known_hosts -
|
|
|
|
|
|
|
|
SEE ALSO
|
|
|
|
ssh(1), sshd(8)
|
|
|
|
|
|
|
|
AUTHORS
|
|
|
|
David Mazieres <dm@lcs.mit.edu> wrote the initial version, and Wayne
|
|
|
|
Davison <wayned@users.sourceforge.net> added support for protocol version
|
|
|
|
2.
|
|
|
|
|
|
|
|
BUGS
|
|
|
|
It generates "Connection closed by remote host" messages on the consoles
|
|
|
|
of all the machines it scans if the server is older than version 2.9.
|
|
|
|
This is because it opens a connection to the ssh port, reads the public
|
|
|
|
key, and drops the connection as soon as it gets the key.
|
|
|
|
|
2014-03-22 15:23:38 +00:00
|
|
|
OpenBSD 5.5 January 28, 2014 OpenBSD 5.5
|