diff options
| author | Colin Watson <cjwatson@debian.org> | 2010-03-31 00:43:52 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2010-03-31 00:43:52 +0100 |
| commit | 004a7fb9c6a00b13dc98f56599918a54a3506d10 (patch) | |
| tree | c8cb70b404e798f78982f06cd892ab82ecb1e03e /ssh-keyscan.0 | |
| parent | d13d995a202c562c80d7e7a11c43504c505481d1 (diff) | |
| parent | 1e4cfeee6c17b02af09418c5afe4a4d71aaaf0c8 (diff) | |
Import 5.4p1 tarball
Diffstat (limited to 'ssh-keyscan.0')
| -rw-r--r-- | ssh-keyscan.0 | 107 |
1 files changed, 107 insertions, 0 deletions
diff --git a/ssh-keyscan.0 b/ssh-keyscan.0 new file mode 100644 index 000000000..1100a69b6 --- /dev/null +++ b/ssh-keyscan.0 | |||
| @@ -0,0 +1,107 @@ | |||
| 1 | SSH-KEYSCAN(1) OpenBSD Reference Manual SSH-KEYSCAN(1) | ||
| 2 | |||
| 3 | NAME | ||
| 4 | ssh-keyscan - gather ssh public keys | ||
| 5 | |||
| 6 | SYNOPSIS | ||
| 7 | ssh-keyscan [-46Hv] [-f file] [-p port] [-T timeout] [-t type] | ||
| 8 | [host | addrlist namelist] ... | ||
| 9 | |||
| 10 | DESCRIPTION | ||
| 11 | ssh-keyscan is a utility for gathering the public ssh host keys of a num- | ||
| 12 | ber of hosts. It was designed to aid in building and verifying | ||
| 13 | ssh_known_hosts files. ssh-keyscan provides a minimal interface suitable | ||
| 14 | for use by shell and perl scripts. | ||
| 15 | |||
| 16 | ssh-keyscan uses non-blocking socket I/O to contact as many hosts as pos- | ||
| 17 | sible in parallel, so it is very efficient. The keys from a domain of | ||
| 18 | 1,000 hosts can be collected in tens of seconds, even when some of those | ||
| 19 | hosts are down or do not run ssh. For scanning, one does not need login | ||
| 20 | access to the machines that are being scanned, nor does the scanning pro- | ||
| 21 | cess involve any encryption. | ||
| 22 | |||
| 23 | The options are as follows: | ||
| 24 | |||
| 25 | -4 Forces ssh-keyscan to use IPv4 addresses only. | ||
| 26 | |||
| 27 | -6 Forces ssh-keyscan to use IPv6 addresses only. | ||
| 28 | |||
| 29 | -f file | ||
| 30 | Read hosts or addrlist namelist pairs from this file, one per | ||
| 31 | line. If - is supplied instead of a filename, ssh-keyscan will | ||
| 32 | read hosts or addrlist namelist pairs from the standard input. | ||
| 33 | |||
| 34 | -H Hash all hostnames and addresses in the output. Hashed names may | ||
| 35 | be used normally by ssh and sshd, but they do not reveal identi- | ||
| 36 | fying information should the file's contents be disclosed. | ||
| 37 | |||
| 38 | -p port | ||
| 39 | Port to connect to on the remote host. | ||
| 40 | |||
| 41 | -T timeout | ||
| 42 | Set the timeout for connection attempts. If timeout seconds have | ||
| 43 | elapsed since a connection was initiated to a host or since the | ||
| 44 | last time anything was read from that host, then the connection | ||
| 45 | is closed and the host in question considered unavailable. De- | ||
| 46 | fault is 5 seconds. | ||
| 47 | |||
| 48 | -t type | ||
| 49 | Specifies the type of the key to fetch from the scanned hosts. | ||
| 50 | The possible values are ``rsa1'' for protocol version 1 and | ||
| 51 | ``rsa'' or ``dsa'' for protocol version 2. Multiple values may | ||
| 52 | be specified by separating them with commas. The default is | ||
| 53 | ``rsa''. | ||
| 54 | |||
| 55 | -v Verbose mode. Causes ssh-keyscan to print debugging messages | ||
| 56 | about its progress. | ||
| 57 | |||
| 58 | SECURITY | ||
| 59 | If an ssh_known_hosts file is constructed using ssh-keyscan without veri- | ||
| 60 | fying the keys, users will be vulnerable to man in the middle attacks. | ||
| 61 | On the other hand, if the security model allows such a risk, ssh-keyscan | ||
| 62 | can help in the detection of tampered keyfiles or man in the middle at- | ||
| 63 | tacks which have begun after the ssh_known_hosts file was created. | ||
| 64 | |||
| 65 | FILES | ||
| 66 | Input format: | ||
| 67 | |||
| 68 | 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 | ||
| 69 | |||
| 70 | Output format for rsa1 keys: | ||
| 71 | |||
| 72 | host-or-namelist bits exponent modulus | ||
| 73 | |||
| 74 | Output format for rsa and dsa keys: | ||
| 75 | |||
| 76 | host-or-namelist keytype base64-encoded-key | ||
| 77 | |||
| 78 | Where keytype is either ``ssh-rsa'' or ``ssh-dss''. | ||
| 79 | |||
| 80 | /etc/ssh/ssh_known_hosts | ||
| 81 | |||
| 82 | EXAMPLES | ||
| 83 | Print the rsa host key for machine hostname: | ||
| 84 | |||
| 85 | $ ssh-keyscan hostname | ||
| 86 | |||
| 87 | Find all hosts from the file ssh_hosts which have new or different keys | ||
| 88 | from those in the sorted file ssh_known_hosts: | ||
| 89 | |||
| 90 | $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \ | ||
| 91 | sort -u - ssh_known_hosts | diff ssh_known_hosts - | ||
| 92 | |||
| 93 | SEE ALSO | ||
| 94 | ssh(1), sshd(8) | ||
| 95 | |||
| 96 | AUTHORS | ||
| 97 | David Mazieres <dm@lcs.mit.edu> wrote the initial version, and Wayne | ||
| 98 | Davison <wayned@users.sourceforge.net> added support for protocol version | ||
| 99 | 2. | ||
| 100 | |||
| 101 | BUGS | ||
| 102 | It generates "Connection closed by remote host" messages on the consoles | ||
| 103 | of all the machines it scans if the server is older than version 2.9. | ||
| 104 | This is because it opens a connection to the ssh port, reads the public | ||
| 105 | key, and drops the connection as soon as it gets the key. | ||
| 106 | |||
| 107 | OpenBSD 4.6 January 9, 2010 2 | ||