diff options
| author | Colin Watson <cjwatson@debian.org> | 2018-04-03 08:20:28 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2018-04-03 08:20:28 +0100 |
| commit | ed6ae9c1a014a08ff5db3d768f01f2e427eeb476 (patch) | |
| tree | 601025e307745d351946c01ab13f419ddb6dae29 /ssh-keyscan.0 | |
| parent | 62f54f20bf351468e0124f63cc2902ee40d9b0e9 (diff) | |
| parent | a0349a1cc4a18967ad1dbff5389bcdf9da098814 (diff) | |
Import openssh_7.7p1.orig.tar.gz
Diffstat (limited to 'ssh-keyscan.0')
| -rw-r--r-- | ssh-keyscan.0 | 80 |
1 files changed, 35 insertions, 45 deletions
diff --git a/ssh-keyscan.0 b/ssh-keyscan.0 index 1a9751ef1..c0278ee0a 100644 --- a/ssh-keyscan.0 +++ b/ssh-keyscan.0 | |||
| @@ -1,62 +1,66 @@ | |||
| 1 | SSH-KEYSCAN(1) General Commands Manual SSH-KEYSCAN(1) | 1 | SSH-KEYSCAN(1) General Commands Manual SSH-KEYSCAN(1) |
| 2 | 2 | ||
| 3 | NAME | 3 | NAME |
| 4 | ssh-keyscan M-bM-^@M-^S gather ssh public keys | 4 | ssh-keyscan M-bM-^@M-^S gather SSH public keys |
| 5 | 5 | ||
| 6 | SYNOPSIS | 6 | SYNOPSIS |
| 7 | ssh-keyscan [-46cHv] [-f file] [-p port] [-T timeout] [-t type] | 7 | ssh-keyscan [-46cDHv] [-f file] [-p port] [-T timeout] [-t type] |
| 8 | [host | addrlist namelist] ... | 8 | [host | addrlist namelist] |
| 9 | 9 | ||
| 10 | DESCRIPTION | 10 | DESCRIPTION |
| 11 | ssh-keyscan is a utility for gathering the public ssh host keys of a | 11 | ssh-keyscan is a utility for gathering the public SSH host keys of a |
| 12 | number of hosts. It was designed to aid in building and verifying | 12 | number of hosts. It was designed to aid in building and verifying |
| 13 | ssh_known_hosts files. ssh-keyscan provides a minimal interface suitable | 13 | ssh_known_hosts files, the format of which is documented in sshd(8). |
| 14 | for use by shell and perl scripts. | 14 | ssh-keyscan provides a minimal interface suitable for use by shell and |
| 15 | perl scripts. | ||
| 15 | 16 | ||
| 16 | ssh-keyscan uses non-blocking socket I/O to contact as many hosts as | 17 | ssh-keyscan uses non-blocking socket I/O to contact as many hosts as |
| 17 | possible in parallel, so it is very efficient. The keys from a domain of | 18 | possible in parallel, so it is very efficient. The keys from a domain of |
| 18 | 1,000 hosts can be collected in tens of seconds, even when some of those | 19 | 1,000 hosts can be collected in tens of seconds, even when some of those |
| 19 | hosts are down or do not run ssh. For scanning, one does not need login | 20 | hosts are down or do not run sshd(8). For scanning, one does not need |
| 20 | access to the machines that are being scanned, nor does the scanning | 21 | login access to the machines that are being scanned, nor does the |
| 21 | process involve any encryption. | 22 | scanning process involve any encryption. |
| 22 | 23 | ||
| 23 | The options are as follows: | 24 | The options are as follows: |
| 24 | 25 | ||
| 25 | -4 Forces ssh-keyscan to use IPv4 addresses only. | 26 | -4 Force ssh-keyscan to use IPv4 addresses only. |
| 26 | 27 | ||
| 27 | -6 Forces ssh-keyscan to use IPv6 addresses only. | 28 | -6 Force ssh-keyscan to use IPv6 addresses only. |
| 28 | 29 | ||
| 29 | -c Request certificates from target hosts instead of plain keys. | 30 | -c Request certificates from target hosts instead of plain keys. |
| 30 | 31 | ||
| 32 | -D Print keys found as SSHFP DNS records. The default is to print | ||
| 33 | keys in a format usable as a ssh(1) known_hosts file. | ||
| 34 | |||
| 31 | -f file | 35 | -f file |
| 32 | Read hosts or M-bM-^@M-^\addrlist namelistM-bM-^@M-^] pairs from file, one per line. | 36 | Read hosts or M-bM-^@M-^\addrlist namelistM-bM-^@M-^] pairs from file, one per line. |
| 33 | If - is supplied instead of a filename, ssh-keyscan will read | 37 | If M-bM-^@M-^X-M-bM-^@M-^Y is supplied instead of a filename, ssh-keyscan will read |
| 34 | hosts or M-bM-^@M-^\addrlist namelistM-bM-^@M-^] pairs from the standard input. | 38 | from the standard input. Input is expected in the format: |
| 39 | |||
| 40 | 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 | ||
| 35 | 41 | ||
| 36 | -H Hash all hostnames and addresses in the output. Hashed names may | 42 | -H Hash all hostnames and addresses in the output. Hashed names may |
| 37 | be used normally by ssh and sshd, but they do not reveal | 43 | be used normally by ssh(1) and sshd(8), but they do not reveal |
| 38 | identifying information should the file's contents be disclosed. | 44 | identifying information should the file's contents be disclosed. |
| 39 | 45 | ||
| 40 | -p port | 46 | -p port |
| 41 | Port to connect to on the remote host. | 47 | Connect to port on the remote host. |
| 42 | 48 | ||
| 43 | -T timeout | 49 | -T timeout |
| 44 | Set the timeout for connection attempts. If timeout seconds have | 50 | Set the timeout for connection attempts. If timeout seconds have |
| 45 | elapsed since a connection was initiated to a host or since the | 51 | elapsed since a connection was initiated to a host or since the |
| 46 | last time anything was read from that host, then the connection | 52 | last time anything was read from that host, the connection is |
| 47 | is closed and the host in question considered unavailable. | 53 | closed and the host in question considered unavailable. The |
| 48 | Default is 5 seconds. | 54 | default is 5 seconds. |
| 49 | 55 | ||
| 50 | -t type | 56 | -t type |
| 51 | Specifies the type of the key to fetch from the scanned hosts. | 57 | Specify the type of the key to fetch from the scanned hosts. The |
| 52 | The possible values are M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^]. | 58 | possible values are M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^]. |
| 53 | Multiple values may be specified by separating them with commas. | 59 | Multiple values may be specified by separating them with commas. |
| 54 | The default is to fetch M-bM-^@M-^\rsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], and M-bM-^@M-^\ed25519M-bM-^@M-^] keys. | 60 | The default is to fetch M-bM-^@M-^\rsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], and M-bM-^@M-^\ed25519M-bM-^@M-^] keys. |
| 55 | 61 | ||
| 56 | -v Verbose mode. Causes ssh-keyscan to print debugging messages | 62 | -v Verbose mode: print debugging messages about progress. |
| 57 | about its progress. | ||
| 58 | 63 | ||
| 59 | SECURITY | ||
| 60 | If an ssh_known_hosts file is constructed using ssh-keyscan without | 64 | If an ssh_known_hosts file is constructed using ssh-keyscan without |
| 61 | verifying the keys, users will be vulnerable to man in the middle | 65 | verifying the keys, users will be vulnerable to man in the middle |
| 62 | attacks. On the other hand, if the security model allows such a risk, | 66 | attacks. On the other hand, if the security model allows such a risk, |
| @@ -65,42 +69,28 @@ SECURITY | |||
| 65 | created. | 69 | created. |
| 66 | 70 | ||
| 67 | FILES | 71 | FILES |
| 68 | Input format: | ||
| 69 | |||
| 70 | 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 | ||
| 71 | |||
| 72 | Output format for RSA, DSA, ECDSA, and Ed25519 keys: | ||
| 73 | |||
| 74 | host-or-namelist keytype base64-encoded-key | ||
| 75 | |||
| 76 | Where keytype is either M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^], M-bM-^@M-^\ecdsa-sha2-nistp384M-bM-^@M-^], | ||
| 77 | M-bM-^@M-^\ecdsa-sha2-nistp521M-bM-^@M-^], M-bM-^@M-^\ssh-ed25519M-bM-^@M-^], M-bM-^@M-^\ssh-dssM-bM-^@M-^] or M-bM-^@M-^\ssh-rsaM-bM-^@M-^]. | ||
| 78 | |||
| 79 | /etc/ssh/ssh_known_hosts | 72 | /etc/ssh/ssh_known_hosts |
| 80 | 73 | ||
| 81 | EXAMPLES | 74 | EXAMPLES |
| 82 | Print the rsa host key for machine hostname: | 75 | Print the RSA host key for machine hostname: |
| 83 | 76 | ||
| 84 | $ ssh-keyscan hostname | 77 | $ ssh-keyscan -t rsa hostname |
| 85 | 78 | ||
| 86 | Find all hosts from the file ssh_hosts which have new or different keys | 79 | Find all hosts from the file ssh_hosts which have new or different keys |
| 87 | from those in the sorted file ssh_known_hosts: | 80 | from those in the sorted file ssh_known_hosts: |
| 88 | 81 | ||
| 89 | $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \ | 82 | $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \ |
| 90 | sort -u - ssh_known_hosts | diff ssh_known_hosts - | 83 | sort -u - ssh_known_hosts | diff ssh_known_hosts - |
| 91 | 84 | ||
| 92 | SEE ALSO | 85 | SEE ALSO |
| 93 | ssh(1), sshd(8) | 86 | ssh(1), sshd(8) |
| 94 | 87 | ||
| 88 | Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints, RFC | ||
| 89 | 4255, 2006. | ||
| 90 | |||
| 95 | AUTHORS | 91 | AUTHORS |
| 96 | David Mazieres <dm@lcs.mit.edu> wrote the initial version, and Wayne | 92 | David Mazieres <dm@lcs.mit.edu> wrote the initial version, and Wayne |
| 97 | Davison <wayned@users.sourceforge.net> added support for protocol version | 93 | Davison <wayned@users.sourceforge.net> added support for protocol version |
| 98 | 2. | 94 | 2. |
| 99 | 95 | ||
| 100 | BUGS | 96 | OpenBSD 6.2 March 5, 2018 OpenBSD 6.2 |
| 101 | It generates "Connection closed by remote host" messages on the consoles | ||
| 102 | of all the machines it scans if the server is older than version 2.9. | ||
| 103 | This is because it opens a connection to the ssh port, reads the public | ||
| 104 | key, and drops the connection as soon as it gets the key. | ||
| 105 | |||
| 106 | OpenBSD 6.2 May 2, 2017 OpenBSD 6.2 | ||