author | Ben Lindstrom <mouring@eviladmin.org> | 2000-12-05 01:15:09 +0000 |
---|---|---|
committer | Ben Lindstrom <mouring@eviladmin.org> | 2000-12-05 01:15:09 +0000 |
commit | b6434ae0e89c6614645a6e8ef50be1c5884beaf5 (patch) | |
tree | ddd59719a473c529c0f783bd273b1ef92fdf03db /ssh-keyscan.1 | |
parent | d121f613708c3c9c82465b0788550943a918d5c8 (diff) |
20001205
- (bal) OpenSSH CVS updates:
- markus@cvs.openbsd.org 2000/12/04 19:24:02
[ssh-keyscan.c ssh-keyscan.1]
David Maziere's ssh-keyscan, ok niels@
- (bal) Updated Makefile.in to include ssh-keyscan that was just added
to the recent OpenBSD source tree.
Diffstat (limited to 'ssh-keyscan.1')
-rw-r--r-- | ssh-keyscan.1 | 94 |
1 files changed, 94 insertions, 0 deletions
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1 new file mode 100644 index 000000000..efd6e744a --- /dev/null +++ b/ssh-keyscan.1 | |||
@@ -0,0 +1,94 @@ | |||
1 | .Dd January 1, 1996 | ||
2 | .Dt ssh-keyscan 1 | ||
3 | .Os | ||
4 | .Sh NAME | ||
5 | .Nm ssh-keyscan | ||
6 | .Nd gather ssh public keys | ||
7 | .Sh SYNOPSIS | ||
8 | .Nm ssh-keyscan | ||
9 | .Op Fl t Ar timeout | ||
10 | .Op Ar -- | host | addrlist namelist | ||
11 | .Op Fl f Ar files ... | ||
12 | .Sh DESCRIPTION | ||
13 | .Nm | ||
14 | is a utility for gathering the public ssh host keys of a number of | ||
15 | hosts. It was designed to aid in building and verifying | ||
16 | .Pa ssh_known_hosts | ||
17 | files. | ||
18 | .Nm | ||
19 | provides a minimal interface suitable for use by shell and perl | ||
20 | scripts. | ||
21 | .Pp | ||
22 | .Nm | ||
23 | uses non-blocking socket I/O to contact as many hosts as possible in | ||
24 | parallel, so it is very efficient. The keys from a domain of 1,000 | ||
25 | hosts can be collected in tens of seconds, even when some of those | ||
26 | hosts are down or do not run ssh. You do not need login access to the | ||
27 | machines you are scanning, nor does does the scanning process involve | ||
28 | any encryption. | ||
29 | .Sh SECURITY | ||
30 | If you make an ssh_known_hosts file using | ||
31 | .Nm | ||
32 | without verifying the keys, you will be vulnerable to | ||
33 | .I man in the middle | ||
34 | attacks. | ||
35 | On the other hand, if your security model allows such a risk, | ||
36 | .Nm | ||
37 | can help you detect tampered keyfiles or man in the middle attacks which | ||
38 | have begun after you created your ssh_known_hosts file. | ||
39 | .Sh OPTIONS | ||
40 | .Bl -tag -width Ds | ||
41 | .It Fl t | ||
42 | Set the timeout for connection attempts. If | ||
43 | .Pa timeout | ||
44 | seconds have elapsed since a connection was initiated to a host or since the | ||
45 | last time anything was read from that host, then the connection is | ||
46 | closed and the host in question considered unavailable. Default is 5 | ||
47 | seconds. | ||
48 | .It Fl f | ||
49 | Read hosts or | ||
50 | .Pa addrlist namelist | ||
51 | pairs from this file, one per line. | ||
52 | If | ||
53 | .Pa - | ||
54 | is supplied instead of a filename, | ||
55 | .Nm | ||
56 | will read hosts or | ||
57 | .Pa addrlist namelist | ||
58 | pairs from the standard input. | ||
59 | .Sh EXAMPLES | ||
60 | .Pp | ||
61 | Print the host key for machine | ||
62 | .Pa hostname : | ||
63 | .Bd -literal | ||
64 | ssh-keyscan hostname | ||
65 | .Ed | ||
66 | .Pp | ||
67 | Find all hosts from the file | ||
68 | .Pa ssh_hosts | ||
69 | which have new or different keys from those in the sorted file | ||
70 | .Pa ssh_known_hosts : | ||
71 | .Bd -literal | ||
72 | ssh-keyscan -f ssh_hosts | sort -u - ssh_known_hosts | \e\ | ||
73 | diff ssh_known_hosts - | ||
74 | .Ed | ||
75 | .Pp | ||
76 | .Sh FILES | ||
77 | .Pp | ||
78 | .Pa Input format: | ||
79 | 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 | ||
80 | .Pp | ||
81 | .Pa Output format: | ||
82 | host-or-namelist bits exponent modulus | ||
83 | .Pp | ||
84 | .Pa /etc/ssh_known_hosts | ||
85 | .Sh BUGS | ||
86 | It generates "Connection closed by remote host" messages on the consoles | ||
87 | of all the machines it scans. | ||
88 | This is because it opens a connection to the ssh port, reads the public | ||
89 | key, and drops the connection as soon as it gets the key. | ||
90 | .Sh SEE ALSO | ||
91 | .Xr ssh 1 | ||
92 | .Xr sshd 8 | ||
93 | .Sh AUTHOR | ||
94 | David Mazieres <dm@lcs.mit.edu> | ||
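Review bot: line 33 uses the man(7) macro `.I man in the middle` inside an mdoc(7) page, where `.I` is not a defined macro and the phrase will not be set in italics; use `.Em man in the middle` instead. In the same hunk, `.Pa` is applied to things that are not pathnames: `.Pa timeout` (line 43) should be `.Ar timeout`, `.Pa -` (line 53) should be `.Ar -`, and `.Pa Input format:` / `.Pa Output format:` (lines 78 and 81) are plain labels, not paths. The OPTIONS list also drops the arguments that the SYNOPSIS declares on lines 9 and 11: `.It Fl t` and `.It Fl f` should read `.It Fl t Ar timeout` and `.It Fl f Ar file` so each option is listed with its argument. Minor: `.Dd January 1, 1996` (line 1) is a stale date for a file first committed in December 2000 and `.Dt ssh-keyscan 1` should be `.Dt SSH-KEYSCAN 1` by mdoc convention; line 27 has a doubled "does does"; and the `.Pp` placed directly after `.Sh EXAMPLES` and `.Sh FILES` (lines 60 and 77) is redundant.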