-rw-r--r-- ssh-keyscan.1 | 102
-rw-r--r-- ssh-keyscan.c | 4
2 files changed, 48 insertions, 58 deletions
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index b6bee1771..edefe76f6 100644
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-keyscan.1,v 1.42 2018/02/23 07:38:09 jmc Exp $ 1.\" $OpenBSD: ssh-keyscan.1,v 1.43 2018/03/02 21:40:15 jmc Exp $
2.\" 2.\"
3.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. 3.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
4.\" 4.\"
@@ -6,26 +6,23 @@
6.\" permitted provided that due credit is given to the author and the 6.\" permitted provided that due credit is given to the author and the
7.\" OpenBSD project by leaving this copyright notice intact. 7.\" OpenBSD project by leaving this copyright notice intact.
8.\" 8.\"
9.Dd $Mdocdate: February 23 2018 $ 9.Dd $Mdocdate: March 2 2018 $
10.Dt SSH-KEYSCAN 1 10.Dt SSH-KEYSCAN 1
11.Os 11.Os
12.Sh NAME 12.Sh NAME
13.Nm ssh-keyscan 13.Nm ssh-keyscan
14.Nd gather ssh public keys 14.Nd gather SSH public keys
15.Sh SYNOPSIS 15.Sh SYNOPSIS
16.Nm ssh-keyscan 16.Nm ssh-keyscan
17.Bk -words
18.Op Fl 46cDHv 17.Op Fl 46cDHv
19.Op Fl f Ar file 18.Op Fl f Ar file
20.Op Fl p Ar port 19.Op Fl p Ar port
21.Op Fl T Ar timeout 20.Op Fl T Ar timeout
22.Op Fl t Ar type 21.Op Fl t Ar type
23.Op Ar host | addrlist namelist 22.Op Ar host | addrlist namelist
24.Ar ...
25.Ek
26.Sh DESCRIPTION 23.Sh DESCRIPTION
27.Nm 24.Nm
28is a utility for gathering the public ssh host keys of a number of 25is a utility for gathering the public SSH host keys of a number of
29hosts. 26hosts.
30It was designed to aid in building and verifying 27It was designed to aid in building and verifying
31.Pa ssh_known_hosts 28.Pa ssh_known_hosts
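Review bot: dropping `.Ar ...` after `.Op Ar host | addrlist namelist` in the SYNOPSIS makes it read as if a single host argument is accepted, while the DESCRIPTION in the same hunk says the tool gathers "the public SSH host keys of a number of hosts"; consider keeping the ellipsis (or another mdoc marker for repetition) so the synopsis still shows that several host or addrlist/namelist arguments may be given.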
@@ -39,19 +36,41 @@ uses non-blocking socket I/O to contact as many hosts as possible in
39parallel, so it is very efficient. 36parallel, so it is very efficient.
40The keys from a domain of 1,000 37The keys from a domain of 1,000
41hosts can be collected in tens of seconds, even when some of those 38hosts can be collected in tens of seconds, even when some of those
42hosts are down or do not run ssh. 39hosts are down or do not run
40.Xr sshd 8 .
43For scanning, one does not need 41For scanning, one does not need
44login access to the machines that are being scanned, nor does the 42login access to the machines that are being scanned, nor does the
45scanning process involve any encryption. 43scanning process involve any encryption.
46.Pp 44.Pp
45Input is expected in the format:
46.Bd -literal -offset 3n
471.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
48.Ed
49.Pp
50The output format is:
51.Bd -literal -offset 3n
52host-or-namelist keytype base64-encoded-key
53.Ed
54.Pp
55Where
56.Ar keytype
57is either
58.Dq ecdsa-sha2-nistp256 ,
59.Dq ecdsa-sha2-nistp384 ,
60.Dq ecdsa-sha2-nistp521 ,
61.Dq ssh-ed25519 ,
62.Dq ssh-dss
63or
64.Dq ssh-rsa .
65.Pp
47The options are as follows: 66The options are as follows:
48.Bl -tag -width Ds 67.Bl -tag -width Ds
49.It Fl 4 68.It Fl 4
50Forces 69Force
51.Nm 70.Nm
52to use IPv4 addresses only. 71to use IPv4 addresses only.
53.It Fl 6 72.It Fl 6
54Forces 73Force
55.Nm 74.Nm
56to use IPv6 addresses only. 75to use IPv6 addresses only.
57.It Fl c 76.It Fl c
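Review bot: the new "Input is expected in the format:" block shows `1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4` without saying what the two whitespace-separated fields are; a sentence stating that the first field is the addrlist (addresses that are connected to) and the second the namelist (what appears in the host-or-namelist column of the output) would tie it to the `addrlist namelist` form in the SYNOPSIS and to the output format shown just below it.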
@@ -69,32 +88,32 @@ pairs from
69.Ar file , 88.Ar file ,
70one per line. 89one per line.
71If 90If
72.Pa - 91.Sq -
73is supplied instead of a filename, 92is supplied instead of a filename,
74.Nm 93.Nm
75will read hosts or 94will read from the standard input.
76.Dq addrlist namelist
77pairs from the standard input.
78.It Fl H 95.It Fl H
79Hash all hostnames and addresses in the output. 96Hash all hostnames and addresses in the output.
80Hashed names may be used normally by 97Hashed names may be used normally by
81.Nm ssh 98.Xr ssh 1
82and 99and
83.Nm sshd , 100.Xr sshd 8 ,
84but they do not reveal identifying information should the file's contents 101but they do not reveal identifying information should the file's contents
85be disclosed. 102be disclosed.
86.It Fl p Ar port 103.It Fl p Ar port
87Port to connect to on the remote host. 104Connect to
105.Ar port
106on the remote host.
88.It Fl T Ar timeout 107.It Fl T Ar timeout
89Set the timeout for connection attempts. 108Set the timeout for connection attempts.
90If 109If
91.Ar timeout 110.Ar timeout
92seconds have elapsed since a connection was initiated to a host or since the 111seconds have elapsed since a connection was initiated to a host or since the
93last time anything was read from that host, then the connection is 112last time anything was read from that host, the connection is
94closed and the host in question considered unavailable. 113closed and the host in question considered unavailable.
95Default is 5 seconds. 114The default is 5 seconds.
96.It Fl t Ar type 115.It Fl t Ar type
97Specifies the type of the key to fetch from the scanned hosts. 116Specify the type of the key to fetch from the scanned hosts.
98The possible values are 117The possible values are
99.Dq dsa , 118.Dq dsa ,
100.Dq ecdsa , 119.Dq ecdsa ,
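Review bot: the `-t` values introduced here (`dsa`, `ecdsa`, ...) use different names from the keytype strings listed in the output format (`ssh-dss`, `ecdsa-sha2-nistp256`, ...); a short cross-reference, for example "the corresponding keytype in the output is ssh-dss for dsa", would spare readers from guessing the mapping when they filter scan output by type.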
@@ -109,12 +128,10 @@ and
109.Dq ed25519 128.Dq ed25519
110keys. 129keys.
111.It Fl v 130.It Fl v
112Verbose mode. 131Verbose mode:
113Causes 132print debugging messages about progress.
114.Nm
115to print debugging messages about its progress.
116.El 133.El
117.Sh SECURITY 134.Pp
118If an ssh_known_hosts file is constructed using 135If an ssh_known_hosts file is constructed using
119.Nm 136.Nm
120without verifying the keys, users will be vulnerable to 137without verifying the keys, users will be vulnerable to
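Review bot: replacing `.Sh SECURITY` with `.Pp` folds the warning about building ssh_known_hosts "without verifying the keys" into the end of the DESCRIPTION, where it is easy to miss; since that paragraph is the one operational caveat of the tool, consider keeping it under its own SECURITY heading (or at least keeping it visibly separate from the option list).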
@@ -125,40 +142,18 @@ On the other hand, if the security model allows such a risk,
125can help in the detection of tampered keyfiles or man in the middle 142can help in the detection of tampered keyfiles or man in the middle
126attacks which have begun after the ssh_known_hosts file was created. 143attacks which have begun after the ssh_known_hosts file was created.
127.Sh FILES 144.Sh FILES
128Input format:
129.Bd -literal
1301.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
131.Ed
132.Pp
133Output format for RSA, DSA, ECDSA, and Ed25519 keys:
134.Bd -literal
135host-or-namelist keytype base64-encoded-key
136.Ed
137.Pp
138Where
139.Ar keytype
140is either
141.Dq ecdsa-sha2-nistp256 ,
142.Dq ecdsa-sha2-nistp384 ,
143.Dq ecdsa-sha2-nistp521 ,
144.Dq ssh-ed25519 ,
145.Dq ssh-dss
146or
147.Dq ssh-rsa .
148.Pp
149.Pa /etc/ssh/ssh_known_hosts 145.Pa /etc/ssh/ssh_known_hosts
150.Sh EXAMPLES 146.Sh EXAMPLES
151Print the rsa host key for machine 147Print the RSA host key for machine
152.Ar hostname : 148.Ar hostname :
153.Bd -literal 149.Pp
154$ ssh-keyscan hostname 150.Dl $ ssh-keyscan -t rsa hostname
155.Ed
156.Pp 151.Pp
157Find all hosts from the file 152Find all hosts from the file
158.Pa ssh_hosts 153.Pa ssh_hosts
159which have new or different keys from those in the sorted file 154which have new or different keys from those in the sorted file
160.Pa ssh_known_hosts : 155.Pa ssh_known_hosts :
161.Bd -literal 156.Bd -literal -offset indent
162$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e 157$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
163 sort -u - ssh_known_hosts | diff ssh_known_hosts - 158 sort -u - ssh_known_hosts | diff ssh_known_hosts -
164.Ed 159.Ed
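Review bot: the second example pipes fresh scan output into `sort -u - ssh_known_hosts | diff ssh_known_hosts -` to find hosts with "new or different keys"; given the earlier warning about using unverified keys, a clause saying that the differing keys reported by `diff` should be verified out of band before being merged into ssh_known_hosts would keep the example consistent with the security paragraph. The first example's change to `$ ssh-keyscan -t rsa hostname` now matches its "Print the RSA host key" description, which is good.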
@@ -176,8 +171,3 @@ $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
176wrote the initial version, and 171wrote the initial version, and
177.An Wayne Davison Aq Mt wayned@users.sourceforge.net 172.An Wayne Davison Aq Mt wayned@users.sourceforge.net
178added support for protocol version 2. 173added support for protocol version 2.
179.Sh BUGS
180It generates "Connection closed by remote host" messages on the consoles
181of all the machines it scans if the server is older than version 2.9.
182This is because it opens a connection to the ssh port, reads the public
183key, and drops the connection as soon as it gets the key.
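Review bot: removing the whole BUGS section also drops the sentence "it opens a connection to the ssh port, reads the public key, and drops the connection as soon as it gets the key", which still describes current behaviour and explains why scanned servers log abrupt disconnects; the version-2.9 qualifier is obsolete, but consider keeping that one sentence in the DESCRIPTION so operators know to expect those log entries when a scan is run against their hosts.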
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index 535368602..381fb0844 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-keyscan.c,v 1.118 2018/02/23 15:58:38 markus Exp $ */ 1/* $OpenBSD: ssh-keyscan.c,v 1.119 2018/03/02 21:40:15 jmc Exp $ */
2/* 2/*
3 * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. 3 * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
4 * 4 *
@@ -636,7 +636,7 @@ usage(void)
636{ 636{
637 fprintf(stderr, 637 fprintf(stderr,
638 "usage: %s [-46cDHv] [-f file] [-p port] [-T timeout] [-t type]\n" 638 "usage: %s [-46cDHv] [-f file] [-p port] [-T timeout] [-t type]\n"
639 "\t\t [host | addrlist namelist] ...\n", 639 "\t\t [host | addrlist namelist]\n",
640 __progname); 640 __progname);
641 exit(1); 641 exit(1);
642} 642}
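Review bot: the usage string loses ` ...` after `[host | addrlist namelist]` to track the SYNOPSIS edit in ssh-keyscan.1; if the ellipsis is restored in the manual (the tool accepts several host arguments), it must be restored here as well, since this string is what a user sees on a bad invocation and the two are easy to let drift apart.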