diff options
Diffstat (limited to 'ssh-keyscan.0')
-rw-r--r-- | ssh-keyscan.0 | 102 |
1 files changed, 102 insertions, 0 deletions
diff --git a/ssh-keyscan.0 b/ssh-keyscan.0 new file mode 100644 index 000000000..19031a27f --- /dev/null +++ b/ssh-keyscan.0 | |||
@@ -0,0 +1,102 @@ | |||
1 | SSH-KEYSCAN(1) BSD General Commands Manual SSH-KEYSCAN(1) | ||
2 | |||
3 | NAME | ||
4 | ssh-keyscan - gather ssh public keys | ||
5 | |||
6 | SYNOPSIS | ||
7 | ssh-keyscan [-v46] [-p port] [-T timeout] [-t type] [-f file] | ||
8 | [host | addrlist namelist] [...] | ||
9 | |||
10 | DESCRIPTION | ||
11 | ssh-keyscan is a utility for gathering the public ssh host keys of a num- | ||
12 | ber of hosts. It was designed to aid in building and verifying | ||
13 | ssh_known_hosts files. ssh-keyscan provides a minimal interface suitable | ||
14 | for use by shell and perl scripts. | ||
15 | |||
16 | ssh-keyscan uses non-blocking socket I/O to contact as many hosts as pos- | ||
17 | sible in parallel, so it is very efficient. The keys from a domain of | ||
18 | 1,000 hosts can be collected in tens of seconds, even when some of those | ||
19 | hosts are down or do not run ssh. For scanning, one does not need login | ||
20 | access to the machines that are being scanned, nor does the scanning pro- | ||
21 | cess involve any encryption. | ||
22 | |||
23 | The options are as follows: | ||
24 | |||
25 | -p port | ||
26 | Port to connect to on the remote host. | ||
27 | |||
28 | -T timeout | ||
29 | Set the timeout for connection attempts. If timeout seconds have | ||
30 | elapsed since a connection was initiated to a host or since the | ||
31 | last time anything was read from that host, then the connection | ||
32 | is closed and the host in question considered unavailable. | ||
33 | Default is 5 seconds. | ||
34 | |||
35 | -t type | ||
36 | Specifies the type of the key to fetch from the scanned hosts. | ||
37 | The possible values are M-bM-^@M-^\rsa1M-bM-^@M-^] for protocol version 1 and M-bM-^@M-^\rsaM-bM-^@M-^] | ||
38 | or M-bM-^@M-^\dsaM-bM-^@M-^] for protocol version 2. Multiple values may be speci- | ||
39 | fied by separating them with commas. The default is M-bM-^@M-^\rsa1M-bM-^@M-^]. | ||
40 | |||
41 | -f filename | ||
42 | Read hosts or addrlist namelist pairs from this file, one per | ||
43 | line. If - is supplied instead of a filename, ssh-keyscan will | ||
44 | read hosts or addrlist namelist pairs from the standard input. | ||
45 | |||
46 | -v Verbose mode. Causes ssh-keyscan to print debugging messages | ||
47 | about its progress. | ||
48 | |||
49 | -4 Forces ssh-keyscan to use IPv4 addresses only. | ||
50 | |||
51 | -6 Forces ssh-keyscan to use IPv6 addresses only. | ||
52 | |||
53 | SECURITY | ||
54 | If a ssh_known_hosts file is constructed using ssh-keyscan without veri- | ||
55 | fying the keys, users will be vulnerable to attacks. On the other hand, | ||
56 | if the security model allows such a risk, ssh-keyscan can help in the | ||
57 | detection of tampered keyfiles or man in the middle attacks which have | ||
58 | begun after the ssh_known_hosts file was created. | ||
59 | |||
60 | EXAMPLES | ||
61 | Print the rsa1 host key for machine hostname: | ||
62 | |||
63 | $ ssh-keyscan hostname | ||
64 | |||
65 | Find all hosts from the file ssh_hosts which have new or different keys | ||
66 | from those in the sorted file ssh_known_hosts: | ||
67 | |||
68 | $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \ | ||
69 | sort -u - ssh_known_hosts | diff ssh_known_hosts - | ||
70 | |||
71 | FILES | ||
72 | Input format: | ||
73 | |||
74 | 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 | ||
75 | |||
76 | Output format for rsa1 keys: | ||
77 | |||
78 | host-or-namelist bits exponent modulus | ||
79 | |||
80 | Output format for rsa and dsa keys: | ||
81 | |||
82 | host-or-namelist keytype base64-encoded-key | ||
83 | |||
84 | Where keytype is either M-bM-^@M-^\ssh-rsaM-bM-^@M-^] or M-bM-^@M-^\ssh-dsaM-bM-^@M-^]. | ||
85 | |||
86 | /etc/ssh/ssh_known_hosts | ||
87 | |||
88 | BUGS | ||
89 | It generates "Connection closed by remote host" messages on the consoles | ||
90 | of all the machines it scans if the server is older than version 2.9. | ||
91 | This is because it opens a connection to the ssh port, reads the public | ||
92 | key, and drops the connection as soon as it gets the key. | ||
93 | |||
94 | SEE ALSO | ||
95 | ssh(1), sshd(8) | ||
96 | |||
97 | AUTHORS | ||
98 | David Mazieres <dm@lcs.mit.edu> wrote the initial version, and Wayne | ||
99 | Davison <wayned@users.sourceforge.net> added support for protocol version | ||
100 | 2. | ||
101 | |||
102 | BSD January 1, 1996 BSD | ||