diff options
Diffstat (limited to 'ssh-keyscan.0')
| -rw-r--r-- | ssh-keyscan.0 | 88 |
1 files changed, 44 insertions, 44 deletions
diff --git a/ssh-keyscan.0 b/ssh-keyscan.0 index 3c3067cc9..19031a27f 100644 --- a/ssh-keyscan.0 +++ b/ssh-keyscan.0 | |||
| @@ -1,100 +1,100 @@ | |||
| 1 | SSHM-bM-^@M-^PKEYSCAN(1) BSD General Commands Manual SSHM-bM-^@M-^PKEYSCAN(1) | 1 | SSH-KEYSCAN(1) BSD General Commands Manual SSH-KEYSCAN(1) |
| 2 | 2 | ||
| 3 | ^[[1mNAME^[[0m | 3 | NAME |
| 4 | ^[[1msshM-bM-^@M-^Pkeyscan ^[[22mM-bMM-^R gather ssh public keys | 4 | ssh-keyscan - gather ssh public keys |
| 5 | 5 | ||
| 6 | ^[[1mSYNOPSIS^[[0m | 6 | SYNOPSIS |
| 7 | ^[[1msshM-bM-^@M-^Pkeyscan ^[[22m[^[[1mM-bMM-^Rv46^[[22m] [^[[1mM-bMM-^Rp ^[[4m^[[22mport^[[24m] [^[[1mM-bMM-^RT ^[[4m^[[22mtimeout^[[24m] [^[[1mM-bMM-^Rt ^[[4m^[[22mtype^[[24m] [^[[1mM-bMM-^Rf ^[[4m^[[22mfile^[[24m] | 7 | ssh-keyscan [-v46] [-p port] [-T timeout] [-t type] [-f file] |
| 8 | [^[[4mhost^[[24m | ^[[4maddrlist^[[24m ^[[4mnamelist^[[24m] [^[[4m...^[[24m] | 8 | [host | addrlist namelist] [...] |
| 9 | 9 | ||
| 10 | ^[[1mDESCRIPTION^[[0m | 10 | DESCRIPTION |
| 11 | ^[[1msshM-bM-^@M-^Pkeyscan ^[[22mis a utility for gathering the public ssh host keys of a numM-bM-^@M-^P | 11 | ssh-keyscan is a utility for gathering the public ssh host keys of a num- |
| 12 | ber of hosts. It was designed to aid in building and verifying | 12 | ber of hosts. It was designed to aid in building and verifying |
| 13 | ^[[4mssh_known_hosts^[[24m files. ^[[1msshM-bM-^@M-^Pkeyscan ^[[22mprovides a minimal interface suitable | 13 | ssh_known_hosts files. ssh-keyscan provides a minimal interface suitable |
| 14 | for use by shell and perl scripts. | 14 | for use by shell and perl scripts. |
| 15 | 15 | ||
| 16 | ^[[1msshM-bM-^@M-^Pkeyscan ^[[22muses nonM-bM-^@M-^Pblocking socket I/O to contact as many hosts as posM-bM-^@M-^P | 16 | ssh-keyscan uses non-blocking socket I/O to contact as many hosts as pos- |
| 17 | sible in parallel, so it is very efficient. The keys from a domain of | 17 | sible in parallel, so it is very efficient. The keys from a domain of |
| 18 | 1,000 hosts can be collected in tens of seconds, even when some of those | 18 | 1,000 hosts can be collected in tens of seconds, even when some of those |
| 19 | hosts are down or do not run ssh. For scanning, one does not need login | 19 | hosts are down or do not run ssh. For scanning, one does not need login |
| 20 | access to the machines that are being scanned, nor does the scanning proM-bM-^@M-^P | 20 | access to the machines that are being scanned, nor does the scanning pro- |
| 21 | cess involve any encryption. | 21 | cess involve any encryption. |
| 22 | 22 | ||
| 23 | The options are as follows: | 23 | The options are as follows: |
| 24 | 24 | ||
| 25 | ^[[1mM-bMM-^Rp ^[[4m^[[22mport^[[0m | 25 | -p port |
| 26 | Port to connect to on the remote host. | 26 | Port to connect to on the remote host. |
| 27 | 27 | ||
| 28 | ^[[1mM-bMM-^RT ^[[4m^[[22mtimeout^[[0m | 28 | -T timeout |
| 29 | Set the timeout for connection attempts. If ^[[4mtimeout^[[24m seconds have | 29 | Set the timeout for connection attempts. If timeout seconds have |
| 30 | elapsed since a connection was initiated to a host or since the | 30 | elapsed since a connection was initiated to a host or since the |
| 31 | last time anything was read from that host, then the connection | 31 | last time anything was read from that host, then the connection |
| 32 | is closed and the host in question considered unavailable. | 32 | is closed and the host in question considered unavailable. |
| 33 | Default is 5 seconds. | 33 | Default is 5 seconds. |
| 34 | 34 | ||
| 35 | ^[[1mM-bMM-^Rt ^[[4m^[[22mtype^[[0m | 35 | -t type |
| 36 | Specifies the type of the key to fetch from the scanned hosts. | 36 | Specifies the type of the key to fetch from the scanned hosts. |
| 37 | The possible values are M-bM-^@M-^\rsa1M-bM-^@M-^] for protocol version 1 and M-bM-^@M-^\rsaM-bM-^@M-^] | 37 | The possible values are M-bM-^@M-^\rsa1M-bM-^@M-^] for protocol version 1 and M-bM-^@M-^\rsaM-bM-^@M-^] |
| 38 | or M-bM-^@M-^\dsaM-bM-^@M-^] for protocol version 2. Multiple values may be speciM-bM-^@M-^P | 38 | or M-bM-^@M-^\dsaM-bM-^@M-^] for protocol version 2. Multiple values may be speci- |
| 39 | fied by separating them with commas. The default is M-bM-^@M-^\rsa1M-bM-^@M-^]. | 39 | fied by separating them with commas. The default is M-bM-^@M-^\rsa1M-bM-^@M-^]. |
| 40 | 40 | ||
| 41 | ^[[1mM-bMM-^Rf ^[[4m^[[22mfilename^[[0m | 41 | -f filename |
| 42 | Read hosts or ^[[4maddrlist^[[24m ^[[4mnamelist^[[24m pairs from this file, one per | 42 | Read hosts or addrlist namelist pairs from this file, one per |
| 43 | line. If ^[[4mM-bM-^@M-^P^[[24m is supplied instead of a filename, ^[[1msshM-bM-^@M-^Pkeyscan ^[[22mwill | 43 | line. If - is supplied instead of a filename, ssh-keyscan will |
| 44 | read hosts or ^[[4maddrlist^[[24m ^[[4mnamelist^[[24m pairs from the standard input. | 44 | read hosts or addrlist namelist pairs from the standard input. |
| 45 | 45 | ||
| 46 | ^[[1mM-bMM-^Rv ^[[22mVerbose mode. Causes ^[[1msshM-bM-^@M-^Pkeyscan ^[[22mto print debugging messages | 46 | -v Verbose mode. Causes ssh-keyscan to print debugging messages |
| 47 | about its progress. | 47 | about its progress. |
| 48 | 48 | ||
| 49 | ^[[1mM-bMM-^R4 ^[[22mForces ^[[1msshM-bM-^@M-^Pkeyscan ^[[22mto use IPv4 addresses only. | 49 | -4 Forces ssh-keyscan to use IPv4 addresses only. |
| 50 | 50 | ||
| 51 | ^[[1mM-bMM-^R6 ^[[22mForces ^[[1msshM-bM-^@M-^Pkeyscan ^[[22mto use IPv6 addresses only. | 51 | -6 Forces ssh-keyscan to use IPv6 addresses only. |
| 52 | 52 | ||
| 53 | ^[[1mSECURITY^[[0m | 53 | SECURITY |
| 54 | If a ssh_known_hosts file is constructed using ^[[1msshM-bM-^@M-^Pkeyscan ^[[22mwithout veriM-bM-^@M-^P | 54 | If a ssh_known_hosts file is constructed using ssh-keyscan without veri- |
| 55 | fying the keys, users will be vulnerable to attacks. On the other hand, | 55 | fying the keys, users will be vulnerable to attacks. On the other hand, |
| 56 | if the security model allows such a risk, ^[[1msshM-bM-^@M-^Pkeyscan ^[[22mcan help in the | 56 | if the security model allows such a risk, ssh-keyscan can help in the |
| 57 | detection of tampered keyfiles or man in the middle attacks which have | 57 | detection of tampered keyfiles or man in the middle attacks which have |
| 58 | begun after the ssh_known_hosts file was created. | 58 | begun after the ssh_known_hosts file was created. |
| 59 | 59 | ||
| 60 | ^[[1mEXAMPLES^[[0m | 60 | EXAMPLES |
| 61 | Print the ^[[4mrsa1^[[24m host key for machine ^[[4mhostname^[[24m: | 61 | Print the rsa1 host key for machine hostname: |
| 62 | 62 | ||
| 63 | $ sshM-bM-^@M-^Pkeyscan hostname | 63 | $ ssh-keyscan hostname |
| 64 | 64 | ||
| 65 | Find all hosts from the file ^[[4mssh_hosts^[[24m which have new or different keys | 65 | Find all hosts from the file ssh_hosts which have new or different keys |
| 66 | from those in the sorted file ^[[4mssh_known_hosts^[[24m: | 66 | from those in the sorted file ssh_known_hosts: |
| 67 | 67 | ||
| 68 | $ sshM-bM-^@M-^Pkeyscan M-bM-^@M-^Pt rsa,dsa M-bM-^@M-^Pf ssh_hosts | \ | 68 | $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \ |
| 69 | sort M-bM-^@M-^Pu M-bM-^@M-^P ssh_known_hosts | diff ssh_known_hosts M-bM-^@M-^P | 69 | sort -u - ssh_known_hosts | diff ssh_known_hosts - |
| 70 | 70 | ||
| 71 | ^[[1mFILES^[[0m | 71 | FILES |
| 72 | ^[[4mInput^[[24m ^[[4mformat:^[[0m | 72 | Input format: |
| 73 | 73 | ||
| 74 | 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 | 74 | 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 |
| 75 | 75 | ||
| 76 | ^[[4mOutput^[[24m ^[[4mformat^[[24m ^[[4mfor^[[24m ^[[4mrsa1^[[24m ^[[4mkeys:^[[0m | 76 | Output format for rsa1 keys: |
| 77 | 77 | ||
| 78 | hostM-bM-^@M-^PorM-bM-^@M-^Pnamelist bits exponent modulus | 78 | host-or-namelist bits exponent modulus |
| 79 | 79 | ||
| 80 | ^[[4mOutput^[[24m ^[[4mformat^[[24m ^[[4mfor^[[24m ^[[4mrsa^[[24m ^[[4mand^[[24m ^[[4mdsa^[[24m ^[[4mkeys:^[[0m | 80 | Output format for rsa and dsa keys: |
| 81 | 81 | ||
| 82 | hostM-bM-^@M-^PorM-bM-^@M-^Pnamelist keytype base64M-bM-^@M-^PencodedM-bM-^@M-^Pkey | 82 | host-or-namelist keytype base64-encoded-key |
| 83 | 83 | ||
| 84 | Where ^[[4mkeytype^[[24m is either M-bM-^@M-^\sshM-bM-^@M-^PrsaM-bM-^@M-^] or M-bM-^@M-^\sshM-bM-^@M-^PdsaM-bM-^@M-^]. | 84 | Where keytype is either M-bM-^@M-^\ssh-rsaM-bM-^@M-^] or M-bM-^@M-^\ssh-dsaM-bM-^@M-^]. |
| 85 | 85 | ||
| 86 | ^[[4m/etc/ssh/ssh_known_hosts^[[0m | 86 | /etc/ssh/ssh_known_hosts |
| 87 | 87 | ||
| 88 | ^[[1mBUGS^[[0m | 88 | BUGS |
| 89 | It generates "Connection closed by remote host" messages on the consoles | 89 | It generates "Connection closed by remote host" messages on the consoles |
| 90 | of all the machines it scans if the server is older than version 2.9. | 90 | of all the machines it scans if the server is older than version 2.9. |
| 91 | This is because it opens a connection to the ssh port, reads the public | 91 | This is because it opens a connection to the ssh port, reads the public |
| 92 | key, and drops the connection as soon as it gets the key. | 92 | key, and drops the connection as soon as it gets the key. |
| 93 | 93 | ||
| 94 | ^[[1mSEE ALSO^[[0m | 94 | SEE ALSO |
| 95 | ssh(1), sshd(8) | 95 | ssh(1), sshd(8) |
| 96 | 96 | ||
| 97 | ^[[1mAUTHORS^[[0m | 97 | AUTHORS |
| 98 | David Mazieres <dm@lcs.mit.edu> wrote the initial version, and Wayne | 98 | David Mazieres <dm@lcs.mit.edu> wrote the initial version, and Wayne |
| 99 | Davison <wayned@users.sourceforge.net> added support for protocol version | 99 | Davison <wayned@users.sourceforge.net> added support for protocol version |
| 100 | 2. | 100 | 2. |