path: root/ssh-keyscan.1
Diffstat (limited to 'ssh-keyscan.1')
-rw-r--r-- ssh-keyscan.1 | 75
1 files changed, 64 insertions, 11 deletions
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index 80119aa21..b348bc252 100644
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-keyscan.1,v 1.9 2001/08/02 18:37:35 mpech Exp $ 1.\" $OpenBSD: ssh-keyscan.1,v 1.10 2001/08/05 23:18:20 markus Exp $
2.\" 2.\"
3.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. 3.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
4.\" 4.\"
@@ -14,9 +14,13 @@
14.Nd gather ssh public keys 14.Nd gather ssh public keys
15.Sh SYNOPSIS 15.Sh SYNOPSIS
16.Nm ssh-keyscan 16.Nm ssh-keyscan
17.Op Fl t Ar timeout 17.Op Fl v46
18.Op Ar -- | host | addrlist namelist 18.Op Fl p Ar port
19.Op Fl f Ar files ... 19.Op Fl T Ar timeout
20.Op Fl t Ar type
21.Op Fl f Ar file
22.Op Ar host | addrlist namelist
23.Op Ar ...
20.Sh DESCRIPTION 24.Sh DESCRIPTION
21.Nm 25.Nm
22is a utility for gathering the public ssh host keys of a number of 26is a utility for gathering the public ssh host keys of a number of
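Review bot: the meaning of `-t` changes in this hunk and nothing on the page says so. The old synopsis had `.Op Fl t Ar timeout`; the new one has `.Op Fl t Ar type` and moves the timeout to `.Op Fl T Ar timeout`. Any caller that passes `-t <seconds>` now hands a number to the key-type parser instead of setting a timeout, which is an incompatible command-line change. Suggest a sentence in the `-T` entry (or the commit message) stating that the timeout option was renamed from `-t` to `-T`. Also, the old synopsis listed `--` as an alternative to `host`; the new one drops it without any corresponding change in the description text, so either that form is gone or the synopsis is now incomplete.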
@@ -37,14 +41,28 @@ any encryption.
37.Pp 41.Pp
38The options are as follows: 42The options are as follows:
39.Bl -tag -width Ds 43.Bl -tag -width Ds
40.It Fl t 44.It Fl p Ar port
45Port to connect to on the remote host.
46.It Fl T
41Set the timeout for connection attempts. If 47Set the timeout for connection attempts. If
42.Pa timeout 48.Pa timeout
43seconds have elapsed since a connection was initiated to a host or since the 49seconds have elapsed since a connection was initiated to a host or since the
44last time anything was read from that host, then the connection is 50last time anything was read from that host, then the connection is
45closed and the host in question considered unavailable. Default is 5 51closed and the host in question considered unavailable. Default is 5
46seconds. 52seconds.
47.It Fl f 53.It Fl t Ar type
54Specifies the type of the key to fetch from the following hosts.
55The possible values are
56.Dq rsa1
57for protocol version 1 and
58.Dq rsa
59or
60.Dq dsa
61for protocol version 2.
62Multiple values may be specified by separating them with commas.
63The default is
64.Dq rsa1 .
65.It Fl f Ar filename
48Read hosts or 66Read hosts or
49.Pa addrlist namelist 67.Pa addrlist namelist
50pairs from this file, one per line. 68pairs from this file, one per line.
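Review bot: the `-T` entry is inconsistent with its siblings and with the synopsis. `.It Fl p Ar port`, `.It Fl t Ar type` and `.It Fl f Ar filename` all name their argument, but the timeout entry is written as a bare `.It Fl T` and then refers to the argument as `.Pa timeout`, which is the path macro. Suggest `.It Fl T Ar timeout` and `.Ar timeout` in the body so the rendered entry matches `.Op Fl T Ar timeout` in SYNOPSIS. The same `.Pa`-for-argument pattern appears in the `-f` entry (`.Pa addrlist namelist`), which is pre-existing but could be fixed while the entry is being touched.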
@@ -55,6 +73,19 @@ is supplied instead of a filename,
55will read hosts or 73will read hosts or
56.Pa addrlist namelist 74.Pa addrlist namelist
57pairs from the standard input. 75pairs from the standard input.
76.It Fl v
77Verbose mode.
78Causes
79.Nm
80to print debugging messages about its progress.
81.It Fl 4
82Forces
83.Nm
84to use IPv4 addresses only.
85.It Fl 6
86Forces
87.Nm
88to use IPv6 addresses only.
58.El 89.El
59.Sh SECURITY 90.Sh SECURITY
60If you make an ssh_known_hosts file using 91If you make an ssh_known_hosts file using
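Review bot: the new `-4` and `-6` entries each say the option "forces" one address family, but the page does not say what happens when both are given on the same command line (last one wins, error, or both families allowed). One clause in either entry would settle that for the reader.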
@@ -67,7 +98,10 @@ On the other hand, if your security model allows such a risk,
67can help you detect tampered keyfiles or man in the middle attacks which 98can help you detect tampered keyfiles or man in the middle attacks which
68have begun after you created your ssh_known_hosts file. 99have begun after you created your ssh_known_hosts file.
69.Sh EXAMPLES 100.Sh EXAMPLES
70Print the host key for machine 101.Pp
102Print the
103.Pa rsa1
104host key for machine
71.Pa hostname : 105.Pa hostname :
72.Bd -literal 106.Bd -literal
73ssh-keyscan hostname 107ssh-keyscan hostname
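Review bot: the `.Pp` inserted directly after `.Sh EXAMPLES` is a no-op in mdoc, since a section header already starts a new paragraph, and mandoc's lint reports a paragraph macro immediately following `.Sh` as skipped. Suggest dropping that line; the rest of the hunk (stating that the example fetches the `rsa1` key, i.e. the `-t` default documented above) is a useful clarification.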
@@ -78,20 +112,36 @@ Find all hosts from the file
78which have new or different keys from those in the sorted file 112which have new or different keys from those in the sorted file
79.Pa ssh_known_hosts : 113.Pa ssh_known_hosts :
80.Bd -literal 114.Bd -literal
81$ ssh-keyscan -f ssh_hosts | sort -u - ssh_known_hosts | \e\ 115ssh-keyscan -t rsa,dsa -f ssh_hosts | \e\
82 diff ssh_known_hosts - 116 sort -u - ssh_known_hosts | diff ssh_known_hosts -
83.Ed 117.Ed
84.Sh FILES 118.Sh FILES
85.Pa Input format: 119.Pa Input format:
120.Bd -literal
861.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 1211.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
122.Ed
87.Pp 123.Pp
88.Pa Output format: 124.Pa Output format for rsa1 keys:
125.Bd -literal
89host-or-namelist bits exponent modulus 126host-or-namelist bits exponent modulus
127.Ed
128.Pp
129.Pa Output format for rsa and dsa keys:
130.Bd -literal
131host-or-namelist keytype base64-encoded-key
132.Ed
133.Pp
134Where
135.Pa keytype
136is either
137.Dq ssh-rsa
138or
139.Dq ssh-dsa .
90.Pp 140.Pp
91.Pa /etc/ssh_known_hosts 141.Pa /etc/ssh_known_hosts
92.Sh BUGS 142.Sh BUGS
93It generates "Connection closed by remote host" messages on the consoles 143It generates "Connection closed by remote host" messages on the consoles
94of all the machines it scans. 144of all the machines it scans if the server is older than version 2.9.
95This is because it opens a connection to the ssh port, reads the public 145This is because it opens a connection to the ssh port, reads the public
96key, and drops the connection as soon as it gets the key. 146key, and drops the connection as soon as it gets the key.
97.Sh SEE ALSO 147.Sh SEE ALSO
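Review bot: the documented protocol-2 key type names are wrong for DSA. The new FILES text says `.Pa keytype` is either `ssh-rsa` or `ssh-dsa`, but the SSH2 algorithm name that appears in a DSA host key (and in known_hosts) is `ssh-dss`, so a reader grepping output for `ssh-dsa` will never match. Suggest `.Dq ssh-dss`, and `.Ar keytype` rather than `.Pa keytype` since it is a field name, not a path. In the BUGS change, "if the server is older than version 2.9" should name the software ("an OpenSSH server older than 2.9"), as the page otherwise never says which implementation's version number is meant. Dropping the `$ ` prompt from the second example makes it consistent with the first one, which is good.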
@@ -99,3 +149,6 @@ key, and drops the connection as soon as it gets the key.
99.Xr sshd 8 149.Xr sshd 8
100.Sh AUTHORS 150.Sh AUTHORS
101David Mazieres <dm@lcs.mit.edu> 151David Mazieres <dm@lcs.mit.edu>
152wrote the initial version, and
153Wayne Davison <wayned@users.sourceforge.net>
154added support for protocol version 2.