Diffstat (limited to 'ssh-keyscan.1')
-rw-r--r--  ssh-keyscan.1  102
1 files changed, 44 insertions, 58 deletions
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index aa4a2ae83..f3d7a4078 100644
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-keyscan.1,v 1.40 2017/05/02 17:04:09 jmc Exp $ 1.\" $OpenBSD: ssh-keyscan.1,v 1.44 2018/03/05 07:03:18 jmc Exp $
2.\" 2.\"
3.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. 3.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
4.\" 4.\"
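Review bot: the $OpenBSD$ id jumps from v1.40 (2017/05/02) to v1.44 (2018/03/05), so this one diff folds in four upstream revisions of ssh-keyscan.1; the commit message should list the upstream revisions being synced so each change in the hunks below can be traced to its origin.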
@@ -6,30 +6,29 @@
6.\" permitted provided that due credit is given to the author and the 6.\" permitted provided that due credit is given to the author and the
7.\" OpenBSD project by leaving this copyright notice intact. 7.\" OpenBSD project by leaving this copyright notice intact.
8.\" 8.\"
9.Dd $Mdocdate: May 2 2017 $ 9.Dd $Mdocdate: March 5 2018 $
10.Dt SSH-KEYSCAN 1 10.Dt SSH-KEYSCAN 1
11.Os 11.Os
12.Sh NAME 12.Sh NAME
13.Nm ssh-keyscan 13.Nm ssh-keyscan
14.Nd gather ssh public keys 14.Nd gather SSH public keys
15.Sh SYNOPSIS 15.Sh SYNOPSIS
16.Nm ssh-keyscan 16.Nm ssh-keyscan
17.Bk -words 17.Op Fl 46cDHv
18.Op Fl 46cHv
19.Op Fl f Ar file 18.Op Fl f Ar file
20.Op Fl p Ar port 19.Op Fl p Ar port
21.Op Fl T Ar timeout 20.Op Fl T Ar timeout
22.Op Fl t Ar type 21.Op Fl t Ar type
23.Op Ar host | addrlist namelist 22.Op Ar host | addrlist namelist
24.Ar ...
25.Ek
26.Sh DESCRIPTION 23.Sh DESCRIPTION
27.Nm 24.Nm
28is a utility for gathering the public ssh host keys of a number of 25is a utility for gathering the public SSH host keys of a number of
29hosts. 26hosts.
30It was designed to aid in building and verifying 27It was designed to aid in building and verifying
31.Pa ssh_known_hosts 28.Pa ssh_known_hosts
32files. 29files,
30the format of which is documented in
31.Xr sshd 8 .
33.Nm 32.Nm
34provides a minimal interface suitable for use by shell and perl 33provides a minimal interface suitable for use by shell and perl
35scripts. 34scripts.
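Review bot: the synopsis drops `.Ar ...` together with the `.Bk -words`/`.Ek` keep block, so the new synopsis reads `[host | addrlist namelist]` and no longer shows that several hosts or pairs may be given on the command line, which the DESCRIPTION ("a number of hosts") and the `-f` text still imply. Consider restoring `.Ar ...` after the `.Op Ar host | addrlist namelist` line. The new `D` in `.Op Fl 46cDHv` does match the `-D` option added further down.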
@@ -39,7 +38,8 @@ uses non-blocking socket I/O to contact as many hosts as possible in
39parallel, so it is very efficient. 38parallel, so it is very efficient.
40The keys from a domain of 1,000 39The keys from a domain of 1,000
41hosts can be collected in tens of seconds, even when some of those 40hosts can be collected in tens of seconds, even when some of those
42hosts are down or do not run ssh. 41hosts are down or do not run
42.Xr sshd 8 .
43For scanning, one does not need 43For scanning, one does not need
44login access to the machines that are being scanned, nor does the 44login access to the machines that are being scanned, nor does the
45scanning process involve any encryption. 45scanning process involve any encryption.
@@ -47,15 +47,21 @@ scanning process involve any encryption.
47The options are as follows: 47The options are as follows:
48.Bl -tag -width Ds 48.Bl -tag -width Ds
49.It Fl 4 49.It Fl 4
50Forces 50Force
51.Nm 51.Nm
52to use IPv4 addresses only. 52to use IPv4 addresses only.
53.It Fl 6 53.It Fl 6
54Forces 54Force
55.Nm 55.Nm
56to use IPv6 addresses only. 56to use IPv6 addresses only.
57.It Fl c 57.It Fl c
58Request certificates from target hosts instead of plain keys. 58Request certificates from target hosts instead of plain keys.
59.It Fl D
60Print keys found as SSHFP DNS records.
61The default is to print keys in a format usable as a
62.Xr ssh 1
63.Pa known_hosts
64file.
59.It Fl f Ar file 65.It Fl f Ar file
60Read hosts or 66Read hosts or
61.Dq addrlist namelist 67.Dq addrlist namelist
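Review bot: the new `-D` entry says keys are printed "as SSHFP DNS records" but gives no pointer to where that record format is specified; since this same patch adds RFC 4255 to SEE ALSO, a short "see RFC 4255" reference here would tell the reader what an SSHFP record is and where its verification requirements are defined.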
@@ -63,32 +69,36 @@ pairs from
63.Ar file , 69.Ar file ,
64one per line. 70one per line.
65If 71If
66.Pa - 72.Sq -
67is supplied instead of a filename, 73is supplied instead of a filename,
68.Nm 74.Nm
69will read hosts or 75will read from the standard input.
70.Dq addrlist namelist 76Input is expected in the format:
71pairs from the standard input. 77.Bd -literal
781.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
79.Ed
72.It Fl H 80.It Fl H
73Hash all hostnames and addresses in the output. 81Hash all hostnames and addresses in the output.
74Hashed names may be used normally by 82Hashed names may be used normally by
75.Nm ssh 83.Xr ssh 1
76and 84and
77.Nm sshd , 85.Xr sshd 8 ,
78but they do not reveal identifying information should the file's contents 86but they do not reveal identifying information should the file's contents
79be disclosed. 87be disclosed.
80.It Fl p Ar port 88.It Fl p Ar port
81Port to connect to on the remote host. 89Connect to
90.Ar port
91on the remote host.
82.It Fl T Ar timeout 92.It Fl T Ar timeout
83Set the timeout for connection attempts. 93Set the timeout for connection attempts.
84If 94If
85.Ar timeout 95.Ar timeout
86seconds have elapsed since a connection was initiated to a host or since the 96seconds have elapsed since a connection was initiated to a host or since the
87last time anything was read from that host, then the connection is 97last time anything was read from that host, the connection is
88closed and the host in question considered unavailable. 98closed and the host in question considered unavailable.
89Default is 5 seconds. 99The default is 5 seconds.
90.It Fl t Ar type 100.It Fl t Ar type
91Specifies the type of the key to fetch from the scanned hosts. 101Specify the type of the key to fetch from the scanned hosts.
92The possible values are 102The possible values are
93.Dq dsa , 103.Dq dsa ,
94.Dq ecdsa , 104.Dq ecdsa ,
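Review bot: the input format example relocated under `-f` (`1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4`) is shown without saying which field is which; one sentence stating that the first whitespace-separated field is the comma-separated address list and the second the name list would tie the example to the "addrlist namelist" wording just above it. The `.Pa -` to `.Sq -` change is correct, since `-` is a literal argument and not a path.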
@@ -103,12 +113,10 @@ and
103.Dq ed25519 113.Dq ed25519
104keys. 114keys.
105.It Fl v 115.It Fl v
106Verbose mode. 116Verbose mode:
107Causes 117print debugging messages about progress.
108.Nm
109to print debugging messages about its progress.
110.El 118.El
111.Sh SECURITY 119.Pp
112If an ssh_known_hosts file is constructed using 120If an ssh_known_hosts file is constructed using
113.Nm 121.Nm
114without verifying the keys, users will be vulnerable to 122without verifying the keys, users will be vulnerable to
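Review bot: replacing `.Sh SECURITY` with `.Pp` demotes the warning that an ssh_known_hosts file built without verifying the keys leaves users vulnerable to man-in-the-middle attacks from its own section into a trailing paragraph after the option list, where it is easy to skim past and can no longer be found by section name; keep the SECURITY heading (or move the paragraph under a clearly named section) so the caveat stays discoverable.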
@@ -119,54 +127,32 @@ On the other hand, if the security model allows such a risk,
119can help in the detection of tampered keyfiles or man in the middle 127can help in the detection of tampered keyfiles or man in the middle
120attacks which have begun after the ssh_known_hosts file was created. 128attacks which have begun after the ssh_known_hosts file was created.
121.Sh FILES 129.Sh FILES
122Input format:
123.Bd -literal
1241.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
125.Ed
126.Pp
127Output format for RSA, DSA, ECDSA, and Ed25519 keys:
128.Bd -literal
129host-or-namelist keytype base64-encoded-key
130.Ed
131.Pp
132Where
133.Ar keytype
134is either
135.Dq ecdsa-sha2-nistp256 ,
136.Dq ecdsa-sha2-nistp384 ,
137.Dq ecdsa-sha2-nistp521 ,
138.Dq ssh-ed25519 ,
139.Dq ssh-dss
140or
141.Dq ssh-rsa .
142.Pp
143.Pa /etc/ssh/ssh_known_hosts 130.Pa /etc/ssh/ssh_known_hosts
144.Sh EXAMPLES 131.Sh EXAMPLES
145Print the rsa host key for machine 132Print the RSA host key for machine
146.Ar hostname : 133.Ar hostname :
147.Bd -literal 134.Pp
148$ ssh-keyscan hostname 135.Dl $ ssh-keyscan -t rsa hostname
149.Ed
150.Pp 136.Pp
151Find all hosts from the file 137Find all hosts from the file
152.Pa ssh_hosts 138.Pa ssh_hosts
153which have new or different keys from those in the sorted file 139which have new or different keys from those in the sorted file
154.Pa ssh_known_hosts : 140.Pa ssh_known_hosts :
155.Bd -literal 141.Bd -literal -offset indent
156$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e 142$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
157 sort -u - ssh_known_hosts | diff ssh_known_hosts - 143 sort -u - ssh_known_hosts | diff ssh_known_hosts -
158.Ed 144.Ed
159.Sh SEE ALSO 145.Sh SEE ALSO
160.Xr ssh 1 , 146.Xr ssh 1 ,
161.Xr sshd 8 147.Xr sshd 8
148.Rs
149.%D 2006
150.%R RFC 4255
151.%T Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
152.Re
162.Sh AUTHORS 153.Sh AUTHORS
163.An -nosplit 154.An -nosplit
164.An David Mazieres Aq Mt dm@lcs.mit.edu 155.An David Mazieres Aq Mt dm@lcs.mit.edu
165wrote the initial version, and 156wrote the initial version, and
166.An Wayne Davison Aq Mt wayned@users.sourceforge.net 157.An Wayne Davison Aq Mt wayned@users.sourceforge.net
167added support for protocol version 2. 158added support for protocol version 2.
168.Sh BUGS
169It generates "Connection closed by remote host" messages on the consoles
170of all the machines it scans if the server is older than version 2.9.
171This is because it opens a connection to the ssh port, reads the public
172key, and drops the connection as soon as it gets the key.
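Review bot: the FILES hunk deletes the output format documentation (`host-or-namelist keytype base64-encoded-key` and the list of keytype strings from `ecdsa-sha2-nistp256` to `ssh-rsa`) outright, whereas the input format was relocated to `-f`; nothing in the new text tells a script author what `ssh-keyscan` prints, so relocate the output format too (for example under `-t`, or in the DESCRIPTION next to the "shell and perl scripts" sentence). The BUGS section about "Connection closed by remote host" messages appearing on scanned hosts is also dropped without replacement; if that behaviour still occurs, the note belongs somewhere, since operators reviewing logs on scanned machines will see those messages. The `-t rsa` added to the first example does make it consistent with "Print the RSA host key".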