From d984a3c6658e950881edcfb2aae464add93f68d4 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Mon, 1 Sep 2003 00:45:47 +0000 Subject: Import OpenSSH 3.4p1. --- ssh-keyscan.0 | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 103 insertions(+) create mode 100644 ssh-keyscan.0 (limited to 'ssh-keyscan.0') diff --git a/ssh-keyscan.0 b/ssh-keyscan.0 new file mode 100644 index 000000000..05742bf66 --- /dev/null +++ b/ssh-keyscan.0 @@ -0,0 +1,103 @@ +SSH-KEYSCAN(1) System General Commands Manual SSH-KEYSCAN(1) + +NAME + ssh-keyscan - gather ssh public keys + +SYNOPSIS + ssh-keyscan [-v46] [-p port] [-T timeout] [-t type] [-f file] + [host | addrlist namelist] [...] + +DESCRIPTION + ssh-keyscan is a utility for gathering the public ssh host keys of a numM-- + ber of hosts. It was designed to aid in building and verifying + ssh_known_hosts files. ssh-keyscan provides a minimal interface suitable + for use by shell and perl scripts. + + ssh-keyscan uses non-blocking socket I/O to contact as many hosts as posM-- + sible in parallel, so it is very efficient. The keys from a domain of + 1,000 hosts can be collected in tens of seconds, even when some of those + hosts are down or do not run ssh. For scanning, one does not need login + access to the machines that are being scanned, nor does the scanning proM-- + cess involve any encryption. + + The options are as follows: + + -p port + Port to connect to on the remote host. + + -T timeout + Set the timeout for connection attempts. If timeout seconds have + elapsed since a connection was initiated to a host or since the + last time anything was read from that host, then the connection + is closed and the host in question considered unavailable. + Default is 5 seconds. + + -t type + Specifies the type of the key to fetch from the scanned hosts. + The possible values are ``rsa1'' for protocol version 1 and + ``rsa'' or ``dsa'' for protocol version 2. Multiple values may + be specified by separating them with commas. The default is + ``rsa1''. + + -f filename + Read hosts or addrlist namelist pairs from this file, one per + line. If - is supplied instead of a filename, ssh-keyscan will + read hosts or addrlist namelist pairs from the standard input. + + -v Verbose mode. Causes ssh-keyscan to print debugging messages + about its progress. + + -4 Forces ssh-keyscan to use IPv4 addresses only. + + -6 Forces ssh-keyscan to use IPv6 addresses only. + +SECURITY + If a ssh_known_hosts file is constructed using ssh-keyscan without veriM-- + fying the keys, users will be vulnerable to attacks. On the other hand, + if the security model allows such a risk, ssh-keyscan can help in the + detection of tampered keyfiles or man in the middle attacks which have + begun after the ssh_known_hosts file was created. + +EXAMPLES + Print the rsa1 host key for machine hostname: + + $ ssh-keyscan hostname + + Find all hosts from the file ssh_hosts which have new or different keys + from those in the sorted file ssh_known_hosts: + + $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \ + sort -u - ssh_known_hosts | diff ssh_known_hosts - + +FILES + Input format: + + 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 + + Output format for rsa1 keys: + + host-or-namelist bits exponent modulus + + Output format for rsa and dsa keys: + + host-or-namelist keytype base64-encoded-key + + Where keytype is either ``ssh-rsa'' or ``ssh-dsa''. + + /etc/ssh/ssh_known_hosts + +BUGS + It generates "Connection closed by remote host" messages on the consoles + of all the machines it scans if the server is older than version 2.9. + This is because it opens a connection to the ssh port, reads the public + key, and drops the connection as soon as it gets the key. + +SEE ALSO + ssh(1), sshd(8) + +AUTHORS + David Mazieres wrote the initial version, and Wayne + Davison added support for protocol version + 2. + +BSD January 1, 1996 BSD -- cgit v1.2.3