version 1.14, 2002/02/13 08:33:47
version 1.14.6.2, 2003/09/16 20:50:44

.Nd gather ssh public keys
.Sh SYNOPSIS
.Nm ssh-keyscan
.Bk -words
.Op Fl v46
.Op Fl p Ar port
.Op Fl T Ar timeout

.Op Fl f Ar file
.Op Ar host | addrlist namelist
.Op Ar ...
.Ek
.Sh DESCRIPTION
.Nm
is a utility for gathering the public ssh host keys of a number of
hosts.
It was designed to aid in building and verifying
.Pa ssh_known_hosts
files.
.Nm

.Pp
.Nm
uses non-blocking socket I/O to contact as many hosts as possible in
parallel, so it is very efficient.
The keys from a domain of 1,000
hosts can be collected in tens of seconds, even when some of those
hosts are down or do not run ssh.
For scanning, one does not need
login access to the machines that are being scanned, nor does the
scanning process involve any encryption.
.Pp

.It Fl p Ar port
Port to connect to on the remote host.
.It Fl T Ar timeout
Set the timeout for connection attempts.
If
.Pa timeout
seconds have elapsed since a connection was initiated to a host or since the
last time anything was read from that host, then the connection is
closed and the host in question considered unavailable.
Default is 5 seconds.
.It Fl t Ar type
Specifies the type of the key to fetch from the scanned hosts.
The possible values are

.Nm
can help in the detection of tampered keyfiles or man in the middle
attacks which have begun after the ssh_known_hosts file was created.
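The description above (non-blocking socket I/O, many hosts in parallel, and the -T rule that a host is unavailable once the timeout passes since the connection was initiated or since the last read) can be shown in a small Python model. This is an added example, not ssh-keyscan's own C code: it stops after reading the peer's identification line rather than completing the key exchange, because that is enough to show the connection bookkeeping. The names scan_hosts, start_demo_server and unused_port_target are hypothetical, and the servers it talks to are constructed loopback stand-ins, not real sshd instances.

```python
import errno
import selectors
import socket
import threading
import time


def scan_hosts(targets, timeout=5.0):
    """Contact every (host, port) target in parallel over non-blocking sockets
    and return {target: first line the peer sent, or None if unavailable}.

    Availability follows the -T rule from ssh-keyscan(1): once `timeout`
    seconds pass since the connection was initiated, or since the last time
    anything was read from that host, the connection is closed and the host
    is treated as unavailable.  (Hypothetical helper, not the program's code.)
    """
    sel = selectors.DefaultSelector()
    pending = {}   # socket -> {"target": ..., "buf": ..., "last": ...}
    results = {}

    def finish(sock, value):
        results[pending[sock]["target"]] = value
        del pending[sock]
        sel.unregister(sock)
        sock.close()

    for target in targets:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.setblocking(False)
        rc = sock.connect_ex(target)
        if rc not in (0, errno.EINPROGRESS, errno.EWOULDBLOCK):
            results[target] = None          # immediate failure, e.g. no route
            sock.close()
            continue
        pending[sock] = {"target": target, "buf": b"", "last": time.monotonic()}
        sel.register(sock, selectors.EVENT_WRITE)   # writable == connect finished

    while pending:
        for key, events in sel.select(timeout=0.1):
            sock = key.fileobj
            if events & selectors.EVENT_WRITE:
                # Non-blocking connect completed; SO_ERROR tells whether it worked.
                if sock.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR):
                    finish(sock, None)      # e.g. connection refused
                    continue
                pending[sock]["last"] = time.monotonic()
                sel.modify(sock, selectors.EVENT_READ)
                continue
            try:
                data = sock.recv(4096)
            except BlockingIOError:
                continue                    # spurious readiness, try again later
            except OSError:
                data = b""
            if not data:                    # peer closed before sending a line
                finish(sock, None)
                continue
            state = pending[sock]
            state["buf"] += data
            state["last"] = time.monotonic()
            if b"\n" in state["buf"]:
                line = state["buf"].split(b"\n", 1)[0].rstrip(b"\r")
                # Drop the connection as soon as we have what we came for.
                finish(sock, line.decode("ascii", "replace"))
        now = time.monotonic()
        for sock in list(pending):
            if now - pending[sock]["last"] >= timeout:
                finish(sock, None)          # idle for too long: unavailable
    sel.close()
    return results


def start_demo_server(banner):
    """Constructed stand-in for an ssh daemon on 127.0.0.1 (not a real sshd).
    Each accepted connection is sent `banner` and closed; with banner=None the
    connection is held open silently, the case the -T idle timeout exists for.
    Returns the (host, port) it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    held = []

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            if banner is None:
                held.append(conn)
            else:
                with conn:
                    conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def unused_port_target():
    """Return a loopback (host, port) nothing listens on, so connecting to it
    is refused (constructed failure case)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    target = tmp.getsockname()
    tmp.close()
    return target


if __name__ == "__main__":
    live = start_demo_server(b"SSH-2.0-OpenSSH_demo\r\n")
    silent = start_demo_server(None)
    for target, line in scan_hosts([live, silent, unused_port_target()], timeout=1.0).items():
        print(f"{target[0]}:{target[1]}", line or "unavailable")
```

The three stand-ins cover the three outcomes the text describes: a host that answers, a host that accepts the connection but never speaks (closed by the idle rule after `timeout` seconds), and a host with nothing on the port (refused, reported immediately). Fetching an actual host key would additionally require carrying out the protocol's key exchange after the identification line.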
.Sh FILES
.Pa Input format:
.Bd -literal

is either
.Dq ssh-rsa
or
.Dq ssh-dss .
.Pp
.Pa /etc/ssh/ssh_known_hosts
.Sh EXAMPLES
Print the
.Pa rsa1
host key for machine
.Pa hostname :
.Bd -literal
$ ssh-keyscan hostname
.Ed
.Pp
Find all hosts from the file
.Pa ssh_hosts
which have new or different keys from those in the sorted file
.Pa ssh_known_hosts :
.Bd -literal
$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e
sort -u - ssh_known_hosts | diff ssh_known_hosts -
.Ed
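The second example above relies on sort and diff, which report a host as changed whenever its line differs textually, including when only the order of the comma-separated names differs. As an added example (not part of the man page or of OpenSSH), the following Python compares scan output against a known-hosts file per (name, keytype), separates new hosts from hosts whose key has changed since the file was built (the case the text says ssh-keyscan helps detect), and computes SHA256 fingerprints so a changed key can be checked against a value obtained out of band. The helper names parse_key_lines, fingerprint, compare and audit are hypothetical, the sample lines are constructed, and the key blobs are placeholders rather than real keys.

```python
import base64
import hashlib


def parse_key_lines(text):
    """Parse ssh-keyscan(1) output or a plain ssh_known_hosts file, whose
    lines are '<name[,name...]> <keytype> <base64 key>', into a dict
    {(name, keytype): base64 key}.  Comments, blank lines and hashed
    ('|1|...') host entries are skipped; the latter cannot be matched by
    name.  (Added helper; not the program's own code.)"""
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        names, keytype, key = fields[0], fields[1], fields[2]
        for name in names.split(","):
            keys[(name, keytype)] = key
    return keys


def fingerprint(b64key):
    """SHA256 fingerprint in the form OpenSSH prints: 'SHA256:' followed by
    the unpadded base64 of the hash of the raw key blob."""
    digest = hashlib.sha256(base64.b64decode(b64key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def compare(scanned, known):
    """Classify each scanned (name, keytype) as new, changed or unchanged
    relative to the known file.  A 'changed' entry is the case the text warns
    about: the key differs from what was recorded when the file was built,
    which is what a tampered file or an interposed host looks like."""
    report = {"new": [], "changed": [], "unchanged": []}
    for ident, key in sorted(scanned.items()):
        old = known.get(ident)
        if old is None:
            report["new"].append(ident)
        elif old != key:
            report["changed"].append(ident)
        else:
            report["unchanged"].append(ident)
    return report


def b64(raw):
    """Base64-encode constructed sample key material."""
    return base64.b64encode(raw).decode("ascii")


# Constructed sample data; the blobs are placeholders, not real keys.
KNOWN_HOSTS = "\n".join([
    "# constructed ssh_known_hosts",
    "alpha.example,alpha,10.0.0.1 ssh-rsa " + b64(b"blob-alpha-rsa-v1"),
    "beta.example ssh-dss " + b64(b"blob-beta-dss"),
])
SCAN_OUTPUT = "\n".join([
    "alpha.example ssh-rsa " + b64(b"blob-alpha-rsa-v2"),   # differs from the file
    "beta.example ssh-dss " + b64(b"blob-beta-dss"),        # same as the file
    "gamma.example ssh-rsa " + b64(b"blob-gamma-rsa"),      # not in the file
])


def audit(scan_text=SCAN_OUTPUT, known_text=KNOWN_HOSTS):
    """Run the comparison and attach fingerprints of the keys that need an
    out-of-band check (new and changed ones)."""
    scanned, known = parse_key_lines(scan_text), parse_key_lines(known_text)
    report = compare(scanned, known)
    report["fingerprints"] = {ident: fingerprint(scanned[ident])
                              for ident in report["new"] + report["changed"]}
    return report


if __name__ == "__main__":
    for kind, value in audit().items():
        print(kind, value)
```

With real data, pipe the output of `ssh-keyscan -t rsa,dsa -f ssh_hosts` into audit as scan_text and pass the contents of ssh_known_hosts as known_text; only the "changed" and "new" entries need attention, and a changed fingerprint that does not match the one recorded through a trusted channel should not be accepted into the file.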
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr sshd 8
.Sh AUTHORS
.An David Mazieres Aq dm@lcs.mit.edu
wrote the initial version, and
.An Wayne Davison Aq wayned@users.sourceforge.net
added support for protocol version 2.
.Sh BUGS
It generates "Connection closed by remote host" messages on the consoles
of all the machines it scans if the server is older than version 2.9.
This is because it opens a connection to the ssh port, reads the public
key, and drops the connection as soon as it gets the key.