| version 1.42, 2018/02/23 07:38:09 |
version 1.43, 2018/03/02 21:40:15 |
|
|
| .Os |
.Os |
| .Sh NAME |
.Sh NAME |
| .Nm ssh-keyscan |
.Nm ssh-keyscan |
| .Nd gather ssh public keys |
.Nd gather SSH public keys |
| .Sh SYNOPSIS |
.Sh SYNOPSIS |
| .Nm ssh-keyscan |
.Nm ssh-keyscan |
| .Bk -words |
|
| .Op Fl 46cDHv |
.Op Fl 46cDHv |
| .Op Fl f Ar file |
.Op Fl f Ar file |
| .Op Fl p Ar port |
.Op Fl p Ar port |
| .Op Fl T Ar timeout |
.Op Fl T Ar timeout |
| .Op Fl t Ar type |
.Op Fl t Ar type |
| .Op Ar host | addrlist namelist |
.Op Ar host | addrlist namelist |
| .Ar ... |
|
| .Ek |
|
| .Sh DESCRIPTION |
.Sh DESCRIPTION |
| .Nm |
.Nm |
| is a utility for gathering the public ssh host keys of a number of |
is a utility for gathering the public SSH host keys of a number of |
| hosts. |
hosts. |
| It was designed to aid in building and verifying |
It was designed to aid in building and verifying |
| .Pa ssh_known_hosts |
.Pa ssh_known_hosts |
|
|
| parallel, so it is very efficient. |
parallel, so it is very efficient. |
| The keys from a domain of 1,000 |
The keys from a domain of 1,000 |
| hosts can be collected in tens of seconds, even when some of those |
hosts can be collected in tens of seconds, even when some of those |
| hosts are down or do not run ssh. |
hosts are down or do not run |
| |
.Xr sshd 8 . |
| For scanning, one does not need |
For scanning, one does not need |
| login access to the machines that are being scanned, nor does the |
login access to the machines that are being scanned, nor does the |
| scanning process involve any encryption. |
scanning process involve any encryption. |
| .Pp |
.Pp |
| |
Input is expected in the format: |
| |
.Bd -literal -offset 3n |
| |
1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 |
| |
.Ed |
| |
.Pp |
| |
The output format is: |
| |
.Bd -literal -offset 3n |
| |
host-or-namelist keytype base64-encoded-key |
| |
.Ed |
| |
.Pp |
| |
Where |
| |
.Ar keytype |
| |
is either |
| |
.Dq ecdsa-sha2-nistp256 , |
| |
.Dq ecdsa-sha2-nistp384 , |
| |
.Dq ecdsa-sha2-nistp521 , |
| |
.Dq ssh-ed25519 , |
| |
.Dq ssh-dss |
| |
or |
| |
.Dq ssh-rsa . |
| |
.Pp |
| The options are as follows: |
The options are as follows: |
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
| .It Fl 4 |
.It Fl 4 |
| Forces |
Force |
| .Nm |
.Nm |
| to use IPv4 addresses only. |
to use IPv4 addresses only. |
| .It Fl 6 |
.It Fl 6 |
| Forces |
Force |
| .Nm |
.Nm |
| to use IPv6 addresses only. |
to use IPv6 addresses only. |
| .It Fl c |
.It Fl c |
|
|
| .Ar file , |
.Ar file , |
| one per line. |
one per line. |
| If |
If |
| .Pa - |
.Sq - |
| is supplied instead of a filename, |
is supplied instead of a filename, |
| .Nm |
.Nm |
| will read hosts or |
will read from the standard input. |
| .Dq addrlist namelist |
|
| pairs from the standard input. |
|
| .It Fl H |
.It Fl H |
| Hash all hostnames and addresses in the output. |
Hash all hostnames and addresses in the output. |
| Hashed names may be used normally by |
Hashed names may be used normally by |
| .Nm ssh |
.Xr ssh 1 |
| and |
and |
| .Nm sshd , |
.Xr sshd 8 , |
| but they do not reveal identifying information should the file's contents |
but they do not reveal identifying information should the file's contents |
| be disclosed. |
be disclosed. |
| .It Fl p Ar port |
.It Fl p Ar port |
| Port to connect to on the remote host. |
Connect to |
| |
.Ar port |
| |
on the remote host. |
| .It Fl T Ar timeout |
.It Fl T Ar timeout |
| Set the timeout for connection attempts. |
Set the timeout for connection attempts. |
| If |
If |
| .Ar timeout |
.Ar timeout |
| seconds have elapsed since a connection was initiated to a host or since the |
seconds have elapsed since a connection was initiated to a host or since the |
| last time anything was read from that host, then the connection is |
last time anything was read from that host, the connection is |
| closed and the host in question considered unavailable. |
closed and the host in question considered unavailable. |
| Default is 5 seconds. |
The default is 5 seconds. |
| .It Fl t Ar type |
.It Fl t Ar type |
| Specifies the type of the key to fetch from the scanned hosts. |
Specify the type of the key to fetch from the scanned hosts. |
| The possible values are |
The possible values are |
| .Dq dsa , |
.Dq dsa , |
| .Dq ecdsa , |
.Dq ecdsa , |
|
|
| .Dq ed25519 |
.Dq ed25519 |
| keys. |
keys. |
| .It Fl v |
.It Fl v |
| Verbose mode. |
Verbose mode: |
| Causes |
print debugging messages about progress. |
| .Nm |
|
| to print debugging messages about its progress. |
|
| .El |
.El |
| .Sh SECURITY |
.Pp |
| If an ssh_known_hosts file is constructed using |
If an ssh_known_hosts file is constructed using |
| .Nm |
.Nm |
| without verifying the keys, users will be vulnerable to |
without verifying the keys, users will be vulnerable to |
|
|
| can help in the detection of tampered keyfiles or man in the middle |
can help in the detection of tampered keyfiles or man in the middle |
| attacks which have begun after the ssh_known_hosts file was created. |
attacks which have begun after the ssh_known_hosts file was created. |
| .Sh FILES |
.Sh FILES |
| Input format: |
|
| .Bd -literal |
|
| 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 |
|
| .Ed |
|
| .Pp |
|
| Output format for RSA, DSA, ECDSA, and Ed25519 keys: |
|
| .Bd -literal |
|
| host-or-namelist keytype base64-encoded-key |
|
| .Ed |
|
| .Pp |
|
| Where |
|
| .Ar keytype |
|
| is either |
|
| .Dq ecdsa-sha2-nistp256 , |
|
| .Dq ecdsa-sha2-nistp384 , |
|
| .Dq ecdsa-sha2-nistp521 , |
|
| .Dq ssh-ed25519 , |
|
| .Dq ssh-dss |
|
| or |
|
| .Dq ssh-rsa . |
|
| .Pp |
|
| .Pa /etc/ssh/ssh_known_hosts |
.Pa /etc/ssh/ssh_known_hosts |
| .Sh EXAMPLES |
.Sh EXAMPLES |
| Print the rsa host key for machine |
Print the RSA host key for machine |
| .Ar hostname : |
.Ar hostname : |
| .Bd -literal |
|
| $ ssh-keyscan hostname |
|
| .Ed |
|
| .Pp |
.Pp |
| |
.Dl $ ssh-keyscan -t rsa hostname |
| |
.Pp |
| Find all hosts from the file |
Find all hosts from the file |
| .Pa ssh_hosts |
.Pa ssh_hosts |
| which have new or different keys from those in the sorted file |
which have new or different keys from those in the sorted file |
| .Pa ssh_known_hosts : |
.Pa ssh_known_hosts : |
| .Bd -literal |
.Bd -literal -offset indent |
| $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e |
$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e |
| sort -u - ssh_known_hosts | diff ssh_known_hosts - |
sort -u - ssh_known_hosts | diff ssh_known_hosts - |
| .Ed |
.Ed |
|
|
| wrote the initial version, and |
wrote the initial version, and |
| .An Wayne Davison Aq Mt wayned@users.sourceforge.net |
.An Wayne Davison Aq Mt wayned@users.sourceforge.net |
| added support for protocol version 2. |
added support for protocol version 2. |
| .Sh BUGS |
|
| It generates "Connection closed by remote host" messages on the consoles |
|
| of all the machines it scans if the server is older than version 2.9. |
|
| This is because it opens a connection to the ssh port, reads the public |
|
| key, and drops the connection as soon as it gets the key. |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh-keyscan.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh