=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-keyscan.1,v retrieving revision 1.5.2.2 retrieving revision 1.6 diff -u -r1.5.2.2 -r1.6 --- src/usr.bin/ssh/ssh-keyscan.1 2002/03/09 00:20:45 1.5.2.2 +++ src/usr.bin/ssh/ssh-keyscan.1 2001/06/05 05:05:39 1.6 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keyscan.1,v 1.5.2.2 2002/03/09 00:20:45 miod Exp $ +.\" $OpenBSD: ssh-keyscan.1,v 1.6 2001/06/05 05:05:39 pvalchev Exp $ .\" .\" Copyright 1995, 1996 by David Mazieres . .\" @@ -14,13 +14,9 @@ .Nd gather ssh public keys .Sh SYNOPSIS .Nm ssh-keyscan -.Op Fl v46 -.Op Fl p Ar port -.Op Fl T Ar timeout -.Op Fl t Ar type -.Op Fl f Ar file -.Op Ar host | addrlist namelist -.Op Ar ... +.Op Fl t Ar timeout +.Op Ar -- | host | addrlist namelist +.Op Fl f Ar files ... .Sh DESCRIPTION .Nm is a utility for gathering the public ssh host keys of a number of 
@@ -35,76 +31,46 @@ uses non-blocking socket I/O to contact as many hosts as possible in parallel, so it is very efficient. The keys from a domain of 1,000 hosts can be collected in tens of seconds, even when some of those -hosts are down or do not run ssh. For scanning, one does not need -login access to the machines that are being scanned, nor does the -scanning process involve any encryption. -.Pp -The options are as follows: +hosts are down or do not run ssh. You do not need login access to the +machines you are scanning, nor does the scanning process involve +any encryption. +.Sh SECURITY +If you make an ssh_known_hosts file using +.Nm +without verifying the keys, you will be vulnerable to +.I man in the middle +attacks. +On the other hand, if your security model allows such a risk, +.Nm +can help you detect tampered keyfiles or man in the middle attacks which +have begun after you created your ssh_known_hosts file. +.Sh OPTIONS .Bl -tag -width Ds -.It Fl p Ar port -Port to connect to on the remote host. -.It Fl T Ar timeout -Set the timeout for connection attempts. If +.It Fl t +Set the timeout for connection attempts. If .Pa timeout seconds have elapsed since a connection was initiated to a host or since the last time anything was read from that host, then the connection is closed and the host in question considered unavailable. Default is 5 seconds. -.It Fl t Ar type -Specifies the type of the key to fetch from the scanned hosts. -The possible values are -.Dq rsa1 -for protocol version 1 and -.Dq rsa -or -.Dq dsa -for protocol version 2. -Multiple values may be specified by separating them with commas. -The default is -.Dq rsa1 . -.It Fl f Ar filename -Read hosts or +.It Fl f +Read hosts or .Pa addrlist namelist pairs from this file, one per line. If .Pa - is supplied instead of a filename, .Nm -will read hosts or +will read hosts or .Pa addrlist namelist pairs from the standard input. -.It Fl v -Verbose mode. 
-Causes -.Nm -to print debugging messages about its progress. -.It Fl 4 -Forces -.Nm -to use IPv4 addresses only. -.It Fl 6 -Forces -.Nm -to use IPv6 addresses only. .El -.Sh SECURITY -If a ssh_known_hosts file is constructed using -.Nm -without verifying the keys, users will be vulnerable to -.I man in the middle -attacks. -On the other hand, if the security model allows such a risk, -.Nm -can help in the detection of tampered keyfiles or man in the middle -attacks which have begun after the ssh_known_hosts file was created. .Sh EXAMPLES .Pp -Print the -.Pa rsa1 -host key for machine +Print the host key for machine .Pa hostname : .Bd -literal -$ ssh-keyscan hostname +ssh-keyscan hostname .Ed .Pp Find all hosts from the file @@ -112,43 +78,26 @@ which have new or different keys from those in the sorted file .Pa ssh_known_hosts : .Bd -literal -$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e\ - sort -u - ssh_known_hosts | diff ssh_known_hosts - +$ ssh-keyscan -f ssh_hosts | sort -u - ssh_known_hosts | \e\ + diff ssh_known_hosts - .Ed +.Pp .Sh FILES +.Pp .Pa Input format: -.Bd -literal 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 -.Ed .Pp -.Pa Output format for rsa1 keys: -.Bd -literal +.Pa Output format: host-or-namelist bits exponent modulus -.Ed .Pp -.Pa Output format for rsa and dsa keys: -.Bd -literal -host-or-namelist keytype base64-encoded-key -.Ed -.Pp -Where -.Pa keytype -is either -.Dq ssh-rsa -or -.Dq ssh-dsa . -.Pp .Pa /etc/ssh_known_hosts .Sh BUGS It generates "Connection closed by remote host" messages on the consoles -of all the machines it scans if the server is older than version 2.9. +of all the machines it scans. This is because it opens a connection to the ssh port, reads the public key, and drops the connection as soon as it gets the key. .Sh SEE ALSO .Xr ssh 1 , .Xr sshd 8 -.Sh AUTHORS +.Sh AUTHOR David Mazieres -wrote the initial version, and -Wayne Davison -added support for protocol version 2.
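Review bot: in the hunk `@@ -1,4 +1,4 @@` the RCS id lines show the diff running from revision 1.5.2.2 (2002/03/09) to 1.6 (2001/06/05), so the "+" side is the older revision and applying this patch would remove the `-p`, `-T`, `-t type`, `-v`, `-4` and `-6` documentation that the newer branch revision carries; confirm the intended direction before committing (the forward change would be `diff -u -r1.6 -r1.5.2.2`).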
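Review bot: in the hunk `@@ -14,13 +14,9 @@` the synopsis entries `.Op Fl t Ar timeout` and `.Op Fl f Ar files ...` do not agree with the option list later in the patch, where the same options are declared as `.It Fl t` and `.It Fl f` with no argument; either write `.It Fl t Ar timeout` and `.It Fl f Ar file` in the option list, or keep the argument-bearing forms from the "-" side (`.Op Fl T Ar timeout`, `.Op Fl f Ar file`). The added `.Op Ar -- | host | addrlist namelist` also documents a `--` operand that is described nowhere else on the page.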
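Review bot: in the hunk `@@ -35,76 +31,46 @@` the added SECURITY section uses `.I man in the middle`, a man(7) macro; this page is mdoc(7) (`.Nd`, `.Sh`, `.Fl`, `.Ar`), so it should be `.Em man in the middle`. In the same hunk the `-t` entry refers to the option argument as `.Pa timeout`; `.Pa` is for path names, `.Ar timeout` is the macro for a command argument. Dropping the `-t type` entry also removes the statements that `rsa1` is the default key type and that `rsa`/`dsa` select protocol version 2 keys, so the reader can no longer tell which key the tool fetches; and the first example changes `$ ssh-keyscan hostname` to `ssh-keyscan hostname` while the second example in the next hunk keeps its `$ ` prompt, so the two examples should use one convention.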
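Review bot: in the hunk `@@ -112,43 +78,26 @@` the `.Bd -literal`/`.Ed` pairs around the FILES format lines are removed, so `1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4` and `host-or-namelist bits exponent modulus` will be filled as ordinary paragraph text instead of shown verbatim; keep the display blocks. The `.Pp` added directly after `.Sh FILES` is redundant, since mdoc already suppresses a paragraph break after a section header. The BUGS change drops the qualifier "if the server is older than version 2.9", widening the claim to every scanned host, and `.Sh AUTHORS` becoming `.Sh AUTHOR` drops the Wayne Davison protocol-2 credit; both follow from removing the protocol-2 documentation elsewhere in this patch and should be called out as intentional in the commit message.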