Annotation of src/usr.bin/ssh/ssh-keyscan.1, Revision 1.1 (every line originates in revision 1.1, committed by markus)
.Dd January 1, 1996
.Dt SSH-KEYSCAN 1
.Os
.Sh NAME
.Nm ssh-keyscan
.Nd gather ssh public keys
.Sh SYNOPSIS
.Nm ssh-keyscan
.Op Fl t Ar timeout
.Op Ar -- | host | addrlist namelist
.Op Fl f Ar files ...
.Sh DESCRIPTION
.Nm
is a utility for gathering the public ssh host keys of a number of
hosts.
It was designed to aid in building and verifying
.Pa ssh_known_hosts
files.
.Nm
provides a minimal interface suitable for use by shell and perl
scripts.
.Pp
.Nm
uses non-blocking socket I/O to contact as many hosts as possible in
parallel, so it is very efficient.
The keys from a domain of 1,000 hosts can be collected in tens of seconds,
even when some of those hosts are down or do not run ssh.
You do not need login access to the machines you are scanning,
nor does the scanning process involve any encryption.
.Sh SECURITY
If you make an ssh_known_hosts file using
.Nm
without verifying the keys, you will be vulnerable to
.Em man in the middle
attacks.
On the other hand, if your security model allows such a risk,
.Nm
can help you detect tampered keyfiles or man in the middle attacks which
have begun after you created your ssh_known_hosts file.
.Sh OPTIONS
.Bl -tag -width Ds
.It Fl t
Set the timeout for connection attempts.
If
.Ar timeout
seconds have elapsed since a connection was initiated to a host or since the
last time anything was read from that host, then the connection is
closed and the host in question considered unavailable.
Default is 5 seconds.
.It Fl f
Read hosts or
.Ar addrlist namelist
pairs from this file, one per line.
If
.Pa -
is supplied instead of a filename,
.Nm
will read hosts or
.Ar addrlist namelist
pairs from the standard input.
.El
.Sh EXAMPLES
Print the host key for machine
.Pa hostname :
.Bd -literal
ssh-keyscan hostname
.Ed
.Pp
Find all hosts from the file
.Pa ssh_hosts
which have new or different keys from those in the sorted file
.Pa ssh_known_hosts :
.Bd -literal
ssh-keyscan -f ssh_hosts | sort -u - ssh_known_hosts | \e
diff ssh_known_hosts -
.Ed
.Sh FILES
.Pa Input format:
1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
.Pp
.Pa Output format:
host-or-namelist bits exponent modulus
.Pp
.Pa /etc/ssh_known_hosts
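The check that the SECURITY section describes and the second example performs with sort and diff, written out as an added example in Python (it is not part of ssh-keyscan or OpenSSH): it parses the output format given above, indexes every name in a namelist, and reports changed, new and missing keys separately instead of as a raw diff. The sample lines are constructed and the exponent and modulus values are placeholders.

```python
# Added example, not OpenSSH code: compare a fresh ssh-keyscan run against an existing
# ssh_known_hosts file, name by name, using the "namelist bits exponent modulus" format.

def parse_known_hosts(text):
    """Map every name in a line's namelist to that line's (bits, exponent, modulus)."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, comments and anything that is not four fields.
        if len(fields) != 4 or fields[0].startswith("#"):
            continue
        namelist, bits, exponent, modulus = fields
        for name in namelist.split(","):
            keys[name] = (bits, exponent, modulus)
    return keys

def compare_keys(known_text, scanned_text):
    """Return (changed, new, unreachable) as sorted name lists.

    changed: known name whose scanned key differs; the case the SECURITY section
             warns about (tampered file, or a man in the middle that began after
             the file was made), so investigate before updating the file.
    new: the scan returned a key for a name not yet in the file.
    unreachable: a known name the scan returned no key for (down, or no ssh).
    """
    known = parse_known_hosts(known_text)
    scanned = parse_known_hosts(scanned_text)
    changed = sorted(n for n in known if n in scanned and known[n] != scanned[n])
    new = sorted(n for n in scanned if n not in known)
    unreachable = sorted(n for n in known if n not in scanned)
    return changed, new, unreachable

# Constructed sample data; exponent and modulus are short placeholders, not real keys.
KNOWN_HOSTS = """\
name.my.domain,name,1.2.3.4 1024 35 11111
other.my.domain,other,1.2.3.5 1024 35 22222
gone.my.domain,1.2.3.6 1024 35 33333
"""
SCAN_OUTPUT = """\
name.my.domain,name,1.2.3.4 1024 35 11111
other.my.domain,other,1.2.3.5 1024 35 99999
fresh.my.domain,1.2.3.7 1024 35 44444
"""

if __name__ == "__main__":
    changed, new, unreachable = compare_keys(KNOWN_HOSTS, SCAN_OUTPUT)
    print("changed keys, investigate:", changed)
    print("new hosts:", new)
    print("no key returned:", unreachable)
```

In practice the two inputs are the existing ssh_known_hosts file and the captured output of ssh-keyscan -f ssh_hosts; a non-empty changed list is the result to act on first.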
.Sh BUGS
It generates
.Dq Connection closed by remote host
messages on the consoles of all the machines it scans.
This is because it opens a connection to the ssh port, reads the public
key, and drops the connection as soon as it gets the key.
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr sshd 8
.Sh AUTHOR
David Mazieres <dm@lcs.mit.edu>