
Annotation of src/usr.bin/ssh/ssh-keyscan.1, Revision 1.4.2.2

1.4.2.2 ! jason       1: .\"    $OpenBSD: ssh-keyscan.1,v 1.4 2001/03/01 03:38:33 deraadt Exp $
        !             2: .\"
        !             3: .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
        !             4: .\"
        !             5: .\" Modification and redistribution in source and binary forms is
        !             6: .\" permitted provided that due credit is given to the author and the
        !             7: .\" OpenBSD project (for instance by leaving this copyright notice
        !             8: .\" intact).
1.4       deraadt     9: .\"
1.1       markus     10: .Dd January 1, 1996
1.4.2.2 ! jason      11: .Dt SSH-KEYSCAN 1
1.1       markus     12: .Os
                     13: .Sh NAME
                     14: .Nm ssh-keyscan
                     15: .Nd gather ssh public keys
                     16: .Sh SYNOPSIS
                     17: .Nm ssh-keyscan
                     18: .Op Fl t Ar timeout
                     19: .Op Ar -- | host | addrlist namelist
                     20: .Op Fl f Ar files ...
                     21: .Sh DESCRIPTION
                     22: .Nm
                     23: is a utility for gathering the public ssh host keys of a number of
                     24: hosts.  It was designed to aid in building and verifying
                     25: .Pa ssh_known_hosts
                     26: files.
                     27: .Nm
                     28: provides a minimal interface suitable for use by shell and perl
                     29: scripts.
                     30: .Pp
                     31: .Nm
                     32: uses non-blocking socket I/O to contact as many hosts as possible in
                     33: parallel, so it is very efficient.  The keys from a domain of 1,000
                     34: hosts can be collected in tens of seconds, even when some of those
                     35: hosts are down or do not run ssh.  You do not need login access to the
                     36: machines you are scanning, nor does the scanning process involve
                     37: any encryption.
                     38: .Sh SECURITY
                     39: If you make an ssh_known_hosts file using
                     40: .Nm
                     41: without verifying the keys, you will be vulnerable to
                     42: .Em man in the middle
                     43: attacks.
                     44: On the other hand, if your security model allows such a risk,
                     45: .Nm
                     46: can help you detect tampered keyfiles or man in the middle attacks which
                     47: have begun after you created your ssh_known_hosts file.
                     48: .Sh OPTIONS
                     49: .Bl -tag -width Ds
                     50: .It Fl t
                     51: Set the timeout for connection attempts.  If
                     52: .Pa timeout
                     53: seconds have elapsed since a connection was initiated to a host or since the
                     54: last time anything was read from that host, then the connection is
                     55: closed and the host in question considered unavailable.  Default is 5
                     56: seconds.
                     57: .It Fl f
                     58: Read hosts or
                     59: .Pa addrlist namelist
                     60: pairs from this file, one per line.
                     61: If
                     62: .Pa -
                     63: is supplied instead of a filename,
                     64: .Nm
                     65: will read hosts or
                     66: .Pa addrlist namelist
                     67: pairs from the standard input.
1.2       itojun     68: .El
1.1       markus     69: .Sh EXAMPLES
                     70: .Pp
                     71: Print the host key for machine
                     72: .Pa hostname :
                     73: .Bd -literal
                     74: ssh-keyscan hostname
                     75: .Ed
                     76: .Pp
                     77: Find all hosts from the file
                     78: .Pa ssh_hosts
                     79: which have new or different keys from those in the sorted file
                     80: .Pa ssh_known_hosts :
                     81: .Bd -literal
1.4.2.2 ! jason      82: $ ssh-keyscan -f ssh_hosts | sort -u - ssh_known_hosts | \e
1.1       markus     83:        diff ssh_known_hosts -
                     84: .Ed
                     85: .Pp
                     86: .Sh FILES
                     87: .Pp
                     88: .Pa Input format:
                     89: 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
                     90: .Pp
                     91: .Pa Output format:
                     92: host-or-namelist bits exponent modulus
                     93: .Pp
                     94: .Pa /etc/ssh_known_hosts
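The FILES section gives the line format that both ssh-keyscan output and the SSH protocol 1 ssh_known_hosts file use, and the SECURITY section explains that the tool can surface keys that changed after the file was built. The following is an added example, not code from the manual page or from OpenSSH: it parses that format and classifies each host alias from a fresh scan as new, changed, unchanged or missing relative to the stored file. The hostnames, addresses and key numbers are constructed sample data.

```python
# Added example, not from the ssh-keyscan manual or OpenSSH: compare a fresh
# ssh-keyscan run with an existing ssh_known_hosts file, both in the FILES
# line format "host-or-namelist bits exponent modulus". Data is constructed.

KNOWN_HOSTS = """\
# constructed sample, not real keys (real moduli are 1024-bit numbers)
alpha.example.net,alpha,10.0.0.1 1024 35 1234567891011
beta.example.net,beta,10.0.0.2 1024 35 2233445566778
delta.example.net,delta,10.0.0.4 1024 35 4455667788990
"""
SCAN_OUTPUT = """\
alpha.example.net,alpha,10.0.0.1 1024 35 1234567891011
beta.example.net,beta,10.0.0.2 1024 35 9999999999999
gamma.example.net,gamma,10.0.0.3 1024 35 3344556677889
"""

def parse_keys(text):
    """Map every alias in the first field to its (bits, exponent, modulus);
    ssh matches a host by any of its comma-separated aliases."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError("malformed key line: %r" % line)
        names, bits, exponent, modulus = fields
        for name in names.split(","):
            keys[name] = (int(bits), int(exponent), int(modulus))
    return keys

def compare_keys(known, scanned):
    """Classify aliases as new, changed, unchanged or missing.
    'changed' is the case the SECURITY section warns about: the host now
    presents a key other than the stored one; 'missing' hosts were down or
    timed out. The scan is unauthenticated, so this only detects change
    relative to a known_hosts file whose keys were verified out of band."""
    result = {"new": [], "changed": [], "unchanged": [], "missing": []}
    for host, key in sorted(scanned.items()):
        if host not in known:
            result["new"].append(host)
        elif known[host] != key:
            result["changed"].append(host)
        else:
            result["unchanged"].append(host)
    result["missing"] = sorted(set(known) - set(scanned))
    return result
```

To use it against real files, read `/etc/ssh_known_hosts` into `KNOWN_HOSTS` and feed the output of `ssh-keyscan -f ssh_hosts` into `SCAN_OUTPUT`; a non-empty `changed` list is the signal worth investigating before the file is updated.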
                     95: .Sh BUGS
                     96: It generates "Connection closed by remote host" messages on the consoles
                     97: of all the machines it scans.
                     98: This is because it opens a connection to the ssh port, reads the public
                     99: key, and drops the connection as soon as it gets the key.
                    100: .Sh SEE ALSO
1.4.2.2 ! jason     101: .Xr ssh 1 ,
1.1       markus    102: .Xr sshd 8
                    103: .Sh AUTHOR
                    104: David Mazieres <dm@lcs.mit.edu>