ssh-keyscan.1 (src/usr.bin/ssh/ssh-keyscan.1, Revision 1.9)
.\" $OpenBSD: ssh-keyscan.1,v 1.8 2001/06/23 17:48:18 itojun Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
.\" Modification and redistribution in source and binary forms is
.\" permitted provided that due credit is given to the author and the
.\" OpenBSD project by leaving this copyright notice intact.
.\"
.Dd January 1, 1996
.Dt SSH-KEYSCAN 1
.Os
.Sh NAME
.Nm ssh-keyscan
.Nd gather ssh public host keys
.Sh SYNOPSIS
.Nm ssh-keyscan
.Op Fl t Ar timeout
.Op Fl f Ar file
.Op Ar -- | host | addrlist namelist ...
.Sh DESCRIPTION
.Nm
is a utility for gathering the public ssh host keys of a number of
hosts.
It was designed to aid in building and verifying
.Pa ssh_known_hosts
files.
.Nm
provides a minimal interface suitable for use by shell and perl
scripts.
.Pp
.Nm
uses non-blocking socket I/O to contact as many hosts as possible in
parallel, so it is very efficient.
The keys from a domain of 1,000 hosts can be collected in tens of
seconds, even when some of those hosts are down or do not run ssh.
You do not need login access to the machines you are scanning:
the host key is read from the server's initial, unencrypted protocol
exchange, so the scanning process involves no encryption and no
authentication.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl t Ar timeout
Set the timeout for connection attempts.
If
.Ar timeout
seconds have elapsed since a connection was initiated to a host, or since
the last time anything was read from that host, the connection is
closed and the host in question is considered unavailable.
The default is 5 seconds.
.It Fl f Ar file
Read hosts or
.Dq addrlist namelist
pairs from
.Ar file ,
one per line.
If
.Sq Fl
is supplied instead of a filename,
.Nm
will read hosts or
.Dq addrlist namelist
pairs from the standard input.
.El
.Sh SECURITY
.Nm
records whatever key the network presents for a host; it cannot tell a
genuine host key from one injected by an attacker on the path.
If you make an
.Pa ssh_known_hosts
file using
.Nm
without verifying the keys, for example by comparing their fingerprints
(see
.Xr ssh-keygen 1 )
against values obtained from each host through a trusted channel, you
will be vulnerable to
.Em man in the middle
attacks.
On the other hand, if your security model allows such a risk,
.Nm
can help you detect tampered keyfiles or man in the middle attacks which
have begun after you created your
.Pa ssh_known_hosts
file: a host whose key differs from the one recorded there deserves
investigation before anyone connects to it.
.Sh EXAMPLES
Print the host key for machine
.Ar hostname :
.Bd -literal
$ ssh-keyscan hostname
.Ed
.Pp
Find all hosts from the file
.Pa ssh_hosts
which have new or different keys from those in the sorted file
.Pa ssh_known_hosts :
.Bd -literal
$ ssh-keyscan -f ssh_hosts | sort -u - ssh_known_hosts | \e
	diff ssh_known_hosts -
.Ed
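.Pp
The pipeline above reports every line of the scan that is absent from
.Pa ssh_known_hosts ,
but it does not say whether a reported host is new or has changed its key;
the latter is the tampering or man in the middle signal discussed under
.Sx SECURITY .
The following is an added example, not part of the ssh-keyscan sources:
a POSIX shell function that compares a file of
.Nm
output against a known-hosts file by the host-or-namelist field and
classifies each difference.
The host names, addresses and key values in it are constructed sample
data, not real keys, and the function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the ssh-keyscan sources): classify differences
# between ssh-keyscan output and a known-hosts file.
# Both files use the ssh-keyscan output format:
#   host-or-namelist bits exponent modulus

# Constructed sample scan output; the key values are not real host keys.
SAMPLE_SCAN='alpha.my.domain,alpha,10.0.0.1 1024 35 1234567890123456789
bravo.my.domain,bravo,10.0.0.2 1024 35 9876543210987654321
charlie.my.domain,charlie,10.0.0.3 1024 35 5555555555555555555'

# Constructed known-hosts file: bravo is recorded with a different key,
# charlie is absent, and delta is recorded but did not answer the scan.
SAMPLE_KNOWN='alpha.my.domain,alpha,10.0.0.1 1024 35 1234567890123456789
bravo.my.domain,bravo,10.0.0.2 1024 35 1111111111111111111
delta.my.domain,delta,10.0.0.4 1024 35 2222222222222222222'

# keyscan_compare SCANFILE KNOWNFILE
# Matches records by the exact host-or-namelist field (field 1) and
# compares the remaining "bits exponent modulus" fields.  Prints, sorted:
#   CHANGED host      known host whose scanned key differs (investigate!)
#   NEW host          host answered the scan but is not in KNOWNFILE
#   UNREACHABLE host  host is in KNOWNFILE but produced no scan record
# Comment lines and lines with fewer than four fields are ignored.
keyscan_compare() {
    awk '
        /^#/ || NF < 4 { next }
        # Records from the first argument (the scan output)
        FILENAME == ARGV[1] { scan[$1] = $2 " " $3 " " $4; next }
        # Records from the second argument (the known-hosts file)
        { known[$1] = $2 " " $3 " " $4 }
        END {
            for (h in scan) {
                if (!(h in known))            print "NEW " h
                else if (scan[h] != known[h]) print "CHANGED " h
            }
            for (h in known)
                if (!(h in scan))             print "UNREACHABLE " h
        }
    ' "$1" "$2" | sort
}

# run_sample: writes the constructed data to temporary files, runs the
# comparison and prints the report; this is what the stand-alone run does.
run_sample() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_SCAN"  > "$dir/scan"
    printf '%s\n' "$SAMPLE_KNOWN" > "$dir/ssh_known_hosts"
    keyscan_compare "$dir/scan" "$dir/ssh_known_hosts"
    rc=$?
    rm -rf "$dir"
    return $rc
}

run_sample
```

In real use the first file would be the saved output of
.Nm ,
for example
.Ql ssh-keyscan -f ssh_hosts > scan ,
and the second the current
.Pa ssh_known_hosts .
A
.Dq CHANGED
line is the one that matters: either the recorded file was altered or
the host is no longer presenting the key it did when the file was built,
and neither should be resolved by simply overwriting the old entry.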
.Sh FILES
.Bl -tag -width Ds
.It Input format
An
.Dq addrlist namelist
pair is a comma-separated list of addresses to contact, a space, and a
comma-separated list of names under which the key should be recorded,
for example:
.Bd -literal
1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
.Ed
.It Output format
One line per host, in the form used by
.Pa ssh_known_hosts :
.Bd -literal
host-or-namelist bits exponent modulus
.Ed
.It Pa /etc/ssh_known_hosts
System-wide list of known host keys.
.El
.Sh BUGS
It generates
.Dq Connection closed by remote host
messages on the consoles of all the machines it scans.
This is because it opens a connection to the ssh port, reads the public
key, and drops the connection as soon as it gets the key.
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-keygen 1 ,
.Xr sshd 8
.Sh AUTHORS
.An David Mazieres Aq dm@lcs.mit.edu