diff options
Diffstat (limited to 'ssh-keyscan.0')
| -rw-r--r-- | ssh-keyscan.0 | 80 |
1 files changed, 35 insertions, 45 deletions
diff --git a/ssh-keyscan.0 b/ssh-keyscan.0 index 1a9751ef14a4..c0278ee0aacd 100644 --- a/ssh-keyscan.0 +++ b/ssh-keyscan.0 @@ -1,62 +1,66 @@ SSH-KEYSCAN(1) General Commands Manual SSH-KEYSCAN(1) NAME - ssh-keyscan M-bM-^@M-^S gather ssh public keys + ssh-keyscan M-bM-^@M-^S gather SSH public keys SYNOPSIS - ssh-keyscan [-46cHv] [-f file] [-p port] [-T timeout] [-t type] - [host | addrlist namelist] ... + ssh-keyscan [-46cDHv] [-f file] [-p port] [-T timeout] [-t type] + [host | addrlist namelist] DESCRIPTION - ssh-keyscan is a utility for gathering the public ssh host keys of a + ssh-keyscan is a utility for gathering the public SSH host keys of a number of hosts. It was designed to aid in building and verifying - ssh_known_hosts files. ssh-keyscan provides a minimal interface suitable - for use by shell and perl scripts. + ssh_known_hosts files, the format of which is documented in sshd(8). + ssh-keyscan provides a minimal interface suitable for use by shell and + perl scripts. ssh-keyscan uses non-blocking socket I/O to contact as many hosts as possible in parallel, so it is very efficient. The keys from a domain of 1,000 hosts can be collected in tens of seconds, even when some of those - hosts are down or do not run ssh. For scanning, one does not need login - access to the machines that are being scanned, nor does the scanning - process involve any encryption. + hosts are down or do not run sshd(8). For scanning, one does not need + login access to the machines that are being scanned, nor does the + scanning process involve any encryption. The options are as follows: - -4 Forces ssh-keyscan to use IPv4 addresses only. + -4 Force ssh-keyscan to use IPv4 addresses only. - -6 Forces ssh-keyscan to use IPv6 addresses only. + -6 Force ssh-keyscan to use IPv6 addresses only. -c Request certificates from target hosts instead of plain keys. + -D Print keys found as SSHFP DNS records. The default is to print + keys in a format usable as a ssh(1) known_hosts file. + -f file Read hosts or M-bM-^@M-^\addrlist namelistM-bM-^@M-^] pairs from file, one per line. - If - is supplied instead of a filename, ssh-keyscan will read - hosts or M-bM-^@M-^\addrlist namelistM-bM-^@M-^] pairs from the standard input. + If M-bM-^@M-^X-M-bM-^@M-^Y is supplied instead of a filename, ssh-keyscan will read + from the standard input. Input is expected in the format: + + 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 -H Hash all hostnames and addresses in the output. Hashed names may - be used normally by ssh and sshd, but they do not reveal + be used normally by ssh(1) and sshd(8), but they do not reveal identifying information should the file's contents be disclosed. -p port - Port to connect to on the remote host. + Connect to port on the remote host. -T timeout Set the timeout for connection attempts. If timeout seconds have elapsed since a connection was initiated to a host or since the - last time anything was read from that host, then the connection - is closed and the host in question considered unavailable. - Default is 5 seconds. + last time anything was read from that host, the connection is + closed and the host in question considered unavailable. The + default is 5 seconds. -t type - Specifies the type of the key to fetch from the scanned hosts. - The possible values are M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^]. + Specify the type of the key to fetch from the scanned hosts. The + possible values are M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^]. Multiple values may be specified by separating them with commas. The default is to fetch M-bM-^@M-^\rsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], and M-bM-^@M-^\ed25519M-bM-^@M-^] keys. - -v Verbose mode. Causes ssh-keyscan to print debugging messages - about its progress. + -v Verbose mode: print debugging messages about progress. -SECURITY If an ssh_known_hosts file is constructed using ssh-keyscan without verifying the keys, users will be vulnerable to man in the middle attacks. On the other hand, if the security model allows such a risk, @@ -65,42 +69,28 @@ SECURITY created. FILES - Input format: - - 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 - - Output format for RSA, DSA, ECDSA, and Ed25519 keys: - - host-or-namelist keytype base64-encoded-key - - Where keytype is either M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^], M-bM-^@M-^\ecdsa-sha2-nistp384M-bM-^@M-^], - M-bM-^@M-^\ecdsa-sha2-nistp521M-bM-^@M-^], M-bM-^@M-^\ssh-ed25519M-bM-^@M-^], M-bM-^@M-^\ssh-dssM-bM-^@M-^] or M-bM-^@M-^\ssh-rsaM-bM-^@M-^]. - /etc/ssh/ssh_known_hosts EXAMPLES - Print the rsa host key for machine hostname: + Print the RSA host key for machine hostname: - $ ssh-keyscan hostname + $ ssh-keyscan -t rsa hostname Find all hosts from the file ssh_hosts which have new or different keys from those in the sorted file ssh_known_hosts: - $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \ - sort -u - ssh_known_hosts | diff ssh_known_hosts - + $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \ + sort -u - ssh_known_hosts | diff ssh_known_hosts - SEE ALSO ssh(1), sshd(8) + Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints, RFC + 4255, 2006. + AUTHORS David Mazieres <dm@lcs.mit.edu> wrote the initial version, and Wayne Davison <wayned@users.sourceforge.net> added support for protocol version 2. -BUGS - It generates "Connection closed by remote host" messages on the consoles - of all the machines it scans if the server is older than version 2.9. - This is because it opens a connection to the ssh port, reads the public - key, and drops the connection as soon as it gets the key. - -OpenBSD 6.2 May 2, 2017 OpenBSD 6.2 +OpenBSD 6.2 March 5, 2018 OpenBSD 6.2 |