.\" $OpenBSD: ssh-keyscan.1,v 1.46 2022/06/03 04:00:15 dtucker Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
.\" Modification and redistribution in source and binary forms is
.\" permitted provided that due credit is given to the author and the
.\" OpenBSD project by leaving this copyright notice intact.
.\"
.Dd $Mdocdate: June 3 2022 $
.Dt SSH-KEYSCAN 1
.Os
.Sh NAME
.Nm ssh-keyscan
.Nd gather SSH public keys from servers
.Sh SYNOPSIS
.Nm ssh-keyscan
.Op Fl 46cDHv
.Op Fl f Ar file
.Op Fl p Ar port
.Op Fl T Ar timeout
.Op Fl t Ar type
.Op Ar host | addrlist namelist
.Sh DESCRIPTION
.Nm
is a utility for gathering the public SSH host keys of a number of
hosts.
It was designed to aid in building and verifying
.Pa ssh_known_hosts
files,
the format of which is documented in
.Xr sshd 8 .
.Nm
provides a minimal interface suitable for use by shell and perl
scripts.
.Pp
.Nm
uses non-blocking socket I/O to contact as many hosts as possible in
parallel, so it is very efficient.
The keys from a domain of 1,000
hosts can be collected in tens of seconds, even when some of those
hosts are down or do not run
.Xr sshd 8 .
For scanning, one does not need
login access to the machines that are being scanned, nor does the
scanning process involve any encryption.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl 4
Force
.Nm
to use IPv4 addresses only.
.It Fl 6
Force
.Nm
to use IPv6 addresses only.
.It Fl c
Request certificates from target hosts instead of plain keys.
.It Fl D
Print keys found as SSHFP DNS records.
The default is to print keys in a format usable as a
.Xr ssh 1
.Pa known_hosts
file.
.It Fl f Ar file
Read hosts or
.Dq addrlist namelist
pairs from
.Ar file ,
one per line.
If
.Sq -
is supplied instead of a filename,
.Nm
will read from the standard input.
Input is expected in the format:
.Bd -literal
1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
.Ed
.It Fl H
Hash all hostnames and addresses in the output.
Hashed names may be used normally by
.Xr ssh 1
and
.Xr sshd 8 ,
but they do not reveal identifying information should the file's contents
be disclosed.
.It Fl p Ar port
Connect to
.Ar port
on the remote host.
.It Fl T Ar timeout
Set the timeout for connection attempts.
If
.Ar timeout
seconds have elapsed since a connection was initiated to a host or since the
last time anything was read from that host, the connection is
closed and the host in question considered unavailable.
The default is 5 seconds.
.It Fl t Ar type
Specify the type of the key to fetch from the scanned hosts.
The possible values are
.Dq dsa ,
.Dq ecdsa ,
.Dq ed25519 ,
.Dq ecdsa-sk ,
.Dq ed25519-sk ,
or
.Dq rsa .
Multiple values may be specified by separating them with commas.
The default is to fetch
.Dq rsa ,
.Dq ecdsa ,
.Dq ed25519 ,
.Dq ecdsa-sk ,
and
.Dq ed25519-sk
keys.
.It Fl v
Verbose mode:
print debugging messages about progress.
.El
.Pp
If an ssh_known_hosts file is constructed using
.Nm
without verifying the keys, users will be vulnerable to
.Em man in the middle
attacks.
On the other hand, if the security model allows such a risk,
.Nm
can help in the detection of tampered keyfiles or man in the middle
attacks which have begun after the ssh_known_hosts file was created.
.Sh FILES
.Pa /etc/ssh/ssh_known_hosts
.Sh EXAMPLES
Print the RSA host key for machine
.Ar hostname :
.Pp
.Dl $ ssh-keyscan -t rsa hostname
.Pp
Find all hosts from the file
.Pa ssh_hosts
which have new or different keys from those in the sorted file
.Pa ssh_known_hosts :
.Bd -literal -offset indent
$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
 sort -u - ssh_known_hosts | diff ssh_known_hosts -
.Ed
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr sshd 8
.Rs
.%D 2006
.%R RFC 4255
.%T Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
.Re
.Sh AUTHORS
.An -nosplit
.An David Mazieres Aq Mt dm@lcs.mit.edu
wrote the initial version, and
.An Wayne Davison Aq Mt wayned@users.sourceforge.net
added support for protocol version 2.
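The DESCRIPTION paragraph above says a scan can reveal host keys that changed after ssh_known_hosts was built, and the second EXAMPLES pipeline does this with sort and diff. The following Python script is an added example; it is not part of the man page or of OpenSSH. It parses known_hosts-format lines (what ssh-keyscan prints by default), classifies each scanned host key as new, unchanged or changed against an existing file, and, unlike the diff pipeline, can also match entries whose names were hashed with -H, by recomputing the HMAC-SHA1 that OpenSSH uses for the |1|salt|hash form. The fingerprint helper reproduces the SHA256:... form ssh-keygen -l prints. All host names, key blobs, the scan output and the salt are constructed inside the script so it runs offline; nothing here contacts a server.

```python
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass

HASH_MAGIC = "|1|"  # prefix ssh-keyscan -H / ssh(1) put on hashed hostnames


@dataclass(frozen=True)
class HostKey:
    hostnames: str  # "host1,addr1,..." or a "|1|salt|hash" hashed name
    keytype: str    # e.g. "ssh-ed25519", "ssh-rsa"
    blob: bytes     # decoded public key in SSH wire format


def parse_known_hosts_line(line):
    """Parse one known_hosts-format line, the format ssh-keyscan prints by default.
    Blank lines and '#' comment lines (ssh-keyscan emits '# host:port banner') are skipped."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if fields[0].startswith("@"):  # @cert-authority / @revoked marker
        fields = fields[1:]
    hostnames, keytype, b64 = fields[0], fields[1], fields[2]
    return HostKey(hostnames, keytype, base64.b64decode(b64))


def fingerprint_sha256(blob):
    """Fingerprint in the form ssh-keygen -l prints: SHA256:<base64, padding stripped>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def hash_hostname(hostname, salt):
    """The -H form of a hostname: '|1|' + b64(salt) + '|' + b64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def hashed_name_matches(hashed, hostname):
    """True if a hashed known_hosts name was produced for hostname (recompute the HMAC)."""
    parts = hashed.split("|")  # ['', '1', salt_b64, mac_b64]
    if len(parts) != 4 or not hashed.startswith(HASH_MAGIC):
        return False
    salt = base64.b64decode(parts[2])
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(base64.b64encode(mac).decode(), parts[3])


def entry_covers_host(entry, hostname):
    """Does this known_hosts entry apply to hostname? Plain names only: wildcard
    patterns and [host]:port forms are not handled by this example."""
    if entry.hostnames.startswith(HASH_MAGIC):
        return hashed_name_matches(entry.hostnames, hostname)
    return hostname in entry.hostnames.split(",")


def compare_scan(scan_lines, known_lines):
    """Classify each scanned (host, keytype) as 'new', 'unchanged' or 'CHANGED' against
    an existing ssh_known_hosts. 'CHANGED' is the case the man page warns about: a key
    that differs from the one recorded when the file was built."""
    known = [k for k in map(parse_known_hosts_line, known_lines) if k]
    report = {}
    for line in scan_lines:
        scanned = parse_known_hosts_line(line)
        if scanned is None:
            continue
        for host in scanned.hostnames.split(","):
            matches = [k for k in known
                       if k.keytype == scanned.keytype and entry_covers_host(k, host)]
            if not matches:
                status = "new"
            elif any(k.blob == scanned.blob for k in matches):
                status = "unchanged"
            else:
                status = "CHANGED"
            report[(host, scanned.keytype)] = (status, fingerprint_sha256(scanned.blob))
    return report


# --- Constructed sample data: not real hosts, keys or salts ----------------------
def ed25519_blob(pubkey):
    """SSH wire-format blob for a 32-byte Ed25519 public key: string type, string key."""
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", len(pubkey)) + pubkey


KEY_A = base64.b64encode(ed25519_blob(bytes(range(32)))).decode()
KEY_B = base64.b64encode(ed25519_blob(bytes(range(32, 64)))).decode()
SALT = bytes(20)  # fixed 20-byte salt for reproducibility; ssh-keyscan -H uses a random one

SCAN_OUTPUT = [  # what a fresh ssh-keyscan run would print (constructed)
    "# alpha.example:22 SSH-2.0-OpenSSH_9.0",
    f"alpha.example ssh-ed25519 {KEY_A}",
    f"beta.example ssh-ed25519 {KEY_B}",
    f"gamma.example,192.0.2.10 ssh-ed25519 {KEY_A}",
]
EXISTING_KNOWN_HOSTS = [  # the file built earlier; beta was stored under a -H hashed name
    f"alpha.example ssh-ed25519 {KEY_A}",
    f"{hash_hostname('beta.example', SALT)} ssh-ed25519 {KEY_A}",
]

if __name__ == "__main__":
    report = compare_scan(SCAN_OUTPUT, EXISTING_KNOWN_HOSTS)
    for (host, keytype), (status, fp) in sorted(report.items()):
        print(f"{status:9} {host:26} {keytype} {fp}")
```

In the sample run alpha.example is unchanged, beta.example is reported as CHANGED even though its line in the old file is hashed, and gamma.example and its address are new. A CHANGED result is the signal to investigate before the new line is copied into ssh_known_hosts; the script deliberately only reports and never rewrites the file.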