xref: /freebsd/crypto/openssh/ssh-keyscan.1 (revision 47dd1d1b619cc035b82b49a91a25544309ff95ae)
.\"	$OpenBSD: ssh-keyscan.1,v 1.44 2018/03/05 07:03:18 jmc Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
.\" Modification and redistribution in source and binary forms is
.\" permitted provided that due credit is given to the author and the
.\" OpenBSD project by leaving this copyright notice intact.
.\"
.Dd $Mdocdate: March 5 2018 $
.Dt SSH-KEYSCAN 1
.Os
.Sh NAME
.Nm ssh-keyscan
.Nd gather SSH public keys
.Sh SYNOPSIS
.Nm ssh-keyscan
.Op Fl 46cDHv
.Op Fl f Ar file
.Op Fl p Ar port
.Op Fl T Ar timeout
.Op Fl t Ar type
.Op Ar host | addrlist namelist
.Sh DESCRIPTION
.Nm
is a utility for gathering the public SSH host keys of a number of
hosts.
It was designed to aid in building and verifying
.Pa ssh_known_hosts
files,
the format of which is documented in
.Xr sshd 8 .
.Nm
provides a minimal interface suitable for use by shell and perl
scripts.
.Pp
.Nm
uses non-blocking socket I/O to contact as many hosts as possible in
parallel, so it is very efficient.
The keys from a domain of 1,000
hosts can be collected in tens of seconds, even when some of those
hosts are down or do not run
.Xr sshd 8 .
For scanning, one does not need
login access to the machines that are being scanned, nor does the
scanning process involve any encryption.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl 4
Force
.Nm
to use IPv4 addresses only.
.It Fl 6
Force
.Nm
to use IPv6 addresses only.
.It Fl c
Request certificates from target hosts instead of plain keys.
.It Fl D
Print keys found as SSHFP DNS records.
The default is to print keys in a format usable as a
.Xr ssh 1
.Pa known_hosts
file.
.It Fl f Ar file
Read hosts or
.Dq addrlist namelist
pairs from
.Ar file ,
one per line.
If
.Sq -
is supplied instead of a filename,
.Nm
will read from the standard input.
Input is expected in the format:
.Bd -literal
1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
.Ed
.It Fl H
Hash all hostnames and addresses in the output.
Hashed names may be used normally by
.Xr ssh 1
and
.Xr sshd 8 ,
but they do not reveal identifying information should the file's contents
be disclosed.
.It Fl p Ar port
Connect to
.Ar port
on the remote host.
.It Fl T Ar timeout
Set the timeout for connection attempts.
If
.Ar timeout
seconds have elapsed since a connection was initiated to a host or since the
last time anything was read from that host, the connection is
closed and the host in question considered unavailable.
The default is 5 seconds.
.It Fl t Ar type
Specify the type of the key to fetch from the scanned hosts.
The possible values are
.Dq dsa ,
.Dq ecdsa ,
.Dq ed25519 ,
or
.Dq rsa .
Multiple values may be specified by separating them with commas.
The default is to fetch
.Dq rsa ,
.Dq ecdsa ,
and
.Dq ed25519
keys.
.It Fl v
Verbose mode:
print debugging messages about progress.
.El
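.Pp
The hashed host fields written by the -H option and the SSHFP records written by the -D option can both be reproduced offline from an ordinary known_hosts line, which makes the two output formats easier to reason about. The Python below is an added example and not code from OpenSSH or ssh-keyscan: it applies the known_hosts hashing scheme (HMAC-SHA1 keyed with a random 20-byte salt, written as |1|salt|hash) to each name of an entry, and it emits the RFC 4255 SSHFP records (SHA-1 and SHA-256 fingerprints of the raw key blob) for the same entry. The host names, the address and the key blob are constructed for illustration; the blob carries Ed25519 wire framing but is not a real public key.

```python
"""Hash hostnames the way ssh-keyscan -H does and emit SSHFP records the way
-D does, entirely offline.

Added example, not code from OpenSSH. The key blob below is constructed for
illustration: it has the Ed25519 wire framing but is not a real public key,
which is all that matters for hashing it."""
import base64
import hashlib
import hmac
import os
import struct

# SSHFP algorithm numbers from RFC 4255, RFC 6594 and RFC 7479.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 is SHA-1, 2 is SHA-256.
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length, then bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed sample: Ed25519 framing around 32 placeholder bytes (not a real key).
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "server.example.com,192.0.2.7 ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()


def parse_line(line: str):
    """Split a known_hosts line into (list of names, key type, raw key blob)."""
    hosts, keytype, b64 = line.split()[:3]
    return hosts.split(","), keytype, base64.b64decode(b64)


def hash_hostname(name: str, salt: bytes = None) -> str:
    """Hashed host field as -H prints it: |1|b64(salt)|b64(HMAC-SHA1(salt, name)).
    OpenSSH draws a fresh 20-byte random salt for every entry."""
    if salt is None:
        salt = os.urandom(20)
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def hashed_field_matches(field: str, name: str) -> bool:
    """True if a hashed host field was produced from name. This is the check
    ssh performs when it looks a host up in a hashed known_hosts file."""
    if not field.startswith("|1|"):
        return False
    _, _, b64salt, b64mac = field.split("|", 3)
    salt = base64.b64decode(b64salt)
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, base64.b64decode(b64mac))


def hash_line(line: str, salt: bytes = None) -> list:
    """Rewrite one plain known_hosts line as -H would: one hashed line per name."""
    names, keytype, blob = parse_line(line)
    key = base64.b64encode(blob).decode()
    return ["%s %s %s" % (hash_hostname(n, salt), keytype, key) for n in names]


def fingerprint_hex(blob: bytes, fptype: int) -> str:
    """Hex digest of the raw key blob, the value an SSHFP record carries."""
    return SSHFP_HASH[fptype](blob).hexdigest()


def sshfp_records(line: str) -> list:
    """SSHFP resource records in RFC 4255 presentation format for one
    known_hosts line: one SHA-1 and one SHA-256 record per name."""
    names, keytype, blob = parse_line(line)
    alg = SSHFP_ALGORITHM[keytype]
    return ["%s IN SSHFP %d %d %s" % (n, alg, fptype, fingerprint_hex(blob, fptype))
            for n in names for fptype in sorted(SSHFP_HASH)]


if __name__ == "__main__":
    for entry in hash_line(SAMPLE_LINE):
        print(entry)
    for rr in sshfp_records(SAMPLE_LINE):
        print(rr)
```

hashed_field_matches shows why a hashed file stays usable: the salt is stored in the clear, so a client that already knows the name it is connecting to can recompute the HMAC and find the entry, while someone who only holds the file cannot read the host list back out of it. The caveat is that a name an attacker guesses can still be confirmed against the file, so hashing limits disclosure rather than preventing it. An SSHFP record for the numeric address is produced here only because the sample entry lists one; in DNS such records are published under host names.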
.Pp
If an ssh_known_hosts file is constructed using
.Nm
without verifying the keys, users will be vulnerable to
.Em man in the middle
attacks.
On the other hand, if the security model allows such a risk,
.Nm
can help in the detection of tampered keyfiles or man in the middle
attacks which have begun after the ssh_known_hosts file was created.
.Sh FILES
.Pa /etc/ssh/ssh_known_hosts
.Sh EXAMPLES
Print the RSA host key for machine
.Ar hostname :
.Pp
.Dl $ ssh-keyscan -t rsa hostname
.Pp
Find all hosts from the file
.Pa ssh_hosts
which have new or different keys from those in the sorted file
.Pa ssh_known_hosts :
.Bd -literal -offset indent
$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
	sort -u - ssh_known_hosts | diff ssh_known_hosts -
.Ed
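.Pp
The sort/diff pipeline above reports raw line differences. The Python below is an added example, not part of OpenSSH, that performs the same comparison in memory and classifies each scanned (host, key type) pair as new, changed or unchanged, and also lists trusted entries the scan did not return. Changed keys are the signal the DESCRIPTION section refers to: a host key that differs from the one recorded when the file was built is either a legitimate rekey or an interposed server, and has to be checked out of band before the file is updated. Both inputs are constructed samples, the key strings are not real keys, and hashed (|1|...) entries are skipped rather than matched.

```python
"""Classify ssh-keyscan output against a trusted known_hosts file.

Added example, not code from OpenSSH. Same comparison as the sort/diff
pipeline in EXAMPLES, but reported per (host, key type) so that a changed
host key stands out from a merely new one. Plain-text host fields only;
hashed (|1|...) entries are skipped. Both inputs are constructed samples
and the key strings are not real keys."""

# Constructed sample: the trusted file that was built and verified earlier.
TRUSTED = """\
# ssh_known_hosts (constructed sample)
alpha.example.com,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCalpha
beta.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIbeta00000
"""

# Constructed sample: what a fresh `ssh-keyscan -f ssh_hosts` run returned.
SCANNED = """\
alpha.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCalpha
beta.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIchanged0
gamma.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIgamma0000
"""


def parse_known_hosts(text):
    """Map (host, keytype) -> key string for every plain-text entry.

    Blank lines, comments, marker lines (@cert-authority, @revoked) and
    hashed entries are skipped; a comma-separated host field yields one
    entry per name, which is how ssh itself matches such lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@|":
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, keytype, key = fields[0], fields[1], fields[2]
        for host in hosts.split(","):
            entries[(host, keytype)] = key
    return entries


def compare_scan(trusted_text, scanned_text):
    """Return which scanned entries are new, changed or unchanged relative
    to the trusted file, and which trusted entries the scan did not return
    (a host that was down or timed out simply produces no output)."""
    trusted = parse_known_hosts(trusted_text)
    scanned = parse_known_hosts(scanned_text)
    report = {"new": [], "changed": [], "unchanged": [], "not_seen": []}
    for ident, key in sorted(scanned.items()):
        if ident not in trusted:
            report["new"].append(ident)
        elif trusted[ident] != key:
            report["changed"].append(ident)
        else:
            report["unchanged"].append(ident)
    report["not_seen"] = [i for i in sorted(trusted) if i not in scanned]
    return report


if __name__ == "__main__":
    for category, idents in compare_scan(TRUSTED, SCANNED).items():
        for host, keytype in idents:
            print("%-9s %s (%s)" % (category, host, keytype))
```

A "changed" result for beta.example.com is the case to act on; "new" entries still need the same out-of-band verification as any key added to the trusted file, and "not_seen" only means the host produced no output within the timeout, not that its key has gone away.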
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr sshd 8
.Rs
.%D 2006
.%R RFC 4255
.%T Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
.Re
.Sh AUTHORS
.An -nosplit
.An David Mazieres Aq Mt dm@lcs.mit.edu
wrote the initial version, and
.An Wayne Davison Aq Mt wayned@users.sourceforge.net
added support for protocol version 2.
159