.\" $OpenBSD: ssh-keyscan.1,v 1.22 2006/09/25 04:55:38 ray Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
.\" Modification and redistribution in source and binary forms is
.\" permitted provided that due credit is given to the author and the
.\" OpenBSD project by leaving this copyright notice intact.
.\"
.Dd January 1, 1996
.Dt SSH-KEYSCAN 1
.Os
.Sh NAME
.Nm ssh-keyscan
.Nd gather ssh public keys
.Sh SYNOPSIS
.Nm ssh-keyscan
.Bk -words
.Op Fl 46Hv
.Op Fl f Ar file
.Op Fl p Ar port
.Op Fl T Ar timeout
.Op Fl t Ar type
.Op Ar host | addrlist namelist
.Op Ar ...
.Ek
.Sh DESCRIPTION
.Nm
is a utility for gathering the public ssh host keys of a number of
hosts.
It was designed to aid in building and verifying
.Pa ssh_known_hosts
files.
.Nm
provides a minimal interface suitable for use by shell and perl
scripts.
.Pp
.Nm
uses non-blocking socket I/O to contact as many hosts as possible in
parallel, so it is very efficient.
The keys from a domain of 1,000
hosts can be collected in tens of seconds, even when some of those
hosts are down or do not run ssh.
For scanning, one does not need
login access to the machines that are being scanned, nor does the
scanning process involve any encryption.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl 4
Forces
.Nm
to use IPv4 addresses only.
.It Fl 6
Forces
.Nm
to use IPv6 addresses only.
.It Fl f Ar file
Read hosts or
.Pa addrlist namelist
pairs from this file, one per line.
If
.Pa -
is supplied instead of a filename,
.Nm
will read hosts or
.Pa addrlist namelist
pairs from the standard input.
.It Fl H
Hash all hostnames and addresses in the output.
Hashed names may be used normally by
.Nm ssh
and
.Nm sshd ,
but they do not reveal identifying information should the file's contents
be disclosed.
.It Fl p Ar port
Port to connect to on the remote host.
.It Fl T Ar timeout
Set the timeout for connection attempts.
If
.Pa timeout
seconds have elapsed since a connection was initiated to a host or since the
last time anything was read from that host, then the connection is
closed and the host in question is considered unavailable.
Default is 5 seconds.
.It Fl t Ar type
Specifies the type of the key to fetch from the scanned hosts.
The possible values are
.Dq rsa1
for protocol version 1 and
.Dq rsa
or
.Dq dsa
for protocol version 2.
Multiple values may be specified by separating them with commas.
The default is
.Dq rsa1 .
.It Fl v
Verbose mode.
Causes
.Nm
to print debugging messages about its progress.
.El
.Sh SECURITY
If an ssh_known_hosts file is constructed using
.Nm
without verifying the keys, users will be vulnerable to
.Em man in the middle
attacks.
On the other hand, if the security model allows such a risk,
.Nm
can help in the detection of tampered keyfiles or man in the middle
attacks which have begun after the ssh_known_hosts file was created.
.Sh FILES
.Pa Input format:
.Bd -literal
1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
.Ed
.Pp
.Pa Output format for rsa1 keys:
.Bd -literal
host-or-namelist bits exponent modulus
.Ed
.Pp
.Pa Output format for rsa and dsa keys:
.Bd -literal
host-or-namelist keytype base64-encoded-key
.Ed
.Pp
Where
.Pa keytype
is either
.Dq ssh-rsa
or
.Dq ssh-dss .
.Pp
.Pa /etc/ssh/ssh_known_hosts
.Sh EXAMPLES
Print the
.Pa rsa1
host key for machine
.Pa hostname :
.Bd -literal
$ ssh-keyscan hostname
.Ed
.Pp
Find all hosts from the file
.Pa ssh_hosts
which have new or different keys from those in the sorted file
.Pa ssh_known_hosts :
.Bd -literal
$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e
	sort -u - ssh_known_hosts | diff ssh_known_hosts -
.Ed
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr sshd 8
.Sh AUTHORS
.An -nosplit
.An David Mazieres Aq dm@lcs.mit.edu
wrote the initial version, and
.An Wayne Davison Aq wayned@users.sourceforge.net
added support for protocol version 2.
.Sh BUGS
It generates "Connection closed by remote host" messages on the consoles
of all the machines it scans if the server is older than version 2.9.
This is because it opens a connection to the ssh port, reads the public
key, and drops the connection as soon as it gets the key.
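The second example above compares scan output with ssh_known_hosts by a plain diff. The following shell script is an added example, not part of the ssh-keyscan manual or of OpenSSH: it parses both files in the rsa/dsa output format described under FILES, indexes every name of a comma-separated namelist, and classifies each scanned host as NEW, CHANGED or UNCHANGED, which is the tampered-key detection the SECURITY section describes. The two sample files are constructed here and their key strings are placeholders.

```shell
#!/bin/sh
# Added example: classify ssh-keyscan output against an existing known_hosts file.
# A CHANGED host is the case the SECURITY section warns about: the scanned key
# differs from the one on record, so it needs out-of-band verification.
# compare_keys KNOWN_HOSTS_FILE SCAN_OUTPUT_FILE
# Both files use the rsa/dsa output format "host-or-namelist keytype base64-key".
# Every name in a comma-separated namelist is indexed. Hashed (|1|...) scan
# entries cannot be matched by name, so they are reported as HASHED.
compare_keys() {
    awk '
        FNR == NR {                          # first file: known_hosts
            if (NF < 3 || $1 ~ /^[#|]/) next
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) known[names[i] " " $2] = $3
            next
        }
        NF < 3 || $1 ~ /^#/ { next }         # second file: scan output
        $1 ~ /^[|]1[|]/ { print "HASHED", $1, $2; next }
        {
            n = split($1, names, ",")
            status = "NEW"
            for (i = 1; i <= n; i++) {
                id = names[i] " " $2
                if (!(id in known)) continue
                status = (known[id] == $3) ? "UNCHANGED" : "CHANGED"
                break
            }
            print status, names[1], $2
        }' "$1" "$2"
}
# count_changed KNOWN_HOSTS_FILE SCAN_OUTPUT_FILE: number of hosts with a differing key.
count_changed() { compare_keys "$1" "$2" | grep -c '^CHANGED '; }

# Constructed sample data; the key strings are placeholders, not real key material.
KNOWN_FILE=$(mktemp)
SCAN_FILE=$(mktemp)
cat > "$KNOWN_FILE" <<'EOF'
# comment lines are ignored
host1.example,host1,10.0.0.1 ssh-rsa AAAAB3NzaC1yc2EAAAAplaceholder1
host2.example ssh-rsa AAAAB3NzaC1yc2EAAAAplaceholder2
EOF
cat > "$SCAN_FILE" <<'EOF'
host1 ssh-rsa AAAAB3NzaC1yc2EAAAAplaceholder1
host2.example ssh-rsa AAAAB3NzaC1yc2EAAAAdifferent
host3.example ssh-dss AAAAB3NzaC1kc3MAAAAplaceholder3
EOF
compare_keys "$KNOWN_FILE" "$SCAN_FILE"
```

On a live run the scan file would be the output of `ssh-keyscan -t rsa,dsa -f ssh_hosts`; any CHANGED line should be verified against the host's key fingerprint through an independent channel before ssh_known_hosts is updated.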