xref: /freebsd/crypto/openssh/ssh-keyscan.1 (revision 92eb0aa103fa16ca6fc3ae7097a6a27d993f3b3c)
.\"	$OpenBSD: ssh-keyscan.1,v 1.22 2006/09/25 04:55:38 ray Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
.\" Modification and redistribution in source and binary forms is
.\" permitted provided that due credit is given to the author and the
.\" OpenBSD project by leaving this copyright notice intact.
.\"
.Dd January 1, 1996
.Dt SSH-KEYSCAN 1
.Os
.Sh NAME
.Nm ssh-keyscan
.Nd gather ssh public keys
.Sh SYNOPSIS
.Nm ssh-keyscan
.Bk -words
.Op Fl 46Hv
.Op Fl f Ar file
.Op Fl p Ar port
.Op Fl T Ar timeout
.Op Fl t Ar type
.Op Ar host | addrlist namelist
.Op Ar ...
.Ek
.Sh DESCRIPTION
.Nm
is a utility for gathering the public ssh host keys of a number of
hosts.
It was designed to aid in building and verifying
.Pa ssh_known_hosts
files.
.Nm
provides a minimal interface suitable for use by shell and perl
scripts.
.Pp
.Nm
uses non-blocking socket I/O to contact as many hosts as possible in
parallel, so it is very efficient.
The keys from a domain of 1,000
hosts can be collected in tens of seconds, even when some of those
hosts are down or do not run ssh.
For scanning, one does not need
login access to the machines that are being scanned, nor does the
scanning process involve any encryption.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl 4
Forces
.Nm
to use IPv4 addresses only.
.It Fl 6
Forces
.Nm
to use IPv6 addresses only.
.It Fl f Ar file
Read hosts or
.Pa addrlist namelist
pairs from this file, one per line.
If
.Pa -
is supplied instead of a filename,
.Nm
will read hosts or
.Pa addrlist namelist
pairs from the standard input.
.It Fl H
Hash all hostnames and addresses in the output.
Hashed names may be used normally by
.Nm ssh
and
.Nm sshd ,
but they do not reveal identifying information should the file's contents
be disclosed.
.It Fl p Ar port
Port to connect to on the remote host.
.It Fl T Ar timeout
Set the timeout for connection attempts.
If
.Pa timeout
seconds have elapsed since a connection was initiated to a host or since the
last time anything was read from that host, then the connection is
closed and the host in question considered unavailable.
Default is 5 seconds.
.It Fl t Ar type
Specifies the type of the key to fetch from the scanned hosts.
The possible values are
.Dq rsa1
for protocol version 1 and
.Dq rsa
or
.Dq dsa
for protocol version 2.
Multiple values may be specified by separating them with commas.
The default is
.Dq rsa1 .
.It Fl v
Verbose mode.
Causes
.Nm
to print debugging messages about its progress.
.El
.Sh SECURITY
If an ssh_known_hosts file is constructed using
.Nm
without verifying the keys, users will be vulnerable to
.Em man in the middle
attacks.
On the other hand, if the security model allows such a risk,
.Nm
can help in the detection of tampered keyfiles or man in the middle
attacks which have begun after the ssh_known_hosts file was created.
.Sh FILES
.Pa Input format:
.Bd -literal
1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
.Ed
.Pp
.Pa Output format for rsa1 keys:
.Bd -literal
host-or-namelist bits exponent modulus
.Ed
.Pp
.Pa Output format for rsa and dsa keys:
.Bd -literal
host-or-namelist keytype base64-encoded-key
.Ed
.Pp
Where
.Pa keytype
is either
.Dq ssh-rsa
or
.Dq ssh-dss .
.Pp
.Pa /etc/ssh/ssh_known_hosts
.Sh EXAMPLES
Print the
.Pa rsa1
host key for machine
.Pa hostname :
.Bd -literal
$ ssh-keyscan hostname
.Ed
.Pp
Find all hosts from the file
.Pa ssh_hosts
which have new or different keys from those in the sorted file
.Pa ssh_known_hosts :
.Bd -literal
$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e
	sort -u - ssh_known_hosts | diff ssh_known_hosts -
.Ed
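.Pp
The sort/diff pipeline above lists scanned lines that are absent from
ssh_known_hosts but does not say whether a host is new or whether a
known host now presents a different key, which is the case the SECURITY
section warns about.
The following Python script is an added illustration, not part of OpenSSH:
it parses the "host-or-namelist keytype base64-encoded-key" output format,
classifies each scanned host and key type as new, unchanged or changed, and
also matches known_hosts entries hashed the way the -H option writes them
(|1|base64(salt)|base64(HMAC-SHA1 keyed with the salt over the host name)).
The host names, salt and key strings are constructed sample data.

```python
import base64
import hashlib
import hmac

def hashed_host(name, salt):
    """Host field as written by "ssh-keyscan -H": |1|b64(salt)|b64(HMAC-SHA1(salt, name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def host_matches(host_field, name):
    """True if a known_hosts host field (plain name, comma list, or hashed) covers name."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return name in host_field.split(",")

def parse_entries(text):
    """Yield (hosts, keytype, key) from ssh-keyscan output or a known_hosts file."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not line.startswith("#"):
            yield fields[:3]  # a trailing key comment, if any, is ignored

def compare_scan(scan_text, known_text):
    """Map (host name, keytype) -> "new", "unchanged" or "CHANGED" relative to known_hosts."""
    known = list(parse_entries(known_text))
    report = {}
    for hosts, keytype, key in parse_entries(scan_text):
        for name in hosts.split(","):
            seen = [k for h, t, k in known if t == keytype and host_matches(h, name)]
            if not seen:
                report[(name, keytype)] = "new"
            elif key in seen:
                report[(name, keytype)] = "unchanged"
            else:
                report[(name, keytype)] = "CHANGED"  # tampered file or man in the middle
    return report

# Constructed sample data: a fixed salt, a known_hosts file with one plain and one -H style
# hashed entry, and three scanned lines in the "host-or-namelist keytype key" format.
SALT = bytes(range(20))
KNOWN_HOSTS = "name.my.domain,1.2.3.4 ssh-rsa AAAA-constructed-key-1\n" \
    + hashed_host("other.my.domain", SALT) + " ssh-dss AAAA-constructed-key-2\n"
SCAN_OUTPUT = """\
name.my.domain,1.2.3.4 ssh-rsa AAAA-constructed-key-1
other.my.domain ssh-dss AAAA-constructed-key-2-replaced
new.my.domain ssh-rsa AAAA-constructed-key-3
"""
```

Calling compare_scan(SCAN_OUTPUT, KNOWN_HOSTS) flags other.my.domain as CHANGED and new.my.domain as new while both names of the first entry are unchanged.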
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr sshd 8
.Sh AUTHORS
.An -nosplit
.An David Mazieres Aq dm@lcs.mit.edu
wrote the initial version, and
.An Wayne Davison Aq wayned@users.sourceforge.net
added support for protocol version 2.
.Sh BUGS
It generates "Connection closed by remote host" messages on the consoles
of all the machines it scans if the server is older than version 2.9.
This is because it opens a connection to the ssh port, reads the public
key, and drops the connection as soon as it gets the key.