.\" $OpenBSD: ssh-keyscan.1,v 1.14 2002/02/13 08:33:47 mpech Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
.\" Modification and redistribution in source and binary forms is
.\" permitted provided that due credit is given to the author and the
.\" OpenBSD project by leaving this copyright notice intact.
.\"
.Dd January 1, 1996
.Dt SSH-KEYSCAN 1
.Os
.Sh NAME
.Nm ssh-keyscan
.Nd gather ssh public keys
.Sh SYNOPSIS
.Nm ssh-keyscan
.Op Fl v46
.Op Fl p Ar port
.Op Fl T Ar timeout
.Op Fl t Ar type
.Op Fl f Ar file
.Op Ar host | addrlist namelist
.Op Ar ...
.Sh DESCRIPTION
.Nm
is a utility for gathering the public ssh host keys of a number of
hosts.
It was designed to aid in building and verifying
.Pa ssh_known_hosts
files.
.Nm
provides a minimal interface suitable for use by shell and perl
scripts.
.Pp
.Nm
uses non-blocking socket I/O to contact as many hosts as possible in
parallel, so it is very efficient.
The keys from a domain of 1,000
hosts can be collected in tens of seconds, even when some of those
hosts are down or do not run ssh.
For scanning, one does not need
login access to the machines that are being scanned, nor does the
scanning process involve any encryption.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl p Ar port
Port to connect to on the remote host.
.It Fl T Ar timeout
Set the timeout for connection attempts.
If
.Pa timeout
seconds have elapsed since a connection was initiated to a host or since the
last time anything was read from that host, then the connection is
closed and the host in question considered unavailable.
Default is 5 seconds.
.It Fl t Ar type
Specifies the type of the key to fetch from the scanned hosts.
The possible values are
.Dq rsa1
for protocol version 1 and
.Dq rsa
or
.Dq dsa
for protocol version 2.
Multiple values may be specified by separating them with commas.
The default is
.Dq rsa1 .
.It Fl f Ar filename
Read hosts or
.Pa addrlist namelist
pairs from this file, one per line.
If
.Pa -
is supplied instead of a filename,
.Nm
will read hosts or
.Pa addrlist namelist
pairs from the standard input.
.It Fl v
Verbose mode.
Causes
.Nm
to print debugging messages about its progress.
.It Fl 4
Forces
.Nm
to use IPv4 addresses only.
.It Fl 6
Forces
.Nm
to use IPv6 addresses only.
.El
.Sh SECURITY
If a ssh_known_hosts file is constructed using
.Nm
without verifying the keys, users will be vulnerable to
.Em man in the middle
attacks.
On the other hand, if the security model allows such a risk,
.Nm
can help in the detection of tampered keyfiles or man in the middle
attacks which have begun after the ssh_known_hosts file was created.
.Sh EXAMPLES
Print the
.Pa rsa1
host key for machine
.Pa hostname :
.Bd -literal
$ ssh-keyscan hostname
.Ed
.Pp
Find all hosts from the file
.Pa ssh_hosts
which have new or different keys from those in the sorted file
.Pa ssh_known_hosts :
.Bd -literal
$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e\
	sort -u - ssh_known_hosts | diff ssh_known_hosts -
.Ed
.Sh FILES
.Pa Input format:
.Bd -literal
1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
.Ed
.Pp
.Pa Output format for rsa1 keys:
.Bd -literal
host-or-namelist bits exponent modulus
.Ed
.Pp
.Pa Output format for rsa and dsa keys:
.Bd -literal
host-or-namelist keytype base64-encoded-key
.Ed
.Pp
Where
.Pa keytype
is either
.Dq ssh-rsa
or
.Dq ssh-dsa .
.Pp
.Pa /etc/ssh/ssh_known_hosts
.Sh BUGS
It generates "Connection closed by remote host" messages on the consoles
of all the machines it scans if the server is older than version 2.9.
This is because it opens a connection to the ssh port, reads the public
key, and drops the connection as soon as it gets the key.
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr sshd 8
.Sh AUTHORS
David Mazieres <dm@lcs.mit.edu>
wrote the initial version, and
Wayne Davison <wayned@users.sourceforge.net>
added support for protocol version 2.
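A shell check, added here as an example and not part of the manual page or of OpenSSH, that performs the comparison the EXAMPLES and SECURITY sections describe: scanned keys are matched against an existing ssh_known_hosts file and each host whose key is new, or has changed since the file was created, is reported per key type rather than as a raw diff. It handles both output formats listed under FILES (rsa/dsa lines and rsa1 lines), assumes the host column is written identically in both inputs, and uses constructed placeholder data instead of real keys.

```shell
#!/bin/sh
# Report every (host, keytype) in ssh-keyscan output whose key is NEW
# (host/type not yet in known_hosts) or CHANGED (listed with a different
# key).  rsa/dsa lines are "host keytype base64-key"; rsa1 lines are
# "host bits exponent modulus" and are reported under the type "rsa1".

# compare_keys SCAN KNOWN: both arguments are file contents as strings.
# Prints "NEW host type" / "CHANGED host type" lines, sorted.
compare_keys() {
    {
        printf '%s\n' "$2" | sed 's/^/K /'   # tag known_hosts lines
        printf '%s\n' "$1" | sed 's/^/S /'   # tag scan output lines
    } | awk '
        $2 ~ /^#/ || NF < 4 { next }          # skip comments and blanks
        {
            # rsa1 lines carry "bits exponent modulus" instead of a keytype
            if ($3 ~ /^[0-9]+$/) { type = "rsa1"; key = $4 " " $5 }
            else                 { type = $3;     key = $4 }
            id = $2 SUBSEP type
        }
        $1 == "K" { known[id] = key; next }
        !(id in known)   { print "NEW " $2 " " type; next }
        known[id] != key { print "CHANGED " $2 " " type }
    ' | sort
}

# Constructed sample data (placeholder key material, not real keys):
# alpha unchanged, beta rsa key rotated, gamma not yet known,
# delta an unchanged rsa1 key.
SCAN_OUTPUT='alpha.example ssh-rsa AAAAB3NzaC1yc2EAAAAalpha1
beta.example ssh-rsa AAAAB3NzaC1yc2EAAAAbeta2
beta.example ssh-dss AAAAB3NzaC1kc3MAAAAbeta1
gamma.example ssh-rsa AAAAB3NzaC1yc2EAAAAgamma1
delta.example 1024 35 1234567890123456789'
KNOWN_HOSTS='# constructed ssh_known_hosts
alpha.example ssh-rsa AAAAB3NzaC1yc2EAAAAalpha1
beta.example ssh-rsa AAAAB3NzaC1yc2EAAAAbeta1
beta.example ssh-dss AAAAB3NzaC1kc3MAAAAbeta1
delta.example 1024 35 1234567890123456789'

compare_keys "$SCAN_OUTPUT" "$KNOWN_HOSTS"
```

A CHANGED line deserves the same scrutiny as a first-time key: it is exactly the signal the SECURITY section says this tool can provide, and only an out-of-band check of the host's fingerprint tells a legitimate rotation from a tampered file or an interposed host.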