.\" $OpenBSD: ssh-keyscan.1,v 1.47 2022/10/28 02:29:34 djm Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
.\" Modification and redistribution in source and binary forms is
.\" permitted provided that due credit is given to the author and the
.\" OpenBSD project by leaving this copyright notice intact.
.\"
.Dd $Mdocdate: October 28 2022 $
.Dt SSH-KEYSCAN 1
.Os
.Sh NAME
.Nm ssh-keyscan
.Nd gather SSH public keys from servers
.Sh SYNOPSIS
.Nm ssh-keyscan
.Op Fl 46cDHv
.Op Fl f Ar file
.Op Fl p Ar port
.Op Fl T Ar timeout
.Op Fl t Ar type
.Op Ar host | addrlist namelist
.Sh DESCRIPTION
.Nm
is a utility for gathering the public SSH host keys of a number of
hosts.
It was designed to aid in building and verifying
.Pa ssh_known_hosts
files,
the format of which is documented in
.Xr sshd 8 .
.Nm
provides a minimal interface suitable for use by shell and perl
scripts.
.Pp
.Nm
uses non-blocking socket I/O to contact as many hosts as possible in
parallel, so it is very efficient.
The keys from a domain of 1,000
hosts can be collected in tens of seconds, even when some of those
hosts are down or do not run
.Xr sshd 8 .
For scanning, one does not need
login access to the machines that are being scanned, nor does the
scanning process involve any encryption.
.Pp
Hosts to be scanned may be specified by hostname, address or by CIDR
network range (e.g. 192.168.16/28).
If a network range is specified, then all addresses in that range will
be scanned.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl 4
Force
.Nm
to use IPv4 addresses only.
.It Fl 6
Force
.Nm
to use IPv6 addresses only.
.It Fl c
Request certificates from target hosts instead of plain keys.
.It Fl D
Print keys found as SSHFP DNS records.
The default is to print keys in a format usable as a
.Xr ssh 1
.Pa known_hosts
file.
.It Fl f Ar file
Read hosts or
.Dq addrlist namelist
pairs from
.Ar file ,
one per line.
If
.Sq -
is supplied instead of a filename,
.Nm
will read from the standard input.
Names read from a file must start with an address, hostname or CIDR network
range to be scanned.
Addresses and hostnames may optionally be followed by comma-separated name
or address aliases that will be copied to the output.
For example:
.Bd -literal
192.168.11.0/24
10.20.1.1
happy.example.org
10.0.0.1,sad.example.org
.Ed
.It Fl H
Hash all hostnames and addresses in the output.
Hashed names may be used normally by
.Xr ssh 1
and
.Xr sshd 8 ,
but they do not reveal identifying information should the file's contents
be disclosed.
.It Fl p Ar port
Connect to
.Ar port
on the remote host.
.It Fl T Ar timeout
Set the timeout for connection attempts.
If
.Ar timeout
seconds have elapsed since a connection was initiated to a host or since the
last time anything was read from that host, the connection is
closed and the host in question considered unavailable.
The default is 5 seconds.
.It Fl t Ar type
Specify the type of the key to fetch from the scanned hosts.
The possible values are
.Dq dsa ,
.Dq ecdsa ,
.Dq ed25519 ,
.Dq ecdsa-sk ,
.Dq ed25519-sk ,
or
.Dq rsa .
Multiple values may be specified by separating them with commas.
The default is to fetch
.Dq rsa ,
.Dq ecdsa ,
.Dq ed25519 ,
.Dq ecdsa-sk ,
and
.Dq ed25519-sk
keys.
.It Fl v
Verbose mode:
print debugging messages about progress.
.El
.Pp
If an ssh_known_hosts file is constructed using
.Nm
without verifying the keys, users will be vulnerable to
.Em man in the middle
attacks.
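The following is an added example and not part of the OpenSSH manual or source. It parses the -f input format described above (one hostname, address or CIDR range per line, optionally followed by comma-separated aliases that are copied to the output) and shows which host field a scanned host would get in the resulting known_hosts line, including the -p case where a non-default port is written in the [host]:port form documented in sshd(8). The function names, the treatment of '#' as a comment, the padding of short prefixes such as 192.168.16/28 with zero octets, and the one-line-per-name split on non-default ports are this example's own assumptions, not behaviour the manual states.

```python
import ipaddress

SSH_DEFAULT_PORT = 22


def _normalize_prefix(prefix: str) -> str:
    """Expand the short IPv4 prefix spelling used on the man page
    (e.g. 192.168.16/28) to the four-octet form ipaddress requires.
    Assumption: omitted trailing octets are zero."""
    addr, _, bits = prefix.partition("/")
    if ":" not in addr:  # IPv6 prefixes are left untouched
        parts = addr.split(".")
        parts += ["0"] * (4 - len(parts))
        addr = ".".join(parts)
    return f"{addr}/{bits}"


def parse_hosts_file(text: str) -> list[tuple[str, str]]:
    """Parse -f input: each line starts with a hostname, address or CIDR
    range; a hostname/address may be followed by comma-separated aliases
    that are copied to the output.  Returns (target, output_name) pairs,
    one per address that would be contacted.
    Assumption: text after '#' is a comment and blank lines are ignored."""
    targets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        first, _, _aliases = line.partition(",")
        if "/" in first:
            # A range: every address in it is scanned, each under its own
            # address; the manual attaches alias lists only to single names.
            net = ipaddress.ip_network(_normalize_prefix(first), strict=False)
            targets.extend((str(a), str(a)) for a in net)
        else:
            # The whole "host,alias,..." string becomes the output host field.
            targets.append((first, line))
    return targets


def host_fields(output_name: str, port: int = SSH_DEFAULT_PORT) -> list[str]:
    """Host field(s) of the known_hosts line(s) written for one scanned host.
    On port 22 the comma-separated name list is written as-is.  On any other
    port each name is written as [name]:port, the spelling sshd(8) documents
    for non-default ports; one line per name is this example's assumption."""
    if port == SSH_DEFAULT_PORT:
        return [output_name]
    return [f"[{name}]:{port}" for name in output_name.split(",")]


# Constructed sample in the -f format, mirroring the manual's example; the
# /24 is narrowed to a /30 so the expansion stays small.
SAMPLE_HOSTS_FILE = """\
192.168.11.0/30
10.20.1.1
happy.example.org        # trailing comment (assumption, see above)
10.0.0.1,sad.example.org
"""

if __name__ == "__main__":
    for target, name in parse_hosts_file(SAMPLE_HOSTS_FILE):
        print(f"connect to {target:16} -> host field {host_fields(name)}")
    print(host_fields("10.0.0.1,sad.example.org", port=2222))
```

Running the module prints one line per address the sample would cause to be scanned, so a 192.168.11.0/30 entry expands to four targets while the 10.0.0.1,sad.example.org entry keeps its alias in the host field.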
On the other hand, if the security model allows such a risk,
.Nm
can help in the detection of tampered keyfiles or man in the middle
attacks which have begun after the ssh_known_hosts file was created.
.Sh FILES
.Pa /etc/ssh/ssh_known_hosts
.Sh EXAMPLES
Print the RSA host key for machine
.Ar hostname :
.Pp
.Dl $ ssh-keyscan -t rsa hostname
.Pp
Search a network range, printing all supported key types:
.Pp
.Dl $ ssh-keyscan 192.168.0.64/25
.Pp
Find all hosts from the file
.Pa ssh_hosts
which have new or different keys from those in the sorted file
.Pa ssh_known_hosts :
.Bd -literal -offset indent
$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
	sort -u - ssh_known_hosts | diff ssh_known_hosts -
.Ed
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr sshd 8
.Rs
.%D 2006
.%R RFC 4255
.%T Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
.Re
.Sh AUTHORS
.An -nosplit
.An David Mazieres Aq Mt dm@lcs.mit.edu
wrote the initial version, and
.An Wayne Davison Aq Mt wayned@users.sourceforge.net
added support for protocol version 2.
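The following is an added example and not part of the OpenSSH manual or source. It serves two passages above: the -H option, whose hashed host fields have the form |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))| described in sshd(8), and the last example in EXAMPLES, which uses sort and diff to find hosts whose keys are new or differ from a stored ssh_known_hosts. The code compares fresh scan output against a stored file and reports, per host and key type, whether the key is new or has changed, which is the detection use the manual describes for the period after the file was created. Unlike the sort/diff pipeline it also matches plain scanned names against hashed stored entries. The function names and the sample key blobs are constructed for this example; the blobs are placeholders, not real keys.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"


def hash_host(name: str, salt=None) -> str:
    """Produce the -H form of a known_hosts host field, as documented in
    sshd(8): |1|base64(salt)|base64(HMAC-SHA1(salt, name))|.
    A random 20-byte salt (the SHA-1 digest size) is used if none is given."""
    if salt is None:
        salt = os.urandom(20)
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return (HASH_MAGIC + base64.b64encode(salt).decode() + "|"
            + base64.b64encode(mac).decode() + "|")


def host_matches(field: str, name: str) -> bool:
    """True if a stored host field (plain, comma-separated, or hashed)
    covers the hostname `name`.  Hashed fields are checked by recomputing
    the HMAC with the stored salt and comparing in constant time."""
    if field.startswith(HASH_MAGIC):
        _, _, salt_b64, mac_b64, _ = field.split("|")
        salt = base64.b64decode(salt_b64)
        expect = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expect, base64.b64decode(mac_b64))
    return name in field.split(",")


def parse_known_hosts(text: str) -> list[tuple[str, str, str]]:
    """Return (host_field, key_type, key_blob) for each key line; blank,
    comment and @marker lines (e.g. @revoked) are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@":
            continue
        parts = line.split()
        if len(parts) >= 3:
            entries.append((parts[0], parts[1], parts[2]))
    return entries


def find_changed_keys(scanned: str, known: str) -> dict:
    """Compare fresh ssh-keyscan output (plain host names) with a stored
    known_hosts file that may contain -H hashed entries.  A (host, type) is
    'new' when the stored file has no key of that type for the host and
    'changed' when it has a different one; matching keys are not reported."""
    result = {"new": [], "changed": []}
    known_entries = parse_known_hosts(known)
    for field, ktype, blob in parse_known_hosts(scanned):
        for name in field.split(","):  # scan output may carry "host,alias"
            stored = [kb for kf, kt, kb in known_entries
                      if kt == ktype and host_matches(kf, name)]
            if not stored:
                result["new"].append((name, ktype))
            elif blob not in stored:
                result["changed"].append((name, ktype))
    return result


# Constructed sample data; key blobs are placeholders, not real keys.
KNOWN_HOSTS = "\n".join([
    "happy.example.org ssh-ed25519 AAAAC3EXAMPLEKEYHAPPY",
    hash_host("sad.example.org", b"\x01" * 20) + " ssh-ed25519 AAAAC3EXAMPLEKEYSAD",
    "10.20.1.1 ssh-rsa AAAAB3EXAMPLEKEYRSA",
])
SCANNED = "\n".join([
    "happy.example.org ssh-ed25519 AAAAC3EXAMPLEKEYHAPPY",   # unchanged
    "sad.example.org ssh-ed25519 AAAAC3EXAMPLEKEYSAD",       # matches hashed entry
    "10.20.1.1 ssh-rsa AAAAB3DIFFERENTKEY",                   # changed key
    "10.20.1.1 ecdsa-sha2-nistp256 AAAAE2EXAMPLEKEYECDSA",   # key type not stored
])

if __name__ == "__main__":
    report = find_changed_keys(SCANNED, KNOWN_HOSTS)
    for host, ktype in report["changed"]:
        print(f"CHANGED {host} {ktype}  (investigate before trusting)")
    for host, ktype in report["new"]:
        print(f"NEW     {host} {ktype}")
```

A changed key for a host that is still running the same machine is the signal the manual's last paragraph refers to; whether it indicates a reinstalled host, a tampered file or an interposed host has to be settled out of band, the same as when the file was first verified.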