suzanne.soy/man-pages
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
gh-pages
man-pages/man1/ssh-keyscan.1.html
Suzanne Soy 4c89183f2b Added man pages from my system
2021-03-31 01:06:50 +01:00

339 lines
5.3 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of SSH-KEYSCAN</TITLE>
</HEAD><BODY>
<H1>SSH-KEYSCAN</H1>
Section: User Commands (1)<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
<BR>BSD mandoc<BR>
<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>
<B>ssh-keyscan</B>
- gather SSH public keys from servers
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>
<B>ssh-keyscan</B>
[-<B>46cDHv </B>[-<B>f </B><I>file</I>
]
]
[-<B>p </B><I>port</I>
]
[-<B>T </B><I>timeout</I>
]
[-<B>t </B><I>type</I>
]
[<I>host | addrlist namelist</I>
]
<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>
<B>ssh-keyscan</B>
is a utility for gathering the public SSH host keys of a number of
hosts.
It was designed to aid in building and verifying
ssh_known_hosts
files,
the format of which is documented in
<A HREF="/cgi-bin/man/man2html?8+sshd">sshd</A>(8).
<B>ssh-keyscan</B>
provides a minimal interface suitable for use by shell and perl
scripts.
<P>
<B>ssh-keyscan</B>
uses non-blocking socket I/O to contact as many hosts as possible in
parallel, so it is very efficient.
The keys from a domain of 1,000
hosts can be collected in tens of seconds, even when some of those
hosts are down or do not run
<A HREF="/cgi-bin/man/man2html?8+sshd">sshd</A>(8).
For scanning, one does not need
login access to the machines that are being scanned, nor does the
scanning process involve any encryption.
<P>
The options are as follows:
<DL COMPACT>
<P>
<DT id="1"><B>-4</B>
<DD>
Force
<B>ssh-keyscan</B>
to use IPv4 addresses only.
<DT id="2"><B>-6</B>
<DD>
Force
<B>ssh-keyscan</B>
to use IPv6 addresses only.
<DT id="3"><B>-c</B>
<DD>
Request certificates from target hosts instead of plain keys.
<DT id="4"><B>-D</B>
<DD>
Print keys found as SSHFP DNS records.
The default is to print keys in a format usable as a
<A HREF="/cgi-bin/man/man2html?1+ssh">ssh</A>(1)
known_hosts
file.
<DT id="5"><B>-f </B><I>file</I>
<DD>
Read hosts or
``addrlist namelist''
pairs from
<I>file</I>
one per line.
If
`-'
is supplied instead of a filename,
<B>ssh-keyscan</B>
will read from the standard input.
Input is expected in the format:
<PRE>
1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
</PRE>
<DT id="6"><B>-H</B>
<DD>
Hash all hostnames and addresses in the output.
Hashed names may be used normally by
<A HREF="/cgi-bin/man/man2html?1+ssh">ssh</A>(1)
and
<A HREF="/cgi-bin/man/man2html?8+sshd">sshd</A>(8),
but they do not reveal identifying information should the file's contents
be disclosed.
<DT id="7"><B>-p </B><I>port</I>
<DD>
Connect to
<I>port</I>
on the remote host.
<DT id="8"><B>-T </B><I>timeout</I>
<DD>
Set the timeout for connection attempts.
If
<I>timeout</I>
seconds have elapsed since a connection was initiated to a host or since the
last time anything was read from that host, the connection is
closed and the host in question considered unavailable.
The default is 5 seconds.
<DT id="9"><B>-t </B><I>type</I>
<DD>
Specify the type of the key to fetch from the scanned hosts.
The possible values are
``dsa''
``ecdsa''
``ed25519''
or
``rsa''
Multiple values may be specified by separating them with commas.
The default is to fetch
``rsa''
``ecdsa''
and
``ed25519''
keys.
<DT id="10"><B>-v</B>
<DD>
Verbose mode:
print debugging messages about progress.
</DL>
<P>
<P>
If an ssh_known_hosts file is constructed using
<B>ssh-keyscan</B>
without verifying the keys, users will be vulnerable to
<I>man in the middle</I>
attacks.
On the other hand, if the security model allows such a risk,
<B>ssh-keyscan</B>
can help in the detection of tampered keyfiles or man in the middle
attacks which have begun after the ssh_known_hosts file was created.
<A NAME="lbAE">&nbsp;</A>
<H2>FILES</H2>
/etc/ssh/ssh_known_hosts
<A NAME="lbAF">&nbsp;</A>
<H2>EXAMPLES</H2>
Print the RSA host key for machine
<I>hostname</I>
<P>
<BLOCKQUOTE><TT>$ ssh-keyscan -t rsa hostname</TT></BLOCKQUOTE>
<P>
Find all hosts from the file
ssh_hosts
which have new or different keys from those in the sorted file
ssh_known_hosts
<BLOCKQUOTE>
<PRE>
$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \
sort -u - ssh_known_hosts | diff ssh_known_hosts -
</PRE>
</BLOCKQUOTE>
<A NAME="lbAG">&nbsp;</A>
<H2>SEE ALSO</H2>
<A HREF="/cgi-bin/man/man2html?1+ssh">ssh</A>(1),
<A HREF="/cgi-bin/man/man2html?8+sshd">sshd</A>(8)
<DL COMPACT><DT id="11"><DD>
2006
<I>RFC 4255</I>
<I>Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints</I>
</DL>
<A NAME="lbAH">&nbsp;</A>
<H2>AUTHORS</H2>
An -nosplit
An David Mazieres Aq Mt <A HREF="mailto:dm@lcs.mit.edu">dm@lcs.mit.edu</A>
wrote the initial version, and
An Wayne Davison Aq Mt <A HREF="mailto:wayned@users.sourceforge.net">wayned@users.sourceforge.net</A>
added support for protocol version 2.
<P>
<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="12"><A HREF="#lbAB">NAME</A><DD>
<DT id="13"><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT id="14"><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT id="15"><A HREF="#lbAE">FILES</A><DD>
<DT id="16"><A HREF="#lbAF">EXAMPLES</A><DD>
<DT id="17"><A HREF="#lbAG">SEE ALSO</A><DD>
<DT id="18"><A HREF="#lbAH">AUTHORS</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:05:27 GMT, March 31, 2021
</BODY>
</HTML>
Reference in New Issue View Git Blame Copy Permalink