summaryrefslogtreecommitdiffstats
path: root/ssh-keyscan.0
diff options
context:
space:
mode:
Diffstat (limited to 'ssh-keyscan.0')
-rw-r--r--ssh-keyscan.0121
1 files changed, 121 insertions, 0 deletions
diff --git a/ssh-keyscan.0 b/ssh-keyscan.0
new file mode 100644
index 0000000..ee73788
--- /dev/null
+++ b/ssh-keyscan.0
@@ -0,0 +1,121 @@
+SSH-KEYSCAN(1) General Commands Manual SSH-KEYSCAN(1)
+
+NAME
+ ssh-keyscan M-bM-^@M-^S gather SSH public keys from servers
+
+SYNOPSIS
+ ssh-keyscan [-46cDHv] [-f file] [-O option] [-p port] [-T timeout]
+ [-t type] [host | addrlist namelist]
+
+DESCRIPTION
+ ssh-keyscan is a utility for gathering the public SSH host keys of a
+ number of hosts. It was designed to aid in building and verifying
+ ssh_known_hosts files, the format of which is documented in sshd(8).
+ ssh-keyscan provides a minimal interface suitable for use by shell and
+ perl scripts.
+
+ ssh-keyscan uses non-blocking socket I/O to contact as many hosts as
+ possible in parallel, so it is very efficient. The keys from a domain of
+ 1,000 hosts can be collected in tens of seconds, even when some of those
+ hosts are down or do not run sshd(8). For scanning, one does not need
+ login access to the machines that are being scanned, nor does the
+ scanning process involve any encryption.
+
+ Hosts to be scanned may be specified by hostname, address or by CIDR
+ network range (e.g. 192.168.16/28). If a network range is specified,
+ then all addresses in that range will be scanned.
+
+ The options are as follows:
+
+ -4 Force ssh-keyscan to use IPv4 addresses only.
+
+ -6 Force ssh-keyscan to use IPv6 addresses only.
+
+ -c Request certificates from target hosts instead of plain keys.
+
+ -D Print keys found as SSHFP DNS records. The default is to print
+ keys in a format usable as a ssh(1) known_hosts file.
+
+ -f file
+ Read hosts or M-bM-^@M-^\addrlist namelistM-bM-^@M-^] pairs from file, one per line.
+ If M-bM-^@M-^X-M-bM-^@M-^Y is supplied instead of a filename, ssh-keyscan will read
+ from the standard input. Names read from a file must start with
+ an address, hostname or CIDR network range to be scanned.
+ Addresses and hostnames may optionally be followed by comma-
+ separated name or address aliases that will be copied to the
+ output. For example:
+
+ 192.168.11.0/24
+ 10.20.1.1
+ happy.example.org
+ 10.0.0.1,sad.example.org
+
+ -H Hash all hostnames and addresses in the output. Hashed names may
+ be used normally by ssh(1) and sshd(8), but they do not reveal
+ identifying information should the file's contents be disclosed.
+
+ -O option
+ Specify a key/value option. At present, only a single option is
+ supported:
+
+ hashalg=algorithm
+ Selects a hash algorithm to use when printing SSHFP
+ records using the -D flag. Valid algorithms are M-bM-^@M-^\sha1M-bM-^@M-^]
+ and M-bM-^@M-^\sha256M-bM-^@M-^]. The default is to print both.
+
+ -p port
+ Connect to port on the remote host.
+
+ -T timeout
+ Set the timeout for connection attempts. If timeout seconds have
+ elapsed since a connection was initiated to a host or since the
+ last time anything was read from that host, the connection is
+ closed and the host in question considered unavailable. The
+ default is 5 seconds.
+
+ -t type
+ Specify the type of the key to fetch from the scanned hosts. The
+ possible values are M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], M-bM-^@M-^\ecdsa-skM-bM-^@M-^],
+ M-bM-^@M-^\ed25519-skM-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^]. Multiple values may be specified by
+ separating them with commas. The default is to fetch M-bM-^@M-^\rsaM-bM-^@M-^],
+ M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], M-bM-^@M-^\ecdsa-skM-bM-^@M-^], and M-bM-^@M-^\ed25519-skM-bM-^@M-^] keys.
+
+ -v Verbose mode: print debugging messages about progress.
+
+ If an ssh_known_hosts file is constructed using ssh-keyscan without
+ verifying the keys, users will be vulnerable to man in the middle
+ attacks. On the other hand, if the security model allows such a risk,
+ ssh-keyscan can help in the detection of tampered keyfiles or man in the
+ middle attacks which have begun after the ssh_known_hosts file was
+ created.
+
+FILES
+ /etc/ssh/ssh_known_hosts
+
+EXAMPLES
+ Print the RSA host key for machine hostname:
+
+ $ ssh-keyscan -t rsa hostname
+
+ Search a network range, printing all supported key types:
+
+ $ ssh-keyscan 192.168.0.64/25
+
+ Find all hosts from the file ssh_hosts which have new or different keys
+ from those in the sorted file ssh_known_hosts:
+
+ $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \
+ sort -u - ssh_known_hosts | diff ssh_known_hosts -
+
+SEE ALSO
+ ssh(1), sshd(8)
+
+ Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints, RFC
+ 4255, 2006.
+
+AUTHORS
+ David Mazieres <dm@lcs.mit.edu> wrote the initial version, and Wayne
+ Davison <wayned@users.sourceforge.net> added support for protocol version
+ 2.
+
+OpenBSD 7.3 February 10, 2023 OpenBSD 7.3