|
- .\" $OpenBSD: ssh-keyscan.1,v 1.49 2023/02/10 06:41:53 jmc Exp $
- .\"
- .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
- .\"
- .\" Modification and redistribution in source and binary forms is
- .\" permitted provided that due credit is given to the author and the
- .\" OpenBSD project by leaving this copyright notice intact.
- .\"
- .Dd $Mdocdate: February 10 2023 $
- .Dt SSH-KEYSCAN 1
- .Os
- .Sh NAME
- .Nm ssh-keyscan
- .Nd gather SSH public keys from servers
- .Sh SYNOPSIS
- .Nm ssh-keyscan
- .Op Fl 46cDHv
- .Op Fl f Ar file
- .Op Fl O Ar option
- .Op Fl p Ar port
- .Op Fl T Ar timeout
- .Op Fl t Ar type
- .Op Ar host | addrlist namelist
- .Sh DESCRIPTION
- .Nm
- is a utility for gathering the public SSH host keys of a number of
- hosts.
- It was designed to aid in building and verifying
- .Pa ssh_known_hosts
- files,
- the format of which is documented in
- .Xr sshd 8 .
- .Nm
- provides a minimal interface suitable for use by shell and perl
- scripts.
- .Pp
- .Nm
- uses non-blocking socket I/O to contact as many hosts as possible in
- parallel, so it is very efficient.
- The keys from a domain of 1,000
- hosts can be collected in tens of seconds, even when some of those
- hosts are down or do not run
- .Xr sshd 8 .
- For scanning, one does not need
- login access to the machines that are being scanned, nor does the
- scanning process involve any encryption.
- .Pp
- Hosts to be scanned may be specified by hostname, address or by CIDR
- network range (e.g. 192.168.16/28).
- If a network range is specified, then all addresses in that range will
- be scanned.
- .Pp
- The options are as follows:
- .Bl -tag -width Ds
- .It Fl 4
- Force
- .Nm
- to use IPv4 addresses only.
- .It Fl 6
- Force
- .Nm
- to use IPv6 addresses only.
- .It Fl c
- Request certificates from target hosts instead of plain keys.
- .It Fl D
- Print keys found as SSHFP DNS records.
- The default is to print keys in a format usable as a
- .Xr ssh 1
- .Pa known_hosts
- file.
- .It Fl f Ar file
- Read hosts or
- .Dq addrlist namelist
- pairs from
- .Ar file ,
- one per line.
- If
- .Sq -
- is supplied instead of a filename,
- .Nm
- will read from the standard input.
- Names read from a file must start with an address, hostname or CIDR network
- range to be scanned.
- Addresses and hostnames may optionally be followed by comma-separated name
- or address aliases that will be copied to the output.
- For example:
- .Bd -literal
- 192.168.11.0/24
- 10.20.1.1
- happy.example.org
- 10.0.0.1,sad.example.org
- .Ed
- .It Fl H
- Hash all hostnames and addresses in the output.
- Hashed names may be used normally by
- .Xr ssh 1
- and
- .Xr sshd 8 ,
- but they do not reveal identifying information should the file's contents
- be disclosed.
- .It Fl O Ar option
- Specify a key/value option.
- At present, only a single option is supported:
- .Bl -tag -width Ds
- .It Cm hashalg Ns = Ns Ar algorithm
- Selects a hash algorithm to use when printing SSHFP records using the
- .Fl D
- flag.
- Valid algorithms are
- .Dq sha1
- and
- .Dq sha256 .
- The default is to print both.
- .El
- .It Fl p Ar port
- Connect to
- .Ar port
- on the remote host.
- .It Fl T Ar timeout
- Set the timeout for connection attempts.
- If
- .Ar timeout
- seconds have elapsed since a connection was initiated to a host or since the
- last time anything was read from that host, the connection is
- closed and the host in question considered unavailable.
- The default is 5 seconds.
- .It Fl t Ar type
- Specify the type of the key to fetch from the scanned hosts.
- The possible values are
- .Dq dsa ,
- .Dq ecdsa ,
- .Dq ed25519 ,
- .Dq ecdsa-sk ,
- .Dq ed25519-sk ,
- or
- .Dq rsa .
- Multiple values may be specified by separating them with commas.
- The default is to fetch
- .Dq rsa ,
- .Dq ecdsa ,
- .Dq ed25519 ,
- .Dq ecdsa-sk ,
- and
- .Dq ed25519-sk
- keys.
- .It Fl v
- Verbose mode:
- print debugging messages about progress.
- .El
- .Pp
- If an ssh_known_hosts file is constructed using
- .Nm
- without verifying the keys, users will be vulnerable to
- .Em man in the middle
- attacks.
- On the other hand, if the security model allows such a risk,
- .Nm
- can help in the detection of tampered keyfiles or man in the middle
- attacks which have begun after the ssh_known_hosts file was created.
- .Sh FILES
- .Pa /etc/ssh/ssh_known_hosts
- .Sh EXAMPLES
- Print the RSA host key for machine
- .Ar hostname :
- .Pp
- .Dl $ ssh-keyscan -t rsa hostname
- .Pp
- Search a network range, printing all supported key types:
- .Pp
- .Dl $ ssh-keyscan 192.168.0.64/25
- .Pp
- Find all hosts from the file
- .Pa ssh_hosts
- which have new or different keys from those in the sorted file
- .Pa ssh_known_hosts :
- .Bd -literal -offset indent
- $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
- sort -u - ssh_known_hosts | diff ssh_known_hosts -
- .Ed
- .Sh SEE ALSO
- .Xr ssh 1 ,
- .Xr sshd 8
- .Rs
- .%D 2006
- .%R RFC 4255
- .%T Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
- .Re
- .Sh AUTHORS
- .An -nosplit
- .An David Mazieres Aq Mt dm@lcs.mit.edu
- wrote the initial version, and
- .An Wayne Davison Aq Mt wayned@users.sourceforge.net
- added support for protocol version 2.
|