ssh-keyscan.0   [plain text]



SSH-KEYSCAN(1)              System Reference Manual             SSH-KEYSCAN(1)

NAME
     ssh-keyscan - gather ssh public keys

SYNOPSIS
     ssh-keyscan [-t timeout] [-- | host | addrlist namelist] [-f files ...]

DESCRIPTION
     ssh-keyscan is a utility for gathering the public ssh host keys of a numM--
     ber of hosts.  It was designed to aid in building and verifying
     ssh_known_hosts files.  ssh-keyscan provides a minimal interface suitable
     for use by shell and perl scripts.

     ssh-keyscan uses non-blocking socket I/O to contact as many hosts as posM--
     sible in parallel, so it is very efficient.  The keys from a domain of
     1,000 hosts can be collected in tens of seconds, even when some of those
     hosts are down or do not run ssh.  You do not need login access to the
     machines you are scanning, nor does the scanning process involve any enM--
     cryption.

SECURITY
     If you make an ssh_known_hosts file using ssh-keyscan without verifying
     the keys, you will be vulnerable to attacks.  On the other hand, if your
     security model allows such a risk, ssh-keyscan can help you detect tamM--
     pered keyfiles or man in the middle attacks which have begun after you
     created your ssh_known_hosts file.

OPTIONS
     -t      Set the timeout for connection attempts.  If timeout seconds have
             elapsed since a connection was initiated to a host or since the
             last time anything was read from that host, then the connection
             is closed and the host in question considered unavailable.  DeM--
             fault is 5 seconds.

     -f      Read hosts or addrlist namelist pairs from this file, one per
             line.  If - is supplied instead of a filename, ssh-keyscan will
             read hosts or addrlist namelist pairs from the standard input.

EXAMPLES
     Print the host key for machine hostname:

     ssh-keyscan hostname

     Find all hosts from the file ssh_hosts which have new or different keys
     from those in the sorted file ssh_known_hosts:

     $ ssh-keyscan -f ssh_hosts | sort -u - ssh_known_hosts | \
             diff ssh_known_hosts -

FILES
     Input format: 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.doM--
     main,n,1.2.3.4,1.2.4.4

     Output format: host-or-namelist bits exponent modulus

     /etc/ssh_known_hosts

BUGS
     It generates "Connection closed by remote host" messages on the consoles
     of all the machines it scans.  This is because it opens a connection to
     the ssh port, reads the public key, and drops the connection as soon as
     it gets the key.

SEE ALSO
     ssh(1),  sshd(8)

AUTHOR
     David Mazieres <dm@lcs.mit.edu>

BSD Experimental                January 1, 1996                              2