summaryrefslogtreecommitdiff
path: root/ssh-keyscan.1
diff options
context:
space:
mode:
authorBen Lindstrom <mouring@eviladmin.org>2000-12-05 01:15:09 +0000
committerBen Lindstrom <mouring@eviladmin.org>2000-12-05 01:15:09 +0000
commitb6434ae0e89c6614645a6e8ef50be1c5884beaf5 (patch)
treeddd59719a473c529c0f783bd273b1ef92fdf03db /ssh-keyscan.1
parentd121f613708c3c9c82465b0788550943a918d5c8 (diff)
20001205
- (bal) OpenSSH CVS updates: - markus@cvs.openbsd.org 2000/12/04 19:24:02 [ssh-keyscan.c ssh-keyscan.1] David Maziere's ssh-keyscan, ok niels@ - (bal) Updated Makefile.in to include ssh-keyscan that was just added to the recent OpenBSD source tree.
Diffstat (limited to 'ssh-keyscan.1')
-rw-r--r--ssh-keyscan.194
1 files changed, 94 insertions, 0 deletions
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
new file mode 100644
index 00000000..efd6e744
--- /dev/null
+++ b/ssh-keyscan.1
@@ -0,0 +1,94 @@
+.Dd January 1, 1996
+.Dt ssh-keyscan 1
+.Os
+.Sh NAME
+.Nm ssh-keyscan
+.Nd gather ssh public keys
+.Sh SYNOPSIS
+.Nm ssh-keyscan
+.Op Fl t Ar timeout
+.Op Ar -- | host | addrlist namelist
+.Op Fl f Ar files ...
+.Sh DESCRIPTION
+.Nm
+is a utility for gathering the public ssh host keys of a number of
+hosts. It was designed to aid in building and verifying
+.Pa ssh_known_hosts
+files.
+.Nm
+provides a minimal interface suitable for use by shell and perl
+scripts.
+.Pp
+.Nm
+uses non-blocking socket I/O to contact as many hosts as possible in
+parallel, so it is very efficient. The keys from a domain of 1,000
+hosts can be collected in tens of seconds, even when some of those
+hosts are down or do not run ssh. You do not need login access to the
+machines you are scanning, nor does does the scanning process involve
+any encryption.
+.Sh SECURITY
+If you make an ssh_known_hosts file using
+.Nm
+without verifying the keys, you will be vulnerable to
+.I man in the middle
+attacks.
+On the other hand, if your security model allows such a risk,
+.Nm
+can help you detect tampered keyfiles or man in the middle attacks which
+have begun after you created your ssh_known_hosts file.
+.Sh OPTIONS
+.Bl -tag -width Ds
+.It Fl t
+Set the timeout for connection attempts. If
+.Pa timeout
+seconds have elapsed since a connection was initiated to a host or since the
+last time anything was read from that host, then the connection is
+closed and the host in question considered unavailable. Default is 5
+seconds.
+.It Fl f
+Read hosts or
+.Pa addrlist namelist
+pairs from this file, one per line.
+If
+.Pa -
+is supplied instead of a filename,
+.Nm
+will read hosts or
+.Pa addrlist namelist
+pairs from the standard input.
+.Sh EXAMPLES
+.Pp
+Print the host key for machine
+.Pa hostname :
+.Bd -literal
+ssh-keyscan hostname
+.Ed
+.Pp
+Find all hosts from the file
+.Pa ssh_hosts
+which have new or different keys from those in the sorted file
+.Pa ssh_known_hosts :
+.Bd -literal
+ssh-keyscan -f ssh_hosts | sort -u - ssh_known_hosts | \e\
+ diff ssh_known_hosts -
+.Ed
+.Pp
+.Sh FILES
+.Pp
+.Pa Input format:
+1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
+.Pp
+.Pa Output format:
+host-or-namelist bits exponent modulus
+.Pp
+.Pa /etc/ssh_known_hosts
+.Sh BUGS
+It generates "Connection closed by remote host" messages on the consoles
+of all the machines it scans.
+This is because it opens a connection to the ssh port, reads the public
+key, and drops the connection as soon as it gets the key.
+.Sh SEE ALSO
+.Xr ssh 1
+.Xr sshd 8
+.Sh AUTHOR
+David Mazieres <dm@lcs.mit.edu>