path: root/ssh-keyscan.1
diff options
authorBen Lindstrom <>2000-12-05 01:15:09 +0000
committerBen Lindstrom <>2000-12-05 01:15:09 +0000
commitb6434ae0e89c6614645a6e8ef50be1c5884beaf5 (patch)
treeddd59719a473c529c0f783bd273b1ef92fdf03db /ssh-keyscan.1
parentd121f613708c3c9c82465b0788550943a918d5c8 (diff)
- (bal) OpenSSH CVS updates: - 2000/12/04 19:24:02 [ssh-keyscan.c ssh-keyscan.1] David Maziere's ssh-keyscan, ok niels@ - (bal) Updated to include ssh-keyscan that was just added to the recent OpenBSD source tree.
Diffstat (limited to 'ssh-keyscan.1')
1 files changed, 94 insertions, 0 deletions
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
new file mode 100644
index 00000000..efd6e744
--- /dev/null
+++ b/ssh-keyscan.1
@@ -0,0 +1,94 @@
+.Dd January 1, 1996
+.Dt ssh-keyscan 1
+.Nm ssh-keyscan
+.Nd gather ssh public keys
+.Nm ssh-keyscan
+.Op Fl t Ar timeout
+.Op Ar -- | host | addrlist namelist
+.Op Fl f Ar files ...
+is a utility for gathering the public ssh host keys of a number of
+hosts. It was designed to aid in building and verifying
+.Pa ssh_known_hosts
+provides a minimal interface suitable for use by shell and perl
+uses non-blocking socket I/O to contact as many hosts as possible in
+parallel, so it is very efficient. The keys from a domain of 1,000
+hosts can be collected in tens of seconds, even when some of those
+hosts are down or do not run ssh. You do not need login access to the
+machines you are scanning, nor does does the scanning process involve
+any encryption.
+If you make an ssh_known_hosts file using
+without verifying the keys, you will be vulnerable to
+.I man in the middle
+On the other hand, if your security model allows such a risk,
+can help you detect tampered keyfiles or man in the middle attacks which
+have begun after you created your ssh_known_hosts file.
+.Bl -tag -width Ds
+.It Fl t
+Set the timeout for connection attempts. If
+.Pa timeout
+seconds have elapsed since a connection was initiated to a host or since the
+last time anything was read from that host, then the connection is
+closed and the host in question considered unavailable. Default is 5
+.It Fl f
+Read hosts or
+.Pa addrlist namelist
+pairs from this file, one per line.
+.Pa -
+is supplied instead of a filename,
+will read hosts or
+.Pa addrlist namelist
+pairs from the standard input.
+Print the host key for machine
+.Pa hostname :
+.Bd -literal
+ssh-keyscan hostname
+Find all hosts from the file
+.Pa ssh_hosts
+which have new or different keys from those in the sorted file
+.Pa ssh_known_hosts :
+.Bd -literal
+ssh-keyscan -f ssh_hosts | sort -u - ssh_known_hosts | \e\
+ diff ssh_known_hosts -
+.Pa Input format:
+.Pa Output format:
+host-or-namelist bits exponent modulus
+.Pa /etc/ssh_known_hosts
+It generates "Connection closed by remote host" messages on the consoles
+of all the machines it scans.
+This is because it opens a connection to the ssh port, reads the public
+key, and drops the connection as soon as it gets the key.
+.Xr ssh 1
+.Xr sshd 8
+David Mazieres <>