2 files changed, 48 insertions, 58 deletions
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index b6bee177..edefe76f 100644
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keyscan.1,v 1.42 2018/02/23 07:38:09 jmc Exp $
+.\" $OpenBSD: ssh-keyscan.1,v 1.43 2018/03/02 21:40:15 jmc Exp $
.\" Copyright 1995, 1996 by David Mazieres <firstname.lastname@example.org>.
@@ -6,26 +6,23 @@
.\" permitted provided that due credit is given to the author and the
.\" OpenBSD project by leaving this copyright notice intact.
-.Dd $Mdocdate: February 23 2018 $
+.Dd $Mdocdate: March 2 2018 $
.Dt SSH-KEYSCAN 1
-.Nd gather ssh public keys
+.Nd gather SSH public keys
.Op Fl 46cDHv
.Op Fl f Ar file
.Op Fl p Ar port
.Op Fl T Ar timeout
.Op Fl t Ar type
.Op Ar host | addrlist namelist
-is a utility for gathering the public ssh host keys of a number of
+is a utility for gathering the public SSH host keys of a number of
It was designed to aid in building and verifying
@@ -39,19 +36,41 @@ uses non-blocking socket I/O to contact as many hosts as possible in
parallel, so it is very efficient.
The keys from a domain of 1,000
hosts can be collected in tens of seconds, even when some of those
-hosts are down or do not run ssh.
+hosts are down or do not run
+.Xr sshd 8 .
For scanning, one does not need
login access to the machines that are being scanned, nor does the
scanning process involve any encryption.
+Input is expected in the format:
+.Bd -literal -offset 3n
+The output format is:
+.Bd -literal -offset 3n
+host-or-namelist keytype base64-encoded-key
+.Dq ecdsa-sha2-nistp256 ,
+.Dq ecdsa-sha2-nistp384 ,
+.Dq ecdsa-sha2-nistp521 ,
+.Dq ssh-ed25519 ,
+.Dq ssh-rsa .
The options are as follows:
.Bl -tag -width Ds
.It Fl 4
to use IPv4 addresses only.
.It Fl 6
to use IPv6 addresses only.
.It Fl c
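Review bot: the two `.Bd -literal -offset 3n` blocks opened at "Input is expected in the format:" and "The output format is:" each need a matching `.Ed`, and in the lines shown here the input block has no body at all between its `.Bd` and the "The output format is:" sentence. Confirm that the input format (the bare host form and the `addrlist namelist` form named in the SYNOPSIS) is actually spelled out and that both blocks are closed, otherwise the rest of the DESCRIPTION renders inside a literal block. The key-type list moved here shows the ecdsa-sha2-nistp*, ssh-ed25519 and ssh-rsa names; check that the entries for the remaining accepted types (the `-t` list below still includes `dsa`) were carried over with it.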
@@ -69,32 +88,32 @@ pairs from
.Ar file ,
one per line.
is supplied instead of a filename,
-will read hosts or
-.Dq addrlist namelist
-pairs from the standard input.
+will read from the standard input.
.It Fl H
Hash all hostnames and addresses in the output.
Hashed names may be used normally by
+.Xr ssh 1
-.Nm sshd ,
+.Xr sshd 8 ,
but they do not reveal identifying information should the file's contents
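Review bot: `.Xr ssh 1` is added to the `-H` text without a paired removed line in this hunk, so check that an existing `.Nm ssh` (or similar) reference was not left in place beside it, which would render as a doubled name. The shortened `-f` wording ("will read from the standard input") is fine now that the input format is documented once in the DESCRIPTION instead of being repeated here.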
.It Fl p Ar port
-Port to connect to on the remote host.
+on the remote host.
.It Fl T Ar timeout
Set the timeout for connection attempts.
seconds have elapsed since a connection was initiated to a host or since the
-last time anything was read from that host, then the connection is
+last time anything was read from that host, the connection is
closed and the host in question considered unavailable.
-Default is 5 seconds.
+The default is 5 seconds.
.It Fl t Ar type
-Specifies the type of the key to fetch from the scanned hosts.
+Specify the type of the key to fetch from the scanned hosts.
The possible values are
.Dq dsa ,
.Dq ecdsa ,
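Review bot: the `-p` change leaves `on the remote host.` as a sentence fragment in the lines shown; the preceding lines must now supply the verb and `.Ar port` for it to read as a whole sentence, so confirm the rendered output. The `-T` rewording ("the connection is closed and the host in question considered unavailable", "The default is 5 seconds.") and the imperative `Specify` for `-t` are consistent with the other option descriptions.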
@@ -109,12 +128,10 @@ and
.It Fl v
-to print debugging messages about its progress.
+print debugging messages about progress.
If an ssh_known_hosts file is constructed using
without verifying the keys, users will be vulnerable to
@@ -125,40 +142,18 @@ On the other hand, if the security model allows such a risk,
can help in the detection of tampered keyfiles or man in the middle
attacks which have begun after the ssh_known_hosts file was created.
-Output format for RSA, DSA, ECDSA, and Ed25519 keys:
-host-or-namelist keytype base64-encoded-key
-.Dq ecdsa-sha2-nistp256 ,
-.Dq ecdsa-sha2-nistp384 ,
-.Dq ecdsa-sha2-nistp521 ,
-.Dq ssh-ed25519 ,
-.Dq ssh-rsa .
-Print the rsa host key for machine
+Print the RSA host key for machine
.Ar hostname :
-$ ssh-keyscan hostname
+.Dl $ ssh-keyscan -t rsa hostname
Find all hosts from the file
which have new or different keys from those in the sorted file
.Pa ssh_known_hosts :
+.Bd -literal -offset indent
$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
sort -u - ssh_known_hosts | diff ssh_known_hosts -
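Review bot: adding `-t rsa` to the first example (`.Dl $ ssh-keyscan -t rsa hostname`) is the right fix, since the text says "Print the RSA host key" and without the option the scan returns every key type the host offers, which would not match the description. The `.Bd -literal -offset indent` opened before the second example needs its `.Ed`, which is not among the lines shown. Removing the output-format text from this section is fine as long as the copy added to the DESCRIPTION carries the complete key-type list, since this SECURITY text is what tells readers that keys collected this way must still be verified before being trusted in ssh_known_hosts.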
@@ -176,8 +171,3 @@ $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
wrote the initial version, and
.An Wayne Davison Aq Mt email@example.com
added support for protocol version 2.
-It generates "Connection closed by remote host" messages on the consoles
-of all the machines it scans if the server is older than version 2.9.
-This is because it opens a connection to the ssh port, reads the public
-key, and drops the connection as soon as it gets the key.
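Review bot: dropping this BUGS paragraph removes the only place the page tells readers that a scan is visible on the scanned hosts. The "older than version 2.9" qualifier is obsolete, but the mechanism it describes (open the connection, read the host key, drop the connection) is still how the tool works, so a current sshd(8) still logs the aborted connection; consider keeping a one-sentence note to that effect so administrators can recognise what a key scan looks like in their server logs rather than mistaking it for a failed login attempt.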
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index 53536860..381fb084 100644
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keyscan.c,v 1.118 2018/02/23 15:58:38 markus Exp $ */
+/* $OpenBSD: ssh-keyscan.c,v 1.119 2018/03/02 21:40:15 jmc Exp $ */
* Copyright 1995, 1996 by David Mazieres <firstname.lastname@example.org>.
@@ -636,7 +636,7 @@ usage(void)
"usage: %s [-46cDHv] [-f file] [-p port] [-T timeout] [-t type]\n"
- "\t\t [host | addrlist namelist] ...\n",
+ "\t\t [host | addrlist namelist]\n",
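Review bot: the usage string drops the trailing `...` after `[host | addrlist namelist]`, which matches the `.Op Ar host | addrlist namelist` SYNOPSIS line in the manual hunk above as shown. If ssh-keyscan still accepts several hosts on the command line, the repetition should be shown in both the usage string and the SYNOPSIS rather than removed from one of them; if the SYNOPSIS carries it on a separate `.Ar ...` line not included in this diff, the C change is consistent and fine.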