1.\" $OpenBSD: ssh-keyscan.1,v 1.52 2024/06/17 08:30:29 djm Exp $ 2.\" 3.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. 4.\" 5.\" Modification and redistribution in source and binary forms is 6.\" permitted provided that due credit is given to the author and the 7.\" OpenBSD project by leaving this copyright notice intact. 8.\" 9.Dd $Mdocdate: June 17 2024 $ 10.Dt SSH-KEYSCAN 1 11.Os 12.Sh NAME 13.Nm ssh-keyscan 14.Nd gather SSH public keys from servers 15.Sh SYNOPSIS 16.Nm ssh-keyscan 17.Op Fl 46cDHqv 18.Op Fl f Ar file 19.Op Fl O Ar option 20.Op Fl p Ar port 21.Op Fl T Ar timeout 22.Op Fl t Ar type 23.Op Ar host | addrlist namelist 24.Sh DESCRIPTION 25.Nm 26is a utility for gathering the public SSH host keys of a number of 27hosts. 28It was designed to aid in building and verifying 29.Pa ssh_known_hosts 30files, 31the format of which is documented in 32.Xr sshd 8 . 33.Nm 34provides a minimal interface suitable for use by shell and perl 35scripts. 36.Pp 37.Nm 38uses non-blocking socket I/O to contact as many hosts as possible in 39parallel, so it is very efficient. 40The keys from a domain of 1,000 41hosts can be collected in tens of seconds, even when some of those 42hosts are down or do not run 43.Xr sshd 8 . 44For scanning, one does not need 45login access to the machines that are being scanned, nor does the 46scanning process involve any encryption. 47.Pp 48Hosts to be scanned may be specified by hostname, address or by CIDR 49network range (e.g. 192.168.16/28). 50If a network range is specified, then all addresses in that range will 51be scanned. 52.Pp 53The options are as follows: 54.Bl -tag -width Ds 55.It Fl 4 56Force 57.Nm 58to use IPv4 addresses only. 59.It Fl 6 60Force 61.Nm 62to use IPv6 addresses only. 63.It Fl c 64Request certificates from target hosts instead of plain keys. 65.It Fl D 66Print keys found as SSHFP DNS records. 67The default is to print keys in a format usable as a 68.Xr ssh 1 69.Pa known_hosts 70file. 
71.It Fl f Ar file 72Read hosts or 73.Dq addrlist namelist 74pairs from 75.Ar file , 76one per line. 77If 78.Sq - 79is supplied instead of a filename, 80.Nm 81will read from the standard input. 82Names read from a file must start with an address, hostname or CIDR network 83range to be scanned. 84Addresses and hostnames may optionally be followed by comma-separated name 85or address aliases that will be copied to the output. 86For example: 87.Bd -literal 88192.168.11.0/24 8910.20.1.1 90happy.example.org 9110.0.0.1,sad.example.org 92.Ed 93.It Fl H 94Hash all hostnames and addresses in the output. 95Hashed names may be used normally by 96.Xr ssh 1 97and 98.Xr sshd 8 , 99but they do not reveal identifying information should the file's contents 100be disclosed. 101.It Fl O Ar option 102Specify a key/value option. 103At present, only a single option is supported: 104.Bl -tag -width Ds 105.It Cm hashalg Ns = Ns Ar algorithm 106Selects a hash algorithm to use when printing SSHFP records using the 107.Fl D 108flag. 109Valid algorithms are 110.Dq sha1 111and 112.Dq sha256 . 113The default is to print both. 114.El 115.It Fl p Ar port 116Connect to 117.Ar port 118on the remote host. 119.It Fl q 120Quiet mode: 121do not print server host name and banners in comments. 122.It Fl T Ar timeout 123Set the timeout for connection attempts. 124If 125.Ar timeout 126seconds have elapsed since a connection was initiated to a host or since the 127last time anything was read from that host, the connection is 128closed and the host in question considered unavailable. 129The default is 5 seconds. 130.It Fl t Ar type 131Specify the type of the key to fetch from the scanned hosts. 132The possible values are 133.Dq ecdsa , 134.Dq ed25519 , 135.Dq ecdsa-sk , 136.Dq ed25519-sk , 137or 138.Dq rsa . 139Multiple values may be specified by separating them with commas. 140The default is to fetch all the above key types. 141.It Fl v 142Verbose mode: 143print debugging messages about progress. 
144.El 145.Pp 146If an ssh_known_hosts file is constructed using 147.Nm 148without verifying the keys, users will be vulnerable to 149.Em man in the middle 150attacks. 151On the other hand, if the security model allows such a risk, 152.Nm 153can help in the detection of tampered keyfiles or man in the middle 154attacks which have begun after the ssh_known_hosts file was created. 155.Sh FILES 156.Pa /etc/ssh/ssh_known_hosts 157.Sh EXAMPLES 158Print the RSA host key for machine 159.Ar hostname : 160.Pp 161.Dl $ ssh-keyscan -t rsa hostname 162.Pp 163Search a network range, printing all supported key types: 164.Pp 165.Dl $ ssh-keyscan 192.168.0.64/25 166.Pp 167Find all hosts from the file 168.Pa ssh_hosts 169which have new or different keys from those in the sorted file 170.Pa ssh_known_hosts : 171.Bd -literal -offset indent 172$ ssh-keyscan -t rsa,ecdsa,ed25519 -f ssh_hosts | \e 173 sort -u - ssh_known_hosts | diff ssh_known_hosts - 174.Ed 175.Sh SEE ALSO 176.Xr ssh 1 , 177.Xr sshd 8 178.Rs 179.%D 2006 180.%R RFC 4255 181.%T Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints 182.Re 183.Sh AUTHORS 184.An -nosplit 185.An David Mazieres Aq Mt dm@lcs.mit.edu 186wrote the initial version, and 187.An Wayne Davison Aq Mt wayned@users.sourceforge.net 188added support for protocol version 2. 189
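The "new or different keys" check from EXAMPLES and the hashed host fields that -H writes, as an added Python example that is not part of this manual or of OpenSSH: it compares fresh ssh-keyscan output against a trusted ssh_known_hosts (both constructed inline, with placeholder key blobs) and reports each key as ok, changed (the tampering or man-in-the-middle case the DESCRIPTION warns about) or new. Hashed entries are matched using the |1|salt|HMAC-SHA1 form documented in sshd(8); the fixed salt and the banner comments are constructed sample data.

```python
import base64
import hashlib
import hmac

HASH_MAGIC = "|1|"  # prefix of a hashed host field in known_hosts (sshd(8))

def hash_hostname(host: str, salt: bytes) -> str:
    """Hashed host field as ssh-keyscan -H writes it: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()

def hostname_matches(hostfield: str, host: str) -> bool:
    """True if a host field (plain name, comma-separated aliases, or hashed form) names host."""
    if hostfield.startswith(HASH_MAGIC):
        salt_b64 = hostfield[len(HASH_MAGIC):].split("|", 1)[0]
        recomputed = hash_hostname(host, base64.b64decode(salt_b64))
        return hmac.compare_digest(recomputed, hostfield)
    return host in hostfield.split(",")

def parse_known_hosts(text: str):
    """Yield (hostfield, keytype, key) per entry; '#' lines are the banner comments ssh-keyscan prints."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#"):
            yield fields[0], fields[1], fields[2]

def compare_scan(trusted: str, scan: str) -> dict:
    """Classify each scanned (host, keytype) as 'ok', 'changed' (investigate!) or 'new'."""
    trusted_entries = list(parse_known_hosts(trusted))
    verdicts = {}
    for hostfield, ktype, key in parse_known_hosts(scan):
        host = hostfield.split(",")[0]  # first name is the scanned address or hostname
        known = [k for h, t, k in trusted_entries
                 if t == ktype and any(hostname_matches(h, n) for n in hostfield.split(","))]
        verdicts[(host, ktype)] = "new" if not known else ("ok" if key in known else "changed")
    return verdicts

# Constructed sample input; key blobs are placeholders, not real keys, and the
# second trusted entry is hashed as ssh-keyscan -H would emit it, with a fixed salt.
SALT = bytes(range(20))
TRUSTED = ("happy.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHAPPYKEY\n"
           + hash_hostname("sad.example.org", SALT) + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAISADKEY")
SCAN = """\
# happy.example.org:22 SSH-2.0-OpenSSH_9.7
happy.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHAPPYKEY
# sad.example.org:22 SSH-2.0-OpenSSH_9.7
sad.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDIFFERENTKEY
sad.example.org ssh-rsa AAAAB3NzaC1yc2EAAAANEWRSAKEY
"""
```

Running compare_scan(TRUSTED, SCAN) flags sad.example.org's ed25519 key as changed and its rsa key as new, while happy.example.org is reported ok.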