1.\" $NetBSD: ssh-keyscan.1,v 1.19 2024/07/08 22:33:44 christos Exp $ 2.\" $OpenBSD: ssh-keyscan.1,v 1.52 2024/06/17 08:30:29 djm Exp $ 3.\" 4.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. 5.\" 6.\" Modification and redistribution in source and binary forms is 7.\" permitted provided that due credit is given to the author and the 8.\" OpenBSD project by leaving this copyright notice intact. 9.\" 10.Dd June 17 2024 11.Dt SSH-KEYSCAN 1 12.Os 13.Sh NAME 14.Nm ssh-keyscan 15.Nd gather SSH public keys from servers 16.Sh SYNOPSIS 17.Nm ssh-keyscan 18.Op Fl 46cDHqv 19.Op Fl f Ar file 20.Op Fl O Ar option 21.Op Fl p Ar port 22.Op Fl T Ar timeout 23.Op Fl t Ar type 24.Op Ar host | addrlist namelist 25.Sh DESCRIPTION 26.Nm 27is a utility for gathering the public SSH host keys of a number of 28hosts. 29It was designed to aid in building and verifying 30.Pa ssh_known_hosts 31files, 32the format of which is documented in 33.Xr sshd 8 . 34.Nm 35provides a minimal interface suitable for use by shell and perl 36scripts. 37.Pp 38.Nm 39uses non-blocking socket I/O to contact as many hosts as possible in 40parallel, so it is very efficient. 41The keys from a domain of 1,000 42hosts can be collected in tens of seconds, even when some of those 43hosts are down or do not run 44.Xr sshd 8 . 45For scanning, one does not need 46login access to the machines that are being scanned, nor does the 47scanning process involve any encryption. 48.Pp 49Hosts to be scanned may be specified by hostname, address or by CIDR 50network range (e.g. 192.168.16/28). 51If a network range is specified, then all addresses in that range will 52be scanned. 53.Pp 54The options are as follows: 55.Bl -tag -width Ds 56.It Fl 4 57Force 58.Nm 59to use IPv4 addresses only. 60.It Fl 6 61Force 62.Nm 63to use IPv6 addresses only. 64.It Fl c 65Request certificates from target hosts instead of plain keys. 66.It Fl D 67Print keys found as SSHFP DNS records. 
68The default is to print keys in a format usable as a 69.Xr ssh 1 70.Pa known_hosts 71file. 72.It Fl f Ar file 73Read hosts or 74.Dq addrlist namelist 75pairs from 76.Ar file , 77one per line. 78If 79.Sq - 80is supplied instead of a filename, 81.Nm 82will read from the standard input. 83Names read from a file must start with an address, hostname or CIDR network 84range to be scanned. 85Addresses and hostnames may optionally be followed by comma-separated name 86or address aliases that will be copied to the output. 87For example: 88.Bd -literal 89192.168.11.0/24 9010.20.1.1 91happy.example.org 9210.0.0.1,sad.example.org 93.Ed 94.It Fl H 95Hash all hostnames and addresses in the output. 96Hashed names may be used normally by 97.Xr ssh 1 98and 99.Xr sshd 8 , 100but they do not reveal identifying information should the file's contents 101be disclosed. 102.It Fl O Ar option 103Specify a key/value option. 104At present, only a single option is supported: 105.Bl -tag -width Ds 106.It Cm hashalg Ns = Ns Ar algorithm 107Selects a hash algorithm to use when printing SSHFP records using the 108.Fl D 109flag. 110Valid algorithms are 111.Dq sha1 112and 113.Dq sha256 . 114The default is to print both. 115.El 116.It Fl p Ar port 117Connect to 118.Ar port 119on the remote host. 120.It Fl q 121Quiet mode: 122do not print server host name and banners in comments. 123.It Fl T Ar timeout 124Set the timeout for connection attempts. 125If 126.Ar timeout 127seconds have elapsed since a connection was initiated to a host or since the 128last time anything was read from that host, the connection is 129closed and the host in question considered unavailable. 130The default is 5 seconds. 131.It Fl t Ar type 132Specify the type of the key to fetch from the scanned hosts. 133The possible values are 134.Dq ecdsa , 135.Dq ed25519 , 136.Dq ecdsa-sk , 137.Dq ed25519-sk , 138or 139.Dq rsa . 140Multiple values may be specified by separating them with commas. 
141The default is to fetch all the above key types. 142.It Fl v 143Verbose mode: 144print debugging messages about progress. 145.El 146.Pp 147If an ssh_known_hosts file is constructed using 148.Nm 149without verifying the keys, users will be vulnerable to 150.Em man in the middle 151attacks. 152On the other hand, if the security model allows such a risk, 153.Nm 154can help in the detection of tampered keyfiles or man in the middle 155attacks which have begun after the ssh_known_hosts file was created. 156.Sh FILES 157.Pa /etc/ssh/ssh_known_hosts 158.Sh EXAMPLES 159Print the RSA host key for machine 160.Ar hostname : 161.Pp 162.Dl $ ssh-keyscan -t rsa hostname 163.Pp 164Search a network range, printing all supported key types: 165.Pp 166.Dl $ ssh-keyscan 192.168.0.64/25 167.Pp 168Find all hosts from the file 169.Pa ssh_hosts 170which have new or different keys from those in the sorted file 171.Pa ssh_known_hosts : 172.Bd -literal -offset indent 173$ ssh-keyscan -t rsa,ecdsa,ed25519 -f ssh_hosts | \e 174 sort -u - ssh_known_hosts | diff ssh_known_hosts - 175.Ed 176.Sh SEE ALSO 177.Xr ssh 1 , 178.Xr sshd 8 179.Rs 180.%D 2006 181.%R RFC 4255 182.%T Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints 183.Re 184.Sh AUTHORS 185.An -nosplit 186.An David Mazieres Aq Mt dm@lcs.mit.edu 187wrote the initial version, and 188.An Wayne Davison Aq Mt wayned@users.sourceforge.net 189added support for protocol version 2. 190
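Added example (not part of this manual page or of OpenSSH's own code): a Python script that compares ssh-keyscan output against an existing ssh_known_hosts and flags hosts whose keys are new or changed, the detection of tampered key files described above, while also matching the hashed `|1|salt|hash` host fields that the -H option writes (HMAC-SHA1 keyed with the salt, per the sshd(8) known_hosts format). The sample scan output and known_hosts lines are constructed; the key strings are placeholders, not real public keys, and only plain or comma-separated hostnames are handled (no wildcards or `[host]:port` forms).

```python
import base64
import hashlib
import hmac

def hash_hostname(host, salt):
    # Hashed host field as written by ssh-keyscan -H: "|1|salt|mac",
    # mac = HMAC-SHA1(key=salt, msg=hostname); format from sshd(8).
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def host_matches(pattern, host):
    # Match a known_hosts host field (plain, comma-separated aliases, or hashed) to host.
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in pattern.split(",")

def parse_known_hosts(text):
    # Yield (hostfield, keytype, key); skip blank lines and "# host:port banner" comments.
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#"):
            yield fields[0], fields[1], fields[2]

def compare_scan(scan_text, known_text):
    # Classify each scanned (hostfield, keytype) as "known", "new" (no entry of that
    # type for the host) or "changed" (an entry exists but the key differs).
    known = list(parse_known_hosts(known_text))
    verdict = {}
    for hostfield, ktype, key in parse_known_hosts(scan_text):
        aliases = hostfield.split(",")
        stored = [k for p, t, k in known
                  if t == ktype and any(host_matches(p, a) for a in aliases)]
        status = "new" if not stored else ("known" if key in stored else "changed")
        verdict[(hostfield, ktype)] = status
    return verdict

# Constructed sample data; key strings are placeholders, not real public keys.
SALT = b"0123456789abcdefghij"  # constructed 20-byte salt
KNOWN_HOSTS = "\n".join([
    "happy.example.org ssh-ed25519 AAAAC3KEY-HAPPY-ORIGINAL",
    hash_hostname("sad.example.org", SALT) + " ssh-ed25519 AAAAC3KEY-SAD",
])
SCAN_OUTPUT = "\n".join([
    "# happy.example.org:22 SSH-2.0-OpenSSH_9.8",
    "happy.example.org ssh-ed25519 AAAAC3KEY-HAPPY-REPLACED",
    "10.0.0.1,sad.example.org ssh-ed25519 AAAAC3KEY-SAD",
    "10.20.1.1 ssh-rsa AAAAB3KEY-RSA-NEW",
])
```

A "changed" verdict for a host whose key was verified when the file was built is the signal to investigate before connecting; `compare_scan(SCAN_OUTPUT, KNOWN_HOSTS)` on the sample data reports one of each status.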