1.\" $NetBSD: ssh-keyscan.1,v 1.10 2015/04/03 23:58:19 christos Exp $ 2.\" $OpenBSD: ssh-keyscan.1,v 1.36 2014/08/30 15:33:50 sobrado Exp $ 3.\" 4.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. 5.\" 6.\" Modification and redistribution in source and binary forms is 7.\" permitted provided that due credit is given to the author and the 8.\" OpenBSD project by leaving this copyright notice intact. 9.\" 10.Dd August 30 2014 11.Dt SSH-KEYSCAN 1 12.Os 13.Sh NAME 14.Nm ssh-keyscan 15.Nd gather ssh public keys 16.Sh SYNOPSIS 17.Nm ssh-keyscan 18.Bk -words 19.Op Fl 46Hv 20.Op Fl f Ar file 21.Op Fl p Ar port 22.Op Fl T Ar timeout 23.Op Fl t Ar type 24.Op Ar host | addrlist namelist 25.Ar ... 26.Ek 27.Sh DESCRIPTION 28.Nm 29is a utility for gathering the public ssh host keys of a number of 30hosts. 31It was designed to aid in building and verifying 32.Pa ssh_known_hosts 33files. 34.Nm 35provides a minimal interface suitable for use by shell and perl 36scripts. 37.Pp 38.Nm 39uses non-blocking socket I/O to contact as many hosts as possible in 40parallel, so it is very efficient. 41The keys from a domain of 1,000 42hosts can be collected in tens of seconds, even when some of those 43hosts are down or do not run ssh. 44For scanning, one does not need 45login access to the machines that are being scanned, nor does the 46scanning process involve any encryption. 47.Pp 48The options are as follows: 49.Bl -tag -width Ds 50.It Fl 4 51Forces 52.Nm 53to use IPv4 addresses only. 54.It Fl 6 55Forces 56.Nm 57to use IPv6 addresses only. 58.It Fl f Ar file 59Read hosts or 60.Dq addrlist namelist 61pairs from 62.Ar file , 63one per line. 64If 65.Pa - 66is supplied instead of a filename, 67.Nm 68will read hosts or 69.Dq addrlist namelist 70pairs from the standard input. 71.It Fl H 72Hash all hostnames and addresses in the output. 73Hashed names may be used normally by 74.Nm ssh 75and 76.Nm sshd , 77but they do not reveal identifying information should the file's contents 78be disclosed. 79.It Fl p Ar port 80Port to connect to on the remote host. 81.It Fl T Ar timeout 82Set the timeout for connection attempts. 83If 84.Ar timeout 85seconds have elapsed since a connection was initiated to a host or since the 86last time anything was read from that host, then the connection is 87closed and the host in question considered unavailable. 88Default is 5 seconds. 89.It Fl t Ar type 90Specifies the type of the key to fetch from the scanned hosts. 91The possible values are 92.Dq rsa1 93for protocol version 1 and 94.Dq dsa , 95.Dq ecdsa , 96.Dq ed25519 , 97or 98.Dq rsa 99for protocol version 2. 100Multiple values may be specified by separating them with commas. 101The default is to fetch 102.Dq rsa , 103.Dq ecdsa , 104and 105.Dq ed25519 106keys. 107.It Fl v 108Verbose mode. 109Causes 110.Nm 111to print debugging messages about its progress. 112.El 113.Sh SECURITY 114If an ssh_known_hosts file is constructed using 115.Nm 116without verifying the keys, users will be vulnerable to 117.Em man in the middle 118attacks. 119On the other hand, if the security model allows such a risk, 120.Nm 121can help in the detection of tampered keyfiles or man in the middle 122attacks which have begun after the ssh_known_hosts file was created. 123.Sh FILES 124Input format: 125.Bd -literal 1261.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 127.Ed 128.Pp 129Output format for RSA1 keys: 130.Bd -literal 131host-or-namelist bits exponent modulus 132.Ed 133.Pp 134Output format for RSA, DSA, ECDSA, and Ed25519 keys: 135.Bd -literal 136host-or-namelist keytype base64-encoded-key 137.Ed 138.Pp 139Where 140.Ar keytype 141is either 142.Dq ecdsa-sha2-nistp256 , 143.Dq ecdsa-sha2-nistp384 , 144.Dq ecdsa-sha2-nistp521 , 145.Dq ssh-ed25519 , 146.Dq ssh-dss 147or 148.Dq ssh-rsa . 149.Pp 150.Pa /etc/ssh/ssh_known_hosts 151.Sh EXAMPLES 152Print the rsa host key for machine 153.Ar hostname : 154.Bd -literal 155$ ssh-keyscan hostname 156.Ed 157.Pp 158Find all hosts from the file 159.Pa ssh_hosts 160which have new or different keys from those in the sorted file 161.Pa ssh_known_hosts : 162.Bd -literal 163$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e 164 sort -u - ssh_known_hosts | diff ssh_known_hosts - 165.Ed 166.Sh SEE ALSO 167.Xr ssh 1 , 168.Xr sshd 8 169.Sh AUTHORS 170.An -nosplit 171.An David Mazieres Aq Mt dm@lcs.mit.edu 172wrote the initial version, and 173.An Wayne Davison Aq Mt wayned@users.sourceforge.net 174added support for protocol version 2. 175.Sh BUGS 176It generates "Connection closed by remote host" messages on the consoles 177of all the machines it scans if the server is older than version 2.9. 178This is because it opens a connection to the ssh port, reads the public 179key, and drops the connection as soon as it gets the key. 180