.\" $NetBSD: ssh-keyscan.1,v 1.18 2023/07/26 17:58:16 christos Exp $
.\" $OpenBSD: ssh-keyscan.1,v 1.49 2023/02/10 06:41:53 jmc Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
.\" Modification and redistribution in source and binary forms is
.\" permitted provided that due credit is given to the author and the
.\" OpenBSD project by leaving this copyright notice intact.
.\"
.Dd February 10 2023
.Dt SSH-KEYSCAN 1
.Os
.Sh NAME
.Nm ssh-keyscan
.Nd gather SSH public keys from servers
.Sh SYNOPSIS
.Nm ssh-keyscan
.Op Fl 46cDHv
.Op Fl f Ar file
.Op Fl O Ar option
.Op Fl p Ar port
.Op Fl T Ar timeout
.Op Fl t Ar type
.Op Ar host | addrlist namelist
.Sh DESCRIPTION
.Nm
is a utility for gathering the public SSH host keys of a number of
hosts.
It was designed to aid in building and verifying
.Pa ssh_known_hosts
files,
the format of which is documented in
.Xr sshd 8 .
.Nm
provides a minimal interface suitable for use by shell and perl
scripts.
.Pp
.Nm
uses non-blocking socket I/O to contact as many hosts as possible in
parallel, so it is very efficient.
The keys from a domain of 1,000
hosts can be collected in tens of seconds, even when some of those
hosts are down or do not run
.Xr sshd 8 .
For scanning, one does not need
login access to the machines that are being scanned, nor does the
scanning process involve any encryption.
.Pp
Hosts to be scanned may be specified by hostname, address or by CIDR
network range (e.g. 192.168.16/28).
If a network range is specified, then all addresses in that range will
be scanned.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl 4
Force
.Nm
to use IPv4 addresses only.
.It Fl 6
Force
.Nm
to use IPv6 addresses only.
.It Fl c
Request certificates from target hosts instead of plain keys.
.It Fl D
Print keys found as SSHFP DNS records.
The default is to print keys in a format usable as a
.Xr ssh 1
.Pa known_hosts
file.
.It Fl f Ar file
Read hosts or
.Dq addrlist namelist
pairs from
.Ar file ,
one per line.
If
.Sq -
is supplied instead of a filename,
.Nm
will read from the standard input.
Names read from a file must start with an address, hostname or CIDR network
range to be scanned.
Addresses and hostnames may optionally be followed by comma-separated name
or address aliases that will be copied to the output.
For example:
.Bd -literal
192.168.11.0/24
10.20.1.1
happy.example.org
10.0.0.1,sad.example.org
.Ed
.It Fl H
Hash all hostnames and addresses in the output.
Hashed names may be used normally by
.Xr ssh 1
and
.Xr sshd 8 ,
but they do not reveal identifying information should the file's contents
be disclosed.
.It Fl O Ar option
Specify a key/value option.
At present, only a single option is supported:
.Bl -tag -width Ds
.It Cm hashalg Ns = Ns Ar algorithm
Selects a hash algorithm to use when printing SSHFP records using the
.Fl D
flag.
Valid algorithms are
.Dq sha1
and
.Dq sha256 .
The default is to print both.
.El
.It Fl p Ar port
Connect to
.Ar port
on the remote host.
.It Fl T Ar timeout
Set the timeout for connection attempts.
If
.Ar timeout
seconds have elapsed since a connection was initiated to a host or since the
last time anything was read from that host, the connection is
closed and the host in question considered unavailable.
The default is 5 seconds.
.It Fl t Ar type
Specify the type of the key to fetch from the scanned hosts.
The possible values are
.Dq dsa ,
.Dq ecdsa ,
.Dq ed25519 ,
.Dq ecdsa-sk ,
.Dq ed25519-sk ,
or
.Dq rsa .
Multiple values may be specified by separating them with commas.
The default is to fetch
.Dq rsa ,
.Dq ecdsa ,
.Dq ed25519 ,
.Dq ecdsa-sk ,
and
.Dq ed25519-sk
keys.
.It Fl v
Verbose mode:
print debugging messages about progress.
.El
.Pp
If an ssh_known_hosts file is constructed using
.Nm
without verifying the keys, users will be vulnerable to
.Em man in the middle
attacks.
On the other hand, if the security model allows such a risk,
.Nm
can help in the detection of tampered keyfiles or man in the middle
attacks which have begun after the ssh_known_hosts file was created.
.Sh FILES
.Pa /etc/ssh/ssh_known_hosts
.Sh EXAMPLES
Print the RSA host key for machine
.Ar hostname :
.Pp
.Dl $ ssh-keyscan -t rsa hostname
.Pp
Search a network range, printing all supported key types:
.Pp
.Dl $ ssh-keyscan 192.168.0.64/25
.Pp
Find all hosts from the file
.Pa ssh_hosts
which have new or different keys from those in the sorted file
.Pa ssh_known_hosts :
.Bd -literal -offset indent
$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
    sort -u - ssh_known_hosts | diff ssh_known_hosts -
.Ed
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr sshd 8
.Rs
.%D 2006
.%R RFC 4255
.%T Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
.Re
.Sh AUTHORS
.An -nosplit
.An David Mazieres Aq Mt dm@lcs.mit.edu
wrote the initial version, and
.An Wayne Davison Aq Mt wayned@users.sourceforge.net
added support for protocol version 2.
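The last EXAMPLES entry detects changed host keys by piping the scan through sort and diff. As an added example that is not part of the manual page or of OpenSSH, the POSIX shell function below does that comparison per host and key type, reporting NEW, CHANGED or OK for each entry in the scan output; the sample known_hosts and scan data are constructed, with placeholder key material.

```shell
#!/bin/sh
# Added example (not from the ssh-keyscan manual): compare fresh ssh-keyscan
# output with an existing ssh_known_hosts, per host and key type, and report
# NEW, CHANGED or OK.  Both inputs use the known_hosts line format
# "<host[,alias...]> <keytype> <base64 key>"; the host field is matched
# literally, so scan without -H (hashed names cannot be compared this way).
compare_host_keys() {
    scanned="$1"
    known="$2"
    awk '
        # A usable line has at least three fields and is neither a comment
        # nor an @cert-authority / @revoked marker line.
        function usable() { return NF >= 3 && $1 !~ /^[#@]/ }
        # First file: remember the key currently trusted for each host+type.
        FILENAME == ARGV[1] { if (usable()) known[$1 " " $2] = $3; next }
        # Second file (scan output): classify each host+type seen.
        usable() {
            k = $1 " " $2
            if (!(k in known))       print "NEW " k
            else if (known[k] != $3) print "CHANGED " k
            else                     print "OK " k
        }
    ' "$known" "$scanned"
}

# Demo on constructed sample data; the key material is a placeholder.
# Real use: ssh-keyscan -f ssh_hosts > scan.out
#           compare_host_keys scan.out /etc/ssh/ssh_known_hosts
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/ssh_known_hosts" <<'EOF'
happy.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDERhappyV1
10.20.1.1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDERrsaV1
EOF
    cat > "$tmp/scan.out" <<'EOF'
# 10.20.1.1:22 SSH-2.0-OpenSSH (constructed banner line)
10.20.1.1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDERrsaV2
happy.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDERhappyV1
sad.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDERsadV1
EOF
    compare_host_keys "$tmp/scan.out" "$tmp/ssh_known_hosts"
    rm -rf "$tmp"
}
```

A CHANGED line for a host whose key was not deliberately rotated is the signal the DESCRIPTION refers to: a tampered keyfile or a man in the middle that appeared after the file was built.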