mirror of
				https://github.com/PowerShell/Win32-OpenSSH.git
				synced 2025-10-25 17:53:59 +02:00 
			
		
		
		
	
		
			
				
	
	
		
			173 lines
		
	
	
		
			4.1 KiB
		
	
	
	
		
			Groff
		
	
	
	
	
	
			
		
		
	
	
			173 lines
		
	
	
		
			4.1 KiB
		
	
	
	
		
			Groff
		
	
	
	
	
	
| .\"	$OpenBSD: ssh-keyscan.1,v 1.29 2010/08/31 11:54:45 djm Exp $
 | |
| .\"
 | |
| .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
 | |
| .\"
 | |
| .\" Modification and redistribution in source and binary forms is
 | |
| .\" permitted provided that due credit is given to the author and the
 | |
| .\" OpenBSD project by leaving this copyright notice intact.
 | |
| .\"
 | |
| .Dd $Mdocdate: August 31 2010 $
 | |
| .Dt SSH-KEYSCAN 1
 | |
| .Os
 | |
| .Sh NAME
 | |
| .Nm ssh-keyscan
 | |
| .Nd gather ssh public keys
 | |
| .Sh SYNOPSIS
 | |
| .Nm ssh-keyscan
 | |
| .Bk -words
 | |
| .Op Fl 46Hv
 | |
| .Op Fl f Ar file
 | |
| .Op Fl p Ar port
 | |
| .Op Fl T Ar timeout
 | |
| .Op Fl t Ar type
 | |
| .Op Ar host | addrlist namelist
 | |
| .Ar ...
 | |
| .Ek
 | |
| .Sh DESCRIPTION
 | |
| .Nm
 | |
| is a utility for gathering the public ssh host keys of a number of
 | |
| hosts.
 | |
| It was designed to aid in building and verifying
 | |
| .Pa ssh_known_hosts
 | |
| files.
 | |
| .Nm
 | |
| provides a minimal interface suitable for use by shell and perl
 | |
| scripts.
 | |
| .Pp
 | |
| .Nm
 | |
| uses non-blocking socket I/O to contact as many hosts as possible in
 | |
| parallel, so it is very efficient.
 | |
| The keys from a domain of 1,000
 | |
| hosts can be collected in tens of seconds, even when some of those
 | |
| hosts are down or do not run ssh.
 | |
| For scanning, one does not need
 | |
| login access to the machines that are being scanned, nor does the
 | |
| scanning process involve any encryption.
 | |
| .Pp
 | |
| The options are as follows:
 | |
| .Bl -tag -width Ds
 | |
| .It Fl 4
 | |
| Forces
 | |
| .Nm
 | |
| to use IPv4 addresses only.
 | |
| .It Fl 6
 | |
| Forces
 | |
| .Nm
 | |
| to use IPv6 addresses only.
 | |
| .It Fl f Ar file
 | |
| Read hosts or
 | |
| .Pa addrlist namelist
 | |
| pairs from this file, one per line.
 | |
| If
 | |
| .Pa -
 | |
| is supplied instead of a filename,
 | |
| .Nm
 | |
| will read hosts or
 | |
| .Pa addrlist namelist
 | |
| pairs from the standard input.
 | |
| .It Fl H
 | |
| Hash all hostnames and addresses in the output.
 | |
| Hashed names may be used normally by
 | |
| .Nm ssh
 | |
| and
 | |
| .Nm sshd ,
 | |
| but they do not reveal identifying information should the file's contents
 | |
| be disclosed.
 | |
| .It Fl p Ar port
 | |
| Port to connect to on the remote host.
 | |
| .It Fl T Ar timeout
 | |
| Set the timeout for connection attempts.
 | |
| If
 | |
| .Pa timeout
 | |
| seconds have elapsed since a connection was initiated to a host or since the
 | |
| last time anything was read from that host, then the connection is
 | |
| closed and the host in question considered unavailable.
 | |
| Default is 5 seconds.
 | |
| .It Fl t Ar type
 | |
| Specifies the type of the key to fetch from the scanned hosts.
 | |
| The possible values are
 | |
| .Dq rsa1
 | |
| for protocol version 1 and
 | |
| .Dq dsa ,
 | |
| .Dq ecdsa
 | |
| or
 | |
| .Dq rsa
 | |
| for protocol version 2.
 | |
| Multiple values may be specified by separating them with commas.
 | |
| The default is
 | |
| .Dq rsa .
 | |
| .It Fl v
 | |
| Verbose mode.
 | |
| Causes
 | |
| .Nm
 | |
| to print debugging messages about its progress.
 | |
| .El
 | |
| .Sh SECURITY
 | |
| If an ssh_known_hosts file is constructed using
 | |
| .Nm
 | |
| without verifying the keys, users will be vulnerable to
 | |
| .Em man in the middle
 | |
| attacks.
 | |
| On the other hand, if the security model allows such a risk,
 | |
| .Nm
 | |
| can help in the detection of tampered keyfiles or man in the middle
 | |
| attacks which have begun after the ssh_known_hosts file was created.
 | |
| .Sh FILES
 | |
| .Pa Input format:
 | |
| .Bd -literal
 | |
| 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
 | |
| .Ed
 | |
| .Pp
 | |
| .Pa Output format for rsa1 keys:
 | |
| .Bd -literal
 | |
| host-or-namelist bits exponent modulus
 | |
| .Ed
 | |
| .Pp
 | |
| .Pa Output format for rsa, dsa and ecdsa keys:
 | |
| .Bd -literal
 | |
| host-or-namelist keytype base64-encoded-key
 | |
| .Ed
 | |
| .Pp
 | |
| Where
 | |
| .Pa keytype
 | |
| is either
 | |
| .Dq ecdsa-sha2-nistp256 ,
 | |
| .Dq ecdsa-sha2-nistp384 ,
 | |
| .Dq ecdsa-sha2-nistp521 ,
 | |
| .Dq ssh-dss
 | |
| or
 | |
| .Dq ssh-rsa .
 | |
| .Pp
 | |
| .Pa /etc/ssh/ssh_known_hosts
 | |
| .Sh EXAMPLES
 | |
| Print the
 | |
| .Pa rsa
 | |
| host key for machine
 | |
| .Pa hostname :
 | |
| .Bd -literal
 | |
| $ ssh-keyscan hostname
 | |
| .Ed
 | |
| .Pp
 | |
| Find all hosts from the file
 | |
| .Pa ssh_hosts
 | |
| which have new or different keys from those in the sorted file
 | |
| .Pa ssh_known_hosts :
 | |
| .Bd -literal
 | |
| $ ssh-keyscan -t rsa,dsa,ecdsa -f ssh_hosts | \e
 | |
| 	sort -u - ssh_known_hosts | diff ssh_known_hosts -
 | |
| .Ed
 | |
| .Sh SEE ALSO
 | |
| .Xr ssh 1 ,
 | |
| .Xr sshd 8
 | |
| .Sh AUTHORS
 | |
| .An -nosplit
 | |
| .An David Mazieres Aq dm@lcs.mit.edu
 | |
| wrote the initial version, and
 | |
| .An Wayne Davison Aq wayned@users.sourceforge.net
 | |
| added support for protocol version 2.
 | |
| .Sh BUGS
 | |
| It generates "Connection closed by remote host" messages on the consoles
 | |
| of all the machines it scans if the server is older than version 2.9.
 | |
| This is because it opens a connection to the ssh port, reads the public
 | |
| key, and drops the connection as soon as it gets the key.
 |