User Commands ssh-keyscan(1)
NAME
ssh-keyscan - gather public ssh host keys of a number of
hostsSYNOPSIS
ssh-keyscan [-v46] [-p port] [-T timeout] [-t type]
[-f file] [-] [host... | addrlist namelist] [...]
DESCRIPTION
ssh-keyscan is a utility for gathering the public ssh host
keys of a number of hosts. It was designed to aid in build-
ing and verifying ssh_known_hosts files. ssh-keyscan pro-
vides a minimal interface suitable for use by shell and perlscripts. The output of ssh-keyscan is directed to standard
output.ssh-keyscan uses non-blocking socket I/O to contact as many
hosts as possible in parallel, so it is very efficient. The keys from a domain of 1,000 hosts can be collected in tens of seconds, even when some of those hosts are down or do not run ssh. For scanning, one does not need login access to themachines that are being scanned, nor does the scanning pro-
cess involve any encryption. File Format Input format: 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 Output format for rsa1 keys:host-or-namelist bits exponent modulus
Output format for rsa and dsa keys, where keytype is eitherssh-rsa or `ssh-dsa:
host-or-namelist keytype base64-encoded-key
OPTIONS The following options are supported:SunOS 5.11 Last change: 24 Jul 2004 1
User Commands ssh-keyscan(1)
-f filename Read hosts or addrlist namelist
pairs from this file, one perline. If you specity - instead
of a filename, ssh-keyscan reads
hosts or addrlist namelist pairs from the standard input.-p port Port to connect to on the remote
host.-T timeout Set the timeout for connection
attempts. If timeout seconds have elapsed since a connection was initiated to a host or since the last time anything was read from that host, the connectionis closed and the host in ques-
tion is considered unavailable. The default is for timeout is 5 seconds.-t type Specify the type of the key to
fetch from the scanned hosts. The possible values for type are rsa1 for protocol version 1 and rsa or dsa for protocol version 2. Specify multiple values by separating them with commas. The default is rsa1.-v Specify verbose mode. Print
debugging messages about pro-
gress.-4 Force to use IPv4 addresses
only.-6 Forces to use IPv6 addresses
only. SECURITYIf a ssh_known_hosts file is constructed using ssh-keyscan
without verifying the keys, users are vulnerable to man-in-
the-middle attacks. If the security model allows such a
risk, ssh-keyscan can help in the detection of tampered
SunOS 5.11 Last change: 24 Jul 2004 2
User Commands ssh-keyscan(1)
keyfiles or man-in-the-middle attacks which have begun after
the ssh_known_hosts file was created.
EXAMPLES
Example 1 Printing the rsa1 Host Key The following example prints the rsa1 host key for machine hostname:$ ssh-keyscan hostname
Example 2 Finding All Hosts The following commands finds all hosts from the filessh_hosts which have new or different keys from those in the
sorted file ssh_known_hosts:
$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \
sort -u - ssh_known_hosts | diff ssh_known_hosts -
FILES/etc/ssh_known_hosts
EXIT STATUS The following exit values are returned:0 No usage errors. ssh-keyscan might or might not have
succeeded or failed to scan one, more or all of the given hosts. 1 Usage error.ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:SunOS 5.11 Last change: 24 Jul 2004 3
User Commands ssh-keyscan(1)
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | network/ssh ||_____________________________|_____________________________|
| Interface Stability | Committed ||_____________________________|_____________________________|
SEE ALSO
ssh(1), sshd(1M), attributes(5) AUTHORS David Mazieres wrote the initial version, and Wayne Davison added suppport for protocol version 2.BUGS
ssh-keyscan generates
Connection closed by remote host messages on the consoles of all machines it scans if theserver is older than version 2.9. This is because ssh-
keyscan opens a connection to the ssh port, reads the public key, and drops the connection as soon as it gets the key.SunOS 5.11 Last change: 24 Jul 2004 4