| field | value | date |
|---|---|---|
| author | des <des@FreeBSD.org> | 2008-07-22 18:58:19 +0000 |
| committer | des <des@FreeBSD.org> | 2008-07-22 18:58:19 +0000 |
| commit | 666aa9cc1660793c97ef29a6cb66dfbb894dde8f (patch) | |
| tree | 209e642fbe2a816041f67bc27c9800879f5541bc /crypto/openssh/ssh-keyscan.1 | |
| parent | 624d93001f28e236c027516d88282351eb7bffbe (diff) | |
Revert part of 180714 - the intent was to flatten dist, not to nuke it.
Diffstat (limited to 'crypto/openssh/ssh-keyscan.1')
-rw-r--r-- | crypto/openssh/ssh-keyscan.1 | 168 |
1 files changed, 168 insertions, 0 deletions
diff --git a/crypto/openssh/ssh-keyscan.1 b/crypto/openssh/ssh-keyscan.1 new file mode 100644 index 0000000..a3656fc --- /dev/null +++ b/crypto/openssh/ssh-keyscan.1 
@@ -0,0 +1,168 @@ +.\" $OpenBSD: ssh-keyscan.1,v 1.22 2006/09/25 04:55:38 ray Exp $ +.\" +.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. +.\" +.\" Modification and redistribution in source and binary forms is +.\" permitted provided that due credit is given to the author and the +.\" OpenBSD project by leaving this copyright notice intact. +.\" +.Dd January 1, 1996 +.Dt SSH-KEYSCAN 1 +.Os +.Sh NAME +.Nm ssh-keyscan +.Nd gather ssh public keys +.Sh SYNOPSIS +.Nm ssh-keyscan +.Bk -words +.Op Fl 46Hv +.Op Fl f Ar file +.Op Fl p Ar port +.Op Fl T Ar timeout +.Op Fl t Ar type +.Op Ar host | addrlist namelist +.Op Ar ... +.Ek +.Sh DESCRIPTION +.Nm +is a utility for gathering the public ssh host keys of a number of +hosts. +It was designed to aid in building and verifying +.Pa ssh_known_hosts +files. +.Nm +provides a minimal interface suitable for use by shell and perl +scripts. +.Pp +.Nm +uses non-blocking socket I/O to contact as many hosts as possible in +parallel, so it is very efficient. +The keys from a domain of 1,000 +hosts can be collected in tens of seconds, even when some of those +hosts are down or do not run ssh. +For scanning, one does not need +login access to the machines that are being scanned, nor does the +scanning process involve any encryption. +.Pp +The options are as follows: +.Bl -tag -width Ds +.It Fl 4 +Forces +.Nm +to use IPv4 addresses only. +.It Fl 6 +Forces +.Nm +to use IPv6 addresses only. +.It Fl f Ar file +Read hosts or +.Pa addrlist namelist +pairs from this file, one per line. +If +.Pa - +is supplied instead of a filename, +.Nm +will read hosts or +.Pa addrlist namelist +pairs from the standard input. +.It Fl H +Hash all hostnames and addresses in the output. +Hashed names may be used normally by +.Nm ssh +and +.Nm sshd , +but they do not reveal identifying information should the file's contents +be disclosed. +.It Fl p Ar port +Port to connect to on the remote host. 
+.It Fl T Ar timeout +Set the timeout for connection attempts. +If +.Pa timeout +seconds have elapsed since a connection was initiated to a host or since the +last time anything was read from that host, then the connection is +closed and the host in question considered unavailable. +Default is 5 seconds. +.It Fl t Ar type +Specifies the type of the key to fetch from the scanned hosts. +The possible values are +.Dq rsa1 +for protocol version 1 and +.Dq rsa +or +.Dq dsa +for protocol version 2. +Multiple values may be specified by separating them with commas. +The default is +.Dq rsa1 . +.It Fl v +Verbose mode. +Causes +.Nm +to print debugging messages about its progress. +.El +.Sh SECURITY +If an ssh_known_hosts file is constructed using +.Nm +without verifying the keys, users will be vulnerable to +.Em man in the middle +attacks. +On the other hand, if the security model allows such a risk, +.Nm +can help in the detection of tampered keyfiles or man in the middle +attacks which have begun after the ssh_known_hosts file was created. +.Sh FILES +.Pa Input format: +.Bd -literal +1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 +.Ed +.Pp +.Pa Output format for rsa1 keys: +.Bd -literal +host-or-namelist bits exponent modulus +.Ed +.Pp +.Pa Output format for rsa and dsa keys: +.Bd -literal +host-or-namelist keytype base64-encoded-key +.Ed +.Pp +Where +.Pa keytype +is either +.Dq ssh-rsa +or +.Dq ssh-dss . 
+.Pp +.Pa /etc/ssh/ssh_known_hosts +.Sh EXAMPLES +Print the +.Pa rsa1 +host key for machine +.Pa hostname : +.Bd -literal +$ ssh-keyscan hostname +.Ed +.Pp +Find all hosts from the file +.Pa ssh_hosts +which have new or different keys from those in the sorted file +.Pa ssh_known_hosts : +.Bd -literal +$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e + sort -u - ssh_known_hosts | diff ssh_known_hosts - +.Ed +.Sh SEE ALSO +.Xr ssh 1 , +.Xr sshd 8 +.Sh AUTHORS +.An -nosplit +.An David Mazieres Aq dm@lcs.mit.edu +wrote the initial version, and +.An Wayne Davison Aq wayned@users.sourceforge.net +added support for protocol version 2. +.Sh BUGS +It generates "Connection closed by remote host" messages on the consoles +of all the machines it scans if the server is older than version 2.9. +This is because it opens a connection to the ssh port, reads the public +key, and drops the connection as soon as it gets the key. |
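Review bot: the mdoc markup in this restored page uses the `.Pa` (pathname) macro for several things that are not pathnames, which renders them in the wrong font and misleads readers about what is a file: `.Pa timeout` in the `-T` description, `.Pa rsa1` in EXAMPLES, `.Pa addrlist namelist` and `.Pa -` under `-f`, and the pseudo-headings `.Pa Input format:` / `.Pa Output format for rsa1 keys:` in FILES. Command arguments should use `.Ar` (e.g. `.Ar timeout`, `.Ar addrlist namelist`), key-type names `.Dq` or `.Cm`, and the format headings plain text or `.Sy`; the only genuine path in that section is `.Pa /etc/ssh/ssh_known_hosts`. Since this commit reverts a vendor dist file to its upstream content, the fix belongs upstream (the `$OpenBSD: ssh-keyscan.1,v 1.22` header identifies the version to patch against) rather than as a local diff here. Worth keeping in mind when pointing users at this page: the documented default `-t rsa1` means the first EXAMPLES command fetches only a protocol 1 key, and the SECURITY section's warning applies to both examples, as neither verifies the collected keys.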