ssh-keyscan.1 (113908) | ssh-keyscan.1 (124208) |
---|---|
1.\" $OpenBSD: ssh-keyscan.1,v 1.15 2003/03/28 10:11:43 jmc Exp $ | 1.\" $OpenBSD: ssh-keyscan.1,v 1.17 2003/06/10 09:12:11 jmc Exp $ |
2.\" 3.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. 4.\" 5.\" Modification and redistribution in source and binary forms is 6.\" permitted provided that due credit is given to the author and the 7.\" OpenBSD project by leaving this copyright notice intact. 8.\" 9.Dd January 1, 1996 --- 88 unchanged lines hidden (view full) --- 98.Nm 99without verifying the keys, users will be vulnerable to 100.I man in the middle 101attacks. 102On the other hand, if the security model allows such a risk, 103.Nm 104can help in the detection of tampered keyfiles or man in the middle 105attacks which have begun after the ssh_known_hosts file was created. | 2.\" 3.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. 4.\" 5.\" Modification and redistribution in source and binary forms is 6.\" permitted provided that due credit is given to the author and the 7.\" OpenBSD project by leaving this copyright notice intact. 8.\" 9.Dd January 1, 1996 --- 88 unchanged lines hidden (view full) --- 98.Nm 99without verifying the keys, users will be vulnerable to 100.I man in the middle 101attacks. 102On the other hand, if the security model allows such a risk, 103.Nm 104can help in the detection of tampered keyfiles or man in the middle 105attacks which have begun after the ssh_known_hosts file was created. |
106.Sh EXAMPLES 107.Pp 108Print the 109.Pa rsa1 110host key for machine 111.Pa hostname : 112.Bd -literal 113$ ssh-keyscan hostname 114.Ed 115.Pp 116Find all hosts from the file 117.Pa ssh_hosts 118which have new or different keys from those in the sorted file 119.Pa ssh_known_hosts : 120.Bd -literal 121$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e\ 122 sort -u - ssh_known_hosts | diff ssh_known_hosts - 123.Ed | |
124.Sh FILES 125.Pa Input format: 126.Bd -literal 1271.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 128.Ed 129.Pp 130.Pa Output format for rsa1 keys: 131.Bd -literal --- 5 unchanged lines hidden (view full) --- 137host-or-namelist keytype base64-encoded-key 138.Ed 139.Pp 140Where 141.Pa keytype 142is either 143.Dq ssh-rsa 144or | 106.Sh FILES 107.Pa Input format: 108.Bd -literal 1091.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 110.Ed 111.Pp 112.Pa Output format for rsa1 keys: 113.Bd -literal --- 5 unchanged lines hidden (view full) --- 119host-or-namelist keytype base64-encoded-key 120.Ed 121.Pp 122Where 123.Pa keytype 124is either 125.Dq ssh-rsa 126or |
145.Dq ssh-dsa . | 127.Dq ssh-dss . |
146.Pp 147.Pa /etc/ssh/ssh_known_hosts | 128.Pp 129.Pa /etc/ssh/ssh_known_hosts |
148.Sh BUGS 149It generates "Connection closed by remote host" messages on the consoles 150of all the machines it scans if the server is older than version 2.9. 151This is because it opens a connection to the ssh port, reads the public 152key, and drops the connection as soon as it gets the key. | 130.Sh EXAMPLES 131Print the 132.Pa rsa1 133host key for machine 134.Pa hostname : 135.Bd -literal 136$ ssh-keyscan hostname 137.Ed 138.Pp 139Find all hosts from the file 140.Pa ssh_hosts 141which have new or different keys from those in the sorted file 142.Pa ssh_known_hosts : 143.Bd -literal 144$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e 145 sort -u - ssh_known_hosts | diff ssh_known_hosts - 146.Ed |
153.Sh SEE ALSO 154.Xr ssh 1 , 155.Xr sshd 8 156.Sh AUTHORS | 147.Sh SEE ALSO 148.Xr ssh 1 , 149.Xr sshd 8 150.Sh AUTHORS |
157David Mazieres <dm@lcs.mit.edu> | 151.An David Mazieres Aq dm@lcs.mit.edu |
158wrote the initial version, and | 152wrote the initial version, and |
159Wayne Davison <wayned@users.sourceforge.net> | 153.An Wayne Davison Aq wayned@users.sourceforge.net |
160added support for protocol version 2. | 154added support for protocol version 2. |
155.Sh BUGS 156It generates "Connection closed by remote host" messages on the consoles 157of all the machines it scans if the server is older than version 2.9. 158This is because it opens a connection to the ssh port, reads the public 159key, and drops the connection as soon as it gets the key. |
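
Review bot: the `ssh-dsa` to `ssh-dss` change in the output-format description (old line 145, new line 127) is a correctness fix rather than a wording tweak: `ssh-dss` is the key type token OpenSSH actually writes into ssh_known_hosts for DSA keys, so any script that grepped or diffed scan output for the previously documented `ssh-dsa` string could never have matched a DSA key. Worth a sentence in the commit log so that anyone who copied the old wording into a known_hosts check fixes it.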
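
Review bot: the EXAMPLES section re-added at new lines 130-146 is not byte-identical to the copy removed from old lines 106-123, and the two differences should be mentioned in the log: the `.Pp` that followed `.Sh EXAMPLES` (old line 107) is gone, which is right since a paragraph macro directly after a section header only adds a blank line and mandoc lint flags it; and the line continuation in the pipeline example is now `| \e` instead of `| \e\ `, dropping the escaped trailing space that rendered after the backslash. Moving the section to follow FILES, with BUGS relocated to the end after AUTHORS, matches the section order mdoc(7) recommends, so the reorder itself looks fine.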
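
Review bot: switching the author lines to `.An David Mazieres Aq dm@lcs.mit.edu` and `.An Wayne Davison Aq wayned@users.sourceforge.net` is the correct markup, but inside the AUTHORS section `.An` defaults to `-split`, so the second `.An` will start a new output line in the middle of the sentence "wrote the initial version, and ... added support for protocol version 2." Add `.An -nosplit` before the first `.An` to keep the sentence on one line.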
|