Unix/Linux Go Back    

OpenSolaris 2009.06 - man page for ssh-keyscan (opensolaris section 1)

Linux & Unix Commands - Search Man Pages
Man Page or Keyword Search:   man
Select Man Page Set:       apropos Keyword Search (sections above)

ssh-keyscan(1)				  User Commands 			   ssh-keyscan(1)

       ssh-keyscan - gather public ssh host keys of a number of hosts

       ssh-keyscan [-v46] [-p port] [-T timeout] [-t type]
	    [-f file] [-] [host... | addrlist namelist] [...]

       ssh-keyscan  is	a utility for gathering the public ssh host keys of a number of hosts. It
       was designed to aid in building and verifying ssh_known_hosts files. ssh-keyscan  provides
       a  minimal interface suitable for use by shell and perl scripts. The output of ssh-keyscan
       is directed to standard output.

       ssh-keyscan uses non-blocking socket I/O to contact as many hosts as possible in parallel,
       so it is very efficient. The keys from a domain of 1,000 hosts can be collected in tens of
       seconds, even when some of those hosts are down or do not run ssh. For scanning, one  does
       not  need  login  access  to  the  machines  that are being scanned, nor does the scanning
       process involve any encryption.

   File Format
       Input format:,

       Output format for rsa1 keys:

	 host-or-namelist bits exponent modulus

       Output format for rsa and dsa keys, where keytype is either ssh-rsa or `ssh-dsa:

	 host-or-namelist keytype base64-encoded-key

       The following options are supported:

       -f filename		   Read hosts or addrlist namelist pairs from this file, one  per
				   line.  If  you  specity  -  instead of a filename, ssh-keyscan
				   reads hosts or  addrlist  namelist  pairs  from  the  standard

       -p port			   Port to connect to on the remote host.

       -T timeout		   Set	the  timeout  for connection attempts. If timeout seconds
				   have elapsed since a connection was initiated  to  a  host  or
				   since the last time anything was read from that host, the con-
				   nection is closed and  the  host  in  question  is  considered
				   unavailable. The default is for timeout is 5 seconds.

       -t type			   Specify  the  type of the key to fetch from the scanned hosts.
				   The possible values for type are rsa1 for protocol  version	1
				   and rsa or dsa for protocol version 2. Specify multiple values
				   by separating them with commas. The default is rsa1.

       -v			   Specify verbose mode. Print debugging messages about progress.

       -4			   Force to use IPv4 addresses only.

       -6			   Forces to use IPv6 addresses only.

       If a ssh_known_hosts file is constructed using ssh-keyscan  without  verifying  the  keys,
       users  are  vulnerable  to  man-in-the-middle attacks. If the security model allows such a
       risk, ssh-keyscan can help in the detection  of	tampered  keyfiles  or	man-in-the-middle
       attacks which have begun after the ssh_known_hosts file was created.

       Example 1 Printing the rsa1 Host Key

       The following example prints the rsa1 host key for machine hostname:

	 $ ssh-keyscan hostname

       Example 2 Finding All Hosts

       The following commands finds all hosts from the file ssh_hosts which have new or different
       keys from those in the sorted file ssh_known_hosts:

	 $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \
	      sort -u - ssh_known_hosts | diff ssh_known_hosts -


       The following exit values are returned:

       0     No usage errors. ssh-keyscan might or might not have succeeded  or  failed  to  scan
	     one, more or all of the given hosts.

       1     Usage error.

       See attributes(5) for descriptions of the following attributes:

       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       |Availability		     |SUNWsshu			   |
       |Interface Stability	     |Evolving			   |

       ssh(1), sshd(1M), attributes(5)

       David  Mazieres	wrote  the initial version, and Wayne Davison added suppport for protocol
       version 2.

       ssh--keyscan generates

	 Connection closed by remote host

       messages on the consoles of all machines it scans if the server is older than version 2.9.
       This  is because ssh-keyscan opens a connection to the ssh port, reads the public key, and
       drops the connection as soon as it gets the key.

SunOS 5.11				   24 Jul 2004				   ssh-keyscan(1)
Unix & Linux Commands & Man Pages : ©2000 - 2018 Unix and Linux Forums

All times are GMT -4. The time now is 02:53 PM.