SYNOPSIS
     ssh-keyscan [-46Hv] [-f file] [-p port] [-T timeout] [-t type]
                 [host | addrlist namelist] [...]

DESCRIPTION
     ssh-keyscan is a utility for gathering the public ssh host keys of a
     number of hosts.  It was designed to aid in building and verifying
     ssh_known_hosts files.  ssh-keyscan provides a minimal interface suitable
     for use by shell and perl scripts.

     ssh-keyscan uses non-blocking socket I/O to contact as many hosts as
     possible in parallel, so it is very efficient.  The keys from a domain of
     1,000 hosts can be collected in tens of seconds, even when some of those
     hosts are down or do not run ssh.  For scanning, one does not need login
     access to the machines that are being scanned, nor does the scanning
     process involve any encryption.

     The options are as follows:

     -4      Forces ssh-keyscan to use IPv4 addresses only.

     -6      Forces ssh-keyscan to use IPv6 addresses only.

     -f file
             Read hosts or addrlist namelist pairs from this file, one per
             line.  If - is supplied instead of a filename, ssh-keyscan will
             read hosts or addrlist namelist pairs from the standard input.

     -H      Hash all hostnames and addresses in the output.  Hashed names may
             be used normally by ssh and sshd, but they do not reveal
             identifying information should the file's contents be disclosed.

     -p port
             Port to connect to on the remote host.

     -T timeout
             Set the timeout for connection attempts.  If timeout seconds have

             values may be specified by separating them with commas.  The
             default is ``rsa1''.

     -v      Verbose mode.  Causes ssh-keyscan to print debugging messages
             about its progress.

SECURITY
     If a ssh_known_hosts file is constructed using ssh-keyscan without
     verifying the keys, users will be vulnerable to man in the middle
     attacks.  On the other hand, if the security model allows such a risk,
     ssh-keyscan can help in the detection of tampered keyfiles or man in the
     middle attacks which have begun after the ssh_known_hosts file was
     created.

FILES
     Input format:

     1.2.3.4,1.2.4.4    name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4

     Output format for rsa1 keys:

     host-or-namelist bits exponent modulus

     Output format for rsa and dsa keys:

     host-or-namelist keytype base64-encoded-key

     Where keytype is either ``ssh-rsa'' or ``ssh-dss''.

     /etc/ssh/ssh_known_hosts

EXAMPLES
     Print the rsa1 host key for machine hostname:

     $ ssh-keyscan hostname

     Find all hosts from the file ssh_hosts which have new or different keys
     from those in the sorted file ssh_known_hosts:

     $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \
             sort -u - ssh_known_hosts | diff ssh_known_hosts -
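     The diff pipeline above reports any line that differs, but the SECURITY
     section's point is that a key that has changed for an already-known host
     is the man-in-the-middle signal, while a host that is merely new is not.
     The script below is an added illustration, not part of the man page: it
     reads a stored ssh_known_hosts and a fresh scan in the rsa/dsa output
     format ("host-or-namelist keytype base64-encoded-key") and classifies
     each scanned entry as NEW or CHANGED.  The key blobs are constructed
     placeholders, not real key material.

```sh
# POSIX sh. Compare a fresh ssh-keyscan run against an existing
# ssh_known_hosts and flag new hosts versus changed keys.

# keyscan_report KNOWN_HOSTS SCAN_OUTPUT
# Prints "NEW <host> <keytype>" for a host/keytype pair absent from
# KNOWN_HOSTS, "CHANGED <host> <keytype>" when the key material differs
# (the case to investigate), and nothing when the key matches.
keyscan_report() {
    awk '
        # First file: load known keys, skipping comments and blank lines.
        NR == FNR { if ($1 !~ /^#/ && NF >= 3) known[$1 SUBSEP $2] = $3; next }
        # Second file: scan output in the same three-field format.
        $1 !~ /^#/ && NF >= 3 {
            k = $1 SUBSEP $2
            if (!(k in known))       print "NEW", $1, $2
            else if (known[k] != $3) print "CHANGED", $1, $2
        }
    ' "$1" "$2"
}

# demo: constructed sample data (placeholder keys), host2 has a changed
# ssh-dss key and host3 is not yet in the stored file.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/ssh_known_hosts" <<'EOF'
# constructed sample; blobs are placeholders, not real keys
host1.example,10.0.0.1 ssh-rsa AAAAB3NzaC1yc2EAAAAplaceholderKEY1
host2.example ssh-dss AAAAB3NzaC1kc3MAAACplaceholderKEY2
EOF
    cat > "$tmp/scan.out" <<'EOF'
host1.example,10.0.0.1 ssh-rsa AAAAB3NzaC1yc2EAAAAplaceholderKEY1
host2.example ssh-dss AAAAB3NzaC1kc3MAAACplaceholderKEY9
host3.example ssh-rsa AAAAB3NzaC1yc2EAAAAplaceholderKEY3
EOF
    keyscan_report "$tmp/ssh_known_hosts" "$tmp/scan.out"
    rm -rf "$tmp"
}

demo
```

     In practice the second argument is the output of
     ssh-keyscan -t rsa,dsa -f ssh_hosts saved to a file.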

SEE ALSO
     This is because it opens a connection to the ssh port, reads the public
     key, and drops the connection as soon as it gets the key.

OpenBSD 3.8                     January 1, 1996