


SYNOPSIS

       make-ssh-known-hosts
              [--initialdns initial_dns]
              [--server domain_name_server]
              [--subdomains comma_separated_list_of_subdomains]
              [--debug debug_level]
              [--timeout ssh_exec_timeout]
              [--pingtimeout ping_timeout]
              [--passwordtimeout timeout_when_asking_password]
              [--notrustdaemon]
              [--norecursive]
              [--domainnamesplit]
              [--silent]
              [--keyscan]
              [--nslookup path_to_nslookup_program]
              [--ssh path_to_ssh_program]
              domain_name [take_regexp [remove_regexp]]



DESCRIPTION

       make-ssh-known-hosts is a perl5 script that helps create the
       /etc/ssh_known_hosts file, which is used by ssh to contain the host
       keys of all publicly known hosts.  Ssh does not normally permit login
       using rhosts or /etc/hosts.equiv authentication unless the server knows
       the client's host key.  In addition, the host keys are used to prevent
       man-in-the-middle attacks.

       In addition to /etc/ssh_known_hosts, ssh also uses the
       $HOME/.ssh/known_hosts file.  This file, however, is intended to
       contain only those hosts that the particular user needs but are not in
       the global file.  It is intended that the /etc/ssh_known_hosts file be
       maintained by the system administration, and periodically updated to
       contain the host keys for any new hosts.

       The make-ssh-known-hosts program finds all the hosts in a domain by
       making a DNS query to the master domain name server of the domain. The
       master domain name server is located by searching for the SOA record of
       the domain from the initial domain name server (which can be specified
       with the --initialdns option). The master domain name server can also
       be given directly with the --server option.

       After getting the hostname list, make-ssh-known-hosts tries to get the
       public key from every host in the domain. It first tries to connect to
       the ssh port to check if the host is alive, and if so, it tries to run
       the command cat /etc/ssh_host_key.pub on the remote machine using ssh.
       If the command succeeds, it knows the remote machine has ssh installed
       properly, and it then extracts the public key from the output and
       prints the /etc/ssh_known_hosts entry for it to STDOUT. Because
       make-ssh-known-hosts is usually run before the remote machines have an
       /etc/ssh_known_hosts file, you may have to use RSA authentication to
       allow access to the hosts.

       the form "fieldname=value". The fields are separated with newlines, and
       the perl match is made in multiline mode and is case insensitive.
       The multiline mode means that you can use a regexp like
       "^wks=.*telnet.*$" to match all hosts that have a WKS (well known
       services) field that contains the value "telnet".

       Remove_regexp is similar but those hosts that match the regexp are not
       added (it can be used for example to filter out PCs and Macs using the
       hinfo field: "^hinfo=.*(mac|pc)").
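       To show how the take_regexp and remove_regexp matching described above
       behaves, here is an added Python example (not part of the original
       script, which is written in Perl); the host records are constructed,
       and the field names follow the page's own examples:

```python
import re

# Constructed sample records: one "fieldname=value" line per DNS field, in the
# shape the take/remove regexps are matched against.
SAMPLE_RECORDS = {
    "alpha.hut.fi": "hinfo=SUN SOLARIS\nwks=ftp telnet smtp\n",
    "beta.hut.fi":  "hinfo=PC Windows\nwks=telnet\n",
    "gamma.hut.fi": "HINFO=Mac System7\nWKS=TELNET ssh\n",
    "delta.hut.fi": "hinfo=HP HP-UX\nwks=ftp smtp\n",
}


def select_hosts(records, take_regexp=None, remove_regexp=None):
    """Return the hosts whose record matches take_regexp (when given) and
    does not match remove_regexp (when given).  Both are compiled in
    multiline, case-insensitive mode, so '^wks=' anchors at the start of
    any field line and 'telnet' also matches 'TELNET'."""
    take = re.compile(take_regexp, re.M | re.I) if take_regexp else None
    remove = re.compile(remove_regexp, re.M | re.I) if remove_regexp else None
    chosen = []
    for host, record in records.items():
        if take is not None and not take.search(record):
            continue          # does not have the wanted field/value
        if remove is not None and remove.search(record):
            continue          # explicitly filtered out (e.g. PCs and Macs)
        chosen.append(host)
    return chosen


if __name__ == "__main__":
    # Hosts that advertise telnet in their WKS record
    print(select_hosts(SAMPLE_RECORDS, r"^wks=.*telnet.*$"))
    # The same, minus PCs and Macs according to the HINFO record
    print(select_hosts(SAMPLE_RECORDS, r"^wks=.*telnet.*$",
                       r"^hinfo=.*(mac|pc)"))
```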



OPTIONS

       --initialdns initial_dns

       -i initial_dns
              Set the initial domain name server used to query the SOA record
              of the domain.


       --server domain_name_server

       -se domain_name_server
              Set the master domain name server of the domain. This host is
              used to query the DNS list of the domain.


       --subdomains subdomainlist

       -su subdomainlist
              Comma separated list of subdomains that are added to hostnames.
              For example, if subdomainlist is ",foo, foo.bar, foo.bar.zappa,
              foo.bar.zappa.hut.fi" then when host foobar is added to the
              /etc/ssh_known_hosts file it has aliases "foobar, foobar.foo,
              foobar.foo.bar, foobar.foo.bar.zappa,
              foobar.foo.bar.zappa.hut.fi". The default action is to take all
              subparts of the host but the second last on a host by host
              basis.  (The last element is usually the country code, and
              something like foobar.foo.bar.zappa.hut would not make sense.)


       --debug debug_level

       -de debug_level
              Set the debug level. Default is 5, bigger values give more
              output.  Using a big value (like 999) will print lots of
              debugging output.


       --timeout ssh_exec_timeout

       -ti ssh_exec_timeout
              Timeout when executing ssh command.  The default is 60 seconds.
              word queries.


       --notrustdaemon

       -notr  If the ssh command fails, use the public key stored in the local
              known hosts file and trust it is the correct key for the host.
              If this option is not given such entries are commented out in
              the generated /etc/ssh_known_hosts file.


       --norecursive

       -nor   Tell make-ssh-known-hosts that it should only extract keys for
              the given domain, and not to be recursive.


       --domainnamesplit

       -do    Split the domain name to get the list of subdomains. Use this
              option if you don't want the hostname to be split into pieces
              automatically.  Default splitting is done on a host by host
              basis. If the domain is zappa.hut.fi, and the host name is
              foo.bar, then the default action adds the entries "foo, foo.bar,
              foo.bar.zappa, foo.bar.zappa.hut.fi" and this option adds the
              entries "foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi".
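       The alias splitting described under --subdomains and --domainnamesplit,
       as an added Python example (not the script's own Perl code); the
       whitespace trimming of the subdomain list and the placeholder key are
       assumptions:

```python
def default_aliases(host, domain):
    """Default host-by-host splitting: join host and domain, then keep every
    leading part of the full name except the second last one (which would
    end in something like foo.bar.zappa.hut)."""
    labels = f"{host}.{domain}".split(".")
    n = len(labels)
    return [".".join(labels[:i]) for i in range(1, n + 1) if i != n - 1]


def domainnamesplit_aliases(host, domain):
    """--domainnamesplit: keep the host name whole and split only the domain,
    again dropping the second last element."""
    dlabels = domain.split(".")
    n = len(dlabels)
    out = [host]
    out += [host + "." + ".".join(dlabels[:i])
            for i in range(1, n + 1) if i != n - 1]
    return out


def subdomain_aliases(host, subdomainlist):
    """--subdomains: an explicit comma separated list; an empty element gives
    the bare host name.  Trimming whitespace around elements is an assumption
    of this example."""
    names = []
    for sub in subdomainlist.split(","):
        sub = sub.strip()
        names.append(host if not sub else f"{host}.{sub}")
    return names


def known_hosts_entry(aliases, key):
    """A known_hosts line lists all names for the host comma separated,
    followed by the host's public key."""
    return ",".join(aliases) + " " + key


if __name__ == "__main__":
    print(default_aliases("foo.bar", "zappa.hut.fi"))
    print(domainnamesplit_aliases("foo.bar", "zappa.hut.fi"))
    print(subdomain_aliases("foobar",
                            ",foo, foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi"))
    # PLACEHOLDER key: a real entry carries the key read from the remote
    # /etc/ssh_host_key.pub here.
    print(known_hosts_entry(default_aliases("foo.bar", "zappa.hut.fi"),
                            "<PLACEHOLDER-HOST-KEY>"))
```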


       --silent

       -si    Be silent.


       --keyscan

       -k     Output a list of all hosts in the format "ipaddr1,ipaddr2,...ipaddrn
              hostname.domain.co,hostname,ipaddr1,ipaddr2,all_other_hostname_entries".
              The output of this can be fed to ssh-keyscan to fetch the keys.


       --nslookup path_to_nslookup_program

       -n path_to_nslookup_program
              Path to the nslookup program.


       --ssh path_to_ssh_program

       -ss path_to_ssh_program
              Path to the ssh program, including all options.

       server (cs.hut.fi, tf.hut.fi, tky.hut.fi) that have ssh service and
       puts their public keys in the hut-hosts file. This would require that
       the domain name server of hut.fi defines all hosts running ssh to have
       the entry ssh in their WKS record. Because nobody yet adds ssh to WKS,
       it would be better to use the command

              example% make-ssh-known-hosts hut.fi '^wks=.*telnet' > hut-hosts

       which takes those hosts having telnet service. This uses the default
       subdomain list.


       The command:

              example% make-ssh-known-hosts hut.fi 'dipoli.hut.fi'
              '^hinfo=.*(mac|pc)' > dipoli-hosts

       finds all hosts in the hut.fi domain that are in the dipoli.hut.fi
       subdomain (note that dipoli.hut.fi does not have its own name server,
       so its entries are in the hut.fi server) and that are not Macs or PCs.



FILES

       /etc/ssh_known_hosts          Global host public key list



SEE ALSO

       ssh(1), sshd(8), ssh-keygen(1), ping(8), nslookup(8), perl(1),
       perlre(1)



AUTHOR

       Tero Kivinen <kivinen@hut.fi>



COPYING

       Permission is granted to make and distribute verbatim copies of this
       manual provided the copyright notice and this permission notice are
       preserved on all copies.

       Permission is granted to copy and distribute modified versions of this
       manual under the conditions for verbatim copying, provided that the
       entire resulting derived work is distributed under the terms of a
       permission notice identical to this one.

       Permission is granted to copy and distribute translations of this
       manual into another language, under the above conditions for modified
       versions, except that this permission notice may be included in
       translations approved by the author instead of in the original English.



