

     ssh-keyscan - gather public ssh host keys of a number of hosts

     ssh-keyscan [-v46] [-p port]  [-T  timeout]  [-t  type]  [-f
     file] [-] [host... | addrlist namelist]  [...]

     ssh-keyscan is a utility for gathering the public  ssh  host
     keys  of a number of hosts. It was designed to aid in build-
     ing and verifying ssh_known_hosts  files.  ssh-keyscan  pro-
     vides a minimal interface suitable for use by shell and perl
     scripts.  The output of ssh-keyscan is directed to  standard

     ssh-keyscan uses non-blocking socket I/O to contact as  many
     hosts  as possible in parallel, so it is very efficient. The
     keys from a domain of 1,000 hosts can be collected  in  tens
     of seconds, even when some of those hosts are down or do not
     run ssh. For scanning, one does not need login access to the
     machines  that are being scanned, nor does the scanning pro-
     cess involve any encryption.

  File Format
     Input format:,

     Output format for rsa1 keys:

     host-or-namelist bits exponent modulus

     Output format for rsa and dsa keys, where keytype is  either
     ssh-rsa or ssh-dsa:

     host-or-namelist keytype base64-encoded-key

     The following options are supported:

     -f filename             Read  hosts  or  addrlist   namelist
                             pairs  from this file, one per line.
                             If  you  specify  -  instead  of   a
                             filename, ssh-keyscan reads hosts or
                             addrlist  namelist  pairs  from  the
                             standard input.

     -p port                 Port to connect  to  on  the  remote

     -T timeout              Set  the  timeout   for   connection
                             attempts.  If  timeout  seconds have
                             elapsed since a connection was  ini-
                             tiated  to  a host or since the last
                             time anything  was  read  from  that
                             host,  the  connection is closed and
                             the host in question  is  considered
                             unavailable.  The  default  for
                             timeout is 5 seconds.

     -t type                 Specify the type of the key to fetch
                             from the scanned hosts. The possible
                             values for type are rsa1 for  proto-
                             col  version  1  and  rsa or dsa for
                             protocol version 2. Specify multiple
                             values  by separating them with com-
                             mas. The default is rsa1.

     -v                      Specify verbose mode.  Print  debug-
                             ging messages about progress.

     -4                      Forces ssh-keyscan to use IPv4
                             addresses only.

     -6                      Forces ssh-keyscan to use IPv6
                             addresses only.

     If a ssh_known_hosts file is constructed  using  ssh-keyscan
     without  verifying the keys, users are vulnerable to man-in-
     the-middle attacks. If the  security  model  allows  such  a
     risk, ssh-keyscan can help in the detection of tampered key-
     files or man-in-the-middle attacks which  have  begun  after
     the ssh_known_hosts file was created.

     Example 1: Printing the rsa1 Host Key

     The following example prints the rsa1 host key  for  machine

     $ ssh-keyscan hostname

     Example 2: Finding All Hosts

     The  following  command  finds  all  hosts  from  the  file
     ssh_hosts which have new or different keys from those in the
     sorted file ssh_known_hosts:

     $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \
          sort -u - ssh_known_hosts | diff ssh_known_hosts -
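
     An added example, not part of the original man page: a per-name,
     per-keytype comparison of fresh ssh-keyscan output against a trusted
     ssh_known_hosts file, parsing both output formats listed under File
     Format. The function names, file names and key values are constructed
     for illustration, and entries are assumed to be unhashed.

```shell
#!/bin/sh
# Added example: report host keys that are new or changed relative to a
# trusted, unhashed ssh_known_hosts file. Names and keys are constructed.

compare_hostkeys() {   # $1 = trusted known_hosts, $2 = fresh ssh-keyscan output
    awk '
        /^#/ || NF < 3 { next }              # skip comments and short lines
        {
            # rsa1:    host-or-namelist bits exponent modulus
            # rsa/dsa: host-or-namelist keytype base64-encoded-key
            if (NF == 4 && $2 ~ /^[0-9]+$/) {
                type = "rsa1"; key = $2 " " $3 " " $4
            } else {
                type = $2; key = $3
            }
            n = split($1, names, ",")        # namelist: name,alias,address
            for (i = 1; i <= n; i++) {
                id = names[i] " " type       # compare per (name, keytype)
                if (FILENAME == ARGV[1]) { trusted[id] = key; continue }
                if (!(id in trusted)) {
                    print "NEW " id          # no trusted key to compare with
                } else if (trusted[id] != key) {
                    print "CHANGED " id      # differs from the trusted key
                }
            }
        }
    ' "$1" "$2" | sort -u
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample data; the key blobs are placeholders, not real keys.
    cat > "$dir/known" <<'EOF'
web1,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAAconstructedA
db1 ssh-rsa AAAAB3NzaC1yc2EAAAAconstructedB
old1 1024 35 1234567890123
EOF
    cat > "$dir/scan" <<'EOF'
web1,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAAconstructedA
db1 ssh-rsa AAAAB3NzaC1yc2EAAAAconstructedX
old1 1024 35 1234567890123
new1 ssh-rsa AAAAB3NzaC1yc2EAAAAconstructedC
EOF
    compare_hostkeys "$dir/known" "$dir/scan"
    rm -rf "$dir"
}

demo
```

     A CHANGED line means the scanned key differs from the trusted one and
     should be verified out of band before the known hosts file is updated;
     a NEW line means no trusted key exists yet for that name and key type.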


     The following exit values are returned:

     0        No usage errors. ssh-keyscan  might  or  might  not
              have  succeeded  or failed to scan one, more or all
              of the given hosts.

     1        Usage error.

     See attributes(5) for descriptions of the  following  attri-

    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    | Availability                | SUNWsshu                    |
    | Interface Stability         | Evolving                    |

     ssh(1), sshd(1M), attributes(5)

     David Mazieres wrote the initial version, and Wayne  Davison
     added support for protocol version 2.

     ssh-keyscan generates

     Connection closed by remote host
     messages on the consoles of all machines  it  scans  if  the
     server  is  older  than  version  2.9.  This is because ssh-
     keyscan opens a connection to the ssh port, reads the public
     key, and drops the connection as soon as it gets the key.

Man pages from Solaris 10 Update 8. See docs.sun.com and www.oracle.com for further documentation and Solaris information.