| SSH-KEYSCAN(1) | General Commands Manual | SSH-KEYSCAN(1) | 
ssh-keyscan —
| ssh-keyscan | [ -46cDHv] [-ffile] [-Ooption] [-pport] [-Ttimeout] [-ttype] [host |
      addrlist namelist] | 
ssh-keyscan is a utility for gathering the public SSH
  host keys of a number of hosts. It was designed to aid in building and
  verifying ssh_known_hosts files, the format of which
  is documented in sshd(8).
  ssh-keyscan provides a minimal interface suitable for
  use by shell and perl scripts.
ssh-keyscan uses non-blocking socket I/O
    to contact as many hosts as possible in parallel, so it is very efficient.
    The keys from a domain of 1,000 hosts can be collected in tens of seconds,
    even when some of those hosts are down or do not run
    sshd(8). For scanning, one does
    not need login access to the machines that are being scanned, nor does the
    scanning process involve any encryption.
Hosts to be scanned may be specified by hostname, address or by CIDR network range (e.g. 192.168.16/28). If a network range is specified, then all addresses in that range will be scanned.
The options are as follows:
-4ssh-keyscan to use IPv4 addresses only.-6ssh-keyscan to use IPv6 addresses only.-c-D-f
    filessh-keyscan will read from
      the standard input. Names read from a file must start with an address,
      hostname or CIDR network range to be scanned. Addresses and hostnames may
      optionally be followed by comma-separated name or address aliases that
      will be copied to the output. For example:
    
192.168.11.0/24
10.20.1.1
happy.example.org
10.0.0.1,sad.example.org
    
    -H-O
    optionhashalg=algorithm-D flag. Valid algorithms are
          “sha1” and “sha256”. The default is to
          print both.-p
    port-T
    timeout-t
    type-vIf an ssh_known_hosts file is constructed using
    ssh-keyscan without verifying the keys, users will
    be vulnerable to man in the middle attacks. On the other
    hand, if the security model allows such a risk,
    ssh-keyscan can help in the detection of tampered
    keyfiles or man in the middle attacks which have begun after the
    ssh_known_hosts file was created.
$ ssh-keyscan -t rsa
  hostnameSearch a network range, printing all supported key types:
$ ssh-keyscan
  192.168.0.64/25Find all hosts from the file ssh_hosts which have new or different keys from those in the sorted file ssh_known_hosts:
$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \ sort -u - ssh_known_hosts | diff ssh_known_hosts -
Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints, RFC 4255, 2006.
| February 10 2023 | NetBSD 9.4 |