Go to main content

man pages section 1: User Commands

Exit Print View

Updated: July 2017

ssh-keyscan.openssh (1)


ssh-keyscan.openssh - gather ssh public keys


ssh-keyscan [-46cHv] [-f file] [-p port] [-T timeout] [-t type] [host |
addrlist namelist] ...


SSH-KEYSCAN(1)              General Commands Manual             SSH-KEYSCAN(1)

       ssh-keyscan - gather ssh public keys

       ssh-keyscan [-46cHv] [-f file] [-p port] [-T timeout] [-t type] [host |
       addrlist namelist] ...

       ssh-keyscan is a utility for gathering the public ssh host  keys  of  a
       number  of  hosts.   It  was  designed to aid in building and verifying
       ssh_known_hosts files.  ssh-keyscan provides a minimal interface  suit-
       able for use by shell and perl scripts.

       ssh-keyscan  uses  non-blocking  socket I/O to contact as many hosts as
       possible in parallel, so it is very efficient.  The keys from a  domain
       of  1,000  hosts can be collected in tens of seconds, even when some of
       those hosts are down or do not run ssh.  For  scanning,  one  does  not
       need  login access to the machines that are being scanned, nor does the
       scanning process involve any encryption.

       The options are as follows:

       -4     Forces ssh-keyscan to use IPv4 addresses only.

       -6     Forces ssh-keyscan to use IPv6 addresses only.

       -c     Request certificates from target hosts instead of plain keys.

       -f file
              Read hosts or ``addrlist namelist'' pairs  from  file,  one  per
              line.   If - is supplied instead of a filename, ssh-keyscan will
              read hosts or ``addrlist  namelist''  pairs  from  the  standard

       -H     Hash  all  hostnames  and addresses in the output.  Hashed names
              may be used normally by ssh and sshd, but  they  do  not  reveal
              identifying information should the file's contents be disclosed.

       -p port
              Port to connect to on the remote host.

       -T timeout
              Set  the  timeout  for  connection attempts.  If timeout seconds
              have elapsed since a connection was initiated to a host or since
              the last time anything was read from that host, then the connec-
              tion is closed and the host in question considered  unavailable.
              Default is 5 seconds.

       -t type
              Specifies  the  type of the key to fetch from the scanned hosts.
              The possible values are ``rsa1''  for  protocol  version  1  and
              ``dsa'', ``ecdsa'', ``ed25519'', or ``rsa'' for protocol version
              2.  Multiple values may be specified  by  separating  them  with
              commas.   The  default  is  to  fetch  ``rsa'',  ``ecdsa'',  and
              ``ed25519'' keys.

       -v     Verbose mode.  Causes ssh-keyscan to  print  debugging  messages
              about its progress.

       If  an  ssh_known_hosts  file  is constructed using ssh-keyscan without
       verifying the keys, users will be vulnerable to maninthemiddle attacks.
       On  the  other  hand,  if  the  security model allows such a risk, ssh-
       keyscan can help in the detection of tampered keyfiles or  man  in  the
       middle attacks which have begun after the ssh_known_hosts file was cre-

       Input format:, name.my.domain,name,n.my.domain,n,,

       Output format for RSA1 keys:

       host-or-namelist bits exponent modulus

       Output format for RSA, DSA, ECDSA, and Ed25519 keys:

       host-or-namelist keytype base64-encoded-key

       Where   keytype    is    either    ``ecdsa-sha2-nistp256'',    ``ecdsa-
       sha2-nistp384'',  ``ecdsa-sha2-nistp521'', ``ssh-ed25519'', ``ssh-dss''
       or ``ssh-rsa''.


       Print the rsa host key for machine hostname :

       $ ssh-keyscan hostname

       Find all hosts from the file ssh_hosts which have new or different keys
       from those in the sorted file ssh_known_hosts:

       $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \
            sort -u - ssh_known_hosts | diff ssh_known_hosts -

       See attributes(5) for descriptions of the following attributes:

       |Availability   | network/openssh          |
       |Stability      | Pass-through uncommitted |
       ssh(1), sshd(1M)


       David Mazieres <Mt dm@lcs.mit.edu> wrote the initial version, and

       Wayne  Davison <Mt wayned@users.sourceforge.net> added support for pro-
       tocol version 2.

       It generates "Connection closed by remote host" messages  on  the  con-
       soles  of all the machines it scans if the server is older than version
       2.9.  This is because it opens a connection to the ssh port, reads  the
       public key, and drops the connection as soon as it gets the key.

       This     software     was    built    from    source    available    at
       https://java.net/projects/solaris-userland.   The  original   community
       source    was   downloaded   from    http://mirrors.sonic.net/pub/Open-

       Further information about this software can be found on the open source
       community website at http://www.openssh.org/.

                               November 8 2015                  SSH-KEYSCAN(1)