LinuxCommandLibrary

ssh-keyscan

Obtain a server's public SSH key

TLDR

Retrieve all public SSH keys of a remote host

$ ssh-keyscan [host]

Retrieve all public SSH keys of a remote host listening on a specific port

$ ssh-keyscan -p [port] [host]

Retrieve certain types of public SSH keys of a remote host

$ ssh-keyscan -t [rsa,dsa,ecdsa,ed25519] [host]

Add the host keys of a given host to the known_hosts file with the hostname hashed (verify the keys out-of-band first; see SECURITY CONSIDERATIONS)

$ ssh-keyscan -H [host] >> ~/.ssh/known_hosts

SYNOPSIS

ssh-keyscan [-46cDHv] [-f file] [-p port] [-T timeout] [-t type] [host | addrlist namelist]

PARAMETERS

-4
    Force ssh-keyscan to use IPv4 addresses only.

-6
    Force ssh-keyscan to use IPv6 addresses only.

-c
    Request certificates from the target hosts instead of plain keys (for hosts that present CA-signed host certificates).

-D
    Print the keys found as SSHFP DNS resource records instead of known_hosts lines.

-H
    Hash all hostnames and addresses in the output. Hashed entries are used normally by ssh and sshd, but they do not reveal which hosts you connect to if the file is disclosed. Hashing is not a verification step.

-v
    Verbose mode. Print debugging messages about the scan's progress.

-f file
    Read hosts, or "addrlist namelist" pairs, from file, one per line. If - is given instead of a filename, read from standard input. Hosts may also be given on the command line.

-p port
    Connect to port on the remote hosts instead of the default, 22.

-T timeout
    Timeout in seconds for each connection. If timeout seconds pass since the connection was initiated, or since data was last read from the host, the connection is closed and the host is treated as unavailable. The default is 5.

-t type
    Key type(s) to fetch: rsa, ecdsa, ed25519 or dsa, separated by commas. The default is rsa, ecdsa and ed25519. ssh-dss (dsa) has been disabled by default in OpenSSH since 7.0 and has been removed from recent releases.

host | addrlist namelist
    The hostname or address to scan, or a comma-separated list of addresses followed by a whitespace-separated list of names to report them under.

DESCRIPTION

ssh-keyscan gathers the public SSH host keys of one or more hosts. It connects to each host and port, completes just enough of the SSH handshake to read the host key the server offers, and prints it in known_hosts format. It needs no login access to the scanned machines, performs no authentication, and does not verify the keys it receives: whatever is on the other end of the TCP connection at scan time is what gets recorded. It supports RSA, ECDSA and Ed25519 host keys (and DSA on older releases), and it is commonly used to pre-populate ~/.ssh/known_hosts or /etc/ssh/ssh_known_hosts so that later ssh connections are checked against a pinned key instead of prompting on first use.
That protection is only as good as the scan itself: on an untrusted network an attacker interposed during the scan can hand you their own key, which ssh will then trust for every later connection. Confirm the fingerprints against a source you trust before installing the output.

CAVEATS

The output of ssh-keyscan must be verified before it is added to a known_hosts file, especially when the scan is run over an untrusted network. Accepting an unverified key does not prevent a man-in-the-middle attack; it merely makes the attacker's key the one your client trusts from then on.

OUTPUT FORMAT

Output is written to standard output in a format that can be appended directly to ~/.ssh/known_hosts or /etc/ssh/ssh_known_hosts: each line is the host field, the key type (e.g. ssh-ed25519, ecdsa-sha2-nistp256, ssh-rsa) and the base64-encoded public key, separated by spaces. The host field is the name or address as scanned, [host]:port when a non-default port was used, or |1|salt|hash when -H was given. A comment line per host ("# host:port SSH-2.0-...") carrying the server's version banner goes to standard error, so redirecting only stdout keeps the file clean.

SECURITY CONSIDERATIONS

Before adding a scanned key to known_hosts, compare its fingerprint (ssh-keygen -lf on the saved output) with one obtained through a channel the network cannot tamper with: the host's own public key file read from its console or provisioning system, a value published by the operator, or a phone call to the administrator. Where hosts carry CA-signed host certificates, trusting the CA (an @cert-authority line in known_hosts) removes the need to pin individual keys. Hashing with -H hides hostnames in the file but verifies nothing. Blindly appending ssh-keyscan output turns a trust-on-first-use prompt into silent trust in whatever key arrived during the scan.
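The pinning workflow that the last TLDR command sketches and this section describes, as an added example (it is not part of the page or of OpenSSH): scan with hashed names, show the fingerprints for a human check, and append to known_hosts only after every scanned key matches a copy of the host's public key file obtained out-of-band (for instance /etc/ssh/ssh_host_ed25519_key.pub read over the console). An empty scan, as from an unreachable host, is treated as a failure rather than a silent success. The hostnames, key blobs and hashes are constructed placeholders; the live scan function needs network access and is not exercised by the demo.

```shell
#!/bin/sh
# Added example for this page (not OpenSSH's own code): pin a host key from
# ssh-keyscan output only after it matches a copy obtained out-of-band, e.g.
# the host's /etc/ssh/ssh_host_ed25519_key.pub read over its console.
# All hostnames, key blobs and hashes below are constructed placeholders.
set -eu

# Live scan (needs network; not run by the demo): one key type, hashed names,
# 3 s per-host timeout. ssh-keyscan's "# host:port SSH-2.0-..." banner
# comments go to stderr, so stdout holds only known_hosts lines.
scan_host() {                       # usage: scan_host HOST [PORT] > scan.txt
    ssh-keyscan -H -T 3 -t ed25519 -p "${2:-22}" "$1" 2>/dev/null
}

# Human step: print SHA256 fingerprints of the scanned lines to read back
# against the server console. ssh-keygen -l accepts known_hosts-format files.
show_fingerprints() {               # usage: show_fingerprints scan.txt
    command -v ssh-keygen >/dev/null || { echo "ssh-keygen not found" >&2; return 1; }
    ssh-keygen -lf "$1"
}

# verify_scan SCAN_FILE TRUSTED_PUB: 0 if every key line in SCAN_FILE
# (type + base64 blob) appears in TRUSTED_PUB, 1 otherwise. Blank and
# comment lines are skipped; the host field (plain, [host]:port or
# |1|salt|hash) is ignored because only the key material is compared.
# An empty scan yields 1 so an unreachable host cannot "pass".
verify_scan() {
    vs_scan="$1"; vs_trusted="$2"; vs_ok=1; vs_seen=0
    while IFS= read -r vs_line; do
        case "$vs_line" in ''|'#'*) continue ;; esac
        set -- $vs_line                 # host type blob [comment]
        if [ $# -lt 3 ]; then
            echo "malformed scan line: $vs_line" >&2; vs_ok=0; continue
        fi
        vs_seen=1
        if ! awk -v t="$2" -v b="$3" '$1==t && $2==b {f=1} END {exit !f}' "$vs_trusted"; then
            echo "MISMATCH for $1 ($2): key not in $vs_trusted, refusing to pin" >&2
            vs_ok=0
        fi
    done <"$vs_scan"
    [ "$vs_seen" -eq 1 ] && [ "$vs_ok" -eq 1 ]
}

# pin_host SCAN_FILE TRUSTED_PUB KNOWN_HOSTS: append only verified lines.
pin_host() {
    verify_scan "$1" "$2" || return 1
    grep -v '^#' "$1" >>"$3"
}

# Constructed sample data: a hashed scan line, the matching out-of-band copy
# of the host key, and a different key standing in for an interposed attacker.
SAMPLE_SCAN='|1|c2FsdHNhbHRzYWx0c2FsdHNhbHQ=|aGFzaGhhc2hoYXNoaGFzaGhhc2g= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBLOBPLACEHOLDERKEYBLOBPLACE'
TRUSTED_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBLOBPLACEHOLDERKEYBLOBPLACE root@bastion.example.test'
ROGUE_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIROGUEKEYBLOBROGUEKEYBLOBROGUEKEYBLOBROGUEKEY mitm'

# demo: the rogue copy must be rejected and the trusted copy pinned exactly
# once; prints the number of pinned lines (1) and returns 0 on success.
demo() {
    d_dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_SCAN" >"$d_dir/scan"
    printf '%s\n' "$TRUSTED_PUB" >"$d_dir/trusted.pub"
    printf '%s\n' "$ROGUE_PUB" >"$d_dir/rogue.pub"
    : >"$d_dir/known_hosts"
    pin_host "$d_dir/scan" "$d_dir/rogue.pub" "$d_dir/known_hosts" 2>/dev/null && return 2
    pin_host "$d_dir/scan" "$d_dir/trusted.pub" "$d_dir/known_hosts" || return 3
    grep -c 'ssh-ed25519' "$d_dir/known_hosts"
    rm -rf "$d_dir"
}
```

In real use the sequence is `scan_host bastion.example.test > scan.txt`, `show_fingerprints scan.txt` against the console, then `pin_host scan.txt trusted.pub ~/.ssh/known_hosts`. Comparing the full key blob against the out-of-band copy is stricter than eyeballing a fingerprint, and the same check works for scan files covering many hosts if the trusted file holds one key line per host.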

HISTORY

ssh-keyscan ships with the OpenSSH suite. David Mazieres wrote the initial version, and Wayne Davison added support for SSH protocol version 2. It was created to automate collecting host keys so that known_hosts files can be built for many hosts at once, and it has gained options over time such as hashed output (-H), SSHFP records (-D) and host certificate retrieval (-c).

SEE ALSO

ssh(1), ssh-keygen(1), known_hosts(5)
