ssh-keyscan
Obtain a server's public SSH key
TLDR
Retrieve all public SSH keys of a remote host
Retrieve all public SSH keys of a remote host listening on a specific port
Retrieve certain types of public SSH keys of a remote host
Manually update the SSH known_hosts file with the fingerprint of a given host
SYNOPSIS
ssh-keyscan [-46cHv] [-f file] [-p port] [-T timeout] [-t type] [host | addrlist namelist] ...
PARAMETERS
-4
Force ssh-keyscan to use IPv4 addresses only.
-6
Force ssh-keyscan to use IPv6 addresses only.
-c
Request certificates from the target hosts instead of plain host keys and print them. Requires OpenSSH 5.6 or greater.
-H
Hash all hostnames and addresses in the output (the |1|salt|hash form). Hashed entries are used normally by ssh and sshd, but they do not reveal which hosts you connect to should the known_hosts file be disclosed.
-v
Verbose mode. Causes ssh-keyscan to print debugging messages about its progress.
-f file
Read hostnames or addresses from file, one per line, instead of the command line. Each line may be a single host or an addrlist namelist pair. If file is -, read from standard input.
-p port
Connect to port on the remote host(s). The default is 22.
-T timeout
Set the timeout (in seconds) for connection attempts. If timeout seconds pass after a connection is initiated, or since anything was last read from the host, the connection is closed and the host is reported as unavailable. The default is 5 seconds.
-t type
Specify the type of key to fetch from the scanned hosts (e.g., rsa, dsa, ecdsa, ed25519). Multiple types may be given as a comma-separated list, such as -t rsa,ecdsa,ed25519. By default every supported type is requested.
hostname | address
The hostname or IP address of the server to scan. Several hosts may be listed. A host may also be written as addrlist namelist, where addrlist is a comma-separated list of addresses and namelist a comma-separated list of names for them, so that a single scan produces entries for every alias.
DESCRIPTION
The ssh-keyscan command gathers the public SSH host keys from one or more servers. It connects to each specified host and port, completes only the initial key exchange (no login or credentials are needed), and prints the host keys it receives. The output is in known_hosts format, so it can be used to pre-populate a client's known_hosts file; once a correct entry is present, ssh will refuse to connect to an impostor presenting a different key, which is what defeats a 'man-in-the-middle' attack. Note that ssh-keyscan performs no verification of its own: it prints whatever key the peer offers, and it cannot tell a legitimate server from one that has been substituted on the network path. It supports the usual key types, including RSA, DSA, ECDSA, and Ed25519, and because it contacts hosts in parallel with non-blocking I/O it scans large host lists quickly, which makes it useful for automating SSH host key management.
Use with caution on untrusted networks: the result is only as trustworthy as the path between you and the server at the moment of the scan.
CAVEATS
The output of ssh-keyscan should be verified before being added to the known_hosts file, especially if the command is run across an untrusted network. A key fetched through an attacker-controlled path is the attacker's key, so appending the scan result in a single step (ssh-keyscan host >> ~/.ssh/known_hosts) does not remove the trust-on-first-use decision; it only moves it out of sight. Accepting a key without verification opens the potential for a 'man-in-the-middle' attack.
OUTPUT FORMAT
The output of ssh-keyscan is designed to be directly appended to a user's ~/.ssh/known_hosts file or the system-wide /etc/ssh/ssh_known_hosts file. Each key line, written to standard output, contains the hostname (or, with -H, a hashed host field), the key type, and the base64-encoded public key blob, separated by single spaces; when a non-default port was used the host is written as [hostname]:port. Banner comments of the form # hostname:port SSH-2.0-... are written to standard error, so only key lines reach a redirected file.
SECURITY CONSIDERATIONS
Always verify the fingerprint of the obtained key against a trusted, out-of-band source before adding it to your known_hosts file: a fingerprint read from the server's console, recorded by the provisioning system that generated the host key, or published in DNSSEC-signed SSHFP records. To compare, save the scanned line to a file and run ssh-keygen -lf on it; the SHA256 fingerprint it prints must match the trusted value exactly. Blindly accepting keys from ssh-keyscan without verification can compromise your security.
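The verification step described above, as an added example (Python, not part of OpenSSH or of this page): it parses a line in the format ssh-keyscan writes, computes the same SHA256 fingerprint that ssh-keygen -lf prints, refuses to emit a known_hosts entry unless that fingerprint equals one obtained out of band, and reproduces the hashed host field that -H writes (|1|salt|HMAC-SHA1). The hostname example.com, the sample line and the host key are constructed for the example; the key is 32 dummy bytes, not a real server's key.

```python
"""Verify ssh-keyscan output offline before trusting it.

Added example, not part of OpenSSH or of the original page. The sample
scan line below is constructed from a dummy Ed25519 key (32 counting
bytes), not a real host key.
"""
import base64
import hashlib
import hmac
import os
import struct
from typing import NamedTuple, Optional


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


class HostKey(NamedTuple):
    hostname: str   # host field exactly as written (may be hashed or [host]:port)
    key_type: str   # e.g. ssh-ed25519
    blob: bytes     # decoded public key blob


def parse_keyscan_line(line: str) -> Optional[HostKey]:
    """Parse one known_hosts-format line; return None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"malformed known_hosts line: {line!r}")
    hostname, key_type, key_b64 = fields[0], fields[1], fields[2]
    blob = base64.b64decode(key_b64, validate=True)
    # The blob starts with its own type string; it must agree with field 2.
    (inner_len,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + inner_len].decode()
    if inner_type != key_type:
        raise ValueError(f"key type mismatch: {key_type} vs {inner_type}")
    return HostKey(hostname, key_type, blob)


def sha256_fingerprint(key: HostKey) -> str:
    """Fingerprint as ssh-keygen -l prints it: SHA256 of the blob, base64, no padding."""
    digest = hashlib.sha256(key.blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_matches(key: HostKey, trusted: str) -> bool:
    """Constant-time comparison against a fingerprint learned out of band."""
    return hmac.compare_digest(sha256_fingerprint(key), trusted)


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Produce the |1|salt|hash host field that ssh-keyscan -H writes.

    OpenSSH hashes with HMAC-SHA1 keyed by a random 20-byte salt over the name.
    """
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def hashed_host_matches(hashed_field: str, hostname: str) -> bool:
    """Check whether a hashed host field was produced from hostname (ssh does this on connect)."""
    marker, salt_b64, mac_b64 = hashed_field.split("|")[1:]
    if marker != "1":
        raise ValueError("unknown known_hosts hash marker")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(mac_b64)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)


def verify_and_format(line: str, trusted_fingerprint: str, hashed: bool = False) -> Optional[str]:
    """Return a known_hosts line only if the scanned key matches the trusted fingerprint."""
    key = parse_keyscan_line(line)
    if key is None or not fingerprint_matches(key, trusted_fingerprint):
        return None
    host = hash_hostname(key.hostname) if hashed else key.hostname
    return f"{host} {key.key_type} {base64.b64encode(key.blob).decode()}"


# Constructed sample: what `ssh-keyscan -t ed25519 example.com` could print,
# built from a dummy key so the example runs offline.
DUMMY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "example.com ssh-ed25519 " + base64.b64encode(DUMMY_BLOB).decode()

if __name__ == "__main__":
    key = parse_keyscan_line(SAMPLE_LINE)
    trusted = sha256_fingerprint(key)   # in practice: read from console/provisioning, not computed here
    print("scanned fingerprint:", trusted)
    print("accepted (hashed):  ", verify_and_format(SAMPLE_LINE, trusted, hashed=True))
    print("rejected:           ", verify_and_format(SAMPLE_LINE, "SHA256:" + "A" * 43))
```

In real use the trusted fingerprint comes from outside the scan (console, provisioning records, signed SSHFP), never from the scanned line itself; the main block computes it only so the example is self-contained. Lines that pass verify_and_format can be appended to known_hosts; lines that return None should be investigated, not retried until they pass.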
HISTORY
ssh-keyscan was developed as part of the OpenSSH suite. It was created to automate the process of collecting SSH host keys, making it easier to manage SSH connections securely. Its usage has grown with the increasing adoption of SSH for secure remote access and system administration. Over time, features have been added to enhance its flexibility and security.
SEE ALSO
ssh(1), ssh-keygen(1), known_hosts(5)