ssh-keyscan
Obtain a server's public SSH key
TLDR
Retrieve all public SSH keys of a remote host
Retrieve all public SSH keys of a remote host listening on a specific port
Retrieve certain types of public SSH keys of a remote host
Manually update the SSH known_hosts file with the fingerprint of a given host
SYNOPSIS
ssh-keyscan [options] [host ...]
ssh-keyscan -f file [options]
PARAMETERS
-H
Hash all hostnames and IP addresses in the output. This is useful for privacy, as it prevents hostnames and IP addresses from being directly visible in the known_hosts file.
-p port
Connect to port on the remote host instead of the default SSH port (22).
-T timeout
Set the timeout for connection attempts in seconds. If a host does not respond within this time, it is skipped. The default timeout is 5 seconds.
-t type
Specify the type of public key to fetch. Supported types include rsa, dsa, ecdsa, and ed25519. Multiple types can be specified as a comma-separated list (e.g., -t rsa,ed25519).
-f file
Read hosts or host:port pairs from file, one per line. This is useful for scanning a large number of hosts efficiently.
-v
Verbose mode. Print debugging messages about the connection and key collection process.
DESCRIPTION
ssh-keyscan is a utility for collecting the public SSH host keys of remote servers. It queries hosts, retrieves their public keys, and outputs them in a format suitable for known_hosts files.
This tool is primarily used to build or update known_hosts files automatically, which helps in preventing "man-in-the-middle" attacks by ensuring that when an SSH client connects to a server, it can verify the server's identity against its stored key. It can scan multiple hosts concurrently and supports various key types, making it efficient for managing SSH host keys across numerous machines.
CAVEATS
Security Risk: While useful for building known_hosts, ssh-keyscan itself does not verify the authenticity of the keys it fetches: an attacker in a man-in-the-middle (MITM) position could supply a forged host key, and ssh-keyscan would record it like any other. It is best used over trusted networks, or to fetch keys from hosts whose identity has already been established through other secure means.
DNS Spoofing: If DNS resolution is compromised, ssh-keyscan could connect to the wrong host and retrieve its key, potentially leading to a false sense of security or a valid but incorrect entry in known_hosts.
Not for Verification: This tool collects keys; it does not verify that an existing known_hosts entry is correct. Runtime verification is performed by the SSH client when it connects.
USAGE WITH KNOWN_HOSTS
The output of ssh-keyscan can be appended directly to your ~/.ssh/known_hosts file (e.g., ssh-keyscan example.com >> ~/.ssh/known_hosts) to record the host's public key. This prevents the "Are you sure you want to continue connecting (yes/no/[fingerprint])?" prompt on the first connection, streamlining automated scripts and the user experience.
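The caveats above say ssh-keyscan records whatever key it is handed, so a practitioner appends its output only after checking each key's fingerprint against one obtained out of band (for example, from the server's console with ssh-keygen -lf). The following is an added example, not part of OpenSSH or of this page: it parses ssh-keyscan output, computes the SHA256 fingerprint the way ssh-keygen -lf prints it, keeps only keys matching a dictionary of out-of-band fingerprints, and can write the hashed host field that -H produces. The host example.test and its key are constructed placeholders.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample of the line `ssh-keyscan -t ed25519 example.test` would print.
# The key is a synthetic wire-format ssh-ed25519 blob (32 placeholder bytes),
# not a real host's key; example.test is a hypothetical host.
def _ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b

_FAKE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_SCAN = "example.test ssh-ed25519 " + base64.b64encode(_FAKE_BLOB).decode() + "\n"

def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf` (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hash_hostname(host: str, salt: bytes = b"") -> str:
    """Hashed host field as written by `ssh-keyscan -H`: |1|salt|HMAC-SHA1(salt, host)."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def hashed_entry_matches(entry_host: str, host: str) -> bool:
    """Check a |1|salt|hash field against a plain hostname, as ssh does on connect."""
    parts = entry_host.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    salt = base64.b64decode(parts[2])
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, base64.b64decode(parts[3]))

def verified_known_hosts(scan_output: str, expected: dict, hash_names: bool = False):
    """Keep only scanned keys whose fingerprint equals expected[(host, keytype)], the
    value obtained out of band. Returns (known_hosts_lines, rejected (host, type, fp))."""
    accepted, rejected = [], []
    for line in scan_output.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, ktype, key_b64 = line.split()[:3]   # host is "[name]:port" when -p was used
        fp = fingerprint(key_b64)
        if expected.get((host, ktype)) != fp:
            rejected.append((host, ktype, fp))
            continue
        name = hash_hostname(host) if hash_names else host
        accepted.append(f"{name} {ktype} {key_b64}")
    return accepted, rejected
```

Only the accepted lines should be appended to ~/.ssh/known_hosts; anything in the rejected list is a key that did not match what the host's owner published and warrants investigation rather than trust.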
SCANNING MULTIPLE HOSTS
You can specify multiple hosts on the command line (e.g., ssh-keyscan host1 host2 host3) or use the -f option to read a list of hosts from a file, making it efficient for bulk operations or for managing host keys across an entire infrastructure.
HISTORY
ssh-keyscan is an integral part of the OpenSSH suite, which has been widely adopted as the de facto standard for secure remote access since its first release in 1999. It evolved to address the need for automated collection of host keys, simplifying the management of known_hosts files, especially in environments with many servers. Its functionality has remained largely consistent, adapting to new key types (like ECDSA and Ed25519) as they gained prominence within the SSH protocol.
SEE ALSO
ssh(1), sshd(8), ssh-keygen(1), known_hosts(5)