ssh-keyscan [-v46] [-p port]  [-T  timeout]  [-t  type]  [-f
file]
                 [host | addrlist namelist] [...]

DESCRIPTION
     ssh-keyscan  is  a utility for gathering the public ssh host
keys of a num-
     ber of hosts.  It was designed to aid in building and  veri-
fying
     ssh_known_hosts  files.   ssh-keyscan provides a minimal in-
terface suitable
     for use by shell and perl scripts.

     ssh-keyscan uses non-blocking socket I/O to contact as  many
hosts as pos-
     sible in parallel, so it is very efficient.  The keys from a
domain of
     1,000 hosts can be collected in tens of seconds,  even  when
some of those
     hosts  are  down  or do not run ssh.  For scanning, one does
not need login
     access to the machines that are being scanned, nor does  the
scanning pro-
     cess involve any encryption.

     The options are as follows:

     -p port
             Port to connect to on the remote host.

     -T timeout
             Set the timeout for connection attempts.  If timeout
seconds have
             elapsed since a connection was initiated to  a  host
or since the
             last time anything was read from that host, then the
connection
             is closed and the host in  question  considered  un-
available.  De-
             fault is 5 seconds.

     -t type
             Specifies  the  type  of  the  key to fetch from the
scanned hosts.
             The possible values are ``rsa1'' for  protocol  ver-
sion 1 and
             ``rsa'' or ``dsa'' for protocol version 2.  Multiple
values may
             be specified by separating them  with  commas.   The
default is
             ``rsa1''.

     -6      Forces ssh-keyscan to use IPv6 addresses only.

SECURITY
     If  a  ssh_known_hosts file is constructed using ssh-keyscan
without veri-
     fying the keys, users will be vulnerable to attacks.  On the
other hand,
     if  the  security  model allows such a risk, ssh-keyscan can
help in the de-
     tection of tampered keyfiles or man in  the  middle  attacks
which have be-
     gun after the ssh_known_hosts file was created.

FILES
     Input format:

     1.2.3.4,1.2.4.4                 name.my.domain,name,n.my.do-
main,n,1.2.3.4,1.2.4.4

     Output format for rsa1 keys:

     host-or-namelist bits exponent modulus

     Output format for rsa and dsa keys:

     host-or-namelist keytype base64-encoded-key

     Where keytype is either ``ssh-rsa'' or ``ssh-dss''.

     /etc/ssh/ssh_known_hosts

EXAMPLES
     Print the rsa1 host key for machine hostname:

     $ ssh-keyscan hostname

     Find all hosts from the file ssh_hosts  which  have  new  or
different keys
     from those in the sorted file ssh_known_hosts:

     $ ssh-keyscan -t rsa,dsa -f ssh_hosts |              sort -u
- ssh_known_hosts | diff ssh_known_hosts -

SEE ALSO
     ssh(1), sshd(8)

AUTHORS
     David Mazieres <dm@lcs.mit.edu> wrote the  initial  version,
and
     Wayne  Davison  <wayned@users.sourceforge.net> added support
for protocol
     version 2.