-.\" $OpenBSD: ssh-keyscan.1,v 1.40 2017/05/02 17:04:09 jmc Exp $
+.\" $OpenBSD: ssh-keyscan.1,v 1.41 2018/02/23 05:14:05 djm Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
.\" permitted provided that due credit is given to the author and the
.\" OpenBSD project by leaving this copyright notice intact.
.\"
-.Dd $Mdocdate: May 2 2017 $
+.Dd $Mdocdate: February 23 2018 $
.Dt SSH-KEYSCAN 1
.Os
.Sh NAME
.Sh SYNOPSIS
.Nm ssh-keyscan
.Bk -words
-.Op Fl 46cHv
+.Op Fl 46cDHv
.Op Fl f Ar file
.Op Fl p Ar port
.Op Fl T Ar timeout
to use IPv6 addresses only.
.It Fl c
Request certificates from target hosts instead of plain keys.
+.It Fl D
+Print keys found as SSHFP DNS records.
+The default is to print keys in a format usable as a
+.Xr ssh 1
+.Pa known_hosts
+file.
.It Fl f Ar file
Read hosts or
.Dq addrlist namelist
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr sshd 8
+.%R RFC 4255
+.%T "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints"
+.%D 2006
+.Re
.Sh AUTHORS
.An -nosplit
.An David Mazieres Aq Mt dm@lcs.mit.edu
-/* $OpenBSD: ssh-keyscan.c,v 1.116 2017/11/25 06:46:22 dtucker Exp $ */
+/* $OpenBSD: ssh-keyscan.c,v 1.117 2018/02/23 05:14:05 djm Exp $ */
/*
* Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
*
#include "hostfile.h"
#include "ssherr.h"
#include "ssh_api.h"
+#include "dns.h"
/* Flag indicating whether IPv4 or IPv6. This can be set on the command line.
Default value is AF_UNSPEC means both IPv4 and IPv6. */
int hash_hosts = 0; /* Hash hostname on output */
+int print_sshfp = 0; /* Print SSHFP records instead of known_hosts */
+
#define MAXMAXFD 256
/* The number of seconds after which to give up on a TCP connection */
char *hostport;
const char *known_host, *hashed;
+ if (print_sshfp) {
+ export_dns_rr(host, key, stdout, 0);
+ return;
+ }
+
hostport = put_host_port(host, ssh_port);
lowercase(hostport);
if (hash_hosts && (hashed = host_hash(host, NULL, 0)) == NULL)
confree(s);
return;
}
- fprintf(stderr, "# %s:%d %s\n", c->c_name, ssh_port, chop(buf));
+ fprintf(stderr, "%c %s:%d %s\n", print_sshfp ? ';' : '#',
+ c->c_name, ssh_port, chop(buf));
keygrab_ssh2(c);
confree(s);
}
usage(void)
{
fprintf(stderr,
- "usage: %s [-46cHv] [-f file] [-p port] [-T timeout] [-t type]\n"
+ "usage: %s [-46cDHv] [-f file] [-p port] [-T timeout] [-t type]\n"
"\t\t [host | addrlist namelist] ...\n",
__progname);
exit(1);
if (argc <= 1)
usage();
- while ((opt = getopt(argc, argv, "cHv46p:T:t:f:")) != -1) {
+ while ((opt = getopt(argc, argv, "cDHv46p:T:t:f:")) != -1) {
switch (opt) {
case 'H':
hash_hosts = 1;
case 'c':
get_cert = 1;
break;
+ case 'D':
+ print_sshfp = 1;
+ break;
case 'p':
ssh_port = a2port(optarg);
if (ssh_port <= 0) {
-# $OpenBSD: Makefile,v 1.11 2018/01/08 15:37:28 markus Exp $
+# $OpenBSD: Makefile,v 1.12 2018/02/23 05:14:05 djm Exp $
.PATH: ${.CURDIR}/..
SRCS= ssh-keyscan.c
-SRCS+= atomicio.c cleanup.c compat.c hostfile.c ssh_api.c
+SRCS+= atomicio.c cleanup.c compat.c hostfile.c ssh_api.c dns.c
SRCS+= ${SRCS_BASE} ${SRCS_KEX} ${SRCS_KEXC} ${SRCS_KEXS} ${SRCS_KEY} \
${SRCS_PKT} ${SRCS_UTL}
PROG= ssh-keyscan
projects / openbsd / commitdiff