Linux "ssh-keyscan" Command Line Options and Examples
gather ssh public keys
ssh-keyscan is a utility for gathering the public ssh host keys of a number of hosts. It was designed to aid in building and verifying ssh_known_hosts files. ssh-keyscan provides a minimal interface suitable for use by shell and perl scripts.
ssh-keyscan [-46cHv] [-f file] [-p port] [-T timeout] [-t type] [host | addrlist namelist] ...
Command Line Options:
Forces ssh-keyscan to use IPv4 addresses only.
ssh-keyscan -4 ...
Forces ssh-keyscan to use IPv6 addresses only.
ssh-keyscan -6 ...
Request certificates from target hosts instead of plain keys.
ssh-keyscan -c ...
Read hosts or “addrlist namelist” pairs from file, one per line. If - is supplied instead of a file‐name, ssh-keyscan will read hosts or “addrlist namelist” pairs from the standard input.
ssh-keyscan -f ...
Port to connect to on the remote host.
ssh-keyscan -p ...
Set the timeout for connection attempts. If timeout seconds have elapsed since a connection was initi‐ated to a host or since the last time anything was read from that host, then the connection is closedand the host in question considered unavailable. Default is 5 seconds.
ssh-keyscan -T ...
Specifies the type of the key to fetch from the scanned hosts. The possible values are “dsa”, “ecdsa”,“ed25519”, or “rsa”. Multiple values may be specified by separating them with commas. The default isto fetch “rsa”, “ecdsa”, and “ed25519” keys.
ssh-keyscan -t ...
SECURITYIf an ssh_known_hosts file is constructed using ssh-keyscan without verifying the keys, users will be vulnerableto man in the middle attacks. On the other hand, if the security model allows such a risk, ssh-keyscan can helpin the detection of tampered keyfiles or man in the middle attacks which have begun after the ssh_known_hostsfile was created.FILESInput format:220.127.116.11,18.104.22.168 name.my.domain,name,n.my.domain,n,22.214.171.124,126.96.36.199Output format for RSA, DSA, ECDSA, and Ed25519 keys:host-or-namelist keytype base64-encoded-keyWhere keytype is either “ecdsa-sha2-nistp256”, “ecdsa-sha2-nistp384”, “ecdsa-sha2-nistp521”, “ssh-ed25519”,“ssh-dss” or “ssh-rsa”./etc/ssh/ssh_known_hostsEXAMPLESPrint the rsa host key for machine hostname:$ ssh-keyscan hostnameFind all hosts from the file ssh_hosts which have new or different keys from those in the sorted filessh_known_hosts:$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \sort -u - ssh_known_hosts | diff ssh_known_hosts -
ssh-keyscan -v ...