make-ssh-known-hosts (1)
  (Solaris man: user-level commands and application programs)

    NAME
          make-ssh-known-hosts - make ssh_known_hosts file from DNS data
    
    SYNOPSIS
         make-ssh-known-hosts
              [--initialdns initial_dns]
              [--server domain_name_server]
              [--subdomains comma_separated_list_of_subdomains]
              [--debug debug_level]
              [--timeout ssh_exec_timeout]
              [--pingtimeout ping_timeout]
              [--passwordtimeout timeout_when_asking_password]
              [--notrustdaemon]
              [--norecursive]
              [--domainnamesplit]
              [--silent]
              [--keyscan]
              [--nslookup path_to_nslookup_program]
              [--ssh path_to_ssh_program]
              domain_name [take_regexp [remove_regexp]]
    
    
    DESCRIPTION
          make-ssh-known-hosts is a perl5 script that helps create the
          /etc/ssh_known_hosts file, which is used by ssh to contain
          the host keys of all publicly known hosts. Ssh does not
          normally permit login using rhosts or /etc/hosts.equiv
          authentication unless the server knows the client's host
          key.  In addition, the host keys are used to prevent
          man-in-the-middle attacks. That protection only covers
          hosts whose keys are in the file, and the file is only as
          trustworthy as the network was when the keys were collected.
    
         In addition to /etc/ssh_known_hosts, ssh also uses the
         $HOME/.ssh/known_hosts file.  This file, however, is
         intended to contain only those hosts that the particular
         user needs but are not in the global file.  It is intended
          that the /etc/ssh_known_hosts file be maintained by the
          system administrator, and periodically updated to contain
          the host keys for any new hosts.
    
         The make-ssh-known-hosts program finds all the hosts in a
         domain by making a DNS query to the master domain name
         server of the domain. The master domain name server is
         located by searching for the SOA record of the domain from
         the initial domain name server (which can be specified with
         the --initialdns option). The master domain name server can
         also be given directly with the --server option.
    
          After getting the hostname list, make-ssh-known-hosts tries
          to get the public key from every host in the domain. It
          first connects to the ssh port to check whether the host is
          alive, and if so, it tries to run the command cat
          /etc/ssh_host_key.pub on the remote machine using ssh.  If
          the command succeeds, it knows the remote machine has ssh
          installed properly; it then extracts the public key from
          the output and prints the /etc/ssh_known_hosts entry for it
          to STDOUT. Because make-ssh-known-hosts is usually run
          before the remote machines have an /etc/ssh_known_hosts
          file, you may have to use RSA authentication to get access
          to the hosts.
    
          If the command fails for some reason, it checks whether the
          ssh client nevertheless received the host's public key from
          the remote host in the initial dialog. If so, it prints an
          entry for that key; whether the entry is printed as a normal
          line or commented out is controlled by the --notrustdaemon
          option (see OPTIONS). Such a key was learned over the
          network from whatever answered on the ssh port, so verify
          it out of band before trusting it.
    
          Domain_name is the domain name for which the file is to be
          generated. By default make-ssh-known-hosts also extracts all
          subdomains of the domain (see --norecursive). Many sites
          will want to include several domains in their
          /etc/ssh_known_hosts file.  The entries for each domain
          should be extracted separately by running
          make-ssh-known-hosts once for each domain.  The results
          should then be combined to create the final file.
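          An added example of the combining step above, in Python; it
          is not part of this manual or of the ssh distribution. It
          merges the output of several per-domain runs, sets aside
          the entries the script commented out as untrusted, and
          flags names that appear with more than one key. The two run
          outputs are constructed sample data and the key columns are
          placeholders, not real key material; the name/key layout
          and the leading "#" convention follow the text above.

```python
# Constructed sample output of two per-domain runs (one for cs.hut.fi, one for
# tky.hut.fi). Each line has the comma-separated names, then the key as the
# script printed it; the key columns here are placeholders, not real keys. A
# leading "#" marks an entry the script did not trust (see --notrustdaemon).
RUN_CS = """\
alpha,alpha.cs,alpha.cs.hut.fi 1024 37 11111111
beta,beta.cs,beta.cs.hut.fi 1024 37 22222222
# gamma,gamma.cs,gamma.cs.hut.fi 1024 37 33333333
"""
RUN_TKY = """\
alpha,alpha.tky,alpha.tky.hut.fi 1024 37 99999999
beta,beta.tky,beta.tky.hut.fi 1024 37 22222222
"""


def parse_known_hosts(text):
    """Yield (trusted, names, key) for every non-empty line of a run's output."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        trusted = not line.startswith("#")
        body = line.lstrip("#").strip()
        names, _, key = body.partition(" ")
        yield trusted, [n for n in names.split(",") if n], key.strip()


def merge_runs(*runs):
    """Combine several runs into one known_hosts body.

    Returns (merged_lines, untrusted_names, conflicts):
      merged_lines    - the trusted entries, in input order
      untrusted_names - names whose entries were commented out and are left out
      conflicts       - name -> set of distinct keys, for every name that
                        appears with more than one key across the runs
    """
    keys_by_name = {}
    merged, untrusted = [], []
    for text in runs:
        for trusted, names, key in parse_known_hosts(text):
            if not trusted:
                untrusted.extend(names)
                continue
            for name in names:
                keys_by_name.setdefault(name, set()).add(key)
            merged.append(",".join(names) + " " + key)
    conflicts = {n: k for n, k in keys_by_name.items() if len(k) > 1}
    return merged, untrusted, conflicts


if __name__ == "__main__":
    merged, untrusted, conflicts = merge_runs(RUN_CS, RUN_TKY)
    print("\n".join(merged))
    print("untrusted:", untrusted)
    print("conflicting names:", sorted(conflicts))
```

          In the sample the bare alias "alpha" comes from the default
          per-host name splitting and collides across the two domains
          with different keys. Two keys under one name means either
          two machines sharing a short alias or a key that changed;
          resolve it by hand before installing the file, for instance
          by dropping the bare alias from one of the lines.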
    
          Take_regexp is a perl regular expression that matches the
          hosts to be taken from the domain. The data matched contains
          all the DNS records of the host in the form
          "fieldname=value". The fields are separated by newlines,
          and the perl match is made in multiline mode and is case
          insensitive. The multiline mode means that you can use a
          regexp like "^wks=.*telnet.*$" to match all hosts that have
          a WKS (well known services) field containing the value
          "telnet".

          Remove_regexp is similar, but hosts that match this regexp
          are not added (it can be used, for example, to filter out
          PCs and Macs using the hinfo field: "^hinfo=.*(mac|pc)").
    
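          An added example, in Python, of the take/remove filtering
          described above; it is not part of this manual or of the
          ssh distribution. The DNS data is a constructed sample (the
          field names and values are illustrative), rendered as the
          "fieldname=value" text the manual describes and matched
          with the same multiline, case-insensitive semantics.

```python
import re

# Constructed sample DNS data, one dict of "fieldname: value" per host, standing
# in for the records make-ssh-known-hosts collects from the master name server.
SAMPLE_RECORDS = {
    "alpha": {"a": "130.233.1.1", "hinfo": "SUN4 SunOS",
              "wks": "130.233.1.1 tcp smtp telnet ssh"},
    "beta":  {"a": "130.233.1.2", "hinfo": "PC Windows",
              "wks": "130.233.1.2 tcp telnet"},
    "gamma": {"a": "130.233.1.3", "hinfo": "Macintosh MacOS"},
    "delta": {"a": "130.233.1.4", "hinfo": "SUN4 SunOS",
              "wks": "130.233.1.4 tcp smtp"},
}


def record_text(fields):
    """Render one host's DNS data as newline-separated "fieldname=value" lines,
    the text the take and remove regexps are matched against."""
    return "\n".join(f"{name}={value}" for name, value in fields.items())


def select_hosts(records, take_regexp=None, remove_regexp=None):
    """Return the host names that pass the take/remove filters, sorted.

    Both patterns are applied with the perl semantics the manual describes:
    multiline mode (^ and $ match at line boundaries) and case insensitive,
    as an unanchored search over the whole record text.
    """
    flags = re.MULTILINE | re.IGNORECASE
    take = re.compile(take_regexp, flags) if take_regexp else None
    remove = re.compile(remove_regexp, flags) if remove_regexp else None
    chosen = []
    for host, fields in sorted(records.items()):
        text = record_text(fields)
        if take is not None and not take.search(text):
            continue          # take_regexp given and the host does not match it
        if remove is not None and remove.search(text):
            continue          # remove_regexp wins even if take_regexp matched
        chosen.append(host)
    return chosen


if __name__ == "__main__":
    print(select_hosts(SAMPLE_RECORDS, r"^wks=.*telnet.*$"))
    print(select_hosts(SAMPLE_RECORDS, r"^wks=.*telnet.*$", r"^hinfo=.*(mac|pc)"))
```

          Because the match is a search over the whole record text,
          a pattern without "^" can match inside any field; anchor
          the field name as in the manual's examples when the intent
          is to test one specific record type.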
    
    OPTIONS
         --initialdns initial_dns
    
         -i initial_dns
              Set the initial domain name server used to query the
              SOA record of the domain.
    
    
         --server domain_name_server
    
         -se domain_name_server
              Set the master domain name server of the domain. This
              host is used to query the DNS list of the domain.
    
    
         --subdomains subdomainlist
         -su subdomainlist
               Comma separated list of subdomains that are added to
               hostnames. For example, if subdomainlist is ",foo,
               foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi" then when
               host foobar is added to the /etc/ssh_known_hosts file
               it has the aliases "foobar, foobar.foo, foobar.foo.bar,
               foobar.foo.bar.zappa, foobar.foo.bar.zappa.hut.fi". The
               default action is to take all subparts of the host name
               except the second last, on a host-by-host basis.  (The
               last element is usually the country code, and something
               like foobar.foo.bar.zappa.hut would not make sense.)
    
    
         --debug debug_level
    
         -de debug_level
              Set the debug level. Default is 5, bigger values give
              more output.  Using a big value (like 999) will print
              lots of debugging output.
    
    
         --timeout ssh_exec_timeout
    
         -ti ssh_exec_timeout
              Timeout when executing ssh command.  The default is 60
              seconds.
    
    
         --pingtimeout ping_timeout
    
         -pi ping_timeout
              Timeout when trying to ping the ssh port.  The default
              is 3 seconds.
    
    
         --passwordtimeout timeout_when_asking_password
    
         -pa timeout_when_asking_password
              Timeout when asking password for ssh command. Default
              is that no passwords are queried. Use value 0 to have
              no timeout for password queries.
    
    
         --notrustdaemon
    
         -notr
               If the ssh command fails, use the public key stored in
               the local known hosts file and trust that it is the
               correct key for the host. If this option is not given,
               such entries are commented out in the generated
               /etc/ssh_known_hosts file. That key was learned over
               the network from whatever answered on the ssh port, so
               check it out of band before installing the file.
    
         --norecursive
    
         -nor Tell make-ssh-known-hosts that it should only extract
              keys for the given domain, and not to be recursive.
    
    
         --domainnamesplit
    
          -do  Split the domain name to get the list of subdomains. Use
               this option if you do not want the host name to be
               split into pieces automatically.  Default splitting is
               done on a host-by-host basis. If the domain is
               zappa.hut.fi and the host name is foo.bar, the default
               action adds the entries "foo, foo.bar, foo.bar.zappa,
               foo.bar.zappa.hut.fi", and this option adds the entries
               "foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi".
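          An added example, in Python, of the three alias rules
          described under --subdomains and --domainnamesplit, plus the
          "addrlist namelist" line that --keyscan emits for
          ssh-keyscan; it is not part of this manual or of the ssh
          distribution. The host names, domain and address are the
          manual's own examples or constructed values, and the rule
          "drop the second-last prefix" is applied in both splitting
          modes, as the two option texts show.

```python
def split_labels(name):
    """DNS labels of a name, ignoring empty labels and a trailing dot."""
    return [label for label in name.strip(".").split(".") if label]


def host_aliases(host, domain, subdomains=None, domainnamesplit=False):
    """Names written in front of a host's key in the generated known_hosts line.

    host            - the host name as found in the DNS data (may contain dots)
    domain          - the domain_name argument the script was run for
    subdomains      - the --subdomains string (comma separated, "" = bare host);
                      when given, domain is not consulted
    domainnamesplit - the --domainnamesplit flag
    """
    if subdomains is not None:
        # --subdomains: append each listed suffix to the host name as given.
        aliases = []
        for suffix in subdomains.split(","):
            suffix = suffix.strip().strip(".")
            aliases.append(host if not suffix else f"{host}.{suffix}")
        return aliases
    host_labels = split_labels(host)
    fqdn = host_labels + split_labels(domain)
    n = len(fqdn)
    # Default: split at every label boundary of the full name. --domainnamesplit:
    # keep the host part whole and split only within the domain. Both modes drop
    # the second-last prefix (the one ending just before the country code).
    first = len(host_labels) if domainnamesplit else 1
    return [".".join(fqdn[:k]) for k in range(first, n + 1) if k != n - 1]


def keyscan_line(addresses, aliases):
    """One line of --keyscan output: "addrlist namelist", as ssh-keyscan -f reads it.

    The name list starts with the fully qualified name and the bare host name,
    then the addresses, then the remaining aliases, matching the layout in OPTIONS.
    """
    ordered = [aliases[-1], aliases[0], *addresses, *aliases[1:-1]]
    namelist, seen = [], set()
    for name in ordered:          # drop duplicates but keep first-seen order
        if name not in seen:
            seen.add(name)
            namelist.append(name)
    return ",".join(addresses) + " " + ",".join(namelist)


if __name__ == "__main__":
    # The manual's foo.bar in zappa.hut.fi example, in both splitting modes,
    # and a constructed address for the --keyscan line.
    print(host_aliases("foo.bar", "zappa.hut.fi"))
    print(host_aliases("foo.bar", "zappa.hut.fi", domainnamesplit=True))
    print(keyscan_line(["130.233.1.1"], host_aliases("foo.bar", "zappa.hut.fi")))
```

          Note that the default mode always emits the bare host name
          as an alias; when several domains are combined into one
          file, bare names from different domains can collide, so
          prefer --domainnamesplit or an explicit --subdomains list
          for a multi-domain file.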
    
    
         --silent
    
         -si  Be silent.
    
    
         --keyscan
    
          -k   Output a list of all hosts in the format
               "ipaddr1,ipaddr2,...ipaddrn
               hostname.domain.co,hostname,ipaddr1,ipaddr2,all_other_hostname_entries".
               The output of this can be fed to ssh-keyscan to fetch
               the keys.
    
    
         --nslookup path_to_nslookup_program
    
         -n path_to_nslookup_program
              Path to the nslookup program.
    
    
         --ssh path_to_ssh_program
    
         -ss path_to_ssh_program
              Path to the ssh program, including all options.
    
    
    EXAMPLES
          The following command:

               example# make-ssh-known-hosts cs.hut.fi > /etc/ssh_known_hosts

          finds all public keys of the hosts in the cs.hut.fi domain
          and puts them in the /etc/ssh_known_hosts file, splitting
          domain names on a per-host basis.
    
          The command

               example% make-ssh-known-hosts hut.fi '^wks=.*ssh' > hut-hosts

          finds all hosts in the hut.fi domain, and in its subdomains
          that have their own name server (cs.hut.fi, tf.hut.fi,
          tky.hut.fi), that have an ssh service, and puts their public
          keys in the hut-hosts file.  This would require that the
          domain name server of hut.fi lists an ssh entry in the WKS
          record of every host running ssh. Because nobody yet adds
          ssh to WKS, it would be better to use the command

               example% make-ssh-known-hosts hut.fi '^wks=.*telnet' > hut-hosts

          which takes the hosts that have a telnet service. This uses
          the default subdomain list.
    
    
          The command:

               example% make-ssh-known-hosts hut.fi 'dipoli.hut.fi' '^hinfo=.*(mac|pc)' > dipoli-hosts

          finds all hosts in the hut.fi domain that are in the
          dipoli.hut.fi subdomain (note that dipoli.hut.fi does not
          have its own name server, so its entries are on the hut.fi
          server) and that are not Macs or PCs.
    
    
    FILES
         /etc/ssh_known_hosts          Global host public key list
    
    
    SEE ALSO
         ssh(1), sshd(8), ssh-keygen(1), ping(8), nslookup(8),
         perl(1), perlre(1)
    
    
    AUTHOR
         Tero Kivinen <kivinen@hut.fi>
    
    
    COPYING
          Permission is granted to make and distribute verbatim copies
          of this manual provided the copyright notice and this
          permission notice are preserved on all copies.


          Permission is granted to copy and distribute modified
          versions of this manual under the conditions for verbatim
          copying, provided that the entire resulting derived work is
          distributed under the terms of a permission notice identical
          to this one.

          Permission is granted to copy and distribute translations of
          this manual into another language, under the above
          conditions for modified versions, except that this
          permission notice may be included in translations approved
          by the author instead of in the original English.
    
    
    
    

