ssh-keyfetch (ssh-keyfetch.exe on Windows) is a tool that downloads server host keys and optionally sets them as known host keys for the Secure Shell client. It is typically used by the system administrator during the initial setup phase.
By default the host key is fetched from the server and saved in the file key_host_port.suffix in the current directory.
The following options are available:
-a, --set-trusted
Instead of writing the public key to a file, add the public key as a known host key to the user-specific directory: $HOME/.ssh2/hostkeys (%APPDATA%\SSH\HostKeys on Windows). This option cannot be combined with -C or -K.
Caution
When ssh-keyfetch is run with the
To validate the host key, obtain the host key fingerprint from a trusted source (for example by calling the server administrator) and verify it against the output of the command: ssh-keygen-g3 --fingerprint <hostname>
-A, --fetch-any
Probe for and fetch either server public key or certificate.
-C, --fetch-certificate
Probe for and fetch the server certificate only.
-d, --debug debug-level
Enable debugging at the given level.
-D, --debug-default
Enable debugging with default level.
-f, --filename-format nameformat
Filename format for known host keys. Accepted values are plain and hashed. The default is plain.
-F, --fingerprint-type [=babble | babble-upper | pgp-2 | pgp-5 | hex | hex-upper | base64]
Public key fingerprint type for fingerprints displayed in messages and in the log. The most popular types are babble (the SSH babble format) and hex. The default is babble. See also the option --rfc4716.
-H, --hash [md5 | sha1 | sha256]
Specifies the digest algorithm for fingerprint generation. Valid options are md5, sha1, and sha256.
-K, --kex-key-formats typelist
Explicitly specify the host-key types accepted in the protocol key exchange. For experts only. See RFC 4253 for details.
-l, --log
Report successfully received keys in log format. The log format consists of one line per key, six fields per line. The fields are:
-o, --output-file output-file
Write the result to output-file. A minus sign ("-") denotes standard output.
-O, --output-directory output-dir
Write the result to output-dir. The default is the current directory.
-p, --port port
Server port (default: 22).
-P, --fetch-public-key
Probe for and fetch the server public key only. This is the default behaviour.
-q, --quiet
Quiet mode, report only errors.
-R, --rfc4716
Displays the public key fingerprints in the format specified in RFC 4716. The digest algorithm (hash) is MD5, and the output is the 16-byte digest in lowercase hex, with the bytes separated by colons (:).
-S, --proxy-url socks-url
Specifies the SOCKS server to use.
-t, --timeout timeout
Connection timeout in seconds (default: 10 seconds).
--append [=yes | no]
Instead of appending a new host key, overwrite the existing known host keys for this host. Optional values are yes and no. The default is to append.
-V, --version
Displays version string and exits.
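The Caution above asks the administrator to compare the fingerprint ssh-keyfetch prints with one obtained out of band. As an added illustration (not part of this manual page and not Tectia's own code), the Python below computes a key blob's fingerprint in the babble, hex (RFC 4716 style) and base64 forms that -F, -H and -R describe, and compares it with a trusted value in constant time. The babble form follows the Bubble Babble specification; the pgp-2 and pgp-5 types are not covered, the sample key blob is a constructed placeholder, and whether Tectia's output matches these encodings byte for byte is an assumption.

```python
import base64
import hashlib
import hmac
import struct
VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"

def bubble_babble(data: bytes) -> str:
    """Bubble Babble encoding of a digest (the SSH 'babble' fingerprint form)."""
    seed, out = 1, ["x"]
    rounds = len(data) // 2 + 1
    for i in range(rounds):
        if i + 1 < rounds or len(data) % 2 == 1:
            b1 = data[2 * i]
            out.append(VOWELS[(((b1 >> 6) & 3) + seed) % 6])
            out.append(CONSONANTS[(b1 >> 2) & 15])
            out.append(VOWELS[((b1 & 3) + seed // 6) % 6])
            if i + 1 < rounds:  # full 2-byte tuple: two consonants around a hyphen
                b2 = data[2 * i + 1]
                out.append(CONSONANTS[(b2 >> 4) & 15] + "-" + CONSONANTS[b2 & 15])
                seed = (seed * 5 + b1 * 7 + b2) % 36
        else:  # even length: terminating 3-character tuple
            out.append(VOWELS[seed % 6] + "x" + VOWELS[seed // 6])
    return "".join(out) + "x"

def fingerprint(blob: bytes, hash_name: str = "md5", fp_type: str = "babble") -> str:
    """Fingerprint of a key blob in the -F/-H styles (pgp-2 and pgp-5 not covered)."""
    digest = hashlib.new(hash_name, blob).digest()
    base, _, upper = fp_type.partition("-")
    if base == "babble":
        text = bubble_babble(digest)
    elif base == "hex":  # RFC 4716 style: lowercase hex bytes separated by colons
        text = ":".join(f"{b:02x}" for b in digest)
    elif base == "base64":
        text = base64.b64encode(digest).decode("ascii")
    else:
        raise ValueError(f"unsupported fingerprint type {fp_type!r}")
    return text.upper() if upper == "upper" else text

def ssh_key_blob(key_type: str, raw_key: bytes) -> bytes:
    """Wire-format public key blob (length-prefixed strings); the fingerprint input."""
    return (struct.pack(">I", len(key_type)) + key_type.encode("ascii")
            + struct.pack(">I", len(raw_key)) + raw_key)

def matches_trusted(blob: bytes, expected: str, hash_name: str, fp_type: str) -> bool:
    """Compare the computed fingerprint with one obtained out of band (case-insensitive)."""
    got = fingerprint(blob, hash_name, fp_type).lower().encode("ascii")
    return hmac.compare_digest(got, expected.strip().lower().encode("ascii"))

# Constructed sample: a 32-byte placeholder, not a real server's ed25519 key.
SAMPLE_BLOB = ssh_key_blob("ssh-ed25519", bytes(range(32)))
```

Feed the blob of a key saved by ssh-keyfetch into matches_trusted together with the fingerprint read out by the server administrator; a mismatch means the key must not be installed as trusted.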
Connect to the server through a SOCKS proxy:
$ ssh-keyfetch -S socks://fw.example.com:1080/10.0.0.0/8 server.outside.example
Public key from server.outside.example:22 saved.
File: server.outside.example.pub
Fingerprint: xucar-bened-liryt-lumup-minad-tozuc-pesyp-vafah-mugyd-susic-guxix
Accept the server key as a known key for Tectia Client and report in the more rigid log format:
$ ssh-keyfetch -a -l newhost
Accepted newhost 22 testuser /home/testuser/.ssh2/hostkeys/key_22_newhost.pub xigad-hozuf-kykek-vogid-dumid-bydop-mulym-zegar-nybuv-muled-syxyx
Accept the server key as a known key for Tectia Server and store the key in the global configuration hostkeys directory:
$ ssh-keyfetch -a --output-directory /etc/ssh2/hostkeys
Accepted newhost 22 testuser /etc/ssh2/hostkeys/key_22_anotherhost.pub bydop-mulym-zegar-nybuv-muled-syxyx-xigad-hozuf-kykek-vogid-dumid
Accept the server key as a known key for Tectia Client and use an uninformative hash as the filename for the stored known key:
$ ssh-keyfetch -f hashed -a newhost
Public key from newhost:22 accepted as trusted hostkey.
File: /home/testuser/.ssh2/hostkeys/keys_420b23ca959ab165e52e117a90baa89d92ffc535
Fingerprint: xigad-hozuf-kykek-vogid-dumid-bydop-mulym-zegar-nybuv-muled-syxyx
Accept RSA, ECDSA and ed25519 server keys as known keys for Tectia Client:
$ for t in ecdsa ed25519 rsa; do ssh-keyfetch --set-trusted -k $t newhost; done
Public key from newhost accepted as trusted hostkey.
File: /home/testuser/.ssh2/hostkeys/key_22_newhost.pub
Fingerprint: xecok-rebop-cufar-hotod-geses-dusim-deluv-deren-dyviv-bapad-moxex
Public key from newhost:22 accepted as trusted hostkey.
File: /home/testuser/.ssh2/hostkeys/key_22_newhost.pub
Fingerprint: xuzib-sehat-pemys-zulor-foran-tizur-repyh-boryd-nogeb-refip-raxax
Public key from newhost:22 accepted as trusted hostkey.
File: /home/testuser/.ssh2/hostkeys/key_22_newhost.pub
Fingerprint: xifon-sorer-pysys-vumab-mosuz-pefor-pevab-givaz-feguc-nyven-lexux
Fetch the X.509 certificate of the server running on port 222 and display its content with ssh-certview:
$ ssh-keyfetch -C -p 222 -o - newhost | ssh-certview -
Certificate =
  SubjectName = <C=FI, O=SSH, OU=DEV, CN=newhost.ssh.com>
  IssuerName = <C=FI, O=SSH, CN=Sickle CA>
  SerialNumber= 24593438
  Validity =
    NotBefore = 2007 Sep 13th, 15:10:00 GMT
    NotAfter  = 2008 Sep 12th, 15:10:00 GMT
  PublicKeyInfo =
    PublicKey =
      Algorithm = RSA
      Modulus n (1024 bits) :
      ...
  Fingerprints =
    MD5 = 3c:71:17:9b:c2:12:26:cf:96:27:fb:d7:a8:19:37:89
    SHA-1 = 14:72:f3:0f:20:5e:75:ed:d2:c3:86:4b:69:45:00:47:ae:fe:31:64
This explicit key exchange type list is equivalent to specifying option -A:
$ ssh-keyfetch -K ssh-rsa-sha512@ssh.com,ssh-rsa-sha384@ssh.com,ssh-rsa-sha256@ssh.com,ssh-rsa-sha224@ssh.com,ssh-rsa,ssh-dss-sha512@ssh.com,ssh-dss-sha384@ssh.com,ssh-dss-sha256@ssh.com,ssh-dss-sha224@ssh.com,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519 newhost
Public key from newhost:22 saved.
File: key_newhost_22.pub
Fingerprint: xigad-hozuf-kykek-vogid-dumid-bydop-mulym-zegar-nybuv-muled-syxyx