Your browser does not allow this site to store cookies and other data. Some functionality on this site may not work without them. See Privacy Policy for details on how we would use cookies.

SSH Tectia

ssh-keyfetch

ssh-keyfetch — Host key tool for the Secure Shell client

Synopsis

ssh-keyfetch [options...]
[host]

Description

ssh-keyfetch is a tool that downloads server host keys and optionally sets them trusted for the Secure Shell client. It is typically used by the system administrator during the initial setup phase.

By default the host key is fetched from the server and saved in file key_host_port.suffix in the current directory.

Options

The following options are available:

-a, --set-trusted

Instead of writing the public key to a file, add the public key as a trusted host key. Use with care. This option cannot be combined with -C or -K.

-A, --fetch-any

Probe for and fetch either server public key or certificate.

-C, --fetch-certificate

Probe for and fetch the server certificate only.

-d, --debug debug-level

Enable debugging.

-D, --debug-default

Enable debugging with default level.

-f, --filename-format nameformat

Filename format for trusted hostkeys. Accepted values are plain and hashed. The default is plain.

-F, --fingerprint-type [ =babble | babble-upper | pgp-2 | pgp-5 | hex | hex-upper ]

Public key fingerprint type for fingerprints displayed in messages and log. Most popular types are babble (the SSH babble format) and hex. The default is babble. See also the option --rfc4716.

-H, --hash [ =md5 | sha1 ]

Specifies the digest algorithm for fingerprint generation. Valid options are md5 and sha1.

-K, --kex-key-formats typelist

Explicitly specify the host-key types accepted in protocol key exchange. For experts only. See RFC 4253 for details.

-l, --log

Report succesfully received keys in log format. The log format consists of one line per key, six fields per line. The fields are:

  • accept|save
  • replace|append
  • hostname
  • ip-port
  • user-id
  • key-file-path
  • fingerprint

-o, --output-file output-file

Write result to output-file. A minus sign ("-") denotes standard output.

-O, --output-directory output-dir

Write result to output-dir. The default is the current directory.

-p, --port port

Server port (default: 22).

-P, --fetch-public-key

Probe for and fetch the server public key only. This is the default behaviour.

-q, --quiet

Quiet mode, report only errors.

-R, --rfc4716

Displays the public key fingerprints in the format specified in RFC 4716. The digest algorithm (hash) is md5, and the output format is the 16-bytes output in lowercase HEX separated with colons (:).

-S, --proxy-url socks-url

Specifies the SOCKS server to use.

-t, --timeout timeout

Connection timeout in seconds (default: 10 seconds).

--append [ =yes | no ]

Instead of appending a new host key, overwrite the existing trusted host keys for this host. Optional values are yes and no. The default is to append.

-V, --version

Displays version string and exits.

Environment Variables

SSH_SOCKS_SERVER

The address of the SOCKS server used by ssh-keyfetch.

Examples

Connect to the server through a SOCKS proxy:

$ ssh-keyfetch -S socks://fw.example.com:1080/10.0.0.0/8 server.outside.example
Public key from server.outside.example:22 saved.
 File: server.outside.example.pub
 Fingerprint: xucar-bened-liryt-lumup-minad-tozuc-pesyp-vafah-mugyd-susic-guxix

Accept the server key as a trusted key for SSH Tectia Client and report in the more rigid log format:

$ ssh-keyfetch -a -l  newhost
Accepted newhost 22 testuser /home/testuser/.ssh2/hostkeys/key_22_newhost.pub 
xigad-hozuf-kykek-vogid-dumid-bydop-mulym-zegar-nybuv-muled-syxyx

Accept the server key as a trusted key for SSH Tectia Client and use an uninformative hash as the filename for the stored trusted key:

$ ssh-keyfetch -f hashed -a  newhost
Public key from newhost:22 accepted as trusted hostkey.
 File:
 /home/testuser/.ssh2/hostkeys/keys_420b23ca959ab165e52e117a90baa89d92ffc535
 Fingerprint:
 xigad-hozuf-kykek-vogid-dumid-bydop-mulym-zegar-nybuv-muled-syxyx

Fetch the X.509 certificate of the server running in port 222 and display the content with ssh-certview:

$ ssh-keyfetch -C -p 222 -o - newhost | ssh-certview -
Certificate = 
  SubjectName = <C=FI, O=SSH, OU=DEV, CN=newhost.ssh.com>
  IssuerName = <C=FI, O=SSH, CN=Sickle CA>
  SerialNumber= 24593438
  Validity = 
    NotBefore = 2007 Sep 13th, 15:10:00 GMT
    NotAfter  = 2008 Sep 12th, 15:10:00 GMT
  PublicKeyInfo = 
    PublicKey =
      Algorithm = RSA
      Modulus n  (1024 bits) :
...
  Fingerprints = 
    MD5 = 3c:71:17:9b:c2:12:26:cf:96:27:fb:d7:a8:19:37:89
    SHA-1 =
    14:72:f3:0f:20:5e:75:ed:d2:c3:86:4b:69:45:00:47:ae:fe:31:64

This explicit key exchange type list is equivalent to specifying option -A:

$ ssh-keyfetch -K ssh-rsa,ssh-dss,x509v3-sign-rsa,x509v3-sign-dss newhost 
Public key from newhost:22 saved.
 File: key_newhost_22.pub
 Fingerprint:
 xigad-hozuf-kykek-vogid-dumid-bydop-mulym-zegar-nybuv-muled-syxyx

===AUTO_SCHEMA_MARKUP===