  |
     |
ssh-keyfetch
ssh-keyfetch — Host key tool for the Secure Shell client
Description
ssh-keyfetch is a tool that downloads server host keys and optionally sets them as known host keys for the Secure Shell client. It is typically used by the system administrator during the initial setup phase.
By default the host key is fetched from the server and saved in file key_host_port.suffix in the current directory.
Options
The following options are available:
-a, --set-trustedInstead of writing the public key to a file, add the public key as a known host key to the user-specific directory:
$HOME/.ssh2/hostkeys. This option cannot be combined with-Cor-K.![[Caution]](images/caution.gif)
Caution When ssh-keyfetch is run with the
-aoption, it accepts the received host keys automatically without prompting the user. You should verify the validity of keys by verifying the key fingerprints after receiving them or you risk being subject to a man-in-the-middle attack.To validate the host key, obtain the host key fingerprint from a trusted source (for example by calling the server administrator) and verify it against the output from command:
ssh-keygen-g3 --fingerprint <hostname>
-A, --fetch-anyProbe for and fetch either server public key or certificate.
-C, --fetch-certificateProbe for and fetch the server certificate only.
-d, --debugdebug-levelEnable debugging.
-D, --debug-defaultEnable debugging with default level.
-f, --filename-formatnameformatFilename format for known host keys. Accepted values are
plainandhashed. The default isplain.-F, --fingerprint-type[=babble|babble-upper|pgp-2|pgp-5|hex|hex-upper]Public key fingerprint type for fingerprints displayed in messages and log. Most popular types are
babble(the SSH babble format) andhex. The default isbabble. See also the option--rfc4716.-H, --hash[=md5|sha1]Specifies the digest algorithm for fingerprint generation. Valid options are
md5andsha1.-K, --kex-key-formatstypelistExplicitly specify the host-key types accepted in protocol key exchange. For experts only. See RFC 4253 for details.
-l, --logReport successfully received keys in log format. The log format consists of one line per key, six fields per line. The fields are:
- accept|save
- replace|append
- hostname
- ip-port
- user-id
- key-file-path
- fingerprint
-o, --output-fileoutput-fileWrite result to
output-file. A minus sign ("-") denotes standard output.-O, --output-directoryoutput-dirWrite result to
output-dir. The default is the current directory.-p, --portportServer port (default:
22).-P, --fetch-public-keyProbe for and fetch the server public key only. This is the default behaviour.
-q, --quietQuiet mode, report only errors.
-R, --rfc4716Displays the public key fingerprints in the format specified in RFC 4716. The digest algorithm (hash) is md5, and the output format is the 16-bytes output in lowercase HEX separated with colons (:).
-S, --proxy-urlsocks-urlSpecifies the SOCKS server to use.
-t, --timeouttimeoutConnection timeout in seconds (default:
10seconds).--append[=yes|no]Instead of appending a new host key, overwrite the existing known host keys for this host. Optional values are
yesandno. The default is to append.-V, --versionDisplays version string and exits.
Environment Variables
In order to run ssh-keyfetch the following environment variables must be set:
- _BPXK_AUTOCVT
=ON If this variable is not set correctly ssh-keyfetch fails to start.
- _CEE_RUNOPTS
='FILETAG(AUTOCVT,NOAUTOTAG),TRAP(ON)' If this variable is not set correctly ssh-keyfetch fails to start.
- SSH_SOCKS_SERVER
The address of the SOCKS server used by ssh-keyfetch.
Examples
Connect to the server through a SOCKS proxy:
$ ssh-keyfetch -S socks://fw.example.com:1080/10.0.0.0/8 server.outside.example Public key from server.outside.example:22 saved. File: server.outside.example.pub Fingerprint: xucar-bened-liryt-lumup-minad-tozuc-pesyp-vafah-mugyd-susic-guxix
Accept the server key as a known key for Tectia Client and report in the more rigid log format:
$ ssh-keyfetch -a -l newhost Accepted newhost 22 testuser /home/testuser/.ssh2/hostkeys/key_22_newhost.pub xigad-hozuf-kykek-vogid-dumid-bydop-mulym-zegar-nybuv-muled-syxyx
Accept the server key as a known key for Tectia client tools for z/OS and store the key to global configuration hostkeys directory:
$ ssh-keyfetch -a --output-directory /etc/ssh2/hostkeys Accepted newhost 22 testuser /etc/ssh2/hostkeys/key_22_anotherhost.pub bydop-mulym-zegar-nybuv-muled-syxyx-xigad-hozuf-kykek-vogid-dumid
Accept the server key as a known key for Tectia Client and use an uninformative hash as the filename for the stored known key:
$ ssh-keyfetch -f hashed -a newhost Public key from newhost:22 accepted as trusted hostkey. File: /home/testuser/.ssh2/hostkeys/keys_420b23ca959ab165e52e117a90baa89d92ffc535 Fingerprint: xigad-hozuf-kykek-vogid-dumid-bydop-mulym-zegar-nybuv-muled-syxyx
Fetch the X.509 certificate of the server running in port 222 and display the content with ssh-certview:
$ ssh-keyfetch -C -p 222 -o - newhost | ssh-certview -
Certificate =
SubjectName = <C=FI, O=SSH, OU=DEV, CN=newhost.ssh.com>
IssuerName = <C=FI, O=SSH, CN=Sickle CA>
SerialNumber= 24593438
Validity =
NotBefore = 2007 Sep 13th, 15:10:00 GMT
NotAfter = 2008 Sep 12th, 15:10:00 GMT
PublicKeyInfo =
PublicKey =
Algorithm = RSA
Modulus n (1024 bits) :
...
Fingerprints =
MD5 = 3c:71:17:9b:c2:12:26:cf:96:27:fb:d7:a8:19:37:89
SHA-1 =
14:72:f3:0f:20:5e:75:ed:d2:c3:86:4b:69:45:00:47:ae:fe:31:64
This explicit key exchange type list is equivalent to specifying option -A:
$ ssh-keyfetch -K ssh-rsa,ssh-dss,x509v3-sign-rsa,x509v3-sign-dss newhost Public key from newhost:22 saved. File: key_newhost_22.pub Fingerprint: xigad-hozuf-kykek-vogid-dumid-bydop-mulym-zegar-nybuv-muled-syxyx
| |
Copyright 
2014 SSH Communications Security Corporation
This software is protected by international copyright laws. All rights reserved.
Contact Information