


MAKE-SSH-KNOWN-HOSTS(1)     SSH TOOLS	  MAKE-SSH-KNOWN-HOSTS(1)


NAME
       make-ssh-known-hosts  - make ssh_known_hosts file from DNS
       data

SYNOPSIS
       make-ssh-known-hosts
	      [--initialdns initial_dns]
	      [--server domain_name_server]
	      [--subdomains comma_separated_list_of_subdomains]
	      [--debug debug_level]
	      [--timeout ssh_exec_timeout]
	      [--pingtimeout ping_timeout]
	      [--passwordtimeout timeout_when_asking_password]
	      [--notrustdaemon]
	      [--norecursive]
	      [--domainnamesplit]
	      [--silent]
	      [--keyscan]
	      [--nslookup path_to_nslookup_program]
	      [--ssh path_to_ssh_program]
	      domain_name [take_regexp [remove_regexp]]


DESCRIPTION
       make-ssh-known-hosts is a perl5 script that helps create
       the /usr/local/etc/ssh_known_hosts file, which ssh uses to
       hold the host keys of all publicly known hosts.  ssh does
       not normally permit login using rhosts or /etc/hosts.equiv
       authentication unless the server knows the client's host
       key.  The host keys are also what protects a connection
       against man-in-the-middle attacks, so an entry in this
       file is only as good as the verification of the key behind
       it.

       In addition to /usr/local/etc/ssh_known_hosts, ssh also
       uses the $HOME/.ssh/known_hosts file.  This file, however,
       is intended to contain only those hosts that the particu-
       lar user needs but are not in the global file.  It is
       intended that the /usr/local/etc/ssh_known_hosts file be
       maintained by the system administration, and periodically
       updated to contain the host keys for any new hosts.

       The make-ssh-known-hosts program finds all the hosts in a
       domain by making a DNS query to the master domain name
       server of the domain. The master domain name server is
       located by searching for the SOA record of the domain from
       the initial domain name server (which can be specified
       with the --initialdns option). The master domain name
       server can also be given directly with the --server
       option.

       After getting the host name list, make-ssh-known-hosts
       tries to get the public key from every host in the domain.
       It first tries to connect to the ssh port to check whether
       the host is alive, and if so, it tries to run the command
       cat /usr/local/etc/ssh_host_key.pub on the remote machine
       using ssh.  If the command succeeds, it knows the remote
       machine has ssh installed properly; it then extracts the
       public key from the output and prints the
       /usr/local/etc/ssh_known_hosts entry for it to STDOUT.
       Because make-ssh-known-hosts is usually run before the
       remote machines have a /usr/local/etc/ssh_known_hosts file,
       you may have to use RSA authentication to allow access to
       the hosts.



SSH TOOLS		 November 8, 1995			1


       If the command fails for some reason, it checks whether the
       ssh client nevertheless got the public key from the remote
       host in the initial dialog, and if so, it prints a proper
       entry for it; if the --notrustdaemon option is given, the
       entry is commented out.  Such a key has only been seen
       once, on the wire, and has not been confirmed by reading
       the host's ssh_host_key.pub, so it should be verified out
       of band before the entry is uncommented.

       Domain_name is the domain name for which the file is to be
       generated.  By default make-ssh-known-hosts also extracts
       all subdomains of the domain.  Many sites will want to
       include several domains in their
       /usr/local/etc/ssh_known_hosts file.  The entries for each
       domain should be extracted separately by running
       make-ssh-known-hosts once for each domain.  The results
       should then be combined to create the final file.

       Take_regexp is a perl regular expression that matches the
       hosts to be taken from the domain.  The data matched
       contains all the DNS records of the host in the form
       "fieldname=value".  The fields are separated with newlines,
       and the perl match is made in multiline mode and is case
       insensitive.  The multiline mode means that you can use a
       regexp like "^wks=.*telnet.*$" to match all hosts that have
       a WKS (well known services) field containing the value
       "telnet".

       Remove_regexp is similar, but those hosts that match the
       regexp are not added (it can be used, for example, to
       filter out PCs and Macs using the HINFO field:
       "^hinfo=.*(mac|pc)").  Note that WKS and HINFO are whatever
       the zone's administrator chose to publish; they select
       hosts, they do not prove anything about them.
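       The script below is an added example, not part of
       make-ssh-known-hosts or of this manual, showing what the
       take_regexp and remove_regexp selection does.  It runs over
       a constructed record dump of four hosts (the names,
       addresses, HINFO and WKS values are invented) and applies
       grep -i -E to each line, which for line-anchored patterns
       like the ones above gives the same answer as perl's
       multiline, case insensitive match over the whole record:

```shell
#!/bin/sh
# Added example (not part of make-ssh-known-hosts): how take_regexp and
# remove_regexp select hosts from DNS records given as "fieldname=value"
# lines.  The four records below are constructed (names, addresses, HINFO
# and WKS values are invented); one host per block, blank line between.
DNS_RECORDS='name=alpha.cs.hut.fi
a=130.233.1.1
hinfo=SUN4 UNIX
wks=130.233.1.1 tcp telnet ftp smtp

name=beta.cs.hut.fi
a=130.233.1.2
hinfo=PC MS-DOS
wks=130.233.1.2 tcp telnet

name=gamma.cs.hut.fi
a=130.233.1.3
hinfo=Mac MacOS
wks=130.233.1.3 tcp ftp

name=delta.cs.hut.fi
a=130.233.1.4
hinfo=ALPHA OSF1
wks=130.233.1.4 tcp TELNET ssh'

# select_hosts TAKE_REGEXP [REMOVE_REGEXP]
# Prints the name= value of every record that has a line matching
# TAKE_REGEXP and no line matching REMOVE_REGEXP.  grep -i -E is applied
# line by line, which for line-anchored patterns such as "^wks=.*telnet.*$"
# gives the same result as perl's multiline (/m), case insensitive (/i)
# match over the whole record.
select_hosts() {
    take=$1
    remove=${2:-}
    record=''
    # The extra "\n\n" guarantees a blank line after the last record.
    printf '%s\n\n' "$DNS_RECORDS" | while IFS= read -r line; do
        if [ -n "$line" ]; then
            record="$record$line
"
            continue
        fi
        [ -n "$record" ] || continue
        if printf '%s' "$record" | grep -i -E -q -- "$take"; then
            if [ -z "$remove" ] || ! printf '%s' "$record" | grep -i -E -q -- "$remove"; then
                printf '%s' "$record" | sed -n 's/^name=//p'
            fi
        fi
        record=''
    done
}

# Example calls (the first mirrors the manual's WKS/HINFO filters):
#   select_hosts '^wks=.*telnet.*$' '^hinfo=.*(mac|pc)'   -> alpha, delta
#   select_hosts '^wks=.*ssh'                              -> delta
```

       The beta record is taken by the WKS pattern but removed by
       the HINFO pattern; delta is taken even though its WKS says
       TELNET in capitals, which is the case insensitivity at
       work.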


OPTIONS
       --initialdns initial_dns

       -i initial_dns
	      Set the initial domain name server used to query
	      the SOA record of the domain.


       --server domain_name_server

       -se domain_name_server
	      Set the master domain name server of the domain.
	      This host is used to query the DNS list of the
	      domain.


       --subdomains subdomainlist

       -su subdomainlist
	      Comma separated list of subdomains that are added
	      to host names.  For example, if subdomainlist is
	      ",foo, foo.bar, foo.bar.zappa,
	      foo.bar.zappa.hut.fi" then when host foobar is
	      added to the /usr/local/etc/ssh_known_hosts file it
	      has the aliases "foobar, foobar.foo, foobar.foo.bar,
	      foobar.foo.bar.zappa, foobar.foo.bar.zappa.hut.fi".
	      The default action, decided host by host, is to use
	      every leading part of the full host name as an
	      alias except the one that drops only the last label.
	      (The last label is usually the country code, and an
	      alias like foobar.foo.bar.zappa.hut would not make
	      sense.)


       --debug debug_level

       -de debug_level
	      Set the debug level. Default is 5, bigger values
	      give more output.  Using a big value (like 999)
	      will print lots of debugging output.


       --timeout ssh_exec_timeout

       -ti ssh_exec_timeout
	      Timeout when executing ssh command.  The default is
	      60 seconds.


       --pingtimeout ping_timeout

       -pi ping_timeout
	      Timeout when trying to ping the ssh port.  The
	      default is 3 seconds.


       --passwordtimeout timeout_when_asking_password

       -pa timeout_when_asking_password
	      Timeout when asking password for ssh command.
	      Default is that no passwords are queried. Use value
	      0 to have no timeout for password queries.


       --notrustdaemon

       -notr  Do not trust a key that was only seen in the initial
	      ssh dialog.  If the ssh command fails, the key the
	      ssh client stored in the local known hosts file
	      during that dialog is still printed, but the entry
	      is commented out in the generated
	      /usr/local/etc/ssh_known_hosts file.  Without this
	      option such entries are printed as normal entries,
	      that is, the key is trusted to be the correct key
	      for the host.


       --norecursive

       -nor   Tell make-ssh-known-hosts that it should only
	      extract keys for the given domain, and not to be
	      recursive.


       --domainnamesplit

       -do    Split the domain name to get the list of subdomains.
	      Use this option if you do not want the host name to
	      be split into pieces automatically.  The default
	      splitting is done on a host by host basis.  If the
	      domain is zappa.hut.fi and the host name is foo.bar,
	      then the default action adds the entries "foo,
	      foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi" and
	      this option adds the entries "foo.bar, foo.bar.zappa,
	      foo.bar.zappa.hut.fi".


       --silent

       -si    Be silent.


       --keyscan

       -k     Output a list of all hosts in the format
	      "ipaddr1,ipaddr2,...,ipaddrn
	      hostname.domain.co,hostname,ipaddr1,ipaddr2,all_other_hostname_entries".
	      The output of this can be fed to ssh-keyscan to
	      fetch the keys.


       --nslookup path_to_nslookup_program

       -n path_to_nslookup_program
	      Path to the nslookup program.


       --ssh path_to_ssh_program

       -ss path_to_ssh_program
	      Path to the ssh program, including all options.


EXAMPLES
       The following command:

	      example# make-ssh-known-hosts cs.hut.fi > /usr/local/etc/ssh_known_hosts

       finds all public keys of the hosts in the cs.hut.fi domain
       and puts them in the /usr/local/etc/ssh_known_hosts file,
       splitting domain names on a per host basis.

       The command

	      example% make-ssh-known-hosts hut.fi '^wks=.*ssh' > hut-hosts

       finds all hosts in the hut.fi domain and in its subdomains
       that have their own name server (cs.hut.fi, tf.hut.fi,
       tky.hut.fi) that have the ssh service, and puts their
       public keys in the hut-hosts file.  This would require that
       the domain name server of hut.fi defines an ssh entry in
       the WKS record of every host running ssh.  Because nobody
       yet adds ssh to WKS, it would be better to use the command

	      example% make-ssh-known-hosts hut.fi '^wks=.*telnet' > hut-hosts

       which takes those hosts that have the telnet service.  This
       uses the default subdomain list.


       The command:

	      example% make-ssh-known-hosts hut.fi 'dipoli.hut.fi' '^hinfo=.*(mac|pc)' > dipoli-hosts

       finds all hosts in the hut.fi domain that are in the
       dipoli.hut.fi subdomain (note that dipoli.hut.fi does not
       have its own name server, so its entries are in the hut.fi
       server) and that are not Macs or PCs.
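       The shell functions below are an added example, not part
       of make-ssh-known-hosts or of this manual.  They combine
       the outputs of several per-domain runs as the DESCRIPTION
       suggests and check them before the result is installed:
       exact duplicates are dropped, a host that came back with
       two different keys is reported (either it was re-keyed
       between runs or one run talked to an impostor) and left
       out of the merged file, and entries that were commented
       out because the key was only seen in the initial ssh
       dialog are listed for out of band verification.  The two
       sample outputs are constructed; the key fields are short
       placeholders laid out like ssh 1.x known_hosts entries
       ("hostnames bits exponent modulus"):

```shell
#!/bin/sh
# Added example (not part of make-ssh-known-hosts): combine per-domain
# outputs and check them before installing /usr/local/etc/ssh_known_hosts.
# The two sample outputs are constructed; key fields are short placeholders
# laid out like ssh 1.x known_hosts entries: "hostnames bits exponent modulus".
# "alpha" appears in both runs with the same key (harmless duplicate),
# "beta" with two different keys (conflict), "gamma" commented out
# (key seen only in the initial ssh dialog, --notrustdaemon given).
OUT_CS='alpha.cs.hut.fi,alpha,130.233.1.1 1024 35 1001
beta.cs.hut.fi,beta,130.233.1.2 1024 35 1002
# gamma.cs.hut.fi,gamma,130.233.1.3 1024 35 1003'
OUT_TF='alpha.cs.hut.fi,alpha,130.233.1.1 1024 35 1001
omega.tf.hut.fi,omega,130.233.2.1 1024 35 2001
beta.cs.hut.fi,beta,130.233.1.2 1024 35 9999'

# Hosts whose entry is commented out: the key came only from the initial
# ssh dialog and was never confirmed by reading ssh_host_key.pub.
# Reads known_hosts lines on stdin, prints one primary host name per line.
unverified_hosts() {
    sed -n 's/^# *\([^, ]*\).*/\1/p' | sort -u
}

# Hosts that appear with more than one key across the runs.  The key is
# fields 2-4 (bits, exponent, modulus); the primary name is the first
# comma-separated element of field 1.
key_conflicts() {
    awk '!/^#/ && NF >= 4 {
             split($1, names, ","); host = names[1]
             key = $2 " " $3 " " $4
             if ((host in seen) && seen[host] != key) conflict[host] = 1
             seen[host] = key
         }
         END { for (h in conflict) print h }' | sort
}

# Merged file: comments and exact duplicates dropped, conflicting hosts
# left out until resolved by hand, remaining entries sorted.
merge_known_hosts() {
    awk '/^#/ || NF < 4 { next }
         {
             split($1, names, ","); host = names[1]
             key = $2 " " $3 " " $4
             if ((host in seen) && seen[host] != key) conflict[host] = 1
             seen[host] = key
             if (!($0 in dup)) { dup[$0] = 1; n++; line[n] = $0; owner[n] = host }
         }
         END { for (i = 1; i <= n; i++) if (!(owner[i] in conflict)) print line[i] }' | sort
}

# Usage with real runs:
#   make-ssh-known-hosts cs.hut.fi > cs-hosts
#   make-ssh-known-hosts tf.hut.fi > tf-hosts
#   cat cs-hosts tf-hosts | key_conflicts        # must print nothing
#   cat cs-hosts tf-hosts | unverified_hosts     # verify these by hand
#   cat cs-hosts tf-hosts | merge_known_hosts > ssh_known_hosts.new
#
# With the constructed samples:
#   printf '%s\n%s\n' "$OUT_CS" "$OUT_TF" | key_conflicts      -> beta.cs.hut.fi
#   printf '%s\n%s\n' "$OUT_CS" "$OUT_TF" | unverified_hosts   -> gamma.cs.hut.fi
```

       A conflict is never resolved by the script: two different
       keys for one host name means at least one run cannot be
       trusted, and the right key has to be established from the
       host itself before either entry is installed.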


FILES
       /usr/local/etc/ssh_known_hosts   Global host public key list


SEE ALSO
       ssh(1), sshd(8), ssh-keygen(1), ping(8), nslookup(8),
       perl(1), perlre(1)


AUTHOR
       Tero Kivinen <kivinen@hut.fi>


COPYING
       Permission is granted to make and distribute verbatim
       copies of this manual provided the copyright notice and
       this permission notice are preserved on all copies.

       Permission is granted to copy and distribute modified
       versions of this manual under the conditions for verbatim
       copying, provided that the entire resulting derived work
       is distributed under the terms of a permission notice
       identical to this one.

       Permission is granted to copy and distribute translations
       of this manual into another language, under the above
       conditions for modified versions, except that this
       permission notice may be included in translations approved
       by the author instead of in the original English.
