path: root/ssh-keyscan.1
author: Alistair Delva <adelva@google.com> 2020-08-20 16:14:23 -0700
committer: Alistair Delva <adelva@google.com> 2020-08-20 16:53:18 -0700
commit: d9da10d147d633fdb6ec65e17ff4b8447419d83e
tree: 8f93e8fdc2907f141e0924910bfec26669819f0b /ssh-keyscan.1
parent: 22246b08952d746a7cc5a292570636cf4277598f
parent: ecb2c02d994b3e21994f31a70ff911667c262f1f
Merge upstream-master into master

Commit ecb2c02d994b3e21994f31a70ff911667c262f1f upstream

This nearly (but not quite) corresponds to V_8_3_P1; subsequent cherry-picks will correct this.

Bug: 162492243
Change-Id: I3c079d86435b7c25aefff4538dc89a3002b1e25b
Diffstat (limited to 'ssh-keyscan.1')

-rw-r--r--  ssh-keyscan.1 | 114
1 files changed, 47 insertions, 67 deletions
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index 6bbc480c..f9df75d4 100644
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keyscan.1,v 1.36 2014/08/30 15:33:50 sobrado Exp $
+.\" $OpenBSD: ssh-keyscan.1,v 1.45 2019/11/30 07:07:59 jmc Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
@@ -6,30 +6,29 @@
.\" permitted provided that due credit is given to the author and the
.\" OpenBSD project by leaving this copyright notice intact.
.\"
-.Dd $Mdocdate: August 30 2014 $
+.Dd $Mdocdate: November 30 2019 $
.Dt SSH-KEYSCAN 1
.Os
.Sh NAME
.Nm ssh-keyscan
-.Nd gather ssh public keys
+.Nd gather SSH public keys from servers
.Sh SYNOPSIS
.Nm ssh-keyscan
-.Bk -words
-.Op Fl 46Hv
+.Op Fl 46cDHv
.Op Fl f Ar file
.Op Fl p Ar port
.Op Fl T Ar timeout
.Op Fl t Ar type
.Op Ar host | addrlist namelist
-.Ar ...
-.Ek
.Sh DESCRIPTION
.Nm
-is a utility for gathering the public ssh host keys of a number of
+is a utility for gathering the public SSH host keys of a number of
hosts.
It was designed to aid in building and verifying
.Pa ssh_known_hosts
-files.
+files,
+the format of which is documented in
+.Xr sshd 8 .
.Nm
provides a minimal interface suitable for use by shell and perl
scripts.
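Review bot: The synopsis drops the trailing `.Ar ...` that signalled that more than one `host` or `addrlist namelist` argument may be given, yet the DESCRIPTION in this same hunk still says the tool gathers keys "of a number of hosts"; keep `.Ar ...` after `.Op Ar host | addrlist namelist` so the synopsis and the text agree. Removing `.Bk -words`/`.Ek` is fine, the option list is short enough not to need keep-together.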
@@ -39,7 +38,8 @@ uses non-blocking socket I/O to contact as many hosts as possible in
parallel, so it is very efficient.
The keys from a domain of 1,000
hosts can be collected in tens of seconds, even when some of those
-hosts are down or do not run ssh.
+hosts are down or do not run
+.Xr sshd 8 .
For scanning, one does not need
login access to the machines that are being scanned, nor does the
scanning process involve any encryption.
@@ -47,13 +47,21 @@ scanning process involve any encryption.
The options are as follows:
.Bl -tag -width Ds
.It Fl 4
-Forces
+Force
.Nm
to use IPv4 addresses only.
.It Fl 6
-Forces
+Force
.Nm
to use IPv6 addresses only.
+.It Fl c
+Request certificates from target hosts instead of plain keys.
+.It Fl D
+Print keys found as SSHFP DNS records.
+The default is to print keys in a format usable as a
+.Xr ssh 1
+.Pa known_hosts
+file.
.It Fl f Ar file
Read hosts or
.Dq addrlist namelist
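Review bot: The new `-c` and `-D` entries say nothing about how they combine with the other options: `-c` changes what is requested from the server but the `-t` text in this file still lists only plain key types, and `-D` changes the output format but the `-H` entry does not say whether hashing applies to SSHFP output. A sentence in each entry settling this would save readers a trip to the source. The `-D` entry could also point at the page's own warning that keys gathered without verification leave users open to man-in-the-middle attacks, since an SSHFP record published from unverified scan output carries exactly that risk into DNS.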
@@ -61,41 +69,42 @@ pairs from
.Ar file ,
one per line.
If
-.Pa -
+.Sq -
is supplied instead of a filename,
.Nm
-will read hosts or
-.Dq addrlist namelist
-pairs from the standard input.
+will read from the standard input.
+Input is expected in the format:
+.Bd -literal
+1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
+.Ed
.It Fl H
Hash all hostnames and addresses in the output.
Hashed names may be used normally by
-.Nm ssh
+.Xr ssh 1
and
-.Nm sshd ,
+.Xr sshd 8 ,
but they do not reveal identifying information should the file's contents
be disclosed.
.It Fl p Ar port
-Port to connect to on the remote host.
+Connect to
+.Ar port
+on the remote host.
.It Fl T Ar timeout
Set the timeout for connection attempts.
If
.Ar timeout
seconds have elapsed since a connection was initiated to a host or since the
-last time anything was read from that host, then the connection is
+last time anything was read from that host, the connection is
closed and the host in question considered unavailable.
-Default is 5 seconds.
+The default is 5 seconds.
.It Fl t Ar type
-Specifies the type of the key to fetch from the scanned hosts.
+Specify the type of the key to fetch from the scanned hosts.
The possible values are
-.Dq rsa1
-for protocol version 1 and
.Dq dsa ,
.Dq ecdsa ,
.Dq ed25519 ,
or
-.Dq rsa
-for protocol version 2.
+.Dq rsa .
Multiple values may be specified by separating them with commas.
The default is to fetch
.Dq rsa ,
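Review bot: The input-format example has moved from FILES into the `-f` entry and is introduced with "Input is expected in the format:", which reads as if the `addrlist namelist` form applied only to file input; the synopsis accepts the same form on the command line, so phrase it as "Hosts and addrlist/namelist pairs, on the command line or in file, use the format:" or similar. The change from `.Pa -` to `.Sq -` is correct, `-` is a literal argument rather than a path. Removing the `rsa1`/protocol-1 text is consistent with the rest of this change.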
@@ -104,12 +113,10 @@ and
.Dq ed25519
keys.
.It Fl v
-Verbose mode.
-Causes
-.Nm
-to print debugging messages about its progress.
+Verbose mode:
+print debugging messages about progress.
.El
-.Sh SECURITY
+.Pp
If an ssh_known_hosts file is constructed using
.Nm
without verifying the keys, users will be vulnerable to
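Review bot: Replacing `.Sh SECURITY` with `.Pp` folds the man-in-the-middle warning into an unnamed paragraph right after the option list, where it is easy to skim past; the warning that an ssh_known_hosts file built with this tool without verifying the keys leaves users vulnerable is the most important caveat on the page. Keep a dedicated section heading for it (`.Sh SECURITY`, or the mdoc-conventional `.Sh CAVEATS`) rather than merging it into DESCRIPTION.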
@@ -120,59 +127,32 @@ On the other hand, if the security model allows such a risk,
can help in the detection of tampered keyfiles or man in the middle
attacks which have begun after the ssh_known_hosts file was created.
.Sh FILES
-Input format:
-.Bd -literal
-1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
-.Ed
-.Pp
-Output format for RSA1 keys:
-.Bd -literal
-host-or-namelist bits exponent modulus
-.Ed
-.Pp
-Output format for RSA, DSA, ECDSA, and Ed25519 keys:
-.Bd -literal
-host-or-namelist keytype base64-encoded-key
-.Ed
-.Pp
-Where
-.Ar keytype
-is either
-.Dq ecdsa-sha2-nistp256 ,
-.Dq ecdsa-sha2-nistp384 ,
-.Dq ecdsa-sha2-nistp521 ,
-.Dq ssh-ed25519 ,
-.Dq ssh-dss
-or
-.Dq ssh-rsa .
-.Pp
.Pa /etc/ssh/ssh_known_hosts
.Sh EXAMPLES
-Print the rsa host key for machine
+Print the RSA host key for machine
.Ar hostname :
-.Bd -literal
-$ ssh-keyscan hostname
-.Ed
+.Pp
+.Dl $ ssh-keyscan -t rsa hostname
.Pp
Find all hosts from the file
.Pa ssh_hosts
which have new or different keys from those in the sorted file
.Pa ssh_known_hosts :
-.Bd -literal
+.Bd -literal -offset indent
$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
sort -u - ssh_known_hosts | diff ssh_known_hosts -
.Ed
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr sshd 8
+.Rs
+.%D 2006
+.%R RFC 4255
+.%T Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
+.Re
.Sh AUTHORS
.An -nosplit
.An David Mazieres Aq Mt dm@lcs.mit.edu
wrote the initial version, and
.An Wayne Davison Aq Mt wayned@users.sourceforge.net
added support for protocol version 2.
-.Sh BUGS
-It generates "Connection closed by remote host" messages on the consoles
-of all the machines it scans if the server is older than version 2.9.
-This is because it opens a connection to the ssh port, reads the public
-key, and drops the connection as soon as it gets the key.
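Review bot: The FILES hunk deletes the output-format documentation (`host-or-namelist keytype base64-encoded-key` and the list of `keytype` strings) without relocating it, while the DESCRIPTION still advertises the tool as a minimal interface for shell and perl scripts that will parse that output; keep a description of the output line format, for instance in DESCRIPTION for the known_hosts form and under `-D` for the SSHFP form, and note that `-H` changes the first field. Dropping the RSA1 format and the BUGS entry about pre-2.9 servers follows from removing protocol 1. Adding RFC 4255 to SEE ALSO is the right reference for `-D`; the retained example still requests `-t rsa,dsa,ecdsa,ed25519`, which is fine for an exhaustive comparison against an existing file but the first example's switch to `-t rsa` should say why only RSA is requested there.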