Home / server / Questions / 528680
Accepted
Dustin Oprea
Asked: 2013-08-06 01:34:16 +0800 CST

SSH host-keys: "ssh-keygen -H" vs "ssh-keyscan"

  • 772

"ssh-keygen -F " seems to return one host-key for a given hostname (first matched?), and "ssh-keyscan " seems to return all matched, but the order is not clear.

What's the specific difference between the two?

ssh

1 Answers

  1. Best Answer

    From the ssh-keygen(1) manpage:

    -H      Hash a known_hosts file.  This replaces all hostnames and addresses with hashed
        representations within the specified file; the original content is moved to a
        file with a .old suffix.  These hashes may be used normally by ssh and sshd, but 
        they do not reveal identifying information should the file's contents be 
        disclosed.  This option will not modify existing hashed hostnames and is 
        therefore safe to use on files that mix hashed and non-hashed names.

    and from the ssh-keyscan(1) manpage:

    -H      Hash all hostnames and addresses in the output.  Hashed names may be used 
        normally by ssh and sshd, but they do not reveal identifying information should
        the file's contents be disclosed.

    The former rums locally, hashing your ~/.ssh/known_hosts file, while the latter contacts a remote server to request its keys.

    • 0