[openssh-commits] [openssh] 01/08: upstream: mention that ssh-keyscan output is only as trustworthy as
git+noreply at mindrot.org
git+noreply at mindrot.org
Mon Jun 29 12:21:28 AEST 2026
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit 09c2eeb9c8a0f42716d67548c75a6f4870732caa
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Fri Jun 26 06:17:13 2026 +0000
upstream: mention that ssh-keyscan output is only as trustworthy as
the network between it and the SSH server; ok markus@
OpenBSD-Commit-ID: 067845df7e8eb776408de5f23a2e6e7019945834
---
ssh-keyscan.1 | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index e17957367..7446b862f 100644
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keyscan.1,v 1.53 2025/10/04 21:41:35 naddy Exp $
+.\" $OpenBSD: ssh-keyscan.1,v 1.54 2026/06/26 06:17:13 djm Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm at lcs.mit.edu>.
.\"
@@ -6,7 +6,7 @@
.\" permitted provided that due credit is given to the author and the
.\" OpenBSD project by leaving this copyright notice intact.
.\"
-.Dd $Mdocdate: October 4 2025 $
+.Dd $Mdocdate: June 26 2026 $
.Dt SSH-KEYSCAN 1
.Os
.Sh NAME
@@ -50,6 +50,15 @@ network range (e.g. 192.168.16/28).
If a network range is specified, then all addresses in that range will
be scanned.
.Pp
+.Nm
+cannot verify the authenticity of the host keys it obtains, and an attacker
+on the network with the ability to intercept traffic could substitute their
+own host keys to enable impersonation of servers.
+Because of this,
+.Nm
+output should be verified out of band, or only used directly for host
+authentication if the network is trusted.
+.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl 4
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list