[openssh-commits] [openssh] 01/08: upstream: mention that ssh-keyscan output is only as trustworthy as

git+noreply at mindrot.org git+noreply at mindrot.org
Mon Jun 29 12:21:28 AEST 2026


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 09c2eeb9c8a0f42716d67548c75a6f4870732caa
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Fri Jun 26 06:17:13 2026 +0000

    upstream: mention that ssh-keyscan output is only as trustworthy as
    
    the network between it and the SSH server; ok markus@
    
    OpenBSD-Commit-ID: 067845df7e8eb776408de5f23a2e6e7019945834
---
 ssh-keyscan.1 | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index e17957367..7446b862f 100644
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keyscan.1,v 1.53 2025/10/04 21:41:35 naddy Exp $
+.\"	$OpenBSD: ssh-keyscan.1,v 1.54 2026/06/26 06:17:13 djm Exp $
 .\"
 .\" Copyright 1995, 1996 by David Mazieres <dm at lcs.mit.edu>.
 .\"
@@ -6,7 +6,7 @@
 .\" permitted provided that due credit is given to the author and the
 .\" OpenBSD project by leaving this copyright notice intact.
 .\"
-.Dd $Mdocdate: October 4 2025 $
+.Dd $Mdocdate: June 26 2026 $
 .Dt SSH-KEYSCAN 1
 .Os
 .Sh NAME
@@ -50,6 +50,15 @@ network range (e.g. 192.168.16/28).
 If a network range is specified, then all addresses in that range will
 be scanned.
 .Pp
+.Nm
+cannot verify the authenticity of the host keys it obtains, and an attacker
+on the network with the ability to intercept traffic could substitute their
+own host keys to enable impersonation of servers.
+Because of this,
+.Nm
+output should be verified out of band, or only used directly for host
+authentication if the network is trusted.
+.Pp
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl 4

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.


More information about the openssh-commits mailing list