Why does ssh-keyscan not use .ssh/config?

Damien Miller djm at mindrot.org
Wed Mar 1 14:33:53 AEDT 2023


On Mon, 27 Feb 2023, Keine Eile wrote:

> Hi ML members,
> 
> Is there a reason why ssh-keyscan does not use Host definitions from
> .ssh/config but only relies on DNS host names? I have a quite long list of
> host names and a not that well maintained name server.

Mostly to keep ssh-keyscan simple. ssh_config contains a lot more
options than Host/Hostname that we'd need to implement if we supported
it in other tools including:

ProxyCommand/ProxyJump
Match (further complicated by Match supporting username, but ssh-keyscan not)
CanonicalizeHostname and Canonicalize*
BindInterface/BindAddress

There are other options too, and implementing them all would be quite
a bit of work.

I'd suggest writing a script or alias using `ssh -G` to resolve the hostname
and plumb it to ssh-keyscan. E.g.

mykeyscan() {
	# Resolve each argument's effective Hostname via ssh_config, then scan it.
	for x in "$@" ; do
		ssh-keyscan "$(ssh -G "$x" | awk '$1 == "hostname" {print $2}')"
	done
}

-d
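
An extended form of the wrapper suggested above, added here as an example and not part of the original message or of OpenSSH: it also passes the Port reported by `ssh -G` to ssh-keyscan and skips hosts configured with ProxyJump/ProxyCommand, since ssh-keyscan connects directly. The function names and the sample `ssh -G` output are constructed, and the lowercase "keyword value" output format of `ssh -G` is an assumption.

```shell
#!/bin/sh
# keyscan_args (hypothetical helper): read `ssh -G <name>` output on stdin and
# print the "-p PORT HOSTNAME" arguments for ssh-keyscan. Returns non-zero if
# no hostname was found or the host is only reachable through a proxy.
keyscan_args() {
	awk '
		$1 == "hostname"                     { host = $2 }
		$1 == "port"                         { port = $2 }
		$1 == "proxyjump"    && $2 != "none" { proxied = 1 }
		$1 == "proxycommand" && $2 != "none" { proxied = 1 }
		END {
			if (proxied || host == "") exit 1
			printf "-p %s %s\n", (port == "" ? 22 : port), host
		}'
}

# mykeyscan: resolve each name through ssh_config, then scan the real target.
mykeyscan() {
	for name in "$@"; do
		if args=$(ssh -G "$name" | keyscan_args); then
			# Word splitting of $args is intended: "-p PORT HOSTNAME".
			ssh-keyscan $args
		else
			echo "skipping $name: no direct route (proxy or no hostname)" >&2
		fi
	done
}

# Constructed samples of `ssh -G` output (not captured from a real host).
SAMPLE_DIRECT='user admin
hostname 192.0.2.10
port 2222'
SAMPLE_PROXIED='user admin
hostname 10.0.0.5
port 22
proxyjump bastion.example.org'

# Demonstration on the constructed direct sample.
printf '%s\n' "$SAMPLE_DIRECT" | keyscan_args
```

The keys printed by ssh-keyscan are labelled with the resolved hostname, not the ssh_config alias, so they match what ssh itself looks up in known_hosts only when HostKeyAlias is not set for that host.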

