Bug 2821

Summary: ssh-keyscan cannot generate SSHFP fingerprints
Product: Portable OpenSSH
Reporter: Ulrich M. Schwarz <schwarz>
Component: ssh-keyscan
Assignee: Damien Miller <djm>
Status: CLOSED FIXED
Severity: enhancement
CC: djm, dtucker
Priority: P5
Version: 7.6p1
Hardware: All
OS: Linux
Bug Depends on:
Bug Blocks: 2782
Attachments:
Add ssh-keyscan -D flag for output in SSHFP format (flags: dtucker: ok+)

Description Ulrich M. Schwarz 2018-01-19 00:45:22 AEDT
It seems kind of odd that ssh-keyscan does not offer an equivalent to ssh-keygen's -r to easily generate SSHFP fingerprints for more than one host, without logging into each host. 
All the information needed is already fetched (i.e. the public keys) or known (i.e. the hostname), but as is, you'd have to generate the known_hosts output and then parse it again and hash it yourself or create temporary files for each line, as you can't pipe into ssh-keygen.

I realize that this mass-generation pretty much only occurs when you initially commit to deploying SSHFP, but all the code is already there…
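The workaround the description sketches (take ssh-keyscan's known_hosts output, parse it, and hash the key blob yourself) looks like the following. This is an added example, not part of the bug, the attached patch, or OpenSSH; the algorithm and fingerprint-type numbers are the IANA SSHFP values, the digest is over the base64-decoded key blob exactly as ssh-keygen -r computes it, and the sample key and hostnames are constructed (the 32 "key" bytes are 0x00..0x1f, not a real key). Lines from ssh-keyscan -H carry hashed hostnames, which cannot become DNS owner names, so those are rejected rather than silently emitted.

```python
import base64
import hashlib
import struct
from typing import List, Optional, Tuple

# SSHFP algorithm numbers from the IANA registry (RFC 4255, 6594, 7479, 8709).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}

# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_fingerprint(blob: bytes, fptype: int) -> str:
    """Hex fingerprint of a raw public-key blob, as written in an SSHFP record.

    The digest covers the base64-decoded key blob itself, which is what both
    ssh-keygen -r and a client verifying SSHFP records from DNS compute.
    """
    return SSHFP_FPTYPES[fptype](blob).hexdigest()


def parse_known_hosts_line(line: str) -> Optional[Tuple[List[str], str, bytes]]:
    """Split one known_hosts / ssh-keyscan line into (hostnames, keytype, blob).

    Returns None for blank lines and for the "# host:port banner" comment lines
    that ssh-keyscan prints; raises ValueError on malformed or unusable input.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if fields[0].startswith("@"):
        fields = fields[1:]  # drop @cert-authority / @revoked markers
    if len(fields) < 3:
        raise ValueError(f"malformed known_hosts line: {line!r}")
    hosts, keytype, b64 = fields[0], fields[1], fields[2]
    if hosts.startswith("|"):
        raise ValueError("hashed hostname (ssh-keyscan -H) cannot be an SSHFP owner name")
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with an SSH string naming its own type; insist that it
    # agrees with the keytype field so a mismatched line is rejected, not hashed.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + name_len].decode("ascii", errors="replace")
    if embedded_type != keytype:
        raise ValueError(f"key type {keytype} does not match blob type {embedded_type}")
    return hosts.split(","), keytype, blob


def sshfp_records(line: str, fptypes=(1, 2)) -> List[str]:
    """Render one known_hosts line as SSHFP records, one per host and fptype."""
    parsed = parse_known_hosts_line(line)
    if parsed is None:
        return []
    hosts, keytype, blob = parsed
    alg = SSHFP_ALGORITHMS.get(keytype)
    if alg is None:
        raise ValueError(f"no SSHFP algorithm number for key type {keytype}")
    return [
        f"{host} IN SSHFP {alg} {fptype} {sshfp_fingerprint(blob, fptype)}"
        for host in hosts
        for fptype in fptypes
    ]


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample input: a syntactically valid ssh-ed25519 blob whose 32-byte
# "public key" is just 0x00..0x1f (not a real key), under example hostnames.
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = "example.com,192.0.2.10 ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode()

if __name__ == "__main__":
    # The comment line yields nothing; the key line yields four records.
    for rec in sshfp_records("# example.com:22 SSH-2.0-OpenSSH_7.6") + sshfp_records(SAMPLE_LINE):
        print(rec)
```

Feeding real ssh-keyscan output through this (one line at a time, with stdin) gives the same records ssh-keygen -r would print for each host, which is the comparison worth making before publishing them: an SSHFP record derived from the wrong key pins clients to the wrong host key.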
Comment 1 Damien Miller 2018-02-23 13:55:26 AEDT
Created attachment 3127
Add ssh-keyscan -D flag for output in SSHFP format

Good idea, this is trivial to implement. Here's a patch.
Comment 2 Damien Miller 2018-02-23 16:09:17 AEDT
That's applied and will be in OpenSSH 7.7 - thanks!
Comment 3 Damien Miller 2021-04-23 14:53:11 AEST
closing resolved bugs as of 8.6p1 release