.Dd Sep 08, 2018
.Dt sshwot-verify 1
.Os
.Sh NAME
.Nm sshwot-verify
.Nd Search sshwot files for matching fingerprints
.Sh SYNOPSIS
.Nm
.Op Fl p , Fl -port Ar port
.Ar host
.Ar fingerprint
.Op Ar sshwot-file Op Ar sshwot-file ...
.Sh DESCRIPTION
.Nm
searches either the given sshwot files or the files located in the directory
.Pa ~/.sshwot
for a host and fingerprint matching the ones given on the command line.
.Pp
If
.Nm
finds a matching host and a matching fingerprint, it prints
.Do
.Li [ok]
.Dc
followed by the file name (without the
.Li .sshwot
extension), the host and the comment that was given to that host and fingerprint combination in that file.
.Pp
If it finds a matching host but the fingerprint doesn't match, it prints
.Do
.Li [fail]
.Dc
followed by the same information as when the fingerprint matches.
.Pp
If there were no cases where both the host and the fingerprint match in a given file, but there was another host which had the same fingerprint,
.Nm
will print
.Do
.Li [same fingerprint]
.Dc
followed by the same fields as before. However, since the hostnames are stored hashed, it can't know what the hostname was here, and so it prints
.Do
.Li (unknown host)
.Dc
in its place.
.Pp
The reason these are not printed when there is a full match in the file is that they are mainly useful when some other host is impersonating the host you are trying to reach, or when the host has several different domains and you are trying to verify one that is not in the sshwot files. In the first case, since the given host and fingerprint combination is verified in the same file, there is no danger of that. In the second case, this information is likewise useless, since the file did in fact contain the given domain. In addition, for hosts that have several domains it is quite common for them all to be in the same sshwot file, so unconditionally printing them would fill the output with useless noise in normal use.
.Pp
.Nm
can only handle fingerprints in the SHA256 format, which begins with
.Do
.Li SHA256:
.Dc
followed by 43 base64 digits.
.Sh OPTIONS
.Bl -tag
.It Fl p , Fl -port Ar port
Search for keys specifically for an sshd running on the given port on the given host.
.Nm
will still accept keys stored generally for the host if a specific port is given. This is because the same is true for the
.Pa known_hosts
file of OpenSSH.
.El
.Sh EXIT STATUS
.Nm
returns the code 0 if at least one match was found and there were no matching hosts with a different fingerprint. A non-zero exit code is returned otherwise.
.Sh EXAMPLES
.Li sshwot-verify example.com SHA256:Q9E3qf0ypXqIUGUhhKIDxNnZkUIIwXuDfsaK4vLI55U
.Pp
Checks the fingerprint for the host
.Li example.com
against the files stored in
.Pa ~/.sshwot
.Pp
.Li sshwot-verify -p 443 secret.example.com SHA256:ZCHE6V++5H/pOeZVjMBF9+9R8ayVDS7IpSa3SpptQDY example.com-keys.sshwot
.Pp
Checks the fingerprint for the sshd running on port 443 on
.Li example.com
against the fingerprints stored in the file
.Pa example.com-keys.sshwot
.Sh SEE ALSO
.Xr sshwot-export-known-hosts 1 ,
.Xr sshwot-filter 1 ,
.Xr sshwot 5
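The matching rules described above ([ok], [fail], [same fingerprint] with the hashed hostname reported as "(unknown host)", port-specific keys falling back to general host keys, and the exit status) as an added Python example; this is not sshwot's own code, and the file entries, the SHA-256 host-hashing scheme and the hash_host/verify/exit_status names are constructed assumptions rather than the sshwot(5) format.

```python
import hashlib
import re

# Fingerprint format the man page accepts: "SHA256:" plus 43 base64 digits.
FP_RE = re.compile(r"^SHA256:[A-Za-z0-9+/]{43}$")

def hash_host(host, port=None):
    """Assumed host-hashing scheme (hypothetical, not sshwot's): SHA-256 of the
    hostname, or of "[host]:port" for a port-specific key, as a hex string."""
    label = f"[{host}]:{port}" if port else host
    return hashlib.sha256(label.encode()).hexdigest()

# Constructed stand-in for one .sshwot file: (hashed host, fingerprint, comment).
FP_A = "SHA256:" + "A" * 43
FP_B = "SHA256:" + "B" * 43
ENTRIES = [
    (hash_host("example.com"), FP_A, "main key"),
    (hash_host("example.com", 443), FP_B, "sshd on port 443"),
    (hash_host("mirror.example.org"), FP_A, "mirror"),
]

def verify(host, fingerprint, entries, port=None):
    """Classify one file's entries the way sshwot-verify reports them.
    Returns a list of (status, host, comment) tuples in output order."""
    if not FP_RE.match(fingerprint):
        raise ValueError("fingerprint must be SHA256: followed by 43 base64 digits")
    # A port-specific lookup still accepts keys stored for the host in general.
    wanted = {hash_host(host)}
    if port:
        wanted.add(hash_host(host, port))
    results = []
    for hashed, fp, comment in entries:
        if hashed in wanted:
            results.append(("ok" if fp == fingerprint else "fail", host, comment))
    # [same fingerprint] lines are reported only when the file had no full match;
    # the stored host name is hashed, so it cannot be recovered for the output.
    if not any(status == "ok" for status, _, _ in results):
        for hashed, fp, comment in entries:
            if hashed not in wanted and fp == fingerprint:
                results.append(("same fingerprint", "(unknown host)", comment))
    return results

def exit_status(results):
    """0 only if some [ok] was found and no matching host had a different fingerprint."""
    statuses = {status for status, _, _ in results}
    return 0 if "ok" in statuses and "fail" not in statuses else 1
```

Note that the mirror host sharing FP_A is suppressed when example.com itself matches, but surfaces as "[same fingerprint] (unknown host)" when the queried host is absent from the file.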