.Dd September 8, 2018
.Dt SSHWOT-VERIFY 1
.Os
.Sh NAME
.Nm sshwot-verify
.Nd search sshwot files for a matching host and fingerprint
.Sh SYNOPSIS
.Nm
.Op Fl p , Fl -port Ar port
.Ar host
.Ar fingerprint
.Op Ar sshwot-file Op Ar sshwot-file ...
.Sh DESCRIPTION
.Nm
searches the given sshwot files, or, if none are given on the command line,
the files in the directory
.Pa ~/.sshwot ,
for entries matching the host and fingerprint given on the command line.
.Pp
If
.Nm
finds an entry whose host and fingerprint both match, it prints
.Do
.Li [ok]
.Dc
followed by the file name (without the
.Li .sshwot
extension), the host and the comment recorded for that host and fingerprint
combination in that file.
.Pp
If it finds an entry whose host matches but whose fingerprint does not, it prints
.Do
.Li [fail]
.Dc
followed by the same fields as for a match. A
.Li [fail]
means the file vouches for a different key for this host than the one
presented, which is what a rotated host key or a man-in-the-middle presenting
its own key looks like; treat it as you would a changed key in
.Pa known_hosts .
.Pp
If a file contains no entry where both host and fingerprint match, but does
contain another host with the same fingerprint,
.Nm
prints
.Do
.Li [same fingerprint]
.Dc
followed by the same fields as before. Since host names are stored hashed in
sshwot files, it cannot recover the host name of that entry and prints
.Do
.Li (unknown host)
.Dc
in its place.
.Pp
These lines are not printed when the file also contains a full match, because
they are mainly useful in two situations: some other host is impersonating the
host you are trying to reach, or the host is reachable under several domains
and the one you are verifying is not in the sshwot files. In the first case
the given host and fingerprint combination is already verified by the same
file, so there is no danger. In the second case the information is likewise
useless, since the file did in fact contain the given domain. Moreover, hosts
with several domains commonly have all of them in the same sshwot file, so
printing these lines unconditionally would fill the output with noise in
normal use.
.Pp
.Nm
only handles fingerprints in the SHA256 format: the prefix
.Do
.Li SHA256:
.Dc
followed by 43 base64 characters. This is the unpadded base64 encoding of the
32-byte SHA-256 digest of the host key, as printed by
.Xr ssh-keygen 1
with
.Fl l ;
MD5 and other fingerprint formats are not accepted.
.Sh OPTIONS
.Bl -tag -width Ds
.It Fl p , Fl -port Ar port
Search for keys recorded specifically for an sshd listening on the given port
of the given host. Keys recorded for the host in general are still accepted
when a port is given; this is because the same is true for the
.Pa known_hosts
file of OpenSSH.
.El
.Sh EXIT STATUS
.Nm
exits with status 0 if at least one full host and fingerprint match was found
and no file contained the host with a different fingerprint. Otherwise it
exits with a non-zero status. Scripts should test the exit status rather than
parse the output.
.Sh EXAMPLES
.Dl sshwot-verify example.com SHA256:Q9E3qf0ypXqIUGUhhKIDxNnZkUIIwXuDfsaK4vLI55U
.Pp
Checks the fingerprint for the host
.Li example.com
against the files stored in
.Pa ~/.sshwot .
.Pp
.Dl sshwot-verify -p 443 secret.example.com SHA256:ZCHE6V++5H/pOeZVjMBF9+9R8ayVDS7IpSa3SpptQDY example.com-keys.sshwot
.Pp
Checks the fingerprint for the sshd running on port 443 of
.Li secret.example.com
against the fingerprints stored in the file
.Pa example.com-keys.sshwot
only; the files in
.Pa ~/.sshwot
are not consulted when files are given on the command line.
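.Pp
The following script is an added example and is not part of sshwot; it shows
where the fingerprint argument in the examples above comes from and how to
check it before handing it to
.Nm .
It derives the SHA256 fingerprint from an OpenSSH public key line the same way
.Xr ssh-keygen 1
does (SHA-256 over the decoded key blob, base64 without padding, hence the 43
characters), validates that shape, builds the command line from the SYNOPSIS,
and, when run against a live host, fetches the key with ssh-keyscan, passes a
non-default port through
.Fl p ,
and exits with the status of
.Nm .
The sample key is constructed inside the script and is not a real host key;
the function names are the example's own, and the live path assumes
ssh-keyscan and sshwot-verify are on PATH.

```python
#!/usr/bin/env python3
"""Produce and check the SHA256 fingerprint argument for sshwot-verify.

Added example, not part of sshwot. Uses only the Python standard library;
the live path additionally expects ssh-keyscan and sshwot-verify on PATH.
"""
import base64
import hashlib
import re
import subprocess
import sys

# The only shape sshwot-verify accepts: "SHA256:" followed by 43 base64
# characters. A 32-byte digest is 44 base64 characters with one "=" of
# padding; ssh-keygen prints it without the padding.
FINGERPRINT_RE = re.compile(r"SHA256:[A-Za-z0-9+/]{43}")

# Key type words OpenSSH uses in public key and known_hosts lines.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def is_sshwot_fingerprint(fp):
    """True if fp is in the SHA256 format sshwot-verify can handle."""
    return FINGERPRINT_RE.fullmatch(fp) is not None


def fingerprint_bytes(fp):
    """Recover the raw 32-byte SHA-256 digest from a SHA256: fingerprint."""
    if not is_sshwot_fingerprint(fp):
        raise ValueError(f"not a SHA256 fingerprint: {fp!r}")
    return base64.b64decode(fp[len("SHA256:"):] + "=")


def sha256_fingerprint(line):
    """SHA256 fingerprint of an OpenSSH public key, as ssh-keygen -l prints it.

    Accepts a bare public key line ("ssh-ed25519 AAAA... comment") or a
    known_hosts / ssh-keyscan line, which carries a leading host field such
    as "example.com" or, for a non-default port, "[example.com]:443".
    """
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPE_PREFIXES):
            blob = base64.b64decode(fields[i + 1], validate=True)
            break
    else:
        raise ValueError("no OpenSSH public key found in line")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def _ssh_string(data):
    """SSH wire-format string: uint32 big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data


# Constructed sample (NOT a real key): a well-formed ssh-ed25519 blob whose
# 32 key bytes are 0x00..0x1f, in both the bare public key form and the
# "[host]:port" form ssh-keyscan emits for a server not on port 22.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_PUBKEY_LINE = "ssh-ed25519 %s constructed-sample" % base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_KEYSCAN_LINE = "[secret.example.com]:443 " + SAMPLE_PUBKEY_LINE.rsplit(" ", 1)[0]


def keyscan_fingerprint(host, port=None, key_type="ed25519"):
    """Fetch the host key with ssh-keyscan and fingerprint it.

    ssh-keyscan will just as happily talk to an impersonator, which is why
    the result is then checked against sshwot files rather than trusted.
    """
    argv = ["ssh-keyscan", "-t", key_type]
    if port is not None:
        argv += ["-p", str(port)]
    out = subprocess.run(argv + [host], capture_output=True, text=True, check=True).stdout
    for line in out.splitlines():
        if line and not line.startswith("#"):
            return sha256_fingerprint(line)
    raise RuntimeError(f"ssh-keyscan returned no {key_type} key for {host}")


def sshwot_verify_argv(host, fingerprint, port=None, files=()):
    """Build the sshwot-verify command line documented in SYNOPSIS."""
    if not is_sshwot_fingerprint(fingerprint):
        raise ValueError(f"not a SHA256 fingerprint: {fingerprint!r}")
    argv = ["sshwot-verify"]
    if port is not None:
        argv += ["-p", str(port)]
    return argv + [host, fingerprint, *files]


def sshwot_verify(host, fingerprint, port=None, files=()):
    """Run sshwot-verify; 0 means a full match and no conflicting key."""
    return subprocess.run(sshwot_verify_argv(host, fingerprint, port, files)).returncode


if __name__ == "__main__":
    # usage: verify_host.py HOST [PORT [sshwot-file ...]]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else None
    fp = keyscan_fingerprint(host, port)
    print(host, fp)
    sys.exit(sshwot_verify(host, fp, port, sys.argv[3:]))
```

Run as
.Li verify_host.py secret.example.com 443 example.com-keys.sshwot
to reproduce the second example above without typing the fingerprint by hand;
the script's exit status is that of
.Nm ,
so it can be used directly in a shell conditional. The fingerprint derived by
the script is only as good as the key ssh-keyscan received, which is exactly
why it is then verified against the sshwot files rather than trusted on its
own.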
.Sh SEE ALSO
.Xr sshwot-export-known-hosts 1 ,
.Xr sshwot-filter 1 ,
.Xr sshwot 5