Does `ssh-keyscan` verify the legitimacy of the host(s) it scans?

Is there any way for ssh-keyscan to automatically verify the legitimacy of the host it scans?

No. How could it? You are using it to build the known_hosts file that would be used for verification.

If not, doesn't it become security theatre and defeats the point of SSH's known_hosts verification?

In the example you've shown, it indeed does.

Although the problem isn't that ssh-keyscan is being used, but rather when and how it is used. Overall, it isn't any different from getting the regular "Verify unknown host" SSH prompt and blindly typing yes without looking at the fingerprint.

If you do it once and keep the resulting known_hosts file around, then you still get the same Trust-on-first-use behavior that we all expect from SSH. But if you throw away and regenerate known_hosts every time, with no verification against previous runs, then it's going to be a problem whether you use ssh-keyscan or not.

In short, deploying a static known_hosts file would be much more secure – GitHub's SSH hostkeys certainly don't change often, so there is really no need to re-keyscan them every time.

Tags:

Ssh

Openssh

Ssh Host Key

Related

Could a desktop application disclose location even if a VPN is used? Should I present forged documents in a Penetration Test/Red team engagement? Browser setups to stay safe from malware and unwanted stuff Is it a mistake to use a password that has previously been used (by anyone ever)? How good are Angular Route Guards from a security standpoint? how is my ISP able to inject into this webpage? What to do if caught in a physical pentest? Is Firefox's Lockwise secure? Does injecting my own key material into the authenticator undermine authenticator's attestation? How to use FDE without needing to share the encryption password I can pay by my credit card under fake name: who's responsible to check? I have just 4 hours a month to security check a cloud based application - How to use my time?

Recent Posts