ssh-keyscan Command Cheat Sheet
ssh-keyscan is a utility for gathering the public SSH host keys of a number of hosts. It is extremely useful for automating the population of ~/.ssh/known_hosts to prevent interactive prompts.
Synopsis
ssh-keyscan [options] [host | addrlist]
Basic Usage
Scan a Single Host
Print the RSA, ECDSA, and ED25519 host keys to stdout.
ssh-keyscan github.com
Append to known_hosts
This prevents the "Are you sure you want to continue connecting?" prompt.
ssh-keyscan github.com >> ~/.ssh/known_hosts
Scanning Options
Scan Specific Port (-p)
Use this when the server listens on a non-standard port.
ssh-keyscan -p 2222 gitlab.com
Scan IPs from a File (-f)
Scan a list of servers.
ssh-keyscan -f hosts.txt
Scan Key Type (-t)
Only look for Ed25519 keys (faster and modern).
ssh-keyscan -t ed25519 github.com
Verification
Hash Output (-H)
Hash the hostnames in the output (standard for modern known_hosts files) to protect privacy.
ssh-keyscan -H github.com
Usage in Scripts (CI/CD)
A common pattern in Dockerfiles or CI pipelines:
mkdir -p ~/.ssh
ssh-keyscan gitlab.com >> ~/.ssh/known_hosts
Notes
- Speed: ssh-keyscan uses non-blocking I/O and can scan hundreds of hosts in parallel.
- Security: It does not verify the keys it receives. It blindly trusts the server. Use only on trusted networks or verify the fingerprints manually afterwards if security is critical.
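One way to apply the Security note to the CI/CD pattern above, as an added example that is not part of the original cheat sheet: filter ssh-keyscan output through pinned fingerprints before it reaches known_hosts. The function names, the pin-file format, and the sample host and key are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: only pass ssh-keyscan lines whose key matches a pinned fingerprint.

# Constructed sample line (not a real host or key) for trying the functions offline.
SAMPLE_LINE='ci-git.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOneConstructedForTestAAAAAAAAAAAA'

# key_fp BASE64_KEY: print the fingerprint in the "SHA256:..." form ssh displays.
key_fp() {
    hex=$(printf '%s' "$1" | base64 -d 2>/dev/null | sha256sum | cut -c1-64)
    oct=''
    while [ -n "$hex" ]; do               # hex digest -> printf octal escapes
        rest=${hex#??}
        byte=${hex%"$rest"}
        oct="$oct$(printf '\\%03o' "0x$byte")"
        hex=$rest
    done
    # raw digest bytes -> base64 without padding
    printf 'SHA256:%s\n' "$(printf "$oct" | base64 | tr -d '=\n')"
}

# verify_scan PINFILE: read ssh-keyscan output on stdin, print verified lines.
# PINFILE format (an assumption of this example): "host keytype SHA256:fingerprint"
# per line, with fingerprints obtained out of band (vendor docs, server console).
verify_scan() {
    pins=$1 accepted=0 rejected=0
    while read -r host type key extra; do
        case $host in ''|'#'*) continue ;; esac     # skip blank and comment lines
        fp=$(key_fp "$key")
        if grep -qFx -- "$host $type $fp" "$pins"; then
            printf '%s %s %s\n' "$host" "$type" "$key"
            accepted=$((accepted + 1))
        else
            echo "REJECTED $host $type $fp (not in $pins)" >&2
            rejected=$((rejected + 1))
        fi
    done
    # Fail on any unpinned key, and when the scan produced no usable key at all.
    [ "$rejected" -eq 0 ] && [ "$accepted" -gt 0 ]
}

# Usage in a pipeline step (run without -H so host names can be matched):
#   ssh-keyscan -t ed25519 gitlab.com | verify_scan pins.txt >> ~/.ssh/known_hosts
```

The non-zero exit status lets the pipeline step fail before any ssh or git command relies on the file.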