
Installing ssh-keyscan on Alpine Linux?


Introduction

On Alpine Linux, ssh-keyscan is not a separate standalone tool you install by name. It is part of the OpenSSH client packages, so the fix is to install the correct OpenSSH package for your Alpine release and then verify that ssh-keyscan is present in the path.

Which Package Provides ssh-keyscan

The exact package split can vary by Alpine release, which is why older answers sometimes look inconsistent. On recent Alpine package indexes, ssh-keyscan is provided through the OpenSSH client package set, commonly via openssh-client-common with openssh-client acting as the practical install target on many systems.

In other words, if ssh-keyscan is missing, install the OpenSSH client tools rather than searching for a package literally named ssh-keyscan.

The first command to try is:

bash
apk add openssh-client

If your release uses a more granular package split and that does not provide the binary, install the lower-level client package directly:

bash
apk add openssh-client-common

After installation, confirm the binary exists:

bash
command -v ssh-keyscan
ssh-keyscan -h

Typical Container Example

A very common Alpine use case is inside a Docker image where you want to pre-populate known_hosts for Git or SSH automation.

dockerfile
FROM alpine:3.20

RUN apk add --no-cache openssh-client \
    && mkdir -p /root/.ssh \
    && ssh-keyscan -H github.com >> /root/.ssh/known_hosts

This works well for CI images and lightweight deployment containers.

If you prefer a shell example instead of a Dockerfile:

bash
apk add --no-cache openssh-client
mkdir -p ~/.ssh
ssh-keyscan -H github.com >> ~/.ssh/known_hosts
chmod 700 ~/.ssh
chmod 600 ~/.ssh/known_hosts

The -H flag hashes hostnames in the output, which is often desirable for privacy in shared environments.

Why ssh-keyscan Is Useful

ssh-keyscan retrieves public host keys from SSH servers without opening an interactive session. It is commonly used to avoid prompts such as "The authenticity of host cannot be established" during automated jobs.

A typical automation pattern is:

bash
ssh-keyscan -t rsa,ecdsa,ed25519 example.com >> ~/.ssh/known_hosts

That lets later SSH or Git commands verify the server key against known_hosts without stopping for manual input.

Security Caveat

ssh-keyscan is a collection tool, not a trust oracle. If you use it blindly on a hostile network, you can still record the wrong host key.

The secure approach is:

  • fetch the key with ssh-keyscan
  • verify the fingerprint through a trusted out-of-band channel
  • only then treat the key as authoritative

This matters most the first time a host is added. After that, normal SSH host key verification protects against unexpected changes.
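
The three steps above as a shell helper, added here as an illustration and not taken from the original page. The function names, the host git.example.com and the fingerprint placeholder are assumptions; the pinned fingerprint must come from the trusted channel, never from the scan itself.

```sh
#!/bin/sh
# Added example (not from the original page): gate known_hosts on a pinned fingerprint.

# verify_scan SCAN_FILE PINNED_FP
# Returns 0 only if SCAN_FILE holds at least one host key and every key in it
# has the pinned SHA256 fingerprint; 1 on a mismatch; 2 if no key was collected.
verify_scan() {
    vs_file=$1
    vs_pin=$2
    # ssh-keygen -l accepts known_hosts-style lines, i.e. ssh-keyscan output.
    vs_fps=$(ssh-keygen -E sha256 -lf "$vs_file" 2>/dev/null | awk '{print $2}')
    [ -n "$vs_fps" ] || return 2    # empty scan: DNS or port 22 problem
    for vs_fp in $vs_fps; do
        [ "$vs_fp" = "$vs_pin" ] || return 1
    done
    return 0
}

# trust_host HOST PINNED_FP KNOWN_HOSTS_FILE
# Scans HOST into a temp file and appends it to KNOWN_HOSTS_FILE only after
# verify_scan accepts it. Assumes the host offers an ed25519 key.
trust_host() {
    th_tmp=$(mktemp) || return 2
    # A failed scan leaves the file empty, which verify_scan rejects.
    ssh-keyscan -T 5 -H -t ed25519 "$1" > "$th_tmp" 2>/dev/null || :
    if verify_scan "$th_tmp" "$2"; then
        cat "$th_tmp" >> "$3"
        th_rc=0
    else
        th_rc=$?
        echo "refusing to trust $1: fingerprint check failed (rc=$th_rc)" >&2
    fi
    rm -f "$th_tmp"
    return "$th_rc"
}

# Usage, with a placeholder for the fingerprint obtained out of band:
#   trust_host git.example.com 'SHA256:<fingerprint from a trusted channel>' ~/.ssh/known_hosts
```

In a Dockerfile RUN step, a non-zero return from trust_host fails the build, so an unexpected key stops the image from being produced instead of being written into known_hosts.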

Troubleshooting On Alpine

If apk add openssh-client succeeds but ssh-keyscan is still missing, check which OpenSSH packages are actually installed:

bash
apk info | grep openssh

You can also list the OpenSSH packages, with their versions, that are available for that specific release:

bash
apk search -v openssh

In stripped-down container images, another frequent issue is trying to run ssh-keyscan before DNS works or before outbound port 22 is reachable. That looks like an installation problem even though the binary is present.

For example, this command tests both name resolution and network reachability by trying to fetch the host key:

bash
ssh-keyscan -T 5 github.com

If that times out, the package installation is probably fine and the issue is network access.

Do Not Confuse ssh-keyscan With ssh-keygen

These tools solve different problems:

  • ssh-keyscan fetches server host keys from remote hosts
  • ssh-keygen generates keys and manages local key material

It is common to install OpenSSH and then use both, but they are not interchangeable.

Common Pitfalls

  • Looking for an Alpine package literally named ssh-keyscan instead of installing the OpenSSH client tools.
  • Assuming package names are identical across every Alpine release.
  • Treating a network timeout as proof that the binary is not installed.
  • Appending host keys to known_hosts without verifying the fingerprint through a trusted channel.
  • Forgetting to create ~/.ssh before redirecting output into known_hosts.

Summary

  • On Alpine, ssh-keyscan comes from the OpenSSH client package set.
  • Start with apk add openssh-client; on some releases the relevant split package is openssh-client-common.
  • Verify installation with command -v ssh-keyscan.
  • ssh-keyscan is useful for automation, especially when preparing known_hosts.
  • Do not rely on first-use key collection alone for security-sensitive environments.
