No login access is required on the servers that the tool is scanning. The tool does not employ encryption either (and is therefore subject to man-in-the-middle attacks).
Examples etc.
Get the public rsa key from server srv.xy, using port 2121 (without -p, the default port 22 would be used):
$ ssh-keyscan -p 2121 -t rsa srv.xy
The output of ssh-keyscan can be piped into ssh-keygen: