version 1.106, 2001/04/22 13:32:27 |
version 1.107, 2001/04/22 23:58:36 |
|
|
This form of authentication alone is normally not |
This form of authentication alone is normally not |
allowed by the server because it is not secure. |
allowed by the server because it is not secure. |
.Pp |
.Pp |
The second (and primary) authentication method is the |
The second authentication method is the |
.Pa rhosts |
.Pa rhosts |
or |
or |
.Pa hosts.equiv |
.Pa hosts.equiv |
|
|
.Ss SSH protocol version 2 |
.Ss SSH protocol version 2 |
.Pp |
.Pp |
When a user connects using the protocol version 2 |
When a user connects using the protocol version 2 |
different authentication methods are available: |
different authentication methods are available. |
At first, the client attempts to authenticate using the public key method. |
Using the default values for |
If this method fails password authentication is tried. |
.Cm PreferredAuthentications , |
|
the client will try to authenticate first using the public key method; |
|
if this method fails password authentication is attempted, |
|
and finally if this method fails keyboard-interactive authentication |
|
is attempted. |
|
If this method fails password authentication is |
|
tried. |
.Pp |
.Pp |
The public key method is similar to RSA authentication described |
The public key method is similar to RSA authentication described |
in the previous section except that the DSA or RSA algorithm is used |
in the previous section and allows the RSA or DSA algorithm to be used: |
instead. |
|
The client uses his private key, |
The client uses his private key, |
.Pa $HOME/.ssh/id_dsa |
.Pa $HOME/.ssh/id_dsa |
or |
or |
|
|
.Pp |
.Pp |
If public key authentication fails or is not available a password |
If public key authentication fails or is not available a password |
can be sent encrypted to the remote host for proving the user's identity. |
can be sent encrypted to the remote host for proving the user's identity. |
This protocol 2 implementation does not yet support Kerberos or |
|
S/Key authentication. |
|
.Pp |
.Pp |
|
Additionally, |
|
.Nm |
|
supports hostbased or challenge response authentication. |
|
.Pp |
Protocol 2 provides additional mechanisms for confidentiality |
Protocol 2 provides additional mechanisms for confidentiality |
(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) |
(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) |
and integrity (hmac-md5, hmac-sha1). |
and integrity (hmac-md5, hmac-sha1). |
|
|
List forwarded connections |
List forwarded connections |
.It Cm ~& |
.It Cm ~& |
Background ssh at logout when waiting for forwarded connection / X11 sessions |
Background ssh at logout when waiting for forwarded connection / X11 sessions |
to terminate (this does not currently work for SSH protocol version 2) |
to terminate (protocol version 1 only) |
.It Cm ~? |
.It Cm ~? |
Display a list of escape characters |
Display a list of escape characters |
.It Cm ~R |
.It Cm ~R |
|
|
Port forwardings can also be specified in the configuration file. |
Port forwardings can also be specified in the configuration file. |
Privileged ports can be forwarded only when |
Privileged ports can be forwarded only when |
logging in as root on the remote machine. |
logging in as root on the remote machine. |
|
IPv6 addresses can be specified with an alternative syntax: |
|
.Ar port/host/hostport |
.It Fl 1 |
.It Fl 1 |
Forces |
Forces |
.Nm |
.Nm |
|
|
.Dq yes |
.Dq yes |
or |
or |
.Dq no . |
.Dq no . |
|
This option applies to protocol version 1 only. |
.It Cm BatchMode |
.It Cm BatchMode |
If set to |
If set to |
.Dq yes , |
.Dq yes , |
|
|
.Pp |
.Pp |
.Bd -literal |
.Bd -literal |
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc, |
aes192-cbc,aes256-cbc'' |
rijndael256-cbc,rijndael-cbc@lysator.liu.se'' |
|
.Ed |
.Ed |
.It Cm Compression |
.It Cm Compression |
Specifies whether to use compression. |
Specifies whether to use compression. |
|
|
The default level is 6, which is good for most applications. |
The default level is 6, which is good for most applications. |
The meaning of the values is the same as in |
The meaning of the values is the same as in |
.Xr gzip 1 . |
.Xr gzip 1 . |
|
Note that this option applies to protocol version 1 only. |
.It Cm ConnectionAttempts |
.It Cm ConnectionAttempts |
Specifies the number of tries (one per second) to make before falling |
Specifies the number of tries (one per second) to make before falling |
back to rsh or exiting. |
back to rsh or exiting. |
The argument must be an integer. |
The argument must be an integer. |
This may be useful in scripts if the connection sometimes fails. |
This may be useful in scripts if the connection sometimes fails. |
The default is 4. |
The default is 4. |
.It Cm PubkeyAuthentication |
|
Specifies whether to try public key authentication. |
|
The argument to this keyword must be |
|
.Dq yes |
|
or |
|
.Dq no . |
|
The default is |
|
.Dq yes . |
|
Note that this option applies to protocol version 2 only. |
|
.It Cm EscapeChar |
.It Cm EscapeChar |
Sets the escape character (default: |
Sets the escape character (default: |
.Ql ~ ) . |
.Ql ~ ) . |
|
|
Specifies a file to use for the protocol version 2 global |
Specifies a file to use for the protocol version 2 global |
host key database instead of |
host key database instead of |
.Pa /etc/ssh_known_hosts2 . |
.Pa /etc/ssh_known_hosts2 . |
.It Cm HostKeyAlias |
.It Cm HostbasedAuthentication |
Specifies an alias that should be used instead of the |
Specifies whether to try rhosts based authentication with public key |
real host name when looking up or saving the host key |
authentication. |
in the known_hosts files. |
The argument must be |
This option is useful for tunneling ssh connections |
.Dq yes |
or if you have multiple servers running on a single host. |
or |
|
.Dq no . |
|
The default is |
|
.Dq yes . |
|
This option applies to protocol version 2 only and |
|
is similar to |
|
.Cm RhostsRSAAuthentication . |
.It Cm HostKeyAlgorithms |
.It Cm HostKeyAlgorithms |
Specfies the protocol version 2 host key algorithms |
Specfies the protocol version 2 host key algorithms |
that the client wants to use in order of preference. |
that the client wants to use in order of preference. |
The default for this option is: |
The default for this option is: |
.Dq ssh-rsa,ssh-dss |
.Dq ssh-rsa,ssh-dss |
|
.It Cm HostKeyAlias |
|
Specifies an alias that should be used instead of the |
|
real host name when looking up or saving the host key |
|
in the host key database files. |
|
This option is useful for tunneling ssh connections |
|
or if you have multiple servers running on a single host. |
.It Cm HostName |
.It Cm HostName |
Specifies the real host name to log into. |
Specifies the real host name to log into. |
This can be used to specify nicknames or abbreviations for hosts. |
This can be used to specify nicknames or abbreviations for hosts. |
|
|
.Cm HostName |
.Cm HostName |
specifications). |
specifications). |
.It Cm IdentityFile |
.It Cm IdentityFile |
Specifies the file from which the user's RSA authentication identity |
Specifies the file from which the user's RSA or DSA authentication identity |
is read (default |
is read (default |
.Pa $HOME/.ssh/identity |
.Pa $HOME/.ssh/identity |
in the user's home directory). |
in the user's home directory). |
|
|
.Dq no . |
.Dq no . |
The default is |
The default is |
.Dq yes . |
.Dq yes . |
Note that this option applies to both protocol version 1 and 2. |
|
.It Cm Port |
.It Cm Port |
Specifies the port number to connect on the remote host. |
Specifies the port number to connect on the remote host. |
Default is 22. |
Default is 22. |
|
|
.Cm CheckHostIP |
.Cm CheckHostIP |
is not available for connects with a proxy command. |
is not available for connects with a proxy command. |
.Pp |
.Pp |
|
.It Cm PubkeyAuthentication |
|
Specifies whether to try public key authentication. |
|
The argument to this keyword must be |
|
.Dq yes |
|
or |
|
.Dq no . |
|
The default is |
|
.Dq yes . |
|
This option applies to protocol version 2 only. |
.It Cm RemoteForward |
.It Cm RemoteForward |
Specifies that a TCP/IP port on the remote machine be forwarded over |
Specifies that a TCP/IP port on the remote machine be forwarded over |
the secure channel to given host:port from the local machine. |
the secure channel to given host:port from the local machine. |
|
|
authentication time on slow connections when rhosts authentication is |
authentication time on slow connections when rhosts authentication is |
not used. |
not used. |
Most servers do not permit RhostsAuthentication because it |
Most servers do not permit RhostsAuthentication because it |
is not secure (see RhostsRSAAuthentication). |
is not secure (see |
|
.Cm RhostsRSAAuthentication ). |
The argument to this keyword must be |
The argument to this keyword must be |
.Dq yes |
.Dq yes |
or |
or |
.Dq no . |
.Dq no . |
The default is |
The default is |
.Dq yes . |
.Dq yes . |
|
This option applies to protocol version 1 only. |
.It Cm RhostsRSAAuthentication |
.It Cm RhostsRSAAuthentication |
Specifies whether to try rhosts based authentication with RSA host |
Specifies whether to try rhosts based authentication with RSA host |
authentication. |
authentication. |
|
|
.Dq no . |
.Dq no . |
The default is |
The default is |
.Dq yes . |
.Dq yes . |
|
This option applies to protocol version 1 only. |
.It Cm RSAAuthentication |
.It Cm RSAAuthentication |
Specifies whether to try RSA authentication. |
Specifies whether to try RSA authentication. |
The argument to this keyword must be |
The argument to this keyword must be |
|
|
.Dq no . |
.Dq no . |
The default is |
The default is |
.Dq no . |
.Dq no . |
Note that setting this option to |
Note that you need to set this option to |
.Dq no |
.Dq yes |
turns off |
if you want to use |
.Cm RhostsAuthentication |
.Cm RhostsAuthentication |
and |
and |
.Cm RhostsRSAAuthentication |
.Cm RhostsRSAAuthentication |
for older servers. |
with older servers. |
.It Cm User |
.It Cm User |
Specifies the user to log in as. |
Specifies the user to log in as. |
This can be useful if you have a different user name on different machines. |
This can be useful if you have a different user name on different machines. |
|
|
.Nm |
.Nm |
uses this special value to forward X11 connections over the secure |
uses this special value to forward X11 connections over the secure |
channel. |
channel. |
The user should normally not set DISPLAY explicitly, as that |
The user should normally not set |
|
.Ev DISPLAY |
|
explicitly, as that |
will render the X11 connection insecure (and will require the user to |
will render the X11 connection insecure (and will require the user to |
manually copy any required authorization cookies). |
manually copy any required authorization cookies). |
.It Ev HOME |
.It Ev HOME |
|
|
This file is not highly sensitive, but the recommended |
This file is not highly sensitive, but the recommended |
permissions are read/write for the user, and not accessible by others. |
permissions are read/write for the user, and not accessible by others. |
.It Pa $HOME/.ssh/authorized_keys2 |
.It Pa $HOME/.ssh/authorized_keys2 |
Lists the public keys (DSA/RSA) that can be used for logging in as this user. |
Lists the public keys (RSA/DSA) that can be used for logging in as this user. |
This file is not highly sensitive, but the recommended |
This file is not highly sensitive, but the recommended |
permissions are read/write for the user, and not accessible by others. |
permissions are read/write for the user, and not accessible by others. |
.It Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2 |
.It Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2 |
|
|
.Pa /etc/ssh_known_hosts |
.Pa /etc/ssh_known_hosts |
contains RSA and |
contains RSA and |
.Pa /etc/ssh_known_hosts2 |
.Pa /etc/ssh_known_hosts2 |
contains DSA or RSA keys for protocol version 2. |
contains RSA or DSA keys for protocol version 2. |
These files should be prepared by the |
These files should be prepared by the |
system administrator to contain the public host keys of all machines in the |
system administrator to contain the public host keys of all machines in the |
organization. |
organization. |