| version 1.107.2.5, 2002/06/02 22:56:11 |
version 1.108, 2001/04/30 11:18:52 |
|
|
| .Sh SYNOPSIS |
.Sh SYNOPSIS |
| .Nm ssh |
.Nm ssh |
| .Op Fl l Ar login_name |
.Op Fl l Ar login_name |
| .Ar hostname | user@hostname |
.Op Ar hostname | user@hostname |
| .Op Ar command |
.Op Ar command |
| .Pp |
.Pp |
| .Nm ssh |
.Nm ssh |
|
|
| .Op Fl m Ar mac_spec |
.Op Fl m Ar mac_spec |
| .Op Fl o Ar option |
.Op Fl o Ar option |
| .Op Fl p Ar port |
.Op Fl p Ar port |
| .Op Fl F Ar configfile |
|
| .Oo Fl L Xo |
.Oo Fl L Xo |
| .Sm off |
.Sm off |
| .Ar port : |
.Ar port : |
|
|
| .Sm on |
.Sm on |
| .Xc |
.Xc |
| .Oc |
.Oc |
| .Op Fl D Ar port |
.Op Ar hostname | user@hostname |
| .Ar hostname | user@hostname |
|
| .Op Ar command |
.Op Ar command |
| .Sh DESCRIPTION |
.Sh DESCRIPTION |
| .Nm |
.Nm |
|
|
| .Pp |
.Pp |
| .Ss SSH protocol version 2 |
.Ss SSH protocol version 2 |
| .Pp |
.Pp |
| When a user connects using protocol version 2 |
When a user connects using the protocol version 2 |
| similar authentication methods are available. |
different authentication methods are available. |
| Using the default values for |
Using the default values for |
| .Cm PreferredAuthentications , |
.Cm PreferredAuthentications , |
| the client will try to authenticate first using the hostbased method; |
the client will try to authenticate first using the public key method; |
| if this method fails public key authentication is attempted, |
if this method fails password authentication is attempted, |
| and finally if this method fails keyboard-interactive and |
and finally if this method fails keyboard-interactive authentication |
| password authentication are tried. |
is attempted. |
| |
If this method fails password authentication is |
| |
tried. |
| .Pp |
.Pp |
| The public key method is similar to RSA authentication described |
The public key method is similar to RSA authentication described |
| in the previous section and allows the RSA or DSA algorithm to be used: |
in the previous section and allows the RSA or DSA algorithm to be used: |
|
|
| .Pa $HOME/.ssh/id_rsa , |
.Pa $HOME/.ssh/id_rsa , |
| to sign the session identifier and sends the result to the server. |
to sign the session identifier and sends the result to the server. |
| The server checks whether the matching public key is listed in |
The server checks whether the matching public key is listed in |
| .Pa $HOME/.ssh/authorized_keys |
.Pa $HOME/.ssh/authorized_keys2 |
| and grants access if both the key is found and the signature is correct. |
and grants access if both the key is found and the signature is correct. |
| The session identifier is derived from a shared Diffie-Hellman value |
The session identifier is derived from a shared Diffie-Hellman value |
| and is only known to the client and the server. |
and is only known to the client and the server. |
|
|
| .Ss Escape Characters |
.Ss Escape Characters |
| .Pp |
.Pp |
| When a pseudo terminal has been requested, ssh supports a number of functions |
When a pseudo terminal has been requested, ssh supports a number of functions |
| through the use of an escape character. |
through the use of an escape character. |
| .Pp |
.Pp |
| A single tilde character can be sent as |
A single tilde character can be sent as |
| .Ic ~~ |
.Ic ~~ |
| or by following the tilde by a character other than those described below. |
(or by following the tilde by a character other than those described above). |
| The escape character must always follow a newline to be interpreted as |
The escape character must always follow a newline to be interpreted as |
| special. |
special. |
| The escape character can be changed in configuration files using the |
The escape character can be changed in configuration files using the |
| .Cm EscapeChar |
.Cm EscapeChar |
| configuration directive or on the command line by the |
configuration directive or on the command line by the |
| .Fl e |
.Fl e |
| option. |
option. |
| .Pp |
.Pp |
|
|
| List forwarded connections |
List forwarded connections |
| .It Cm ~& |
.It Cm ~& |
| Background ssh at logout when waiting for forwarded connection / X11 sessions |
Background ssh at logout when waiting for forwarded connection / X11 sessions |
| to terminate |
to terminate (protocol version 1 only) |
| .It Cm ~? |
.It Cm ~? |
| Display a list of escape characters |
Display a list of escape characters |
| .It Cm ~C |
|
| Open command line (only useful for adding port forwardings using the |
|
| .Fl L |
|
| and |
|
| .Fl R |
|
| options) |
|
| .It Cm ~R |
.It Cm ~R |
| Request rekeying of the connection (only useful for SSH protocol version 2 |
Request rekeying of the connection (only useful for SSH protocol version 2 |
| and if the peer supports it) |
and if the peer supports it) |
|
|
| .Pp |
.Pp |
| .Ss X11 and TCP forwarding |
.Ss X11 and TCP forwarding |
| .Pp |
.Pp |
| If the |
If the user is using X11 (the |
| .Cm ForwardX11 |
|
| variable is set to |
|
| .Dq yes |
|
| (or, see the description of the |
|
| .Fl X |
|
| and |
|
| .Fl x |
|
| options described later) |
|
| and the user is using X11 (the |
|
| .Ev DISPLAY |
.Ev DISPLAY |
| environment variable is set), the connection to the X11 display is |
environment variable is set), the connection to the X11 display is |
| automatically forwarded to the remote side in such a way that any X11 |
automatically forwarded to the remote side in such a way that any X11 |
|
|
| .Pp |
.Pp |
| If the user is using an authentication agent, the connection to the agent |
If the user is using an authentication agent, the connection to the agent |
| is automatically forwarded to the remote side unless disabled on |
is automatically forwarded to the remote side unless disabled on |
| the command line or in a configuration file. |
command line or in a configuration file. |
| .Pp |
.Pp |
| Forwarding of arbitrary TCP/IP connections over the secure channel can |
Forwarding of arbitrary TCP/IP connections over the secure channel can |
| be specified either on the command line or in a configuration file. |
be specified either on command line or in a configuration file. |
| One possible application of TCP/IP forwarding is a secure connection to an |
One possible application of TCP/IP forwarding is a secure connection to an |
| electronic purse; another is going through firewalls. |
electronic purse; another is going through firewalls. |
| .Pp |
.Pp |
|
|
| .Nm |
.Nm |
| automatically maintains and checks a database containing |
automatically maintains and checks a database containing |
| identifications for all hosts it has ever been used with. |
identifications for all hosts it has ever been used with. |
| Host keys are stored in |
RSA host keys are stored in |
| .Pa $HOME/.ssh/known_hosts |
.Pa $HOME/.ssh/known_hosts |
| |
and |
| |
host keys used in the protocol version 2 are stored in |
| |
.Pa $HOME/.ssh/known_hosts2 |
| in the user's home directory. |
in the user's home directory. |
| Additionally, the file |
Additionally, the files |
| .Pa /etc/ssh_known_hosts |
.Pa /etc/ssh_known_hosts |
| is automatically checked for known hosts. |
and |
| |
.Pa /etc/ssh_known_hosts2 |
| |
are automatically checked for known hosts. |
| Any new hosts are automatically added to the user's file. |
Any new hosts are automatically added to the user's file. |
| If a host's identification |
If a host's identification |
| ever changes, |
ever changes, |
|
|
| .It Fl b Ar bind_address |
.It Fl b Ar bind_address |
| Specify the interface to transmit from on machines with multiple |
Specify the interface to transmit from on machines with multiple |
| interfaces or aliased addresses. |
interfaces or aliased addresses. |
| .It Fl c Ar blowfish|3des|des |
.It Fl c Ar blowfish|3des |
| Selects the cipher to use for encrypting the session. |
Selects the cipher to use for encrypting the session. |
| .Ar 3des |
.Ar 3des |
| is used by default. |
is used by default. |
| It is believed to be secure. |
It is believed to be secure. |
| .Ar 3des |
.Ar 3des |
| (triple-des) is an encrypt-decrypt-encrypt triple with three different keys. |
(triple-des) is an encrypt-decrypt-encrypt triple with three different keys. |
| |
It is presumably more secure than the |
| |
.Ar des |
| |
cipher which is no longer fully supported in |
| |
.Nm ssh . |
| .Ar blowfish |
.Ar blowfish |
| is a fast block cipher, it appears very secure and is much faster than |
is a fast block cipher, it appears very secure and is much faster than |
| .Ar 3des . |
.Ar 3des . |
| .Ar des |
|
| is only supported in the |
|
| .Nm |
|
| client for interoperability with legacy protocol 1 implementations |
|
| that do not support the |
|
| .Ar 3des |
|
| cipher. Its use is strongly discouraged due to cryptographic |
|
| weaknesses. |
|
| .It Fl c Ar cipher_spec |
.It Fl c Ar cipher_spec |
| Additionally, for protocol version 2 a comma-separated list of ciphers can |
Additionally, for protocol version 2 a comma-separated list of ciphers can |
| be specified in order of preference. |
be specified in order of preference. |
|
|
| .It Fl g |
.It Fl g |
| Allows remote hosts to connect to local forwarded ports. |
Allows remote hosts to connect to local forwarded ports. |
| .It Fl i Ar identity_file |
.It Fl i Ar identity_file |
| Selects a file from which the identity (private key) for |
Selects the file from which the identity (private key) for |
| RSA or DSA authentication is read. |
RSA or DSA authentication is read. |
| The default is |
Default is |
| .Pa $HOME/.ssh/identity |
.Pa $HOME/.ssh/identity |
| for protocol version 1, and |
in the user's home directory. |
| .Pa $HOME/.ssh/id_rsa |
|
| and |
|
| .Pa $HOME/.ssh/id_dsa |
|
| for protocol version 2. |
|
| Identity files may also be specified on |
Identity files may also be specified on |
| a per-host basis in the configuration file. |
a per-host basis in the configuration file. |
| It is possible to have multiple |
It is possible to have multiple |
| .Fl i |
.Fl i |
| options (and multiple identities specified in |
options (and multiple identities specified in |
| configuration files). |
configuration files). |
| .It Fl I Ar smartcard_device |
|
| Specifies which smartcard device to use. The argument is |
|
| the device |
|
| .Nm |
|
| should use to communicate with a smartcard used for storing the user's |
|
| private RSA key. |
|
| .It Fl k |
.It Fl k |
| Disables forwarding of Kerberos tickets and AFS tokens. |
Disables forwarding of Kerberos tickets and AFS tokens. |
| This may also be specified on a per-host basis in the configuration file. |
This may also be specified on a per-host basis in the configuration file. |
|
|
| option.) |
option.) |
| .It Fl N |
.It Fl N |
| Do not execute a remote command. |
Do not execute a remote command. |
| This is useful for just forwarding ports |
This is useful if you just want to forward ports |
| (protocol version 2 only). |
(protocol version 2 only). |
| .It Fl o Ar option |
.It Fl o Ar option |
| Can be used to give options in the format used in the configuration file. |
Can be used to give options in the format used in the config file. |
| This is useful for specifying options for which there is no separate |
This is useful for specifying options for which there is no separate |
| command-line flag. |
command-line flag. |
| |
The option has the same format as a line in the configuration file. |
| .It Fl p Ar port |
.It Fl p Ar port |
| Port to connect to on the remote host. |
Port to connect to on the remote host. |
| This can be specified on a |
This can be specified on a |
| per-host basis in the configuration file. |
per-host basis in the configuration file. |
| .It Fl P |
.It Fl P |
| Use a non-privileged port for outgoing connections. |
Use a non-privileged port for outgoing connections. |
| This can be used if a firewall does |
This can be used if your firewall does |
| not permit connections from privileged ports. |
not permit connections from privileged ports. |
| Note that this option turns off |
Note that this option turns off |
| .Cm RhostsAuthentication |
.Cm RhostsAuthentication |
|
|
| .It Fl q |
.It Fl q |
| Quiet mode. |
Quiet mode. |
| Causes all warning and diagnostic messages to be suppressed. |
Causes all warning and diagnostic messages to be suppressed. |
| |
Only fatal errors are displayed. |
| .It Fl s |
.It Fl s |
| May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use |
May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use |
| of SSH as a secure transport for other applications (eg. sftp). The |
of SSH as a secure transport for other application (eg. sftp). The |
| subsystem is specified as the remote command. |
subsystem is specified as the remote command. |
| .It Fl t |
.It Fl t |
| Force pseudo-tty allocation. |
Force pseudo-tty allocation. |
|
|
| slow connections, but will only slow down things on fast networks. |
slow connections, but will only slow down things on fast networks. |
| The default value can be set on a host-by-host basis in the |
The default value can be set on a host-by-host basis in the |
| configuration files; see the |
configuration files; see the |
| .Cm Compression |
.Cm Compress |
| option below. |
option below. |
| .It Fl F Ar configfile |
|
| Specifies an alternative per-user configuration file. |
|
| If a configuration file is given on the command line, |
|
| the system-wide configuration file |
|
| .Pq Pa /etc/ssh_config |
|
| will be ignored. |
|
| The default for the per-user configuration file is |
|
| .Pa $HOME/.ssh/config . |
|
| .It Fl L Ar port:host:hostport |
.It Fl L Ar port:host:hostport |
| Specifies that the given port on the local (client) host is to be |
Specifies that the given port on the local (client) host is to be |
| forwarded to the given host and port on the remote side. |
forwarded to the given host and port on the remote side. |
|
|
| logging in as root on the remote machine. |
logging in as root on the remote machine. |
| IPv6 addresses can be specified with an alternative syntax: |
IPv6 addresses can be specified with an alternative syntax: |
| .Ar port/host/hostport |
.Ar port/host/hostport |
| .It Fl D Ar port |
|
| Specifies a local |
|
| .Dq dynamic |
|
| application-level port forwarding. |
|
| This works by allocating a socket to listen to |
|
| .Ar port |
|
| on the local side, and whenever a connection is made to this port, the |
|
| connection is forwarded over the secure channel, and the application |
|
| protocol is then used to determine where to connect to from the |
|
| remote machine. Currently the SOCKS4 protocol is supported, and |
|
| .Nm |
|
| will act as a SOCKS4 server. |
|
| Only root can forward privileged ports. |
|
| Dynamic port forwardings can also be specified in the configuration file. |
|
| .It Fl 1 |
.It Fl 1 |
| Forces |
Forces |
| .Nm |
.Nm |
|
|
| .El |
.El |
| .Sh CONFIGURATION FILES |
.Sh CONFIGURATION FILES |
| .Nm |
.Nm |
| obtains configuration data from the following sources in |
obtains configuration data from the following sources (in this order): |
| the following order: |
|
| command line options, user's configuration file |
command line options, user's configuration file |
| .Pq Pa $HOME/.ssh/config , |
.Pq Pa $HOME/.ssh/config , |
| and system-wide configuration file |
and system-wide configuration file |
|
|
| .Pp |
.Pp |
| Otherwise a line is of the format |
Otherwise a line is of the format |
| .Dq keyword arguments . |
.Dq keyword arguments . |
| Configuration options may be separated by whitespace or |
|
| optional whitespace and exactly one |
|
| .Ql = ; |
|
| the latter format is useful to avoid the need to quote whitespace |
|
| when specifying configuration options using the |
|
| .Nm ssh , |
|
| .Nm scp |
|
| and |
|
| .Nm sftp |
|
| .Fl o |
|
| option. |
|
| .Pp |
|
| The possible |
The possible |
| keywords and their meanings are as follows (note that |
keywords and their meanings are as follows (note that the |
| keywords are case-insensitive and arguments are case-sensitive): |
configuration files are case-sensitive): |
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
| .It Cm Host |
.It Cm Host |
| Restricts the following declarations (up to the next |
Restricts the following declarations (up to the next |
|
|
| If set to |
If set to |
| .Dq yes , |
.Dq yes , |
| passphrase/password querying will be disabled. |
passphrase/password querying will be disabled. |
| This option is useful in scripts and other batch jobs where no user |
This option is useful in scripts and other batch jobs where you have no |
| is present to supply the password. |
user to supply the password. |
| The argument must be |
The argument must be |
| .Dq yes |
.Dq yes |
| or |
or |
|
|
| Specifies the cipher to use for encrypting the session |
Specifies the cipher to use for encrypting the session |
| in protocol version 1. |
in protocol version 1. |
| Currently, |
Currently, |
| .Dq blowfish , |
.Dq blowfish |
| .Dq 3des , |
|
| and |
and |
| .Dq des |
.Dq 3des |
| are supported. |
are supported. |
| .Ar des |
|
| is only supported in the |
|
| .Nm |
|
| client for interoperability with legacy protocol 1 implementations |
|
| that do not support the |
|
| .Ar 3des |
|
| cipher. Its use is strongly discouraged due to cryptographic |
|
| weaknesses. |
|
| The default is |
The default is |
| .Dq 3des . |
.Dq 3des . |
| .It Cm Ciphers |
.It Cm Ciphers |
|
|
| ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
| aes192-cbc,aes256-cbc'' |
aes192-cbc,aes256-cbc'' |
| .Ed |
.Ed |
| .It Cm ClearAllForwardings |
|
| Specifies that all local, remote and dynamic port forwardings |
|
| specified in the configuration files or on the command line be |
|
| cleared. This option is primarily useful when used from the |
|
| .Nm |
|
| command line to clear port forwardings set in |
|
| configuration files, and is automatically set by |
|
| .Xr scp 1 |
|
| and |
|
| .Xr sftp 1 . |
|
| The argument must be |
|
| .Dq yes |
|
| or |
|
| .Dq no . |
|
| The default is |
|
| .Dq no . |
|
| .It Cm Compression |
.It Cm Compression |
| Specifies whether to use compression. |
Specifies whether to use compression. |
| The argument must be |
The argument must be |
|
|
| back to rsh or exiting. |
back to rsh or exiting. |
| The argument must be an integer. |
The argument must be an integer. |
| This may be useful in scripts if the connection sometimes fails. |
This may be useful in scripts if the connection sometimes fails. |
| The default is 1. |
The default is 4. |
| .It Cm DynamicForward |
|
| Specifies that a TCP/IP port on the local machine be forwarded |
|
| over the secure channel, and the application |
|
| protocol is then used to determine where to connect to from the |
|
| remote machine. The argument must be a port number. |
|
| Currently the SOCKS4 protocol is supported, and |
|
| .Nm |
|
| will act as a SOCKS4 server. |
|
| Multiple forwardings may be specified, and |
|
| additional forwardings can be given on the command line. Only |
|
| the superuser can forward privileged ports. |
|
| .It Cm EscapeChar |
.It Cm EscapeChar |
| Sets the escape character (default: |
Sets the escape character (default: |
| .Ql ~ ) . |
.Ql ~ ) . |
|
|
| .It Cm GatewayPorts |
.It Cm GatewayPorts |
| Specifies whether remote hosts are allowed to connect to local |
Specifies whether remote hosts are allowed to connect to local |
| forwarded ports. |
forwarded ports. |
| By default, |
|
| .Nm |
|
| binds local port forwardings to the loopback addresss. This |
|
| prevents other remote hosts from connecting to forwarded ports. |
|
| .Cm GatewayPorts |
|
| can be used to specify that |
|
| .Nm |
|
| should bind local port forwardings to the wildcard address, |
|
| thus allowing remote hosts to connect to forwarded ports. |
|
| The argument must be |
The argument must be |
| .Dq yes |
.Dq yes |
| or |
or |
|
|
| The default is |
The default is |
| .Dq no . |
.Dq no . |
| .It Cm GlobalKnownHostsFile |
.It Cm GlobalKnownHostsFile |
| Specifies a file to use for the global |
Specifies a file to use for the protocol version 1 global |
| host key database instead of |
host key database instead of |
| .Pa /etc/ssh_known_hosts . |
.Pa /etc/ssh_known_hosts . |
| |
.It Cm GlobalKnownHostsFile2 |
| |
Specifies a file to use for the protocol version 2 global |
| |
host key database instead of |
| |
.Pa /etc/ssh_known_hosts2 . |
| .It Cm HostbasedAuthentication |
.It Cm HostbasedAuthentication |
| Specifies whether to try rhosts based authentication with public key |
Specifies whether to try rhosts based authentication with public key |
| authentication. |
authentication. |
|
|
| or |
or |
| .Dq no . |
.Dq no . |
| The default is |
The default is |
| .Dq no . |
.Dq yes . |
| This option applies to protocol version 2 only and |
This option applies to protocol version 2 only and |
| is similar to |
is similar to |
| .Cm RhostsRSAAuthentication . |
.Cm RhostsRSAAuthentication . |
| .It Cm HostKeyAlgorithms |
.It Cm HostKeyAlgorithms |
| Specifies the protocol version 2 host key algorithms |
Specfies the protocol version 2 host key algorithms |
| that the client wants to use in order of preference. |
that the client wants to use in order of preference. |
| The default for this option is: |
The default for this option is: |
| .Dq ssh-rsa,ssh-dss . |
.Dq ssh-rsa,ssh-dss |
| .It Cm HostKeyAlias |
.It Cm HostKeyAlias |
| Specifies an alias that should be used instead of the |
Specifies an alias that should be used instead of the |
| real host name when looking up or saving the host key |
real host name when looking up or saving the host key |
| in the host key database files. |
in the host key database files. |
| This option is useful for tunneling ssh connections |
This option is useful for tunneling ssh connections |
| or for multiple servers running on a single host. |
or if you have multiple servers running on a single host. |
| .It Cm HostName |
.It Cm HostName |
| Specifies the real host name to log into. |
Specifies the real host name to log into. |
| This can be used to specify nicknames or abbreviations for hosts. |
This can be used to specify nicknames or abbreviations for hosts. |
|
|
| .Cm HostName |
.Cm HostName |
| specifications). |
specifications). |
| .It Cm IdentityFile |
.It Cm IdentityFile |
| Specifies a file from which the user's RSA or DSA authentication identity |
Specifies the file from which the user's RSA or DSA authentication identity |
| is read. The default is |
is read (default |
| .Pa $HOME/.ssh/identity |
.Pa $HOME/.ssh/identity |
| for protocol version 1, and |
in the user's home directory). |
| .Pa $HOME/.ssh/id_rsa |
|
| and |
|
| .Pa $HOME/.ssh/id_dsa |
|
| for protocol version 2. |
|
| Additionally, any identities represented by the authentication agent |
Additionally, any identities represented by the authentication agent |
| will be used for authentication. |
will be used for authentication. |
| The file name may use the tilde |
The file name may use the tilde |
|
|
| multiple identity files specified in configuration files; all these |
multiple identity files specified in configuration files; all these |
| identities will be tried in sequence. |
identities will be tried in sequence. |
| .It Cm KeepAlive |
.It Cm KeepAlive |
| Specifies whether the system should send TCP keepalive messages to the |
Specifies whether the system should send keepalive messages to the |
| other side. |
other side. |
| If they are sent, death of the connection or crash of one |
If they are sent, death of the connection or crash of one |
| of the machines will be properly noticed. |
of the machines will be properly noticed. |
|
|
| This is important in scripts, and many users want it too. |
This is important in scripts, and many users want it too. |
| .Pp |
.Pp |
| To disable keepalives, the value should be set to |
To disable keepalives, the value should be set to |
| .Dq no . |
.Dq no |
| |
in both the server and the client configuration files. |
| .It Cm KerberosAuthentication |
.It Cm KerberosAuthentication |
| Specifies whether Kerberos authentication will be used. |
Specifies whether Kerberos authentication will be used. |
| The argument to this keyword must be |
The argument to this keyword must be |
|
|
| .Dq no . |
.Dq no . |
| .It Cm LocalForward |
.It Cm LocalForward |
| Specifies that a TCP/IP port on the local machine be forwarded over |
Specifies that a TCP/IP port on the local machine be forwarded over |
| the secure channel to the specified host and port from the remote machine. |
the secure channel to given host:port from the remote machine. |
| The first argument must be a port number, and the second must be |
The first argument must be a port number, and the second must be |
| .Ar host:port . |
host:port. |
| IPv6 addresses can be specified with an alternative syntax: |
|
| .Ar host/port . |
|
| Multiple forwardings may be specified, and additional |
Multiple forwardings may be specified, and additional |
| forwardings can be given on the command line. |
forwardings can be given on the command line. |
| Only the superuser can forward privileged ports. |
Only the superuser can forward privileged ports. |
|
|
| Gives the verbosity level that is used when logging messages from |
Gives the verbosity level that is used when logging messages from |
| .Nm ssh . |
.Nm ssh . |
| The possible values are: |
The possible values are: |
| QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. |
QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG. |
| The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 |
The default is INFO. |
| and DEBUG3 each specify higher levels of verbose output. |
|
| .It Cm MACs |
.It Cm MACs |
| Specifies the MAC (message authentication code) algorithms |
Specifies the MAC (message authentication code) algorithms |
| in order of preference. |
in order of preference. |
| The MAC algorithm is used in protocol version 2 |
The MAC algorithm is used in protocol version 2 |
| for data integrity protection. |
for data integrity protection. |
| Multiple algorithms must be comma-separated. |
Multiple algorithms must be comma-separated. |
| The default is |
The default is |
| .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . |
.Pp |
| .It Cm NoHostAuthenticationForLocalhost |
.Bd -literal |
| This option can be used if the home directory is shared across machines. |
``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com, |
| In this case localhost will refer to a different machine on each of |
hmac-sha1-96,hmac-md5-96'' |
| the machines and the user will get many warnings about changed host keys. |
.Ed |
| However, this option disables host authentication for localhost. |
|
| The argument to this keyword must be |
|
| .Dq yes |
|
| or |
|
| .Dq no . |
|
| The default is to check the host key for localhost. |
|
| .It Cm NumberOfPasswordPrompts |
.It Cm NumberOfPasswordPrompts |
| Specifies the number of password prompts before giving up. |
Specifies the number of password prompts before giving up. |
| The argument to this keyword must be an integer. |
The argument to this keyword must be an integer. |
|
|
| Specifies the port number to connect on the remote host. |
Specifies the port number to connect on the remote host. |
| Default is 22. |
Default is 22. |
| .It Cm PreferredAuthentications |
.It Cm PreferredAuthentications |
| Specifies the order in which the client should try protocol 2 |
Specifies the order in which the client should try protocol 2 |
| authentication methods. This allows a client to prefer one method (e.g. |
authentication methods. This allows a client to prefer one method (e.g. |
| .Cm keyboard-interactive ) |
.Cm keyboard-interactive ) |
| over another method (e.g. |
over another method (e.g. |
| .Cm password ) |
.Cm password ) |
| The default for this option is: |
The default for this option is: |
| .Dq hostbased,publickey,keyboard-interactive,password . |
.Dq publickey, password, keyboard-interactive |
| .It Cm Protocol |
.It Cm Protocol |
| Specifies the protocol versions |
Specifies the protocol versions |
| .Nm |
.Nm |
|
|
| This option applies to protocol version 2 only. |
This option applies to protocol version 2 only. |
| .It Cm RemoteForward |
.It Cm RemoteForward |
| Specifies that a TCP/IP port on the remote machine be forwarded over |
Specifies that a TCP/IP port on the remote machine be forwarded over |
| the secure channel to the specified host and port from the local machine. |
the secure channel to given host:port from the local machine. |
| The first argument must be a port number, and the second must be |
The first argument must be a port number, and the second must be |
| .Ar host:port . |
host:port. |
| IPv6 addresses can be specified with an alternative syntax: |
|
| .Ar host/port . |
|
| Multiple forwardings may be specified, and additional |
Multiple forwardings may be specified, and additional |
| forwardings can be given on the command line. |
forwardings can be given on the command line. |
| Only the superuser can forward privileged ports. |
Only the superuser can forward privileged ports. |
|
|
| authentication time on slow connections when rhosts authentication is |
authentication time on slow connections when rhosts authentication is |
| not used. |
not used. |
| Most servers do not permit RhostsAuthentication because it |
Most servers do not permit RhostsAuthentication because it |
| is not secure (see |
is not secure (see |
| .Cm RhostsRSAAuthentication ) . |
.Cm RhostsRSAAuthentication ). |
| The argument to this keyword must be |
The argument to this keyword must be |
| .Dq yes |
.Dq yes |
| or |
or |
|
|
| Note that this option applies to protocol version 1 only. |
Note that this option applies to protocol version 1 only. |
| .It Cm ChallengeResponseAuthentication |
.It Cm ChallengeResponseAuthentication |
| Specifies whether to use challenge response authentication. |
Specifies whether to use challenge response authentication. |
| |
Currently there is only support for |
| |
.Xr skey 1 |
| |
authentication. |
| The argument to this keyword must be |
The argument to this keyword must be |
| .Dq yes |
.Dq yes |
| or |
or |
| .Dq no . |
.Dq no . |
| The default is |
The default is |
| .Dq yes . |
.Dq no . |
| .It Cm SmartcardDevice |
|
| Specifies which smartcard device to use. The argument to this keyword is |
|
| the device |
|
| .Nm |
|
| should use to communicate with a smartcard used for storing the user's |
|
| private RSA key. By default, no device is specified and smartcard support |
|
| is not activated. |
|
| .It Cm StrictHostKeyChecking |
.It Cm StrictHostKeyChecking |
| If this flag is set to |
If this flag is set to |
| .Dq yes , |
.Dq yes , |
| .Nm |
.Nm |
| will never automatically add host keys to the |
will never automatically add host keys to the |
| .Pa $HOME/.ssh/known_hosts |
.Pa $HOME/.ssh/known_hosts |
| file, and refuses to connect to hosts whose host key has changed. |
and |
| This provides maximum protection against trojan horse attacks, |
.Pa $HOME/.ssh/known_hosts2 |
| however, can be annoying when the |
files, and refuses to connect to hosts whose host key has changed. |
| |
This provides maximum protection against trojan horse attacks. |
| |
However, it can be somewhat annoying if you don't have good |
| .Pa /etc/ssh_known_hosts |
.Pa /etc/ssh_known_hosts |
| file is poorly maintained, or connections to new hosts are |
and |
| frequently made. |
.Pa /etc/ssh_known_hosts2 |
| |
files installed and frequently |
| |
connect to new hosts. |
| This option forces the user to manually |
This option forces the user to manually |
| add all new hosts. |
add all new hosts. |
| If this flag is set to |
If this flag is set to |
|
|
| .Dq no . |
.Dq no . |
| The default is |
The default is |
| .Dq no . |
.Dq no . |
| Note that this option must be set to |
Note that you need to set this option to |
| .Dq yes |
.Dq yes |
| if |
if you want to use |
| .Cm RhostsAuthentication |
.Cm RhostsAuthentication |
| and |
and |
| .Cm RhostsRSAAuthentication |
.Cm RhostsRSAAuthentication |
| authentications are needed with older servers. |
with older servers. |
| .It Cm User |
.It Cm User |
| Specifies the user to log in as. |
Specifies the user to log in as. |
| This can be useful when a different user name is used on different machines. |
This can be useful if you have a different user name on different machines. |
| This saves the trouble of |
This saves the trouble of |
| having to remember to give the user name on the command line. |
having to remember to give the user name on the command line. |
| .It Cm UserKnownHostsFile |
.It Cm UserKnownHostsFile |
| Specifies a file to use for the user |
Specifies a file to use for the protocol version 1 user |
| host key database instead of |
host key database instead of |
| .Pa $HOME/.ssh/known_hosts . |
.Pa $HOME/.ssh/known_hosts . |
| |
.It Cm UserKnownHostsFile2 |
| |
Specifies a file to use for the protocol version 2 user |
| |
host key database instead of |
| |
.Pa $HOME/.ssh/known_hosts2 . |
| .It Cm UseRsh |
.It Cm UseRsh |
| Specifies that rlogin/rsh should be used for this host. |
Specifies that rlogin/rsh should be used for this host. |
| It is possible that the host does not at all support the |
It is possible that the host does not at all support the |
|
|
| .Ev USER ; |
.Ev USER ; |
| set for compatibility with systems that use this variable. |
set for compatibility with systems that use this variable. |
| .It Ev MAIL |
.It Ev MAIL |
| Set to the path of the user's mailbox. |
Set to point the user's mailbox. |
| .It Ev PATH |
.It Ev PATH |
| Set to the default |
Set to the default |
| .Ev PATH , |
.Ev PATH , |
| as specified when compiling |
as specified when compiling |
| .Nm ssh . |
.Nm ssh . |
| .It Ev SSH_ASKPASS |
|
| If |
|
| .Nm |
|
| needs a passphrase, it will read the passphrase from the current |
|
| terminal if it was run from a terminal. |
|
| If |
|
| .Nm |
|
| does not have a terminal associated with it but |
|
| .Ev DISPLAY |
|
| and |
|
| .Ev SSH_ASKPASS |
|
| are set, it will execute the program specified by |
|
| .Ev SSH_ASKPASS |
|
| and open an X11 window to read the passphrase. |
|
| This is particularly useful when calling |
|
| .Nm |
|
| from a |
|
| .Pa .Xsession |
|
| or related script. |
|
| (Note that on some machines it |
|
| may be necessary to redirect the input from |
|
| .Pa /dev/null |
|
| to make this work.) |
|
| .It Ev SSH_AUTH_SOCK |
.It Ev SSH_AUTH_SOCK |
| Identifies the path of a unix-domain socket used to communicate with the |
indicates the path of a unix-domain socket used to communicate with the |
| agent. |
agent. |
| .It Ev SSH_CLIENT |
.It Ev SSH_CLIENT |
| Identifies the client end of the connection. |
Identifies the client end of the connection. |
|
|
| to the environment. |
to the environment. |
| .Sh FILES |
.Sh FILES |
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
| .It Pa $HOME/.ssh/known_hosts |
.It Pa $HOME/.ssh/known_hosts, $HOME/.ssh/known_hosts2 |
| Records host keys for all hosts the user has logged into that are not |
Records host keys for all hosts the user has logged into (that are not |
| in |
in |
| .Pa /etc/ssh_known_hosts . |
.Pa /etc/ssh_known_hosts |
| |
for protocol version 1 or |
| |
.Pa /etc/ssh_known_hosts2 |
| |
for protocol version 2). |
| See |
See |
| .Xr sshd 8 . |
.Xr sshd 8 . |
| .It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa |
.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa |
|
|
| file should be added to |
file should be added to |
| .Pa $HOME/.ssh/authorized_keys |
.Pa $HOME/.ssh/authorized_keys |
| on all machines |
on all machines |
| where the user wishes to log in using protocol version 1 RSA authentication. |
where you wish to log in using protocol version 1 RSA authentication. |
| The contents of the |
The contents of the |
| .Pa $HOME/.ssh/id_dsa.pub |
.Pa $HOME/.ssh/id_dsa.pub |
| and |
and |
| .Pa $HOME/.ssh/id_rsa.pub |
.Pa $HOME/.ssh/id_rsa.pub |
| file should be added to |
file should be added to |
| .Pa $HOME/.ssh/authorized_keys |
.Pa $HOME/.ssh/authorized_keys2 |
| on all machines |
on all machines |
| where the user wishes to log in using protocol version 2 DSA/RSA authentication. |
where you wish to log in using protocol version 2 DSA/RSA authentication. |
| These files are not |
These files are not |
| sensitive and can (but need not) be readable by anyone. |
sensitive and can (but need not) be readable by anyone. |
| These files are |
These files are |
|
|
| but the recommended permissions are read/write for the user, and not |
but the recommended permissions are read/write for the user, and not |
| accessible by others. |
accessible by others. |
| .It Pa $HOME/.ssh/authorized_keys |
.It Pa $HOME/.ssh/authorized_keys |
| Lists the public keys (RSA/DSA) that can be used for logging in as this user. |
Lists the RSA keys that can be used for logging in as this user. |
| The format of this file is described in the |
The format of this file is described in the |
| .Xr sshd 8 |
.Xr sshd 8 |
| manual page. |
manual page. |
| In the simplest form the format is the same as the .pub |
In the simplest form the format is the same as the .pub |
| identity files. |
identity files (that is, each line contains the number of bits in |
| |
modulus, public exponent, modulus, and comment fields, separated by |
| |
spaces). |
| This file is not highly sensitive, but the recommended |
This file is not highly sensitive, but the recommended |
| permissions are read/write for the user, and not accessible by others. |
permissions are read/write for the user, and not accessible by others. |
| .It Pa /etc/ssh_known_hosts |
.It Pa $HOME/.ssh/authorized_keys2 |
| |
Lists the public keys (RSA/DSA) that can be used for logging in as this user. |
| |
This file is not highly sensitive, but the recommended |
| |
permissions are read/write for the user, and not accessible by others. |
| |
.It Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2 |
| Systemwide list of known host keys. |
Systemwide list of known host keys. |
| This file should be prepared by the |
.Pa /etc/ssh_known_hosts |
| |
contains RSA and |
| |
.Pa /etc/ssh_known_hosts2 |
| |
contains RSA or DSA keys for protocol version 2. |
| |
These files should be prepared by the |
| system administrator to contain the public host keys of all machines in the |
system administrator to contain the public host keys of all machines in the |
| organization. |
organization. |
| This file should be world-readable. |
This file should be world-readable. |
| This file contains |
This file contains |
| public keys, one per line, in the following format (fields separated |
public keys, one per line, in the following format (fields separated |
| by spaces): system name, public key and optional comment field. |
by spaces): system name, number of bits in modulus, public exponent, |
| |
modulus, and optional comment field. |
| When different names are used |
When different names are used |
| for the same machine, all such names should be listed, separated by |
for the same machine, all such names should be listed, separated by |
| commas. |
commas. |
|
|
| values that are not specified in the user's configuration file, and |
values that are not specified in the user's configuration file, and |
| for those users who do not have a configuration file. |
for those users who do not have a configuration file. |
| This file must be world-readable. |
This file must be world-readable. |
| .It Pa /etc/ssh_host_key, /etc/ssh_host_dsa_key, /etc/ssh_host_rsa_key |
|
| These three files contain the private parts of the host keys |
|
| and are used for |
|
| .Cm RhostsRSAAuthentication |
|
| and |
|
| .Cm HostbasedAuthentication . |
|
| Since they are readable only by root |
|
| .Nm |
|
| must be setuid root if these authentication methods are desired. |
|
| .It Pa $HOME/.rhosts |
.It Pa $HOME/.rhosts |
| This file is used in |
This file is used in |
| .Pa \&.rhosts |
.Pa \&.rhosts |
|
|
| .Xr sshd 8 |
.Xr sshd 8 |
| will be installed so that it requires successful RSA host |
will be installed so that it requires successful RSA host |
| authentication before permitting \s+2.\s0rhosts authentication. |
authentication before permitting \s+2.\s0rhosts authentication. |
| If the server machine does not have the client's host key in |
If your server machine does not have the client's host key in |
| .Pa /etc/ssh_known_hosts , |
.Pa /etc/ssh_known_hosts , |
| it can be stored in |
you can store it in |
| .Pa $HOME/.ssh/known_hosts . |
.Pa $HOME/.ssh/known_hosts . |
| The easiest way to do this is to |
The easiest way to do this is to |
| connect back to the client from the server machine using ssh; this |
connect back to the client from the server machine using ssh; this |
|
|
| having this file is to be able to use rhosts authentication with |
having this file is to be able to use rhosts authentication with |
| .Nm |
.Nm |
| without permitting login with |
without permitting login with |
| .Nm rlogin |
.Xr rlogin 1 |
| or |
or |
| .Xr rsh 1 . |
.Xr rsh 1 . |
| .It Pa /etc/hosts.equiv |
.It Pa /etc/hosts.equiv |
|
|
| .Sx ENVIRONMENT |
.Sx ENVIRONMENT |
| above. |
above. |
| .El |
.El |
| .Sh DIAGNOSTICS |
|
| .Nm |
|
| exits with the exit status of the remote command or with 255 |
|
| if an error occurred. |
|
| .Sh AUTHORS |
.Sh AUTHORS |
| OpenSSH is a derivative of the original and free |
OpenSSH is a derivative of the original and free |
| ssh 1.2.12 release by Tatu Ylonen. |
ssh 1.2.12 release by Tatu Ylonen. |
|
|
| Markus Friedl contributed the support for SSH |
Markus Friedl contributed the support for SSH |
| protocol versions 1.5 and 2.0. |
protocol versions 1.5 and 2.0. |
| .Sh SEE ALSO |
.Sh SEE ALSO |
| |
.Xr rlogin 1 , |
| .Xr rsh 1 , |
.Xr rsh 1 , |
| .Xr scp 1 , |
.Xr scp 1 , |
| .Xr sftp 1 , |
.Xr sftp 1 , |
|
|
| .%A T. Rinne |
.%A T. Rinne |
| .%A S. Lehtinen |
.%A S. Lehtinen |
| .%T "SSH Protocol Architecture" |
.%T "SSH Protocol Architecture" |
| .%N draft-ietf-secsh-architecture-12.txt |
.%N draft-ietf-secsh-architecture-07.txt |
| .%D January 2002 |
.%D January 2001 |
| .%O work in progress material |
.%O work in progress material |
| .Re |
.Re |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh