version 1.139.2.1, 2001/11/14 03:24:39 |
version 1.139.2.2, 2002/03/07 17:37:47 |
|
|
.Pa /etc/shosts.equiv , |
.Pa /etc/shosts.equiv , |
and if additionally the server can verify the client's |
and if additionally the server can verify the client's |
host key (see |
host key (see |
.Pa /etc/ssh_known_hosts |
.Pa /etc/ssh/ssh_known_hosts |
and |
and |
.Pa $HOME/.ssh/known_hosts |
.Pa $HOME/.ssh/known_hosts |
in the |
in the |
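Review bot: /etc/shosts.equiv at the top of this hunk stays directly under /etc while the host key file next to it moves to /etc/ssh/ssh_known_hosts. Please confirm the split is intentional; if it is, a word in the FILES section would save readers who set up hostbased trust from looking in the wrong directory.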
|
|
.Pp |
.Pp |
.Ss SSH protocol version 2 |
.Ss SSH protocol version 2 |
.Pp |
.Pp |
When a user connects using the protocol version 2 |
When a user connects using protocol version 2 |
different authentication methods are available. |
similar authentication methods are available. |
Using the default values for |
Using the default values for |
.Cm PreferredAuthentications , |
.Cm PreferredAuthentications , |
the client will try to authenticate first using the hostbased method; |
the client will try to authenticate first using the hostbased method; |
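Review bot: "similar authentication methods are available" has no referent: the paragraph opens directly under the ".Ss SSH protocol version 2" heading and never says what the methods are similar to. Suggest naming the comparison, for example "authentication methods similar to those of protocol version 1 are available".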
|
|
.Pa $HOME/.ssh/known_hosts |
.Pa $HOME/.ssh/known_hosts |
in the user's home directory. |
in the user's home directory. |
Additionally, the file |
Additionally, the file |
.Pa /etc/ssh_known_hosts |
.Pa /etc/ssh/ssh_known_hosts |
is automatically checked for known hosts. |
is automatically checked for known hosts. |
Any new hosts are automatically added to the user's file. |
Any new hosts are automatically added to the user's file. |
If a host's identification |
If a host's identification |
|
|
.It Fl g |
.It Fl g |
Allows remote hosts to connect to local forwarded ports. |
Allows remote hosts to connect to local forwarded ports. |
.It Fl i Ar identity_file |
.It Fl i Ar identity_file |
Selects the file from which the identity (private key) for |
Selects a file from which the identity (private key) for |
RSA or DSA authentication is read. |
RSA or DSA authentication is read. |
Default is |
The default is |
.Pa $HOME/.ssh/identity |
.Pa $HOME/.ssh/identity |
in the user's home directory. |
for protocol version 1, and |
|
.Pa $HOME/.ssh/id_rsa |
|
and |
|
.Pa $HOME/.ssh/id_dsa |
|
for protocol version 2. |
Identity files may also be specified on |
Identity files may also be specified on |
a per-host basis in the configuration file. |
a per-host basis in the configuration file. |
It is possible to have multiple |
It is possible to have multiple |
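Review bot: The new default text for -i names two protocol version 2 files, $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa, but does not say in which order they are tried or whether both are offered. Since the following sentence already talks about multiple identities, state the order for the defaults here as well.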
|
|
.It Fl q |
.It Fl q |
Quiet mode. |
Quiet mode. |
Causes all warning and diagnostic messages to be suppressed. |
Causes all warning and diagnostic messages to be suppressed. |
Only fatal errors are displayed. |
|
.It Fl s |
.It Fl s |
May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use |
May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use |
of SSH as a secure transport for other applications (eg. sftp). The |
of SSH as a secure transport for other applications (eg. sftp). The |
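Review bot: Removing "Only fatal errors are displayed." from the -q entry leaves only "Causes all warning and diagnostic messages to be suppressed.", which no longer says what happens on a fatal error. Scripts that pass -q need to know whether a failure still prints anything; either keep the sentence or replace it with one that states the new behaviour.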
|
|
Specifies an alternative per-user configuration file. |
Specifies an alternative per-user configuration file. |
If a configuration file is given on the command line, |
If a configuration file is given on the command line, |
the system-wide configuration file |
the system-wide configuration file |
.Pq Pa /etc/ssh_config |
.Pq Pa /etc/ssh/ssh_config |
will be ignored. |
will be ignored. |
The default for the per-user configuration file is |
The default for the per-user configuration file is |
.Pa $HOME/.ssh/config . |
.Pa $HOME/.ssh/config . |
|
|
command line options, user's configuration file |
command line options, user's configuration file |
.Pq Pa $HOME/.ssh/config , |
.Pq Pa $HOME/.ssh/config , |
and system-wide configuration file |
and system-wide configuration file |
.Pq Pa /etc/ssh_config . |
.Pq Pa /etc/ssh/ssh_config . |
For each parameter, the first obtained value |
For each parameter, the first obtained value |
will be used. |
will be used. |
The configuration files contain sections bracketed by |
The configuration files contain sections bracketed by |
|
|
.It Cm GlobalKnownHostsFile |
.It Cm GlobalKnownHostsFile |
Specifies a file to use for the global |
Specifies a file to use for the global |
host key database instead of |
host key database instead of |
.Pa /etc/ssh_known_hosts . |
.Pa /etc/ssh/ssh_known_hosts . |
.It Cm HostbasedAuthentication |
.It Cm HostbasedAuthentication |
Specifies whether to try rhosts based authentication with public key |
Specifies whether to try rhosts based authentication with public key |
authentication. |
authentication. |
|
|
Specifies the protocol version 2 host key algorithms |
Specifies the protocol version 2 host key algorithms |
that the client wants to use in order of preference. |
that the client wants to use in order of preference. |
The default for this option is: |
The default for this option is: |
.Dq ssh-rsa,ssh-dss |
.Dq ssh-rsa,ssh-dss . |
.It Cm HostKeyAlias |
.It Cm HostKeyAlias |
Specifies an alias that should be used instead of the |
Specifies an alias that should be used instead of the |
real host name when looking up or saving the host key |
real host name when looking up or saving the host key |
|
|
.Cm HostName |
.Cm HostName |
specifications). |
specifications). |
.It Cm IdentityFile |
.It Cm IdentityFile |
Specifies the file from which the user's RSA or DSA authentication identity |
Specifies a file from which the user's RSA or DSA authentication identity |
is read (default |
is read. The default is |
.Pa $HOME/.ssh/identity |
.Pa $HOME/.ssh/identity |
in the user's home directory). |
for protocol version 1, and |
|
.Pa $HOME/.ssh/id_rsa |
|
and |
|
.Pa $HOME/.ssh/id_dsa |
|
for protocol version 2. |
Additionally, any identities represented by the authentication agent |
Additionally, any identities represented by the authentication agent |
will be used for authentication. |
will be used for authentication. |
The file name may use the tilde |
The file name may use the tilde |
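Review bot: The changed line "is read. The default is" starts a new sentence in the middle of an input line, while the surrounding source begins each sentence on its own line. Break the line after "is read." to keep the source consistent; the LogLevel line "The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2" has the same problem.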
|
|
multiple identity files specified in configuration files; all these |
multiple identity files specified in configuration files; all these |
identities will be tried in sequence. |
identities will be tried in sequence. |
.It Cm KeepAlive |
.It Cm KeepAlive |
Specifies whether the system should send keepalive messages to the |
Specifies whether the system should send TCP keepalive messages to the |
other side. |
other side. |
If they are sent, death of the connection or crash of one |
If they are sent, death of the connection or crash of one |
of the machines will be properly noticed. |
of the machines will be properly noticed. |
|
|
This is important in scripts, and many users want it too. |
This is important in scripts, and many users want it too. |
.Pp |
.Pp |
To disable keepalives, the value should be set to |
To disable keepalives, the value should be set to |
.Dq no |
.Dq no . |
in both the server and the client configuration files. |
|
.It Cm KerberosAuthentication |
.It Cm KerberosAuthentication |
Specifies whether Kerberos authentication will be used. |
Specifies whether Kerberos authentication will be used. |
The argument to this keyword must be |
The argument to this keyword must be |
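Review bot: The dropped line "in both the server and the client configuration files." was the only hint in the KeepAlive paragraph that the server side has a setting of its own. With the new wording a reader may set "no" on the client alone and still expect keepalives to be off; consider keeping a pointer to the server configuration, for example a reference to sshd(8).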
|
|
Gives the verbosity level that is used when logging messages from |
Gives the verbosity level that is used when logging messages from |
.Nm ssh . |
.Nm ssh . |
The possible values are: |
The possible values are: |
QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG. |
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. |
The default is INFO. |
The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 |
|
and DEBUG3 each specify higher levels of verbose output. |
.It Cm MACs |
.It Cm MACs |
Specifies the MAC (message authentication code) algorithms |
Specifies the MAC (message authentication code) algorithms |
in order of preference. |
in order of preference. |
|
|
over another method (e.g. |
over another method (e.g. |
.Cm password ) |
.Cm password ) |
The default for this option is: |
The default for this option is: |
.Dq hostbased,publickey,keyboard-interactive,password |
.Dq hostbased,publickey,keyboard-interactive,password . |
.It Cm Protocol |
.It Cm Protocol |
Specifies the protocol versions |
Specifies the protocol versions |
.Nm |
.Nm |
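Review bot: The sentence ending at ".Cm password )" directly above the changed line still has no closing period, so it runs into "The default for this option is:". Since this hunk is already fixing end-of-sentence punctuation on the .Dq line, change the preceding line to ".Cm password ) ." as well.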
|
|
file, and refuses to connect to hosts whose host key has changed. |
file, and refuses to connect to hosts whose host key has changed. |
This provides maximum protection against trojan horse attacks, |
This provides maximum protection against trojan horse attacks, |
however, can be annoying when the |
however, can be annoying when the |
.Pa /etc/ssh_known_hosts |
.Pa /etc/ssh/ssh_known_hosts |
file is poorly maintained, or connections to new hosts are |
file is poorly maintained, or connections to new hosts are |
frequently made. |
frequently made. |
This option forces the user to manually |
This option forces the user to manually |
|
|
.It Pa $HOME/.ssh/known_hosts |
.It Pa $HOME/.ssh/known_hosts |
Records host keys for all hosts the user has logged into that are not |
Records host keys for all hosts the user has logged into that are not |
in |
in |
.Pa /etc/ssh_known_hosts . |
.Pa /etc/ssh/ssh_known_hosts . |
See |
See |
.Xr sshd 8 . |
.Xr sshd 8 . |
.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa |
.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa |
|
|
identity files. |
identity files. |
This file is not highly sensitive, but the recommended |
This file is not highly sensitive, but the recommended |
permissions are read/write for the user, and not accessible by others. |
permissions are read/write for the user, and not accessible by others. |
.It Pa /etc/ssh_known_hosts |
.It Pa /etc/ssh/ssh_known_hosts |
Systemwide list of known host keys. |
Systemwide list of known host keys. |
This file should be prepared by the |
This file should be prepared by the |
system administrator to contain the public host keys of all machines in the |
system administrator to contain the public host keys of all machines in the |
|
|
does not convert the user-supplied name to a canonical name before |
does not convert the user-supplied name to a canonical name before |
checking the key, because someone with access to the name servers |
checking the key, because someone with access to the name servers |
would then be able to fool host authentication. |
would then be able to fool host authentication. |
.It Pa /etc/ssh_config |
.It Pa /etc/ssh/ssh_config |
Systemwide configuration file. |
Systemwide configuration file. |
This file provides defaults for those |
This file provides defaults for those |
values that are not specified in the user's configuration file, and |
values that are not specified in the user's configuration file, and |
for those users who do not have a configuration file. |
for those users who do not have a configuration file. |
This file must be world-readable. |
This file must be world-readable. |
.It Pa /etc/ssh_host_key, /etc/ssh_host_dsa_key, /etc/ssh_host_rsa_key |
.It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key |
These three files contain the private parts of the host keys |
These three files contain the private parts of the host keys |
and are used for |
and are used for |
.Cm RhostsRSAAuthentication |
.Cm RhostsRSAAuthentication |
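Review bot: The FILES entry for the private host keys now lists /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key, but nothing in the visible text tells an administrator that the old /etc locations are no longer the documented ones. For files that hold private keys, a short note on the relocation would help, so that stale copies are not left behind in /etc after an upgrade.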
|
|
will be installed so that it requires successful RSA host |
will be installed so that it requires successful RSA host |
authentication before permitting \s+2.\s0rhosts authentication. |
authentication before permitting \s+2.\s0rhosts authentication. |
If the server machine does not have the client's host key in |
If the server machine does not have the client's host key in |
.Pa /etc/ssh_known_hosts , |
.Pa /etc/ssh/ssh_known_hosts , |
it can be stored in |
it can be stored in |
.Pa $HOME/.ssh/known_hosts . |
.Pa $HOME/.ssh/known_hosts . |
The easiest way to do this is to |
The easiest way to do this is to |
|
|
This file may be useful to permit logins using |
This file may be useful to permit logins using |
.Nm |
.Nm |
but not using rsh/rlogin. |
but not using rsh/rlogin. |
.It Pa /etc/sshrc |
.It Pa /etc/ssh/sshrc |
Commands in this file are executed by |
Commands in this file are executed by |
.Nm |
.Nm |
when the user logs in just before the user's shell (or command) is started. |
when the user logs in just before the user's shell (or command) is started. |
|
|
.Sx ENVIRONMENT |
.Sx ENVIRONMENT |
above. |
above. |
.El |
.El |
|
.Sh DIAGNOSTICS |
|
.Nm |
|
exits with the exit status of the remote command or with 255 |
|
if an error occurred. |
.Sh AUTHORS |
.Sh AUTHORS |
OpenSSH is a derivative of the original and free |
OpenSSH is a derivative of the original and free |
ssh 1.2.12 release by Tatu Ylonen. |
ssh 1.2.12 release by Tatu Ylonen. |
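Review bot: In the new DIAGNOSTICS section, 255 signals an ssh error, yet the same sentence says ssh passes through the exit status of the remote command, so a remote command that itself exits 255 cannot be told apart from a connection or authentication failure. Please state that ambiguity explicitly so callers that branch on the exit status know they cannot rely on 255 alone.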