version 1.167.4.3, 2004/03/04 18:18:16 |
version 1.168, 2003/03/28 10:11:43 |
|
|
.Nd OpenSSH SSH client (remote login program) |
.Nd OpenSSH SSH client (remote login program) |
.Sh SYNOPSIS |
.Sh SYNOPSIS |
.Nm ssh |
.Nm ssh |
.Op Fl 1246AaCfgkNnqsTtVvXxY |
.Op Fl l Ar login_name |
|
.Ar hostname | user@hostname |
|
.Op Ar command |
|
.Pp |
|
.Nm ssh |
|
.Bk -words |
|
.Op Fl afgknqstvxACNTX1246 |
.Op Fl b Ar bind_address |
.Op Fl b Ar bind_address |
.Op Fl c Ar cipher_spec |
.Op Fl c Ar cipher_spec |
.Op Fl D Ar port |
|
.Op Fl e Ar escape_char |
.Op Fl e Ar escape_char |
.Op Fl F Ar configfile |
|
.Op Fl i Ar identity_file |
.Op Fl i Ar identity_file |
.Bk -words |
.Op Fl l Ar login_name |
|
.Op Fl m Ar mac_spec |
|
.Op Fl o Ar option |
|
.Op Fl p Ar port |
|
.Op Fl F Ar configfile |
.Oo Fl L Xo |
.Oo Fl L Xo |
.Sm off |
.Sm off |
.Ar port : |
.Ar port : |
|
|
.Xc |
.Xc |
.Oc |
.Oc |
.Ek |
.Ek |
.Op Fl l Ar login_name |
|
.Op Fl m Ar mac_spec |
|
.Op Fl o Ar option |
|
.Bk -words |
.Bk -words |
.Op Fl p Ar port |
|
.Ek |
|
.Oo Fl R Xo |
.Oo Fl R Xo |
.Sm off |
.Sm off |
.Ar port : |
.Ar port : |
|
|
.Sm on |
.Sm on |
.Xc |
.Xc |
.Oc |
.Oc |
.Oo Ar user Ns @ Oc Ns Ar hostname |
.Op Fl D Ar port |
|
.Ar hostname | user@hostname |
.Op Ar command |
.Op Ar command |
|
.Ek |
.Sh DESCRIPTION |
.Sh DESCRIPTION |
.Nm |
.Nm |
(SSH client) is a program for logging into a remote machine and for |
(SSH client) is a program for logging into a remote machine and for |
executing commands on a remote machine. |
executing commands on a remote machine. |
It is intended to replace rlogin and rsh, |
It is intended to replace |
and provide secure encrypted communications between |
rlogin and rsh, and provide secure encrypted communications between |
two untrusted hosts over an insecure network. |
two untrusted hosts over an insecure network. |
X11 connections and arbitrary TCP/IP ports |
X11 connections and |
can also be forwarded over the secure channel. |
arbitrary TCP/IP ports can also be forwarded over the secure channel. |
.Pp |
.Pp |
.Nm |
.Nm |
connects and logs into the specified |
connects and logs into the specified |
.Ar hostname |
.Ar hostname . |
(with optional |
|
.Ar user |
|
name). |
|
The user must prove |
The user must prove |
his/her identity to the remote machine using one of several methods |
his/her identity to the remote machine using one of several methods |
depending on the protocol version used. |
depending on the protocol version used: |
.Pp |
.Pp |
If |
|
.Ar command |
|
is specified, |
|
.Ar command |
|
is executed on the remote host instead of a login shell. |
|
.Ss SSH protocol version 1 |
.Ss SSH protocol version 1 |
|
.Pp |
First, if the machine the user logs in from is listed in |
First, if the machine the user logs in from is listed in |
.Pa /etc/hosts.equiv |
.Pa /etc/hosts.equiv |
or |
or |
|
|
on the remote machine, and the user names are |
on the remote machine, and the user names are |
the same on both sides, the user is immediately permitted to log in. |
the same on both sides, the user is immediately permitted to log in. |
Second, if |
Second, if |
.Pa .rhosts |
.Pa \&.rhosts |
or |
or |
.Pa .shosts |
.Pa \&.shosts |
exists in the user's home directory on the |
exists in the user's home directory on the |
remote machine and contains a line containing the name of the client |
remote machine and contains a line containing the name of the client |
machine and the name of the user on that machine, the user is |
machine and the name of the user on that machine, the user is |
|
|
allowed by the server because it is not secure. |
allowed by the server because it is not secure. |
.Pp |
.Pp |
The second authentication method is the |
The second authentication method is the |
.Em rhosts |
.Pa rhosts |
or |
or |
.Em hosts.equiv |
.Pa hosts.equiv |
method combined with RSA-based host authentication. |
method combined with RSA-based host authentication. |
It means that if the login would be permitted by |
It means that if the login would be permitted by |
.Pa $HOME/.rhosts , |
.Pa $HOME/.rhosts , |
|
|
.Pa $HOME/.ssh/known_hosts |
.Pa $HOME/.ssh/known_hosts |
in the |
in the |
.Sx FILES |
.Sx FILES |
section), only then is login permitted. |
section), only then login is permitted. |
This authentication method closes security holes due to IP |
This authentication method closes security holes due to IP |
spoofing, DNS spoofing and routing spoofing. |
spoofing, DNS spoofing and routing spoofing. |
[Note to the administrator: |
[Note to the administrator: |
|
|
The idea is that each user creates a public/private |
The idea is that each user creates a public/private |
key pair for authentication purposes. |
key pair for authentication purposes. |
The server knows the public key, and only the user knows the private key. |
The server knows the public key, and only the user knows the private key. |
.Pp |
|
The file |
The file |
.Pa $HOME/.ssh/authorized_keys |
.Pa $HOME/.ssh/authorized_keys |
lists the public keys that are permitted for logging in. |
lists the public keys that are permitted for logging |
|
in. |
When the user logs in, the |
When the user logs in, the |
.Nm |
.Nm |
program tells the server which key pair it would like to use for |
program tells the server which key pair it would like to use for |
authentication. |
authentication. |
The server checks if this key is permitted, and if so, |
The server checks if this key is permitted, and if |
sends the user (actually the |
so, sends the user (actually the |
.Nm |
.Nm |
program running on behalf of the user) a challenge, a random number, |
program running on behalf of the user) a challenge, a random number, |
encrypted by the user's public key. |
encrypted by the user's public key. |
The challenge can only be decrypted using the proper private key. |
The challenge can only be |
The user's client then decrypts the challenge using the private key, |
decrypted using the proper private key. |
proving that he/she knows the private key |
The user's client then decrypts the |
but without disclosing it to the server. |
challenge using the private key, proving that he/she knows the private |
|
key but without disclosing it to the server. |
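The protocol version 1 RSA challenge-response described above, as an added example that is not part of ssh.1 or OpenSSH: textbook RSA with tiny constructed primes (p=61, q=53) so the arithmetic is readable, and no padding, which real keys require.

```python
# Added example, not OpenSSH code: simulate the protocol 1 RSA exchange.
# Server: encrypt a random challenge with the user's public key.
# Client: decrypt it with the private key and return it, proving possession
# of the private key without ever sending it. Key sizes here are toy-sized.
import secrets


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m


def make_keypair(p, q, e=17):
    """Return (public, private) = ((n, e), (n, d)) for constructed primes p, q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)
    return (n, e), (n, d)


def server_make_challenge(public_key, challenge=None):
    """Server side: pick a random challenge (or use a fixed one for testing)
    and encrypt it with the public key listed in authorized_keys."""
    n, e = public_key
    if challenge is None:
        challenge = secrets.randbelow(n - 2) + 2  # random value in [2, n-1]
    encrypted = pow(challenge, e, n)
    return challenge, encrypted


def client_answer(private_key, encrypted):
    """Client side: only the holder of d can recover the challenge."""
    n, d = private_key
    return pow(encrypted, d, n)


def rsa_authenticate(authorized_public_key, client_private_key, challenge=None):
    """Run one exchange; True iff the client recovered the server's challenge."""
    challenge, encrypted = server_make_challenge(authorized_public_key, challenge)
    answer = client_answer(client_private_key, encrypted)
    return answer == challenge


if __name__ == "__main__":
    pub, priv = make_keypair(61, 53)
    print("authenticated:", rsa_authenticate(pub, priv))
```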
.Pp |
.Pp |
.Nm |
.Nm |
implements the RSA authentication protocol automatically. |
implements the RSA authentication protocol automatically. |
|
|
.Xr ssh-keygen 1 . |
.Xr ssh-keygen 1 . |
This stores the private key in |
This stores the private key in |
.Pa $HOME/.ssh/identity |
.Pa $HOME/.ssh/identity |
and stores the public key in |
and the public key in |
.Pa $HOME/.ssh/identity.pub |
.Pa $HOME/.ssh/identity.pub |
in the user's home directory. |
in the user's home directory. |
The user should then copy the |
The user should then copy the |
|
|
file, and has one key |
file, and has one key |
per line, though the lines can be very long). |
per line, though the lines can be very long). |
After this, the user can log in without giving the password. |
After this, the user can log in without giving the password. |
RSA authentication is much more secure than |
RSA authentication is much |
.Em rhosts |
more secure than rhosts authentication. |
authentication. |
|
.Pp |
.Pp |
The most convenient way to use RSA authentication may be with an |
The most convenient way to use RSA authentication may be with an |
authentication agent. |
authentication agent. |
|
|
The password is sent to the remote |
The password is sent to the remote |
host for checking; however, since all communications are encrypted, |
host for checking; however, since all communications are encrypted, |
the password cannot be seen by someone listening on the network. |
the password cannot be seen by someone listening on the network. |
|
.Pp |
.Ss SSH protocol version 2 |
.Ss SSH protocol version 2 |
When a user connects using protocol version 2, |
.Pp |
|
When a user connects using protocol version 2 |
similar authentication methods are available. |
similar authentication methods are available. |
Using the default values for |
Using the default values for |
.Cm PreferredAuthentications , |
.Cm PreferredAuthentications , |
the client will try to authenticate first using the hostbased method; |
the client will try to authenticate first using the hostbased method; |
if this method fails, public key authentication is attempted, |
if this method fails public key authentication is attempted, |
and finally if this method fails, keyboard-interactive and |
and finally if this method fails keyboard-interactive and |
password authentication are tried. |
password authentication are tried. |
.Pp |
.Pp |
The public key method is similar to RSA authentication described |
The public key method is similar to RSA authentication described |
|
|
The session identifier is derived from a shared Diffie-Hellman value |
The session identifier is derived from a shared Diffie-Hellman value |
and is only known to the client and the server. |
and is only known to the client and the server. |
.Pp |
.Pp |
If public key authentication fails or is not available, a password |
If public key authentication fails or is not available a password |
can be sent encrypted to the remote host to prove the user's identity. |
can be sent encrypted to the remote host for proving the user's identity. |
.Pp |
.Pp |
Additionally, |
Additionally, |
.Nm |
.Nm |
|
|
and integrity (hmac-md5, hmac-sha1). |
and integrity (hmac-md5, hmac-sha1). |
Note that protocol 1 lacks a strong mechanism for ensuring the |
Note that protocol 1 lacks a strong mechanism for ensuring the |
integrity of the connection. |
integrity of the connection. |
|
.Pp |
.Ss Login session and remote execution |
.Ss Login session and remote execution |
|
.Pp |
When the user's identity has been accepted by the server, the server |
When the user's identity has been accepted by the server, the server |
either executes the given command, or logs into the machine and gives |
either executes the given command, or logs into the machine and gives |
the user a normal shell on the remote machine. |
the user a normal shell on the remote machine. |
|
|
If a pseudo-terminal has been allocated (normal login session), the |
If a pseudo-terminal has been allocated (normal login session), the |
user may use the escape characters noted below. |
user may use the escape characters noted below. |
.Pp |
.Pp |
If no pseudo-tty has been allocated, |
If no pseudo tty has been allocated, the |
the session is transparent and can be used to reliably transfer binary data. |
session is transparent and can be used to reliably transfer binary |
|
data. |
On most systems, setting the escape character to |
On most systems, setting the escape character to |
.Dq none |
.Dq none |
will also make the session transparent even if a tty is used. |
will also make the session transparent even if a tty is used. |
.Pp |
.Pp |
The session terminates when the command or shell on the remote |
The session terminates when the command or shell on the remote |
machine exits and all X11 and TCP/IP connections have been closed. |
machine exits and all X11 and TCP/IP connections have been closed. |
The exit status of the remote program is returned as the exit status of |
The exit status of the remote program is returned as the exit status |
|
of |
.Nm ssh . |
.Nm ssh . |
|
.Pp |
.Ss Escape Characters |
.Ss Escape Characters |
When a pseudo-terminal has been requested, |
|
.Nm |
|
supports a number of functions through the use of an escape character. |
|
.Pp |
.Pp |
|
When a pseudo terminal has been requested, ssh supports a number of functions |
|
through the use of an escape character. |
|
.Pp |
A single tilde character can be sent as |
A single tilde character can be sent as |
.Ic ~~ |
.Ic ~~ |
or by following the tilde by a character other than those described below. |
or by following the tilde by a character other than those described below. |
|
|
are: |
are: |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Cm ~. |
.It Cm ~. |
Disconnect. |
Disconnect |
.It Cm ~^Z |
.It Cm ~^Z |
Background |
Background ssh |
.Nm ssh . |
|
.It Cm ~# |
.It Cm ~# |
List forwarded connections. |
List forwarded connections |
.It Cm ~& |
.It Cm ~& |
Background |
Background ssh at logout when waiting for forwarded connection / X11 sessions |
.Nm |
to terminate |
at logout when waiting for forwarded connection / X11 sessions to terminate. |
|
.It Cm ~? |
.It Cm ~? |
Display a list of escape characters. |
Display a list of escape characters |
.It Cm ~B |
|
Send a BREAK to the remote system |
|
(only useful for SSH protocol version 2 and if the peer supports it). |
|
.It Cm ~C |
.It Cm ~C |
Open command line (only useful for adding port forwardings using the |
Open command line (only useful for adding port forwardings using the |
.Fl L |
.Fl L |
and |
and |
.Fl R |
.Fl R |
options). |
options) |
.It Cm ~R |
.It Cm ~R |
Request rekeying of the connection |
Request rekeying of the connection (only useful for SSH protocol version 2 |
(only useful for SSH protocol version 2 and if the peer supports it). |
and if the peer supports it) |
.El |
.El |
|
.Pp |
.Ss X11 and TCP forwarding |
.Ss X11 and TCP forwarding |
|
.Pp |
If the |
If the |
.Cm ForwardX11 |
.Cm ForwardX11 |
variable is set to |
variable is set to |
.Dq yes |
.Dq yes |
(or see the description of the |
(or, see the description of the |
.Fl X |
.Fl X |
and |
and |
.Fl x |
.Fl x |
|
|
.Ev DISPLAY |
.Ev DISPLAY |
value set by |
value set by |
.Nm |
.Nm |
will point to the server machine, but with a display number greater than zero. |
will point to the server machine, but with a display number greater |
|
than zero. |
This is normal, and happens because |
This is normal, and happens because |
.Nm |
.Nm |
creates a |
creates a |
|
|
.Cm ForwardAgent |
.Cm ForwardAgent |
variable is set to |
variable is set to |
.Dq yes |
.Dq yes |
(or see the description of the |
(or, see the description of the |
.Fl A |
.Fl A |
and |
and |
.Fl a |
.Fl a |
|
|
be specified either on the command line or in a configuration file. |
be specified either on the command line or in a configuration file. |
One possible application of TCP/IP forwarding is a secure connection to an |
One possible application of TCP/IP forwarding is a secure connection to an |
electronic purse; another is going through firewalls. |
electronic purse; another is going through firewalls. |
|
.Pp |
.Ss Server authentication |
.Ss Server authentication |
|
.Pp |
.Nm |
.Nm |
automatically maintains and checks a database containing |
automatically maintains and checks a database containing |
identifications for all hosts it has ever been used with. |
identifications for all hosts it has ever been used with. |
|
|
.Pa /etc/ssh/ssh_known_hosts |
.Pa /etc/ssh/ssh_known_hosts |
is automatically checked for known hosts. |
is automatically checked for known hosts. |
Any new hosts are automatically added to the user's file. |
Any new hosts are automatically added to the user's file. |
If a host's identification ever changes, |
If a host's identification |
|
ever changes, |
.Nm |
.Nm |
warns about this and disables password authentication to prevent a |
warns about this and disables password authentication to prevent a |
trojan horse from getting the user's password. |
trojan horse from getting the user's password. |
Another purpose of this mechanism is to prevent man-in-the-middle attacks |
Another purpose of |
which could otherwise be used to circumvent the encryption. |
this mechanism is to prevent man-in-the-middle attacks which could |
|
otherwise be used to circumvent the encryption. |
The |
The |
.Cm StrictHostKeyChecking |
.Cm StrictHostKeyChecking |
option can be used to prevent logins to machines whose |
option can be used to prevent logins to machines whose |
|
|
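The known_hosts check and the StrictHostKeyChecking decision described above, as an added Python example that is not OpenSSH's own implementation. The known_hosts lines and key strings are constructed placeholders, and the line format assumed is the classic one: hostname[,alias...] keytype key [comment].

```python
# Added example, not OpenSSH code: classify a presented host key against a
# known_hosts table and apply StrictHostKeyChecking (yes / no / ask).
from typing import Dict, Tuple

# Constructed sample; the key fields are placeholders, not real keys.
KNOWN_HOSTS = """\
# constructed sample, not a real known_hosts file
gateway.example.org,10.0.0.5 ssh-rsa PLACEHOLDER-gateway-key-v1
build.example.org ssh-dss PLACEHOLDER-build-key-v1
"""


def parse_known_hosts(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {hostname_or_address: (keytype, key)} for each non-comment line.
    A name that appears more than once keeps its last entry."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: skipped, as ssh does after logging it
        names, keytype, key = fields[0], fields[1], fields[2]
        for name in names.split(","):
            table[name] = (keytype, key)
    return table


def check_host_key(table, host, keytype, key) -> str:
    """Classify the key the server just presented: 'known', 'new' or 'changed'."""
    entry = table.get(host)
    if entry is None:
        return "new"
    if entry == (keytype, key):
        return "known"
    return "changed"


def decide(status: str, strict: str):
    """Apply StrictHostKeyChecking semantics to a classification.
    Returns (allow_connection, allow_password_auth, action)."""
    if status == "known":
        return True, True, "proceed"
    if status == "changed":
        # A changed identification may be a man-in-the-middle or a trojaned
        # host. With strict=no ssh still connects but disables password
        # authentication so the password cannot be captured; otherwise refuse.
        if strict == "no":
            return True, False, "warn: host identification changed; password auth disabled"
        return False, False, "refuse: host identification changed"
    # status == "new": an unknown host
    if strict == "yes":
        return False, False, "refuse: host key not in known_hosts"
    if strict == "ask":
        return True, True, "prompt the user to confirm the fingerprint, then add"
    return True, True, "add to the user's known_hosts automatically"
```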
.Pp |
.Pp |
The options are as follows: |
The options are as follows: |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Fl 1 |
.It Fl a |
Forces |
Disables forwarding of the authentication agent connection. |
.Nm |
|
to try protocol version 1 only. |
|
.It Fl 2 |
|
Forces |
|
.Nm |
|
to try protocol version 2 only. |
|
.It Fl 4 |
|
Forces |
|
.Nm |
|
to use IPv4 addresses only. |
|
.It Fl 6 |
|
Forces |
|
.Nm |
|
to use IPv6 addresses only. |
|
.It Fl A |
.It Fl A |
Enables forwarding of the authentication agent connection. |
Enables forwarding of the authentication agent connection. |
This can also be specified on a per-host basis in a configuration file. |
This can also be specified on a per-host basis in a configuration file. |
|
|
An attacker cannot obtain key material from the agent, |
An attacker cannot obtain key material from the agent, |
however they can perform operations on the keys that enable them to |
however they can perform operations on the keys that enable them to |
authenticate using the identities loaded into the agent. |
authenticate using the identities loaded into the agent. |
.It Fl a |
|
Disables forwarding of the authentication agent connection. |
|
.It Fl b Ar bind_address |
.It Fl b Ar bind_address |
Specify the interface to transmit from on machines with multiple |
Specify the interface to transmit from on machines with multiple |
interfaces or aliased addresses. |
interfaces or aliased addresses. |
.It Fl C |
.It Fl c Ar blowfish|3des|des |
Requests compression of all data (including stdin, stdout, stderr, and |
|
data for forwarded X11 and TCP/IP connections). |
|
The compression algorithm is the same used by |
|
.Xr gzip 1 , |
|
and the |
|
.Dq level |
|
can be controlled by the |
|
.Cm CompressionLevel |
|
option for protocol version 1. |
|
Compression is desirable on modem lines and other |
|
slow connections, but will only slow down things on fast networks. |
|
The default value can be set on a host-by-host basis in the |
|
configuration files; see the |
|
.Cm Compression |
|
option. |
|
.It Fl c Ar blowfish | 3des | des |
|
Selects the cipher to use for encrypting the session. |
Selects the cipher to use for encrypting the session. |
.Ar 3des |
.Ar 3des |
is used by default. |
is used by default. |
|
|
.Ar 3des |
.Ar 3des |
(triple-des) is an encrypt-decrypt-encrypt triple with three different keys. |
(triple-des) is an encrypt-decrypt-encrypt triple with three different keys. |
.Ar blowfish |
.Ar blowfish |
is a fast block cipher; it appears very secure and is much faster than |
is a fast block cipher, it appears very secure and is much faster than |
.Ar 3des . |
.Ar 3des . |
.Ar des |
.Ar des |
is only supported in the |
is only supported in the |
|
|
See |
See |
.Cm Ciphers |
.Cm Ciphers |
for more information. |
for more information. |
.It Fl D Ar port |
.It Fl e Ar ch|^ch|none |
Specifies a local |
|
.Dq dynamic |
|
application-level port forwarding. |
|
This works by allocating a socket to listen to |
|
.Ar port |
|
on the local side, and whenever a connection is made to this port, the |
|
connection is forwarded over the secure channel, and the application |
|
protocol is then used to determine where to connect to from the |
|
remote machine. |
|
Currently the SOCKS4 and SOCKS5 protocols are supported, and |
|
.Nm |
|
will act as a SOCKS server. |
|
Only root can forward privileged ports. |
|
Dynamic port forwardings can also be specified in the configuration file. |
|
.It Fl e Ar ch | ^ch | none |
|
Sets the escape character for sessions with a pty (default: |
Sets the escape character for sessions with a pty (default: |
.Ql ~ ) . |
.Ql ~ ) . |
The escape character is only recognized at the beginning of a line. |
The escape character is only recognized at the beginning of a line. |
The escape character followed by a dot |
The escape character followed by a dot |
.Pq Ql \&. |
.Pq Ql \&. |
closes the connection; |
closes the connection, followed |
followed by control-Z suspends the connection; |
by control-Z suspends the connection, and followed by itself sends the |
and followed by itself sends the escape character once. |
escape character once. |
Setting the character to |
Setting the character to |
.Dq none |
.Dq none |
disables any escapes and makes the session fully transparent. |
disables any escapes and makes the session fully transparent. |
.It Fl F Ar configfile |
|
Specifies an alternative per-user configuration file. |
|
If a configuration file is given on the command line, |
|
the system-wide configuration file |
|
.Pq Pa /etc/ssh/ssh_config |
|
will be ignored. |
|
The default for the per-user configuration file is |
|
.Pa $HOME/.ssh/config . |
|
.It Fl f |
.It Fl f |
Requests |
Requests |
.Nm |
.Nm |
|
|
.Ic ssh -f host xterm . |
.Ic ssh -f host xterm . |
.It Fl g |
.It Fl g |
Allows remote hosts to connect to local forwarded ports. |
Allows remote hosts to connect to local forwarded ports. |
.It Fl I Ar smartcard_device |
|
Specifies which smartcard device to use. |
|
The argument is the device |
|
.Nm |
|
should use to communicate with a smartcard used for storing the user's |
|
private RSA key. |
|
.It Fl i Ar identity_file |
.It Fl i Ar identity_file |
Selects a file from which the identity (private key) for |
Selects a file from which the identity (private key) for |
RSA or DSA authentication is read. |
RSA or DSA authentication is read. |
|
|
.Fl i |
.Fl i |
options (and multiple identities specified in |
options (and multiple identities specified in |
configuration files). |
configuration files). |
|
.It Fl I Ar smartcard_device |
|
Specifies which smartcard device to use. The argument is |
|
the device |
|
.Nm |
|
should use to communicate with a smartcard used for storing the user's |
|
private RSA key. |
.It Fl k |
.It Fl k |
Disables forwarding (delegation) of GSSAPI credentials to the server. |
Disables forwarding of Kerberos tickets and AFS tokens. |
.It Fl L Xo |
This may also be specified on a per-host basis in the configuration file. |
.Sm off |
|
.Ar port : host : hostport |
|
.Sm on |
|
.Xc |
|
Specifies that the given port on the local (client) host is to be |
|
forwarded to the given host and port on the remote side. |
|
This works by allocating a socket to listen to |
|
.Ar port |
|
on the local side, and whenever a connection is made to this port, the |
|
connection is forwarded over the secure channel, and a connection is |
|
made to |
|
.Ar host |
|
port |
|
.Ar hostport |
|
from the remote machine. |
|
Port forwardings can also be specified in the configuration file. |
|
Only root can forward privileged ports. |
|
IPv6 addresses can be specified with an alternative syntax: |
|
.Sm off |
|
.Xo |
|
.Ar port No / Ar host No / |
|
.Ar hostport . |
|
.Xc |
|
.Sm on |
|
.It Fl l Ar login_name |
.It Fl l Ar login_name |
Specifies the user to log in as on the remote machine. |
Specifies the user to log in as on the remote machine. |
This also may be specified on a per-host basis in the configuration file. |
This also may be specified on a per-host basis in the configuration file. |
|
|
See the |
See the |
.Cm MACs |
.Cm MACs |
keyword for more information. |
keyword for more information. |
.It Fl N |
|
Do not execute a remote command. |
|
This is useful for just forwarding ports |
|
(protocol version 2 only). |
|
.It Fl n |
.It Fl n |
Redirects stdin from |
Redirects stdin from |
.Pa /dev/null |
.Pa /dev/null |
|
|
needs to ask for a password or passphrase; see also the |
needs to ask for a password or passphrase; see also the |
.Fl f |
.Fl f |
option.) |
option.) |
|
.It Fl N |
|
Do not execute a remote command. |
|
This is useful for just forwarding ports |
|
(protocol version 2 only). |
.It Fl o Ar option |
.It Fl o Ar option |
Can be used to give options in the format used in the configuration file. |
Can be used to give options in the format used in the configuration file. |
This is useful for specifying options for which there is no separate |
This is useful for specifying options for which there is no separate |
command-line flag. |
command-line flag. |
For full details of the options listed below, and their possible values, see |
|
.Xr ssh_config 5 . |
|
.Pp |
|
.Bl -tag -width Ds -offset indent -compact |
|
.It AddressFamily |
|
.It BatchMode |
|
.It BindAddress |
|
.It ChallengeResponseAuthentication |
|
.It CheckHostIP |
|
.It Cipher |
|
.It Ciphers |
|
.It ClearAllForwardings |
|
.It Compression |
|
.It CompressionLevel |
|
.It ConnectionAttempts |
|
.It ConnectionTimeout |
|
.It DynamicForward |
|
.It EscapeChar |
|
.It ForwardAgent |
|
.It ForwardX11 |
|
.It ForwardX11Trusted |
|
.It GatewayPorts |
|
.It GlobalKnownHostsFile |
|
.It GSSAPIAuthentication |
|
.It GSSAPIDelegateCredentials |
|
.It Host |
|
.It HostbasedAuthentication |
|
.It HostKeyAlgorithms |
|
.It HostKeyAlias |
|
.It HostName |
|
.It IdentityFile |
|
.It LocalForward |
|
.It LogLevel |
|
.It MACs |
|
.It NoHostAuthenticationForLocalhost |
|
.It NumberOfPasswordPrompts |
|
.It PasswordAuthentication |
|
.It Port |
|
.It PreferredAuthentications |
|
.It Protocol |
|
.It ProxyCommand |
|
.It PubkeyAuthentication |
|
.It RemoteForward |
|
.It RhostsRSAAuthentication |
|
.It RSAAuthentication |
|
.It ServerAliveInterval |
|
.It ServerAliveCountMax |
|
.It SmartcardDevice |
|
.It StrictHostKeyChecking |
|
.It TCPKeepAlive |
|
.It UsePrivilegedPort |
|
.It User |
|
.It UserKnownHostsFile |
|
.It VerifyHostKeyDNS |
|
.It XAuthLocation |
|
.El |
|
.It Fl p Ar port |
.It Fl p Ar port |
Port to connect to on the remote host. |
Port to connect to on the remote host. |
This can be specified on a |
This can be specified on a |
|
|
.It Fl q |
.It Fl q |
Quiet mode. |
Quiet mode. |
Causes all warning and diagnostic messages to be suppressed. |
Causes all warning and diagnostic messages to be suppressed. |
.It Fl R Xo |
|
.Sm off |
|
.Ar port : host : hostport |
|
.Sm on |
|
.Xc |
|
Specifies that the given port on the remote (server) host is to be |
|
forwarded to the given host and port on the local side. |
|
This works by allocating a socket to listen to |
|
.Ar port |
|
on the remote side, and whenever a connection is made to this port, the |
|
connection is forwarded over the secure channel, and a connection is |
|
made to |
|
.Ar host |
|
port |
|
.Ar hostport |
|
from the local machine. |
|
Port forwardings can also be specified in the configuration file. |
|
Privileged ports can be forwarded only when |
|
logging in as root on the remote machine. |
|
IPv6 addresses can be specified with an alternative syntax: |
|
.Sm off |
|
.Xo |
|
.Ar port No / Ar host No / |
|
.Ar hostport . |
|
.Xc |
|
.Sm on |
|
.It Fl s |
.It Fl s |
May be used to request invocation of a subsystem on the remote system. |
May be used to request invocation of a subsystem on the remote system. |
Subsystems are a feature of the SSH2 protocol which facilitate the use |
Subsystems are a feature of the SSH2 protocol which facilitate the use |
of SSH as a secure transport for other applications (eg. sftp). The |
of SSH as a secure transport for other applications (eg.\& |
subsystem is specified as the remote command. |
.Xr sftp 1 ) . |
|
The subsystem is specified as the remote command. |
|
.It Fl T |
|
Disable pseudo-tty allocation. |
|
.It Fl t |
.It Fl t |
Force pseudo-tty allocation. |
Force pseudo-tty allocation. |
This can be used to execute arbitrary |
This can be used to execute arbitrary |
|
|
options force tty allocation, even if |
options force tty allocation, even if |
.Nm |
.Nm |
has no local tty. |
has no local tty. |
.It Fl V |
.It Fl T |
Display the version number and exit. |
Disable pseudo-tty allocation. |
.It Fl v |
.It Fl v |
Verbose mode. |
Verbose mode. |
Causes |
Causes |
|
|
debugging connection, authentication, and configuration problems. |
debugging connection, authentication, and configuration problems. |
Multiple |
Multiple |
.Fl v |
.Fl v |
options increase the verbosity. |
options increases the verbosity. |
The maximum is 3. |
Maximum is 3. |
|
.It Fl x |
|
Disables X11 forwarding. |
.It Fl X |
.It Fl X |
Enables X11 forwarding. |
Enables X11 forwarding. |
This can also be specified on a per-host basis in a configuration file. |
This can also be specified on a per-host basis in a configuration file. |
|
|
(for the user's X authorization database) |
(for the user's X authorization database) |
can access the local X11 display through the forwarded connection. |
can access the local X11 display through the forwarded connection. |
An attacker may then be able to perform activities such as keystroke monitoring. |
An attacker may then be able to perform activities such as keystroke monitoring. |
.It Fl x |
.It Fl C |
Disables X11 forwarding. |
Requests compression of all data (including stdin, stdout, stderr, and |
.It Fl Y |
data for forwarded X11 and TCP/IP connections). |
Enables trusted X11 forwarding. |
The compression algorithm is the same used by |
|
.Xr gzip 1 , |
|
and the |
|
.Dq level |
|
can be controlled by the |
|
.Cm CompressionLevel |
|
option for protocol version 1. |
|
Compression is desirable on modem lines and other |
|
slow connections, but will only slow down things on fast networks. |
|
The default value can be set on a host-by-host basis in the |
|
configuration files; see the |
|
.Cm Compression |
|
option. |
|
.It Fl F Ar configfile |
|
Specifies an alternative per-user configuration file. |
|
If a configuration file is given on the command line, |
|
the system-wide configuration file |
|
.Pq Pa /etc/ssh/ssh_config |
|
will be ignored. |
|
The default for the per-user configuration file is |
|
.Pa $HOME/.ssh/config . |
|
.It Fl L Ar port:host:hostport |
|
Specifies that the given port on the local (client) host is to be |
|
forwarded to the given host and port on the remote side. |
|
This works by allocating a socket to listen to |
|
.Ar port |
|
on the local side, and whenever a connection is made to this port, the |
|
connection is forwarded over the secure channel, and a connection is |
|
made to |
|
.Ar host |
|
port |
|
.Ar hostport |
|
from the remote machine. |
|
Port forwardings can also be specified in the configuration file. |
|
Only root can forward privileged ports. |
|
IPv6 addresses can be specified with an alternative syntax: |
|
.Ar port/host/hostport |
|
.It Fl R Ar port:host:hostport |
|
Specifies that the given port on the remote (server) host is to be |
|
forwarded to the given host and port on the local side. |
|
This works by allocating a socket to listen to |
|
.Ar port |
|
on the remote side, and whenever a connection is made to this port, the |
|
connection is forwarded over the secure channel, and a connection is |
|
made to |
|
.Ar host |
|
port |
|
.Ar hostport |
|
from the local machine. |
|
Port forwardings can also be specified in the configuration file. |
|
Privileged ports can be forwarded only when |
|
logging in as root on the remote machine. |
|
IPv6 addresses can be specified with an alternative syntax: |
|
.Ar port/host/hostport |
|
.It Fl D Ar port |
|
Specifies a local |
|
.Dq dynamic |
|
application-level port forwarding. |
|
This works by allocating a socket to listen to |
|
.Ar port |
|
on the local side, and whenever a connection is made to this port, the |
|
connection is forwarded over the secure channel, and the application |
|
protocol is then used to determine where to connect to from the |
|
remote machine. |
|
Currently the SOCKS4 protocol is supported, and |
|
.Nm |
|
will act as a SOCKS4 server. |
|
Only root can forward privileged ports. |
|
Dynamic port forwardings can also be specified in the configuration file. |
|
.It Fl 1 |
|
Forces |
|
.Nm |
|
to try protocol version 1 only. |
|
.It Fl 2 |
|
Forces |
|
.Nm |
|
to try protocol version 2 only. |
|
.It Fl 4 |
|
Forces |
|
.Nm |
|
to use IPv4 addresses only. |
|
.It Fl 6 |
|
Forces |
|
.Nm |
|
to use IPv6 addresses only. |
.El |
.El |
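The forwarding arguments of the -L, -R and -D options above, as an added Python example that is not OpenSSH's own argument parser: it accepts both the port:host:hostport form and the port/host/hostport alternative needed for IPv6 literals, validates the port numbers, and reports when the listening port is privileged (below 1024), which the text says requires root on the listening side (the client for -L and -D, the remote machine for -R).

```python
# Added example, not OpenSSH code: parse and validate -L/-R/-D forward specs.
from dataclasses import dataclass
from typing import Optional

PRIVILEGED_LIMIT = 1024  # ports below this are privileged on most systems


@dataclass(frozen=True)
class Forward:
    kind: str                 # "local" (-L), "remote" (-R) or "dynamic" (-D)
    port: int                 # listening port
    host: Optional[str]       # destination host; None for dynamic (SOCKS) forwards
    hostport: Optional[int]   # destination port; None for dynamic forwards


def _port(text: str) -> int:
    """Parse a port number, rejecting non-numeric and out-of-range values."""
    if not text.isdigit():
        raise ValueError(f"port is not numeric: {text!r}")
    value = int(text)
    if not 1 <= value <= 65535:
        raise ValueError(f"port out of range: {value}")
    return value


def parse_forward(kind: str, spec: str) -> Forward:
    """Parse the argument of -L/-R (port:host:hostport or port/host/hostport)
    or -D (just a port)."""
    if kind == "dynamic":
        return Forward(kind, _port(spec), None, None)
    if kind not in ("local", "remote"):
        raise ValueError(f"unknown forward kind: {kind!r}")
    # The "/" form is unambiguous for IPv6 hosts such as ::1, whose own
    # colons would otherwise be mistaken for field separators.
    parts = spec.split("/") if "/" in spec else spec.split(":")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected port:host:hostport, got {spec!r}")
    port, host, hostport = parts
    return Forward(kind, _port(port), host, _port(hostport))


def needs_root(fwd: Forward) -> bool:
    """True if the listening side of the forward uses a privileged port."""
    return fwd.port < PRIVILEGED_LIMIT


if __name__ == "__main__":
    for kind, spec in (("local", "8080:localhost:80"),
                       ("remote", "2222/::1/22"),
                       ("dynamic", "1080")):
        fwd = parse_forward(kind, spec)
        print(fwd, "needs root:", needs_root(fwd))
```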
.Sh CONFIGURATION FILES |
.Sh CONFIGURATION FILES |
.Nm |
.Nm |
|
|
.Sh ENVIRONMENT |
.Sh ENVIRONMENT |
.Nm |
.Nm |
will normally set the following environment variables: |
will normally set the following environment variables: |
.Bl -tag -width LOGNAME |
.Bl -tag -width Ds |
.It Ev DISPLAY |
.It Ev DISPLAY |
The |
The |
.Ev DISPLAY |
.Ev DISPLAY |
|
|
to point to a value of the form |
to point to a value of the form |
.Dq hostname:n |
.Dq hostname:n |
where hostname indicates |
where hostname indicates |
the host where the shell runs, and n is an integer \*(Ge 1. |
the host where the shell runs, and n is an integer >= 1. |
.Nm |
.Nm |
uses this special value to forward X11 connections over the secure |
uses this special value to forward X11 connections over the secure |
channel. |
channel. |
|
|
.Dq VARNAME=value |
.Dq VARNAME=value |
to the environment if the file exists and if users are allowed to |
to the environment if the file exists and if users are allowed to |
change their environment. |
change their environment. |
For more information, see the |
See the |
.Cm PermitUserEnvironment |
.Cm PermitUserEnvironment |
option in |
option in |
.Xr sshd_config 5 . |
.Xr sshd_config 5 . |
|
|
identity file in human-readable form). |
identity file in human-readable form). |
The contents of the |
The contents of the |
.Pa $HOME/.ssh/identity.pub |
.Pa $HOME/.ssh/identity.pub |
file should be added to the file |
file should be added to |
.Pa $HOME/.ssh/authorized_keys |
.Pa $HOME/.ssh/authorized_keys |
on all machines |
on all machines |
where the user wishes to log in using protocol version 1 RSA authentication. |
where the user wishes to log in using protocol version 1 RSA authentication. |
|
|
The format of this file is described in the |
The format of this file is described in the |
.Xr sshd 8 |
.Xr sshd 8 |
manual page. |
manual page. |
In the simplest form the format is the same as the |
In the simplest form the format is the same as the .pub |
.Pa .pub |
|
identity files. |
identity files. |
This file is not highly sensitive, but the recommended |
This file is not highly sensitive, but the recommended |
permissions are read/write for the user, and not accessible by others. |
permissions are read/write for the user, and not accessible by others. |
|
|
When different names are used |
When different names are used |
for the same machine, all such names should be listed, separated by |
for the same machine, all such names should be listed, separated by |
commas. |
commas. |
The format is described in the |
The format is described on the |
.Xr sshd 8 |
.Xr sshd 8 |
manual page. |
manual page. |
.Pp |
.Pp |
|
|
is not setuid root. |
is not setuid root. |
.It Pa $HOME/.rhosts |
.It Pa $HOME/.rhosts |
This file is used in |
This file is used in |
.Em rhosts |
.Pa \&.rhosts |
authentication to list the |
authentication to list the |
host/user pairs that are permitted to log in. |
host/user pairs that are permitted to log in. |
(Note that this file is |
(Note that this file is |
|
|
Note that by default |
Note that by default |
.Xr sshd 8 |
.Xr sshd 8 |
will be installed so that it requires successful RSA host |
will be installed so that it requires successful RSA host |
authentication before permitting |
authentication before permitting \s+2.\s0rhosts authentication. |
.Em rhosts |
|
authentication. |
|
If the server machine does not have the client's host key in |
If the server machine does not have the client's host key in |
.Pa /etc/ssh/ssh_known_hosts , |
.Pa /etc/ssh/ssh_known_hosts , |
it can be stored in |
it can be stored in |
|
|
.Pa $HOME/.ssh/known_hosts . |
.Pa $HOME/.ssh/known_hosts . |
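Review bot: the right-hand column replaces the `.Em rhosts` markup in the $HOME/.rhosts entry with raw troff escapes, "\s+2.\s0rhosts authentication.", which changes the point size of the leading dot and renders unlike every other mention of rhosts authentication on the page; the earlier change in the same entry uses `.Pa \&.rhosts` for the same phrase, so the entry is now inconsistent with itself. Suggest keeping the left-hand form (`.Em rhosts` on its own line, followed by "authentication.") in both places, or at least using `.Pa \&.rhosts` for both.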
.It Pa $HOME/.shosts |
.It Pa $HOME/.shosts |
This file is used exactly the same way as |
This file is used exactly the same way as |
.Pa .rhosts . |
.Pa \&.rhosts . |
The purpose for |
The purpose for |
having this file is to be able to use rhosts authentication with |
having this file is to be able to use rhosts authentication with |
.Nm |
.Nm |
without permitting login with |
without permitting login with |
.Xr rlogin |
.Nm rlogin |
or |
or |
.Xr rsh 1 . |
.Xr rsh 1 . |
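Review bot: neither column's cross-reference to rlogin is well-formed: the left has `.Xr rlogin` with no manual section, and the right changes it to `.Nm rlogin`, which is the macro for the current page's own name and will render rlogin as though it were this manual. Use `.Xr rlogin 1` so it matches the `.Xr rsh 1 .` reference two lines later.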
.It Pa /etc/hosts.equiv |
.It Pa /etc/hosts.equiv |
This file is used during |
This file is used during |
.Em rhosts |
.Pa \&.rhosts authentication. |
authentication. |
|
It contains |
It contains |
canonical hosts names, one per line (the full format is described in the |
canonical hosts names, one per line (the full format is described on |
|
the |
.Xr sshd 8 |
.Xr sshd 8 |
manual page). |
manual page). |
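Review bot: in the /etc/hosts.equiv entry the right-hand column collapses the two lines `.Em rhosts` / `authentication.` into `.Pa \&.rhosts authentication.`, which makes "authentication." an argument of `.Pa` and renders the word in the pathname font; keep the markup and the trailing word on separate lines as the left-hand column has them. Both columns also read "canonical hosts names", which should be "canonical host names".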
If the client host is found in this file, login is |
If the client host is found in this file, login is |
|
|
.Nm |
.Nm |
exits with the exit status of the remote command or with 255 |
exits with the exit status of the remote command or with 255 |
if an error occurred. |
if an error occurred. |
|
.Sh AUTHORS |
|
OpenSSH is a derivative of the original and free |
|
ssh 1.2.12 release by Tatu Ylonen. |
|
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, |
|
Theo de Raadt and Dug Song |
|
removed many bugs, re-added newer features and |
|
created OpenSSH. |
|
Markus Friedl contributed the support for SSH |
|
protocol versions 1.5 and 2.0. |
.Sh SEE ALSO |
.Sh SEE ALSO |
.Xr gzip 1 , |
|
.Xr rsh 1 , |
.Xr rsh 1 , |
.Xr scp 1 , |
.Xr scp 1 , |
.Xr sftp 1 , |
.Xr sftp 1 , |
|
|
.Xr ssh-agent 1 , |
.Xr ssh-agent 1 , |
.Xr ssh-keygen 1 , |
.Xr ssh-keygen 1 , |
.Xr telnet 1 , |
.Xr telnet 1 , |
.Xr hosts.equiv 5 , |
|
.Xr ssh_config 5 , |
.Xr ssh_config 5 , |
.Xr ssh-keysign 8 , |
.Xr ssh-keysign 8 , |
.Xr sshd 8 |
.Xr sshd 8 |
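Review bot: the right-hand column drops `.Xr hosts.equiv 5 ,` (and `.Xr gzip 1 ,`) from SEE ALSO while its FILES section still documents /etc/hosts.equiv and only points the reader to sshd(8) for the file's format; hosts.equiv(5) is the page that documents that file directly, so either keep the cross-reference or remove the FILES entry consistently rather than leaving the reference out on one side only.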
|
|
.%D January 2002 |
.%D January 2002 |
.%O work in progress material |
.%O work in progress material |
.Re |
.Re |
.Sh AUTHORS |
|
OpenSSH is a derivative of the original and free |
|
ssh 1.2.12 release by Tatu Ylonen. |
|
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, |
|
Theo de Raadt and Dug Song |
|
removed many bugs, re-added newer features and |
|
created OpenSSH. |
|
Markus Friedl contributed the support for SSH |
|
protocol versions 1.5 and 2.0. |
|