| version 1.175, 2003/07/22 13:35:22 |
version 1.175.2.2, 2004/08/19 22:37:32 |
|
|
| .Nd OpenSSH SSH client (remote login program) |
.Nd OpenSSH SSH client (remote login program) |
| .Sh SYNOPSIS |
.Sh SYNOPSIS |
| .Nm ssh |
.Nm ssh |
| .Op Fl l Ar login_name |
.Op Fl 1246AaCfgkMNnqsTtVvXxY |
| .Ar hostname | user@hostname |
|
| .Op Ar command |
|
| .Pp |
|
| .Nm ssh |
|
| .Bk -words |
|
| .Op Fl afgknqstvxACNTVX1246 |
|
| .Op Fl b Ar bind_address |
.Op Fl b Ar bind_address |
| .Op Fl c Ar cipher_spec |
.Op Fl c Ar cipher_spec |
| |
.Bk -words |
| |
.Op Fl D Ar port |
| .Op Fl e Ar escape_char |
.Op Fl e Ar escape_char |
| .Op Fl i Ar identity_file |
|
| .Op Fl l Ar login_name |
|
| .Op Fl m Ar mac_spec |
|
| .Op Fl o Ar option |
|
| .Op Fl p Ar port |
|
| .Op Fl F Ar configfile |
.Op Fl F Ar configfile |
| |
.Op Fl i Ar identity_file |
| .Oo Fl L Xo |
.Oo Fl L Xo |
| .Sm off |
.Sm off |
| .Ar port : |
.Ar port : |
|
|
| .Xc |
.Xc |
| .Oc |
.Oc |
| .Ek |
.Ek |
| |
.Op Fl l Ar login_name |
| |
.Op Fl m Ar mac_spec |
| |
.Op Fl o Ar option |
| .Bk -words |
.Bk -words |
| |
.Op Fl p Ar port |
| |
.Ek |
| .Oo Fl R Xo |
.Oo Fl R Xo |
| .Sm off |
.Sm off |
| .Ar port : |
.Ar port : |
|
|
| .Sm on |
.Sm on |
| .Xc |
.Xc |
| .Oc |
.Oc |
| .Op Fl D Ar port |
.Op Fl S Ar ctl |
| .Ar hostname | user@hostname |
.Oo Ar user Ns @ Oc Ns Ar hostname |
| .Op Ar command |
.Op Ar command |
| .Ek |
|
| .Sh DESCRIPTION |
.Sh DESCRIPTION |
| .Nm |
.Nm |
| (SSH client) is a program for logging into a remote machine and for |
(SSH client) is a program for logging into a remote machine and for |
| executing commands on a remote machine. |
executing commands on a remote machine. |
| It is intended to replace |
It is intended to replace rlogin and rsh, |
| rlogin and rsh, and provide secure encrypted communications between |
and provide secure encrypted communications between |
| two untrusted hosts over an insecure network. |
two untrusted hosts over an insecure network. |
| X11 connections and |
X11 connections and arbitrary TCP/IP ports |
| arbitrary TCP/IP ports can also be forwarded over the secure channel. |
can also be forwarded over the secure channel. |
| .Pp |
.Pp |
| .Nm |
.Nm |
| connects and logs into the specified |
connects and logs into the specified |
| .Ar hostname . |
.Ar hostname |
| |
(with optional |
| |
.Ar user |
| |
name). |
| The user must prove |
The user must prove |
| his/her identity to the remote machine using one of several methods |
his/her identity to the remote machine using one of several methods |
| depending on the protocol version used: |
depending on the protocol version used. |
| .Pp |
.Pp |
| |
If |
| |
.Ar command |
| |
is specified, |
| |
.Ar command |
| |
is executed on the remote host instead of a login shell. |
| .Ss SSH protocol version 1 |
.Ss SSH protocol version 1 |
| .Pp |
|
| First, if the machine the user logs in from is listed in |
First, if the machine the user logs in from is listed in |
| .Pa /etc/hosts.equiv |
.Pa /etc/hosts.equiv |
| or |
or |
|
|
| on the remote machine, and the user names are |
on the remote machine, and the user names are |
| the same on both sides, the user is immediately permitted to log in. |
the same on both sides, the user is immediately permitted to log in. |
| Second, if |
Second, if |
| .Pa \&.rhosts |
.Pa .rhosts |
| or |
or |
| .Pa \&.shosts |
.Pa .shosts |
| exists in the user's home directory on the |
exists in the user's home directory on the |
| remote machine and contains a line containing the name of the client |
remote machine and contains a line containing the name of the client |
| machine and the name of the user on that machine, the user is |
machine and the name of the user on that machine, the user is |
|
|
| allowed by the server because it is not secure. |
allowed by the server because it is not secure. |
| .Pp |
.Pp |
| The second authentication method is the |
The second authentication method is the |
| .Pa rhosts |
.Em rhosts |
| or |
or |
| .Pa hosts.equiv |
.Em hosts.equiv |
| method combined with RSA-based host authentication. |
method combined with RSA-based host authentication. |
| It means that if the login would be permitted by |
It means that if the login would be permitted by |
| .Pa $HOME/.rhosts , |
.Pa $HOME/.rhosts , |
|
|
| .Pa $HOME/.ssh/known_hosts |
.Pa $HOME/.ssh/known_hosts |
| in the |
in the |
| .Sx FILES |
.Sx FILES |
| section), only then login is permitted. |
section), only then is login permitted. |
| This authentication method closes security holes due to IP |
This authentication method closes security holes due to IP |
| spoofing, DNS spoofing and routing spoofing. |
spoofing, DNS spoofing and routing spoofing. |
| [Note to the administrator: |
[Note to the administrator: |
|
|
| The idea is that each user creates a public/private |
The idea is that each user creates a public/private |
| key pair for authentication purposes. |
key pair for authentication purposes. |
| The server knows the public key, and only the user knows the private key. |
The server knows the public key, and only the user knows the private key. |
| |
.Pp |
| The file |
The file |
| .Pa $HOME/.ssh/authorized_keys |
.Pa $HOME/.ssh/authorized_keys |
| lists the public keys that are permitted for logging |
lists the public keys that are permitted for logging in. |
| in. |
|
| When the user logs in, the |
When the user logs in, the |
| .Nm |
.Nm |
| program tells the server which key pair it would like to use for |
program tells the server which key pair it would like to use for |
| authentication. |
authentication. |
| The server checks if this key is permitted, and if |
The server checks if this key is permitted, and if so, |
| so, sends the user (actually the |
sends the user (actually the |
| .Nm |
.Nm |
| program running on behalf of the user) a challenge, a random number, |
program running on behalf of the user) a challenge, a random number, |
| encrypted by the user's public key. |
encrypted by the user's public key. |
| The challenge can only be |
The challenge can only be decrypted using the proper private key. |
| decrypted using the proper private key. |
The user's client then decrypts the challenge using the private key, |
| The user's client then decrypts the |
proving that he/she knows the private key |
| challenge using the private key, proving that he/she knows the private |
but without disclosing it to the server. |
| key but without disclosing it to the server. |
|
| .Pp |
.Pp |
| .Nm |
.Nm |
| implements the RSA authentication protocol automatically. |
implements the RSA authentication protocol automatically. |
|
|
| .Xr ssh-keygen 1 . |
.Xr ssh-keygen 1 . |
| This stores the private key in |
This stores the private key in |
| .Pa $HOME/.ssh/identity |
.Pa $HOME/.ssh/identity |
| and the public key in |
and stores the public key in |
| .Pa $HOME/.ssh/identity.pub |
.Pa $HOME/.ssh/identity.pub |
| in the user's home directory. |
in the user's home directory. |
| The user should then copy the |
The user should then copy the |
|
|
| file, and has one key |
file, and has one key |
| per line, though the lines can be very long). |
per line, though the lines can be very long). |
| After this, the user can log in without giving the password. |
After this, the user can log in without giving the password. |
| RSA authentication is much |
RSA authentication is much more secure than |
| more secure than rhosts authentication. |
.Em rhosts |
| |
authentication. |
| .Pp |
.Pp |
| The most convenient way to use RSA authentication may be with an |
The most convenient way to use RSA authentication may be with an |
| authentication agent. |
authentication agent. |
|
|
| The password is sent to the remote |
The password is sent to the remote |
| host for checking; however, since all communications are encrypted, |
host for checking; however, since all communications are encrypted, |
| the password cannot be seen by someone listening on the network. |
the password cannot be seen by someone listening on the network. |
| .Pp |
|
| .Ss SSH protocol version 2 |
.Ss SSH protocol version 2 |
| .Pp |
When a user connects using protocol version 2, |
| When a user connects using protocol version 2 |
|
| similar authentication methods are available. |
similar authentication methods are available. |
| Using the default values for |
Using the default values for |
| .Cm PreferredAuthentications , |
.Cm PreferredAuthentications , |
| the client will try to authenticate first using the hostbased method; |
the client will try to authenticate first using the hostbased method; |
| if this method fails public key authentication is attempted, |
if this method fails, public key authentication is attempted, |
| and finally if this method fails keyboard-interactive and |
and finally if this method fails, keyboard-interactive and |
| password authentication are tried. |
password authentication are tried. |
| .Pp |
.Pp |
| The public key method is similar to RSA authentication described |
The public key method is similar to RSA authentication described |
|
|
| The session identifier is derived from a shared Diffie-Hellman value |
The session identifier is derived from a shared Diffie-Hellman value |
| and is only known to the client and the server. |
and is only known to the client and the server. |
| .Pp |
.Pp |
| If public key authentication fails or is not available a password |
If public key authentication fails or is not available, a password |
| can be sent encrypted to the remote host for proving the user's identity. |
can be sent encrypted to the remote host to prove the user's identity. |
| .Pp |
.Pp |
| Additionally, |
Additionally, |
| .Nm |
.Nm |
| supports hostbased or challenge response authentication. |
supports hostbased or challenge response authentication. |
| .Pp |
.Pp |
| Protocol 2 provides additional mechanisms for confidentiality |
Protocol 2 provides additional mechanisms for confidentiality |
| (the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) |
(the traffic is encrypted using AES, 3DES, Blowfish, CAST128 or Arcfour) |
| and integrity (hmac-md5, hmac-sha1). |
and integrity (hmac-md5, hmac-sha1, hmac-ripemd160). |
| Note that protocol 1 lacks a strong mechanism for ensuring the |
Note that protocol 1 lacks a strong mechanism for ensuring the |
| integrity of the connection. |
integrity of the connection. |
| .Pp |
|
| .Ss Login session and remote execution |
.Ss Login session and remote execution |
| .Pp |
|
| When the user's identity has been accepted by the server, the server |
When the user's identity has been accepted by the server, the server |
| either executes the given command, or logs into the machine and gives |
either executes the given command, or logs into the machine and gives |
| the user a normal shell on the remote machine. |
the user a normal shell on the remote machine. |
|
|
| If a pseudo-terminal has been allocated (normal login session), the |
If a pseudo-terminal has been allocated (normal login session), the |
| user may use the escape characters noted below. |
user may use the escape characters noted below. |
| .Pp |
.Pp |
| If no pseudo tty has been allocated, the |
If no pseudo-tty has been allocated, |
| session is transparent and can be used to reliably transfer binary |
the session is transparent and can be used to reliably transfer binary data. |
| data. |
|
| On most systems, setting the escape character to |
On most systems, setting the escape character to |
| .Dq none |
.Dq none |
| will also make the session transparent even if a tty is used. |
will also make the session transparent even if a tty is used. |
| .Pp |
.Pp |
| The session terminates when the command or shell on the remote |
The session terminates when the command or shell on the remote |
| machine exits and all X11 and TCP/IP connections have been closed. |
machine exits and all X11 and TCP/IP connections have been closed. |
| The exit status of the remote program is returned as the exit status |
The exit status of the remote program is returned as the exit status of |
| of |
|
| .Nm ssh . |
.Nm ssh . |
| .Pp |
|
| .Ss Escape Characters |
.Ss Escape Characters |
| |
When a pseudo-terminal has been requested, |
| |
.Nm |
| |
supports a number of functions through the use of an escape character. |
| .Pp |
.Pp |
| When a pseudo terminal has been requested, ssh supports a number of functions |
|
| through the use of an escape character. |
|
| .Pp |
|
| A single tilde character can be sent as |
A single tilde character can be sent as |
| .Ic ~~ |
.Ic ~~ |
| or by following the tilde by a character other than those described below. |
or by following the tilde by a character other than those described below. |
|
|
| are: |
are: |
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
| .It Cm ~. |
.It Cm ~. |
| Disconnect |
Disconnect. |
| .It Cm ~^Z |
.It Cm ~^Z |
| Background ssh |
Background |
| |
.Nm ssh . |
| .It Cm ~# |
.It Cm ~# |
| List forwarded connections |
List forwarded connections. |
| .It Cm ~& |
.It Cm ~& |
| Background ssh at logout when waiting for forwarded connection / X11 sessions |
Background |
| to terminate |
.Nm |
| |
at logout when waiting for forwarded connection / X11 sessions to terminate. |
| .It Cm ~? |
.It Cm ~? |
| Display a list of escape characters |
Display a list of escape characters. |
| .It Cm ~B |
.It Cm ~B |
| Send a BREAK to the remote system (only useful for SSH protocol version 2 |
Send a BREAK to the remote system |
| and if the peer supports it) |
(only useful for SSH protocol version 2 and if the peer supports it). |
| .It Cm ~C |
.It Cm ~C |
| Open command line (only useful for adding port forwardings using the |
Open command line. |
| |
Currently this allows the addition of port forwardings using the |
| .Fl L |
.Fl L |
| and |
and |
| .Fl R |
.Fl R |
| options) |
options (see below). |
| |
It also allows the cancellation of existing remote port-forwardings |
| |
using |
| |
.Fl KR Ar hostport . |
| |
Basic help is available, using the |
| |
.Fl h |
| |
option. |
| .It Cm ~R |
.It Cm ~R |
| Request rekeying of the connection (only useful for SSH protocol version 2 |
Request rekeying of the connection |
| and if the peer supports it) |
(only useful for SSH protocol version 2 and if the peer supports it). |
| .El |
.El |
| .Pp |
|
| .Ss X11 and TCP forwarding |
.Ss X11 and TCP forwarding |
| .Pp |
|
| If the |
If the |
| .Cm ForwardX11 |
.Cm ForwardX11 |
| variable is set to |
variable is set to |
| .Dq yes |
.Dq yes |
| (or, see the description of the |
(or see the description of the |
| .Fl X |
.Fl X |
| and |
and |
| .Fl x |
.Fl x |
|
|
| .Ev DISPLAY |
.Ev DISPLAY |
| value set by |
value set by |
| .Nm |
.Nm |
| will point to the server machine, but with a display number greater |
will point to the server machine, but with a display number greater than zero. |
| than zero. |
|
| This is normal, and happens because |
This is normal, and happens because |
| .Nm |
.Nm |
| creates a |
creates a |
|
|
| .Cm ForwardAgent |
.Cm ForwardAgent |
| variable is set to |
variable is set to |
| .Dq yes |
.Dq yes |
| (or, see the description of the |
(or see the description of the |
| .Fl A |
.Fl A |
| and |
and |
| .Fl a |
.Fl a |
|
|
| be specified either on the command line or in a configuration file. |
be specified either on the command line or in a configuration file. |
| One possible application of TCP/IP forwarding is a secure connection to an |
One possible application of TCP/IP forwarding is a secure connection to an |
| electronic purse; another is going through firewalls. |
electronic purse; another is going through firewalls. |
| .Pp |
|
| .Ss Server authentication |
.Ss Server authentication |
| .Pp |
|
| .Nm |
.Nm |
| automatically maintains and checks a database containing |
automatically maintains and checks a database containing |
| identifications for all hosts it has ever been used with. |
identifications for all hosts it has ever been used with. |
|
|
| .Pa /etc/ssh/ssh_known_hosts |
.Pa /etc/ssh/ssh_known_hosts |
| is automatically checked for known hosts. |
is automatically checked for known hosts. |
| Any new hosts are automatically added to the user's file. |
Any new hosts are automatically added to the user's file. |
| If a host's identification |
If a host's identification ever changes, |
| ever changes, |
|
| .Nm |
.Nm |
| warns about this and disables password authentication to prevent a |
warns about this and disables password authentication to prevent a |
| trojan horse from getting the user's password. |
trojan horse from getting the user's password. |
| Another purpose of |
Another purpose of this mechanism is to prevent man-in-the-middle attacks |
| this mechanism is to prevent man-in-the-middle attacks which could |
which could otherwise be used to circumvent the encryption. |
| otherwise be used to circumvent the encryption. |
|
| The |
The |
| .Cm StrictHostKeyChecking |
.Cm StrictHostKeyChecking |
| option can be used to prevent logins to machines whose |
option can be used to prevent logins to machines whose |
| host key is not known or has changed. |
host key is not known or has changed. |
| .Pp |
.Pp |
| |
.Nm |
| |
can be configured to verify host identification using fingerprint resource |
| |
records (SSHFP) published in DNS. |
| |
The |
| |
.Cm VerifyHostKeyDNS |
| |
option can be used to control how DNS lookups are performed. |
| |
SSHFP resource records can be generated using |
| |
.Xr ssh-keygen 1 . |
| |
.Pp |
| The options are as follows: |
The options are as follows: |
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
| .It Fl a |
.It Fl 1 |
| Disables forwarding of the authentication agent connection. |
Forces |
| |
.Nm |
| |
to try protocol version 1 only. |
| |
.It Fl 2 |
| |
Forces |
| |
.Nm |
| |
to try protocol version 2 only. |
| |
.It Fl 4 |
| |
Forces |
| |
.Nm |
| |
to use IPv4 addresses only. |
| |
.It Fl 6 |
| |
Forces |
| |
.Nm |
| |
to use IPv6 addresses only. |
| .It Fl A |
.It Fl A |
| Enables forwarding of the authentication agent connection. |
Enables forwarding of the authentication agent connection. |
| This can also be specified on a per-host basis in a configuration file. |
This can also be specified on a per-host basis in a configuration file. |
|
|
| An attacker cannot obtain key material from the agent, |
An attacker cannot obtain key material from the agent, |
| however they can perform operations on the keys that enable them to |
however they can perform operations on the keys that enable them to |
| authenticate using the identities loaded into the agent. |
authenticate using the identities loaded into the agent. |
| |
.It Fl a |
| |
Disables forwarding of the authentication agent connection. |
| .It Fl b Ar bind_address |
.It Fl b Ar bind_address |
| Specify the interface to transmit from on machines with multiple |
Specify the interface to transmit from on machines with multiple |
| interfaces or aliased addresses. |
interfaces or aliased addresses. |
| .It Fl c Ar blowfish|3des|des |
.It Fl C |
| Selects the cipher to use for encrypting the session. |
Requests compression of all data (including stdin, stdout, stderr, and |
| |
data for forwarded X11 and TCP/IP connections). |
| |
The compression algorithm is the same used by |
| |
.Xr gzip 1 , |
| |
and the |
| |
.Dq level |
| |
can be controlled by the |
| |
.Cm CompressionLevel |
| |
option for protocol version 1. |
| |
Compression is desirable on modem lines and other |
| |
slow connections, but will only slow down things on fast networks. |
| |
The default value can be set on a host-by-host basis in the |
| |
configuration files; see the |
| |
.Cm Compression |
| |
option. |
| |
.It Fl c Ar cipher_spec |
| |
Selects the cipher specification for encrypting the session. |
| |
.Pp |
| |
Protocol version 1 allows specification of a single cipher. |
| |
The suported values are |
| |
.Dq 3des , |
| |
.Dq blowfish |
| |
and |
| |
.Dq des . |
| .Ar 3des |
.Ar 3des |
| is used by default. |
|
| It is believed to be secure. |
|
| .Ar 3des |
|
| (triple-des) is an encrypt-decrypt-encrypt triple with three different keys. |
(triple-des) is an encrypt-decrypt-encrypt triple with three different keys. |
| |
It is believed to be secure. |
| .Ar blowfish |
.Ar blowfish |
| is a fast block cipher, it appears very secure and is much faster than |
is a fast block cipher; it appears very secure and is much faster than |
| .Ar 3des . |
.Ar 3des . |
| .Ar des |
.Ar des |
| is only supported in the |
is only supported in the |
|
|
| .Ar 3des |
.Ar 3des |
| cipher. |
cipher. |
| Its use is strongly discouraged due to cryptographic weaknesses. |
Its use is strongly discouraged due to cryptographic weaknesses. |
| .It Fl c Ar cipher_spec |
The default is |
| Additionally, for protocol version 2 a comma-separated list of ciphers can |
.Dq 3des . |
| be specified in order of preference. |
.Pp |
| See |
For protocol version 2 |
| .Cm Ciphers |
.Ar cipher_spec |
| for more information. |
is a comma-separated list of ciphers |
| .It Fl e Ar ch|^ch|none |
listed in order of preference. |
| |
The supported ciphers are |
| |
.Dq 3des-cbc , |
| |
.Dq aes128-cbc , |
| |
.Dq aes192-cbc , |
| |
.Dq aes256-cbc , |
| |
.Dq aes128-ctr , |
| |
.Dq aes192-ctr , |
| |
.Dq aes256-ctr , |
| |
.Dq arcfour , |
| |
.Dq blowfish-cbc , |
| |
and |
| |
.Dq cast128-cbc . |
| |
The default is |
| |
.Bd -literal |
| |
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
| |
aes192-cbc,aes256-cbc'' |
| |
.Ed |
| |
.It Fl D Ar port |
| |
Specifies a local |
| |
.Dq dynamic |
| |
application-level port forwarding. |
| |
This works by allocating a socket to listen to |
| |
.Ar port |
| |
on the local side, and whenever a connection is made to this port, the |
| |
connection is forwarded over the secure channel, and the application |
| |
protocol is then used to determine where to connect to from the |
| |
remote machine. |
| |
Currently the SOCKS4 and SOCKS5 protocols are supported, and |
| |
.Nm |
| |
will act as a SOCKS server. |
| |
Only root can forward privileged ports. |
| |
Dynamic port forwardings can also be specified in the configuration file. |
| |
.It Fl e Ar ch | ^ch | none |
| Sets the escape character for sessions with a pty (default: |
Sets the escape character for sessions with a pty (default: |
| .Ql ~ ) . |
.Ql ~ ) . |
| The escape character is only recognized at the beginning of a line. |
The escape character is only recognized at the beginning of a line. |
| The escape character followed by a dot |
The escape character followed by a dot |
| .Pq Ql \&. |
.Pq Ql \&. |
| closes the connection, followed |
closes the connection; |
| by control-Z suspends the connection, and followed by itself sends the |
followed by control-Z suspends the connection; |
| escape character once. |
and followed by itself sends the escape character once. |
| Setting the character to |
Setting the character to |
| .Dq none |
.Dq none |
| disables any escapes and makes the session fully transparent. |
disables any escapes and makes the session fully transparent. |
| |
.It Fl F Ar configfile |
| |
Specifies an alternative per-user configuration file. |
| |
If a configuration file is given on the command line, |
| |
the system-wide configuration file |
| |
.Pq Pa /etc/ssh/ssh_config |
| |
will be ignored. |
| |
The default for the per-user configuration file is |
| |
.Pa $HOME/.ssh/config . |
| .It Fl f |
.It Fl f |
| Requests |
Requests |
| .Nm |
.Nm |
|
|
| .Ic ssh -f host xterm . |
.Ic ssh -f host xterm . |
| .It Fl g |
.It Fl g |
| Allows remote hosts to connect to local forwarded ports. |
Allows remote hosts to connect to local forwarded ports. |
| |
.It Fl I Ar smartcard_device |
| |
Specifies which smartcard device to use. |
| |
The argument is the device |
| |
.Nm |
| |
should use to communicate with a smartcard used for storing the user's |
| |
private RSA key. |
| .It Fl i Ar identity_file |
.It Fl i Ar identity_file |
| Selects a file from which the identity (private key) for |
Selects a file from which the identity (private key) for |
| RSA or DSA authentication is read. |
RSA or DSA authentication is read. |
|
|
| .Fl i |
.Fl i |
| options (and multiple identities specified in |
options (and multiple identities specified in |
| configuration files). |
configuration files). |
| .It Fl I Ar smartcard_device |
|
| Specifies which smartcard device to use. |
|
| The argument is the device |
|
| .Nm |
|
| should use to communicate with a smartcard used for storing the user's |
|
| private RSA key. |
|
| .It Fl k |
.It Fl k |
| Disables forwarding of Kerberos tickets. |
Disables forwarding (delegation) of GSSAPI credentials to the server. |
| This may also be specified on a per-host basis in the configuration file. |
.It Fl L Xo |
| |
.Sm off |
| |
.Ar port : host : hostport |
| |
.Sm on |
| |
.Xc |
| |
Specifies that the given port on the local (client) host is to be |
| |
forwarded to the given host and port on the remote side. |
| |
This works by allocating a socket to listen to |
| |
.Ar port |
| |
on the local side, and whenever a connection is made to this port, the |
| |
connection is forwarded over the secure channel, and a connection is |
| |
made to |
| |
.Ar host |
| |
port |
| |
.Ar hostport |
| |
from the remote machine. |
| |
Port forwardings can also be specified in the configuration file. |
| |
Only root can forward privileged ports. |
| |
IPv6 addresses can be specified with an alternative syntax: |
| |
.Sm off |
| |
.Xo |
| |
.Ar port No / Ar host No / |
| |
.Ar hostport . |
| |
.Xc |
| |
.Sm on |
| .It Fl l Ar login_name |
.It Fl l Ar login_name |
| Specifies the user to log in as on the remote machine. |
Specifies the user to log in as on the remote machine. |
| This also may be specified on a per-host basis in the configuration file. |
This also may be specified on a per-host basis in the configuration file. |
| |
.It Fl M |
| |
Places the |
| |
.Nm |
| |
client into |
| |
.Dq master |
| |
mode for connection sharing. |
| |
Refer to the description of |
| |
.Cm ControlMaster |
| |
in |
| |
.Xr ssh_config 5 |
| |
for details. |
| .It Fl m Ar mac_spec |
.It Fl m Ar mac_spec |
| Additionally, for protocol version 2 a comma-separated list of MAC |
Additionally, for protocol version 2 a comma-separated list of MAC |
| (message authentication code) algorithms can |
(message authentication code) algorithms can |
|
|
| See the |
See the |
| .Cm MACs |
.Cm MACs |
| keyword for more information. |
keyword for more information. |
| |
.It Fl N |
| |
Do not execute a remote command. |
| |
This is useful for just forwarding ports |
| |
(protocol version 2 only). |
| .It Fl n |
.It Fl n |
| Redirects stdin from |
Redirects stdin from |
| .Pa /dev/null |
.Pa /dev/null |
|
|
| needs to ask for a password or passphrase; see also the |
needs to ask for a password or passphrase; see also the |
| .Fl f |
.Fl f |
| option.) |
option.) |
| .It Fl N |
|
| Do not execute a remote command. |
|
| This is useful for just forwarding ports |
|
| (protocol version 2 only). |
|
| .It Fl o Ar option |
.It Fl o Ar option |
| Can be used to give options in the format used in the configuration file. |
Can be used to give options in the format used in the configuration file. |
| This is useful for specifying options for which there is no separate |
This is useful for specifying options for which there is no separate |
| command-line flag. |
command-line flag. |
| |
For full details of the options listed below, and their possible values, see |
| |
.Xr ssh_config 5 . |
| |
.Pp |
| |
.Bl -tag -width Ds -offset indent -compact |
| |
.It AddressFamily |
| |
.It BatchMode |
| |
.It BindAddress |
| |
.It ChallengeResponseAuthentication |
| |
.It CheckHostIP |
| |
.It Cipher |
| |
.It Ciphers |
| |
.It ClearAllForwardings |
| |
.It Compression |
| |
.It CompressionLevel |
| |
.It ConnectionAttempts |
| |
.It ConnectTimeout |
| |
.It ControlMaster |
| |
.It ControlPath |
| |
.It DynamicForward |
| |
.It EscapeChar |
| |
.It ForwardAgent |
| |
.It ForwardX11 |
| |
.It ForwardX11Trusted |
| |
.It GatewayPorts |
| |
.It GlobalKnownHostsFile |
| |
.It GSSAPIAuthentication |
| |
.It GSSAPIDelegateCredentials |
| |
.It Host |
| |
.It HostbasedAuthentication |
| |
.It HostKeyAlgorithms |
| |
.It HostKeyAlias |
| |
.It HostName |
| |
.It IdentityFile |
| |
.It IdentitiesOnly |
| |
.It LocalForward |
| |
.It LogLevel |
| |
.It MACs |
| |
.It NoHostAuthenticationForLocalhost |
| |
.It NumberOfPasswordPrompts |
| |
.It PasswordAuthentication |
| |
.It Port |
| |
.It PreferredAuthentications |
| |
.It Protocol |
| |
.It ProxyCommand |
| |
.It PubkeyAuthentication |
| |
.It RemoteForward |
| |
.It RhostsRSAAuthentication |
| |
.It RSAAuthentication |
| |
.It SendEnv |
| |
.It ServerAliveInterval |
| |
.It ServerAliveCountMax |
| |
.It SmartcardDevice |
| |
.It StrictHostKeyChecking |
| |
.It TCPKeepAlive |
| |
.It UsePrivilegedPort |
| |
.It User |
| |
.It UserKnownHostsFile |
| |
.It VerifyHostKeyDNS |
| |
.It XAuthLocation |
| |
.El |
| .It Fl p Ar port |
.It Fl p Ar port |
| Port to connect to on the remote host. |
Port to connect to on the remote host. |
| This can be specified on a |
This can be specified on a |
|
|
| .It Fl q |
.It Fl q |
| Quiet mode. |
Quiet mode. |
| Causes all warning and diagnostic messages to be suppressed. |
Causes all warning and diagnostic messages to be suppressed. |
| |
.It Fl R Xo |
| |
.Sm off |
| |
.Ar port : host : hostport |
| |
.Sm on |
| |
.Xc |
| |
Specifies that the given port on the remote (server) host is to be |
| |
forwarded to the given host and port on the local side. |
| |
This works by allocating a socket to listen to |
| |
.Ar port |
| |
on the remote side, and whenever a connection is made to this port, the |
| |
connection is forwarded over the secure channel, and a connection is |
| |
made to |
| |
.Ar host |
| |
port |
| |
.Ar hostport |
| |
from the local machine. |
| |
Port forwardings can also be specified in the configuration file. |
| |
Privileged ports can be forwarded only when |
| |
logging in as root on the remote machine. |
| |
IPv6 addresses can be specified with an alternative syntax: |
| |
.Sm off |
| |
.Xo |
| |
.Ar port No / Ar host No / |
| |
.Ar hostport . |
| |
.Xc |
| |
.Sm on |
| |
.It Fl S Ar ctl |
| |
Specifies the location of a control socket for connection sharing. |
| |
Refer to the description of |
| |
.Cm ControlPath |
| |
and |
| |
.Cm ControlMaster |
| |
in |
| |
.Xr ssh_config 5 |
| |
for details. |
| .It Fl s |
.It Fl s |
| May be used to request invocation of a subsystem on the remote system. |
May be used to request invocation of a subsystem on the remote system. |
| Subsystems are a feature of the SSH2 protocol which facilitate the use |
Subsystems are a feature of the SSH2 protocol which facilitate the use |
| of SSH as a secure transport for other applications (eg. sftp). |
of SSH as a secure transport for other applications (eg.\& |
| |
.Xr sftp 1 ) . |
| The subsystem is specified as the remote command. |
The subsystem is specified as the remote command. |
| |
.It Fl T |
| |
Disable pseudo-tty allocation. |
| .It Fl t |
.It Fl t |
| Force pseudo-tty allocation. |
Force pseudo-tty allocation. |
| This can be used to execute arbitrary |
This can be used to execute arbitrary |
|
|
| options force tty allocation, even if |
options force tty allocation, even if |
| .Nm |
.Nm |
| has no local tty. |
has no local tty. |
| .It Fl T |
.It Fl V |
| Disable pseudo-tty allocation. |
Display the version number and exit. |
| .It Fl v |
.It Fl v |
| Verbose mode. |
Verbose mode. |
| Causes |
Causes |
|
|
| .Fl v |
.Fl v |
| options increase the verbosity. |
options increase the verbosity. |
| The maximum is 3. |
The maximum is 3. |
| .It Fl V |
|
| Display the version number and exit. |
|
| .It Fl x |
|
| Disables X11 forwarding. |
|
| .It Fl X |
.It Fl X |
| Enables X11 forwarding. |
Enables X11 forwarding. |
| This can also be specified on a per-host basis in a configuration file. |
This can also be specified on a per-host basis in a configuration file. |
|
|
| (for the user's X authorization database) |
(for the user's X authorization database) |
| can access the local X11 display through the forwarded connection. |
can access the local X11 display through the forwarded connection. |
| An attacker may then be able to perform activities such as keystroke monitoring. |
An attacker may then be able to perform activities such as keystroke monitoring. |
| .It Fl C |
.It Fl x |
| Requests compression of all data (including stdin, stdout, stderr, and |
Disables X11 forwarding. |
| data for forwarded X11 and TCP/IP connections). |
.It Fl Y |
| The compression algorithm is the same used by |
Enables trusted X11 forwarding. |
| .Xr gzip 1 , |
|
| and the |
|
| .Dq level |
|
| can be controlled by the |
|
| .Cm CompressionLevel |
|
| option for protocol version 1. |
|
| Compression is desirable on modem lines and other |
|
| slow connections, but will only slow down things on fast networks. |
|
| The default value can be set on a host-by-host basis in the |
|
| configuration files; see the |
|
| .Cm Compression |
|
| option. |
|
| .It Fl F Ar configfile |
|
| Specifies an alternative per-user configuration file. |
|
| If a configuration file is given on the command line, |
|
| the system-wide configuration file |
|
| .Pq Pa /etc/ssh/ssh_config |
|
| will be ignored. |
|
| The default for the per-user configuration file is |
|
| .Pa $HOME/.ssh/config . |
|
| .It Fl L Ar port:host:hostport |
|
| Specifies that the given port on the local (client) host is to be |
|
| forwarded to the given host and port on the remote side. |
|
| This works by allocating a socket to listen to |
|
| .Ar port |
|
| on the local side, and whenever a connection is made to this port, the |
|
| connection is forwarded over the secure channel, and a connection is |
|
| made to |
|
| .Ar host |
|
| port |
|
| .Ar hostport |
|
| from the remote machine. |
|
| Port forwardings can also be specified in the configuration file. |
|
| Only root can forward privileged ports. |
|
| IPv6 addresses can be specified with an alternative syntax: |
|
| .Ar port/host/hostport |
|
| .It Fl R Ar port:host:hostport |
|
| Specifies that the given port on the remote (server) host is to be |
|
| forwarded to the given host and port on the local side. |
|
| This works by allocating a socket to listen to |
|
| .Ar port |
|
| on the remote side, and whenever a connection is made to this port, the |
|
| connection is forwarded over the secure channel, and a connection is |
|
| made to |
|
| .Ar host |
|
| port |
|
| .Ar hostport |
|
| from the local machine. |
|
| Port forwardings can also be specified in the configuration file. |
|
| Privileged ports can be forwarded only when |
|
| logging in as root on the remote machine. |
|
| IPv6 addresses can be specified with an alternative syntax: |
|
| .Ar port/host/hostport |
|
| .It Fl D Ar port |
|
| Specifies a local |
|
| .Dq dynamic |
|
| application-level port forwarding. |
|
| This works by allocating a socket to listen to |
|
| .Ar port |
|
| on the local side, and whenever a connection is made to this port, the |
|
| connection is forwarded over the secure channel, and the application |
|
| protocol is then used to determine where to connect to from the |
|
| remote machine. |
|
| Currently the SOCKS4 and SOCKS5 protocols are supported, and |
|
| .Nm |
|
| will act as a SOCKS server. |
|
| Only root can forward privileged ports. |
|
| Dynamic port forwardings can also be specified in the configuration file. |
|
| .It Fl 1 |
|
| Forces |
|
| .Nm |
|
| to try protocol version 1 only. |
|
| .It Fl 2 |
|
| Forces |
|
| .Nm |
|
| to try protocol version 2 only. |
|
| .It Fl 4 |
|
| Forces |
|
| .Nm |
|
| to use IPv4 addresses only. |
|
| .It Fl 6 |
|
| Forces |
|
| .Nm |
|
| to use IPv6 addresses only. |
|
| .El |
.El |
| .Sh CONFIGURATION FILES |
.Sh CONFIGURATION FILES |
| .Nm |
.Nm |
|
|
| .Sh ENVIRONMENT |
.Sh ENVIRONMENT |
| .Nm |
.Nm |
| will normally set the following environment variables: |
will normally set the following environment variables: |
| .Bl -tag -width Ds |
.Bl -tag -width LOGNAME |
| .It Ev DISPLAY |
.It Ev DISPLAY |
| The |
The |
| .Ev DISPLAY |
.Ev DISPLAY |
|
|
| to point to a value of the form |
to point to a value of the form |
| .Dq hostname:n |
.Dq hostname:n |
| where hostname indicates |
where hostname indicates |
| the host where the shell runs, and n is an integer >= 1. |
the host where the shell runs, and n is an integer \*(Ge 1. |
| .Nm |
.Nm |
| uses this special value to forward X11 connections over the secure |
uses this special value to forward X11 connections over the secure |
| channel. |
channel. |
|
|
| .Dq VARNAME=value |
.Dq VARNAME=value |
| to the environment if the file exists and if users are allowed to |
to the environment if the file exists and if users are allowed to |
| change their environment. |
change their environment. |
| See the |
For more information, see the |
| .Cm PermitUserEnvironment |
.Cm PermitUserEnvironment |
| option in |
option in |
| .Xr sshd_config 5 . |
.Xr sshd_config 5 . |
|
|
| identity file in human-readable form). |
identity file in human-readable form). |
| The contents of the |
The contents of the |
| .Pa $HOME/.ssh/identity.pub |
.Pa $HOME/.ssh/identity.pub |
| file should be added to |
file should be added to the file |
| .Pa $HOME/.ssh/authorized_keys |
.Pa $HOME/.ssh/authorized_keys |
| on all machines |
on all machines |
| where the user wishes to log in using protocol version 1 RSA authentication. |
where the user wishes to log in using protocol version 1 RSA authentication. |
|
|
| This is the per-user configuration file. |
This is the per-user configuration file. |
| The file format and configuration options are described in |
The file format and configuration options are described in |
| .Xr ssh_config 5 . |
.Xr ssh_config 5 . |
| |
Because of the potential for abuse, this file must have strict permissions: |
| |
read/write for the user, and not accessible by others. |
| .It Pa $HOME/.ssh/authorized_keys |
.It Pa $HOME/.ssh/authorized_keys |
| Lists the public keys (RSA/DSA) that can be used for logging in as this user. |
Lists the public keys (RSA/DSA) that can be used for logging in as this user. |
| The format of this file is described in the |
The format of this file is described in the |
| .Xr sshd 8 |
.Xr sshd 8 |
| manual page. |
manual page. |
| In the simplest form the format is the same as the .pub |
In the simplest form the format is the same as the |
| |
.Pa .pub |
| identity files. |
identity files. |
| This file is not highly sensitive, but the recommended |
This file is not highly sensitive, but the recommended |
| permissions are read/write for the user, and not accessible by others. |
permissions are read/write for the user, and not accessible by others. |
|
|
| When different names are used |
When different names are used |
| for the same machine, all such names should be listed, separated by |
for the same machine, all such names should be listed, separated by |
| commas. |
commas. |
| The format is described on the |
The format is described in the |
| .Xr sshd 8 |
.Xr sshd 8 |
| manual page. |
manual page. |
| .Pp |
.Pp |
|
|
| is not setuid root. |
is not setuid root. |
| .It Pa $HOME/.rhosts |
.It Pa $HOME/.rhosts |
| This file is used in |
This file is used in |
| .Pa \&.rhosts |
.Em rhosts |
| authentication to list the |
authentication to list the |
| host/user pairs that are permitted to log in. |
host/user pairs that are permitted to log in. |
| (Note that this file is |
(Note that this file is |
|
|
| Note that by default |
Note that by default |
| .Xr sshd 8 |
.Xr sshd 8 |
| will be installed so that it requires successful RSA host |
will be installed so that it requires successful RSA host |
| authentication before permitting \s+2.\s0rhosts authentication. |
authentication before permitting |
| |
.Em rhosts |
| |
authentication. |
| If the server machine does not have the client's host key in |
If the server machine does not have the client's host key in |
| .Pa /etc/ssh/ssh_known_hosts , |
.Pa /etc/ssh/ssh_known_hosts , |
| it can be stored in |
it can be stored in |
|
|
| .Pa $HOME/.ssh/known_hosts . |
.Pa $HOME/.ssh/known_hosts . |
| .It Pa $HOME/.shosts |
.It Pa $HOME/.shosts |
| This file is used exactly the same way as |
This file is used exactly the same way as |
| .Pa \&.rhosts . |
.Pa .rhosts . |
| The purpose for |
The purpose for |
| having this file is to be able to use rhosts authentication with |
having this file is to be able to use rhosts authentication with |
| .Nm |
.Nm |
| without permitting login with |
without permitting login with |
| .Nm rlogin |
.Xr rlogin |
| or |
or |
| .Xr rsh 1 . |
.Xr rsh 1 . |
| .It Pa /etc/hosts.equiv |
.It Pa /etc/hosts.equiv |
| This file is used during |
This file is used during |
| .Pa \&.rhosts |
.Em rhosts |
| authentication. |
authentication. |
| It contains |
It contains |
| canonical hosts names, one per line (the full format is described on |
canonical hosts names, one per line (the full format is described in the |
| the |
|
| .Xr sshd 8 |
.Xr sshd 8 |
| manual page). |
manual page). |
| If the client host is found in this file, login is |
If the client host is found in this file, login is |
|
|
| exits with the exit status of the remote command or with 255 |
exits with the exit status of the remote command or with 255 |
| if an error occurred. |
if an error occurred. |
| .Sh SEE ALSO |
.Sh SEE ALSO |
| |
.Xr gzip 1 , |
| .Xr rsh 1 , |
.Xr rsh 1 , |
| .Xr scp 1 , |
.Xr scp 1 , |
| .Xr sftp 1 , |
.Xr sftp 1 , |
|
|
| .Xr ssh-agent 1 , |
.Xr ssh-agent 1 , |
| .Xr ssh-keygen 1 , |
.Xr ssh-keygen 1 , |
| .Xr telnet 1 , |
.Xr telnet 1 , |
| |
.Xr hosts.equiv 5 , |
| .Xr ssh_config 5 , |
.Xr ssh_config 5 , |
| .Xr ssh-keysign 8 , |
.Xr ssh-keysign 8 , |
| .Xr sshd 8 |
.Xr sshd 8 |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh