version 1.175, 2003/07/22 13:35:22 |
version 1.175.2.2, 2004/08/19 22:37:32 |
|
|
.Nd OpenSSH SSH client (remote login program) |
.Nd OpenSSH SSH client (remote login program) |
.Sh SYNOPSIS |
.Sh SYNOPSIS |
.Nm ssh |
.Nm ssh |
.Op Fl l Ar login_name |
.Op Fl 1246AaCfgkMNnqsTtVvXxY |
.Ar hostname | user@hostname |
|
.Op Ar command |
|
.Pp |
|
.Nm ssh |
|
.Bk -words |
|
.Op Fl afgknqstvxACNTVX1246 |
|
.Op Fl b Ar bind_address |
.Op Fl b Ar bind_address |
.Op Fl c Ar cipher_spec |
.Op Fl c Ar cipher_spec |
|
.Bk -words |
|
.Op Fl D Ar port |
.Op Fl e Ar escape_char |
.Op Fl e Ar escape_char |
.Op Fl i Ar identity_file |
|
.Op Fl l Ar login_name |
|
.Op Fl m Ar mac_spec |
|
.Op Fl o Ar option |
|
.Op Fl p Ar port |
|
.Op Fl F Ar configfile |
.Op Fl F Ar configfile |
|
.Op Fl i Ar identity_file |
.Oo Fl L Xo |
.Oo Fl L Xo |
.Sm off |
.Sm off |
.Ar port : |
.Ar port : |
|
|
.Xc |
.Xc |
.Oc |
.Oc |
.Ek |
.Ek |
|
.Op Fl l Ar login_name |
|
.Op Fl m Ar mac_spec |
|
.Op Fl o Ar option |
.Bk -words |
.Bk -words |
|
.Op Fl p Ar port |
|
.Ek |
.Oo Fl R Xo |
.Oo Fl R Xo |
.Sm off |
.Sm off |
.Ar port : |
.Ar port : |
|
|
.Sm on |
.Sm on |
.Xc |
.Xc |
.Oc |
.Oc |
.Op Fl D Ar port |
.Op Fl S Ar ctl |
.Ar hostname | user@hostname |
.Oo Ar user Ns @ Oc Ns Ar hostname |
.Op Ar command |
.Op Ar command |
.Ek |
|
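Review bot: the rewritten SYNOPSIS still omits -I smartcard_device even though the option list documents it (`.It Fl I Ar smartcard_device`, "Specifies which smartcard device to use."); now that the synopsis has been extended with -M, -T, -Y in `.Op Fl 1246AaCfgkMNnqsTtVvXxY` and with `.Op Fl S Ar ctl`, add `.Op Fl I Ar smartcard_device` among the argument-taking options (for instance right after `.Op Fl F Ar configfile`) so the synopsis and the documented options agree. The same omission existed in the old synopsis, so this is the natural change in which to fix it.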
.Sh DESCRIPTION |
.Sh DESCRIPTION |
.Nm |
.Nm |
(SSH client) is a program for logging into a remote machine and for |
(SSH client) is a program for logging into a remote machine and for |
executing commands on a remote machine. |
executing commands on a remote machine. |
It is intended to replace |
It is intended to replace rlogin and rsh, |
rlogin and rsh, and provide secure encrypted communications between |
and provide secure encrypted communications between |
two untrusted hosts over an insecure network. |
two untrusted hosts over an insecure network. |
X11 connections and |
X11 connections and arbitrary TCP/IP ports |
arbitrary TCP/IP ports can also be forwarded over the secure channel. |
can also be forwarded over the secure channel. |
.Pp |
.Pp |
.Nm |
.Nm |
connects and logs into the specified |
connects and logs into the specified |
.Ar hostname . |
.Ar hostname |
|
(with optional |
|
.Ar user |
|
name). |
The user must prove |
The user must prove |
his/her identity to the remote machine using one of several methods |
his/her identity to the remote machine using one of several methods |
depending on the protocol version used: |
depending on the protocol version used. |
.Pp |
.Pp |
|
If |
|
.Ar command |
|
is specified, |
|
.Ar command |
|
is executed on the remote host instead of a login shell. |
.Ss SSH protocol version 1 |
.Ss SSH protocol version 1 |
.Pp |
|
First, if the machine the user logs in from is listed in |
First, if the machine the user logs in from is listed in |
.Pa /etc/hosts.equiv |
.Pa /etc/hosts.equiv |
or |
or |
|
|
on the remote machine, and the user names are |
on the remote machine, and the user names are |
the same on both sides, the user is immediately permitted to log in. |
the same on both sides, the user is immediately permitted to log in. |
Second, if |
Second, if |
.Pa \&.rhosts |
.Pa .rhosts |
or |
or |
.Pa \&.shosts |
.Pa .shosts |
exists in the user's home directory on the |
exists in the user's home directory on the |
remote machine and contains a line containing the name of the client |
remote machine and contains a line containing the name of the client |
machine and the name of the user on that machine, the user is |
machine and the name of the user on that machine, the user is |
|
|
allowed by the server because it is not secure. |
allowed by the server because it is not secure. |
.Pp |
.Pp |
The second authentication method is the |
The second authentication method is the |
.Pa rhosts |
.Em rhosts |
or |
or |
.Pa hosts.equiv |
.Em hosts.equiv |
method combined with RSA-based host authentication. |
method combined with RSA-based host authentication. |
It means that if the login would be permitted by |
It means that if the login would be permitted by |
.Pa $HOME/.rhosts , |
.Pa $HOME/.rhosts , |
|
|
.Pa $HOME/.ssh/known_hosts |
.Pa $HOME/.ssh/known_hosts |
in the |
in the |
.Sx FILES |
.Sx FILES |
section), only then login is permitted. |
section), only then is login permitted. |
This authentication method closes security holes due to IP |
This authentication method closes security holes due to IP |
spoofing, DNS spoofing and routing spoofing. |
spoofing, DNS spoofing and routing spoofing. |
[Note to the administrator: |
[Note to the administrator: |
|
|
The idea is that each user creates a public/private |
The idea is that each user creates a public/private |
key pair for authentication purposes. |
key pair for authentication purposes. |
The server knows the public key, and only the user knows the private key. |
The server knows the public key, and only the user knows the private key. |
|
.Pp |
The file |
The file |
.Pa $HOME/.ssh/authorized_keys |
.Pa $HOME/.ssh/authorized_keys |
lists the public keys that are permitted for logging |
lists the public keys that are permitted for logging in. |
in. |
|
When the user logs in, the |
When the user logs in, the |
.Nm |
.Nm |
program tells the server which key pair it would like to use for |
program tells the server which key pair it would like to use for |
authentication. |
authentication. |
The server checks if this key is permitted, and if |
The server checks if this key is permitted, and if so, |
so, sends the user (actually the |
sends the user (actually the |
.Nm |
.Nm |
program running on behalf of the user) a challenge, a random number, |
program running on behalf of the user) a challenge, a random number, |
encrypted by the user's public key. |
encrypted by the user's public key. |
The challenge can only be |
The challenge can only be decrypted using the proper private key. |
decrypted using the proper private key. |
The user's client then decrypts the challenge using the private key, |
The user's client then decrypts the |
proving that he/she knows the private key |
challenge using the private key, proving that he/she knows the private |
but without disclosing it to the server. |
key but without disclosing it to the server. |
|
.Pp |
.Pp |
.Nm |
.Nm |
implements the RSA authentication protocol automatically. |
implements the RSA authentication protocol automatically. |
|
|
.Xr ssh-keygen 1 . |
.Xr ssh-keygen 1 . |
This stores the private key in |
This stores the private key in |
.Pa $HOME/.ssh/identity |
.Pa $HOME/.ssh/identity |
and the public key in |
and stores the public key in |
.Pa $HOME/.ssh/identity.pub |
.Pa $HOME/.ssh/identity.pub |
in the user's home directory. |
in the user's home directory. |
The user should then copy the |
The user should then copy the |
|
|
file, and has one key |
file, and has one key |
per line, though the lines can be very long). |
per line, though the lines can be very long). |
After this, the user can log in without giving the password. |
After this, the user can log in without giving the password. |
RSA authentication is much |
RSA authentication is much more secure than |
more secure than rhosts authentication. |
.Em rhosts |
|
authentication. |
.Pp |
.Pp |
The most convenient way to use RSA authentication may be with an |
The most convenient way to use RSA authentication may be with an |
authentication agent. |
authentication agent. |
|
|
The password is sent to the remote |
The password is sent to the remote |
host for checking; however, since all communications are encrypted, |
host for checking; however, since all communications are encrypted, |
the password cannot be seen by someone listening on the network. |
the password cannot be seen by someone listening on the network. |
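Review bot: the sentence "the password cannot be seen by someone listening on the network" is true only when the server's host key has been verified; the Server authentication section below makes exactly that point when it says ssh "disables password authentication to prevent a trojan horse from getting the user's password" after a host key change. Add a cross-reference from this paragraph to that section and to StrictHostKeyChecking, so readers do not conclude that encryption alone protects the password from a server that is impersonating the real one.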
.Pp |
|
.Ss SSH protocol version 2 |
.Ss SSH protocol version 2 |
.Pp |
When a user connects using protocol version 2, |
When a user connects using protocol version 2 |
|
similar authentication methods are available. |
similar authentication methods are available. |
Using the default values for |
Using the default values for |
.Cm PreferredAuthentications , |
.Cm PreferredAuthentications , |
the client will try to authenticate first using the hostbased method; |
the client will try to authenticate first using the hostbased method; |
if this method fails public key authentication is attempted, |
if this method fails, public key authentication is attempted, |
and finally if this method fails keyboard-interactive and |
and finally if this method fails, keyboard-interactive and |
password authentication are tried. |
password authentication are tried. |
.Pp |
.Pp |
The public key method is similar to RSA authentication described |
The public key method is similar to RSA authentication described |
|
|
The session identifier is derived from a shared Diffie-Hellman value |
The session identifier is derived from a shared Diffie-Hellman value |
and is only known to the client and the server. |
and is only known to the client and the server. |
.Pp |
.Pp |
If public key authentication fails or is not available a password |
If public key authentication fails or is not available, a password |
can be sent encrypted to the remote host for proving the user's identity. |
can be sent encrypted to the remote host to prove the user's identity. |
.Pp |
.Pp |
Additionally, |
Additionally, |
.Nm |
.Nm |
supports hostbased or challenge response authentication. |
supports hostbased or challenge response authentication. |
.Pp |
.Pp |
Protocol 2 provides additional mechanisms for confidentiality |
Protocol 2 provides additional mechanisms for confidentiality |
(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) |
(the traffic is encrypted using AES, 3DES, Blowfish, CAST128 or Arcfour) |
and integrity (hmac-md5, hmac-sha1). |
and integrity (hmac-md5, hmac-sha1, hmac-ripemd160). |
Note that protocol 1 lacks a strong mechanism for ensuring the |
Note that protocol 1 lacks a strong mechanism for ensuring the |
integrity of the connection. |
integrity of the connection. |
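Review bot: the inline algorithm lists in this paragraph drift from the authoritative ones, and this change is itself an example: AES is added to "(the traffic is encrypted using AES, 3DES, Blowfish, CAST128 or Arcfour)" and hmac-ripemd160 to "(hmac-md5, hmac-sha1, hmac-ripemd160)", yet the -m mac_spec entry below still enumerates no MACs at all and the -c entry spells the same ciphers differently (3des-cbc, aes128-cbc, ...). Either replace the parentheticals with cross-references to -c / Ciphers and -m / MACs, or mirror the MAC list under -m, so the two places cannot disagree again.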
.Pp |
|
.Ss Login session and remote execution |
.Ss Login session and remote execution |
.Pp |
|
When the user's identity has been accepted by the server, the server |
When the user's identity has been accepted by the server, the server |
either executes the given command, or logs into the machine and gives |
either executes the given command, or logs into the machine and gives |
the user a normal shell on the remote machine. |
the user a normal shell on the remote machine. |
|
|
If a pseudo-terminal has been allocated (normal login session), the |
If a pseudo-terminal has been allocated (normal login session), the |
user may use the escape characters noted below. |
user may use the escape characters noted below. |
.Pp |
.Pp |
If no pseudo tty has been allocated, the |
If no pseudo-tty has been allocated, |
session is transparent and can be used to reliably transfer binary |
the session is transparent and can be used to reliably transfer binary data. |
data. |
|
On most systems, setting the escape character to |
On most systems, setting the escape character to |
.Dq none |
.Dq none |
will also make the session transparent even if a tty is used. |
will also make the session transparent even if a tty is used. |
.Pp |
.Pp |
The session terminates when the command or shell on the remote |
The session terminates when the command or shell on the remote |
machine exits and all X11 and TCP/IP connections have been closed. |
machine exits and all X11 and TCP/IP connections have been closed. |
The exit status of the remote program is returned as the exit status |
The exit status of the remote program is returned as the exit status of |
of |
|
.Nm ssh . |
.Nm ssh . |
.Pp |
|
.Ss Escape Characters |
.Ss Escape Characters |
|
When a pseudo-terminal has been requested, |
|
.Nm |
|
supports a number of functions through the use of an escape character. |
.Pp |
.Pp |
When a pseudo terminal has been requested, ssh supports a number of functions |
|
through the use of an escape character. |
|
.Pp |
|
A single tilde character can be sent as |
A single tilde character can be sent as |
.Ic ~~ |
.Ic ~~ |
or by following the tilde by a character other than those described below. |
or by following the tilde by a character other than those described below. |
|
|
are: |
are: |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Cm ~. |
.It Cm ~. |
Disconnect |
Disconnect. |
.It Cm ~^Z |
.It Cm ~^Z |
Background ssh |
Background |
|
.Nm ssh . |
.It Cm ~# |
.It Cm ~# |
List forwarded connections |
List forwarded connections. |
.It Cm ~& |
.It Cm ~& |
Background ssh at logout when waiting for forwarded connection / X11 sessions |
Background |
to terminate |
.Nm |
|
at logout when waiting for forwarded connection / X11 sessions to terminate. |
.It Cm ~? |
.It Cm ~? |
Display a list of escape characters |
Display a list of escape characters. |
.It Cm ~B |
.It Cm ~B |
Send a BREAK to the remote system (only useful for SSH protocol version 2 |
Send a BREAK to the remote system |
and if the peer supports it) |
(only useful for SSH protocol version 2 and if the peer supports it). |
.It Cm ~C |
.It Cm ~C |
Open command line (only useful for adding port forwardings using the |
Open command line. |
|
Currently this allows the addition of port forwardings using the |
.Fl L |
.Fl L |
and |
and |
.Fl R |
.Fl R |
options) |
options (see below). |
|
It also allows the cancellation of existing remote port-forwardings |
|
using |
|
.Fl KR Ar hostport . |
|
Basic help is available, using the |
|
.Fl h |
|
option. |
.It Cm ~R |
.It Cm ~R |
Request rekeying of the connection (only useful for SSH protocol version 2 |
Request rekeying of the connection |
and if the peer supports it) |
(only useful for SSH protocol version 2 and if the peer supports it). |
.El |
.El |
.Pp |
|
.Ss X11 and TCP forwarding |
.Ss X11 and TCP forwarding |
.Pp |
|
If the |
If the |
.Cm ForwardX11 |
.Cm ForwardX11 |
variable is set to |
variable is set to |
.Dq yes |
.Dq yes |
(or, see the description of the |
(or see the description of the |
.Fl X |
.Fl X |
and |
and |
.Fl x |
.Fl x |
|
|
.Ev DISPLAY |
.Ev DISPLAY |
value set by |
value set by |
.Nm |
.Nm |
will point to the server machine, but with a display number greater |
will point to the server machine, but with a display number greater than zero. |
than zero. |
|
This is normal, and happens because |
This is normal, and happens because |
.Nm |
.Nm |
creates a |
creates a |
|
|
.Cm ForwardAgent |
.Cm ForwardAgent |
variable is set to |
variable is set to |
.Dq yes |
.Dq yes |
(or, see the description of the |
(or see the description of the |
.Fl A |
.Fl A |
and |
and |
.Fl a |
.Fl a |
|
|
be specified either on the command line or in a configuration file. |
be specified either on the command line or in a configuration file. |
One possible application of TCP/IP forwarding is a secure connection to an |
One possible application of TCP/IP forwarding is a secure connection to an |
electronic purse; another is going through firewalls. |
electronic purse; another is going through firewalls. |
.Pp |
|
.Ss Server authentication |
.Ss Server authentication |
.Pp |
|
.Nm |
.Nm |
automatically maintains and checks a database containing |
automatically maintains and checks a database containing |
identifications for all hosts it has ever been used with. |
identifications for all hosts it has ever been used with. |
|
|
.Pa /etc/ssh/ssh_known_hosts |
.Pa /etc/ssh/ssh_known_hosts |
is automatically checked for known hosts. |
is automatically checked for known hosts. |
Any new hosts are automatically added to the user's file. |
Any new hosts are automatically added to the user's file. |
If a host's identification |
If a host's identification ever changes, |
ever changes, |
|
.Nm |
.Nm |
warns about this and disables password authentication to prevent a |
warns about this and disables password authentication to prevent a |
trojan horse from getting the user's password. |
trojan horse from getting the user's password. |
Another purpose of |
Another purpose of this mechanism is to prevent man-in-the-middle attacks |
this mechanism is to prevent man-in-the-middle attacks which could |
which could otherwise be used to circumvent the encryption. |
otherwise be used to circumvent the encryption. |
|
The |
The |
.Cm StrictHostKeyChecking |
.Cm StrictHostKeyChecking |
option can be used to prevent logins to machines whose |
option can be used to prevent logins to machines whose |
host key is not known or has changed. |
host key is not known or has changed. |
.Pp |
.Pp |
|
.Nm |
|
can be configured to verify host identification using fingerprint resource |
|
records (SSHFP) published in DNS. |
|
The |
|
.Cm VerifyHostKeyDNS |
|
option can be used to control how DNS lookups are performed. |
|
SSHFP resource records can be generated using |
|
.Xr ssh-keygen 1 . |
|
.Pp |
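Review bot: the new VerifyHostKeyDNS paragraph does not say how much trust an SSHFP answer receives. The DESCRIPTION earlier credits host key checking with closing holes "due to IP spoofing, DNS spoofing and routing spoofing", and the paragraph just above says the known_hosts mechanism exists "to prevent man-in-the-middle attacks", so a reader will want to know whether an SSHFP record fetched over unauthenticated DNS can by itself satisfy the host key check. State here, or by cross-reference to VerifyHostKeyDNS in ssh_config(5), that only a DNSSEC-validated answer should be treated as authoritative and that an unvalidated match is at most a hint, and keep the pointer to ssh-keygen(1) for generating the records.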
The options are as follows: |
The options are as follows: |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Fl a |
.It Fl 1 |
Disables forwarding of the authentication agent connection. |
Forces |
|
.Nm |
|
to try protocol version 1 only. |
|
.It Fl 2 |
|
Forces |
|
.Nm |
|
to try protocol version 2 only. |
|
.It Fl 4 |
|
Forces |
|
.Nm |
|
to use IPv4 addresses only. |
|
.It Fl 6 |
|
Forces |
|
.Nm |
|
to use IPv6 addresses only. |
.It Fl A |
.It Fl A |
Enables forwarding of the authentication agent connection. |
Enables forwarding of the authentication agent connection. |
This can also be specified on a per-host basis in a configuration file. |
This can also be specified on a per-host basis in a configuration file. |
|
|
An attacker cannot obtain key material from the agent, |
An attacker cannot obtain key material from the agent, |
however they can perform operations on the keys that enable them to |
however they can perform operations on the keys that enable them to |
authenticate using the identities loaded into the agent. |
authenticate using the identities loaded into the agent. |
|
.It Fl a |
|
Disables forwarding of the authentication agent connection. |
.It Fl b Ar bind_address |
.It Fl b Ar bind_address |
Specify the interface to transmit from on machines with multiple |
Specify the interface to transmit from on machines with multiple |
interfaces or aliased addresses. |
interfaces or aliased addresses. |
.It Fl c Ar blowfish|3des|des |
.It Fl C |
Selects the cipher to use for encrypting the session. |
Requests compression of all data (including stdin, stdout, stderr, and |
|
data for forwarded X11 and TCP/IP connections). |
|
The compression algorithm is the same used by |
|
.Xr gzip 1 , |
|
and the |
|
.Dq level |
|
can be controlled by the |
|
.Cm CompressionLevel |
|
option for protocol version 1. |
|
Compression is desirable on modem lines and other |
|
slow connections, but will only slow down things on fast networks. |
|
The default value can be set on a host-by-host basis in the |
|
configuration files; see the |
|
.Cm Compression |
|
option. |
|
.It Fl c Ar cipher_spec |
|
Selects the cipher specification for encrypting the session. |
|
.Pp |
|
Protocol version 1 allows specification of a single cipher. |
|
The suported values are |
|
.Dq 3des , |
|
.Dq blowfish |
|
and |
|
.Dq des . |
.Ar 3des |
.Ar 3des |
is used by default. |
|
It is believed to be secure. |
|
.Ar 3des |
|
(triple-des) is an encrypt-decrypt-encrypt triple with three different keys. |
(triple-des) is an encrypt-decrypt-encrypt triple with three different keys. |
|
It is believed to be secure. |
.Ar blowfish |
.Ar blowfish |
is a fast block cipher, it appears very secure and is much faster than |
is a fast block cipher; it appears very secure and is much faster than |
.Ar 3des . |
.Ar 3des . |
.Ar des |
.Ar des |
is only supported in the |
is only supported in the |
|
|
.Ar 3des |
.Ar 3des |
cipher. |
cipher. |
Its use is strongly discouraged due to cryptographic weaknesses. |
Its use is strongly discouraged due to cryptographic weaknesses. |
.It Fl c Ar cipher_spec |
The default is |
Additionally, for protocol version 2 a comma-separated list of ciphers can |
.Dq 3des . |
be specified in order of preference. |
.Pp |
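Review bot: typo in the rewritten -c cipher_spec entry: "The suported values are" should read "The supported values are". The rest of the protocol 1 text reads well after the reordering (3des described once, the default stated once as "The default is 3des.").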
See |
For protocol version 2 |
.Cm Ciphers |
.Ar cipher_spec |
for more information. |
is a comma-separated list of ciphers |
.It Fl e Ar ch|^ch|none |
listed in order of preference. |
|
The supported ciphers are |
|
.Dq 3des-cbc , |
|
.Dq aes128-cbc , |
|
.Dq aes192-cbc , |
|
.Dq aes256-cbc , |
|
.Dq aes128-ctr , |
|
.Dq aes192-ctr , |
|
.Dq aes256-ctr , |
|
.Dq arcfour , |
|
.Dq blowfish-cbc , |
|
and |
|
.Dq cast128-cbc . |
|
The default is |
|
.Bd -literal |
|
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
|
aes192-cbc,aes256-cbc'' |
|
.Ed |
|
.It Fl D Ar port |
|
Specifies a local |
|
.Dq dynamic |
|
application-level port forwarding. |
|
This works by allocating a socket to listen to |
|
.Ar port |
|
on the local side, and whenever a connection is made to this port, the |
|
connection is forwarded over the secure channel, and the application |
|
protocol is then used to determine where to connect to from the |
|
remote machine. |
|
Currently the SOCKS4 and SOCKS5 protocols are supported, and |
|
.Nm |
|
will act as a SOCKS server. |
|
Only root can forward privileged ports. |
|
Dynamic port forwardings can also be specified in the configuration file. |
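Review bot: the -D port entry says ssh "will act as a SOCKS server" and that "Only root can forward privileged ports", but not who can reach the listener. Since -g "Allows remote hosts to connect to local forwarded ports" and GatewayPorts appears in the -o option list, say here whether the dynamic SOCKS port is bound to the loopback interface unless -g or GatewayPorts is given, so that users do not unknowingly expose a proxy into the remote network to other hosts; the same cross-reference would help the -L entry.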
|
.It Fl e Ar ch | ^ch | none |
Sets the escape character for sessions with a pty (default: |
Sets the escape character for sessions with a pty (default: |
.Ql ~ ) . |
.Ql ~ ) . |
The escape character is only recognized at the beginning of a line. |
The escape character is only recognized at the beginning of a line. |
The escape character followed by a dot |
The escape character followed by a dot |
.Pq Ql \&. |
.Pq Ql \&. |
closes the connection, followed |
closes the connection; |
by control-Z suspends the connection, and followed by itself sends the |
followed by control-Z suspends the connection; |
escape character once. |
and followed by itself sends the escape character once. |
Setting the character to |
Setting the character to |
.Dq none |
.Dq none |
disables any escapes and makes the session fully transparent. |
disables any escapes and makes the session fully transparent. |
|
.It Fl F Ar configfile |
|
Specifies an alternative per-user configuration file. |
|
If a configuration file is given on the command line, |
|
the system-wide configuration file |
|
.Pq Pa /etc/ssh/ssh_config |
|
will be ignored. |
|
The default for the per-user configuration file is |
|
.Pa $HOME/.ssh/config . |
.It Fl f |
.It Fl f |
Requests |
Requests |
.Nm |
.Nm |
|
|
.Ic ssh -f host xterm . |
.Ic ssh -f host xterm . |
.It Fl g |
.It Fl g |
Allows remote hosts to connect to local forwarded ports. |
Allows remote hosts to connect to local forwarded ports. |
|
.It Fl I Ar smartcard_device |
|
Specifies which smartcard device to use. |
|
The argument is the device |
|
.Nm |
|
should use to communicate with a smartcard used for storing the user's |
|
private RSA key. |
.It Fl i Ar identity_file |
.It Fl i Ar identity_file |
Selects a file from which the identity (private key) for |
Selects a file from which the identity (private key) for |
RSA or DSA authentication is read. |
RSA or DSA authentication is read. |
|
|
.Fl i |
.Fl i |
options (and multiple identities specified in |
options (and multiple identities specified in |
configuration files). |
configuration files). |
.It Fl I Ar smartcard_device |
|
Specifies which smartcard device to use. |
|
The argument is the device |
|
.Nm |
|
should use to communicate with a smartcard used for storing the user's |
|
private RSA key. |
|
.It Fl k |
.It Fl k |
Disables forwarding of Kerberos tickets. |
Disables forwarding (delegation) of GSSAPI credentials to the server. |
This may also be specified on a per-host basis in the configuration file. |
.It Fl L Xo |
|
.Sm off |
|
.Ar port : host : hostport |
|
.Sm on |
|
.Xc |
|
Specifies that the given port on the local (client) host is to be |
|
forwarded to the given host and port on the remote side. |
|
This works by allocating a socket to listen to |
|
.Ar port |
|
on the local side, and whenever a connection is made to this port, the |
|
connection is forwarded over the secure channel, and a connection is |
|
made to |
|
.Ar host |
|
port |
|
.Ar hostport |
|
from the remote machine. |
|
Port forwardings can also be specified in the configuration file. |
|
Only root can forward privileged ports. |
|
IPv6 addresses can be specified with an alternative syntax: |
|
.Sm off |
|
.Xo |
|
.Ar port No / Ar host No / |
|
.Ar hostport . |
|
.Xc |
|
.Sm on |
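Review bot: the -k entry lost its second sentence in the rewrite: the old "Disables forwarding of Kerberos tickets." was followed by "This may also be specified on a per-host basis in the configuration file.", while the new "Disables forwarding (delegation) of GSSAPI credentials to the server." stands alone. Keep the per-host sentence and point it at GSSAPIDelegateCredentials (already named in the -o option list below), since delegating credentials to a server is precisely the kind of setting users want to restrict to particular hosts.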
.It Fl l Ar login_name |
.It Fl l Ar login_name |
Specifies the user to log in as on the remote machine. |
Specifies the user to log in as on the remote machine. |
This also may be specified on a per-host basis in the configuration file. |
This also may be specified on a per-host basis in the configuration file. |
|
.It Fl M |
|
Places the |
|
.Nm |
|
client into |
|
.Dq master |
|
mode for connection sharing. |
|
Refer to the description of |
|
.Cm ControlMaster |
|
in |
|
.Xr ssh_config 5 |
|
for details. |
.It Fl m Ar mac_spec |
.It Fl m Ar mac_spec |
Additionally, for protocol version 2 a comma-separated list of MAC |
Additionally, for protocol version 2 a comma-separated list of MAC |
(message authentication code) algorithms can |
(message authentication code) algorithms can |
|
|
See the |
See the |
.Cm MACs |
.Cm MACs |
keyword for more information. |
keyword for more information. |
|
.It Fl N |
|
Do not execute a remote command. |
|
This is useful for just forwarding ports |
|
(protocol version 2 only). |
.It Fl n |
.It Fl n |
Redirects stdin from |
Redirects stdin from |
.Pa /dev/null |
.Pa /dev/null |
|
|
needs to ask for a password or passphrase; see also the |
needs to ask for a password or passphrase; see also the |
.Fl f |
.Fl f |
option.) |
option.) |
.It Fl N |
|
Do not execute a remote command. |
|
This is useful for just forwarding ports |
|
(protocol version 2 only). |
|
.It Fl o Ar option |
.It Fl o Ar option |
Can be used to give options in the format used in the configuration file. |
Can be used to give options in the format used in the configuration file. |
This is useful for specifying options for which there is no separate |
This is useful for specifying options for which there is no separate |
command-line flag. |
command-line flag. |
|
For full details of the options listed below, and their possible values, see |
|
.Xr ssh_config 5 . |
|
.Pp |
|
.Bl -tag -width Ds -offset indent -compact |
|
.It AddressFamily |
|
.It BatchMode |
|
.It BindAddress |
|
.It ChallengeResponseAuthentication |
|
.It CheckHostIP |
|
.It Cipher |
|
.It Ciphers |
|
.It ClearAllForwardings |
|
.It Compression |
|
.It CompressionLevel |
|
.It ConnectionAttempts |
|
.It ConnectTimeout |
|
.It ControlMaster |
|
.It ControlPath |
|
.It DynamicForward |
|
.It EscapeChar |
|
.It ForwardAgent |
|
.It ForwardX11 |
|
.It ForwardX11Trusted |
|
.It GatewayPorts |
|
.It GlobalKnownHostsFile |
|
.It GSSAPIAuthentication |
|
.It GSSAPIDelegateCredentials |
|
.It Host |
|
.It HostbasedAuthentication |
|
.It HostKeyAlgorithms |
|
.It HostKeyAlias |
|
.It HostName |
|
.It IdentityFile |
|
.It IdentitiesOnly |
|
.It LocalForward |
|
.It LogLevel |
|
.It MACs |
|
.It NoHostAuthenticationForLocalhost |
|
.It NumberOfPasswordPrompts |
|
.It PasswordAuthentication |
|
.It Port |
|
.It PreferredAuthentications |
|
.It Protocol |
|
.It ProxyCommand |
|
.It PubkeyAuthentication |
|
.It RemoteForward |
|
.It RhostsRSAAuthentication |
|
.It RSAAuthentication |
|
.It SendEnv |
|
.It ServerAliveInterval |
|
.It ServerAliveCountMax |
|
.It SmartcardDevice |
|
.It StrictHostKeyChecking |
|
.It TCPKeepAlive |
|
.It UsePrivilegedPort |
|
.It User |
|
.It UserKnownHostsFile |
|
.It VerifyHostKeyDNS |
|
.It XAuthLocation |
|
.El |
.It Fl p Ar port |
.It Fl p Ar port |
Port to connect to on the remote host. |
Port to connect to on the remote host. |
This can be specified on a |
This can be specified on a |
|
|
.It Fl q |
.It Fl q |
Quiet mode. |
Quiet mode. |
Causes all warning and diagnostic messages to be suppressed. |
Causes all warning and diagnostic messages to be suppressed. |
|
.It Fl R Xo |
|
.Sm off |
|
.Ar port : host : hostport |
|
.Sm on |
|
.Xc |
|
Specifies that the given port on the remote (server) host is to be |
|
forwarded to the given host and port on the local side. |
|
This works by allocating a socket to listen to |
|
.Ar port |
|
on the remote side, and whenever a connection is made to this port, the |
|
connection is forwarded over the secure channel, and a connection is |
|
made to |
|
.Ar host |
|
port |
|
.Ar hostport |
|
from the local machine. |
|
Port forwardings can also be specified in the configuration file. |
|
Privileged ports can be forwarded only when |
|
logging in as root on the remote machine. |
|
IPv6 addresses can be specified with an alternative syntax: |
|
.Sm off |
|
.Xo |
|
.Ar port No / Ar host No / |
|
.Ar hostport . |
|
.Xc |
|
.Sm on |
|
.It Fl S Ar ctl |
|
Specifies the location of a control socket for connection sharing. |
|
Refer to the description of |
|
.Cm ControlPath |
|
and |
|
.Cm ControlMaster |
|
in |
|
.Xr ssh_config 5 |
|
for details. |
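Review bot: the new -M and -S ctl entries describe connection sharing only by reference to ControlMaster and ControlPath in ssh_config(5), without the security caveat that the control socket is a second way into the authenticated session: a process that can connect to the socket can open channels over the master connection without authenticating again. The page already makes the analogous point for the agent socket under -A ("Users with the ability to bypass file permissions ... can access the local agent"); add one sentence here saying the socket must live in a directory writable only by the user, or cross-reference the place in ControlPath that states it.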
.It Fl s |
.It Fl s |
May be used to request invocation of a subsystem on the remote system. |
May be used to request invocation of a subsystem on the remote system. |
Subsystems are a feature of the SSH2 protocol which facilitate the use |
Subsystems are a feature of the SSH2 protocol which facilitate the use |
of SSH as a secure transport for other applications (eg. sftp). |
of SSH as a secure transport for other applications (eg.\& |
|
.Xr sftp 1 ) . |
The subsystem is specified as the remote command. |
The subsystem is specified as the remote command. |
|
.It Fl T |
|
Disable pseudo-tty allocation. |
.It Fl t |
.It Fl t |
Force pseudo-tty allocation. |
Force pseudo-tty allocation. |
This can be used to execute arbitrary |
This can be used to execute arbitrary |
|
|
options force tty allocation, even if |
options force tty allocation, even if |
.Nm |
.Nm |
has no local tty. |
has no local tty. |
.It Fl T |
.It Fl V |
Disable pseudo-tty allocation. |
Display the version number and exit. |
.It Fl v |
.It Fl v |
Verbose mode. |
Verbose mode. |
Causes |
Causes |
|
|
.Fl v |
.Fl v |
options increase the verbosity. |
options increase the verbosity. |
The maximum is 3. |
The maximum is 3. |
.It Fl V |
|
Display the version number and exit. |
|
.It Fl x |
|
Disables X11 forwarding. |
|
.It Fl X |
.It Fl X |
Enables X11 forwarding. |
Enables X11 forwarding. |
This can also be specified on a per-host basis in a configuration file. |
This can also be specified on a per-host basis in a configuration file. |
|
|
(for the user's X authorization database) |
(for the user's X authorization database) |
can access the local X11 display through the forwarded connection. |
can access the local X11 display through the forwarded connection. |
An attacker may then be able to perform activities such as keystroke monitoring. |
An attacker may then be able to perform activities such as keystroke monitoring. |
.It Fl C |
.It Fl x |
Requests compression of all data (including stdin, stdout, stderr, and |
Disables X11 forwarding. |
data for forwarded X11 and TCP/IP connections). |
.It Fl Y |
The compression algorithm is the same used by |
Enables trusted X11 forwarding. |
.Xr gzip 1 , |
|
and the
.Dq level
can be controlled by the
.Cm CompressionLevel
option for protocol version 1.
Compression is desirable on modem lines and other
slow connections, but will only slow things down on fast networks.
The default value can be set on a host-by-host basis in the
configuration files; see the
.Cm Compression
option.
.It Fl F Ar configfile
Specifies an alternative per-user configuration file.
If a configuration file is given on the command line,
the system-wide configuration file
.Pq Pa /etc/ssh/ssh_config
will be ignored.
The default for the per-user configuration file is
.Pa $HOME/.ssh/config .
.It Fl L Ar port:host:hostport
Specifies that the given port on the local (client) host is to be
forwarded to the given host and port on the remote side.
This works by allocating a socket to listen to
.Ar port
on the local side, and whenever a connection is made to this port, the
connection is forwarded over the secure channel, and a connection is
made to
.Ar host
port
.Ar hostport
from the remote machine.
Port forwardings can also be specified in the configuration file.
Only root can forward privileged ports.
IPv6 addresses can be specified with an alternative syntax:
.Ar port/host/hostport
.It Fl R Ar port:host:hostport
Specifies that the given port on the remote (server) host is to be
forwarded to the given host and port on the local side.
This works by allocating a socket to listen to
.Ar port
on the remote side, and whenever a connection is made to this port, the
connection is forwarded over the secure channel, and a connection is
made to
.Ar host
port
.Ar hostport
from the local machine.
Port forwardings can also be specified in the configuration file.
Privileged ports can be forwarded only when
logging in as root on the remote machine.
IPv6 addresses can be specified with an alternative syntax:
.Ar port/host/hostport
.It Fl D Ar port
Specifies a local
.Dq dynamic
application-level port forwarding.
This works by allocating a socket to listen to
.Ar port
on the local side, and whenever a connection is made to this port, the
connection is forwarded over the secure channel, and the application
protocol is then used to determine where to connect to from the
remote machine.
Currently the SOCKS4 and SOCKS5 protocols are supported, and
.Nm
will act as a SOCKS server.
Only root can forward privileged ports.
Dynamic port forwardings can also be specified in the configuration file.
.It Fl 1
Forces
.Nm
to try protocol version 1 only.
.It Fl 2
Forces
.Nm
to try protocol version 2 only.
.It Fl 4
Forces
.Nm
to use IPv4 addresses only.
.It Fl 6
Forces
.Nm
to use IPv6 addresses only.
.El
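The forwarding specifications accepted by -L, -R and -D above follow a small grammar: port:host:hostport, the alternative port/host/hostport form for IPv6 hosts, or a bare port for -D, with the rule that a privileged listening port needs root on whichever side listens. The following script is an added example, not code from the OpenSSH man page or source tree: it validates a specification before ssh ever sees it, rejects the colon form when the host is a literal IPv6 address (the case the slash syntax exists for), applies the privileged-port rule from the text, and prints the resulting ssh command line. The target user@gateway, the -N flag to skip a remote command, and the optional uid argument (so the root rule can be exercised without being root) are assumptions of the example.

```shell
#!/bin/sh
# Added example; not part of the OpenSSH man page or source.  It checks an
# ssh(1) forwarding specification (port:host:hostport, or the IPv6 form
# port/host/hostport) and builds the -L / -R / -D command line, applying
# the privileged-port rules the man page states.  It never runs ssh.

# parse_forward SPEC -> prints "port host hostport", or fails.
parse_forward() {
    spec=$1
    case $spec in
        */*/*)                     # IPv6-safe slash syntax
            port=${spec%%/*}; rest=${spec#*/}
            host=${rest%/*};   hostport=${rest##*/} ;;
        *:*:*:*)                   # a literal IPv6 host makes colons ambiguous
            echo "ambiguous '$spec': use port/host/hostport for IPv6" >&2
            return 1 ;;
        *:*:*)                     # classic colon syntax
            port=${spec%%:*}; rest=${spec#*:}
            host=${rest%:*};  hostport=${rest#*:} ;;
        *)  echo "malformed forwarding spec '$spec'" >&2; return 1 ;;
    esac
    [ -n "$host" ] || { echo "empty host in '$spec'" >&2; return 1; }
    for p in "$port" "$hostport"; do
        valid_port "$p" || { echo "bad port '$p' in '$spec'" >&2; return 1; }
    done
    echo "$port $host $hostport"
}

# valid_port N -> true if N is an integer in 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_ssh_forward KIND SPEC TARGET [UID]
#   KIND is L (local), R (remote) or D (dynamic SOCKS).  UID defaults to
#   the caller's uid; it is a parameter only so the rule can be exercised
#   without running as root (assumption of this example).
build_ssh_forward() {
    kind=$1; spec=$2; target=$3; uid=${4:-$(id -u)}
    case $kind in
        D)   valid_port "$spec" || { echo "bad port '$spec'" >&2; return 1; }
             listen=$spec ;;
        L|R) parsed=$(parse_forward "$spec") || return 1
             listen=${parsed%% *} ;;
        *)   echo "kind must be L, R or D" >&2; return 1 ;;
    esac
    if [ "$listen" -lt 1024 ]; then
        if [ "$kind" = R ]; then
            # the listener lives on the server: root is needed there, not here
            echo "note: port $listen on the remote side requires logging in as root" >&2
        elif [ "$uid" -ne 0 ]; then
            echo "port $listen is privileged; only root can forward it" >&2
            return 1
        fi
    fi
    echo "ssh -N -$kind $spec $target"
}

# Usage (user@gateway is a placeholder); the last call is rejected
# because the colon form cannot be split around a literal IPv6 address.
build_ssh_forward L 8080:localhost:80 user@gateway 1000
build_ssh_forward D 1080 user@gateway 1000
build_ssh_forward L 8080/::1/80 user@gateway 1000
build_ssh_forward L 8080:::1:80 user@gateway 1000 || echo "rejected" >&2
```

The colon case is the one worth remembering: `8080:::1:80` is not split by ssh into anything useful, so a script that builds forwardings from user input should switch to the slash form as soon as the host contains a colon.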
.Sh CONFIGURATION FILES
.Nm

.Sh ENVIRONMENT
.Nm
will normally set the following environment variables:
.Bl -tag -width LOGNAME
.It Ev DISPLAY
The
.Ev DISPLAY

to point to a value of the form
.Dq hostname:n
where hostname indicates
the host where the shell runs, and n is an integer \*(Ge 1.
.Nm
uses this special value to forward X11 connections over the secure
channel.

.Dq VARNAME=value
to the environment if the file exists and if users are allowed to
change their environment.
For more information, see the
.Cm PermitUserEnvironment
option in
.Xr sshd_config 5 .

identity file in human-readable form).
The contents of the
.Pa $HOME/.ssh/identity.pub
file should be added to the file
.Pa $HOME/.ssh/authorized_keys
on all machines
where the user wishes to log in using protocol version 1 RSA authentication.

This is the per-user configuration file.
The file format and configuration options are described in
.Xr ssh_config 5 .
Because of the potential for abuse, this file must have strict permissions:
read/write for the user, and not accessible by others.
.It Pa $HOME/.ssh/authorized_keys
Lists the public keys (RSA/DSA) that can be used for logging in as this user.
The format of this file is described in the
.Xr sshd 8
manual page.
In the simplest form the format is the same as the
.Pa .pub
identity files.
This file is not highly sensitive, but the recommended
permissions are read/write for the user, and not accessible by others.

When different names are used
for the same machine, all such names should be listed, separated by
commas.
The format is described in the
.Xr sshd 8
manual page.
.Pp

is not setuid root.
.It Pa $HOME/.rhosts
This file is used in
.Em rhosts
authentication to list the
host/user pairs that are permitted to log in.
(Note that this file is

Note that by default
.Xr sshd 8
will be installed so that it requires successful RSA host
authentication before permitting
.Em rhosts
authentication.
If the server machine does not have the client's host key in
.Pa /etc/ssh/ssh_known_hosts ,
it can be stored in

.Pa $HOME/.ssh/known_hosts .
.It Pa $HOME/.shosts
This file is used exactly the same way as
.Pa .rhosts .
The purpose for
having this file is to be able to use rhosts authentication with
.Nm
without permitting login with
.Xr rlogin
or
.Xr rsh 1 .
.It Pa /etc/hosts.equiv
This file is used during
.Em rhosts
authentication.
It contains
canonical host names, one per line (the full format is described in the
.Xr sshd 8
manual page).
If the client host is found in this file, login is

exits with the exit status of the remote command or with 255
if an error occurred.
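The FILES section above states two permission rules: $HOME/.ssh/config must be readable and writable by the user only, and the same mode is the recommended one for $HOME/.ssh/authorized_keys (a config file that others can write lets them redirect your connections, inject options, or point ssh at a different identity). The script below is an added example, not code from the OpenSSH man page or source: it audits both files using only ls(1), cut(1), awk(1) and id(1), so it runs on any POSIX system, reports the offending mode, and offers a fix that satisfies both rules. The directory defaults to $HOME/.ssh; the SSH_DIR override and the helper names are assumptions of the example.

```shell
#!/bin/sh
# Added example; not from the OpenSSH man page or source.  It audits the
# per-user ssh files the FILES section describes: config must be owner
# read/write only, and the same mode is recommended for authorized_keys.
# Only POSIX tools are used (ls -ldn for owner uid and mode bits).

# file_mode FILE -> the nine permission characters, e.g. rw-------
file_mode() {
    ls -ld "$1" | cut -c2-10
}

# private_file FILE -> true if FILE is a regular, non-symlink file owned
# by the caller with no group or other permission bits set.
private_file() {
    f=$1
    if [ -L "$f" ]; then
        echo "$f: is a symlink" >&2; return 1
    fi
    if [ ! -f "$f" ]; then
        echo "$f: not a regular file" >&2; return 1
    fi
    owner=$(ls -ldn "$f" | awk '{print $3}')
    if [ "$owner" != "$(id -u)" ]; then
        echo "$f: owned by uid $owner, not uid $(id -u)" >&2; return 1
    fi
    mode=$(file_mode "$f")
    case $mode in
        ???------) return 0 ;;
        *) echo "$f: mode $mode is accessible by group/other" >&2; return 1 ;;
    esac
}

# check_ssh_dir DIR -> checks DIR/config and DIR/authorized_keys when they
# exist; prints one line per file and returns the number of problems.
check_ssh_dir() {
    dir=$1; bad=0
    for name in config authorized_keys; do
        f=$dir/$name
        [ -e "$f" ] || continue
        if private_file "$f"; then
            echo "ok   $f ($(file_mode "$f"))"
        else
            echo "FAIL $f ($(file_mode "$f"))"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# fix_ssh_file FILE -> tighten to rw------- (0600), which satisfies both
# the mandatory rule for config and the recommendation for authorized_keys,
# then re-check so ownership problems are still reported.
fix_ssh_file() {
    chmod 600 "$1" && private_file "$1"
}

# Usage: SSH_DIR is an assumed override for testing; default is ~/.ssh.
check_ssh_dir "${SSH_DIR:-$HOME/.ssh}" || echo "run fix_ssh_file on each FAIL line" >&2
```

Note that chmod alone does not repair a file owned by someone else; the re-check in fix_ssh_file keeps reporting that case, which is the one that actually indicates tampering rather than a sloppy umask.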
.Sh SEE ALSO
.Xr gzip 1 ,
.Xr rsh 1 ,
.Xr scp 1 ,
.Xr sftp 1 ,

.Xr ssh-agent 1 ,
.Xr ssh-keygen 1 ,
.Xr telnet 1 ,
.Xr hosts.equiv 5 ,
.Xr ssh_config 5 ,
.Xr ssh-keysign 8 ,
.Xr sshd 8