version 1.175.2.1, 2004/02/28 03:51:34 |
version 1.175.2.2, 2004/08/19 22:37:32 |
|
|
.Nd OpenSSH SSH client (remote login program) |
.Nd OpenSSH SSH client (remote login program) |
.Sh SYNOPSIS |
.Sh SYNOPSIS |
.Nm ssh |
.Nm ssh |
.Op Fl 1246AaCfgkNnqsTtVvXxY |
.Op Fl 1246AaCfgkMNnqsTtVvXxY |
.Op Fl b Ar bind_address |
.Op Fl b Ar bind_address |
.Op Fl c Ar cipher_spec |
.Op Fl c Ar cipher_spec |
|
.Bk -words |
.Op Fl D Ar port |
.Op Fl D Ar port |
.Op Fl e Ar escape_char |
.Op Fl e Ar escape_char |
.Op Fl F Ar configfile |
.Op Fl F Ar configfile |
.Op Fl i Ar identity_file |
.Op Fl i Ar identity_file |
.Bk -words |
|
.Oo Fl L Xo |
.Oo Fl L Xo |
.Sm off |
.Sm off |
.Ar port : |
.Ar port : |
|
|
.Sm on |
.Sm on |
.Xc |
.Xc |
.Oc |
.Oc |
|
.Op Fl S Ar ctl |
.Oo Ar user Ns @ Oc Ns Ar hostname |
.Oo Ar user Ns @ Oc Ns Ar hostname |
.Op Ar command |
.Op Ar command |
.Sh DESCRIPTION |
.Sh DESCRIPTION |
|
|
supports hostbased or challenge response authentication. |
supports hostbased or challenge response authentication. |
.Pp |
.Pp |
Protocol 2 provides additional mechanisms for confidentiality |
Protocol 2 provides additional mechanisms for confidentiality |
(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) |
(the traffic is encrypted using AES, 3DES, Blowfish, CAST128 or Arcfour) |
and integrity (hmac-md5, hmac-sha1). |
and integrity (hmac-md5, hmac-sha1, hmac-ripemd160). |
Note that protocol 1 lacks a strong mechanism for ensuring the |
Note that protocol 1 lacks a strong mechanism for ensuring the |
integrity of the connection. |
integrity of the connection. |
.Ss Login session and remote execution |
.Ss Login session and remote execution |
|
|
Send a BREAK to the remote system |
Send a BREAK to the remote system |
(only useful for SSH protocol version 2 and if the peer supports it). |
(only useful for SSH protocol version 2 and if the peer supports it). |
.It Cm ~C |
.It Cm ~C |
Open command line (only useful for adding port forwardings using the |
Open command line. |
|
Currently this allows the addition of port forwardings using the |
.Fl L |
.Fl L |
and |
and |
.Fl R |
.Fl R |
options). |
options (see below). |
|
It also allows the cancellation of existing remote port-forwardings |
|
using |
|
.Fl KR Ar hostport . |
|
Basic help is available, using the |
|
.Fl h |
|
option. |
.It Cm ~R |
.It Cm ~R |
Request rekeying of the connection |
Request rekeying of the connection |
(only useful for SSH protocol version 2 and if the peer supports it). |
(only useful for SSH protocol version 2 and if the peer supports it). |
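Review bot: in the new ~C text, "options (see below)." does not say what it points at, and the added help sentence has a stray comma ("Basic help is available, using the"). Suggest naming the target, for example the descriptions of the -L and -R options, and dropping the comma. The new text documents -KR cancellation for remote port-forwardings only. If local forwardings cannot be cancelled from this command line, saying so would spare the reader the experiment.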
|
|
option can be used to prevent logins to machines whose |
option can be used to prevent logins to machines whose |
host key is not known or has changed. |
host key is not known or has changed. |
.Pp |
.Pp |
|
.Nm |
|
can be configured to verify host identification using fingerprint resource |
|
records (SSHFP) published in DNS. |
|
The |
|
.Cm VerifyHostKeyDNS |
|
option can be used to control how DNS lookups are performed. |
|
SSHFP resource records can be generated using |
|
.Xr ssh-keygen 1 . |
|
.Pp |
The options are as follows: |
The options are as follows: |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Fl 1 |
.It Fl 1 |
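Review bot: the new SSHFP paragraph names VerifyHostKeyDNS but gives no cross-reference, while the -M and -S additions in this same change both say "Refer to the description of ... in ssh_config 5". Add the same .Xr ssh_config 5 pointer here. The paragraph sits directly after the sentence about preventing logins when a host key "is not known or has changed", so it should also say whether a fingerprint matched through DNS is treated as equivalent to a known host key or only as advice to the user. The text as written leaves that open.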
|
|
configuration files; see the |
configuration files; see the |
.Cm Compression |
.Cm Compression |
option. |
option. |
.It Fl c Ar blowfish | 3des | des |
.It Fl c Ar cipher_spec |
Selects the cipher to use for encrypting the session. |
Selects the cipher specification for encrypting the session. |
|
.Pp |
|
Protocol version 1 allows specification of a single cipher. |
|
The suported values are |
|
.Dq 3des , |
|
.Dq blowfish |
|
and |
|
.Dq des . |
.Ar 3des |
.Ar 3des |
is used by default. |
|
It is believed to be secure. |
|
.Ar 3des |
|
(triple-des) is an encrypt-decrypt-encrypt triple with three different keys. |
(triple-des) is an encrypt-decrypt-encrypt triple with three different keys. |
|
It is believed to be secure. |
.Ar blowfish |
.Ar blowfish |
is a fast block cipher; it appears very secure and is much faster than |
is a fast block cipher; it appears very secure and is much faster than |
.Ar 3des . |
.Ar 3des . |
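Review bot: the added line "The suported values are" misspells "supported". In the same hunk the new list of values uses .Dq ("3des", "blowfish", "des"), while the descriptions that follow still mark the same names with .Ar (.Ar 3des, .Ar blowfish). Pick one macro for cipher names so they render consistently within the -c entry.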
|
|
.Ar 3des |
.Ar 3des |
cipher. |
cipher. |
Its use is strongly discouraged due to cryptographic weaknesses. |
Its use is strongly discouraged due to cryptographic weaknesses. |
.It Fl c Ar cipher_spec |
The default is |
Additionally, for protocol version 2 a comma-separated list of ciphers can |
.Dq 3des . |
be specified in order of preference. |
.Pp |
See |
For protocol version 2 |
.Cm Ciphers |
.Ar cipher_spec |
for more information. |
is a comma-separated list of ciphers |
|
listed in order of preference. |
|
The supported ciphers are |
|
.Dq 3des-cbc , |
|
.Dq aes128-cbc , |
|
.Dq aes192-cbc , |
|
.Dq aes256-cbc , |
|
.Dq aes128-ctr , |
|
.Dq aes192-ctr , |
|
.Dq aes256-ctr , |
|
.Dq arcfour , |
|
.Dq blowfish-cbc , |
|
and |
|
.Dq cast128-cbc . |
|
The default is |
|
.Bd -literal |
|
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
|
aes192-cbc,aes256-cbc'' |
|
.Ed |
.It Fl D Ar port |
.It Fl D Ar port |
Specifies a local |
Specifies a local |
.Dq dynamic |
.Dq dynamic |
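Review bot: the old side ended the protocol 2 text with "See .Cm Ciphers for more information."; the new side drops that pointer and instead spells out the supported ciphers and the default list inline. That leaves two places to keep in step whenever the list changes. Suggest keeping the cross-reference to Ciphers alongside the list, or keeping only the cross-reference. Separately, the default is shown inside .Bd -literal with hand-typed `` and '' quotes split across two lines, which a reader may copy with the line break included. A single unquoted line would be safer to paste.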
|
|
.It Fl l Ar login_name |
.It Fl l Ar login_name |
Specifies the user to log in as on the remote machine. |
Specifies the user to log in as on the remote machine. |
This also may be specified on a per-host basis in the configuration file. |
This also may be specified on a per-host basis in the configuration file. |
|
.It Fl M |
|
Places the |
|
.Nm |
|
client into |
|
.Dq master |
|
mode for connection sharing. |
|
Refer to the description of |
|
.Cm ControlMaster |
|
in |
|
.Xr ssh_config 5 |
|
for details. |
.It Fl m Ar mac_spec |
.It Fl m Ar mac_spec |
Additionally, for protocol version 2 a comma-separated list of MAC |
Additionally, for protocol version 2 a comma-separated list of MAC |
(message authentication code) algorithms can |
(message authentication code) algorithms can |
|
|
.It Compression |
.It Compression |
.It CompressionLevel |
.It CompressionLevel |
.It ConnectionAttempts |
.It ConnectionAttempts |
.It ConnectionTimeout |
.It ConnectTimeout |
|
.It ControlMaster |
|
.It ControlPath |
.It DynamicForward |
.It DynamicForward |
.It EscapeChar |
.It EscapeChar |
.It ForwardAgent |
.It ForwardAgent |
|
|
.It HostKeyAlias |
.It HostKeyAlias |
.It HostName |
.It HostName |
.It IdentityFile |
.It IdentityFile |
|
.It IdentitiesOnly |
.It LocalForward |
.It LocalForward |
.It LogLevel |
.It LogLevel |
.It MACs |
.It MACs |
|
|
.It RemoteForward |
.It RemoteForward |
.It RhostsRSAAuthentication |
.It RhostsRSAAuthentication |
.It RSAAuthentication |
.It RSAAuthentication |
|
.It SendEnv |
.It ServerAliveInterval |
.It ServerAliveInterval |
.It ServerAliveCountMax |
.It ServerAliveCountMax |
.It SmartcardDevice |
.It SmartcardDevice |
|
|
.Ar hostport . |
.Ar hostport . |
.Xc |
.Xc |
.Sm on |
.Sm on |
|
.It Fl S Ar ctl |
|
Specifies the location of a control socket for connection sharing. |
|
Refer to the description of |
|
.Cm ControlPath |
|
and |
|
.Cm ControlMaster |
|
in |
|
.Xr ssh_config 5 |
|
for details. |
.It Fl s |
.It Fl s |
May be used to request invocation of a subsystem on the remote system. |
May be used to request invocation of a subsystem on the remote system. |
Subsystems are a feature of the SSH2 protocol which facilitate the use |
Subsystems are a feature of the SSH2 protocol which facilitate the use |
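Review bot: the argument name in ".It Fl S Ar ctl" (and in the synopsis entry ".Op Fl S Ar ctl") does not tell the reader it is a filesystem path, although the description says it is "the location of a control socket". A name such as ctl_path would match the ControlPath option this entry refers to.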
|
|
This is the per-user configuration file. |
This is the per-user configuration file. |
The file format and configuration options are described in |
The file format and configuration options are described in |
.Xr ssh_config 5 . |
.Xr ssh_config 5 . |
|
Because of the potential for abuse, this file must have strict permissions: |
|
read/write for the user, and not accessible by others. |
.It Pa $HOME/.ssh/authorized_keys |
.It Pa $HOME/.ssh/authorized_keys |
Lists the public keys (RSA/DSA) that can be used for logging in as this user. |
Lists the public keys (RSA/DSA) that can be used for logging in as this user. |
The format of this file is described in the |
The format of this file is described in the |
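Review bot: in the added sentence on the per-user configuration file, "read/write for the user, and not accessible by others" is ambiguous about group access and about whether read access by others is refused or only write access. Since the text says the file "must have strict permissions", state the exact condition that is enforced and what happens when it is not met, so a user who hits the check can tell which permission bits to change.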