| version 1.175.2.2, 2004/08/19 22:37:32 |
version 1.176, 2003/09/29 11:40:51 |
|
|
| .Nd OpenSSH SSH client (remote login program) |
.Nd OpenSSH SSH client (remote login program) |
| .Sh SYNOPSIS |
.Sh SYNOPSIS |
| .Nm ssh |
.Nm ssh |
| .Op Fl 1246AaCfgkMNnqsTtVvXxY |
.Op Fl 1246AaCfgkNnqsTtVvXx |
| .Op Fl b Ar bind_address |
.Op Fl b Ar bind_address |
| .Op Fl c Ar cipher_spec |
.Op Fl c Ar cipher_spec |
| .Bk -words |
|
| .Op Fl D Ar port |
.Op Fl D Ar port |
| .Op Fl e Ar escape_char |
.Op Fl e Ar escape_char |
| .Op Fl F Ar configfile |
.Op Fl F Ar configfile |
| .Op Fl i Ar identity_file |
.Op Fl i Ar identity_file |
| |
.Bk -words |
| .Oo Fl L Xo |
.Oo Fl L Xo |
| .Sm off |
.Sm off |
| .Ar port : |
.Ar port : |
|
|
| .Sm on |
.Sm on |
| .Xc |
.Xc |
| .Oc |
.Oc |
| .Op Fl S Ar ctl |
|
| .Oo Ar user Ns @ Oc Ns Ar hostname |
.Oo Ar user Ns @ Oc Ns Ar hostname |
| .Op Ar command |
.Op Ar command |
| .Sh DESCRIPTION |
.Sh DESCRIPTION |
|
|
| supports hostbased or challenge response authentication. |
supports hostbased or challenge response authentication. |
| .Pp |
.Pp |
| Protocol 2 provides additional mechanisms for confidentiality |
Protocol 2 provides additional mechanisms for confidentiality |
| (the traffic is encrypted using AES, 3DES, Blowfish, CAST128 or Arcfour) |
(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) |
| and integrity (hmac-md5, hmac-sha1, hmac-ripemd160). |
and integrity (hmac-md5, hmac-sha1). |
| Note that protocol 1 lacks a strong mechanism for ensuring the |
Note that protocol 1 lacks a strong mechanism for ensuring the |
| integrity of the connection. |
integrity of the connection. |
| .Ss Login session and remote execution |
.Ss Login session and remote execution |
|
|
| Send a BREAK to the remote system |
Send a BREAK to the remote system |
| (only useful for SSH protocol version 2 and if the peer supports it). |
(only useful for SSH protocol version 2 and if the peer supports it). |
| .It Cm ~C |
.It Cm ~C |
| Open command line. |
Open command line (only useful for adding port forwardings using the |
| Currently this allows the addition of port forwardings using the |
|
| .Fl L |
.Fl L |
| and |
and |
| .Fl R |
.Fl R |
| options (see below). |
options). |
| It also allows the cancellation of existing remote port-forwardings |
|
| using |
|
| .Fl KR Ar hostport . |
|
| Basic help is available, using the |
|
| .Fl h |
|
| option. |
|
| .It Cm ~R |
.It Cm ~R |
| Request rekeying of the connection |
Request rekeying of the connection |
| (only useful for SSH protocol version 2 and if the peer supports it). |
(only useful for SSH protocol version 2 and if the peer supports it). |
|
|
| option can be used to prevent logins to machines whose |
option can be used to prevent logins to machines whose |
| host key is not known or has changed. |
host key is not known or has changed. |
| .Pp |
.Pp |
| .Nm |
|
| can be configured to verify host identification using fingerprint resource |
|
| records (SSHFP) published in DNS. |
|
| The |
|
| .Cm VerifyHostKeyDNS |
|
| option can be used to control how DNS lookups are performed. |
|
| SSHFP resource records can be generated using |
|
| .Xr ssh-keygen 1 . |
|
| .Pp |
|
| The options are as follows: |
The options are as follows: |
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
| .It Fl 1 |
.It Fl 1 |
|
|
| configuration files; see the |
configuration files; see the |
| .Cm Compression |
.Cm Compression |
| option. |
option. |
| .It Fl c Ar cipher_spec |
.It Fl c Ar blowfish | 3des | des |
| Selects the cipher specification for encrypting the session. |
Selects the cipher to use for encrypting the session. |
| .Pp |
|
| Protocol version 1 allows specification of a single cipher. |
|
| The suported values are |
|
| .Dq 3des , |
|
| .Dq blowfish |
|
| and |
|
| .Dq des . |
|
| .Ar 3des |
.Ar 3des |
| (triple-des) is an encrypt-decrypt-encrypt triple with three different keys. |
is used by default. |
| It is believed to be secure. |
It is believed to be secure. |
| |
.Ar 3des |
| |
(triple-des) is an encrypt-decrypt-encrypt triple with three different keys. |
| .Ar blowfish |
.Ar blowfish |
| is a fast block cipher; it appears very secure and is much faster than |
is a fast block cipher; it appears very secure and is much faster than |
| .Ar 3des . |
.Ar 3des . |
|
|
| .Ar 3des |
.Ar 3des |
| cipher. |
cipher. |
| Its use is strongly discouraged due to cryptographic weaknesses. |
Its use is strongly discouraged due to cryptographic weaknesses. |
| The default is |
.It Fl c Ar cipher_spec |
| .Dq 3des . |
Additionally, for protocol version 2 a comma-separated list of ciphers can |
| .Pp |
be specified in order of preference. |
| For protocol version 2 |
See |
| .Ar cipher_spec |
.Cm Ciphers |
| is a comma-separated list of ciphers |
for more information. |
| listed in order of preference. |
|
| The supported ciphers are |
|
| .Dq 3des-cbc , |
|
| .Dq aes128-cbc , |
|
| .Dq aes192-cbc , |
|
| .Dq aes256-cbc , |
|
| .Dq aes128-ctr , |
|
| .Dq aes192-ctr , |
|
| .Dq aes256-ctr , |
|
| .Dq arcfour , |
|
| .Dq blowfish-cbc , |
|
| and |
|
| .Dq cast128-cbc . |
|
| The default is |
|
| .Bd -literal |
|
| ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
|
| aes192-cbc,aes256-cbc'' |
|
| .Ed |
|
| .It Fl D Ar port |
.It Fl D Ar port |
| Specifies a local |
Specifies a local |
| .Dq dynamic |
.Dq dynamic |
|
|
| options (and multiple identities specified in |
options (and multiple identities specified in |
| configuration files). |
configuration files). |
| .It Fl k |
.It Fl k |
| Disables forwarding (delegation) of GSSAPI credentials to the server. |
Disables forwarding of Kerberos tickets. |
| |
This may also be specified on a per-host basis in the configuration file. |
| .It Fl L Xo |
.It Fl L Xo |
| .Sm off |
.Sm off |
| .Ar port : host : hostport |
.Ar port : host : hostport |
|
|
| .It Fl l Ar login_name |
.It Fl l Ar login_name |
| Specifies the user to log in as on the remote machine. |
Specifies the user to log in as on the remote machine. |
| This also may be specified on a per-host basis in the configuration file. |
This also may be specified on a per-host basis in the configuration file. |
| .It Fl M |
|
| Places the |
|
| .Nm |
|
| client into |
|
| .Dq master |
|
| mode for connection sharing. |
|
| Refer to the description of |
|
| .Cm ControlMaster |
|
| in |
|
| .Xr ssh_config 5 |
|
| for details. |
|
| .It Fl m Ar mac_spec |
.It Fl m Ar mac_spec |
| Additionally, for protocol version 2 a comma-separated list of MAC |
Additionally, for protocol version 2 a comma-separated list of MAC |
| (message authentication code) algorithms can |
(message authentication code) algorithms can |
|
|
| .It Compression |
.It Compression |
| .It CompressionLevel |
.It CompressionLevel |
| .It ConnectionAttempts |
.It ConnectionAttempts |
| .It ConnectTimeout |
.It ConnectionTimeout |
| .It ControlMaster |
|
| .It ControlPath |
|
| .It DynamicForward |
.It DynamicForward |
| |
.It EnableSSHKeysign |
| .It EscapeChar |
.It EscapeChar |
| .It ForwardAgent |
.It ForwardAgent |
| .It ForwardX11 |
.It ForwardX11 |
| .It ForwardX11Trusted |
|
| .It GatewayPorts |
.It GatewayPorts |
| .It GlobalKnownHostsFile |
.It GlobalKnownHostsFile |
| .It GSSAPIAuthentication |
.It GSSAPIAuthentication |
|
|
| .It HostKeyAlias |
.It HostKeyAlias |
| .It HostName |
.It HostName |
| .It IdentityFile |
.It IdentityFile |
| .It IdentitiesOnly |
.It KeepAlive |
| .It LocalForward |
.It LocalForward |
| .It LogLevel |
.It LogLevel |
| .It MACs |
.It MACs |
|
|
| .It RemoteForward |
.It RemoteForward |
| .It RhostsRSAAuthentication |
.It RhostsRSAAuthentication |
| .It RSAAuthentication |
.It RSAAuthentication |
| .It SendEnv |
|
| .It ServerAliveInterval |
|
| .It ServerAliveCountMax |
|
| .It SmartcardDevice |
.It SmartcardDevice |
| .It StrictHostKeyChecking |
.It StrictHostKeyChecking |
| .It TCPKeepAlive |
|
| .It UsePrivilegedPort |
.It UsePrivilegedPort |
| .It User |
.It User |
| .It UserKnownHostsFile |
.It UserKnownHostsFile |
|
|
| .Ar hostport . |
.Ar hostport . |
| .Xc |
.Xc |
| .Sm on |
.Sm on |
| .It Fl S Ar ctl |
|
| Specifies the location of a control socket for connection sharing. |
|
| Refer to the description of |
|
| .Cm ControlPath |
|
| and |
|
| .Cm ControlMaster |
|
| in |
|
| .Xr ssh_config 5 |
|
| for details. |
|
| .It Fl s |
.It Fl s |
| May be used to request invocation of a subsystem on the remote system. |
May be used to request invocation of a subsystem on the remote system. |
| Subsystems are a feature of the SSH2 protocol which facilitate the use |
Subsystems are a feature of the SSH2 protocol which facilitate the use |
|
|
| An attacker may then be able to perform activities such as keystroke monitoring. |
An attacker may then be able to perform activities such as keystroke monitoring. |
| .It Fl x |
.It Fl x |
| Disables X11 forwarding. |
Disables X11 forwarding. |
| .It Fl Y |
|
| Enables trusted X11 forwarding. |
|
| .El |
.El |
| .Sh CONFIGURATION FILES |
.Sh CONFIGURATION FILES |
| .Nm |
.Nm |
|
|
| This is the per-user configuration file. |
This is the per-user configuration file. |
| The file format and configuration options are described in |
The file format and configuration options are described in |
| .Xr ssh_config 5 . |
.Xr ssh_config 5 . |
| Because of the potential for abuse, this file must have strict permissions: |
|
| read/write for the user, and not accessible by others. |
|
| .It Pa $HOME/.ssh/authorized_keys |
.It Pa $HOME/.ssh/authorized_keys |
| Lists the public keys (RSA/DSA) that can be used for logging in as this user. |
Lists the public keys (RSA/DSA) that can be used for logging in as this user. |
| The format of this file is described in the |
The format of this file is described in the |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh