version 1.196, 2004/08/30 21:22:49
version 1.196.2.2, 2005/09/02 03:45:01
|
|
.Nd OpenSSH SSH client (remote login program) |
.Nd OpenSSH SSH client (remote login program) |
.Sh SYNOPSIS |
.Sh SYNOPSIS |
.Nm ssh |
.Nm ssh |
|
.Bk -words |
.Op Fl 1246AaCfgkMNnqsTtVvXxY |
.Op Fl 1246AaCfgkMNnqsTtVvXxY |
.Op Fl b Ar bind_address |
.Op Fl b Ar bind_address |
.Op Fl c Ar cipher_spec |
.Op Fl c Ar cipher_spec |
.Bk -words |
|
.Op Fl D Ar port |
.Op Fl D Ar port |
.Op Fl e Ar escape_char |
.Op Fl e Ar escape_char |
.Op Fl F Ar configfile |
.Op Fl F Ar configfile |
.Op Fl i Ar identity_file |
.Op Fl i Ar identity_file |
.Oo Fl L Xo |
.Oo Fl L\ \& |
.Sm off |
.Sm off |
.Ar port : |
.Oo Ar bind_address : Oc |
.Ar host : |
.Ar port : host : hostport |
.Ar hostport |
|
.Sm on |
.Sm on |
.Xc |
|
.Oc |
.Oc |
.Ek |
|
.Op Fl l Ar login_name |
.Op Fl l Ar login_name |
.Op Fl m Ar mac_spec |
.Op Fl m Ar mac_spec |
|
.Op Fl O Ar ctl_cmd |
.Op Fl o Ar option |
.Op Fl o Ar option |
.Bk -words |
|
.Op Fl p Ar port |
.Op Fl p Ar port |
.Ek |
.Oo Fl R\ \& |
.Oo Fl R Xo |
|
.Sm off |
.Sm off |
.Ar port : |
.Oo Ar bind_address : Oc |
.Ar host : |
.Ar port : host : hostport |
.Ar hostport |
|
.Sm on |
.Sm on |
.Xc |
|
.Oc |
.Oc |
.Op Fl S Ar ctl |
.Op Fl S Ar ctl_path |
.Oo Ar user Ns @ Oc Ns Ar hostname |
.Oo Ar user Ns @ Oc Ns Ar hostname |
.Op Ar command |
.Op Ar command |
|
.Ek |
.Sh DESCRIPTION |
.Sh DESCRIPTION |
.Nm |
.Nm |
(SSH client) is a program for logging into a remote machine and for |
(SSH client) is a program for logging into a remote machine and for |
|
|
.Pa /etc/shosts.equiv |
.Pa /etc/shosts.equiv |
on the remote machine, and the user names are |
on the remote machine, and the user names are |
the same on both sides, or if the files |
the same on both sides, or if the files |
.Pa $HOME/.rhosts |
.Pa ~/.rhosts |
or |
or |
.Pa $HOME/.shosts |
.Pa ~/.shosts |
exist in the user's home directory on the |
exist in the user's home directory on the |
remote machine and contain a line containing the name of the client |
remote machine and contain a line containing the name of the client |
machine and the name of the user on that machine, the user is |
machine and the name of the user on that machine, the user is |
|
|
host key (see |
host key (see |
.Pa /etc/ssh/ssh_known_hosts |
.Pa /etc/ssh/ssh_known_hosts |
and |
and |
.Pa $HOME/.ssh/known_hosts |
.Pa ~/.ssh/known_hosts |
in the |
in the |
.Sx FILES |
.Sx FILES |
section), only then is login permitted. |
section), only then is login permitted. |
|
|
spoofing, DNS spoofing and routing spoofing. |
spoofing, DNS spoofing and routing spoofing. |
[Note to the administrator: |
[Note to the administrator: |
.Pa /etc/hosts.equiv , |
.Pa /etc/hosts.equiv , |
.Pa $HOME/.rhosts , |
.Pa ~/.rhosts , |
and the rlogin/rsh protocol in general, are inherently insecure and should be |
and the rlogin/rsh protocol in general, are inherently insecure and should be |
disabled if security is desired.] |
disabled if security is desired.] |
.Pp |
.Pp |
|
|
The server knows the public key, and only the user knows the private key. |
The server knows the public key, and only the user knows the private key. |
.Pp |
.Pp |
The file |
The file |
.Pa $HOME/.ssh/authorized_keys |
.Pa ~/.ssh/authorized_keys |
lists the public keys that are permitted for logging in. |
lists the public keys that are permitted for logging in. |
When the user logs in, the |
When the user logs in, the |
.Nm |
.Nm |
|
|
The user creates his/her RSA key pair by running |
The user creates his/her RSA key pair by running |
.Xr ssh-keygen 1 . |
.Xr ssh-keygen 1 . |
This stores the private key in |
This stores the private key in |
.Pa $HOME/.ssh/identity |
.Pa ~/.ssh/identity |
and stores the public key in |
and stores the public key in |
.Pa $HOME/.ssh/identity.pub |
.Pa ~/.ssh/identity.pub |
in the user's home directory. |
in the user's home directory. |
The user should then copy the |
The user should then copy the |
.Pa identity.pub |
.Pa identity.pub |
to |
to |
.Pa $HOME/.ssh/authorized_keys |
.Pa ~/.ssh/authorized_keys |
in his/her home directory on the remote machine (the |
in his/her home directory on the remote machine (the |
.Pa authorized_keys |
.Pa authorized_keys |
file corresponds to the conventional |
file corresponds to the conventional |
.Pa $HOME/.rhosts |
.Pa ~/.rhosts |
file, and has one key |
file, and has one key |
per line, though the lines can be very long). |
per line, though the lines can be very long). |
After this, the user can log in without giving the password. |
After this, the user can log in without giving the password. |
|
|
The public key method is similar to RSA authentication described |
The public key method is similar to RSA authentication described |
in the previous section and allows the RSA or DSA algorithm to be used: |
in the previous section and allows the RSA or DSA algorithm to be used: |
The client uses his private key, |
The client uses his private key, |
.Pa $HOME/.ssh/id_dsa |
.Pa ~/.ssh/id_dsa |
or |
or |
.Pa $HOME/.ssh/id_rsa , |
.Pa ~/.ssh/id_rsa , |
to sign the session identifier and sends the result to the server. |
to sign the session identifier and sends the result to the server. |
The server checks whether the matching public key is listed in |
The server checks whether the matching public key is listed in |
.Pa $HOME/.ssh/authorized_keys |
.Pa ~/.ssh/authorized_keys |
and grants access if both the key is found and the signature is correct. |
and grants access if both the key is found and the signature is correct. |
The session identifier is derived from a shared Diffie-Hellman value |
The session identifier is derived from a shared Diffie-Hellman value |
and is only known to the client and the server. |
and is only known to the client and the server. |
|
|
automatically maintains and checks a database containing |
automatically maintains and checks a database containing |
identifications for all hosts it has ever been used with. |
identifications for all hosts it has ever been used with. |
Host keys are stored in |
Host keys are stored in |
.Pa $HOME/.ssh/known_hosts |
.Pa ~/.ssh/known_hosts |
in the user's home directory. |
in the user's home directory. |
Additionally, the file |
Additionally, the file |
.Pa /etc/ssh/ssh_known_hosts |
.Pa /etc/ssh/ssh_known_hosts |
|
|
.It Fl a |
.It Fl a |
Disables forwarding of the authentication agent connection. |
Disables forwarding of the authentication agent connection. |
.It Fl b Ar bind_address |
.It Fl b Ar bind_address |
Specify the interface to transmit from on machines with multiple |
Use |
interfaces or aliased addresses. |
.Ar bind_address |
|
on the local machine as the source address |
|
of the connection. |
|
Only useful on systems with more than one address. |
.It Fl C |
.It Fl C |
Requests compression of all data (including stdin, stdout, stderr, and |
Requests compression of all data (including stdin, stdout, stderr, and |
data for forwarded X11 and TCP/IP connections). |
data for forwarded X11 and TCP/IP connections). |
|
|
.Dq aes128-ctr , |
.Dq aes128-ctr , |
.Dq aes192-ctr , |
.Dq aes192-ctr , |
.Dq aes256-ctr , |
.Dq aes256-ctr , |
|
.Dq arcfour128 , |
|
.Dq arcfour256 , |
.Dq arcfour , |
.Dq arcfour , |
.Dq blowfish-cbc , |
.Dq blowfish-cbc , |
and |
and |
.Dq cast128-cbc . |
.Dq cast128-cbc . |
The default is |
The default is |
.Bd -literal |
.Bd -literal |
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, |
aes192-cbc,aes256-cbc'' |
arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, |
|
aes192-ctr,aes256-ctr'' |
.Ed |
.Ed |
.It Fl D Ar port |
.It Fl D Ar port |
Specifies a local |
Specifies a local |
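Review bot: the new default string in the `.Bd -literal` block adds arcfour128, arcfour256 and the three CTR modes but keeps aes128-cbc and 3des-cbc at the head of the list with the CTR modes appended last; readers will take this literal as the client's preference order, so confirm it matches the compiled-in default character for character (order included) and say explicitly that the list is a preference order, otherwise the newly documented ciphers look like an afterthought rather than a deliberate ranking.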
|
|
.Pq Pa /etc/ssh/ssh_config |
.Pq Pa /etc/ssh/ssh_config |
will be ignored. |
will be ignored. |
The default for the per-user configuration file is |
The default for the per-user configuration file is |
.Pa $HOME/.ssh/config . |
.Pa ~/.ssh/config . |
.It Fl f |
.It Fl f |
Requests |
Requests |
.Nm |
.Nm |
|
|
Selects a file from which the identity (private key) for |
Selects a file from which the identity (private key) for |
RSA or DSA authentication is read. |
RSA or DSA authentication is read. |
The default is |
The default is |
.Pa $HOME/.ssh/identity |
.Pa ~/.ssh/identity |
for protocol version 1, and |
for protocol version 1, and |
.Pa $HOME/.ssh/id_rsa |
.Pa ~/.ssh/id_rsa |
and |
and |
.Pa $HOME/.ssh/id_dsa |
.Pa ~/.ssh/id_dsa |
for protocol version 2. |
for protocol version 2. |
Identity files may also be specified on |
Identity files may also be specified on |
a per-host basis in the configuration file. |
a per-host basis in the configuration file. |
|
|
Disables forwarding (delegation) of GSSAPI credentials to the server. |
Disables forwarding (delegation) of GSSAPI credentials to the server. |
.It Fl L Xo |
.It Fl L Xo |
.Sm off |
.Sm off |
|
.Oo Ar bind_address : Oc |
.Ar port : host : hostport |
.Ar port : host : hostport |
.Sm on |
.Sm on |
.Xc |
.Xc |
|
|
forwarded to the given host and port on the remote side. |
forwarded to the given host and port on the remote side. |
This works by allocating a socket to listen to |
This works by allocating a socket to listen to |
.Ar port |
.Ar port |
on the local side, and whenever a connection is made to this port, the |
on the local side, optionally bound to the specified |
|
.Ar bind_address . |
|
Whenever a connection is made to this port, the |
connection is forwarded over the secure channel, and a connection is |
connection is forwarded over the secure channel, and a connection is |
made to |
made to |
.Ar host |
.Ar host |
|
|
.Ar hostport |
.Ar hostport |
from the remote machine. |
from the remote machine. |
Port forwardings can also be specified in the configuration file. |
Port forwardings can also be specified in the configuration file. |
Only root can forward privileged ports. |
|
IPv6 addresses can be specified with an alternative syntax: |
IPv6 addresses can be specified with an alternative syntax: |
.Sm off |
.Sm off |
.Xo |
.Xo |
|
.Op Ar bind_address No / |
.Ar port No / Ar host No / |
.Ar port No / Ar host No / |
.Ar hostport . |
.Ar hostport |
.Xc |
.Xc |
.Sm on |
.Sm on |
|
or by enclosing the address in square brackets. |
|
Only the superuser can forward privileged ports. |
|
By default, the local port is bound in accordance with the |
|
.Cm GatewayPorts |
|
setting. |
|
However, an explicit |
|
.Ar bind_address |
|
may be used to bind the connection to a specific address. |
|
The |
|
.Ar bind_address |
|
of |
|
.Dq localhost |
|
indicates that the listening port be bound for local use only, while an |
|
empty address or |
|
.Sq * |
|
indicates that the port should be available from all interfaces. |
.It Fl l Ar login_name |
.It Fl l Ar login_name |
Specifies the user to log in as on the remote machine. |
Specifies the user to log in as on the remote machine. |
This also may be specified on a per-host basis in the configuration file. |
This also may be specified on a per-host basis in the configuration file. |
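Review bot: the new paragraph says the local port is bound "in accordance with the GatewayPorts setting" but, unlike the -R text later in this diff which points at `.Xr sshd_config 5`, it never says where that setting lives; add a cross-reference to `.Xr ssh_config 5` here. Also, because the paragraph states that an empty bind_address means "available from all interfaces", it is worth spelling out that a bare leading colon (`:port:host:hostport`) has exactly that effect, so a reader does not assume the empty form falls back to the GatewayPorts default and unintentionally exposes the listener.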
|
|
needs to ask for a password or passphrase; see also the |
needs to ask for a password or passphrase; see also the |
.Fl f |
.Fl f |
option.) |
option.) |
|
.It Fl O Ar ctl_cmd |
|
Control an active connection multiplexing master process. |
|
When the |
|
.Fl O |
|
option is specified, the |
|
.Ar ctl_cmd |
|
argument is interpreted and passed to the master process. |
|
Valid commands are: |
|
.Dq check |
|
(check that the master process is running) and |
|
.Dq exit |
|
(request the master to exit). |
.It Fl o Ar option |
.It Fl o Ar option |
Can be used to give options in the format used in the configuration file. |
Can be used to give options in the format used in the configuration file. |
This is useful for specifying options for which there is no separate |
This is useful for specifying options for which there is no separate |
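Review bot: the -O description never says how the client locates the master process it is supposed to control; add that the control socket is the one given with -S ctl_path (or ControlPath in the configuration file), otherwise "check" and "exit" have no visible target for the reader. It would also help to say what "check" reports (exit status, message) rather than only that it checks.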
|
|
.It GlobalKnownHostsFile |
.It GlobalKnownHostsFile |
.It GSSAPIAuthentication |
.It GSSAPIAuthentication |
.It GSSAPIDelegateCredentials |
.It GSSAPIDelegateCredentials |
|
.It HashKnownHosts |
.It Host |
.It Host |
.It HostbasedAuthentication |
.It HostbasedAuthentication |
.It HostKeyAlgorithms |
.It HostKeyAlgorithms |
|
|
.It HostName |
.It HostName |
.It IdentityFile |
.It IdentityFile |
.It IdentitiesOnly |
.It IdentitiesOnly |
|
.It KbdInteractiveDevices |
.It LocalForward |
.It LocalForward |
.It LogLevel |
.It LogLevel |
.It MACs |
.It MACs |
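Review bot: KbdInteractiveDevices is inserted in the right alphabetical slot, but while touching this list note that the pre-existing pair is out of order: `.It IdentitiesOnly` sorts before `.It IdentityFile`, so swap the two lines to keep the list strictly alphabetical.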
|
|
Causes all warning and diagnostic messages to be suppressed. |
Causes all warning and diagnostic messages to be suppressed. |
.It Fl R Xo |
.It Fl R Xo |
.Sm off |
.Sm off |
|
.Oo Ar bind_address : Oc |
.Ar port : host : hostport |
.Ar port : host : hostport |
.Sm on |
.Sm on |
.Xc |
.Xc |
|
|
port |
port |
.Ar hostport |
.Ar hostport |
from the local machine. |
from the local machine. |
|
.Pp |
Port forwardings can also be specified in the configuration file. |
Port forwardings can also be specified in the configuration file. |
Privileged ports can be forwarded only when |
Privileged ports can be forwarded only when |
logging in as root on the remote machine. |
logging in as root on the remote machine. |
IPv6 addresses can be specified with an alternative syntax: |
IPv6 addresses can be specified by enclosing the address in square braces or |
|
using an alternative syntax: |
.Sm off |
.Sm off |
.Xo |
.Xo |
.Ar port No / Ar host No / |
.Op Ar bind_address No / |
.Ar hostport . |
.Ar host No / Ar port No / |
.Xc |
.Ar hostport |
|
.Xc . |
.Sm on |
.Sm on |
.It Fl S Ar ctl |
.Pp |
|
By default, the listening socket on the server will be bound to the loopback |
|
interface only. |
|
This may be overriden by specifying a |
|
.Ar bind_address . |
|
An empty |
|
.Ar bind_address , |
|
or the address |
|
.Ql * , |
|
indicates that the remote socket should listen on all interfaces. |
|
Specifying a remote |
|
.Ar bind_address |
|
will only succeed if the server's |
|
.Cm GatewayPorts |
|
option is enabled (see |
|
.Xr sshd_config 5 ) . |
|
.It Fl S Ar ctl_path |
Specifies the location of a control socket for connection sharing. |
Specifies the location of a control socket for connection sharing. |
Refer to the description of |
Refer to the description of |
.Cm ControlPath |
.Cm ControlPath |
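Review bot: "overriden" in the new bind_address paragraph should be "overridden". Two consistency points against the -L text in the same diff: here the wildcard is written `.Ql * ,` whereas -L uses `.Sq *`, and here IPv6 addresses are "enclosed in square braces" whereas -L says "square brackets"; pick one macro and one term for both options. The rest of the paragraph is correct and useful, in particular the statement that a remote bind_address only takes effect when the server's GatewayPorts option is enabled.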
|
|
(for the user's X authorization database) |
(for the user's X authorization database) |
can access the local X11 display through the forwarded connection. |
can access the local X11 display through the forwarded connection. |
An attacker may then be able to perform activities such as keystroke monitoring. |
An attacker may then be able to perform activities such as keystroke monitoring. |
|
.Pp |
|
For this reason, X11 forwarding is subjected to X11 SECURITY extension |
|
restrictions by default. |
|
Please refer to the |
|
.Nm |
|
.Fl Y |
|
option and the |
|
.Cm ForwardX11Trusted |
|
directive in |
|
.Xr ssh_config 5 |
|
for more information. |
.It Fl x |
.It Fl x |
Disables X11 forwarding. |
Disables X11 forwarding. |
.It Fl Y |
.It Fl Y |
Enables trusted X11 forwarding. |
Enables trusted X11 forwarding. |
|
Trusted X11 forwardings are not subjected to the X11 SECURITY extension |
|
controls. |
.El |
.El |
.Sh CONFIGURATION FILES |
.Sh CONFIGURATION FILES |
.Nm |
.Nm |
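Review bot: the new -Y text only says trusted forwardings "are not subjected to the X11 SECURITY extension controls"; since the preceding paragraph explains that a remote client with access to the display can do things like keystroke monitoring, the -Y entry should state plainly that trusted forwarding gives the remote side that full access again, so readers do not reach for -Y reflexively whenever an application misbehaves under the default restricted mode. Minor: "is subjected to" and "are not subjected to" read better as "is subject to" / "are not subject to".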
|
|
Additionally, |
Additionally, |
.Nm |
.Nm |
reads |
reads |
.Pa $HOME/.ssh/environment , |
.Pa ~/.ssh/environment , |
and adds lines of the format |
and adds lines of the format |
.Dq VARNAME=value |
.Dq VARNAME=value |
to the environment if the file exists and if users are allowed to |
to the environment if the file exists and if users are allowed to |
|
|
.Xr sshd_config 5 . |
.Xr sshd_config 5 . |
.Sh FILES |
.Sh FILES |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Pa $HOME/.ssh/known_hosts |
.It Pa ~/.ssh/known_hosts |
Records host keys for all hosts the user has logged into that are not |
Records host keys for all hosts the user has logged into that are not |
in |
in |
.Pa /etc/ssh/ssh_known_hosts . |
.Pa /etc/ssh/ssh_known_hosts . |
See |
See |
.Xr sshd 8 . |
.Xr sshd 8 . |
.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa |
.It Pa ~/.ssh/identity, ~/.ssh/id_dsa, ~/.ssh/id_rsa |
Contains the authentication identity of the user. |
Contains the authentication identity of the user. |
They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. |
They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. |
These files |
These files |
|
|
It is possible to specify a passphrase when |
It is possible to specify a passphrase when |
generating the key; the passphrase will be used to encrypt the |
generating the key; the passphrase will be used to encrypt the |
sensitive part of this file using 3DES. |
sensitive part of this file using 3DES. |
.It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub |
.It Pa ~/.ssh/identity.pub, ~/.ssh/id_dsa.pub, ~/.ssh/id_rsa.pub |
Contains the public key for authentication (public part of the |
Contains the public key for authentication (public part of the |
identity file in human-readable form). |
identity file in human-readable form). |
The contents of the |
The contents of the |
.Pa $HOME/.ssh/identity.pub |
.Pa ~/.ssh/identity.pub |
file should be added to the file |
file should be added to the file |
.Pa $HOME/.ssh/authorized_keys |
.Pa ~/.ssh/authorized_keys |
on all machines |
on all machines |
where the user wishes to log in using protocol version 1 RSA authentication. |
where the user wishes to log in using protocol version 1 RSA authentication. |
The contents of the |
The contents of the |
.Pa $HOME/.ssh/id_dsa.pub |
.Pa ~/.ssh/id_dsa.pub |
and |
and |
.Pa $HOME/.ssh/id_rsa.pub |
.Pa ~/.ssh/id_rsa.pub |
file should be added to |
file should be added to |
.Pa $HOME/.ssh/authorized_keys |
.Pa ~/.ssh/authorized_keys |
on all machines |
on all machines |
where the user wishes to log in using protocol version 2 DSA/RSA authentication. |
where the user wishes to log in using protocol version 2 DSA/RSA authentication. |
These files are not |
These files are not |
|
|
These files are |
These files are |
never used automatically and are not necessary; they are only provided for |
never used automatically and are not necessary; they are only provided for |
the convenience of the user. |
the convenience of the user. |
.It Pa $HOME/.ssh/config |
.It Pa ~/.ssh/config |
This is the per-user configuration file. |
This is the per-user configuration file. |
The file format and configuration options are described in |
The file format and configuration options are described in |
.Xr ssh_config 5 . |
.Xr ssh_config 5 . |
Because of the potential for abuse, this file must have strict permissions: |
Because of the potential for abuse, this file must have strict permissions: |
read/write for the user, and not accessible by others. |
read/write for the user, and not accessible by others. |
.It Pa $HOME/.ssh/authorized_keys |
.It Pa ~/.ssh/authorized_keys |
Lists the public keys (RSA/DSA) that can be used for logging in as this user. |
Lists the public keys (RSA/DSA) that can be used for logging in as this user. |
The format of this file is described in the |
The format of this file is described in the |
.Xr sshd 8 |
.Xr sshd 8 |
|
|
By default |
By default |
.Nm |
.Nm |
is not setuid root. |
is not setuid root. |
.It Pa $HOME/.rhosts |
.It Pa ~/.rhosts |
This file is used in |
This file is used in |
.Cm RhostsRSAAuthentication |
.Cm RhostsRSAAuthentication |
and |
and |
|
|
If the server machine does not have the client's host key in |
If the server machine does not have the client's host key in |
.Pa /etc/ssh/ssh_known_hosts , |
.Pa /etc/ssh/ssh_known_hosts , |
it can be stored in |
it can be stored in |
.Pa $HOME/.ssh/known_hosts . |
.Pa ~/.ssh/known_hosts . |
The easiest way to do this is to |
The easiest way to do this is to |
connect back to the client from the server machine using ssh; this |
connect back to the client from the server machine using ssh; this |
will automatically add the host key to |
will automatically add the host key to |
.Pa $HOME/.ssh/known_hosts . |
.Pa ~/.ssh/known_hosts . |
.It Pa $HOME/.shosts |
.It Pa ~/.shosts |
This file is used exactly the same way as |
This file is used exactly the same way as |
.Pa .rhosts . |
.Pa .rhosts . |
The purpose for |
The purpose for |
|
|
See the |
See the |
.Xr sshd 8 |
.Xr sshd 8 |
manual page for more information. |
manual page for more information. |
.It Pa $HOME/.ssh/rc |
.It Pa ~/.ssh/rc |
Commands in this file are executed by |
Commands in this file are executed by |
.Nm |
.Nm |
when the user logs in just before the user's shell (or command) is |
when the user logs in just before the user's shell (or command) is |
|
|
See the |
See the |
.Xr sshd 8 |
.Xr sshd 8 |
manual page for more information. |
manual page for more information. |
.It Pa $HOME/.ssh/environment |
.It Pa ~/.ssh/environment |
Contains additional definitions for environment variables, see section |
Contains additional definitions for environment variables, see section |
.Sx ENVIRONMENT |
.Sx ENVIRONMENT |
above. |
above. |