| version 1.205, 2005/03/07 23:41:54 |
version 1.205.2.1, 2005/09/04 18:40:10 |
|
|
| .Pa /etc/shosts.equiv |
.Pa /etc/shosts.equiv |
| on the remote machine, and the user names are |
on the remote machine, and the user names are |
| the same on both sides, or if the files |
the same on both sides, or if the files |
| .Pa $HOME/.rhosts |
.Pa ~/.rhosts |
| or |
or |
| .Pa $HOME/.shosts |
.Pa ~/.shosts |
| exist in the user's home directory on the |
exist in the user's home directory on the |
| remote machine and contain a line containing the name of the client |
remote machine and contain a line containing the name of the client |
| machine and the name of the user on that machine, the user is |
machine and the name of the user on that machine, the user is |
|
|
| host key (see |
host key (see |
| .Pa /etc/ssh/ssh_known_hosts |
.Pa /etc/ssh/ssh_known_hosts |
| and |
and |
| .Pa $HOME/.ssh/known_hosts |
.Pa ~/.ssh/known_hosts |
| in the |
in the |
| .Sx FILES |
.Sx FILES |
| section), only then is login permitted. |
section), only then is login permitted. |
|
|
| spoofing, DNS spoofing and routing spoofing. |
spoofing, DNS spoofing and routing spoofing. |
| [Note to the administrator: |
[Note to the administrator: |
| .Pa /etc/hosts.equiv , |
.Pa /etc/hosts.equiv , |
| .Pa $HOME/.rhosts , |
.Pa ~/.rhosts , |
| and the rlogin/rsh protocol in general, are inherently insecure and should be |
and the rlogin/rsh protocol in general, are inherently insecure and should be |
| disabled if security is desired.] |
disabled if security is desired.] |
| .Pp |
.Pp |
|
|
| The server knows the public key, and only the user knows the private key. |
The server knows the public key, and only the user knows the private key. |
| .Pp |
.Pp |
| The file |
The file |
| .Pa $HOME/.ssh/authorized_keys |
.Pa ~/.ssh/authorized_keys |
| lists the public keys that are permitted for logging in. |
lists the public keys that are permitted for logging in. |
| When the user logs in, the |
When the user logs in, the |
| .Nm |
.Nm |
|
|
| The user creates his/her RSA key pair by running |
The user creates his/her RSA key pair by running |
| .Xr ssh-keygen 1 . |
.Xr ssh-keygen 1 . |
| This stores the private key in |
This stores the private key in |
| .Pa $HOME/.ssh/identity |
.Pa ~/.ssh/identity |
| and stores the public key in |
and stores the public key in |
| .Pa $HOME/.ssh/identity.pub |
.Pa ~/.ssh/identity.pub |
| in the user's home directory. |
in the user's home directory. |
| The user should then copy the |
The user should then copy the |
| .Pa identity.pub |
.Pa identity.pub |
| to |
to |
| .Pa $HOME/.ssh/authorized_keys |
.Pa ~/.ssh/authorized_keys |
| in his/her home directory on the remote machine (the |
in his/her home directory on the remote machine (the |
| .Pa authorized_keys |
.Pa authorized_keys |
| file corresponds to the conventional |
file corresponds to the conventional |
| .Pa $HOME/.rhosts |
.Pa ~/.rhosts |
| file, and has one key |
file, and has one key |
| per line, though the lines can be very long). |
per line, though the lines can be very long). |
| After this, the user can log in without giving the password. |
After this, the user can log in without giving the password. |
|
|
| The public key method is similar to RSA authentication described |
The public key method is similar to RSA authentication described |
| in the previous section and allows the RSA or DSA algorithm to be used: |
in the previous section and allows the RSA or DSA algorithm to be used: |
| The client uses his private key, |
The client uses his private key, |
| .Pa $HOME/.ssh/id_dsa |
.Pa ~/.ssh/id_dsa |
| or |
or |
| .Pa $HOME/.ssh/id_rsa , |
.Pa ~/.ssh/id_rsa , |
| to sign the session identifier and sends the result to the server. |
to sign the session identifier and sends the result to the server. |
| The server checks whether the matching public key is listed in |
The server checks whether the matching public key is listed in |
| .Pa $HOME/.ssh/authorized_keys |
.Pa ~/.ssh/authorized_keys |
| and grants access if both the key is found and the signature is correct. |
and grants access if both the key is found and the signature is correct. |
| The session identifier is derived from a shared Diffie-Hellman value |
The session identifier is derived from a shared Diffie-Hellman value |
| and is only known to the client and the server. |
and is only known to the client and the server. |
|
|
| automatically maintains and checks a database containing |
automatically maintains and checks a database containing |
| identifications for all hosts it has ever been used with. |
identifications for all hosts it has ever been used with. |
| Host keys are stored in |
Host keys are stored in |
| .Pa $HOME/.ssh/known_hosts |
.Pa ~/.ssh/known_hosts |
| in the user's home directory. |
in the user's home directory. |
| Additionally, the file |
Additionally, the file |
| .Pa /etc/ssh/ssh_known_hosts |
.Pa /etc/ssh/ssh_known_hosts |
|
|
| .It Fl a |
.It Fl a |
| Disables forwarding of the authentication agent connection. |
Disables forwarding of the authentication agent connection. |
| .It Fl b Ar bind_address |
.It Fl b Ar bind_address |
| Specify the interface to transmit from on machines with multiple |
Use |
| interfaces or aliased addresses. |
.Ar bind_address |
| |
on the local machine as the source address |
| |
of the connection. |
| |
Only useful on systems with more than one address. |
| .It Fl C |
.It Fl C |
| Requests compression of all data (including stdin, stdout, stderr, and |
Requests compression of all data (including stdin, stdout, stderr, and |
| data for forwarded X11 and TCP/IP connections). |
data for forwarded X11 and TCP/IP connections). |
|
|
| .Dq aes128-ctr , |
.Dq aes128-ctr , |
| .Dq aes192-ctr , |
.Dq aes192-ctr , |
| .Dq aes256-ctr , |
.Dq aes256-ctr , |
| |
.Dq arcfour128 , |
| |
.Dq arcfour256 , |
| .Dq arcfour , |
.Dq arcfour , |
| .Dq blowfish-cbc , |
.Dq blowfish-cbc , |
| and |
and |
| .Dq cast128-cbc . |
.Dq cast128-cbc . |
| The default is |
The default is |
| .Bd -literal |
.Bd -literal |
| ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, |
| aes192-cbc,aes256-cbc'' |
arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, |
| |
aes192-ctr,aes256-ctr'' |
| .Ed |
.Ed |
| .It Fl D Ar port |
.It Fl D Ar port |
| Specifies a local |
Specifies a local |
|
|
| .Pq Pa /etc/ssh/ssh_config |
.Pq Pa /etc/ssh/ssh_config |
| will be ignored. |
will be ignored. |
| The default for the per-user configuration file is |
The default for the per-user configuration file is |
| .Pa $HOME/.ssh/config . |
.Pa ~/.ssh/config . |
| .It Fl f |
.It Fl f |
| Requests |
Requests |
| .Nm |
.Nm |
|
|
| Selects a file from which the identity (private key) for |
Selects a file from which the identity (private key) for |
| RSA or DSA authentication is read. |
RSA or DSA authentication is read. |
| The default is |
The default is |
| .Pa $HOME/.ssh/identity |
.Pa ~/.ssh/identity |
| for protocol version 1, and |
for protocol version 1, and |
| .Pa $HOME/.ssh/id_rsa |
.Pa ~/.ssh/id_rsa |
| and |
and |
| .Pa $HOME/.ssh/id_dsa |
.Pa ~/.ssh/id_dsa |
| for protocol version 2. |
for protocol version 2. |
| Identity files may also be specified on |
Identity files may also be specified on |
| a per-host basis in the configuration file. |
a per-host basis in the configuration file. |
|
|
| Additionally, |
Additionally, |
| .Nm |
.Nm |
| reads |
reads |
| .Pa $HOME/.ssh/environment , |
.Pa ~/.ssh/environment , |
| and adds lines of the format |
and adds lines of the format |
| .Dq VARNAME=value |
.Dq VARNAME=value |
| to the environment if the file exists and if users are allowed to |
to the environment if the file exists and if users are allowed to |
|
|
| .Xr sshd_config 5 . |
.Xr sshd_config 5 . |
| .Sh FILES |
.Sh FILES |
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
| .It Pa $HOME/.ssh/known_hosts |
.It Pa ~/.ssh/known_hosts |
| Records host keys for all hosts the user has logged into that are not |
Records host keys for all hosts the user has logged into that are not |
| in |
in |
| .Pa /etc/ssh/ssh_known_hosts . |
.Pa /etc/ssh/ssh_known_hosts . |
| See |
See |
| .Xr sshd 8 . |
.Xr sshd 8 . |
| .It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa |
.It Pa ~/.ssh/identity, ~/.ssh/id_dsa, ~/.ssh/id_rsa |
| Contains the authentication identity of the user. |
Contains the authentication identity of the user. |
| They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. |
They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. |
| These files |
These files |
|
|
| It is possible to specify a passphrase when |
It is possible to specify a passphrase when |
| generating the key; the passphrase will be used to encrypt the |
generating the key; the passphrase will be used to encrypt the |
| sensitive part of this file using 3DES. |
sensitive part of this file using 3DES. |
| .It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub |
.It Pa ~/.ssh/identity.pub, ~/.ssh/id_dsa.pub, ~/.ssh/id_rsa.pub |
| Contains the public key for authentication (public part of the |
Contains the public key for authentication (public part of the |
| identity file in human-readable form). |
identity file in human-readable form). |
| The contents of the |
The contents of the |
| .Pa $HOME/.ssh/identity.pub |
.Pa ~/.ssh/identity.pub |
| file should be added to the file |
file should be added to the file |
| .Pa $HOME/.ssh/authorized_keys |
.Pa ~/.ssh/authorized_keys |
| on all machines |
on all machines |
| where the user wishes to log in using protocol version 1 RSA authentication. |
where the user wishes to log in using protocol version 1 RSA authentication. |
| The contents of the |
The contents of the |
| .Pa $HOME/.ssh/id_dsa.pub |
.Pa ~/.ssh/id_dsa.pub |
| and |
and |
| .Pa $HOME/.ssh/id_rsa.pub |
.Pa ~/.ssh/id_rsa.pub |
| file should be added to |
file should be added to |
| .Pa $HOME/.ssh/authorized_keys |
.Pa ~/.ssh/authorized_keys |
| on all machines |
on all machines |
| where the user wishes to log in using protocol version 2 DSA/RSA authentication. |
where the user wishes to log in using protocol version 2 DSA/RSA authentication. |
| These files are not |
These files are not |
|
|
| These files are |
These files are |
| never used automatically and are not necessary; they are only provided for |
never used automatically and are not necessary; they are only provided for |
| the convenience of the user. |
the convenience of the user. |
| .It Pa $HOME/.ssh/config |
.It Pa ~/.ssh/config |
| This is the per-user configuration file. |
This is the per-user configuration file. |
| The file format and configuration options are described in |
The file format and configuration options are described in |
| .Xr ssh_config 5 . |
.Xr ssh_config 5 . |
| Because of the potential for abuse, this file must have strict permissions: |
Because of the potential for abuse, this file must have strict permissions: |
| read/write for the user, and not accessible by others. |
read/write for the user, and not accessible by others. |
| .It Pa $HOME/.ssh/authorized_keys |
.It Pa ~/.ssh/authorized_keys |
| Lists the public keys (RSA/DSA) that can be used for logging in as this user. |
Lists the public keys (RSA/DSA) that can be used for logging in as this user. |
| The format of this file is described in the |
The format of this file is described in the |
| .Xr sshd 8 |
.Xr sshd 8 |
|
|
| By default |
By default |
| .Nm |
.Nm |
| is not setuid root. |
is not setuid root. |
| .It Pa $HOME/.rhosts |
.It Pa ~/.rhosts |
| This file is used in |
This file is used in |
| .Cm RhostsRSAAuthentication |
.Cm RhostsRSAAuthentication |
| and |
and |
|
|
| If the server machine does not have the client's host key in |
If the server machine does not have the client's host key in |
| .Pa /etc/ssh/ssh_known_hosts , |
.Pa /etc/ssh/ssh_known_hosts , |
| it can be stored in |
it can be stored in |
| .Pa $HOME/.ssh/known_hosts . |
.Pa ~/.ssh/known_hosts . |
| The easiest way to do this is to |
The easiest way to do this is to |
| connect back to the client from the server machine using ssh; this |
connect back to the client from the server machine using ssh; this |
| will automatically add the host key to |
will automatically add the host key to |
| .Pa $HOME/.ssh/known_hosts . |
.Pa ~/.ssh/known_hosts . |
| .It Pa $HOME/.shosts |
.It Pa ~/.shosts |
| This file is used exactly the same way as |
This file is used exactly the same way as |
| .Pa .rhosts . |
.Pa .rhosts . |
| The purpose for |
The purpose for |
|
|
| See the |
See the |
| .Xr sshd 8 |
.Xr sshd 8 |
| manual page for more information. |
manual page for more information. |
| .It Pa $HOME/.ssh/rc |
.It Pa ~/.ssh/rc |
| Commands in this file are executed by |
Commands in this file are executed by |
| .Nm |
.Nm |
| when the user logs in just before the user's shell (or command) is |
when the user logs in just before the user's shell (or command) is |
|
|
| See the |
See the |
| .Xr sshd 8 |
.Xr sshd 8 |
| manual page for more information. |
manual page for more information. |
| .It Pa $HOME/.ssh/environment |
.It Pa ~/.ssh/environment |
| Contains additional definitions for environment variables, see section |
Contains additional definitions for environment variables, see section |
| .Sx ENVIRONMENT |
.Sx ENVIRONMENT |
| above. |
above. |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh