| version 1.257.2.2, 2006/11/08 00:17:14 |
version 1.258, 2006/03/16 04:24:42 |
|
|
| .Oc |
.Oc |
| .Op Fl S Ar ctl_path |
.Op Fl S Ar ctl_path |
| .Bk -words |
.Bk -words |
| .Oo Fl w Ar local_tun Ns |
.Op Fl w Ar tunnel : Ns Ar tunnel |
| .Op : Ns Ar remote_tun Oc |
|
| .Oo Ar user Ns @ Oc Ns Ar hostname |
.Oo Ar user Ns @ Oc Ns Ar hostname |
| .Op Ar command |
.Op Ar command |
| .Ek |
.Ek |
|
|
| .It ControlPath |
.It ControlPath |
| .It DynamicForward |
.It DynamicForward |
| .It EscapeChar |
.It EscapeChar |
| .It ExitOnForwardFailure |
|
| .It ForwardAgent |
.It ForwardAgent |
| .It ForwardX11 |
.It ForwardX11 |
| .It ForwardX11Trusted |
.It ForwardX11Trusted |
|
|
| .Fl v |
.Fl v |
| options increase the verbosity. |
options increase the verbosity. |
| The maximum is 3. |
The maximum is 3. |
| .It Fl w Xo |
.It Fl w Ar tunnel : Ns Ar tunnel |
| .Ar local_tun Ns Op : Ns Ar remote_tun |
Requests a |
| .Xc |
|
| Requests |
|
| tunnel |
|
| device forwarding with the specified |
|
| .Xr tun 4 |
.Xr tun 4 |
| devices between the client |
device on the client |
| .Pq Ar local_tun |
(first |
| and the server |
.Ar tunnel |
| .Pq Ar remote_tun . |
arg) |
| .Pp |
and server |
| |
(second |
| |
.Ar tunnel |
| |
arg). |
| The devices may be specified by numerical ID or the keyword |
The devices may be specified by numerical ID or the keyword |
| .Dq any , |
.Dq any , |
| which uses the next available tunnel device. |
which uses the next available tunnel device. |
| If |
|
| .Ar remote_tun |
|
| is not specified, it defaults to |
|
| .Dq any . |
|
| See also the |
See also the |
| .Cm Tunnel |
.Cm Tunnel |
| and |
directive in |
| .Cm TunnelDevice |
|
| directives in |
|
| .Xr ssh_config 5 . |
.Xr ssh_config 5 . |
| If the |
|
| .Cm Tunnel |
|
| directive is unset, it is set to the default tunnel mode, which is |
|
| .Dq point-to-point . |
|
| .It Fl X |
.It Fl X |
| Enables X11 forwarding. |
Enables X11 forwarding. |
| This can also be specified on a per-host basis in a configuration file. |
This can also be specified on a per-host basis in a configuration file. |
|
|
| integrity of the connection. |
integrity of the connection. |
| .Pp |
.Pp |
| The methods available for authentication are: |
The methods available for authentication are: |
| GSSAPI-based authentication, |
|
| host-based authentication, |
host-based authentication, |
| public key authentication, |
public key authentication, |
| challenge-response authentication, |
challenge-response authentication, |
|
|
| options (see above). |
options (see above). |
| It also allows the cancellation of existing remote port-forwardings |
It also allows the cancellation of existing remote port-forwardings |
| using |
using |
| .Sm off |
.Fl KR Ar hostport . |
| .Fl KR Oo Ar bind_address : Oc Ar port . |
|
| .Sm on |
|
| .Ic !\& Ns Ar command |
.Ic !\& Ns Ar command |
| allows the user to execute a local command if the |
allows the user to execute a local command if the |
| .Ic PermitLocalCommand |
.Ic PermitLocalCommand |
|
|
| The SSHFP resource records should first be added to the zonefile for |
The SSHFP resource records should first be added to the zonefile for |
| host.example.com: |
host.example.com: |
| .Bd -literal -offset indent |
.Bd -literal -offset indent |
| $ ssh-keygen -r host.example.com. |
$ ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r host.example.com. |
| |
$ ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r host.example.com. |
| .Ed |
.Ed |
| .Pp |
.Pp |
| The output lines will have to be added to the zonefile. |
The output lines will have to be added to the zonefile. |
|
|
| and at what level (layer 2 or 3 traffic). |
and at what level (layer 2 or 3 traffic). |
| .Pp |
.Pp |
| The following example would connect client network 10.0.50.0/24 |
The following example would connect client network 10.0.50.0/24 |
| with remote network 10.0.99.0/24 using a point-to-point connection |
with remote network 10.0.99.0/24, provided that the SSH server |
| from 10.1.1.1 to 10.1.1.2, |
running on the gateway to the remote network, |
| provided that the SSH server running on the gateway to the remote network, |
at 192.168.1.15, allows it: |
| at 192.168.1.15, allows it. |
|
| .Pp |
|
| On the client: |
|
| .Bd -literal -offset indent |
.Bd -literal -offset indent |
| # ssh -f -w 0:1 192.168.1.15 true |
# ssh -f -w 0:1 192.168.1.15 true |
| # ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252 |
# ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252 |
| # route add 10.0.99.0/24 10.1.1.2 |
|
| .Ed |
.Ed |
| .Pp |
.Pp |
| On the server: |
|
| .Bd -literal -offset indent |
|
| # ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252 |
|
| # route add 10.0.50.0/24 10.1.1.1 |
|
| .Ed |
|
| .Pp |
|
| Client access may be more finely tuned via the |
Client access may be more finely tuned via the |
| .Pa /root/.ssh/authorized_keys |
.Pa /root/.ssh/authorized_keys |
| file (see below) and the |
file (see below) and the |
|
|
| tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john |
tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john |
| .Ed |
.Ed |
| .Pp |
.Pp |
| Since an SSH-based setup entails a fair amount of overhead, |
Since a SSH-based setup entails a fair amount of overhead, |
| it may be more suited to temporary setups, |
it may be more suited to temporary setups, |
| such as for wireless VPNs. |
such as for wireless VPNs. |
| More permanent VPNs are better provided by tools such as |
More permanent VPNs are better provided by tools such as |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh