version 1.359, 2015/07/10 06:21:53 |
version 1.360, 2015/07/20 15:39:52 |
|
|
.Op Fl F Ar configfile |
.Op Fl F Ar configfile |
.Op Fl I Ar pkcs11 |
.Op Fl I Ar pkcs11 |
.Op Fl i Ar identity_file |
.Op Fl i Ar identity_file |
.Op Fl L Oo Ar bind_address : Oc Ns Ar port : Ns Ar host : Ns Ar hostport |
.Op Fl L Ar address |
.Op Fl l Ar login_name |
.Op Fl l Ar login_name |
.Op Fl m Ar mac_spec |
.Op Fl m Ar mac_spec |
.Op Fl O Ar ctl_cmd |
.Op Fl O Ar ctl_cmd |
.Op Fl o Ar option |
.Op Fl o Ar option |
.Op Fl p Ar port |
.Op Fl p Ar port |
.Op Fl Q Cm cipher | cipher-auth | mac | kex | key | protocol-version |
.Op Fl Q Cm cipher | cipher-auth | mac | kex | key | protocol-version |
.Op Fl R Oo Ar bind_address : Oc Ns Ar port : Ns Ar host : Ns Ar hostport |
.Op Fl R Ar address |
.Op Fl S Ar ctl_path |
.Op Fl S Ar ctl_path |
.Op Fl W Ar host : Ns Ar port |
.Op Fl W Ar host : Ns Ar port |
.Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun |
.Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun |
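Review bot: The synopsis lines ".Op Fl L Ar address" and ".Op Fl R Ar address" introduce an argument name, address, that the -L and -R descriptions never use. Those descriptions only speak of bind_address, port, host, hostport, local_socket and remote_socket, so a reader has nothing to map address to, and it is easy to confuse with bind_address. Add a sentence under each option stating that address in the synopsis stands for any of the forms listed there, or choose a name that cannot be mistaken for bind_address.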
|
|
it is executed on the remote host instead of a login shell. |
it is executed on the remote host instead of a login shell. |
.Pp |
.Pp |
The options are as follows: |
The options are as follows: |
.Bl -tag -width Ds |
.Bl -tag -width Ds -compact |
|
.Pp |
.It Fl 1 |
.It Fl 1 |
Forces |
Forces |
.Nm |
.Nm |
to try protocol version 1 only. |
to try protocol version 1 only. |
|
.Pp |
.It Fl 2 |
.It Fl 2 |
Forces |
Forces |
.Nm |
.Nm |
to try protocol version 2 only. |
to try protocol version 2 only. |
|
.Pp |
.It Fl 4 |
.It Fl 4 |
Forces |
Forces |
.Nm |
.Nm |
to use IPv4 addresses only. |
to use IPv4 addresses only. |
|
.Pp |
.It Fl 6 |
.It Fl 6 |
Forces |
Forces |
.Nm |
.Nm |
to use IPv6 addresses only. |
to use IPv6 addresses only. |
|
.Pp |
.It Fl A |
.It Fl A |
Enables forwarding of the authentication agent connection. |
Enables forwarding of the authentication agent connection. |
This can also be specified on a per-host basis in a configuration file. |
This can also be specified on a per-host basis in a configuration file. |
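Review bot: With ".Bl -tag -width Ds -compact", the spacing between options now depends on a hand-written .Pp in front of every .It, starting with the one placed directly after .Bl and ahead of ".It Fl 1", and nothing in the file says so. A later option added without its .Pp will run straight into the previous entry with no visual break. A comment line next to .Bl would help: it should note that -compact is presumably there so the stacked ".It Fl L Xo" and ".It Fl R Xo" heads can share one description, and that every other entry needs its own .Pp.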
|
|
An attacker cannot obtain key material from the agent, |
An attacker cannot obtain key material from the agent, |
however they can perform operations on the keys that enable them to |
however they can perform operations on the keys that enable them to |
authenticate using the identities loaded into the agent. |
authenticate using the identities loaded into the agent. |
|
.Pp |
.It Fl a |
.It Fl a |
Disables forwarding of the authentication agent connection. |
Disables forwarding of the authentication agent connection. |
|
.Pp |
.It Fl b Ar bind_address |
.It Fl b Ar bind_address |
Use |
Use |
.Ar bind_address |
.Ar bind_address |
on the local machine as the source address |
on the local machine as the source address |
of the connection. |
of the connection. |
Only useful on systems with more than one address. |
Only useful on systems with more than one address. |
|
.Pp |
.It Fl C |
.It Fl C |
Requests compression of all data (including stdin, stdout, stderr, and |
Requests compression of all data (including stdin, stdout, stderr, and |
data for forwarded X11, TCP and |
data for forwarded X11, TCP and |
|
|
configuration files; see the |
configuration files; see the |
.Cm Compression |
.Cm Compression |
option. |
option. |
|
.Pp |
.It Fl c Ar cipher_spec |
.It Fl c Ar cipher_spec |
Selects the cipher specification for encrypting the session. |
Selects the cipher specification for encrypting the session. |
.Pp |
.Pp |
|
|
keyword in |
keyword in |
.Xr ssh_config 5 |
.Xr ssh_config 5 |
for more information. |
for more information. |
|
.Pp |
.It Fl D Xo |
.It Fl D Xo |
.Sm off |
.Sm off |
.Oo Ar bind_address : Oc |
.Oo Ar bind_address : Oc |
|
|
empty address or |
empty address or |
.Sq * |
.Sq * |
indicates that the port should be available from all interfaces. |
indicates that the port should be available from all interfaces. |
|
.Pp |
.It Fl E Ar log_file |
.It Fl E Ar log_file |
Append debug logs to |
Append debug logs to |
.Ar log_file |
.Ar log_file |
instead of standard error. |
instead of standard error. |
|
.Pp |
.It Fl e Ar escape_char |
.It Fl e Ar escape_char |
Sets the escape character for sessions with a pty (default: |
Sets the escape character for sessions with a pty (default: |
.Ql ~ ) . |
.Ql ~ ) . |
|
|
Setting the character to |
Setting the character to |
.Dq none |
.Dq none |
disables any escapes and makes the session fully transparent. |
disables any escapes and makes the session fully transparent. |
|
.Pp |
.It Fl F Ar configfile |
.It Fl F Ar configfile |
Specifies an alternative per-user configuration file. |
Specifies an alternative per-user configuration file. |
If a configuration file is given on the command line, |
If a configuration file is given on the command line, |
|
|
will be ignored. |
will be ignored. |
The default for the per-user configuration file is |
The default for the per-user configuration file is |
.Pa ~/.ssh/config . |
.Pa ~/.ssh/config . |
|
.Pp |
.It Fl f |
.It Fl f |
Requests |
Requests |
.Nm |
.Nm |
|
|
.Fl f |
.Fl f |
will wait for all remote port forwards to be successfully established |
will wait for all remote port forwards to be successfully established |
before placing itself in the background. |
before placing itself in the background. |
|
.Pp |
.It Fl G |
.It Fl G |
Causes |
Causes |
.Nm |
.Nm |
|
|
and |
and |
.Cm Match |
.Cm Match |
blocks and exit. |
blocks and exit. |
|
.Pp |
.It Fl g |
.It Fl g |
Allows remote hosts to connect to local forwarded ports. |
Allows remote hosts to connect to local forwarded ports. |
If used on a multiplexed connection, then this option must be specified |
If used on a multiplexed connection, then this option must be specified |
on the master process. |
on the master process. |
|
.Pp |
.It Fl I Ar pkcs11 |
.It Fl I Ar pkcs11 |
Specify the PKCS#11 shared library |
Specify the PKCS#11 shared library |
.Nm |
.Nm |
should use to communicate with a PKCS#11 token providing the user's |
should use to communicate with a PKCS#11 token providing the user's |
private RSA key. |
private RSA key. |
|
.Pp |
.It Fl i Ar identity_file |
.It Fl i Ar identity_file |
Selects a file from which the identity (private key) for |
Selects a file from which the identity (private key) for |
public key authentication is read. |
public key authentication is read. |
|
|
by appending |
by appending |
.Pa -cert.pub |
.Pa -cert.pub |
to identity filenames. |
to identity filenames. |
|
.Pp |
.It Fl K |
.It Fl K |
Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI |
Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI |
credentials to the server. |
credentials to the server. |
|
.Pp |
.It Fl k |
.It Fl k |
Disables forwarding (delegation) of GSSAPI credentials to the server. |
Disables forwarding (delegation) of GSSAPI credentials to the server. |
|
.Pp |
.It Fl L Xo |
.It Fl L Xo |
.Sm off |
.Sm off |
.Oo Ar bind_address : Oc |
.Oo Ar bind_address : Oc |
.Ar port : host : hostport |
.Ar port : host : hostport |
.Sm on |
.Sm on |
.Xc |
.Xc |
Specifies that the given port on the local (client) host is to be |
.It Fl L Xo |
forwarded to the given host and port on the remote side. |
.Sm off |
This works by allocating a socket to listen to |
.Oo Ar bind_address : Oc |
|
.Ar port : remote_socket |
|
.Sm on |
|
.Xc |
|
.It Fl L Xo |
|
.Sm off |
|
.Ar local_socket : host : hostport |
|
.Sm on |
|
.Xc |
|
.It Fl L Xo |
|
.Sm off |
|
.Ar local_socket : remote_socket |
|
.Sm on |
|
.Xc |
|
Specifies that connections to the given TCP port or Unix socket on the local |
|
(client) host are to be forwarded to the given host and port, or Unix socket, |
|
on the remote side. |
|
This works by allocating a socket to listen to either a TCP |
.Ar port |
.Ar port |
on the local side, optionally bound to the specified |
on the local side, optionally bound to the specified |
.Ar bind_address . |
.Ar bind_address , |
Whenever a connection is made to this port, the |
or to a Unix socket. |
|
Whenever a connection is made to the local port or socket, the |
connection is forwarded over the secure channel, and a connection is |
connection is forwarded over the secure channel, and a connection is |
made to |
made to either |
.Ar host |
.Ar host |
port |
port |
.Ar hostport |
.Ar hostport , |
|
or the Unix socket |
|
.Ar remote_socket , |
from the remote machine. |
from the remote machine. |
|
.Pp |
Port forwardings can also be specified in the configuration file. |
Port forwardings can also be specified in the configuration file. |
IPv6 addresses can be specified by enclosing the address in square brackets. |
|
Only the superuser can forward privileged ports. |
Only the superuser can forward privileged ports. |
|
IPv6 addresses can be specified by enclosing the address in square brackets. |
|
.Pp |
By default, the local port is bound in accordance with the |
By default, the local port is bound in accordance with the |
.Cm GatewayPorts |
.Cm GatewayPorts |
setting. |
setting. |
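Review bot: The unchanged sentences at the end of the -L text still read as if only TCP forwarding existed: "Only the superuser can forward privileged ports." and "By default, the local port is bound in accordance with the GatewayPorts setting." Now that the listener can be a local_socket, it is unclear whether either statement applies to Unix sockets. The -R text was tightened to "TCP listening sockets" for the same reason, so qualify these the same way (for example "the local TCP port") to keep the binding and privilege rules unambiguous.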
|
|
empty address or |
empty address or |
.Sq * |
.Sq * |
indicates that the port should be available from all interfaces. |
indicates that the port should be available from all interfaces. |
|
.Pp |
.It Fl l Ar login_name |
.It Fl l Ar login_name |
Specifies the user to log in as on the remote machine. |
Specifies the user to log in as on the remote machine. |
This also may be specified on a per-host basis in the configuration file. |
This also may be specified on a per-host basis in the configuration file. |
|
.Pp |
.It Fl M |
.It Fl M |
Places the |
Places the |
.Nm |
.Nm |
|
|
in |
in |
.Xr ssh_config 5 |
.Xr ssh_config 5 |
for details. |
for details. |
|
.Pp |
.It Fl m Ar mac_spec |
.It Fl m Ar mac_spec |
Additionally, for protocol version 2 a comma-separated list of MAC |
Additionally, for protocol version 2 a comma-separated list of MAC |
(message authentication code) algorithms can |
(message authentication code) algorithms can |
|
|
See the |
See the |
.Cm MACs |
.Cm MACs |
keyword for more information. |
keyword for more information. |
|
.Pp |
.It Fl N |
.It Fl N |
Do not execute a remote command. |
Do not execute a remote command. |
This is useful for just forwarding ports |
This is useful for just forwarding ports |
(protocol version 2 only). |
(protocol version 2 only). |
|
.Pp |
.It Fl n |
.It Fl n |
Redirects stdin from |
Redirects stdin from |
.Pa /dev/null |
.Pa /dev/null |
|
|
needs to ask for a password or passphrase; see also the |
needs to ask for a password or passphrase; see also the |
.Fl f |
.Fl f |
option.) |
option.) |
|
.Pp |
.It Fl O Ar ctl_cmd |
.It Fl O Ar ctl_cmd |
Control an active connection multiplexing master process. |
Control an active connection multiplexing master process. |
When the |
When the |
|
|
(request the master to exit), and |
(request the master to exit), and |
.Dq stop |
.Dq stop |
(request the master to stop accepting further multiplexing requests). |
(request the master to stop accepting further multiplexing requests). |
|
.Pp |
.It Fl o Ar option |
.It Fl o Ar option |
Can be used to give options in the format used in the configuration file. |
Can be used to give options in the format used in the configuration file. |
This is useful for specifying options for which there is no separate |
This is useful for specifying options for which there is no separate |
|
|
.It VisualHostKey |
.It VisualHostKey |
.It XAuthLocation |
.It XAuthLocation |
.El |
.El |
|
.Pp |
.It Fl p Ar port |
.It Fl p Ar port |
Port to connect to on the remote host. |
Port to connect to on the remote host. |
This can be specified on a |
This can be specified on a |
per-host basis in the configuration file. |
per-host basis in the configuration file. |
|
.Pp |
.It Fl Q Cm cipher | cipher-auth | mac | kex | key | protocol-version |
.It Fl Q Cm cipher | cipher-auth | mac | kex | key | protocol-version |
Queries |
Queries |
.Nm |
.Nm |
|
|
(key types) and |
(key types) and |
.Ar protocol-version |
.Ar protocol-version |
(supported SSH protocol versions). |
(supported SSH protocol versions). |
|
.Pp |
.It Fl q |
.It Fl q |
Quiet mode. |
Quiet mode. |
Causes most warning and diagnostic messages to be suppressed. |
Causes most warning and diagnostic messages to be suppressed. |
|
.Pp |
.It Fl R Xo |
.It Fl R Xo |
.Sm off |
.Sm off |
.Oo Ar bind_address : Oc |
.Oo Ar bind_address : Oc |
.Ar port : host : hostport |
.Ar port : host : hostport |
.Sm on |
.Sm on |
.Xc |
.Xc |
Specifies that the given port on the remote (server) host is to be |
.It Fl R Xo |
forwarded to the given host and port on the local side. |
.Sm off |
This works by allocating a socket to listen to |
.Oo Ar bind_address : Oc |
|
.Ar port : local_socket |
|
.Sm on |
|
.Xc |
|
.It Fl R Xo |
|
.Sm off |
|
.Ar remote_socket : host : hostport |
|
.Sm on |
|
.Xc |
|
.It Fl R Xo |
|
.Sm off |
|
.Ar remote_socket : local_socket |
|
.Sm on |
|
.Xc |
|
Specifies that connections to the given TCP port or Unix socket on the remote |
|
(server) host are to be forwarded to the given host and port, or Unix socket, |
|
on the local side. |
|
This works by allocating a socket to listen to either a TCP |
.Ar port |
.Ar port |
on the remote side, and whenever a connection is made to this port, the |
or to a Unix socket on the remote side. |
connection is forwarded over the secure channel, and a connection is |
Whenever a connection is made to this port or Unix socket, the |
made to |
connection is forwarded over the secure channel, and a connection |
|
is made to either |
.Ar host |
.Ar host |
port |
port |
.Ar hostport |
.Ar hostport , |
|
or |
|
.Ar local_socket , |
from the local machine. |
from the local machine. |
.Pp |
.Pp |
Port forwardings can also be specified in the configuration file. |
Port forwardings can also be specified in the configuration file. |
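Review bot: The new -R wording does not match the -L wording it mirrors. Here the destination is given as "or" followed by ".Ar local_socket ," while -L says "or the Unix socket" before ".Ar remote_socket ,", and here the listener is "this port or Unix socket" while -L says "the local port or socket". Use the same phrasing in both places, preferably the explicit "or the Unix socket" form, so the two descriptions can be read side by side without guessing whether the difference is meaningful.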
|
|
logging in as root on the remote machine. |
logging in as root on the remote machine. |
IPv6 addresses can be specified by enclosing the address in square brackets. |
IPv6 addresses can be specified by enclosing the address in square brackets. |
.Pp |
.Pp |
By default, the listening socket on the server will be bound to the loopback |
By default, TCP listening sockets on the server will be bound to the loopback |
interface only. |
interface only. |
This may be overridden by specifying a |
This may be overridden by specifying a |
.Ar bind_address . |
.Ar bind_address . |
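Review bot: Narrowing the default-binding sentence to "TCP listening sockets on the server will be bound to the loopback interface only" leaves the remote_socket case with no stated default in this hunk. For a listener created on the server, who is able to connect to it is the security-relevant detail. Unless the text that follows already covers it, add a sentence saying what governs access to a forwarded Unix socket on the remote side, or a cross-reference to where that is documented.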
|
|
When used together with |
When used together with |
.Ic -O forward |
.Ic -O forward |
the allocated port will be printed to the standard output. |
the allocated port will be printed to the standard output. |
|
.Pp |
.It Fl S Ar ctl_path |
.It Fl S Ar ctl_path |
Specifies the location of a control socket for connection sharing, |
Specifies the location of a control socket for connection sharing, |
or the string |
or the string |
|
|
in |
in |
.Xr ssh_config 5 |
.Xr ssh_config 5 |
for details. |
for details. |
|
.Pp |
.It Fl s |
.It Fl s |
May be used to request invocation of a subsystem on the remote system. |
May be used to request invocation of a subsystem on the remote system. |
Subsystems are a feature of the SSH2 protocol which facilitate the use |
Subsystems are a feature of the SSH2 protocol which facilitate the use |
of SSH as a secure transport for other applications (eg.\& |
of SSH as a secure transport for other applications (eg.\& |
.Xr sftp 1 ) . |
.Xr sftp 1 ) . |
The subsystem is specified as the remote command. |
The subsystem is specified as the remote command. |
|
.Pp |
.It Fl T |
.It Fl T |
Disable pseudo-terminal allocation. |
Disable pseudo-terminal allocation. |
|
.Pp |
.It Fl t |
.It Fl t |
Force pseudo-terminal allocation. |
Force pseudo-terminal allocation. |
This can be used to execute arbitrary |
This can be used to execute arbitrary |
|
|
options force tty allocation, even if |
options force tty allocation, even if |
.Nm |
.Nm |
has no local tty. |
has no local tty. |
|
.Pp |
.It Fl V |
.It Fl V |
Display the version number and exit. |
Display the version number and exit. |
|
.Pp |
.It Fl v |
.It Fl v |
Verbose mode. |
Verbose mode. |
Causes |
Causes |
|
|
.Fl v |
.Fl v |
options increase the verbosity. |
options increase the verbosity. |
The maximum is 3. |
The maximum is 3. |
|
.Pp |
.It Fl W Ar host : Ns Ar port |
.It Fl W Ar host : Ns Ar port |
Requests that standard input and output on the client be forwarded to |
Requests that standard input and output on the client be forwarded to |
.Ar host |
.Ar host |
|
|
and |
and |
.Cm ClearAllForwardings . |
.Cm ClearAllForwardings . |
Works with Protocol version 2 only. |
Works with Protocol version 2 only. |
|
.Pp |
.It Fl w Xo |
.It Fl w Xo |
.Ar local_tun Ns Op : Ns Ar remote_tun |
.Ar local_tun Ns Op : Ns Ar remote_tun |
.Xc |
.Xc |
|
|
.Cm Tunnel |
.Cm Tunnel |
directive is unset, it is set to the default tunnel mode, which is |
directive is unset, it is set to the default tunnel mode, which is |
.Dq point-to-point . |
.Dq point-to-point . |
|
.Pp |
.It Fl X |
.It Fl X |
Enables X11 forwarding. |
Enables X11 forwarding. |
This can also be specified on a per-host basis in a configuration file. |
This can also be specified on a per-host basis in a configuration file. |
|
|
directive in |
directive in |
.Xr ssh_config 5 |
.Xr ssh_config 5 |
for more information. |
for more information. |
|
.Pp |
.It Fl x |
.It Fl x |
Disables X11 forwarding. |
Disables X11 forwarding. |
|
.Pp |
.It Fl Y |
.It Fl Y |
Enables trusted X11 forwarding. |
Enables trusted X11 forwarding. |
Trusted X11 forwardings are not subjected to the X11 SECURITY extension |
Trusted X11 forwardings are not subjected to the X11 SECURITY extension |
controls. |
controls. |
|
.Pp |
.It Fl y |
.It Fl y |
Send log information using the |
Send log information using the |
.Xr syslog 3 |
.Xr syslog 3 |