| version 1.359, 2015/07/10 06:21:53 |
version 1.360, 2015/07/20 15:39:52 |
|
|
| .Op Fl F Ar configfile |
.Op Fl F Ar configfile |
| .Op Fl I Ar pkcs11 |
.Op Fl I Ar pkcs11 |
| .Op Fl i Ar identity_file |
.Op Fl i Ar identity_file |
| .Op Fl L Oo Ar bind_address : Oc Ns Ar port : Ns Ar host : Ns Ar hostport |
.Op Fl L Ar address |
| .Op Fl l Ar login_name |
.Op Fl l Ar login_name |
| .Op Fl m Ar mac_spec |
.Op Fl m Ar mac_spec |
| .Op Fl O Ar ctl_cmd |
.Op Fl O Ar ctl_cmd |
| .Op Fl o Ar option |
.Op Fl o Ar option |
| .Op Fl p Ar port |
.Op Fl p Ar port |
| .Op Fl Q Cm cipher | cipher-auth | mac | kex | key | protocol-version |
.Op Fl Q Cm cipher | cipher-auth | mac | kex | key | protocol-version |
| .Op Fl R Oo Ar bind_address : Oc Ns Ar port : Ns Ar host : Ns Ar hostport |
.Op Fl R Ar address |
| .Op Fl S Ar ctl_path |
.Op Fl S Ar ctl_path |
| .Op Fl W Ar host : Ns Ar port |
.Op Fl W Ar host : Ns Ar port |
| .Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun |
.Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun |
|
|
| it is executed on the remote host instead of a login shell. |
it is executed on the remote host instead of a login shell. |
| .Pp |
.Pp |
| The options are as follows: |
The options are as follows: |
| .Bl -tag -width Ds |
.Bl -tag -width Ds -compact |
| |
.Pp |
| .It Fl 1 |
.It Fl 1 |
| Forces |
Forces |
| .Nm |
.Nm |
| to try protocol version 1 only. |
to try protocol version 1 only. |
| |
.Pp |
| .It Fl 2 |
.It Fl 2 |
| Forces |
Forces |
| .Nm |
.Nm |
| to try protocol version 2 only. |
to try protocol version 2 only. |
| |
.Pp |
| .It Fl 4 |
.It Fl 4 |
| Forces |
Forces |
| .Nm |
.Nm |
| to use IPv4 addresses only. |
to use IPv4 addresses only. |
| |
.Pp |
| .It Fl 6 |
.It Fl 6 |
| Forces |
Forces |
| .Nm |
.Nm |
| to use IPv6 addresses only. |
to use IPv6 addresses only. |
| |
.Pp |
| .It Fl A |
.It Fl A |
| Enables forwarding of the authentication agent connection. |
Enables forwarding of the authentication agent connection. |
| This can also be specified on a per-host basis in a configuration file. |
This can also be specified on a per-host basis in a configuration file. |
|
|
| An attacker cannot obtain key material from the agent, |
An attacker cannot obtain key material from the agent, |
| however they can perform operations on the keys that enable them to |
however they can perform operations on the keys that enable them to |
| authenticate using the identities loaded into the agent. |
authenticate using the identities loaded into the agent. |
| |
.Pp |
| .It Fl a |
.It Fl a |
| Disables forwarding of the authentication agent connection. |
Disables forwarding of the authentication agent connection. |
| |
.Pp |
| .It Fl b Ar bind_address |
.It Fl b Ar bind_address |
| Use |
Use |
| .Ar bind_address |
.Ar bind_address |
| on the local machine as the source address |
on the local machine as the source address |
| of the connection. |
of the connection. |
| Only useful on systems with more than one address. |
Only useful on systems with more than one address. |
| |
.Pp |
| .It Fl C |
.It Fl C |
| Requests compression of all data (including stdin, stdout, stderr, and |
Requests compression of all data (including stdin, stdout, stderr, and |
| data for forwarded X11, TCP and |
data for forwarded X11, TCP and |
|
|
| configuration files; see the |
configuration files; see the |
| .Cm Compression |
.Cm Compression |
| option. |
option. |
| |
.Pp |
| .It Fl c Ar cipher_spec |
.It Fl c Ar cipher_spec |
| Selects the cipher specification for encrypting the session. |
Selects the cipher specification for encrypting the session. |
| .Pp |
.Pp |
|
|
| keyword in |
keyword in |
| .Xr ssh_config 5 |
.Xr ssh_config 5 |
| for more information. |
for more information. |
| |
.Pp |
| .It Fl D Xo |
.It Fl D Xo |
| .Sm off |
.Sm off |
| .Oo Ar bind_address : Oc |
.Oo Ar bind_address : Oc |
|
|
| empty address or |
empty address or |
| .Sq * |
.Sq * |
| indicates that the port should be available from all interfaces. |
indicates that the port should be available from all interfaces. |
| |
.Pp |
| .It Fl E Ar log_file |
.It Fl E Ar log_file |
| Append debug logs to |
Append debug logs to |
| .Ar log_file |
.Ar log_file |
| instead of standard error. |
instead of standard error. |
| |
.Pp |
| .It Fl e Ar escape_char |
.It Fl e Ar escape_char |
| Sets the escape character for sessions with a pty (default: |
Sets the escape character for sessions with a pty (default: |
| .Ql ~ ) . |
.Ql ~ ) . |
|
|
| Setting the character to |
Setting the character to |
| .Dq none |
.Dq none |
| disables any escapes and makes the session fully transparent. |
disables any escapes and makes the session fully transparent. |
| |
.Pp |
| .It Fl F Ar configfile |
.It Fl F Ar configfile |
| Specifies an alternative per-user configuration file. |
Specifies an alternative per-user configuration file. |
| If a configuration file is given on the command line, |
If a configuration file is given on the command line, |
|
|
| will be ignored. |
will be ignored. |
| The default for the per-user configuration file is |
The default for the per-user configuration file is |
| .Pa ~/.ssh/config . |
.Pa ~/.ssh/config . |
| |
.Pp |
| .It Fl f |
.It Fl f |
| Requests |
Requests |
| .Nm |
.Nm |
|
|
| .Fl f |
.Fl f |
| will wait for all remote port forwards to be successfully established |
will wait for all remote port forwards to be successfully established |
| before placing itself in the background. |
before placing itself in the background. |
| |
.Pp |
| .It Fl G |
.It Fl G |
| Causes |
Causes |
| .Nm |
.Nm |
|
|
| and |
and |
| .Cm Match |
.Cm Match |
| blocks and exit. |
blocks and exit. |
| |
.Pp |
| .It Fl g |
.It Fl g |
| Allows remote hosts to connect to local forwarded ports. |
Allows remote hosts to connect to local forwarded ports. |
| If used on a multiplexed connection, then this option must be specified |
If used on a multiplexed connection, then this option must be specified |
| on the master process. |
on the master process. |
| |
.Pp |
| .It Fl I Ar pkcs11 |
.It Fl I Ar pkcs11 |
| Specify the PKCS#11 shared library |
Specify the PKCS#11 shared library |
| .Nm |
.Nm |
| should use to communicate with a PKCS#11 token providing the user's |
should use to communicate with a PKCS#11 token providing the user's |
| private RSA key. |
private RSA key. |
| |
.Pp |
| .It Fl i Ar identity_file |
.It Fl i Ar identity_file |
| Selects a file from which the identity (private key) for |
Selects a file from which the identity (private key) for |
| public key authentication is read. |
public key authentication is read. |
|
|
| by appending |
by appending |
| .Pa -cert.pub |
.Pa -cert.pub |
| to identity filenames. |
to identity filenames. |
| |
.Pp |
| .It Fl K |
.It Fl K |
| Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI |
Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI |
| credentials to the server. |
credentials to the server. |
| |
.Pp |
| .It Fl k |
.It Fl k |
| Disables forwarding (delegation) of GSSAPI credentials to the server. |
Disables forwarding (delegation) of GSSAPI credentials to the server. |
| |
.Pp |
| .It Fl L Xo |
.It Fl L Xo |
| .Sm off |
.Sm off |
| .Oo Ar bind_address : Oc |
.Oo Ar bind_address : Oc |
| .Ar port : host : hostport |
.Ar port : host : hostport |
| .Sm on |
.Sm on |
| .Xc |
.Xc |
| Specifies that the given port on the local (client) host is to be |
.It Fl L Xo |
| forwarded to the given host and port on the remote side. |
.Sm off |
| This works by allocating a socket to listen to |
.Oo Ar bind_address : Oc |
| |
.Ar port : remote_socket |
| |
.Sm on |
| |
.Xc |
| |
.It Fl L Xo |
| |
.Sm off |
| |
.Ar local_socket : host : hostport |
| |
.Sm on |
| |
.Xc |
| |
.It Fl L Xo |
| |
.Sm off |
| |
.Ar local_socket : remote_socket |
| |
.Sm on |
| |
.Xc |
| |
Specifies that connections to the given TCP port or Unix socket on the local |
| |
(client) host are to be forwarded to the given host and port, or Unix socket, |
| |
on the remote side. |
| |
This works by allocating a socket to listen to either a TCP |
| .Ar port |
.Ar port |
| on the local side, optionally bound to the specified |
on the local side, optionally bound to the specified |
| .Ar bind_address . |
.Ar bind_address , |
| Whenever a connection is made to this port, the |
or to a Unix socket. |
| |
Whenever a connection is made to the local port or socket, the |
| connection is forwarded over the secure channel, and a connection is |
connection is forwarded over the secure channel, and a connection is |
| made to |
made to either |
| .Ar host |
.Ar host |
| port |
port |
| .Ar hostport |
.Ar hostport , |
| |
or the Unix socket |
| |
.Ar remote_socket , |
| from the remote machine. |
from the remote machine. |
| |
.Pp |
| Port forwardings can also be specified in the configuration file. |
Port forwardings can also be specified in the configuration file. |
| IPv6 addresses can be specified by enclosing the address in square brackets. |
|
| Only the superuser can forward privileged ports. |
Only the superuser can forward privileged ports. |
| |
IPv6 addresses can be specified by enclosing the address in square brackets. |
| |
.Pp |
| By default, the local port is bound in accordance with the |
By default, the local port is bound in accordance with the |
| .Cm GatewayPorts |
.Cm GatewayPorts |
| setting. |
setting. |
|
|
| empty address or |
empty address or |
| .Sq * |
.Sq * |
| indicates that the port should be available from all interfaces. |
indicates that the port should be available from all interfaces. |
| |
.Pp |
| .It Fl l Ar login_name |
.It Fl l Ar login_name |
| Specifies the user to log in as on the remote machine. |
Specifies the user to log in as on the remote machine. |
| This also may be specified on a per-host basis in the configuration file. |
This also may be specified on a per-host basis in the configuration file. |
| |
.Pp |
| .It Fl M |
.It Fl M |
| Places the |
Places the |
| .Nm |
.Nm |
|
|
| in |
in |
| .Xr ssh_config 5 |
.Xr ssh_config 5 |
| for details. |
for details. |
| |
.Pp |
| .It Fl m Ar mac_spec |
.It Fl m Ar mac_spec |
| Additionally, for protocol version 2 a comma-separated list of MAC |
Additionally, for protocol version 2 a comma-separated list of MAC |
| (message authentication code) algorithms can |
(message authentication code) algorithms can |
|
|
| See the |
See the |
| .Cm MACs |
.Cm MACs |
| keyword for more information. |
keyword for more information. |
| |
.Pp |
| .It Fl N |
.It Fl N |
| Do not execute a remote command. |
Do not execute a remote command. |
| This is useful for just forwarding ports |
This is useful for just forwarding ports |
| (protocol version 2 only). |
(protocol version 2 only). |
| |
.Pp |
| .It Fl n |
.It Fl n |
| Redirects stdin from |
Redirects stdin from |
| .Pa /dev/null |
.Pa /dev/null |
|
|
| needs to ask for a password or passphrase; see also the |
needs to ask for a password or passphrase; see also the |
| .Fl f |
.Fl f |
| option.) |
option.) |
| |
.Pp |
| .It Fl O Ar ctl_cmd |
.It Fl O Ar ctl_cmd |
| Control an active connection multiplexing master process. |
Control an active connection multiplexing master process. |
| When the |
When the |
|
|
| (request the master to exit), and |
(request the master to exit), and |
| .Dq stop |
.Dq stop |
| (request the master to stop accepting further multiplexing requests). |
(request the master to stop accepting further multiplexing requests). |
| |
.Pp |
| .It Fl o Ar option |
.It Fl o Ar option |
| Can be used to give options in the format used in the configuration file. |
Can be used to give options in the format used in the configuration file. |
| This is useful for specifying options for which there is no separate |
This is useful for specifying options for which there is no separate |
|
|
| .It VisualHostKey |
.It VisualHostKey |
| .It XAuthLocation |
.It XAuthLocation |
| .El |
.El |
| |
.Pp |
| .It Fl p Ar port |
.It Fl p Ar port |
| Port to connect to on the remote host. |
Port to connect to on the remote host. |
| This can be specified on a |
This can be specified on a |
| per-host basis in the configuration file. |
per-host basis in the configuration file. |
| |
.Pp |
| .It Fl Q Cm cipher | cipher-auth | mac | kex | key | protocol-version |
.It Fl Q Cm cipher | cipher-auth | mac | kex | key | protocol-version |
| Queries |
Queries |
| .Nm |
.Nm |
|
|
| (key types) and |
(key types) and |
| .Ar protocol-version |
.Ar protocol-version |
| (supported SSH protocol versions). |
(supported SSH protocol versions). |
| |
.Pp |
| .It Fl q |
.It Fl q |
| Quiet mode. |
Quiet mode. |
| Causes most warning and diagnostic messages to be suppressed. |
Causes most warning and diagnostic messages to be suppressed. |
| |
.Pp |
| .It Fl R Xo |
.It Fl R Xo |
| .Sm off |
.Sm off |
| .Oo Ar bind_address : Oc |
.Oo Ar bind_address : Oc |
| .Ar port : host : hostport |
.Ar port : host : hostport |
| .Sm on |
.Sm on |
| .Xc |
.Xc |
| Specifies that the given port on the remote (server) host is to be |
.It Fl R Xo |
| forwarded to the given host and port on the local side. |
.Sm off |
| This works by allocating a socket to listen to |
.Oo Ar bind_address : Oc |
| |
.Ar port : local_socket |
| |
.Sm on |
| |
.Xc |
| |
.It Fl R Xo |
| |
.Sm off |
| |
.Ar remote_socket : host : hostport |
| |
.Sm on |
| |
.Xc |
| |
.It Fl R Xo |
| |
.Sm off |
| |
.Ar remote_socket : local_socket |
| |
.Sm on |
| |
.Xc |
| |
Specifies that connections to the given TCP port or Unix socket on the remote |
| |
(server) host are to be forwarded to the given host and port, or Unix socket, |
| |
on the local side. |
| |
This works by allocating a socket to listen to either a TCP |
| .Ar port |
.Ar port |
| on the remote side, and whenever a connection is made to this port, the |
or to a Unix socket on the remote side. |
| connection is forwarded over the secure channel, and a connection is |
Whenever a connection is made to this port or Unix socket, the |
| made to |
connection is forwarded over the secure channel, and a connection |
| |
is made to either |
| .Ar host |
.Ar host |
| port |
port |
| .Ar hostport |
.Ar hostport , |
| |
or |
| |
.Ar local_socket , |
| from the local machine. |
from the local machine. |
| .Pp |
.Pp |
| Port forwardings can also be specified in the configuration file. |
Port forwardings can also be specified in the configuration file. |
|
|
| logging in as root on the remote machine. |
logging in as root on the remote machine. |
| IPv6 addresses can be specified by enclosing the address in square brackets. |
IPv6 addresses can be specified by enclosing the address in square brackets. |
| .Pp |
.Pp |
| By default, the listening socket on the server will be bound to the loopback |
By default, TCP listening sockets on the server will be bound to the loopback |
| interface only. |
interface only. |
| This may be overridden by specifying a |
This may be overridden by specifying a |
| .Ar bind_address . |
.Ar bind_address . |
|
|
| When used together with |
When used together with |
| .Ic -O forward |
.Ic -O forward |
| the allocated port will be printed to the standard output. |
the allocated port will be printed to the standard output. |
| |
.Pp |
| .It Fl S Ar ctl_path |
.It Fl S Ar ctl_path |
| Specifies the location of a control socket for connection sharing, |
Specifies the location of a control socket for connection sharing, |
| or the string |
or the string |
|
|
| in |
in |
| .Xr ssh_config 5 |
.Xr ssh_config 5 |
| for details. |
for details. |
| |
.Pp |
| .It Fl s |
.It Fl s |
| May be used to request invocation of a subsystem on the remote system. |
May be used to request invocation of a subsystem on the remote system. |
| Subsystems are a feature of the SSH2 protocol which facilitate the use |
Subsystems are a feature of the SSH2 protocol which facilitate the use |
| of SSH as a secure transport for other applications (eg.\& |
of SSH as a secure transport for other applications (eg.\& |
| .Xr sftp 1 ) . |
.Xr sftp 1 ) . |
| The subsystem is specified as the remote command. |
The subsystem is specified as the remote command. |
| |
.Pp |
| .It Fl T |
.It Fl T |
| Disable pseudo-terminal allocation. |
Disable pseudo-terminal allocation. |
| |
.Pp |
| .It Fl t |
.It Fl t |
| Force pseudo-terminal allocation. |
Force pseudo-terminal allocation. |
| This can be used to execute arbitrary |
This can be used to execute arbitrary |
|
|
| options force tty allocation, even if |
options force tty allocation, even if |
| .Nm |
.Nm |
| has no local tty. |
has no local tty. |
| |
.Pp |
| .It Fl V |
.It Fl V |
| Display the version number and exit. |
Display the version number and exit. |
| |
.Pp |
| .It Fl v |
.It Fl v |
| Verbose mode. |
Verbose mode. |
| Causes |
Causes |
|
|
| .Fl v |
.Fl v |
| options increase the verbosity. |
options increase the verbosity. |
| The maximum is 3. |
The maximum is 3. |
| |
.Pp |
| .It Fl W Ar host : Ns Ar port |
.It Fl W Ar host : Ns Ar port |
| Requests that standard input and output on the client be forwarded to |
Requests that standard input and output on the client be forwarded to |
| .Ar host |
.Ar host |
|
|
| and |
and |
| .Cm ClearAllForwardings . |
.Cm ClearAllForwardings . |
| Works with Protocol version 2 only. |
Works with Protocol version 2 only. |
| |
.Pp |
| .It Fl w Xo |
.It Fl w Xo |
| .Ar local_tun Ns Op : Ns Ar remote_tun |
.Ar local_tun Ns Op : Ns Ar remote_tun |
| .Xc |
.Xc |
|
|
| .Cm Tunnel |
.Cm Tunnel |
| directive is unset, it is set to the default tunnel mode, which is |
directive is unset, it is set to the default tunnel mode, which is |
| .Dq point-to-point . |
.Dq point-to-point . |
| |
.Pp |
| .It Fl X |
.It Fl X |
| Enables X11 forwarding. |
Enables X11 forwarding. |
| This can also be specified on a per-host basis in a configuration file. |
This can also be specified on a per-host basis in a configuration file. |
|
|
| directive in |
directive in |
| .Xr ssh_config 5 |
.Xr ssh_config 5 |
| for more information. |
for more information. |
| |
.Pp |
| .It Fl x |
.It Fl x |
| Disables X11 forwarding. |
Disables X11 forwarding. |
| |
.Pp |
| .It Fl Y |
.It Fl Y |
| Enables trusted X11 forwarding. |
Enables trusted X11 forwarding. |
| Trusted X11 forwardings are not subjected to the X11 SECURITY extension |
Trusted X11 forwardings are not subjected to the X11 SECURITY extension |
| controls. |
controls. |
| |
.Pp |
| .It Fl y |
.It Fl y |
| Send log information using the |
Send log information using the |
| .Xr syslog 3 |
.Xr syslog 3 |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh