| version 1.368, 2016/02/16 07:47:54 |
version 1.369, 2016/02/17 07:38:19 |
|
|
| for details. |
for details. |
| .Pp |
.Pp |
| .It Fl m Ar mac_spec |
.It Fl m Ar mac_spec |
| Additionally, for protocol version 2 a comma-separated list of MAC |
A comma-separated list of MAC (message authentication code) algorithms, |
| (message authentication code) algorithms can |
specified in order of preference. |
| be specified in order of preference. |
|
| See the |
See the |
| .Cm MACs |
.Cm MACs |
| keyword for more information. |
keyword for more information. |
| .Pp |
.Pp |
| .It Fl N |
.It Fl N |
| Do not execute a remote command. |
Do not execute a remote command. |
| This is useful for just forwarding ports |
This is useful for just forwarding ports. |
| (protocol version 2 only). |
|
| .Pp |
.Pp |
| .It Fl n |
.It Fl n |
| Redirects stdin from |
Redirects stdin from |
|
|
| .Pp |
.Pp |
| .It Fl s |
.It Fl s |
| May be used to request invocation of a subsystem on the remote system. |
May be used to request invocation of a subsystem on the remote system. |
| Subsystems are a feature of the SSH2 protocol which facilitate the use |
Subsystems facilitate the use of SSH |
| of SSH as a secure transport for other applications (eg.\& |
as a secure transport for other applications (e.g.\& |
| .Xr sftp 1 ) . |
.Xr sftp 1 ) . |
| The subsystem is specified as the remote command. |
The subsystem is specified as the remote command. |
| .Pp |
.Pp |
|
|
| .Cm ExitOnForwardFailure |
.Cm ExitOnForwardFailure |
| and |
and |
| .Cm ClearAllForwardings . |
.Cm ClearAllForwardings . |
| Works with Protocol version 2 only. |
|
| .Pp |
.Pp |
| .It Fl w Xo |
.It Fl w Xo |
| .Ar local_tun Ns Op : Ns Ar remote_tun |
.Ar local_tun Ns Op : Ns Ar remote_tun |
|
|
| and |
and |
| .Fl 2 |
.Fl 2 |
| options (see above). |
options (see above). |
| Protocol 1 should not be used - it suffers from a number of cryptographic |
Protocol 1 should not be used |
| weaknesses and is only offered to support legacy devices. |
and is only offered to support legacy devices. |
| |
It suffers from a number of cryptographic weaknesses |
| |
and doesn't support many of the advanced features available for protocol 2. |
| .Pp |
.Pp |
| The methods available for authentication are: |
The methods available for authentication are: |
| GSSAPI-based authentication, |
GSSAPI-based authentication, |
|
|
| challenge-response authentication, |
challenge-response authentication, |
| and password authentication. |
and password authentication. |
| Authentication methods are tried in the order specified above, |
Authentication methods are tried in the order specified above, |
| though protocol 2 has a configuration option to change the default order: |
though |
| .Cm PreferredAuthentications . |
.Cm PreferredAuthentications |
| |
can be used to change the default order. |
| .Pp |
.Pp |
| Host-based authentication works as follows: |
Host-based authentication works as follows: |
| If the machine the user logs in from is listed in |
If the machine the user logs in from is listed in |
|
|
| .Nm |
.Nm |
| implements public key authentication protocol automatically, |
implements public key authentication protocol automatically, |
| using one of the DSA, ECDSA, Ed25519 or RSA algorithms. |
using one of the DSA, ECDSA, Ed25519 or RSA algorithms. |
| Protocol 1 is restricted to using only RSA keys, |
|
| but protocol 2 may use any. |
|
| The HISTORY section of |
The HISTORY section of |
| .Xr ssl 8 |
.Xr ssl 8 |
| contains a brief discussion of the DSA and RSA algorithms. |
contains a brief discussion of the DSA and RSA algorithms. |
|
|
| .Pa ~/.ssh/identity |
.Pa ~/.ssh/identity |
| (protocol 1), |
(protocol 1), |
| .Pa ~/.ssh/id_dsa |
.Pa ~/.ssh/id_dsa |
| (protocol 2 DSA), |
(DSA), |
| .Pa ~/.ssh/id_ecdsa |
.Pa ~/.ssh/id_ecdsa |
| (protocol 2 ECDSA), |
(ECDSA), |
| .Pa ~/.ssh/id_ed25519 |
.Pa ~/.ssh/id_ed25519 |
| (protocol 2 Ed25519), |
(Ed25519), |
| or |
or |
| .Pa ~/.ssh/id_rsa |
.Pa ~/.ssh/id_rsa |
| (protocol 2 RSA) |
(RSA) |
| and stores the public key in |
and stores the public key in |
| .Pa ~/.ssh/identity.pub |
.Pa ~/.ssh/identity.pub |
| (protocol 1), |
(protocol 1), |
| .Pa ~/.ssh/id_dsa.pub |
.Pa ~/.ssh/id_dsa.pub |
| (protocol 2 DSA), |
(DSA), |
| .Pa ~/.ssh/id_ecdsa.pub |
.Pa ~/.ssh/id_ecdsa.pub |
| (protocol 2 ECDSA), |
(ECDSA), |
| .Pa ~/.ssh/id_ed25519.pub |
.Pa ~/.ssh/id_ed25519.pub |
| (protocol 2 Ed25519), |
(Ed25519), |
| or |
or |
| .Pa ~/.ssh/id_rsa.pub |
.Pa ~/.ssh/id_rsa.pub |
| (protocol 2 RSA) |
(RSA) |
| in the user's home directory. |
in the user's home directory. |
| The user should then copy the public key |
The user should then copy the public key |
| to |
to |
|
|
| The server sends an arbitrary |
The server sends an arbitrary |
| .Qq challenge |
.Qq challenge |
| text, and prompts for a response. |
text, and prompts for a response. |
| Protocol 2 allows multiple challenges and responses; |
|
| protocol 1 is restricted to just one challenge/response. |
|
| Examples of challenge-response authentication include |
Examples of challenge-response authentication include |
| .Bx |
.Bx |
| Authentication (see |
Authentication (see |
|
|
| Display a list of escape characters. |
Display a list of escape characters. |
| .It Cm ~B |
.It Cm ~B |
| Send a BREAK to the remote system |
Send a BREAK to the remote system |
| (only useful for SSH protocol version 2 and if the peer supports it). |
(only useful if the peer supports it). |
| .It Cm ~C |
.It Cm ~C |
| Open command line. |
Open command line. |
| Currently this allows the addition of port forwardings using the |
Currently this allows the addition of port forwardings using the |
|
|
| option. |
option. |
| .It Cm ~R |
.It Cm ~R |
| Request rekeying of the connection |
Request rekeying of the connection |
| (only useful for SSH protocol version 2 and if the peer supports it). |
(only useful if the peer supports it). |
| .It Cm ~V |
.It Cm ~V |
| Decrease the verbosity |
Decrease the verbosity |
| .Pq Ic LogLevel |
.Pq Ic LogLevel |
|
|
| .It Pa /etc/ssh/ssh_host_rsa_key |
.It Pa /etc/ssh/ssh_host_rsa_key |
| These files contain the private parts of the host keys |
These files contain the private parts of the host keys |
| and are used for host-based authentication. |
and are used for host-based authentication. |
| If protocol version 1 is used, |
|
| .Nm |
|
| must be setuid root, since the host key is readable only by root. |
|
| For protocol version 2, |
|
| .Nm |
|
| uses |
|
| .Xr ssh-keysign 8 |
|
| to access the host keys, |
|
| eliminating the requirement that |
|
| .Nm |
|
| be setuid root when host-based authentication is used. |
|
| By default |
|
| .Nm |
|
| is not setuid root. |
|
| .Pp |
.Pp |
| .It Pa /etc/ssh/ssh_known_hosts |
.It Pa /etc/ssh/ssh_known_hosts |
| Systemwide list of known host keys. |
Systemwide list of known host keys. |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh