version 1.368, 2016/02/16 07:47:54 |
version 1.369, 2016/02/17 07:38:19 |
|
|
for details. |
for details. |
.Pp |
.Pp |
.It Fl m Ar mac_spec |
.It Fl m Ar mac_spec |
Additionally, for protocol version 2 a comma-separated list of MAC |
A comma-separated list of MAC (message authentication code) algorithms, |
(message authentication code) algorithms can |
specified in order of preference. |
be specified in order of preference. |
|
See the |
See the |
.Cm MACs |
.Cm MACs |
keyword for more information. |
keyword for more information. |
.Pp |
.Pp |
.It Fl N |
.It Fl N |
Do not execute a remote command. |
Do not execute a remote command. |
This is useful for just forwarding ports |
This is useful for just forwarding ports. |
(protocol version 2 only). |
|
.Pp |
.Pp |
.It Fl n |
.It Fl n |
Redirects stdin from |
Redirects stdin from |
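Review bot: the rewritten -m text on the right ("A comma-separated list of MAC (message authentication code) algorithms, / specified in order of preference.") has lost its verb together with the "for protocol version 2" qualifier and now reads as a fragment. Either keep "can be specified in order of preference" from the left side or drop the comma so it parses as a noun phrase. The -N change ("This is useful for just forwarding ports.") is fine as is.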
|
|
.Pp |
.Pp |
.It Fl s |
.It Fl s |
May be used to request invocation of a subsystem on the remote system. |
May be used to request invocation of a subsystem on the remote system. |
Subsystems are a feature of the SSH2 protocol which facilitate the use |
Subsystems facilitate the use of SSH |
of SSH as a secure transport for other applications (eg.\& |
as a secure transport for other applications (e.g.\& |
.Xr sftp 1 ) . |
.Xr sftp 1 ) . |
The subsystem is specified as the remote command. |
The subsystem is specified as the remote command. |
.Pp |
.Pp |
|
|
.Cm ExitOnForwardFailure |
.Cm ExitOnForwardFailure |
and |
and |
.Cm ClearAllForwardings . |
.Cm ClearAllForwardings . |
Works with Protocol version 2 only. |
|
.Pp |
.Pp |
.It Fl w Xo |
.It Fl w Xo |
.Ar local_tun Ns Op : Ns Ar remote_tun |
.Ar local_tun Ns Op : Ns Ar remote_tun |
|
|
and |
and |
.Fl 2 |
.Fl 2 |
options (see above). |
options (see above). |
Protocol 1 should not be used - it suffers from a number of cryptographic |
Protocol 1 should not be used |
weaknesses and is only offered to support legacy devices. |
and is only offered to support legacy devices. |
|
It suffers from a number of cryptographic weaknesses |
|
and doesn't support many of the advanced features available for protocol 2. |
.Pp |
.Pp |
The methods available for authentication are: |
The methods available for authentication are: |
GSSAPI-based authentication, |
GSSAPI-based authentication, |
|
|
challenge-response authentication, |
challenge-response authentication, |
and password authentication. |
and password authentication. |
Authentication methods are tried in the order specified above, |
Authentication methods are tried in the order specified above, |
though protocol 2 has a configuration option to change the default order: |
though |
.Cm PreferredAuthentications . |
.Cm PreferredAuthentications |
|
can be used to change the default order. |
.Pp |
.Pp |
Host-based authentication works as follows: |
Host-based authentication works as follows: |
If the machine the user logs in from is listed in |
If the machine the user logs in from is listed in |
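Review bot: the new wording "though .Cm PreferredAuthentications / can be used to change the default order." does not say where that keyword is documented. The -m entry above handles the same case with "See the .Cm MACs keyword for more information."; since PreferredAuthentications is a ssh_config(5) option, adding a ".Xr ssh_config 5" reference here, or the same "See the ... keyword" phrasing, would keep the two entries consistent.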
|
|
.Nm |
.Nm |
implements public key authentication protocol automatically, |
implements public key authentication protocol automatically, |
using one of the DSA, ECDSA, Ed25519 or RSA algorithms. |
using one of the DSA, ECDSA, Ed25519 or RSA algorithms. |
Protocol 1 is restricted to using only RSA keys, |
|
but protocol 2 may use any. |
|
The HISTORY section of |
The HISTORY section of |
.Xr ssl 8 |
.Xr ssl 8 |
contains a brief discussion of the DSA and RSA algorithms. |
contains a brief discussion of the DSA and RSA algorithms. |
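Review bot: with the protocol 1 RSA-only restriction removed, the surviving sentence "implements public key authentication protocol automatically, / using one of the DSA, ECDSA, Ed25519 or RSA algorithms." is the whole description and it is missing an article: "implements the public key authentication protocol". Worth fixing while this hunk is open. The unchanged pointer to "The HISTORY section of .Xr ssl 8" is still accurate but, as the line itself says, covers only "the DSA and RSA algorithms", not the ECDSA and Ed25519 ones the sentence now lists without qualification.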
|
|
.Pa ~/.ssh/identity |
.Pa ~/.ssh/identity |
(protocol 1), |
(protocol 1), |
.Pa ~/.ssh/id_dsa |
.Pa ~/.ssh/id_dsa |
(protocol 2 DSA), |
(DSA), |
.Pa ~/.ssh/id_ecdsa |
.Pa ~/.ssh/id_ecdsa |
(protocol 2 ECDSA), |
(ECDSA), |
.Pa ~/.ssh/id_ed25519 |
.Pa ~/.ssh/id_ed25519 |
(protocol 2 Ed25519), |
(Ed25519), |
or |
or |
.Pa ~/.ssh/id_rsa |
.Pa ~/.ssh/id_rsa |
(protocol 2 RSA) |
(RSA) |
and stores the public key in |
and stores the public key in |
.Pa ~/.ssh/identity.pub |
.Pa ~/.ssh/identity.pub |
(protocol 1), |
(protocol 1), |
.Pa ~/.ssh/id_dsa.pub |
.Pa ~/.ssh/id_dsa.pub |
(protocol 2 DSA), |
(DSA), |
.Pa ~/.ssh/id_ecdsa.pub |
.Pa ~/.ssh/id_ecdsa.pub |
(protocol 2 ECDSA), |
(ECDSA), |
.Pa ~/.ssh/id_ed25519.pub |
.Pa ~/.ssh/id_ed25519.pub |
(protocol 2 Ed25519), |
(Ed25519), |
or |
or |
.Pa ~/.ssh/id_rsa.pub |
.Pa ~/.ssh/id_rsa.pub |
(protocol 2 RSA) |
(RSA) |
in the user's home directory. |
in the user's home directory. |
The user should then copy the public key |
The user should then copy the public key |
to |
to |
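Review bot: the "(protocol 2 ...)" labels are dropped from id_dsa, id_ecdsa, id_ed25519 and id_rsa and their .pub counterparts, but ".Pa ~/.ssh/identity / (protocol 1)," keeps its label in both the private and the public key list. That only works if the reader already knows the four unlabelled files are protocol 2 keys; either keep a short qualifier for them or say next to ~/.ssh/identity that it is the legacy protocol 1 key, so the contrast the old labels carried is not lost.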
|
|
The server sends an arbitrary |
The server sends an arbitrary |
.Qq challenge |
.Qq challenge |
text, and prompts for a response. |
text, and prompts for a response. |
Protocol 2 allows multiple challenges and responses; |
|
protocol 1 is restricted to just one challenge/response. |
|
Examples of challenge-response authentication include |
Examples of challenge-response authentication include |
.Bx |
.Bx |
Authentication (see |
Authentication (see |
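Review bot: dropping "Protocol 2 allows multiple challenges and responses; / protocol 1 is restricted to just one challenge/response." removes more than the protocol 1 half. A challenge-response exchange may involve several prompts, and the surviving text ("The server sends an arbitrary .Qq challenge text, and prompts for a response.") now implies exactly one. Suggest keeping a protocol-neutral sentence, for example "Multiple challenges and responses may be exchanged.", ahead of the examples.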
|
|
Display a list of escape characters. |
Display a list of escape characters. |
.It Cm ~B |
.It Cm ~B |
Send a BREAK to the remote system |
Send a BREAK to the remote system |
(only useful for SSH protocol version 2 and if the peer supports it). |
(only useful if the peer supports it). |
.It Cm ~C |
.It Cm ~C |
Open command line. |
Open command line. |
Currently this allows the addition of port forwardings using the |
Currently this allows the addition of port forwardings using the |
|
|
option. |
option. |
.It Cm ~R |
.It Cm ~R |
Request rekeying of the connection |
Request rekeying of the connection |
(only useful for SSH protocol version 2 and if the peer supports it). |
(only useful if the peer supports it). |
.It Cm ~V |
.It Cm ~V |
Decrease the verbosity |
Decrease the verbosity |
.Pq Ic LogLevel |
.Pq Ic LogLevel |
|
|
.It Pa /etc/ssh/ssh_host_rsa_key |
.It Pa /etc/ssh/ssh_host_rsa_key |
These files contain the private parts of the host keys |
These files contain the private parts of the host keys |
and are used for host-based authentication. |
and are used for host-based authentication. |
If protocol version 1 is used, |
|
.Nm |
|
must be setuid root, since the host key is readable only by root. |
|
For protocol version 2, |
|
.Nm |
|
uses |
|
.Xr ssh-keysign 8 |
|
to access the host keys, |
|
eliminating the requirement that |
|
.Nm |
|
be setuid root when host-based authentication is used. |
|
By default |
|
.Nm |
|
is not setuid root. |
|
.Pp |
.Pp |
.It Pa /etc/ssh/ssh_known_hosts |
.It Pa /etc/ssh/ssh_known_hosts |
Systemwide list of known host keys. |
Systemwide list of known host keys. |
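Review bot: the paragraph removed under /etc/ssh/ssh_host_rsa_key is only half protocol 1 material. The lines ".Nm / uses / .Xr ssh-keysign 8 / to access the host keys" and "By default .Nm is not setuid root." describe current behaviour for host-based authentication, and this FILES entry was the only place the page explained how a non-setuid ssh reads host keys that are readable only by root. Suggest keeping a protocol-neutral version, for example: "These files contain the private parts of the host keys and are used for host-based authentication. .Nm uses .Xr ssh-keysign 8 to access them, so .Nm need not be setuid root." The sentence about protocol 1 requiring a setuid-root ssh can go.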