| version 1.43, 2000/03/24 03:04:46 |
version 1.44, 2000/04/12 21:47:51 |
|
|
| .Oc |
.Oc |
| .Op Ar hostname | user@hostname |
.Op Ar hostname | user@hostname |
| .Op Ar command |
.Op Ar command |
| .Sh DESCRIPTION |
.Sh DESCRIPTION |
| .Nm |
.Nm |
| (Secure Shell) is a program for logging into a remote machine and for |
(Secure Shell) is a program for logging into a remote machine and for |
| executing commands on a remote machine. |
executing commands on a remote machine. |
|
|
| arbitrary TCP/IP ports can also be forwarded over the secure channel. |
arbitrary TCP/IP ports can also be forwarded over the secure channel. |
| .Pp |
.Pp |
| .Nm |
.Nm |
| connects and logs into the specified |
connects and logs into the specified |
| .Ar hostname . |
.Ar hostname . |
| The user must prove |
The user must prove |
| his/her identity to the remote machine using one of several methods. |
his/her identity to the remote machine using one of several methods. |
|
|
| .Pa /etc/shosts.equiv |
.Pa /etc/shosts.equiv |
| on the remote machine, and the user names are |
on the remote machine, and the user names are |
| the same on both sides, the user is immediately permitted to log in. |
the same on both sides, the user is immediately permitted to log in. |
| Second, if |
Second, if |
| .Pa \&.rhosts |
.Pa \&.rhosts |
| or |
or |
| .Pa \&.shosts |
.Pa \&.shosts |
|
|
| or |
or |
| .Pa /etc/shosts.equiv , |
.Pa /etc/shosts.equiv , |
| and if additionally the server can verify the client's |
and if additionally the server can verify the client's |
| host key (see |
host key (see |
| .Pa /etc/ssh_known_hosts |
.Pa /etc/ssh_known_hosts |
| and |
and |
| .Pa $HOME/.ssh/known_hosts |
.Pa $HOME/.ssh/known_hosts |
|
|
| and the rlogin/rsh protocol in general, are inherently insecure and should be |
and the rlogin/rsh protocol in general, are inherently insecure and should be |
| disabled if security is desired.] |
disabled if security is desired.] |
| .Pp |
.Pp |
| As a third authentication method, |
As a third authentication method, |
| .Nm |
.Nm |
| supports RSA based authentication. |
supports RSA based authentication. |
| The scheme is based on public-key cryptography: there are cryptosystems |
The scheme is based on public-key cryptography: there are cryptosystems |
| where encryption and decryption are done using separate keys, and it |
where encryption and decryption are done using separate keys, and it |
| is not possible to derive the decryption key from the encryption key. |
is not possible to derive the decryption key from the encryption key. |
| RSA is one such system. |
RSA is one such system. |
| The idea is that each user creates a public/private |
The idea is that each user creates a public/private |
| key pair for authentication purposes. |
key pair for authentication purposes. |
| The server knows the public key, and only the user knows the private key. |
The server knows the public key, and only the user knows the private key. |
| The file |
The file |
| .Pa $HOME/.ssh/authorized_keys |
.Pa $HOME/.ssh/authorized_keys |
| lists the public keys that are permitted for logging |
lists the public keys that are permitted for logging |
| in. |
in. |
|
|
| implements the RSA authentication protocol automatically. |
implements the RSA authentication protocol automatically. |
| The user creates his/her RSA key pair by running |
The user creates his/her RSA key pair by running |
| .Xr ssh-keygen 1 . |
.Xr ssh-keygen 1 . |
| This stores the private key in |
This stores the private key in |
| .Pa \&.ssh/identity |
.Pa \&.ssh/identity |
| and the public key in |
and the public key in |
| .Pa \&.ssh/identity.pub |
.Pa \&.ssh/identity.pub |
| in the user's home directory. |
in the user's home directory. |
| The user should then copy the |
The user should then copy the |
| .Pa identity.pub |
.Pa identity.pub |
| to |
to |
| .Pa \&.ssh/authorized_keys |
.Pa \&.ssh/authorized_keys |
| in his/her home directory on the remote machine (the |
in his/her home directory on the remote machine (the |
| .Pa authorized_keys |
.Pa authorized_keys |
| file corresponds to the conventional |
file corresponds to the conventional |
| .Pa \&.rhosts |
.Pa \&.rhosts |
| file, and has one key |
file, and has one key |
| per line, though the lines can be very long). |
per line, though the lines can be very long). |
|
|
| .Xr ssh-agent 1 |
.Xr ssh-agent 1 |
| for more information. |
for more information. |
| .Pp |
.Pp |
| If other authentication methods fail, |
If other authentication methods fail, |
| .Nm |
.Nm |
| prompts the user for a password. |
prompts the user for a password. |
| The password is sent to the remote |
The password is sent to the remote |
|
|
| with |
with |
| .Ic ~^Z . |
.Ic ~^Z . |
| All forwarded connections can be listed with |
All forwarded connections can be listed with |
| .Ic ~# |
.Ic ~# |
| and if |
and if |
| the session blocks waiting for forwarded X11 or TCP/IP |
the session blocks waiting for forwarded X11 or TCP/IP |
| connections to terminate, it can be backgrounded with |
connections to terminate, it can be backgrounded with |
|
|
| configured on the command line or in configuration files. |
configured on the command line or in configuration files. |
| .Pp |
.Pp |
| The |
The |
| .Ev DISPLAY |
.Ev DISPLAY |
| value set by |
value set by |
| .Nm |
.Nm |
| will point to the server machine, but with a display number greater |
will point to the server machine, but with a display number greater |
|
|
| .Nm |
.Nm |
| automatically maintains and checks a database containing RSA-based |
automatically maintains and checks a database containing RSA-based |
| identifications for all hosts it has ever been used with. |
identifications for all hosts it has ever been used with. |
| The database is stored in |
The database is stored in |
| .Pa \&.ssh/known_hosts |
.Pa \&.ssh/known_hosts |
| in the user's home directory. |
in the user's home directory. |
| Additionally, the file |
Additionally, the file |
| .Pa /etc/ssh_known_hosts |
.Pa /etc/ssh_known_hosts |
| is automatically checked for known hosts. |
is automatically checked for known hosts. |
| Any new hosts are automatically added to the user's file. |
Any new hosts are automatically added to the user's file. |
|
|
| Disables forwarding of the authentication agent connection. |
Disables forwarding of the authentication agent connection. |
| This may also be specified on a per-host basis in the configuration file. |
This may also be specified on a per-host basis in the configuration file. |
| .It Fl c Ar blowfish|3des |
.It Fl c Ar blowfish|3des |
| Selects the cipher to use for encrypting the session. |
Selects the cipher to use for encrypting the session. |
| .Ar 3des |
.Ar 3des |
| is used by default. |
is used by default. |
| It is believed to be secure. |
It is believed to be secure. |
| .Ar 3des |
.Ar 3des |
| (triple-des) is an encrypt-decrypt-encrypt triple with three different keys. |
(triple-des) is an encrypt-decrypt-encrypt triple with three different keys. |
| It is presumably more secure than the |
It is presumably more secure than the |
|
|
| .Nm |
.Nm |
| is going to ask for passwords or passphrases, but the user |
is going to ask for passwords or passphrases, but the user |
| wants it in the background. |
wants it in the background. |
| This implies |
This implies |
| .Fl n . |
.Fl n . |
| The recommended way to start X11 programs at a remote site is with |
The recommended way to start X11 programs at a remote site is with |
| something like |
something like |
|
|
| .It Fl g |
.It Fl g |
| Allows remote hosts to connect to local forwarded ports. |
Allows remote hosts to connect to local forwarded ports. |
| .It Fl i Ar identity_file |
.It Fl i Ar identity_file |
| Selects the file from which the identity (private key) for |
Selects the file from which the identity (private key) for |
| RSA authentication is read. |
RSA authentication is read. |
| Default is |
Default is |
| .Pa \&.ssh/identity |
.Pa \&.ssh/identity |
| in the user's home directory. |
in the user's home directory. |
| Identity files may also be specified on |
Identity files may also be specified on |
|
|
| to disable the escape |
to disable the escape |
| character entirely (making the connection transparent for binary |
character entirely (making the connection transparent for binary |
| data). |
data). |
| .It Cm FallBackToRsh |
.It Cm FallBackToRsh |
| Specifies that if connecting via |
Specifies that if connecting via |
| .Nm |
.Nm |
| fails due to a connection refused error (there is no |
fails due to a connection refused error (there is no |
| .Xr sshd 8 |
.Xr sshd 8 |
| listening on the remote host), |
listening on the remote host), |
| .Xr rsh 1 |
.Xr rsh 1 |
| should automatically be used instead (after a suitable warning about |
should automatically be used instead (after a suitable warning about |
| the session being unencrypted). |
the session being unencrypted). |
|
|
| .Dq no . |
.Dq no . |
| .It Cm ForwardX11 |
.It Cm ForwardX11 |
| Specifies whether X11 connections will be automatically redirected |
Specifies whether X11 connections will be automatically redirected |
| over the secure channel and |
over the secure channel and |
| .Ev DISPLAY |
.Ev DISPLAY |
| set. |
set. |
| The argument must be |
The argument must be |
| .Dq yes |
.Dq yes |
| or |
or |
| .Dq no . |
.Dq no . |
|
|
| The default is |
The default is |
| .Dq no . |
.Dq no . |
| .It Cm GlobalKnownHostsFile |
.It Cm GlobalKnownHostsFile |
| Specifies a file to use instead of |
Specifies a file to use instead of |
| .Pa /etc/ssh_known_hosts . |
.Pa /etc/ssh_known_hosts . |
| .It Cm HostName |
.It Cm HostName |
| Specifies the real host name to log into. |
Specifies the real host name to log into. |
|
|
| .Dq no . |
.Dq no . |
| .It Cm StrictHostKeyChecking |
.It Cm StrictHostKeyChecking |
| If this flag is set to |
If this flag is set to |
| .Dq yes , |
.Dq yes , |
| .Nm |
.Nm |
| ssh will never automatically add host keys to the |
ssh will never automatically add host keys to the |
| .Pa $HOME/.ssh/known_hosts |
.Pa $HOME/.ssh/known_hosts |
|
|
| The |
The |
| .Ev DISPLAY |
.Ev DISPLAY |
| variable indicates the location of the X11 server. |
variable indicates the location of the X11 server. |
| It is automatically set by |
It is automatically set by |
| .Nm |
.Nm |
| to point to a value of the form |
to point to a value of the form |
| .Dq hostname:n |
.Dq hostname:n |
|
|
| Set to the name of the user logging in. |
Set to the name of the user logging in. |
| .El |
.El |
| .Pp |
.Pp |
| Additionally, |
Additionally, |
| .Nm |
.Nm |
| reads |
reads |
| .Pa $HOME/.ssh/environment , |
.Pa $HOME/.ssh/environment , |
| and adds lines of the format |
and adds lines of the format |
| .Dq VARNAME=value |
.Dq VARNAME=value |
| to the environment. |
to the environment. |
|
|
| It is possible to specify a passphrase when |
It is possible to specify a passphrase when |
| generating the key; the passphrase will be used to encrypt the |
generating the key; the passphrase will be used to encrypt the |
| sensitive part of this file using 3DES. |
sensitive part of this file using 3DES. |
| .It Pa $HOME/.ssh/identity.pub |
.It Pa $HOME/.ssh/identity.pub |
| Contains the public key for authentication (public part of the |
Contains the public key for authentication (public part of the |
| identity file in human-readable form). |
identity file in human-readable form). |
| The contents of this file should be added to |
The contents of this file should be added to |
|
|
| required. |
required. |
| This file should only be writable by root. |
This file should only be writable by root. |
| .It Pa /etc/shosts.equiv |
.It Pa /etc/shosts.equiv |
| This file is processed exactly as |
This file is processed exactly as |
| .Pa /etc/hosts.equiv . |
.Pa /etc/hosts.equiv . |
| This file may be useful to permit logins using |
This file may be useful to permit logins using |
| .Nm |
.Nm |
|
|
| .Nm |
.Nm |
| when the user logs in just before the user's shell (or command) is |
when the user logs in just before the user's shell (or command) is |
| started. |
started. |
| See the |
See the |
| .Xr sshd 8 |
.Xr sshd 8 |
| manual page for more information. |
manual page for more information. |
| .It Pa $HOME/.ssh/environment |
.It Pa $HOME/.ssh/environment |
|
|
| has been updated to support ssh protocol 1.5, making it compatible with |
has been updated to support ssh protocol 1.5, making it compatible with |
| all other ssh protocol 1 clients and servers. |
all other ssh protocol 1 clients and servers. |
| .It |
.It |
| contains added support for |
contains added support for |
| .Xr kerberos 8 |
.Xr kerberos 8 |
| authentication and ticket passing. |
authentication and ticket passing. |
| .It |
.It |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh