version 1.43, 2000/03/24 03:04:46
version 1.44, 2000/04/12 21:47:51

.Oc
.Op Ar hostname | user@hostname
.Op Ar command
.Sh DESCRIPTION
.Nm
(Secure Shell) is a program for logging into a remote machine and for
executing commands on a remote machine.

arbitrary TCP/IP ports can also be forwarded over the secure channel.
.Pp
.Nm
connects and logs into the specified
.Ar hostname .
The user must prove
his/her identity to the remote machine using one of several methods.

.Pa /etc/shosts.equiv
on the remote machine, and the user names are
the same on both sides, the user is immediately permitted to log in.
Second, if
.Pa \&.rhosts
or
.Pa \&.shosts

or
.Pa /etc/shosts.equiv ,
and if additionally the server can verify the client's
host key (see
.Pa /etc/ssh_known_hosts
and
.Pa $HOME/.ssh/known_hosts

and the rlogin/rsh protocol in general, are inherently insecure and should be
disabled if security is desired.]
.Pp
As a third authentication method,
.Nm
supports RSA based authentication.
The scheme is based on public-key cryptography: there are cryptosystems
where encryption and decryption are done using separate keys, and it
is not possible to derive the decryption key from the encryption key.
RSA is one such system.
The idea is that each user creates a public/private
key pair for authentication purposes.
The server knows the public key, and only the user knows the private key.
The file
.Pa $HOME/.ssh/authorized_keys
lists the public keys that are permitted for logging
in.

implements the RSA authentication protocol automatically.
The user creates his/her RSA key pair by running
.Xr ssh-keygen 1 .
This stores the private key in
.Pa \&.ssh/identity
and the public key in
.Pa \&.ssh/identity.pub
in the user's home directory.
The user should then copy the
.Pa identity.pub
to
.Pa \&.ssh/authorized_keys
in his/her home directory on the remote machine (the
.Pa authorized_keys
file corresponds to the conventional
.Pa \&.rhosts
file, and has one key
per line, though the lines can be very long).

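The key-installation step described above (copy identity.pub into .ssh/authorized_keys on the remote machine, one key per line), as an added shell example that is not part of the ssh(1) manual page or of OpenSSH. It appends the key only when an identical line is not already present, so repeated runs do not duplicate entries, and it leaves the .ssh directory and the file private to the user. The function names `install_pubkey` and `count_keys` and the sample key line in the demo are this example's own; the key is a constructed placeholder in the protocol 1 "bits exponent modulus comment" layout, not real key material.

```sh
#!/bin/sh
# Added example (not from ssh(1) or OpenSSH): install a public key into
# .ssh/authorized_keys the way the manual describes, idempotently and with
# private file modes.  Function names are this example's own.

# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS
#   Appends the one-line public key in PUBKEY_FILE to AUTHORIZED_KEYS unless an
#   identical line is already there.  Creates the directory (mode 700) and the
#   file (mode 600) if needed.  Returns 1 when PUBKEY_FILE holds no key.
install_pubkey() {
    pubkey_file=$1
    auth_file=$2
    key=$(head -n 1 "$pubkey_file")
    if [ -z "$key" ]; then
        echo "install_pubkey: no key found in $pubkey_file" >&2
        return 1
    fi
    auth_dir=$(dirname "$auth_file")
    mkdir -p "$auth_dir"
    chmod 700 "$auth_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"
    # -F -x: compare the whole line literally, so the key material is never
    # interpreted as a regular expression.
    if grep -F -x -q -- "$key" "$auth_file"; then
        return 0            # already installed; nothing to do
    fi
    printf '%s\n' "$key" >> "$auth_file"
}

# count_keys AUTHORIZED_KEYS
#   Prints the number of non-empty lines, i.e. the number of keys (one per line).
count_keys() {
    grep -c . "$1" || true
}

# Demo on constructed data in a scratch directory.  The key below is a made-up
# placeholder, not a real key.
demo_dir=$(mktemp -d)
printf '1024 35 123456789012345678901234567890 alice@client\n' > "$demo_dir/identity.pub"
install_pubkey "$demo_dir/identity.pub" "$demo_dir/.ssh/authorized_keys"
install_pubkey "$demo_dir/identity.pub" "$demo_dir/.ssh/authorized_keys"   # second run is a no-op
echo "keys installed: $(count_keys "$demo_dir/.ssh/authorized_keys")"      # prints 1
rm -rf "$demo_dir"
```

The literal whole-line match is what makes the function safe to run from a provisioning script: a key line contains characters such as `+` and `/` that would otherwise be treated as regular-expression operators, and a partial match would wrongly report an unrelated key as already installed.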
.Xr ssh-agent 1
for more information.
.Pp
If other authentication methods fail,
.Nm
prompts the user for a password.
The password is sent to the remote

with
.Ic ~^Z .
All forwarded connections can be listed with
.Ic ~#
and if
the session blocks waiting for forwarded X11 or TCP/IP
connections to terminate, it can be backgrounded with

configured on the command line or in configuration files.
.Pp
The
.Ev DISPLAY
value set by
.Nm
will point to the server machine, but with a display number greater

.Nm
automatically maintains and checks a database containing RSA-based
identifications for all hosts it has ever been used with.
The database is stored in
.Pa \&.ssh/known_hosts
in the user's home directory.
Additionally, the file
.Pa /etc/ssh_known_hosts
is automatically checked for known hosts.
Any new hosts are automatically added to the user's file.

Disables forwarding of the authentication agent connection.
This may also be specified on a per-host basis in the configuration file.
.It Fl c Ar blowfish|3des
Selects the cipher to use for encrypting the session.
.Ar 3des
is used by default.
It is believed to be secure.
.Ar 3des
(triple-des) is an encrypt-decrypt-encrypt triple with three different keys.
It is presumably more secure than the

.Nm
is going to ask for passwords or passphrases, but the user
wants it in the background.
This implies
.Fl n .
The recommended way to start X11 programs at a remote site is with
something like

.It Fl g
Allows remote hosts to connect to local forwarded ports.
.It Fl i Ar identity_file
Selects the file from which the identity (private key) for
RSA authentication is read.
Default is
.Pa \&.ssh/identity
in the user's home directory.
Identity files may also be specified on

to disable the escape
character entirely (making the connection transparent for binary
data).
.It Cm FallBackToRsh
Specifies that if connecting via
.Nm
fails due to a connection refused error (there is no
.Xr sshd 8
listening on the remote host),
.Xr rsh 1
should automatically be used instead (after a suitable warning about
the session being unencrypted).

.Dq no .
.It Cm ForwardX11
Specifies whether X11 connections will be automatically redirected
over the secure channel and
.Ev DISPLAY
set.
The argument must be
.Dq yes
or
.Dq no .

The default is
.Dq no .
.It Cm GlobalKnownHostsFile
Specifies a file to use instead of
.Pa /etc/ssh_known_hosts .
.It Cm HostName
Specifies the real host name to log into.

.Dq no .
.It Cm StrictHostKeyChecking
If this flag is set to
.Dq yes ,
.Nm
will never automatically add host keys to the
.Pa $HOME/.ssh/known_hosts

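The known-hosts database described earlier (per-user .ssh/known_hosts plus the system-wide /etc/ssh_known_hosts, with new hosts added automatically) and the StrictHostKeyChecking option above both depend on the hosts being recorded before strict mode is switched on, otherwise the first connection to an unrecorded host is refused. The following is an added shell example, not part of the ssh(1) manual page or of OpenSSH, that reports which of a list of hosts has no entry in either file so that an administrator can pre-populate the global file first. It assumes the known_hosts line layout in which the first field is a comma-separated list of host names and only matches those names exactly (pattern entries are not expanded). The function names `host_known` and `unknown_hosts` and the sample file contents are this example's own.

```sh
#!/bin/sh
# Added example (not from ssh(1) or OpenSSH): find hosts that have no entry in
# the user's or the global known_hosts file before enabling
# StrictHostKeyChecking.  Function names and sample data are this example's own.

# host_known HOST FILE...
#   Returns 0 if HOST equals one of the comma-separated names in the first
#   field of any line of the given known_hosts files, 1 otherwise.
#   Comment lines (#) and blank lines are ignored; unreadable files are skipped.
host_known() {
    host=$1
    shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        if awk -v h="$host" '
            /^[ \t]*#/ { next }
            NF == 0    { next }
            { n = split($1, names, ",")
              for (i = 1; i <= n; i++)
                  if (names[i] == h) { found = 1; exit }
            }
            END { exit found ? 0 : 1 }' "$f"; then
            return 0
        fi
    done
    return 1
}

# unknown_hosts USER_FILE GLOBAL_FILE HOST...
#   Prints, one per line, every HOST that appears in neither file.
#   Returns 0 when all hosts are known, 1 when at least one is not.
unknown_hosts() {
    user_file=$1
    global_file=$2
    shift 2
    missing=0
    for h in "$@"; do
        if ! host_known "$h" "$user_file" "$global_file"; then
            echo "$h"
            missing=1
        fi
    done
    return $missing
}

# Demo on constructed files in a scratch directory (the key fields are
# placeholders, not real host keys).
demo_dir=$(mktemp -d)
printf '# constructed sample\ngw.example.com,gw,10.0.0.1 1024 35 1234567890\n' > "$demo_dir/known_hosts"
printf 'build.example.com 1024 35 2222222222\n' > "$demo_dir/ssh_known_hosts"
echo "hosts with no known_hosts entry:"
unknown_hosts "$demo_dir/known_hosts" "$demo_dir/ssh_known_hosts" gw build.example.com new.example.com || true
rm -rf "$demo_dir"
```

Run `unknown_hosts` against the user's file and the global file with the list of hosts the users are expected to reach; anything it prints needs a verified entry added to /etc/ssh_known_hosts (or GlobalKnownHostsFile) before StrictHostKeyChecking is set to yes.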
The
.Ev DISPLAY
variable indicates the location of the X11 server.
It is automatically set by
.Nm
to point to a value of the form
.Dq hostname:n

Set to the name of the user logging in.
.El
.Pp
Additionally,
.Nm
reads
.Pa $HOME/.ssh/environment ,
and adds lines of the format
.Dq VARNAME=value
to the environment.

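A reader of the $HOME/.ssh/environment format just described ("VARNAME=value" lines added to the environment), as an added shell example that is not part of the ssh(1) manual page or of OpenSSH. It exports only well-formed assignments whose name is a valid identifier and skips everything else, and it adds a small deny list for names that change how the shell finds and runs programs; that deny list is a policy of this example, not something ssh(1) itself applies. The function name `load_env_file`, the result variables `ENV_LOADED` and `ENV_SKIPPED`, and the sample file in the demo are this example's own.

```sh
#!/bin/sh
# Added example (not from ssh(1) or OpenSSH): load "VARNAME=value" lines such
# as those in $HOME/.ssh/environment into the current shell, accepting only
# well-formed assignments.  Function and variable names are this example's own.

# load_env_file FILE
#   Exports each "VARNAME=value" line of FILE.  Blank lines, '#' comments,
#   lines without '=', names that are not identifiers, and names on the deny
#   list below are skipped.  Counts are left in ENV_LOADED and ENV_SKIPPED.
#   Must be called directly (not in a subshell) for the exports to persist.
load_env_file() {
    file=$1
    ENV_LOADED=0
    ENV_SKIPPED=0
    # read -r keeps backslashes literal; the "|| [ -n ]" clause still handles
    # a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
        esac
        name=${line%%=*}
        value=${line#*=}
        # No '=' at all: $name would equal the whole line.
        if [ "$name" = "$line" ]; then
            ENV_SKIPPED=$((ENV_SKIPPED + 1))
            continue
        fi
        # Name must be a POSIX identifier: letter or '_' first, then letters,
        # digits or '_' only.
        case $name in
            [A-Za-z_]*) ;;
            *) ENV_SKIPPED=$((ENV_SKIPPED + 1)); continue ;;
        esac
        case $name in
            *[!A-Za-z0-9_]*) ENV_SKIPPED=$((ENV_SKIPPED + 1)); continue ;;
        esac
        # Local policy (this example's, not ssh's): refuse names that alter
        # how the shell itself locates and starts programs.
        case $name in
            PATH|IFS|ENV|LD_*) ENV_SKIPPED=$((ENV_SKIPPED + 1)); continue ;;
        esac
        export "$name=$value"
        ENV_LOADED=$((ENV_LOADED + 1))
    done < "$file"
}

# Demo on a constructed file in a scratch directory.
demo_dir=$(mktemp -d)
printf '# constructed sample\nEDITOR=vi\nQUERY=a=b\nbad name=1\nnoequals\n' > "$demo_dir/environment"
load_env_file "$demo_dir/environment"
echo "loaded=$ENV_LOADED skipped=$ENV_SKIPPED EDITOR=$EDITOR QUERY=$QUERY"   # loaded=2 skipped=2
rm -rf "$demo_dir"
```

Only the first `=` on a line separates name from value, so a value may itself contain `=`; the whole-line checks happen before `export` runs, so a malformed line can never be evaluated by the shell.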
It is possible to specify a passphrase when
generating the key; the passphrase will be used to encrypt the
sensitive part of this file using 3DES.
.It Pa $HOME/.ssh/identity.pub
Contains the public key for authentication (public part of the
identity file in human-readable form).
The contents of this file should be added to

required.
This file should only be writable by root.
.It Pa /etc/shosts.equiv
This file is processed exactly as
.Pa /etc/hosts.equiv .
This file may be useful to permit logins using
.Nm

.Nm
when the user logs in just before the user's shell (or command) is
started.
See the
.Xr sshd 8
manual page for more information.
.It Pa $HOME/.ssh/environment

has been updated to support ssh protocol 1.5, making it compatible with
all other ssh protocol 1 clients and servers.
.It
contains added support for
.Xr kerberos 8
authentication and ticket passing.
.It