version 1.52.2.5, 2001/03/21 18:53:11 |
version 1.53, 2000/05/15 06:54:03 |
|
|
.\" -*- nroff -*- |
.\" -*- nroff -*- |
.\" |
.\" |
|
.\" ssh.1.in |
|
.\" |
.\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
.\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
|
.\" |
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
.\" All rights reserved |
.\" All rights reserved |
.\" |
.\" |
.\" As far as I am concerned, the code I have written for this software |
.\" Created: Sat Apr 22 21:55:14 1995 ylo |
.\" can be used freely for any purpose. Any derived versions of this |
|
.\" software must be clearly marked as such, and if the derived work is |
|
.\" incompatible with the protocol description in the RFC file, it must be |
|
.\" called by a name other than "ssh" or "Secure Shell". |
|
.\" |
.\" |
.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. |
.\" $Id$ |
.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. |
|
.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. |
|
.\" |
.\" |
.\" Redistribution and use in source and binary forms, with or without |
|
.\" modification, are permitted provided that the following conditions |
|
.\" are met: |
|
.\" 1. Redistributions of source code must retain the above copyright |
|
.\" notice, this list of conditions and the following disclaimer. |
|
.\" 2. Redistributions in binary form must reproduce the above copyright |
|
.\" notice, this list of conditions and the following disclaimer in the |
|
.\" documentation and/or other materials provided with the distribution. |
|
.\" |
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
|
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
|
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
|
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
|
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
|
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
|
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
|
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
|
.\" |
|
.\" $OpenBSD$ |
|
.Dd September 25, 1999 |
.Dd September 25, 1999 |
.Dt SSH 1 |
.Dt SSH 1 |
.Os |
.Os |
.Sh NAME |
.Sh NAME |
.Nm ssh |
.Nm ssh |
.Nd OpenSSH SSH client (remote login program) |
.Nd OpenSSH secure shell client (remote login program) |
.Sh SYNOPSIS |
.Sh SYNOPSIS |
.Nm ssh |
.Nm ssh |
.Op Fl l Ar login_name |
.Op Fl l Ar login_name |
|
|
.Op Ar command |
.Op Ar command |
.Pp |
.Pp |
.Nm ssh |
.Nm ssh |
.Op Fl afgknqstvxACNPTX1246 |
.Op Fl afgknqtvxCNPTX246 |
.Op Fl c Ar cipher_spec |
.Op Fl c Ar cipher_spec |
.Op Fl e Ar escape_char |
.Op Fl e Ar escape_char |
.Op Fl i Ar identity_file |
.Op Fl i Ar identity_file |
.Op Fl l Ar login_name |
.Op Fl l Ar login_name |
.Op Fl m Ar mac_spec |
|
.Op Fl o Ar option |
.Op Fl o Ar option |
.Op Fl p Ar port |
.Op Fl p Ar port |
.Oo Fl L Xo |
.Oo Fl L Xo |
|
|
.Op Ar command |
.Op Ar command |
.Sh DESCRIPTION |
.Sh DESCRIPTION |
.Nm |
.Nm |
(SSH client) is a program for logging into a remote machine and for |
(Secure Shell) is a program for logging into a remote machine and for |
executing commands on a remote machine. |
executing commands on a remote machine. |
It is intended to replace |
It is intended to replace |
rlogin and rsh, and provide secure encrypted communications between |
rlogin and rsh, and provide secure encrypted communications between |
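Review bot: the DESCRIPTION now opens with `.Nm` followed by "(SSH client)", which renders as "ssh (SSH client) is a program for logging into a remote machine", a parenthetical that merely repeats the NAME line; the old "(Secure Shell)" at least expanded the abbreviation. Either keep "(Secure Shell)" or restructure to "ssh is the OpenSSH client for logging into a remote machine and executing commands there."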
|
|
If this method fails password authentication is tried. |
If this method fails password authentication is tried. |
.Pp |
.Pp |
The public key method is similar to RSA authentication described |
The public key method is similar to RSA authentication described |
in the previous section except that the DSA or RSA algorithm is used |
in the previous section except that the DSA algorithm is used |
instead. |
instead of the patented RSA algorithm. |
The client uses his private key |
The client uses his private DSA key |
.Pa $HOME/.ssh/id_dsa |
.Pa $HOME/.ssh/id_dsa |
to sign the session identifier and sends the result to the server. |
to sign the session identifier and sends the result to the server. |
The server checks whether the matching public key is listed in |
The server checks whether the matching public key is listed in |
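Review bot: this hunk changes the public key method to "the DSA or RSA algorithm", but the next sentence still names only `$HOME/.ssh/id_dsa` as the private key the client signs with, so the location of a protocol 2 RSA identity is left undocumented. Either name the file used for each algorithm or say "the private key for the chosen algorithm (by default $HOME/.ssh/id_dsa for DSA)". Also "The client uses his private key" reads better as "its private key".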
|
|
.Pp |
.Pp |
Protocol 2 provides additional mechanisms for confidentiality |
Protocol 2 provides additional mechanisms for confidentiality |
(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) |
(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) |
and integrity (hmac-md5, hmac-sha1). |
and integrity (hmac-sha1, hmac-md5). |
Note that protocol 1 lacks a strong mechanism for ensuring the |
Note that protocol 1 lacks a strong mechanism for ensuring the |
integrity of the connection. |
integrity of the connection. |
.Pp |
.Pp |
|
|
.Dq none |
.Dq none |
will also make the session transparent even if a tty is used. |
will also make the session transparent even if a tty is used. |
.Pp |
.Pp |
The session terminates when the command or shell on the remote |
The session terminates when the command or shell in on the remote |
machine exits and all X11 and TCP/IP connections have been closed. |
machine exists and all X11 and TCP/IP connections have been closed. |
The exit status of the remote program is returned as the exit status |
The exit status of the remote program is returned as the exit status |
of |
of |
.Nm ssh . |
.Nm ssh . |
|
|
Forwarding of arbitrary TCP/IP connections over the secure channel can |
Forwarding of arbitrary TCP/IP connections over the secure channel can |
be specified either on command line or in a configuration file. |
be specified either on command line or in a configuration file. |
One possible application of TCP/IP forwarding is a secure connection to an |
One possible application of TCP/IP forwarding is a secure connection to an |
electronic purse; another is going through firewalls. |
electronic purse; another is going trough firewalls. |
.Pp |
.Pp |
.Ss Server authentication |
.Ss Server authentication |
.Pp |
.Pp |
|
|
RSA host keys are stored in |
RSA host keys are stored in |
.Pa $HOME/.ssh/known_hosts |
.Pa $HOME/.ssh/known_hosts |
and |
and |
host keys used in the protocol version 2 are stored in |
DSA host keys are stored in |
.Pa $HOME/.ssh/known_hosts2 |
.Pa $HOME/.ssh/known_hosts2 |
in the user's home directory. |
in the user's home directory. |
Additionally, the files |
Additionally, the files |
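Review bot: "RSA host keys are stored in $HOME/.ssh/known_hosts" becomes ambiguous once the changed line says that host keys used in protocol version 2 go to known_hosts2, because protocol 2 host keys may be RSA too (the DESCRIPTION now says "DSA or RSA"). Suggest "Protocol version 1 RSA host keys are stored in ... and protocol version 2 host keys (DSA or RSA) are stored in ..."; the FILES entry for /etc/ssh_known_hosts still says "contains RSA" and should be adjusted the same way.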
|
|
.Cm StrictHostKeyChecking |
.Cm StrictHostKeyChecking |
option (see below) can be used to prevent logins to machines whose |
option (see below) can be used to prevent logins to machines whose |
host key is not known or has changed. |
host key is not known or has changed. |
.Pp |
.Sh OPTIONS |
The options are as follows: |
|
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Fl a |
.It Fl a |
Disables forwarding of the authentication agent connection. |
Disables forwarding of the authentication agent connection. |
.It Fl A |
This may also be specified on a per-host basis in the configuration file. |
Enables forwarding of the authentication agent connection. |
|
This can also be specified on a per-host basis in a configuration file. |
|
.It Fl c Ar blowfish|3des |
.It Fl c Ar blowfish|3des |
Selects the cipher to use for encrypting the session. |
Selects the cipher to use for encrypting the session. |
.Ar 3des |
.Ar 3des |
|
|
(triple-des) is an encrypt-decrypt-encrypt triple with three different keys. |
(triple-des) is an encrypt-decrypt-encrypt triple with three different keys. |
It is presumably more secure than the |
It is presumably more secure than the |
.Ar des |
.Ar des |
cipher which is no longer fully supported in |
cipher which is no longer supported in |
.Nm ssh . |
.Nm ssh . |
.Ar blowfish |
.Ar blowfish |
is a fast block cipher, it appears very secure and is much faster than |
is a fast block cipher, it appears very secure and is much faster than |
.Ar 3des . |
.Ar 3des . |
.It Fl c Ar cipher_spec |
.It Fl c Ar "3des-cbc,blowfish-cbc,arcfour,cast128-cbc" |
Additionally, for protocol version 2 a comma-separated list of ciphers can |
Additionally, for protocol version 2 a comma-separated list of ciphers can |
be specified in order of preference. |
be specified in order of preference. Protocol version 2 supports |
See |
3DES, Blowfish and CAST128 in CBC mode and Arcfour. |
.Cm Ciphers |
|
for more information. |
|
.It Fl e Ar ch|^ch|none |
.It Fl e Ar ch|^ch|none |
Sets the escape character for sessions with a pty (default: |
Sets the escape character for sessions with a pty (default: |
.Ql ~ ) . |
.Ql ~ ) . |
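Review bot: two points in the -c entries. "the des cipher which is no longer fully supported" is vaguer than the previous "no longer supported"; say what, if anything, still works (for example whether des can still be selected for compatibility with old protocol 1 peers). And the second `.It Fl c Ar cipher_spec` item opens with "Additionally, for protocol version 2", so it is a continuation of the first -c item rather than a separate option; folding it into the first entry, or titling it as the protocol 2 form, avoids two list tags for the same flag.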
|
|
Allows remote hosts to connect to local forwarded ports. |
Allows remote hosts to connect to local forwarded ports. |
.It Fl i Ar identity_file |
.It Fl i Ar identity_file |
Selects the file from which the identity (private key) for |
Selects the file from which the identity (private key) for |
RSA or DSA authentication is read. |
RSA authentication is read. |
Default is |
Default is |
.Pa $HOME/.ssh/identity |
.Pa $HOME/.ssh/identity |
in the user's home directory. |
in the user's home directory. |
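Review bot: the -i entry now says the identity is used for "RSA or DSA authentication" but still gives only $HOME/.ssh/identity as the default, which is the protocol 1 RSA file; state that for protocol version 2 the default is $HOME/.ssh/id_dsa (as the IdentityFile2 keyword says) so a reader knows which file -i replaces for each protocol.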
|
|
.It Fl l Ar login_name |
.It Fl l Ar login_name |
Specifies the user to log in as on the remote machine. |
Specifies the user to log in as on the remote machine. |
This also may be specified on a per-host basis in the configuration file. |
This also may be specified on a per-host basis in the configuration file. |
.It Fl m Ar mac_spec |
|
Additionally, for protocol version 2 a comma-separated list of MAC |
|
(message authentication code) algorithms can |
|
be specified in order of preference. |
|
See the |
|
.Cm MACs |
|
keyword for more information. |
|
.It Fl n |
.It Fl n |
Redirects stdin from |
Redirects stdin from |
.Pa /dev/null |
.Pa /dev/null |
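Review bot: the new -m mac_spec entry starts with "Additionally, for protocol version 2 ...", wording carried over from the -c entry where it continued an earlier paragraph; here nothing precedes it, so drop "Additionally" and open with "For protocol version 2, a comma-separated list of MAC (message authentication code) algorithms can be specified in order of preference."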
|
|
option.) |
option.) |
.It Fl N |
.It Fl N |
Do not execute a remote command. |
Do not execute a remote command. |
This is useful if you just want to forward ports |
This is usefull if you just want to forward ports |
(protocol version 2 only). |
(protocol version 2 only). |
.It Fl o Ar option |
.It Fl o Ar option |
Can be used to give options in the format used in the config file. |
Can be used to give options in the format used in the config file. |
|
|
Note that this option turns off |
Note that this option turns off |
.Cm RhostsAuthentication |
.Cm RhostsAuthentication |
and |
and |
.Cm RhostsRSAAuthentication |
.Cm RhostsRSAAuthentication . |
for older servers. |
|
.It Fl q |
.It Fl q |
Quiet mode. |
Quiet mode. |
Causes all warning and diagnostic messages to be suppressed. |
Causes all warning and diagnostic messages to be suppressed. |
Only fatal errors are displayed. |
Only fatal errors are displayed. |
.It Fl s |
|
May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use |
|
of SSH as a secure transport for other application (eg. sftp). The |
|
subsystem is specified as the remote command. |
|
.It Fl t |
.It Fl t |
Force pseudo-tty allocation. |
Force pseudo-tty allocation. |
This can be used to execute arbitrary |
This can be used to execute arbitrary |
screen-based programs on a remote machine, which can be very useful, |
screen-based programs on a remote machine, which can be very useful, |
e.g., when implementing menu services. |
e.g., when implementing menu services. |
Multiple |
|
.Fl t |
|
options force tty allocation, even if |
|
.Nm |
|
has no local tty. |
|
.It Fl T |
.It Fl T |
Disable pseudo-tty allocation. |
Disable pseudo-tty allocation (protocol version 2 only). |
.It Fl v |
.It Fl v |
Verbose mode. |
Verbose mode. |
Causes |
Causes |
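Review bot: the new -s entry is one long line while the rest of the page keeps one sentence per line; split it. In the same entry, "for other application (eg. sftp)" should read "for other applications (e.g., sftp)", and since the text says subsystems are an SSH2 feature, add "(protocol version 2 only)" as the -N and -T entries do. The -P change adds "for older servers" without saying what makes a server old; see the UsePrivilegedPort entry further down, which carries the same phrase.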
|
|
to print debugging messages about its progress. |
to print debugging messages about its progress. |
This is helpful in |
This is helpful in |
debugging connection, authentication, and configuration problems. |
debugging connection, authentication, and configuration problems. |
Multiple |
The verbose mode is also used to display |
.Fl v |
.Xr skey 1 |
options increases the verbosity. |
challenges, if the user entered "s/key" as password. |
Maximum is 3. |
|
.It Fl x |
.It Fl x |
Disables X11 forwarding. |
Disables X11 forwarding. |
|
This can also be specified on a per-host basis in a configuration file. |
.It Fl X |
.It Fl X |
Enables X11 forwarding. |
Enables X11 forwarding. |
This can also be specified on a per-host basis in a configuration file. |
|
.It Fl C |
.It Fl C |
Requests compression of all data (including stdin, stdout, stderr, and |
Requests compression of all data (including stdin, stdout, stderr, and |
data for forwarded X11 and TCP/IP connections). |
data for forwarded X11 and TCP/IP connections). |
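Review bot: "Multiple -v options increases the verbosity. Maximum is 3." has a number agreement error ("increase"), and "Maximum is 3" does not say whether a fourth -v is ignored or rejected; "Up to three -v options are honoured" settles both. This hunk also drops the sentence about displaying skey(1) challenges in verbose mode while the ChallengeResponseAuthentication entry below still documents s/key, so confirm the drop is intended rather than an editing accident.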
|
|
Port forwardings can also be specified in the configuration file. |
Port forwardings can also be specified in the configuration file. |
Privileged ports can be forwarded only when |
Privileged ports can be forwarded only when |
logging in as root on the remote machine. |
logging in as root on the remote machine. |
.It Fl 1 |
|
Forces |
|
.Nm |
|
to try protocol version 1 only. |
|
.It Fl 2 |
.It Fl 2 |
Forces |
Forces |
.Nm |
.Nm |
|
|
.Dq no , |
.Dq no , |
the check will not be executed. |
the check will not be executed. |
.It Cm Cipher |
.It Cm Cipher |
Specifies the cipher to use for encrypting the session |
Specifies the cipher to use for encrypting the session. |
in protocol version 1. |
|
Currently, |
Currently, |
.Dq blowfish |
.Dq blowfish , |
and |
and |
.Dq 3des |
.Dq 3des |
are supported. |
are supported. |
|
|
in order of preference. |
in order of preference. |
Multiple ciphers must be comma-separated. |
Multiple ciphers must be comma-separated. |
The default is |
The default is |
.Pp |
.Dq 3des-cbc,blowfish-cbc,arcfour,cast128-cbc . |
.Bd -literal |
|
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
|
aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc, |
|
rijndael256-cbc,rijndael-cbc@lysator.liu.se'' |
|
.Ed |
|
.It Cm Compression |
.It Cm Compression |
Specifies whether to use compression. |
Specifies whether to use compression. |
The argument must be |
The argument must be |
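Review bot: in the Ciphers entry "The default is" is followed by `.Pp` and then a `.Bd -literal` block, which renders a paragraph break in the middle of the sentence, and the literal block splits the value across three lines with trailing commas, which a reader may copy as-is into a configuration file. Drop the `.Pp` and add a sentence saying the value is a single comma-separated string with no whitespace; the MACs entry uses the same construction and needs the same fix.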
|
|
back to rsh or exiting. |
back to rsh or exiting. |
The argument must be an integer. |
The argument must be an integer. |
This may be useful in scripts if the connection sometimes fails. |
This may be useful in scripts if the connection sometimes fails. |
.It Cm PubkeyAuthentication |
.It Cm DSAAuthentication |
Specifies whether to try public key authentication. |
Specifies whether to try DSA authentication. |
The argument to this keyword must be |
The argument to this keyword must be |
.Dq yes |
.Dq yes |
or |
or |
.Dq no . |
.Dq no . |
|
DSA authentication will only be |
|
attempted if a DSA identity file exists. |
Note that this option applies to protocol version 2 only. |
Note that this option applies to protocol version 2 only. |
.It Cm EscapeChar |
.It Cm EscapeChar |
Sets the escape character (default: |
Sets the escape character (default: |
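Review bot: renaming DSAAuthentication to PubkeyAuthentication drops the sentence "DSA authentication will only be attempted if a DSA identity file exists" without replacing it, so the new entry no longer says when the method is tried at all. Keep an equivalent statement for the general case (for example, that it is attempted only if a protocol 2 identity file exists), as the RSAAuthentication entry does for protocol 1.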
|
|
.Dq yes |
.Dq yes |
or |
or |
.Dq no . |
.Dq no . |
The default is |
|
.Dq no . |
|
.It Cm ForwardX11 |
.It Cm ForwardX11 |
Specifies whether X11 connections will be automatically redirected |
Specifies whether X11 connections will be automatically redirected |
over the secure channel and |
over the secure channel and |
|
|
The default is |
The default is |
.Dq no . |
.Dq no . |
.It Cm GlobalKnownHostsFile |
.It Cm GlobalKnownHostsFile |
Specifies a file to use for the protocol version 1 global |
Specifies a file to use instead of |
host key database instead of |
|
.Pa /etc/ssh_known_hosts . |
.Pa /etc/ssh_known_hosts . |
.It Cm GlobalKnownHostsFile2 |
|
Specifies a file to use for the protocol version 2 global |
|
host key database instead of |
|
.Pa /etc/ssh_known_hosts2 . |
|
.It Cm HostKeyAlias |
|
Specifies an alias that should be used instead of the |
|
real host name when looking up or saving the host key |
|
in the known_hosts files. |
|
This option is useful for tunneling ssh connections |
|
or if you have multiple servers running on a single host. |
|
.It Cm HostName |
.It Cm HostName |
Specifies the real host name to log into. |
Specifies the real host name to log into. |
This can be used to specify nicknames or abbreviations for hosts. |
This can be used to specify nicknames or abbreviations for hosts. |
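Review bot: the HostKeyAlias entry explains when the option is useful but not its effect on host key checking: because the alias replaces the real host name for both lookup and saving, the presented key is compared against the alias entry only, never against an entry for the real name, so two different servers sharing one alias will be reported as a changed host key. One sentence stating that each alias must identify exactly one server key would make the security consequence clear to the reader who sets it up for tunnelling.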
|
|
It is possible to have |
It is possible to have |
multiple identity files specified in configuration files; all these |
multiple identity files specified in configuration files; all these |
identities will be tried in sequence. |
identities will be tried in sequence. |
|
.It Cm IdentityFile2 |
|
Specifies the file from which the user's DSA authentication identity |
|
is read (default |
|
.Pa $HOME/.ssh/id_dsa |
|
in the user's home directory). |
|
The file name may use the tilde |
|
syntax to refer to a user's home directory. |
|
It is possible to have |
|
multiple identity files specified in configuration files; all these |
|
identities will be tried in sequence. |
.It Cm KeepAlive |
.It Cm KeepAlive |
Specifies whether the system should send keepalive messages to the |
Specifies whether the system should send keepalive messages to the |
other side. |
other side. |
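Review bot: IdentityFile2 still describes "the user's DSA authentication identity" while the -i entry and the DESCRIPTION in this same revision say the protocol 2 method uses DSA or RSA; say "protocol version 2 authentication identity" and keep $HOME/.ssh/id_dsa as the stated default so the three places agree.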
|
|
The possible values are: |
The possible values are: |
QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG. |
QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG. |
The default is INFO. |
The default is INFO. |
.It Cm MACs |
|
Specifies the MAC (message authentication code) algorithms |
|
in order of preference. |
|
The MAC algorithm is used in protocol version 2 |
|
for data integrity protection. |
|
Multiple algorithms must be comma-separated. |
|
The default is |
|
.Pp |
|
.Bd -literal |
|
``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com, |
|
hmac-sha1-96,hmac-md5-96'' |
|
.Ed |
|
.It Cm NumberOfPasswordPrompts |
.It Cm NumberOfPasswordPrompts |
Specifies the number of password prompts before giving up. |
Specifies the number of password prompts before giving up. |
The argument to this keyword must be an integer. |
The argument to this keyword must be an integer. |
|
|
.It Cm Port |
.It Cm Port |
Specifies the port number to connect on the remote host. |
Specifies the port number to connect on the remote host. |
Default is 22. |
Default is 22. |
.It Cm PreferredAuthentications |
|
Specifies the order in which the client should try protocol 2 |
|
authentication methods. This allows a client to prefer one method (e.g. |
|
.Cm keyboard-interactive ) |
|
over another method (e.g. |
|
.Cm password ) |
|
The default for this option is: |
|
.Dq publickey, password, keyboard-interactive |
|
.It Cm Protocol |
.It Cm Protocol |
Specifies the protocol versions |
Specifies the protocol versions |
.Nm |
.Nm |
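Review bot: in the new PreferredAuthentications entry the sentence ending at `.Cm password )` has no terminating period before "The default for this option is:". The default is quoted as "publickey, password, keyboard-interactive" with spaces after the commas, while the Ciphers and MACs entries say such lists "must be comma-separated"; either write the default without spaces or state that whitespace is accepted, since users will copy this value into the config file.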
|
|
attempted if the identity file exists, or an authentication agent is |
attempted if the identity file exists, or an authentication agent is |
running. |
running. |
Note that this option applies to protocol version 1 only. |
Note that this option applies to protocol version 1 only. |
.It Cm ChallengeResponseAuthentication |
.It Cm SkeyAuthentication |
Specifies whether to use challenge response authentication. |
Specifies whether to use |
Currently there is only support for |
|
.Xr skey 1 |
.Xr skey 1 |
authentication. |
authentication. |
The argument to this keyword must be |
The argument to this keyword must be |
|
|
If this flag is set to |
If this flag is set to |
.Dq yes , |
.Dq yes , |
.Nm |
.Nm |
will never automatically add host keys to the |
ssh will never automatically add host keys to the |
.Pa $HOME/.ssh/known_hosts |
.Pa $HOME/.ssh/known_hosts |
and |
and |
.Pa $HOME/.ssh/known_hosts2 |
.Pa $HOME/.ssh/known_hosts2 |
files, and refuses to connect to hosts whose host key has changed. |
files, and refuses to connect hosts whose host key has changed. |
This provides maximum protection against trojan horse attacks. |
This provides maximum protection against trojan horse attacks. |
However, it can be somewhat annoying if you don't have good |
However, it can be somewhat annoying if you don't have good |
.Pa /etc/ssh_known_hosts |
.Pa /etc/ssh_known_hosts |
and |
and |
.Pa /etc/ssh_known_hosts2 |
.Pa /etc/ssh_known_hosts2 |
files installed and frequently |
files installed and frequently |
connect to new hosts. |
connect new hosts. |
This option forces the user to manually |
Basically this option forces the user to manually |
add all new hosts. |
add any new hosts. |
If this flag is set to |
Normally this option is disabled, and new hosts |
.Dq no , |
will automatically be added to the known host files. |
.Nm |
|
will automatically add new host keys to the |
|
user known hosts files. |
|
If this flag is set to |
|
.Dq ask , |
|
new host keys |
|
will be added to the user known host files only after the user |
|
has confirmed that is what they really want to do, and |
|
.Nm |
|
will refuse to connect to hosts whose host key has changed. |
|
The host keys of |
The host keys of |
known hosts will be verified automatically in all cases. |
known hosts will be verified automatically in either case. |
The argument must be |
The argument must be |
.Dq yes , |
.Dq yes |
.Dq no |
|
or |
or |
.Dq ask . |
.Dq no . |
The default is |
|
.Dq ask . |
|
.It Cm UsePrivilegedPort |
.It Cm UsePrivilegedPort |
Specifies whether to use a privileged port for outgoing connections. |
Specifies whether to use a privileged port for outgoing connections. |
The argument must be |
The argument must be |
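Review bot: the expanded StrictHostKeyChecking text says what `yes` and `ask` do when a known host's key has changed (both refuse to connect), but the `no` paragraph only says new keys are added automatically; it should also say whether a changed key is refused, accepted, or merely warned about under `no`, since that is the case that decides the protection against the trojan horse attacks the entry mentions. Smaller points: "has confirmed that is what they really want to do" reads better as "has confirmed that this is what they want", and the "it can be somewhat annoying" caveat is written for `yes` and should say so now that the default is `ask`.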
|
|
or |
or |
.Dq no . |
.Dq no . |
The default is |
The default is |
.Dq no . |
.Dq yes . |
Note that setting this option to |
Note that setting this option to |
.Dq no |
.Dq no |
turns off |
turns off |
.Cm RhostsAuthentication |
.Cm RhostsAuthentication |
and |
and |
.Cm RhostsRSAAuthentication |
.Cm RhostsRSAAuthentication . |
for older servers. |
|
.It Cm User |
.It Cm User |
Specifies the user to log in as. |
Specifies the user to log in as. |
This can be useful if you have a different user name on different machines. |
This can be useful if you have a different user name on different machines. |
This saves the trouble of |
This saves the trouble of |
having to remember to give the user name on the command line. |
having to remember to give the user name on the command line. |
.It Cm UserKnownHostsFile |
.It Cm UserKnownHostsFile |
Specifies a file to use for the protocol version 1 user |
Specifies a file to use instead of |
host key database instead of |
|
.Pa $HOME/.ssh/known_hosts . |
.Pa $HOME/.ssh/known_hosts . |
.It Cm UserKnownHostsFile2 |
|
Specifies a file to use for the protocol version 2 user |
|
host key database instead of |
|
.Pa $HOME/.ssh/known_hosts2 . |
|
.It Cm UseRsh |
.It Cm UseRsh |
Specifies that rlogin/rsh should be used for this host. |
Specifies that rlogin/rsh should be used for this host. |
It is possible that the host does not at all support the |
It is possible that the host does not at all support the |
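Review bot: UsePrivilegedPort's default changes from `yes` to `no` in this hunk, and the note says `no` turns off RhostsAuthentication and RhostsRSAAuthentication "for older servers"; taken together that means both methods are off by default against those servers unless the user re-enables the privileged port, which the entry should state outright. "Older servers" also needs a definition, i.e. servers that only accept rhosts-based authentication from a client connecting from a privileged source port.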
|
|
.Dq yes |
.Dq yes |
or |
or |
.Dq no . |
.Dq no . |
.It Cm XAuthLocation |
|
Specifies the location of the |
|
.Xr xauth 1 |
|
program. |
|
The default is |
|
.Pa /usr/X11R6/bin/xauth . |
|
.El |
|
.Sh ENVIRONMENT |
.Sh ENVIRONMENT |
.Nm |
.Nm |
will normally set the following environment variables: |
will normally set the following environment variables: |
|
|
The variable contains |
The variable contains |
three space-separated values: client ip-address, client port number, |
three space-separated values: client ip-address, client port number, |
and server port number. |
and server port number. |
.It Ev SSH_ORIGINAL_COMMAND |
|
The variable contains the original command line if a forced command |
|
is executed. |
|
It can be used to extract the original arguments. |
|
.It Ev SSH_TTY |
.It Ev SSH_TTY |
This is set to the name of the tty (path to the device) associated |
This is set to the name of the tty (path to the device) associated |
with the current shell or command. |
with the current shell or command. |
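Review bot: SSH_ORIGINAL_COMMAND is set on the server side when a forced command runs, not by the ssh client this page documents, yet the new entry sits under "ssh will normally set the following environment variables". Say that sshd(8) sets it for the forced command (the command= option described there) and that its value is the command line supplied by the client, so a forced command that "extracts the original arguments" must treat the contents as untrusted input rather than as something the server validated.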
|
|
this variable is not set. |
this variable is not set. |
.It Ev TZ |
.It Ev TZ |
The timezone variable is set to indicate the present timezone if it |
The timezone variable is set to indicate the present timezone if it |
was set when the daemon was started (i.e., the daemon passes the value |
was set when the daemon was started (e.i., the daemon passes the value |
on to new connections). |
on to new connections). |
.It Ev USER |
.It Ev USER |
Set to the name of the user logging in. |
Set to the name of the user logging in. |
|
|
to the environment. |
to the environment. |
.Sh FILES |
.Sh FILES |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Pa $HOME/.ssh/known_hosts, $HOME/.ssh/known_hosts2 |
.It Pa $HOME/.ssh/known_hosts |
Records host keys for all hosts the user has logged into (that are not |
Records host keys for all hosts the user has logged into (that are not |
in |
in |
.Pa /etc/ssh_known_hosts |
.Pa /etc/ssh_known_hosts ) . |
for protocol version 1 or |
|
.Pa /etc/ssh_known_hosts2 |
|
for protocol version 2). |
|
See |
See |
.Xr sshd 8 . |
.Xr sshd 8 . |
.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa |
.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa |
|
|
These files are not |
These files are not |
sensitive and can (but need not) be readable by anyone. |
sensitive and can (but need not) be readable by anyone. |
These files are |
These files are |
never used automatically and are not necessary; they are only provided for |
never used automatically and are not necessary; they is only provided for |
the convenience of the user. |
the convenience of the user. |
.It Pa $HOME/.ssh/config |
.It Pa $HOME/.ssh/config |
This is the per-user configuration file. |
This is the per-user configuration file. |
|
|
This file is not highly sensitive, but the recommended |
This file is not highly sensitive, but the recommended |
permissions are read/write for the user, and not accessible by others. |
permissions are read/write for the user, and not accessible by others. |
.It Pa $HOME/.ssh/authorized_keys2 |
.It Pa $HOME/.ssh/authorized_keys2 |
Lists the public keys (DSA/RSA) that can be used for logging in as this user. |
Lists the DSA keys that can be used for logging in as this user. |
This file is not highly sensitive, but the recommended |
This file is not highly sensitive, but the recommended |
permissions are read/write for the user, and not accessible by others. |
permissions are read/write for the user, and not accessible by others. |
.It Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2 |
.It Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2 |
|
|
.Pa /etc/ssh_known_hosts |
.Pa /etc/ssh_known_hosts |
contains RSA and |
contains RSA and |
.Pa /etc/ssh_known_hosts2 |
.Pa /etc/ssh_known_hosts2 |
contains DSA or RSA keys for protocol version 2. |
contains DSA keys. |
These files should be prepared by the |
These files should be prepared by the |
system administrator to contain the public host keys of all machines in the |
system administrator to contain the public host keys of all machines in the |
organization. |
organization. |
|
|
Each line of the file contains a host name (in the canonical form |
Each line of the file contains a host name (in the canonical form |
returned by name servers), and then a user name on that host, |
returned by name servers), and then a user name on that host, |
separated by a space. |
separated by a space. |
On some machines this file may need to be |
One some machines this file may need to be |
world-readable if the user's home directory is on a NFS partition, |
world-readable if the user's home directory is on a NFS partition, |
because |
because |
.Xr sshd 8 |
.Xr sshd 8 |
|
|
Contains additional definitions for environment variables, see section |
Contains additional definitions for environment variables, see section |
.Sx ENVIRONMENT |
.Sx ENVIRONMENT |
above. |
above. |
|
.It Pa libcrypto.so.X.1 |
|
A version of this library which includes support for the RSA algorithm |
|
is required for proper operation. |
|
.Sh AUTHOR |
|
OpenSSH |
|
is a derivative of the original (free) ssh 1.2.12 release by Tatu Ylonen, |
|
but with bugs removed and newer features re-added. |
|
Rapidly after the |
|
1.2.12 release, newer versions of the original ssh bore successively |
|
more restrictive licenses, and thus demand for a free version was born. |
|
.Pp |
|
This version of OpenSSH |
|
.Bl -bullet |
|
.It |
|
has all components of a restrictive nature (i.e., patents, see |
|
.Xr ssl 8 ) |
|
directly removed from the source code; any licensed or patented components |
|
are chosen from |
|
external libraries. |
|
.It |
|
has been updated to support SSH protocol 1.5 and 2, making it compatible with |
|
all other SSH clients and servers. |
|
.It |
|
contains added support for |
|
.Xr kerberos 8 |
|
authentication and ticket passing. |
|
.It |
|
supports one-time password authentication with |
|
.Xr skey 1 . |
.El |
.El |
.Sh AUTHORS |
.Pp |
OpenSSH is a derivative of the original and free |
The libraries described in |
ssh 1.2.12 release by Tatu Ylonen. |
.Xr ssl 8 |
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, |
are required for proper operation. |
Theo de Raadt and Dug Song |
.Pp |
removed many bugs, re-added newer features and |
OpenSSH has been created by Aaron Campbell, Bob Beck, Markus Friedl, |
created OpenSSH. |
Niels Provos, Theo de Raadt, and Dug Song. |
Markus Friedl contributed the support for SSH |
.Pp |
protocol versions 1.5 and 2.0. |
The support for SSH protocol 2 was written by Markus Friedl. |
.Sh SEE ALSO |
.Sh SEE ALSO |
.Xr rlogin 1 , |
.Xr rlogin 1 , |
.Xr rsh 1 , |
.Xr rsh 1 , |
.Xr scp 1 , |
.Xr scp 1 , |
.Xr sftp 1 , |
|
.Xr ssh-add 1 , |
.Xr ssh-add 1 , |
.Xr ssh-agent 1 , |
.Xr ssh-agent 1 , |
.Xr ssh-keygen 1 , |
.Xr ssh-keygen 1 , |
.Xr telnet 1 , |
.Xr telnet 1 , |
.Xr sshd 8 |
.Xr sshd 8 , |
|
.Xr ssl 8 |