| version 1.64, 2000/10/16 21:46:31 |
version 1.64.2.1, 2001/02/16 20:13:19 |
|
|
| .Op Ar command |
.Op Ar command |
| .Pp |
.Pp |
| .Nm ssh |
.Nm ssh |
| .Op Fl afgknqtvxACNPTX246 |
.Op Fl afgknqstvxACNPTX1246 |
| .Op Fl c Ar cipher_spec |
.Op Fl c Ar cipher_spec |
| .Op Fl e Ar escape_char |
.Op Fl e Ar escape_char |
| .Op Fl i Ar identity_file |
.Op Fl i Ar identity_file |
| .Op Fl l Ar login_name |
.Op Fl l Ar login_name |
| |
.Op Fl m Ar mac_spec |
| .Op Fl o Ar option |
.Op Fl o Ar option |
| .Op Fl p Ar port |
.Op Fl p Ar port |
| .Oo Fl L Xo |
.Oo Fl L Xo |
|
|
| If this method fails password authentication is tried. |
If this method fails password authentication is tried. |
| .Pp |
.Pp |
| The public key method is similar to RSA authentication described |
The public key method is similar to RSA authentication described |
| in the previous section except that the DSA algorithm is used |
in the previous section except that the DSA or RSA algorithm is used |
| instead of the patented RSA algorithm. |
instead. |
| The client uses his private DSA key |
The client uses his private key |
| .Pa $HOME/.ssh/id_dsa |
.Pa $HOME/.ssh/id_dsa |
| to sign the session identifier and sends the result to the server. |
to sign the session identifier and sends the result to the server. |
| The server checks whether the matching public key is listed in |
The server checks whether the matching public key is listed in |
|
|
| .Dq none |
.Dq none |
| will also make the session transparent even if a tty is used. |
will also make the session transparent even if a tty is used. |
| .Pp |
.Pp |
| The session terminates when the command or shell in on the remote |
The session terminates when the command or shell on the remote |
| machine exists and all X11 and TCP/IP connections have been closed. |
machine exists and all X11 and TCP/IP connections have been closed. |
| The exit status of the remote program is returned as the exit status |
The exit status of the remote program is returned as the exit status |
| of |
of |
|
|
| RSA host keys are stored in |
RSA host keys are stored in |
| .Pa $HOME/.ssh/known_hosts |
.Pa $HOME/.ssh/known_hosts |
| and |
and |
| DSA host keys are stored in |
host keys used in the protocol version 2 are stored in |
| .Pa $HOME/.ssh/known_hosts2 |
.Pa $HOME/.ssh/known_hosts2 |
| in the user's home directory. |
in the user's home directory. |
| Additionally, the files |
Additionally, the files |
|
|
| .Cm StrictHostKeyChecking |
.Cm StrictHostKeyChecking |
| option (see below) can be used to prevent logins to machines whose |
option (see below) can be used to prevent logins to machines whose |
| host key is not known or has changed. |
host key is not known or has changed. |
| .Sh OPTIONS |
.Pp |
| |
The options are as follows: |
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
| .It Fl a |
.It Fl a |
| Disables forwarding of the authentication agent connection. |
Disables forwarding of the authentication agent connection. |
|
|
| .Ar blowfish |
.Ar blowfish |
| is a fast block cipher, it appears very secure and is much faster than |
is a fast block cipher, it appears very secure and is much faster than |
| .Ar 3des . |
.Ar 3des . |
| .It Fl c Ar "3des-cbc,blowfish-cbc,arcfour,cast128-cbc" |
.It Fl c Ar cipher_spec |
| Additionally, for protocol version 2 a comma-separated list of ciphers can |
Additionally, for protocol version 2 a comma-separated list of ciphers can |
| be specified in order of preference. |
be specified in order of preference. |
| Protocol version 2 supports 3DES, Blowfish, and CAST128 in CBC mode |
See |
| and Arcfour. |
.Cm Ciphers |
| |
for more information. |
| .It Fl e Ar ch|^ch|none |
.It Fl e Ar ch|^ch|none |
| Sets the escape character for sessions with a pty (default: |
Sets the escape character for sessions with a pty (default: |
| .Ql ~ ) . |
.Ql ~ ) . |
|
|
| Allows remote hosts to connect to local forwarded ports. |
Allows remote hosts to connect to local forwarded ports. |
| .It Fl i Ar identity_file |
.It Fl i Ar identity_file |
| Selects the file from which the identity (private key) for |
Selects the file from which the identity (private key) for |
| RSA authentication is read. |
RSA or DSA authentication is read. |
| Default is |
Default is |
| .Pa $HOME/.ssh/identity |
.Pa $HOME/.ssh/identity |
| in the user's home directory. |
in the user's home directory. |
|
|
| .It Fl l Ar login_name |
.It Fl l Ar login_name |
| Specifies the user to log in as on the remote machine. |
Specifies the user to log in as on the remote machine. |
| This also may be specified on a per-host basis in the configuration file. |
This also may be specified on a per-host basis in the configuration file. |
| |
.It Fl m Ar mac_spec |
| |
Additionally, for protocol version 2 a comma-separated list of MAC |
| |
(message authentication code) algorithms can |
| |
be specified in order of preference. |
| |
See the |
| |
.Cm MACs |
| |
keyword for more information. |
| .It Fl n |
.It Fl n |
| Redirects stdin from |
Redirects stdin from |
| .Pa /dev/null |
.Pa /dev/null |
|
|
| option.) |
option.) |
| .It Fl N |
.It Fl N |
| Do not execute a remote command. |
Do not execute a remote command. |
| This is usefull if you just want to forward ports |
This is useful if you just want to forward ports |
| (protocol version 2 only). |
(protocol version 2 only). |
| .It Fl o Ar option |
.It Fl o Ar option |
| Can be used to give options in the format used in the config file. |
Can be used to give options in the format used in the config file. |
|
|
| Note that this option turns off |
Note that this option turns off |
| .Cm RhostsAuthentication |
.Cm RhostsAuthentication |
| and |
and |
| .Cm RhostsRSAAuthentication . |
.Cm RhostsRSAAuthentication |
| |
for older servers. |
| .It Fl q |
.It Fl q |
| Quiet mode. |
Quiet mode. |
| Causes all warning and diagnostic messages to be suppressed. |
Causes all warning and diagnostic messages to be suppressed. |
| Only fatal errors are displayed. |
Only fatal errors are displayed. |
| |
.It Fl s |
| |
May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use |
| |
of SSH as a secure transport for other application (eg. sftp). The |
| |
subsystem is specified as the remote command. |
| .It Fl t |
.It Fl t |
| Force pseudo-tty allocation. |
Force pseudo-tty allocation. |
| This can be used to execute arbitrary |
This can be used to execute arbitrary |
| screen-based programs on a remote machine, which can be very useful, |
screen-based programs on a remote machine, which can be very useful, |
| e.g., when implementing menu services. |
e.g., when implementing menu services. |
| |
Multiple |
| |
.Fl t |
| |
options force tty allocation, even if |
| |
.Nm |
| |
has no local tty. |
| .It Fl T |
.It Fl T |
| Disable pseudo-tty allocation (protocol version 2 only). |
Disable pseudo-tty allocation. |
| .It Fl v |
.It Fl v |
| Verbose mode. |
Verbose mode. |
| Causes |
Causes |
|
|
| to print debugging messages about its progress. |
to print debugging messages about its progress. |
| This is helpful in |
This is helpful in |
| debugging connection, authentication, and configuration problems. |
debugging connection, authentication, and configuration problems. |
| The verbose mode is also used to display |
Multiple |
| .Xr skey 1 |
.Fl v |
| challenges, if the user entered "s/key" as password. |
options increases the verbosity. |
| Multiple -v options increases the verbosity. |
|
| Maximum is 3. |
Maximum is 3. |
| .It Fl x |
.It Fl x |
| Disables X11 forwarding. |
Disables X11 forwarding. |
|
|
| Port forwardings can also be specified in the configuration file. |
Port forwardings can also be specified in the configuration file. |
| Privileged ports can be forwarded only when |
Privileged ports can be forwarded only when |
| logging in as root on the remote machine. |
logging in as root on the remote machine. |
| |
.It Fl 1 |
| |
Forces |
| |
.Nm |
| |
to try protocol version 1 only. |
| .It Fl 2 |
.It Fl 2 |
| Forces |
Forces |
| .Nm |
.Nm |
|
|
| in order of preference. |
in order of preference. |
| Multiple ciphers must be comma-separated. |
Multiple ciphers must be comma-separated. |
| The default is |
The default is |
| .Dq 3des-cbc,blowfish-cbc,cast128-cbc,arcfour . |
.Pp |
| |
.Bd -literal |
| |
``3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc, |
| |
aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc, |
| |
rijndael256-cbc,rijndael-cbc@lysator.liu.se'' |
| |
.Ed |
| .It Cm Compression |
.It Cm Compression |
| Specifies whether to use compression. |
Specifies whether to use compression. |
| The argument must be |
The argument must be |
|
|
| back to rsh or exiting. |
back to rsh or exiting. |
| The argument must be an integer. |
The argument must be an integer. |
| This may be useful in scripts if the connection sometimes fails. |
This may be useful in scripts if the connection sometimes fails. |
| .It Cm DSAAuthentication |
.It Cm PubkeyAuthentication |
| Specifies whether to try DSA authentication. |
Specifies whether to try public key authentication. |
| The argument to this keyword must be |
The argument to this keyword must be |
| .Dq yes |
.Dq yes |
| or |
or |
| .Dq no . |
.Dq no . |
| DSA authentication will only be |
|
| attempted if a DSA identity file exists. |
|
| Note that this option applies to protocol version 2 only. |
Note that this option applies to protocol version 2 only. |
| .It Cm EscapeChar |
.It Cm EscapeChar |
| Sets the escape character (default: |
Sets the escape character (default: |
|
|
| .It Cm GlobalKnownHostsFile |
.It Cm GlobalKnownHostsFile |
| Specifies a file to use instead of |
Specifies a file to use instead of |
| .Pa /etc/ssh_known_hosts . |
.Pa /etc/ssh_known_hosts . |
| |
.It Cm HostKeyAlias |
| |
Specifies an alias that should be used instead of the |
| |
real host name when looking up or saving the host key |
| |
in the known_hosts files. |
| |
This option is useful for tunneling ssh connections |
| |
or if you have multiple servers running on a single host. |
| .It Cm HostName |
.It Cm HostName |
| Specifies the real host name to log into. |
Specifies the real host name to log into. |
| This can be used to specify nicknames or abbreviations for hosts. |
This can be used to specify nicknames or abbreviations for hosts. |
|
|
| It is possible to have |
It is possible to have |
| multiple identity files specified in configuration files; all these |
multiple identity files specified in configuration files; all these |
| identities will be tried in sequence. |
identities will be tried in sequence. |
| .It Cm IdentityFile2 |
|
| Specifies the file from which the user's DSA authentication identity |
|
| is read (default |
|
| .Pa $HOME/.ssh/id_dsa |
|
| in the user's home directory). |
|
| The file name may use the tilde |
|
| syntax to refer to a user's home directory. |
|
| It is possible to have |
|
| multiple identity files specified in configuration files; all these |
|
| identities will be tried in sequence. |
|
| .It Cm KeepAlive |
.It Cm KeepAlive |
| Specifies whether the system should send keepalive messages to the |
Specifies whether the system should send keepalive messages to the |
| other side. |
other side. |
|
|
| The possible values are: |
The possible values are: |
| QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG. |
QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG. |
| The default is INFO. |
The default is INFO. |
| |
.It Cm MACs |
| |
Specifies the MAC (message authentication code) algorithms |
| |
in order of preference. |
| |
The MAC algorithm is used in protocol version 2 |
| |
for data integrity protection. |
| |
Multiple algorithms must be comma-separated. |
| |
The default is |
| |
.Pp |
| |
.Bd -literal |
| |
``hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com, |
| |
hmac-sha1-96,hmac-md5-96'' |
| |
.Ed |
| .It Cm NumberOfPasswordPrompts |
.It Cm NumberOfPasswordPrompts |
| Specifies the number of password prompts before giving up. |
Specifies the number of password prompts before giving up. |
| The argument to this keyword must be an integer. |
The argument to this keyword must be an integer. |
|
|
| attempted if the identity file exists, or an authentication agent is |
attempted if the identity file exists, or an authentication agent is |
| running. |
running. |
| Note that this option applies to protocol version 1 only. |
Note that this option applies to protocol version 1 only. |
| .It Cm SkeyAuthentication |
.It Cm ChallengeResponseAuthentication |
| Specifies whether to use |
Specifies whether to use challenge response authentication. |
| |
Currently there is only support for |
| .Xr skey 1 |
.Xr skey 1 |
| authentication. |
authentication. |
| The argument to this keyword must be |
The argument to this keyword must be |
|
|
| If this flag is set to |
If this flag is set to |
| .Dq yes , |
.Dq yes , |
| .Nm |
.Nm |
| ssh will never automatically add host keys to the |
will never automatically add host keys to the |
| .Pa $HOME/.ssh/known_hosts |
.Pa $HOME/.ssh/known_hosts |
| and |
and |
| .Pa $HOME/.ssh/known_hosts2 |
.Pa $HOME/.ssh/known_hosts2 |
| files, and refuses to connect hosts whose host key has changed. |
files, and refuses to connect to hosts whose host key has changed. |
| This provides maximum protection against trojan horse attacks. |
This provides maximum protection against trojan horse attacks. |
| However, it can be somewhat annoying if you don't have good |
However, it can be somewhat annoying if you don't have good |
| .Pa /etc/ssh_known_hosts |
.Pa /etc/ssh_known_hosts |
| and |
and |
| .Pa /etc/ssh_known_hosts2 |
.Pa /etc/ssh_known_hosts2 |
| files installed and frequently |
files installed and frequently |
| connect new hosts. |
connect to new hosts. |
| Basically this option forces the user to manually |
This option forces the user to manually |
| add any new hosts. |
add all new hosts. |
| Normally this option is disabled, and new hosts |
If this flag is set to |
| will automatically be added to the known host files. |
.Dq no , |
| |
.Nm |
| |
will automatically add new host keys to the |
| |
user known hosts files. |
| |
If this flag is set to |
| |
.Dq ask , |
| |
new host keys |
| |
will be added to the user known host files only after the user |
| |
has confirmed that is what they really want to do, and |
| |
.Nm |
| |
will refuse to connect to hosts whose host key has changed. |
| The host keys of |
The host keys of |
| known hosts will be verified automatically in either case. |
known hosts will be verified automatically in all cases. |
| The argument must be |
The argument must be |
| .Dq yes |
.Dq yes , |
| |
.Dq no |
| or |
or |
| .Dq no . |
.Dq ask . |
| |
The default is |
| |
.Dq ask . |
| .It Cm UsePrivilegedPort |
.It Cm UsePrivilegedPort |
| Specifies whether to use a privileged port for outgoing connections. |
Specifies whether to use a privileged port for outgoing connections. |
| The argument must be |
The argument must be |
|
|
| turns off |
turns off |
| .Cm RhostsAuthentication |
.Cm RhostsAuthentication |
| and |
and |
| .Cm RhostsRSAAuthentication . |
.Cm RhostsRSAAuthentication |
| |
for older servers. |
| .It Cm User |
.It Cm User |
| Specifies the user to log in as. |
Specifies the user to log in as. |
| This can be useful if you have a different user name on different machines. |
This can be useful if you have a different user name on different machines. |
|
|
| The variable contains |
The variable contains |
| three space-separated values: client ip-address, client port number, |
three space-separated values: client ip-address, client port number, |
| and server port number. |
and server port number. |
| |
.It Ev SSH_ORIGINAL_COMMAND |
| |
The variable contains the original command line if a forced command |
| |
is executed. |
| |
It can be used to extract the original arguments. |
| .It Ev SSH_TTY |
.It Ev SSH_TTY |
| This is set to the name of the tty (path to the device) associated |
This is set to the name of the tty (path to the device) associated |
| with the current shell or command. |
with the current shell or command. |
|
|
| These files are not |
These files are not |
| sensitive and can (but need not) be readable by anyone. |
sensitive and can (but need not) be readable by anyone. |
| These files are |
These files are |
| never used automatically and are not necessary; they is only provided for |
never used automatically and are not necessary; they are only provided for |
| the convenience of the user. |
the convenience of the user. |
| .It Pa $HOME/.ssh/config |
.It Pa $HOME/.ssh/config |
| This is the per-user configuration file. |
This is the per-user configuration file. |
|
|
| This file is not highly sensitive, but the recommended |
This file is not highly sensitive, but the recommended |
| permissions are read/write for the user, and not accessible by others. |
permissions are read/write for the user, and not accessible by others. |
| .It Pa $HOME/.ssh/authorized_keys2 |
.It Pa $HOME/.ssh/authorized_keys2 |
| Lists the DSA keys that can be used for logging in as this user. |
Lists the public keys (DSA/RSA) that can be used for logging in as this user. |
| This file is not highly sensitive, but the recommended |
This file is not highly sensitive, but the recommended |
| permissions are read/write for the user, and not accessible by others. |
permissions are read/write for the user, and not accessible by others. |
| .It Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2 |
.It Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2 |
|
|
| .Pa /etc/ssh_known_hosts |
.Pa /etc/ssh_known_hosts |
| contains RSA and |
contains RSA and |
| .Pa /etc/ssh_known_hosts2 |
.Pa /etc/ssh_known_hosts2 |
| contains DSA keys. |
contains DSA or RSA keys for protocol version 2. |
| These files should be prepared by the |
These files should be prepared by the |
| system administrator to contain the public host keys of all machines in the |
system administrator to contain the public host keys of all machines in the |
| organization. |
organization. |
|
|
| A version of this library which includes support for the RSA algorithm |
A version of this library which includes support for the RSA algorithm |
| is required for proper operation. |
is required for proper operation. |
| .El |
.El |
| .Sh AUTHOR |
.Sh AUTHORS |
| OpenSSH |
OpenSSH is a derivative of the original and free |
| is a derivative of the original (free) ssh 1.2.12 release by Tatu Ylonen, |
ssh 1.2.12 release by Tatu Ylonen. |
| but with bugs removed and newer features re-added. |
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, |
| Rapidly after the |
Theo de Raadt and Dug Song |
| 1.2.12 release, newer versions of the original ssh bore successively |
removed many bugs, re-added newer features and |
| more restrictive licenses, and thus demand for a free version was born. |
created OpenSSH. |
| .Pp |
Markus Friedl contributed the support for SSH |
| This version of OpenSSH |
protocol versions 1.5 and 2.0. |
| .Bl -bullet |
|
| .It |
|
| has all components of a restrictive nature (i.e., patents, see |
|
| .Xr ssl 8 ) |
|
| directly removed from the source code; any licensed or patented components |
|
| are chosen from |
|
| external libraries. |
|
| .It |
|
| has been updated to support SSH protocol 1.5 and 2, making it compatible with |
|
| all other SSH clients and servers. |
|
| .It |
|
| contains added support for |
|
| .Xr kerberos 8 |
|
| authentication and ticket passing. |
|
| .It |
|
| supports one-time password authentication with |
|
| .Xr skey 1 . |
|
| .El |
|
| .Pp |
|
| OpenSSH has been created by Aaron Campbell, Bob Beck, Markus Friedl, |
|
| Niels Provos, Theo de Raadt, and Dug Song. |
|
| .Pp |
|
| The support for SSH protocol 2 was written by Markus Friedl. |
|
| .Sh SEE ALSO |
.Sh SEE ALSO |
| .Xr rlogin 1 , |
.Xr rlogin 1 , |
| .Xr rsh 1 , |
.Xr rsh 1 , |
| .Xr scp 1 , |
.Xr scp 1 , |
| |
.Xr sftp 1 , |
| .Xr ssh-add 1 , |
.Xr ssh-add 1 , |
| .Xr ssh-agent 1 , |
.Xr ssh-agent 1 , |
| .Xr ssh-keygen 1 , |
.Xr ssh-keygen 1 , |
| .Xr telnet 1 , |
.Xr telnet 1 , |
| .Xr sshd 8 , |
.Xr sshd 8 |
| .Xr ssl 8 |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh