version 1.64, 2000/10/16 21:46:31 |
version 1.64.2.6, 2001/11/15 00:15:00 |
|
|
.\" incompatible with the protocol description in the RFC file, it must be |
.\" incompatible with the protocol description in the RFC file, it must be |
.\" called by a name other than "ssh" or "Secure Shell". |
.\" called by a name other than "ssh" or "Secure Shell". |
.\" |
.\" |
.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. |
.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. |
.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. |
.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. |
.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. |
.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. |
.\" |
.\" |
.\" Redistribution and use in source and binary forms, with or without |
.\" Redistribution and use in source and binary forms, with or without |
.\" modification, are permitted provided that the following conditions |
.\" modification, are permitted provided that the following conditions |
|
|
.Os |
.Os |
.Sh NAME |
.Sh NAME |
.Nm ssh |
.Nm ssh |
.Nd OpenSSH secure shell client (remote login program) |
.Nd OpenSSH SSH client (remote login program) |
.Sh SYNOPSIS |
.Sh SYNOPSIS |
.Nm ssh |
.Nm ssh |
.Op Fl l Ar login_name |
.Op Fl l Ar login_name |
.Op Ar hostname | user@hostname |
.Ar hostname | user@hostname |
.Op Ar command |
.Op Ar command |
.Pp |
.Pp |
.Nm ssh |
.Nm ssh |
.Op Fl afgknqtvxACNPTX246 |
.Op Fl afgknqstvxACNPTX1246 |
|
.Op Fl b Ar bind_address |
.Op Fl c Ar cipher_spec |
.Op Fl c Ar cipher_spec |
.Op Fl e Ar escape_char |
.Op Fl e Ar escape_char |
.Op Fl i Ar identity_file |
.Op Fl i Ar identity_file |
.Op Fl l Ar login_name |
.Op Fl l Ar login_name |
|
.Op Fl m Ar mac_spec |
.Op Fl o Ar option |
.Op Fl o Ar option |
.Op Fl p Ar port |
.Op Fl p Ar port |
|
.Op Fl F Ar configfile |
.Oo Fl L Xo |
.Oo Fl L Xo |
.Sm off |
.Sm off |
.Ar port : |
.Ar port : |
|
|
.Sm on |
.Sm on |
.Xc |
.Xc |
.Oc |
.Oc |
.Op Ar hostname | user@hostname |
.Op Fl D Ar port |
|
.Ar hostname | user@hostname |
.Op Ar command |
.Op Ar command |
.Sh DESCRIPTION |
.Sh DESCRIPTION |
.Nm |
.Nm |
(Secure Shell) is a program for logging into a remote machine and for |
(SSH client) is a program for logging into a remote machine and for |
executing commands on a remote machine. |
executing commands on a remote machine. |
It is intended to replace |
It is intended to replace |
rlogin and rsh, and provide secure encrypted communications between |
rlogin and rsh, and provide secure encrypted communications between |
|
|
This form of authentication alone is normally not |
This form of authentication alone is normally not |
allowed by the server because it is not secure. |
allowed by the server because it is not secure. |
.Pp |
.Pp |
The second (and primary) authentication method is the |
The second authentication method is the |
.Pa rhosts |
.Pa rhosts |
or |
or |
.Pa hosts.equiv |
.Pa hosts.equiv |
|
|
.Ss SSH protocol version 2 |
.Ss SSH protocol version 2 |
.Pp |
.Pp |
When a user connects using the protocol version 2 |
When a user connects using the protocol version 2 |
different authentication methods are available: |
different authentication methods are available. |
At first, the client attempts to authenticate using the public key method. |
Using the default values for |
If this method fails password authentication is tried. |
.Cm PreferredAuthentications , |
|
the client will try to authenticate first using the hostbased method; |
|
if this method fails public key authentication is attempted, |
|
and finally if this method fails keyboard-interactive and |
|
password authentication are tried. |
.Pp |
.Pp |
The public key method is similar to RSA authentication described |
The public key method is similar to RSA authentication described |
in the previous section except that the DSA algorithm is used |
in the previous section and allows the RSA or DSA algorithm to be used: |
instead of the patented RSA algorithm. |
The client uses his private key, |
The client uses his private DSA key |
|
.Pa $HOME/.ssh/id_dsa |
.Pa $HOME/.ssh/id_dsa |
|
or |
|
.Pa $HOME/.ssh/id_rsa , |
to sign the session identifier and sends the result to the server. |
to sign the session identifier and sends the result to the server. |
The server checks whether the matching public key is listed in |
The server checks whether the matching public key is listed in |
.Pa $HOME/.ssh/authorized_keys2 |
.Pa $HOME/.ssh/authorized_keys |
and grants access if both the key is found and the signature is correct. |
and grants access if both the key is found and the signature is correct. |
The session identifier is derived from a shared Diffie-Hellman value |
The session identifier is derived from a shared Diffie-Hellman value |
and is only known to the client and the server. |
and is only known to the client and the server. |
.Pp |
.Pp |
If public key authentication fails or is not available a password |
If public key authentication fails or is not available a password |
can be sent encrypted to the remote host for proving the user's identity. |
can be sent encrypted to the remote host for proving the user's identity. |
This protocol 2 implementation does not yet support Kerberos or |
|
S/Key authentication. |
|
.Pp |
.Pp |
|
Additionally, |
|
.Nm |
|
supports hostbased or challenge response authentication. |
|
.Pp |
Protocol 2 provides additional mechanisms for confidentiality |
Protocol 2 provides additional mechanisms for confidentiality |
(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) |
(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) |
and integrity (hmac-sha1, hmac-md5). |
and integrity (hmac-md5, hmac-sha1). |
Note that protocol 1 lacks a strong mechanism for ensuring the |
Note that protocol 1 lacks a strong mechanism for ensuring the |
integrity of the connection. |
integrity of the connection. |
.Pp |
.Pp |
|
|
the remote command or shell will be automatically encrypted. |
the remote command or shell will be automatically encrypted. |
.Pp |
.Pp |
If a pseudo-terminal has been allocated (normal login session), the |
If a pseudo-terminal has been allocated (normal login session), the |
user can disconnect with |
user may use the escape characters noted below. |
.Ic ~. , |
|
and suspend |
|
.Nm |
|
with |
|
.Ic ~^Z . |
|
All forwarded connections can be listed with |
|
.Ic ~# |
|
and if |
|
the session blocks waiting for forwarded X11 or TCP/IP |
|
connections to terminate, it can be backgrounded with |
|
.Ic ~& |
|
(this should not be used while the user shell is active, as it can cause the |
|
shell to hang). |
|
All available escapes can be listed with |
|
.Ic ~? . |
|
.Pp |
.Pp |
A single tilde character can be sent as |
|
.Ic ~~ |
|
(or by following the tilde by a character other than those described above). |
|
The escape character must always follow a newline to be interpreted as |
|
special. |
|
The escape character can be changed in configuration files |
|
or on the command line. |
|
.Pp |
|
If no pseudo tty has been allocated, the |
If no pseudo tty has been allocated, the |
session is transparent and can be used to reliably transfer binary |
session is transparent and can be used to reliably transfer binary |
data. |
data. |
|
|
.Dq none |
.Dq none |
will also make the session transparent even if a tty is used. |
will also make the session transparent even if a tty is used. |
.Pp |
.Pp |
The session terminates when the command or shell in on the remote |
The session terminates when the command or shell on the remote |
machine exists and all X11 and TCP/IP connections have been closed. |
machine exits and all X11 and TCP/IP connections have been closed. |
The exit status of the remote program is returned as the exit status |
The exit status of the remote program is returned as the exit status |
of |
of |
.Nm ssh . |
.Nm ssh . |
.Pp |
.Pp |
|
.Ss Escape Characters |
|
.Pp |
|
When a pseudo terminal has been requested, ssh supports a number of functions |
|
through the use of an escape character. |
|
.Pp |
|
A single tilde character can be sent as |
|
.Ic ~~ |
|
or by following the tilde by a character other than those described below. |
|
The escape character must always follow a newline to be interpreted as |
|
special. |
|
The escape character can be changed in configuration files using the |
|
.Cm EscapeChar |
|
configuration directive or on the command line by the |
|
.Fl e |
|
option. |
|
.Pp |
|
The supported escapes (assuming the default |
|
.Ql ~ ) |
|
are: |
|
.Bl -tag -width Ds |
|
.It Cm ~. |
|
Disconnect |
|
.It Cm ~^Z |
|
Background ssh |
|
.It Cm ~# |
|
List forwarded connections |
|
.It Cm ~& |
|
Background ssh at logout when waiting for forwarded connection / X11 sessions |
|
to terminate (protocol version 1 only) |
|
.It Cm ~? |
|
Display a list of escape characters |
|
.It Cm ~R |
|
Request rekeying of the connection (only useful for SSH protocol version 2 |
|
and if the peer supports it) |
|
.El |
|
.Pp |
.Ss X11 and TCP forwarding |
.Ss X11 and TCP forwarding |
.Pp |
.Pp |
If the user is using X11 (the |
If the |
|
.Cm ForwardX11 |
|
variable is set to |
|
.Dq yes |
|
(or, see the description of the |
|
.Fl X |
|
and |
|
.Fl x |
|
options described later) |
|
and the user is using X11 (the |
.Ev DISPLAY |
.Ev DISPLAY |
environment variable is set), the connection to the X11 display is |
environment variable is set), the connection to the X11 display is |
automatically forwarded to the remote side in such a way that any X11 |
automatically forwarded to the remote side in such a way that any X11 |
|
|
.Pp |
.Pp |
If the user is using an authentication agent, the connection to the agent |
If the user is using an authentication agent, the connection to the agent |
is automatically forwarded to the remote side unless disabled on |
is automatically forwarded to the remote side unless disabled on |
command line or in a configuration file. |
the command line or in a configuration file. |
.Pp |
.Pp |
Forwarding of arbitrary TCP/IP connections over the secure channel can |
Forwarding of arbitrary TCP/IP connections over the secure channel can |
be specified either on command line or in a configuration file. |
be specified either on the command line or in a configuration file. |
One possible application of TCP/IP forwarding is a secure connection to an |
One possible application of TCP/IP forwarding is a secure connection to an |
electronic purse; another is going trough firewalls. |
electronic purse; another is going through firewalls. |
.Pp |
.Pp |
.Ss Server authentication |
.Ss Server authentication |
.Pp |
.Pp |
.Nm |
.Nm |
automatically maintains and checks a database containing |
automatically maintains and checks a database containing |
identifications for all hosts it has ever been used with. |
identifications for all hosts it has ever been used with. |
RSA host keys are stored in |
Host keys are stored in |
.Pa $HOME/.ssh/known_hosts |
.Pa $HOME/.ssh/known_hosts |
and |
|
DSA host keys are stored in |
|
.Pa $HOME/.ssh/known_hosts2 |
|
in the user's home directory. |
in the user's home directory. |
Additionally, the files |
Additionally, the file |
.Pa /etc/ssh_known_hosts |
.Pa /etc/ssh_known_hosts |
and |
is automatically checked for known hosts. |
.Pa /etc/ssh_known_hosts2 |
|
are automatically checked for known hosts. |
|
Any new hosts are automatically added to the user's file. |
Any new hosts are automatically added to the user's file. |
If a host's identification |
If a host's identification |
ever changes, |
ever changes, |
|
|
.Cm StrictHostKeyChecking |
.Cm StrictHostKeyChecking |
option (see below) can be used to prevent logins to machines whose |
option (see below) can be used to prevent logins to machines whose |
host key is not known or has changed. |
host key is not known or has changed. |
.Sh OPTIONS |
.Pp |
|
The options are as follows: |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Fl a |
.It Fl a |
Disables forwarding of the authentication agent connection. |
Disables forwarding of the authentication agent connection. |
.It Fl A |
.It Fl A |
Enables forwarding of the authentication agent connection. |
Enables forwarding of the authentication agent connection. |
This can also be specified on a per-host basis in a configuration file. |
This can also be specified on a per-host basis in a configuration file. |
.It Fl c Ar blowfish|3des |
.It Fl b Ar bind_address |
|
Specify the interface to transmit from on machines with multiple |
|
interfaces or aliased addresses. |
|
.It Fl c Ar blowfish|3des|des |
Selects the cipher to use for encrypting the session. |
Selects the cipher to use for encrypting the session. |
.Ar 3des |
.Ar 3des |
is used by default. |
is used by default. |
It is believed to be secure. |
It is believed to be secure. |
.Ar 3des |
.Ar 3des |
(triple-des) is an encrypt-decrypt-encrypt triple with three different keys. |
(triple-des) is an encrypt-decrypt-encrypt triple with three different keys. |
It is presumably more secure than the |
|
.Ar des |
|
cipher which is no longer fully supported in |
|
.Nm ssh . |
|
.Ar blowfish |
.Ar blowfish |
is a fast block cipher, it appears very secure and is much faster than |
is a fast block cipher, it appears very secure and is much faster than |
.Ar 3des . |
.Ar 3des . |
.It Fl c Ar "3des-cbc,blowfish-cbc,arcfour,cast128-cbc" |
.Ar des |
|
is only supported in the |
|
.Nm |
|
client for interoperability with legacy protocol 1 implementations |
|
that do not support the |
|
.Ar 3des |
|
cipher. Its use is strongly discouraged due to cryptographic |
|
weaknesses. |
|
.It Fl c Ar cipher_spec |
Additionally, for protocol version 2 a comma-separated list of ciphers can |
Additionally, for protocol version 2 a comma-separated list of ciphers can |
be specified in order of preference. |
be specified in order of preference. |
Protocol version 2 supports 3DES, Blowfish, and CAST128 in CBC mode |
See |
and Arcfour. |
.Cm Ciphers |
|
for more information. |
.It Fl e Ar ch|^ch|none |
.It Fl e Ar ch|^ch|none |
Sets the escape character for sessions with a pty (default: |
Sets the escape character for sessions with a pty (default: |
.Ql ~ ) . |
.Ql ~ ) . |
|
|
Allows remote hosts to connect to local forwarded ports. |
Allows remote hosts to connect to local forwarded ports. |
.It Fl i Ar identity_file |
.It Fl i Ar identity_file |
Selects the file from which the identity (private key) for |
Selects the file from which the identity (private key) for |
RSA authentication is read. |
RSA or DSA authentication is read. |
Default is |
Default is |
.Pa $HOME/.ssh/identity |
.Pa $HOME/.ssh/identity |
in the user's home directory. |
in the user's home directory. |
|
|
.Fl i |
.Fl i |
options (and multiple identities specified in |
options (and multiple identities specified in |
configuration files). |
configuration files). |
|
.It Fl I Ar smartcard_device |
|
Specifies which smartcard device to use. The argument is |
|
the device |
|
.Nm |
|
should use to communicate with a smartcard used for storing the user's |
|
private RSA key. |
.It Fl k |
.It Fl k |
Disables forwarding of Kerberos tickets and AFS tokens. |
Disables forwarding of Kerberos tickets and AFS tokens. |
This may also be specified on a per-host basis in the configuration file. |
This may also be specified on a per-host basis in the configuration file. |
.It Fl l Ar login_name |
.It Fl l Ar login_name |
Specifies the user to log in as on the remote machine. |
Specifies the user to log in as on the remote machine. |
This also may be specified on a per-host basis in the configuration file. |
This also may be specified on a per-host basis in the configuration file. |
|
.It Fl m Ar mac_spec |
|
Additionally, for protocol version 2 a comma-separated list of MAC |
|
(message authentication code) algorithms can |
|
be specified in order of preference. |
|
See the |
|
.Cm MACs |
|
keyword for more information. |
.It Fl n |
.It Fl n |
Redirects stdin from |
Redirects stdin from |
.Pa /dev/null |
.Pa /dev/null |
|
|
option.) |
option.) |
.It Fl N |
.It Fl N |
Do not execute a remote command. |
Do not execute a remote command. |
This is usefull if you just want to forward ports |
This is useful for just forwarding ports |
(protocol version 2 only). |
(protocol version 2 only). |
.It Fl o Ar option |
.It Fl o Ar option |
Can be used to give options in the format used in the config file. |
Can be used to give options in the format used in the configuration file. |
This is useful for specifying options for which there is no separate |
This is useful for specifying options for which there is no separate |
command-line flag. |
command-line flag. |
The option has the same format as a line in the configuration file. |
|
.It Fl p Ar port |
.It Fl p Ar port |
Port to connect to on the remote host. |
Port to connect to on the remote host. |
This can be specified on a |
This can be specified on a |
per-host basis in the configuration file. |
per-host basis in the configuration file. |
.It Fl P |
.It Fl P |
Use a non-privileged port for outgoing connections. |
Use a non-privileged port for outgoing connections. |
This can be used if your firewall does |
This can be used if a firewall does |
not permit connections from privileged ports. |
not permit connections from privileged ports. |
Note that this option turns off |
Note that this option turns off |
.Cm RhostsAuthentication |
.Cm RhostsAuthentication |
and |
and |
.Cm RhostsRSAAuthentication . |
.Cm RhostsRSAAuthentication |
|
for older servers. |
.It Fl q |
.It Fl q |
Quiet mode. |
Quiet mode. |
Causes all warning and diagnostic messages to be suppressed. |
Causes all warning and diagnostic messages to be suppressed. |
Only fatal errors are displayed. |
Only fatal errors are displayed. |
|
.It Fl s |
|
May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use |
|
of SSH as a secure transport for other applications (eg. sftp). The |
|
subsystem is specified as the remote command. |
.It Fl t |
.It Fl t |
Force pseudo-tty allocation. |
Force pseudo-tty allocation. |
This can be used to execute arbitrary |
This can be used to execute arbitrary |
screen-based programs on a remote machine, which can be very useful, |
screen-based programs on a remote machine, which can be very useful, |
e.g., when implementing menu services. |
e.g., when implementing menu services. |
|
Multiple |
|
.Fl t |
|
options force tty allocation, even if |
|
.Nm |
|
has no local tty. |
.It Fl T |
.It Fl T |
Disable pseudo-tty allocation (protocol version 2 only). |
Disable pseudo-tty allocation. |
.It Fl v |
.It Fl v |
Verbose mode. |
Verbose mode. |
Causes |
Causes |
|
|
to print debugging messages about its progress. |
to print debugging messages about its progress. |
This is helpful in |
This is helpful in |
debugging connection, authentication, and configuration problems. |
debugging connection, authentication, and configuration problems. |
The verbose mode is also used to display |
Multiple |
.Xr skey 1 |
.Fl v |
challenges, if the user entered "s/key" as password. |
options increases the verbosity. |
Multiple -v options increases the verbosity. |
|
Maximum is 3. |
Maximum is 3. |
.It Fl x |
.It Fl x |
Disables X11 forwarding. |
Disables X11 forwarding. |
|
|
slow connections, but will only slow down things on fast networks. |
slow connections, but will only slow down things on fast networks. |
The default value can be set on a host-by-host basis in the |
The default value can be set on a host-by-host basis in the |
configuration files; see the |
configuration files; see the |
.Cm Compress |
.Cm Compression |
option below. |
option below. |
|
.It Fl F Ar configfile |
|
Specifies an alternative per-user configuration file. |
|
If a configuration file is given on the command line, |
|
the system-wide configuration file |
|
.Pq Pa /etc/ssh_config |
|
will be ignored. |
|
The default for the per-user configuration file is |
|
.Pa $HOME/.ssh/config . |
.It Fl L Ar port:host:hostport |
.It Fl L Ar port:host:hostport |
Specifies that the given port on the local (client) host is to be |
Specifies that the given port on the local (client) host is to be |
forwarded to the given host and port on the remote side. |
forwarded to the given host and port on the remote side. |
|
|
Port forwardings can also be specified in the configuration file. |
Port forwardings can also be specified in the configuration file. |
Privileged ports can be forwarded only when |
Privileged ports can be forwarded only when |
logging in as root on the remote machine. |
logging in as root on the remote machine. |
|
IPv6 addresses can be specified with an alternative syntax: |
|
.Ar port/host/hostport |
|
.It Fl D Ar port |
|
Specifies a local |
|
.Dq dynamic |
|
application-level port forwarding. |
|
This works by allocating a socket to listen to |
|
.Ar port |
|
on the local side, and whenever a connection is made to this port, the |
|
connection is forwarded over the secure channel, and the application |
|
protocol is then used to determine where to connect to from the |
|
remote machine. Currently the SOCKS4 protocol is supported, and |
|
.Nm |
|
will act as a SOCKS4 server. |
|
Only root can forward privileged ports. |
|
Dynamic port forwardings can also be specified in the configuration file. |
|
.It Fl 1 |
|
Forces |
|
.Nm |
|
to try protocol version 1 only. |
.It Fl 2 |
.It Fl 2 |
Forces |
Forces |
.Nm |
.Nm |
|
|
.El |
.El |
.Sh CONFIGURATION FILES |
.Sh CONFIGURATION FILES |
.Nm |
.Nm |
obtains configuration data from the following sources (in this order): |
obtains configuration data from the following sources in |
|
the following order: |
command line options, user's configuration file |
command line options, user's configuration file |
.Pq Pa $HOME/.ssh/config , |
.Pq Pa $HOME/.ssh/config , |
and system-wide configuration file |
and system-wide configuration file |
|
|
.Pp |
.Pp |
Otherwise a line is of the format |
Otherwise a line is of the format |
.Dq keyword arguments . |
.Dq keyword arguments . |
|
Configuration options may be separated by whitespace or |
|
optional whitespace and exactly one |
|
.Ql = ; |
|
the latter format is useful to avoid the need to quote whitespace |
|
when specifying configuration options using the |
|
.Nm ssh , |
|
.Nm scp |
|
and |
|
.Nm sftp |
|
.Fl o |
|
option. |
|
.Pp |
The possible |
The possible |
keywords and their meanings are as follows (note that the |
keywords and their meanings are as follows (note that |
configuration files are case-sensitive): |
keywords are case-insensitive and arguments are case-sensitive): |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Cm Host |
.It Cm Host |
Restricts the following declarations (up to the next |
Restricts the following declarations (up to the next |
|
|
.Dq yes |
.Dq yes |
or |
or |
.Dq no . |
.Dq no . |
|
This option applies to protocol version 1 only. |
.It Cm BatchMode |
.It Cm BatchMode |
If set to |
If set to |
.Dq yes , |
.Dq yes , |
passphrase/password querying will be disabled. |
passphrase/password querying will be disabled. |
This option is useful in scripts and other batch jobs where you have no |
This option is useful in scripts and other batch jobs where no user |
user to supply the password. |
is present to supply the password. |
The argument must be |
The argument must be |
.Dq yes |
.Dq yes |
or |
or |
.Dq no . |
.Dq no . |
|
The default is |
|
.Dq no . |
|
.It Cm BindAddress |
|
Specify the interface to transmit from on machines with multiple |
|
interfaces or aliased addresses. |
|
Note that this option does not work if |
|
.Cm UsePrivilegedPort |
|
is set to |
|
.Dq yes . |
.It Cm CheckHostIP |
.It Cm CheckHostIP |
If this flag is set to |
If this flag is set to |
.Dq yes , |
.Dq yes , |
ssh will additionally check the host ip address in the |
ssh will additionally check the host IP address in the |
.Pa known_hosts |
.Pa known_hosts |
file. |
file. |
This allows ssh to detect if a host key changed due to DNS spoofing. |
This allows ssh to detect if a host key changed due to DNS spoofing. |
If the option is set to |
If the option is set to |
.Dq no , |
.Dq no , |
the check will not be executed. |
the check will not be executed. |
|
The default is |
|
.Dq yes . |
.It Cm Cipher |
.It Cm Cipher |
Specifies the cipher to use for encrypting the session |
Specifies the cipher to use for encrypting the session |
in protocol version 1. |
in protocol version 1. |
Currently, |
Currently, |
.Dq blowfish |
.Dq blowfish , |
|
.Dq 3des , |
and |
and |
.Dq 3des |
.Dq des |
are supported. |
are supported. |
|
.Ar des |
|
is only supported in the |
|
.Nm |
|
client for interoperability with legacy protocol 1 implementations |
|
that do not support the |
|
.Ar 3des |
|
cipher. Its use is strongly discouraged due to cryptographic |
|
weaknesses. |
The default is |
The default is |
.Dq 3des . |
.Dq 3des . |
.It Cm Ciphers |
.It Cm Ciphers |
|
|
in order of preference. |
in order of preference. |
Multiple ciphers must be comma-separated. |
Multiple ciphers must be comma-separated. |
The default is |
The default is |
.Dq 3des-cbc,blowfish-cbc,cast128-cbc,arcfour . |
.Pp |
|
.Bd -literal |
|
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
|
aes192-cbc,aes256-cbc'' |
|
.Ed |
|
.It Cm ClearAllForwardings |
|
Specifies that all local, remote and dynamic port forwardings |
|
specified in the configuration files or on the command line be |
|
cleared. This option is primarily useful when used from the |
|
.Nm |
|
command line to clear port forwardings set in |
|
configuration files, and is automatically set by |
|
.Xr scp 1 |
|
and |
|
.Xr sftp 1 . |
|
The argument must be |
|
.Dq yes |
|
or |
|
.Dq no . |
|
The default is |
|
.Dq no . |
.It Cm Compression |
.It Cm Compression |
Specifies whether to use compression. |
Specifies whether to use compression. |
The argument must be |
The argument must be |
.Dq yes |
.Dq yes |
or |
or |
.Dq no . |
.Dq no . |
|
The default is |
|
.Dq no . |
.It Cm CompressionLevel |
.It Cm CompressionLevel |
Specifies the compression level to use if compression is enable. |
Specifies the compression level to use if compression is enabled. |
The argument must be an integer from 1 (fast) to 9 (slow, best). |
The argument must be an integer from 1 (fast) to 9 (slow, best). |
The default level is 6, which is good for most applications. |
The default level is 6, which is good for most applications. |
The meaning of the values is the same as in |
The meaning of the values is the same as in |
.Xr gzip 1 . |
.Xr gzip 1 . |
|
Note that this option applies to protocol version 1 only. |
.It Cm ConnectionAttempts |
.It Cm ConnectionAttempts |
Specifies the number of tries (one per second) to make before falling |
Specifies the number of tries (one per second) to make before falling |
back to rsh or exiting. |
back to rsh or exiting. |
The argument must be an integer. |
The argument must be an integer. |
This may be useful in scripts if the connection sometimes fails. |
This may be useful in scripts if the connection sometimes fails. |
.It Cm DSAAuthentication |
The default is 1. |
Specifies whether to try DSA authentication. |
.It Cm DynamicForward |
The argument to this keyword must be |
Specifies that a TCP/IP port on the local machine be forwarded |
.Dq yes |
over the secure channel, and the application |
or |
protocol is then used to determine where to connect to from the |
.Dq no . |
remote machine. The argument must be a port number. |
DSA authentication will only be |
Currently the SOCKS4 protocol is supported, and |
attempted if a DSA identity file exists. |
.Nm |
Note that this option applies to protocol version 2 only. |
will act as a SOCKS4 server. |
|
Multiple forwardings may be specified, and |
|
additional forwardings can be given on the command line. Only |
|
the superuser can forward privileged ports. |
.It Cm EscapeChar |
.It Cm EscapeChar |
Sets the escape character (default: |
Sets the escape character (default: |
.Ql ~ ) . |
.Ql ~ ) . |
|
|
.Dq yes |
.Dq yes |
or |
or |
.Dq no . |
.Dq no . |
|
The default is |
|
.Dq no . |
.It Cm ForwardAgent |
.It Cm ForwardAgent |
Specifies whether the connection to the authentication agent (if any) |
Specifies whether the connection to the authentication agent (if any) |
will be forwarded to the remote machine. |
will be forwarded to the remote machine. |
|
|
.It Cm GatewayPorts |
.It Cm GatewayPorts |
Specifies whether remote hosts are allowed to connect to local |
Specifies whether remote hosts are allowed to connect to local |
forwarded ports. |
forwarded ports. |
|
By default, |
|
.Nm |
|
binds local port forwardings to the loopback addresss. This |
|
prevents other remote hosts from connecting to forwarded ports. |
|
.Cm GatewayPorts |
|
can be used to specify that |
|
.Nm |
|
should bind local port forwardings to the wildcard address, |
|
thus allowing remote hosts to connect to forwarded ports. |
The argument must be |
The argument must be |
.Dq yes |
.Dq yes |
or |
or |
|
|
The default is |
The default is |
.Dq no . |
.Dq no . |
.It Cm GlobalKnownHostsFile |
.It Cm GlobalKnownHostsFile |
Specifies a file to use instead of |
Specifies a file to use for the global |
|
host key database instead of |
.Pa /etc/ssh_known_hosts . |
.Pa /etc/ssh_known_hosts . |
|
.It Cm HostbasedAuthentication |
|
Specifies whether to try rhosts based authentication with public key |
|
authentication. |
|
The argument must be |
|
.Dq yes |
|
or |
|
.Dq no . |
|
The default is |
|
.Dq no . |
|
This option applies to protocol version 2 only and |
|
is similar to |
|
.Cm RhostsRSAAuthentication . |
|
.It Cm HostKeyAlgorithms |
|
Specifies the protocol version 2 host key algorithms |
|
that the client wants to use in order of preference. |
|
The default for this option is: |
|
.Dq ssh-rsa,ssh-dss |
|
.It Cm HostKeyAlias |
|
Specifies an alias that should be used instead of the |
|
real host name when looking up or saving the host key |
|
in the host key database files. |
|
This option is useful for tunneling ssh connections |
|
or for multiple servers running on a single host. |
.It Cm HostName |
.It Cm HostName |
Specifies the real host name to log into. |
Specifies the real host name to log into. |
This can be used to specify nicknames or abbreviations for hosts. |
This can be used to specify nicknames or abbreviations for hosts. |
|
|
.Cm HostName |
.Cm HostName |
specifications). |
specifications). |
.It Cm IdentityFile |
.It Cm IdentityFile |
Specifies the file from which the user's RSA authentication identity |
Specifies the file from which the user's RSA or DSA authentication identity |
is read (default |
is read (default |
.Pa $HOME/.ssh/identity |
.Pa $HOME/.ssh/identity |
in the user's home directory). |
in the user's home directory). |
|
|
It is possible to have |
It is possible to have |
multiple identity files specified in configuration files; all these |
multiple identity files specified in configuration files; all these |
identities will be tried in sequence. |
identities will be tried in sequence. |
.It Cm IdentityFile2 |
|
Specifies the file from which the user's DSA authentication identity |
|
is read (default |
|
.Pa $HOME/.ssh/id_dsa |
|
in the user's home directory). |
|
The file name may use the tilde |
|
syntax to refer to a user's home directory. |
|
It is possible to have |
|
multiple identity files specified in configuration files; all these |
|
identities will be tried in sequence. |
|
.It Cm KeepAlive |
.It Cm KeepAlive |
Specifies whether the system should send keepalive messages to the |
Specifies whether the system should send keepalive messages to the |
other side. |
other side. |
|
|
.Dq no . |
.Dq no . |
.It Cm LocalForward |
.It Cm LocalForward |
Specifies that a TCP/IP port on the local machine be forwarded over |
Specifies that a TCP/IP port on the local machine be forwarded over |
the secure channel to given host:port from the remote machine. |
the secure channel to the specified host and port from the remote machine. |
The first argument must be a port number, and the second must be |
The first argument must be a port number, and the second must be |
host:port. |
.Ar host:port . |
|
IPv6 addresses can be specified with an alternative syntax: |
|
.Ar host/port . |
Multiple forwardings may be specified, and additional |
Multiple forwardings may be specified, and additional |
forwardings can be given on the command line. |
forwardings can be given on the command line. |
Only the superuser can forward privileged ports. |
Only the superuser can forward privileged ports. |
|
|
The possible values are: |
The possible values are: |
QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG. |
QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG. |
The default is INFO. |
The default is INFO. |
|
.It Cm MACs |
|
Specifies the MAC (message authentication code) algorithms |
|
in order of preference. |
|
The MAC algorithm is used in protocol version 2 |
|
for data integrity protection. |
|
Multiple algorithms must be comma-separated. |
|
The default is |
|
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . |
|
.It Cm NoHostAuthenticationForLocalhost |
|
This option can be used if the home directory is shared across machines. |
|
In this case localhost will refer to a different machine on each of |
|
the machines and the user will get many warnings about changed host keys. |
|
However, this option disables host authentication for localhost. |
|
The argument to this keyword must be |
|
.Dq yes |
|
or |
|
.Dq no . |
|
The default is to check the host key for localhost. |
.It Cm NumberOfPasswordPrompts |
.It Cm NumberOfPasswordPrompts |
Specifies the number of password prompts before giving up. |
Specifies the number of password prompts before giving up. |
The argument to this keyword must be an integer. |
The argument to this keyword must be an integer. |
|
|
.Dq yes |
.Dq yes |
or |
or |
.Dq no . |
.Dq no . |
Note that this option applies to both protocol version 1 and 2. |
The default is |
|
.Dq yes . |
.It Cm Port |
.It Cm Port |
Specifies the port number to connect on the remote host. |
Specifies the port number to connect on the remote host. |
Default is 22. |
Default is 22. |
|
.It Cm PreferredAuthentications |
|
Specifies the order in which the client should try protocol 2 |
|
authentication methods. This allows a client to prefer one method (e.g. |
|
.Cm keyboard-interactive ) |
|
over another method (e.g. |
|
.Cm password ) |
|
The default for this option is: |
|
.Dq hostbased,publickey,keyboard-interactive,password |
.It Cm Protocol |
.It Cm Protocol |
Specifies the protocol versions |
Specifies the protocol versions |
.Nm |
.Nm |
|
|
.Dq 2 . |
.Dq 2 . |
Multiple versions must be comma-separated. |
Multiple versions must be comma-separated. |
The default is |
The default is |
.Dq 1,2 . |
.Dq 2,1 . |
This means that |
This means that |
.Nm |
.Nm |
tries version 1 and falls back to version 2 |
tries version 2 and falls back to version 1 |
if version 1 is not available. |
if version 2 is not available. |
.It Cm ProxyCommand |
.It Cm ProxyCommand |
Specifies the command to use to connect to the server. |
Specifies the command to use to connect to the server. |
The command |
The command |
|
|
.Cm CheckHostIP |
.Cm CheckHostIP |
is not available for connects with a proxy command. |
is not available for connects with a proxy command. |
.Pp |
.Pp |
|
.It Cm PubkeyAuthentication |
|
Specifies whether to try public key authentication. |
|
The argument to this keyword must be |
|
.Dq yes |
|
or |
|
.Dq no . |
|
The default is |
|
.Dq yes . |
|
This option applies to protocol version 2 only. |
.It Cm RemoteForward |
.It Cm RemoteForward |
Specifies that a TCP/IP port on the remote machine be forwarded over |
Specifies that a TCP/IP port on the remote machine be forwarded over |
the secure channel to given host:port from the local machine. |
the secure channel to the specified host and port from the local machine. |
The first argument must be a port number, and the second must be |
The first argument must be a port number, and the second must be |
host:port. |
.Ar host:port . |
|
IPv6 addresses can be specified with an alternative syntax: |
|
.Ar host/port . |
Multiple forwardings may be specified, and additional |
Multiple forwardings may be specified, and additional |
forwardings can be given on the command line. |
forwardings can be given on the command line. |
Only the superuser can forward privileged ports. |
Only the superuser can forward privileged ports. |
|
|
authentication time on slow connections when rhosts authentication is |
authentication time on slow connections when rhosts authentication is |
not used. |
not used. |
Most servers do not permit RhostsAuthentication because it |
Most servers do not permit RhostsAuthentication because it |
is not secure (see RhostsRSAAuthentication). |
is not secure (see |
|
.Cm RhostsRSAAuthentication ) . |
The argument to this keyword must be |
The argument to this keyword must be |
.Dq yes |
.Dq yes |
or |
or |
.Dq no . |
.Dq no . |
|
The default is |
|
.Dq yes . |
|
This option applies to protocol version 1 only. |
.It Cm RhostsRSAAuthentication |
.It Cm RhostsRSAAuthentication |
Specifies whether to try rhosts based authentication with RSA host |
Specifies whether to try rhosts based authentication with RSA host |
authentication. |
authentication. |
This is the primary authentication method for most sites. |
|
The argument must be |
The argument must be |
.Dq yes |
.Dq yes |
or |
or |
.Dq no . |
.Dq no . |
|
The default is |
|
.Dq yes . |
|
This option applies to protocol version 1 only. |
.It Cm RSAAuthentication |
.It Cm RSAAuthentication |
Specifies whether to try RSA authentication. |
Specifies whether to try RSA authentication. |
The argument to this keyword must be |
The argument to this keyword must be |
|
|
RSA authentication will only be |
RSA authentication will only be |
attempted if the identity file exists, or an authentication agent is |
attempted if the identity file exists, or an authentication agent is |
running. |
running. |
|
The default is |
|
.Dq yes . |
Note that this option applies to protocol version 1 only. |
Note that this option applies to protocol version 1 only. |
.It Cm SkeyAuthentication |
.It Cm ChallengeResponseAuthentication |
Specifies whether to use |
Specifies whether to use challenge response authentication. |
.Xr skey 1 |
|
authentication. |
|
The argument to this keyword must be |
The argument to this keyword must be |
.Dq yes |
.Dq yes |
or |
or |
.Dq no . |
.Dq no . |
The default is |
The default is |
.Dq no . |
.Dq yes . |
|
.It Cm SmartcardDevice |
|
Specifies which smartcard device to use. The argument to this keyword is |
|
the device |
|
.Nm |
|
should use to communicate with a smartcard used for storing the user's |
|
private RSA key. By default, no device is specified and smartcard support |
|
is not activated. |
.It Cm StrictHostKeyChecking |
.It Cm StrictHostKeyChecking |
If this flag is set to |
If this flag is set to |
.Dq yes , |
.Dq yes , |
.Nm |
.Nm |
ssh will never automatically add host keys to the |
will never automatically add host keys to the |
.Pa $HOME/.ssh/known_hosts |
.Pa $HOME/.ssh/known_hosts |
and |
file, and refuses to connect to hosts whose host key has changed. |
.Pa $HOME/.ssh/known_hosts2 |
This provides maximum protection against trojan horse attacks, |
files, and refuses to connect hosts whose host key has changed. |
however, can be annoying when the |
This provides maximum protection against trojan horse attacks. |
|
However, it can be somewhat annoying if you don't have good |
|
.Pa /etc/ssh_known_hosts |
.Pa /etc/ssh_known_hosts |
and |
file is poorly maintained, or connections to new hosts are |
.Pa /etc/ssh_known_hosts2 |
frequently made. |
files installed and frequently |
This option forces the user to manually |
connect new hosts. |
add all new hosts. |
Basically this option forces the user to manually |
If this flag is set to |
add any new hosts. |
.Dq no , |
Normally this option is disabled, and new hosts |
.Nm |
will automatically be added to the known host files. |
will automatically add new host keys to the |
|
user known hosts files. |
|
If this flag is set to |
|
.Dq ask , |
|
new host keys |
|
will be added to the user known host files only after the user |
|
has confirmed that is what they really want to do, and |
|
.Nm |
|
will refuse to connect to hosts whose host key has changed. |
The host keys of |
The host keys of |
known hosts will be verified automatically in either case. |
known hosts will be verified automatically in all cases. |
The argument must be |
The argument must be |
.Dq yes |
.Dq yes , |
|
.Dq no |
or |
or |
.Dq no . |
.Dq ask . |
|
The default is |
|
.Dq ask . |
.It Cm UsePrivilegedPort |
.It Cm UsePrivilegedPort |
Specifies whether to use a privileged port for outgoing connections. |
Specifies whether to use a privileged port for outgoing connections. |
The argument must be |
The argument must be |
|
|
or |
or |
.Dq no . |
.Dq no . |
The default is |
The default is |
.Dq yes . |
.Dq no . |
Note that setting this option to |
Note that this option must be set to |
.Dq no |
.Dq yes |
turns off |
if |
.Cm RhostsAuthentication |
.Cm RhostsAuthentication |
and |
and |
.Cm RhostsRSAAuthentication . |
.Cm RhostsRSAAuthentication |
|
authentications are needed with older servers. |
.It Cm User |
.It Cm User |
Specifies the user to log in as. |
Specifies the user to log in as. |
This can be useful if you have a different user name on different machines. |
This can be useful when a different user name is used on different machines. |
This saves the trouble of |
This saves the trouble of |
having to remember to give the user name on the command line. |
having to remember to give the user name on the command line. |
.It Cm UserKnownHostsFile |
.It Cm UserKnownHostsFile |
Specifies a file to use instead of |
Specifies a file to use for the user |
|
host key database instead of |
.Pa $HOME/.ssh/known_hosts . |
.Pa $HOME/.ssh/known_hosts . |
.It Cm UseRsh |
.It Cm UseRsh |
Specifies that rlogin/rsh should be used for this host. |
Specifies that rlogin/rsh should be used for this host. |
|
|
.Nm |
.Nm |
uses this special value to forward X11 connections over the secure |
uses this special value to forward X11 connections over the secure |
channel. |
channel. |
The user should normally not set DISPLAY explicitly, as that |
The user should normally not set |
|
.Ev DISPLAY |
|
explicitly, as that |
will render the X11 connection insecure (and will require the user to |
will render the X11 connection insecure (and will require the user to |
manually copy any required authorization cookies). |
manually copy any required authorization cookies). |
.It Ev HOME |
.It Ev HOME |
|
|
.Ev USER ; |
.Ev USER ; |
set for compatibility with systems that use this variable. |
set for compatibility with systems that use this variable. |
.It Ev MAIL |
.It Ev MAIL |
Set to point the user's mailbox. |
Set to the path of the user's mailbox. |
.It Ev PATH |
.It Ev PATH |
Set to the default |
Set to the default |
.Ev PATH , |
.Ev PATH , |
as specified when compiling |
as specified when compiling |
.Nm ssh . |
.Nm ssh . |
|
.It Ev SSH_ASKPASS |
|
If |
|
.Nm |
|
needs a passphrase, it will read the passphrase from the current |
|
terminal if it was run from a terminal. |
|
If |
|
.Nm |
|
does not have a terminal associated with it but |
|
.Ev DISPLAY |
|
and |
|
.Ev SSH_ASKPASS |
|
are set, it will execute the program specified by |
|
.Ev SSH_ASKPASS |
|
and open an X11 window to read the passphrase. |
|
This is particularly useful when calling |
|
.Nm |
|
from a |
|
.Pa .Xsession |
|
or related script. |
|
(Note that on some machines it |
|
may be necessary to redirect the input from |
|
.Pa /dev/null |
|
to make this work.) |
.It Ev SSH_AUTH_SOCK |
.It Ev SSH_AUTH_SOCK |
indicates the path of a unix-domain socket used to communicate with the |
Identifies the path of a unix-domain socket used to communicate with the |
agent. |
agent. |
.It Ev SSH_CLIENT |
.It Ev SSH_CLIENT |
Identifies the client end of the connection. |
Identifies the client end of the connection. |
The variable contains |
The variable contains |
three space-separated values: client ip-address, client port number, |
three space-separated values: client ip-address, client port number, |
and server port number. |
and server port number. |
|
.It Ev SSH_ORIGINAL_COMMAND |
|
The variable contains the original command line if a forced command |
|
is executed. |
|
It can be used to extract the original arguments. |
.It Ev SSH_TTY |
.It Ev SSH_TTY |
This is set to the name of the tty (path to the device) associated |
This is set to the name of the tty (path to the device) associated |
with the current shell or command. |
with the current shell or command. |
|
|
.Sh FILES |
.Sh FILES |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Pa $HOME/.ssh/known_hosts |
.It Pa $HOME/.ssh/known_hosts |
Records host keys for all hosts the user has logged into (that are not |
Records host keys for all hosts the user has logged into that are not |
in |
in |
.Pa /etc/ssh_known_hosts ) . |
.Pa /etc/ssh_known_hosts . |
See |
See |
.Xr sshd 8 . |
.Xr sshd 8 . |
.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa |
.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa |
Contains the RSA and the DSA authentication identity of the user. |
Contains the authentication identity of the user. |
|
They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. |
These files |
These files |
contain sensitive data and should be readable by the user but not |
contain sensitive data and should be readable by the user but not |
accessible by others (read/write/execute). |
accessible by others (read/write/execute). |
|
|
It is possible to specify a passphrase when |
It is possible to specify a passphrase when |
generating the key; the passphrase will be used to encrypt the |
generating the key; the passphrase will be used to encrypt the |
sensitive part of this file using 3DES. |
sensitive part of this file using 3DES. |
.It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub |
.It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub |
Contains the public key for authentication (public part of the |
Contains the public key for authentication (public part of the |
identity file in human-readable form). |
identity file in human-readable form). |
The contents of the |
The contents of the |
|
|
file should be added to |
file should be added to |
.Pa $HOME/.ssh/authorized_keys |
.Pa $HOME/.ssh/authorized_keys |
on all machines |
on all machines |
where you wish to log in using RSA authentication. |
where the user wishes to log in using protocol version 1 RSA authentication. |
The contents of the |
The contents of the |
.Pa $HOME/.ssh/id_dsa.pub |
.Pa $HOME/.ssh/id_dsa.pub |
|
and |
|
.Pa $HOME/.ssh/id_rsa.pub |
file should be added to |
file should be added to |
.Pa $HOME/.ssh/authorized_keys2 |
.Pa $HOME/.ssh/authorized_keys |
on all machines |
on all machines |
where you wish to log in using DSA authentication. |
where the user wishes to log in using protocol version 2 DSA/RSA authentication. |
These files are not |
These files are not |
sensitive and can (but need not) be readable by anyone. |
sensitive and can (but need not) be readable by anyone. |
These files are |
These files are |
never used automatically and are not necessary; they is only provided for |
never used automatically and are not necessary; they are only provided for |
the convenience of the user. |
the convenience of the user. |
.It Pa $HOME/.ssh/config |
.It Pa $HOME/.ssh/config |
This is the per-user configuration file. |
This is the per-user configuration file. |
|
|
but the recommended permissions are read/write for the user, and not |
but the recommended permissions are read/write for the user, and not |
accessible by others. |
accessible by others. |
.It Pa $HOME/.ssh/authorized_keys |
.It Pa $HOME/.ssh/authorized_keys |
Lists the RSA keys that can be used for logging in as this user. |
Lists the public keys (RSA/DSA) that can be used for logging in as this user. |
The format of this file is described in the |
The format of this file is described in the |
.Xr sshd 8 |
.Xr sshd 8 |
manual page. |
manual page. |
In the simplest form the format is the same as the .pub |
In the simplest form the format is the same as the .pub |
identity files (that is, each line contains the number of bits in |
identity files. |
modulus, public exponent, modulus, and comment fields, separated by |
|
spaces). |
|
This file is not highly sensitive, but the recommended |
This file is not highly sensitive, but the recommended |
permissions are read/write for the user, and not accessible by others. |
permissions are read/write for the user, and not accessible by others. |
.It Pa $HOME/.ssh/authorized_keys2 |
.It Pa /etc/ssh_known_hosts |
Lists the DSA keys that can be used for logging in as this user. |
|
This file is not highly sensitive, but the recommended |
|
permissions are read/write for the user, and not accessible by others. |
|
.It Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2 |
|
Systemwide list of known host keys. |
Systemwide list of known host keys. |
.Pa /etc/ssh_known_hosts |
This file should be prepared by the |
contains RSA and |
|
.Pa /etc/ssh_known_hosts2 |
|
contains DSA keys. |
|
These files should be prepared by the |
|
system administrator to contain the public host keys of all machines in the |
system administrator to contain the public host keys of all machines in the |
organization. |
organization. |
This file should be world-readable. |
This file should be world-readable. |
This file contains |
This file contains |
public keys, one per line, in the following format (fields separated |
public keys, one per line, in the following format (fields separated |
by spaces): system name, number of bits in modulus, public exponent, |
by spaces): system name, public key and optional comment field. |
modulus, and optional comment field. |
|
When different names are used |
When different names are used |
for the same machine, all such names should be listed, separated by |
for the same machine, all such names should be listed, separated by |
commas. |
commas. |
|
|
Each line of the file contains a host name (in the canonical form |
Each line of the file contains a host name (in the canonical form |
returned by name servers), and then a user name on that host, |
returned by name servers), and then a user name on that host, |
separated by a space. |
separated by a space. |
One some machines this file may need to be |
On some machines this file may need to be |
world-readable if the user's home directory is on a NFS partition, |
world-readable if the user's home directory is on a NFS partition, |
because |
because |
.Xr sshd 8 |
.Xr sshd 8 |
|
|
.Xr sshd 8 |
.Xr sshd 8 |
will be installed so that it requires successful RSA host |
will be installed so that it requires successful RSA host |
authentication before permitting \s+2.\s0rhosts authentication. |
authentication before permitting \s+2.\s0rhosts authentication. |
If your server machine does not have the client's host key in |
If the server machine does not have the client's host key in |
.Pa /etc/ssh_known_hosts , |
.Pa /etc/ssh_known_hosts , |
you can store it in |
it can be stored in |
.Pa $HOME/.ssh/known_hosts . |
.Pa $HOME/.ssh/known_hosts . |
The easiest way to do this is to |
The easiest way to do this is to |
connect back to the client from the server machine using ssh; this |
connect back to the client from the server machine using ssh; this |
|
|
Contains additional definitions for environment variables, see section |
Contains additional definitions for environment variables, see section |
.Sx ENVIRONMENT |
.Sx ENVIRONMENT |
above. |
above. |
.It Pa libcrypto.so.X.1 |
|
A version of this library which includes support for the RSA algorithm |
|
is required for proper operation. |
|
.El |
.El |
.Sh AUTHOR |
.Sh AUTHORS |
OpenSSH |
OpenSSH is a derivative of the original and free |
is a derivative of the original (free) ssh 1.2.12 release by Tatu Ylonen, |
ssh 1.2.12 release by Tatu Ylonen. |
but with bugs removed and newer features re-added. |
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, |
Rapidly after the |
Theo de Raadt and Dug Song |
1.2.12 release, newer versions of the original ssh bore successively |
removed many bugs, re-added newer features and |
more restrictive licenses, and thus demand for a free version was born. |
created OpenSSH. |
.Pp |
Markus Friedl contributed the support for SSH |
This version of OpenSSH |
protocol versions 1.5 and 2.0. |
.Bl -bullet |
|
.It |
|
has all components of a restrictive nature (i.e., patents, see |
|
.Xr ssl 8 ) |
|
directly removed from the source code; any licensed or patented components |
|
are chosen from |
|
external libraries. |
|
.It |
|
has been updated to support SSH protocol 1.5 and 2, making it compatible with |
|
all other SSH clients and servers. |
|
.It |
|
contains added support for |
|
.Xr kerberos 8 |
|
authentication and ticket passing. |
|
.It |
|
supports one-time password authentication with |
|
.Xr skey 1 . |
|
.El |
|
.Pp |
|
OpenSSH has been created by Aaron Campbell, Bob Beck, Markus Friedl, |
|
Niels Provos, Theo de Raadt, and Dug Song. |
|
.Pp |
|
The support for SSH protocol 2 was written by Markus Friedl. |
|
.Sh SEE ALSO |
.Sh SEE ALSO |
.Xr rlogin 1 , |
.Xr rlogin 1 , |
.Xr rsh 1 , |
.Xr rsh 1 , |
.Xr scp 1 , |
.Xr scp 1 , |
|
.Xr sftp 1 , |
.Xr ssh-add 1 , |
.Xr ssh-add 1 , |
.Xr ssh-agent 1 , |
.Xr ssh-agent 1 , |
.Xr ssh-keygen 1 , |
.Xr ssh-keygen 1 , |
.Xr telnet 1 , |
.Xr telnet 1 , |
.Xr sshd 8 , |
.Xr sshd 8 |
.Xr ssl 8 |
.Rs |
|
.%A T. Ylonen |
|
.%A T. Kivinen |
|
.%A M. Saarinen |
|
.%A T. Rinne |
|
.%A S. Lehtinen |
|
.%T "SSH Protocol Architecture" |
|
.%N draft-ietf-secsh-architecture-09.txt |
|
.%D July 2001 |
|
.%O work in progress material |
|
.Re |