| version 1.64.2.3, 2001/03/21 19:46:30 |
version 1.64.2.4, 2001/05/07 21:09:36 |
|
|
| This form of authentication alone is normally not |
This form of authentication alone is normally not |
| allowed by the server because it is not secure. |
allowed by the server because it is not secure. |
| .Pp |
.Pp |
| The second (and primary) authentication method is the |
The second authentication method is the |
| .Pa rhosts |
.Pa rhosts |
| or |
or |
| .Pa hosts.equiv |
.Pa hosts.equiv |
|
|
| .Ss SSH protocol version 2 |
.Ss SSH protocol version 2 |
| .Pp |
.Pp |
| When a user connects using the protocol version 2 |
When a user connects using the protocol version 2 |
| different authentication methods are available: |
different authentication methods are available. |
| At first, the client attempts to authenticate using the public key method. |
Using the default values for |
| If this method fails password authentication is tried. |
.Cm PreferredAuthentications , |
| |
the client will try to authenticate first using the public key method; |
| |
if this method fails password authentication is attempted, |
| |
and finally if this method fails keyboard-interactive authentication |
| |
is attempted. |
| |
If this method fails password authentication is |
| |
tried. |
| .Pp |
.Pp |
| The public key method is similar to RSA authentication described |
The public key method is similar to RSA authentication described |
| in the previous section except that the DSA or RSA algorithm is used |
in the previous section and allows the RSA or DSA algorithm to be used: |
| instead. |
The client uses his private key, |
| The client uses his private key |
|
| .Pa $HOME/.ssh/id_dsa |
.Pa $HOME/.ssh/id_dsa |
| |
or |
| |
.Pa $HOME/.ssh/id_rsa , |
| to sign the session identifier and sends the result to the server. |
to sign the session identifier and sends the result to the server. |
| The server checks whether the matching public key is listed in |
The server checks whether the matching public key is listed in |
| .Pa $HOME/.ssh/authorized_keys2 |
.Pa $HOME/.ssh/authorized_keys2 |
|
|
| .Pp |
.Pp |
| If public key authentication fails or is not available a password |
If public key authentication fails or is not available a password |
| can be sent encrypted to the remote host for proving the user's identity. |
can be sent encrypted to the remote host for proving the user's identity. |
| This protocol 2 implementation does not yet support Kerberos or |
|
| S/Key authentication. |
|
| .Pp |
.Pp |
| |
Additionally, |
| |
.Nm |
| |
supports hostbased or challenge response authentication. |
| |
.Pp |
| Protocol 2 provides additional mechanisms for confidentiality |
Protocol 2 provides additional mechanisms for confidentiality |
| (the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) |
(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) |
| and integrity (hmac-md5, hmac-sha1). |
and integrity (hmac-md5, hmac-sha1). |
|
|
| the remote command or shell will be automatically encrypted. |
the remote command or shell will be automatically encrypted. |
| .Pp |
.Pp |
| If a pseudo-terminal has been allocated (normal login session), the |
If a pseudo-terminal has been allocated (normal login session), the |
| user can disconnect with |
user may use the escape characters noted below. |
| .Ic ~. , |
|
| and suspend |
|
| .Nm |
|
| with |
|
| .Ic ~^Z . |
|
| All forwarded connections can be listed with |
|
| .Ic ~# |
|
| and if |
|
| the session blocks waiting for forwarded X11 or TCP/IP |
|
| connections to terminate, it can be backgrounded with |
|
| .Ic ~& |
|
| (this should not be used while the user shell is active, as it can cause the |
|
| shell to hang). |
|
| All available escapes can be listed with |
|
| .Ic ~? . |
|
| .Pp |
.Pp |
| A single tilde character can be sent as |
|
| .Ic ~~ |
|
| (or by following the tilde by a character other than those described above). |
|
| The escape character must always follow a newline to be interpreted as |
|
| special. |
|
| The escape character can be changed in configuration files |
|
| or on the command line. |
|
| .Pp |
|
| If no pseudo tty has been allocated, the |
If no pseudo tty has been allocated, the |
| session is transparent and can be used to reliably transfer binary |
session is transparent and can be used to reliably transfer binary |
| data. |
data. |
|
|
| of |
of |
| .Nm ssh . |
.Nm ssh . |
| .Pp |
.Pp |
| |
.Ss Escape Characters |
| |
.Pp |
| |
When a pseudo terminal has been requested, ssh supports a number of functions |
| |
through the use of an escape character. |
| |
.Pp |
| |
A single tilde character can be sent as |
| |
.Ic ~~ |
| |
(or by following the tilde by a character other than those described above). |
| |
The escape character must always follow a newline to be interpreted as |
| |
special. |
| |
The escape character can be changed in configuration files using the |
| |
.Cm EscapeChar |
| |
configuration directive or on the command line by the |
| |
.Fl e |
| |
option. |
| |
.Pp |
| |
The supported escapes (assuming the default |
| |
.Ql ~ ) |
| |
are: |
| |
.Bl -tag -width Ds |
| |
.It Cm ~. |
| |
Disconnect |
| |
.It Cm ~^Z |
| |
Background ssh |
| |
.It Cm ~# |
| |
List forwarded connections |
| |
.It Cm ~& |
| |
Background ssh at logout when waiting for forwarded connection / X11 sessions |
| |
to terminate (protocol version 1 only) |
| |
.It Cm ~? |
| |
Display a list of escape characters |
| |
.It Cm ~R |
| |
Request rekeying of the connection (only useful for SSH protocol version 2 |
| |
and if the peer supports it) |
| |
.El |
| |
.Pp |
| .Ss X11 and TCP forwarding |
.Ss X11 and TCP forwarding |
| .Pp |
.Pp |
| If the user is using X11 (the |
If the user is using X11 (the |
|
|
| Port forwardings can also be specified in the configuration file. |
Port forwardings can also be specified in the configuration file. |
| Privileged ports can be forwarded only when |
Privileged ports can be forwarded only when |
| logging in as root on the remote machine. |
logging in as root on the remote machine. |
| |
IPv6 addresses can be specified with an alternative syntax: |
| |
.Ar port/host/hostport |
| .It Fl 1 |
.It Fl 1 |
| Forces |
Forces |
| .Nm |
.Nm |
|
|
| .Dq yes |
.Dq yes |
| or |
or |
| .Dq no . |
.Dq no . |
| |
This option applies to protocol version 1 only. |
| .It Cm BatchMode |
.It Cm BatchMode |
| If set to |
If set to |
| .Dq yes , |
.Dq yes , |
|
|
| .Dq yes |
.Dq yes |
| or |
or |
| .Dq no . |
.Dq no . |
| |
The default is |
| |
.Dq no . |
| .It Cm CheckHostIP |
.It Cm CheckHostIP |
| If this flag is set to |
If this flag is set to |
| .Dq yes , |
.Dq yes , |
| ssh will additionally check the host ip address in the |
ssh will additionally check the host IP address in the |
| .Pa known_hosts |
.Pa known_hosts |
| file. |
file. |
| This allows ssh to detect if a host key changed due to DNS spoofing. |
This allows ssh to detect if a host key changed due to DNS spoofing. |
| If the option is set to |
If the option is set to |
| .Dq no , |
.Dq no , |
| the check will not be executed. |
the check will not be executed. |
| |
The default is |
| |
.Dq yes . |
| .It Cm Cipher |
.It Cm Cipher |
| Specifies the cipher to use for encrypting the session |
Specifies the cipher to use for encrypting the session |
| in protocol version 1. |
in protocol version 1. |
|
|
| .Pp |
.Pp |
| .Bd -literal |
.Bd -literal |
| ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
| aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc, |
aes192-cbc,aes256-cbc'' |
| rijndael256-cbc,rijndael-cbc@lysator.liu.se'' |
|
| .Ed |
.Ed |
| .It Cm Compression |
.It Cm Compression |
| Specifies whether to use compression. |
Specifies whether to use compression. |
|
|
| .Dq yes |
.Dq yes |
| or |
or |
| .Dq no . |
.Dq no . |
| |
The default is |
| |
.Dq no . |
| .It Cm CompressionLevel |
.It Cm CompressionLevel |
| Specifies the compression level to use if compression is enable. |
Specifies the compression level to use if compression is enabled. |
| The argument must be an integer from 1 (fast) to 9 (slow, best). |
The argument must be an integer from 1 (fast) to 9 (slow, best). |
| The default level is 6, which is good for most applications. |
The default level is 6, which is good for most applications. |
| The meaning of the values is the same as in |
The meaning of the values is the same as in |
| .Xr gzip 1 . |
.Xr gzip 1 . |
| |
Note that this option applies to protocol version 1 only. |
| .It Cm ConnectionAttempts |
.It Cm ConnectionAttempts |
| Specifies the number of tries (one per second) to make before falling |
Specifies the number of tries (one per second) to make before falling |
| back to rsh or exiting. |
back to rsh or exiting. |
| The argument must be an integer. |
The argument must be an integer. |
| This may be useful in scripts if the connection sometimes fails. |
This may be useful in scripts if the connection sometimes fails. |
| .It Cm PubkeyAuthentication |
The default is 4. |
| Specifies whether to try public key authentication. |
|
| The argument to this keyword must be |
|
| .Dq yes |
|
| or |
|
| .Dq no . |
|
| Note that this option applies to protocol version 2 only. |
|
| .It Cm EscapeChar |
.It Cm EscapeChar |
| Sets the escape character (default: |
Sets the escape character (default: |
| .Ql ~ ) . |
.Ql ~ ) . |
|
|
| .Dq yes |
.Dq yes |
| or |
or |
| .Dq no . |
.Dq no . |
| |
The default is |
| |
.Dq no . |
| .It Cm ForwardAgent |
.It Cm ForwardAgent |
| Specifies whether the connection to the authentication agent (if any) |
Specifies whether the connection to the authentication agent (if any) |
| will be forwarded to the remote machine. |
will be forwarded to the remote machine. |
|
|
| Specifies a file to use for the protocol version 2 global |
Specifies a file to use for the protocol version 2 global |
| host key database instead of |
host key database instead of |
| .Pa /etc/ssh_known_hosts2 . |
.Pa /etc/ssh_known_hosts2 . |
| |
.It Cm HostbasedAuthentication |
| |
Specifies whether to try rhosts based authentication with public key |
| |
authentication. |
| |
The argument must be |
| |
.Dq yes |
| |
or |
| |
.Dq no . |
| |
The default is |
| |
.Dq yes . |
| |
This option applies to protocol version 2 only and |
| |
is similar to |
| |
.Cm RhostsRSAAuthentication . |
| |
.It Cm HostKeyAlgorithms |
| |
Specfies the protocol version 2 host key algorithms |
| |
that the client wants to use in order of preference. |
| |
The default for this option is: |
| |
.Dq ssh-rsa,ssh-dss |
| .It Cm HostKeyAlias |
.It Cm HostKeyAlias |
| Specifies an alias that should be used instead of the |
Specifies an alias that should be used instead of the |
| real host name when looking up or saving the host key |
real host name when looking up or saving the host key |
| in the known_hosts files. |
in the host key database files. |
| This option is useful for tunneling ssh connections |
This option is useful for tunneling ssh connections |
| or if you have multiple servers running on a single host. |
or if you have multiple servers running on a single host. |
| .It Cm HostName |
.It Cm HostName |
|
|
| .Cm HostName |
.Cm HostName |
| specifications). |
specifications). |
| .It Cm IdentityFile |
.It Cm IdentityFile |
| Specifies the file from which the user's RSA authentication identity |
Specifies the file from which the user's RSA or DSA authentication identity |
| is read (default |
is read (default |
| .Pa $HOME/.ssh/identity |
.Pa $HOME/.ssh/identity |
| in the user's home directory). |
in the user's home directory). |
|
|
| .Dq yes |
.Dq yes |
| or |
or |
| .Dq no . |
.Dq no . |
| Note that this option applies to both protocol version 1 and 2. |
The default is |
| |
.Dq yes . |
| .It Cm Port |
.It Cm Port |
| Specifies the port number to connect on the remote host. |
Specifies the port number to connect on the remote host. |
| Default is 22. |
Default is 22. |
|
|
| .Dq 2 . |
.Dq 2 . |
| Multiple versions must be comma-separated. |
Multiple versions must be comma-separated. |
| The default is |
The default is |
| .Dq 1,2 . |
.Dq 2,1 . |
| This means that |
This means that |
| .Nm |
.Nm |
| tries version 1 and falls back to version 2 |
tries version 2 and falls back to version 1 |
| if version 1 is not available. |
if version 2 is not available. |
| .It Cm ProxyCommand |
.It Cm ProxyCommand |
| Specifies the command to use to connect to the server. |
Specifies the command to use to connect to the server. |
| The command |
The command |
|
|
| .Cm CheckHostIP |
.Cm CheckHostIP |
| is not available for connects with a proxy command. |
is not available for connects with a proxy command. |
| .Pp |
.Pp |
| |
.It Cm PubkeyAuthentication |
| |
Specifies whether to try public key authentication. |
| |
The argument to this keyword must be |
| |
.Dq yes |
| |
or |
| |
.Dq no . |
| |
The default is |
| |
.Dq yes . |
| |
This option applies to protocol version 2 only. |
| .It Cm RemoteForward |
.It Cm RemoteForward |
| Specifies that a TCP/IP port on the remote machine be forwarded over |
Specifies that a TCP/IP port on the remote machine be forwarded over |
| the secure channel to given host:port from the local machine. |
the secure channel to given host:port from the local machine. |
|
|
| authentication time on slow connections when rhosts authentication is |
authentication time on slow connections when rhosts authentication is |
| not used. |
not used. |
| Most servers do not permit RhostsAuthentication because it |
Most servers do not permit RhostsAuthentication because it |
| is not secure (see RhostsRSAAuthentication). |
is not secure (see |
| |
.Cm RhostsRSAAuthentication ). |
| The argument to this keyword must be |
The argument to this keyword must be |
| .Dq yes |
.Dq yes |
| or |
or |
| .Dq no . |
.Dq no . |
| |
The default is |
| |
.Dq yes . |
| |
This option applies to protocol version 1 only. |
| .It Cm RhostsRSAAuthentication |
.It Cm RhostsRSAAuthentication |
| Specifies whether to try rhosts based authentication with RSA host |
Specifies whether to try rhosts based authentication with RSA host |
| authentication. |
authentication. |
| This is the primary authentication method for most sites. |
|
| The argument must be |
The argument must be |
| .Dq yes |
.Dq yes |
| or |
or |
| .Dq no . |
.Dq no . |
| |
The default is |
| |
.Dq yes . |
| |
This option applies to protocol version 1 only. |
| .It Cm RSAAuthentication |
.It Cm RSAAuthentication |
| Specifies whether to try RSA authentication. |
Specifies whether to try RSA authentication. |
| The argument to this keyword must be |
The argument to this keyword must be |
|
|
| RSA authentication will only be |
RSA authentication will only be |
| attempted if the identity file exists, or an authentication agent is |
attempted if the identity file exists, or an authentication agent is |
| running. |
running. |
| |
The default is |
| |
.Dq yes . |
| Note that this option applies to protocol version 1 only. |
Note that this option applies to protocol version 1 only. |
| .It Cm ChallengeResponseAuthentication |
.It Cm ChallengeResponseAuthentication |
| Specifies whether to use challenge response authentication. |
Specifies whether to use challenge response authentication. |
|
|
| .Dq no . |
.Dq no . |
| The default is |
The default is |
| .Dq no . |
.Dq no . |
| Note that setting this option to |
Note that you need to set this option to |
| .Dq no |
.Dq yes |
| turns off |
if you want to use |
| .Cm RhostsAuthentication |
.Cm RhostsAuthentication |
| and |
and |
| .Cm RhostsRSAAuthentication |
.Cm RhostsRSAAuthentication |
| for older servers. |
with older servers. |
| .It Cm User |
.It Cm User |
| Specifies the user to log in as. |
Specifies the user to log in as. |
| This can be useful if you have a different user name on different machines. |
This can be useful if you have a different user name on different machines. |
|
|
| .Nm |
.Nm |
| uses this special value to forward X11 connections over the secure |
uses this special value to forward X11 connections over the secure |
| channel. |
channel. |
| The user should normally not set DISPLAY explicitly, as that |
The user should normally not set |
| |
.Ev DISPLAY |
| |
explicitly, as that |
| will render the X11 connection insecure (and will require the user to |
will render the X11 connection insecure (and will require the user to |
| manually copy any required authorization cookies). |
manually copy any required authorization cookies). |
| .It Ev HOME |
.It Ev HOME |
|
|
| for protocol version 2). |
for protocol version 2). |
| See |
See |
| .Xr sshd 8 . |
.Xr sshd 8 . |
| .It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa |
.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa |
| Contains the RSA and the DSA authentication identity of the user. |
Contains the authentication identity of the user. |
| |
They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. |
| These files |
These files |
| contain sensitive data and should be readable by the user but not |
contain sensitive data and should be readable by the user but not |
| accessible by others (read/write/execute). |
accessible by others (read/write/execute). |
|
|
| It is possible to specify a passphrase when |
It is possible to specify a passphrase when |
| generating the key; the passphrase will be used to encrypt the |
generating the key; the passphrase will be used to encrypt the |
| sensitive part of this file using 3DES. |
sensitive part of this file using 3DES. |
| .It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub |
.It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub |
| Contains the public key for authentication (public part of the |
Contains the public key for authentication (public part of the |
| identity file in human-readable form). |
identity file in human-readable form). |
| The contents of the |
The contents of the |
|
|
| file should be added to |
file should be added to |
| .Pa $HOME/.ssh/authorized_keys |
.Pa $HOME/.ssh/authorized_keys |
| on all machines |
on all machines |
| where you wish to log in using RSA authentication. |
where you wish to log in using protocol version 1 RSA authentication. |
| The contents of the |
The contents of the |
| .Pa $HOME/.ssh/id_dsa.pub |
.Pa $HOME/.ssh/id_dsa.pub |
| |
and |
| |
.Pa $HOME/.ssh/id_rsa.pub |
| file should be added to |
file should be added to |
| .Pa $HOME/.ssh/authorized_keys2 |
.Pa $HOME/.ssh/authorized_keys2 |
| on all machines |
on all machines |
| where you wish to log in using DSA authentication. |
where you wish to log in using protocol version 2 DSA/RSA authentication. |
| These files are not |
These files are not |
| sensitive and can (but need not) be readable by anyone. |
sensitive and can (but need not) be readable by anyone. |
| These files are |
These files are |
|
|
| This file is not highly sensitive, but the recommended |
This file is not highly sensitive, but the recommended |
| permissions are read/write for the user, and not accessible by others. |
permissions are read/write for the user, and not accessible by others. |
| .It Pa $HOME/.ssh/authorized_keys2 |
.It Pa $HOME/.ssh/authorized_keys2 |
| Lists the public keys (DSA/RSA) that can be used for logging in as this user. |
Lists the public keys (RSA/DSA) that can be used for logging in as this user. |
| This file is not highly sensitive, but the recommended |
This file is not highly sensitive, but the recommended |
| permissions are read/write for the user, and not accessible by others. |
permissions are read/write for the user, and not accessible by others. |
| .It Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2 |
.It Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2 |
|
|
| .Pa /etc/ssh_known_hosts |
.Pa /etc/ssh_known_hosts |
| contains RSA and |
contains RSA and |
| .Pa /etc/ssh_known_hosts2 |
.Pa /etc/ssh_known_hosts2 |
| contains DSA or RSA keys for protocol version 2. |
contains RSA or DSA keys for protocol version 2. |
| These files should be prepared by the |
These files should be prepared by the |
| system administrator to contain the public host keys of all machines in the |
system administrator to contain the public host keys of all machines in the |
| organization. |
organization. |
|
|
| .Xr ssh-keygen 1 , |
.Xr ssh-keygen 1 , |
| .Xr telnet 1 , |
.Xr telnet 1 , |
| .Xr sshd 8 |
.Xr sshd 8 |
| |
.Rs |
| |
.%A T. Ylonen |
| |
.%A T. Kivinen |
| |
.%A M. Saarinen |
| |
.%A T. Rinne |
| |
.%A S. Lehtinen |
| |
.%T "SSH Protocol Architecture" |
| |
.%N draft-ietf-secsh-architecture-07.txt |
| |
.%D January 2001 |
| |
.%O work in progress material |
| |
.Re |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh