=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh.1,v retrieving revision 1.52.2.5 retrieving revision 1.53 diff -u -r1.52.2.5 -r1.53 --- src/usr.bin/ssh/ssh.1 2001/03/21 18:53:11 1.52.2.5 +++ src/usr.bin/ssh/ssh.1 2000/05/15 06:54:03 1.53 
@@ -1,46 +1,22 @@ .\" -*- nroff -*- .\" +.\" ssh.1.in +.\" .\" Author: Tatu Ylonen +.\" .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland .\" All rights reserved .\" -.\" As far as I am concerned, the code I have written for this software -.\" can be used freely for any purpose. Any derived versions of this -.\" software must be clearly marked as such, and if the derived work is -.\" incompatible with the protocol description in the RFC file, it must be -.\" called by a name other than "ssh" or "Secure Shell". +.\" Created: Sat Apr 22 21:55:14 1995 ylo .\" -.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. -.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. -.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. +.\" $Id: ssh.1,v 1.53 2000/05/15 06:54:03 markus Exp $ .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.\" $OpenBSD: ssh.1,v 1.52.2.5 2001/03/21 18:53:11 jason Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os .Sh NAME .Nm ssh -.Nd OpenSSH SSH client (remote login program) +.Nd OpenSSH secure shell client (remote login program) .Sh SYNOPSIS .Nm ssh .Op Fl l Ar login_name @@ -48,12 +24,11 @@ .Op Ar command .Pp .Nm ssh -.Op Fl afgknqstvxACNPTX1246 +.Op Fl afgknqtvxCNPTX246 .Op Fl c Ar cipher_spec .Op Fl e Ar escape_char .Op Fl i Ar identity_file .Op Fl l Ar login_name -.Op Fl m Ar mac_spec .Op Fl o Ar option .Op Fl p Ar port .Oo Fl L Xo @@ -76,7 +51,7 @@ .Op Ar command .Sh DESCRIPTION .Nm -(SSH client) is a program for logging into a remote machine and for +(Secure Shell) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between @@ -210,9 +185,9 @@ If this method fails password authentication is tried. .Pp The public key method is similar to RSA authentication described -in the previous section except that the DSA or RSA algorithm is used -instead. -The client uses his private key +in the previous section except that the DSA algorithm is used +instead of the patented RSA algorithm. +The client uses his private DSA key .Pa $HOME/.ssh/id_dsa to sign the session identifier and sends the result to the server. The server checks whether the matching public key is listed in 
@@ -228,7 +203,7 @@ .Pp Protocol 2 provides additional mechanisms for confidentiality (the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) -and integrity (hmac-md5, hmac-sha1). +and integrity (hmac-sha1, hmac-md5). Note that protocol 1 lacks a strong mechanism for ensuring the integrity of the connection. .Pp @@ -273,8 +248,8 @@ .Dq none will also make the session transparent even if a tty is used. .Pp -The session terminates when the command or shell on the remote -machine exits and all X11 and TCP/IP connections have been closed. +The session terminates when the command or shell in on the remote +machine exists and all X11 and TCP/IP connections have been closed. The exit status of the remote program is returned as the exit status of .Nm ssh . @@ -322,7 +297,7 @@ Forwarding of arbitrary TCP/IP connections over the secure channel can be specified either on command line or in a configuration file. One possible application of TCP/IP forwarding is a secure connection to an -electronic purse; another is going through firewalls. +electronic purse; another is going trough firewalls. .Pp .Ss Server authentication .Pp @@ -332,7 +307,7 @@ RSA host keys are stored in .Pa $HOME/.ssh/known_hosts and -host keys used in the protocol version 2 are stored in +DSA host keys are stored in .Pa $HOME/.ssh/known_hosts2 in the user's home directory. Additionally, the files @@ -353,14 +328,11 @@ .Cm StrictHostKeyChecking option (see below) can be used to prevent logins to machines whose host key is not known or has changed. -.Pp -The options are as follows: +.Sh OPTIONS .Bl -tag -width Ds .It Fl a Disables forwarding of the authentication agent connection. -.It Fl A -Enables forwarding of the authentication agent connection. -This can also be specified on a per-host basis in a configuration file. +This may also be specified on a per-host basis in the configuration file. .It Fl c Ar blowfish|3des Selects the cipher to use for encrypting the session. .Ar 3des 
@@ -370,17 +342,15 @@ (triple-des) is an encrypt-decrypt-encrypt triple with three different keys. It is presumably more secure than the .Ar des -cipher which is no longer fully supported in +cipher which is no longer supported in .Nm ssh . .Ar blowfish is a fast block cipher, it appears very secure and is much faster than .Ar 3des . -.It Fl c Ar cipher_spec +.It Fl c Ar "3des-cbc,blowfish-cbc,arcfour,cast128-cbc" Additionally, for protocol version 2 a comma-separated list of ciphers can -be specified in order of preference. -See -.Cm Ciphers -for more information. +be specified in order of preference. Protocol version 2 supports +3DES, Blowfish and CAST128 in CBC mode and Arcfour. .It Fl e Ar ch|^ch|none Sets the escape character for sessions with a pty (default: .Ql ~ ) . @@ -410,7 +380,7 @@ Allows remote hosts to connect to local forwarded ports. .It Fl i Ar identity_file Selects the file from which the identity (private key) for -RSA or DSA authentication is read. +RSA authentication is read. Default is .Pa $HOME/.ssh/identity in the user's home directory. @@ -426,13 +396,6 @@ .It Fl l Ar login_name Specifies the user to log in as on the remote machine. This also may be specified on a per-host basis in the configuration file. -.It Fl m Ar mac_spec -Additionally, for protocol version 2 a comma-separated list of MAC -(message authentication code) algorithms can -be specified in order of preference. -See the -.Cm MACs -keyword for more information. .It Fl n Redirects stdin from .Pa /dev/null @@ -455,7 +418,7 @@ option.) .It Fl N Do not execute a remote command. -This is useful if you just want to forward ports +This is usefull if you just want to forward ports (protocol version 2 only). .It Fl o Ar option Can be used to give options in the format used in the config file. 
@@ -473,28 +436,18 @@ Note that this option turns off .Cm RhostsAuthentication and -.Cm RhostsRSAAuthentication -for older servers. +.Cm RhostsRSAAuthentication . .It Fl q Quiet mode. Causes all warning and diagnostic messages to be suppressed. Only fatal errors are displayed. -.It Fl s -May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use -of SSH as a secure transport for other application (eg. sftp). The -subsystem is specified as the remote command. .It Fl t Force pseudo-tty allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g., when implementing menu services. -Multiple -.Fl t -options force tty allocation, even if -.Nm -has no local tty. .It Fl T -Disable pseudo-tty allocation. +Disable pseudo-tty allocation (protocol version 2 only). .It Fl v Verbose mode. Causes @@ -502,15 +455,14 @@ to print debugging messages about its progress. This is helpful in debugging connection, authentication, and configuration problems. -Multiple -.Fl v -options increases the verbosity. -Maximum is 3. +The verbose mode is also used to display +.Xr skey 1 +challenges, if the user entered "s/key" as password. .It Fl x Disables X11 forwarding. +This can also be specified on a per-host basis in a configuration file. .It Fl X Enables X11 forwarding. -This can also be specified on a per-host basis in a configuration file. .It Fl C Requests compression of all data (including stdin, stdout, stderr, and data for forwarded X11 and TCP/IP connections). @@ -558,10 +510,6 @@ Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in as root on the remote machine. -.It Fl 1 -Forces -.Nm -to try protocol version 1 only. .It Fl 2 Forces .Nm 
@@ -651,10 +599,9 @@ .Dq no , the check will not be executed. .It Cm Cipher -Specifies the cipher to use for encrypting the session -in protocol version 1. +Specifies the cipher to use for encrypting the session. Currently, -.Dq blowfish +.Dq blowfish , and .Dq 3des are supported. @@ -665,12 +612,7 @@ in order of preference. Multiple ciphers must be comma-separated. The default is -.Pp -.Bd -literal - ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, - aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc, - rijndael256-cbc,rijndael-cbc@lysator.liu.se'' -.Ed +.Dq 3des-cbc,blowfish-cbc,arcfour,cast128-cbc . .It Cm Compression Specifies whether to use compression. The argument must be @@ -688,12 +630,14 @@ back to rsh or exiting. The argument must be an integer. This may be useful in scripts if the connection sometimes fails. -.It Cm PubkeyAuthentication -Specifies whether to try public key authentication. +.It Cm DSAAuthentication +Specifies whether to try DSA authentication. The argument to this keyword must be .Dq yes or .Dq no . +DSA authentication will only be +attempted if a DSA identity file exists. Note that this option applies to protocol version 2 only. .It Cm EscapeChar Sets the escape character (default: @@ -727,8 +671,6 @@ .Dq yes or .Dq no . -The default is -.Dq no . .It Cm ForwardX11 Specifies whether X11 connections will be automatically redirected over the secure channel and 
@@ -750,19 +692,8 @@ The default is .Dq no . .It Cm GlobalKnownHostsFile -Specifies a file to use for the protocol version 1 global -host key database instead of +Specifies a file to use instead of .Pa /etc/ssh_known_hosts . -.It Cm GlobalKnownHostsFile2 -Specifies a file to use for the protocol version 2 global -host key database instead of -.Pa /etc/ssh_known_hosts2 . -.It Cm HostKeyAlias -Specifies an alias that should be used instead of the -real host name when looking up or saving the host key -in the known_hosts files. -This option is useful for tunneling ssh connections -or if you have multiple servers running on a single host. .It Cm HostName Specifies the real host name to log into. This can be used to specify nicknames or abbreviations for hosts. @@ -782,6 +713,16 @@ It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence. +.It Cm IdentityFile2 +Specifies the file from which the user's DSA authentication identity +is read (default +.Pa $HOME/.ssh/id_dsa +in the user's home directory). +The file name may use the tilde +syntax to refer to a user's home directory. +It is possible to have +multiple identity files specified in configuration files; all these +identities will be tried in sequence. .It Cm KeepAlive Specifies whether the system should send keepalive messages to the other side. @@ -827,18 +768,6 @@ The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG. The default is INFO. -.It Cm MACs -Specifies the MAC (message authentication code) algorithms -in order of preference. -The MAC algorithm is used in protocol version 2 -for data integrity protection. -Multiple algorithms must be comma-separated. -The default is -.Pp -.Bd -literal - ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com, - hmac-sha1-96,hmac-md5-96'' -.Ed .It Cm NumberOfPasswordPrompts Specifies the number of password prompts before giving up. The argument to this keyword must be an integer. 
@@ -853,14 +782,6 @@ .It Cm Port Specifies the port number to connect on the remote host. Default is 22. -.It Cm PreferredAuthentications -Specifies the order in which the client should try protocol 2 -authentication methods. This allows a client to prefer one method (e.g. -.Cm keyboard-interactive ) -over another method (e.g. -.Cm password ) -The default for this option is: -.Dq publickey, password, keyboard-interactive .It Cm Protocol Specifies the protocol versions .Nm @@ -941,9 +862,8 @@ attempted if the identity file exists, or an authentication agent is running. Note that this option applies to protocol version 1 only. -.It Cm ChallengeResponseAuthentication -Specifies whether to use challenge response authentication. -Currently there is only support for +.It Cm SkeyAuthentication +Specifies whether to use .Xr skey 1 authentication. The argument to this keyword must be 
@@ -956,41 +876,28 @@ If this flag is set to .Dq yes , .Nm -will never automatically add host keys to the +ssh will never automatically add host keys to the .Pa $HOME/.ssh/known_hosts and .Pa $HOME/.ssh/known_hosts2 -files, and refuses to connect to hosts whose host key has changed. +files, and refuses to connect hosts whose host key has changed. This provides maximum protection against trojan horse attacks. However, it can be somewhat annoying if you don't have good .Pa /etc/ssh_known_hosts and .Pa /etc/ssh_known_hosts2 files installed and frequently -connect to new hosts. -This option forces the user to manually -add all new hosts. -If this flag is set to -.Dq no , -.Nm -will automatically add new host keys to the -user known hosts files. -If this flag is set to -.Dq ask , -new host keys -will be added to the user known host files only after the user -has confirmed that is what they really want to do, and -.Nm -will refuse to connect to hosts whose host key has changed. +connect new hosts. +Basically this option forces the user to manually +add any new hosts. +Normally this option is disabled, and new hosts +will automatically be added to the known host files. The host keys of -known hosts will be verified automatically in all cases. +known hosts will be verified automatically in either case. The argument must be -.Dq yes , -.Dq no +.Dq yes or -.Dq ask . -The default is -.Dq ask . +.Dq no . .It Cm UsePrivilegedPort Specifies whether to use a privileged port for outgoing connections. The argument must be 
@@ -998,27 +905,21 @@ or .Dq no . The default is -.Dq no . +.Dq yes . Note that setting this option to .Dq no turns off .Cm RhostsAuthentication and -.Cm RhostsRSAAuthentication -for older servers. +.Cm RhostsRSAAuthentication . .It Cm User Specifies the user to log in as. This can be useful if you have a different user name on different machines. This saves the trouble of having to remember to give the user name on the command line. .It Cm UserKnownHostsFile -Specifies a file to use for the protocol version 1 user -host key database instead of +Specifies a file to use instead of .Pa $HOME/.ssh/known_hosts . -.It Cm UserKnownHostsFile2 -Specifies a file to use for the protocol version 2 user -host key database instead of -.Pa $HOME/.ssh/known_hosts2 . .It Cm UseRsh Specifies that rlogin/rsh should be used for this host. It is possible that the host does not at all support the @@ -1035,13 +936,6 @@ .Dq yes or .Dq no . -.It Cm XAuthLocation -Specifies the location of the -.Xr xauth 1 -program. -The default is -.Pa /usr/X11R6/bin/xauth . -.El .Sh ENVIRONMENT .Nm will normally set the following environment variables: @@ -1083,10 +977,6 @@ The variable contains three space-separated values: client ip-address, client port number, and server port number. -.It Ev SSH_ORIGINAL_COMMAND -The variable contains the original command line if a forced command -is executed. -It can be used to extract the original arguments. .It Ev SSH_TTY This is set to the name of the tty (path to the device) associated with the current shell or command. @@ -1094,7 +984,7 @@ this variable is not set. .It Ev TZ The timezone variable is set to indicate the present timezone if it -was set when the daemon was started (i.e., the daemon passes the value +was set when the daemon was started (e.i., the daemon passes the value on to new connections). .It Ev USER Set to the name of the user logging in. 
@@ -1109,13 +999,10 @@ to the environment. .Sh FILES .Bl -tag -width Ds -.It Pa $HOME/.ssh/known_hosts, $HOME/.ssh/known_hosts2 +.It Pa $HOME/.ssh/known_hosts Records host keys for all hosts the user has logged into (that are not in -.Pa /etc/ssh_known_hosts -for protocol version 1 or -.Pa /etc/ssh_known_hosts2 -for protocol version 2). +.Pa /etc/ssh_known_hosts ) . See .Xr sshd 8 . .It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa @@ -1147,7 +1034,7 @@ These files are not sensitive and can (but need not) be readable by anyone. These files are -never used automatically and are not necessary; they are only provided for +never used automatically and are not necessary; they is only provided for the convenience of the user. .It Pa $HOME/.ssh/config This is the per-user configuration file. @@ -1170,7 +1057,7 @@ This file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others. .It Pa $HOME/.ssh/authorized_keys2 -Lists the public keys (DSA/RSA) that can be used for logging in as this user. +Lists the DSA keys that can be used for logging in as this user. This file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others. .It Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2 @@ -1178,7 +1065,7 @@ .Pa /etc/ssh_known_hosts contains RSA and .Pa /etc/ssh_known_hosts2 -contains DSA or RSA keys for protocol version 2. +contains DSA keys. These files should be prepared by the system administrator to contain the public host keys of all machines in the organization. @@ -1217,7 +1104,7 @@ Each line of the file contains a host name (in the canonical form returned by name servers), and then a user name on that host, separated by a space. -On some machines this file may need to be +One some machines this file may need to be world-readable if the user's home directory is on a NFS partition, because .Xr sshd 8 
@@ -1289,23 +1176,52 @@ Contains additional definitions for environment variables, see section .Sx ENVIRONMENT above. +.It Pa libcrypto.so.X.1 +A version of this library which includes support for the RSA algorithm +is required for proper operation. +.Sh AUTHOR +OpenSSH +is a derivative of the original (free) ssh 1.2.12 release by Tatu Ylonen, +but with bugs removed and newer features re-added. +Rapidly after the +1.2.12 release, newer versions of the original ssh bore successively +more restrictive licenses, and thus demand for a free version was born. +.Pp +This version of OpenSSH +.Bl -bullet +.It +has all components of a restrictive nature (i.e., patents, see +.Xr ssl 8 ) +directly removed from the source code; any licensed or patented components +are chosen from +external libraries. +.It +has been updated to support SSH protocol 1.5 and 2, making it compatible with +all other SSH clients and servers. +.It +contains added support for +.Xr kerberos 8 +authentication and ticket passing. +.It +supports one-time password authentication with +.Xr skey 1 . .El -.Sh AUTHORS -OpenSSH is a derivative of the original and free -ssh 1.2.12 release by Tatu Ylonen. -Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, -Theo de Raadt and Dug Song -removed many bugs, re-added newer features and -created OpenSSH. -Markus Friedl contributed the support for SSH -protocol versions 1.5 and 2.0. +.Pp +The libraries described in +.Xr ssl 8 +are required for proper operation. +.Pp +OpenSSH has been created by Aaron Campbell, Bob Beck, Markus Friedl, +Niels Provos, Theo de Raadt, and Dug Song. +.Pp +The support for SSH protocol 2 was written by Markus Friedl. .Sh SEE ALSO .Xr rlogin 1 , .Xr rsh 1 , .Xr scp 1 , -.Xr sftp 1 , .Xr ssh-add 1 , .Xr ssh-agent 1 , .Xr ssh-keygen 1 , .Xr telnet 1 , -.Xr sshd 8 +.Xr sshd 8 , +.Xr ssl 8
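Review bot: the direction of this diff needs checking before anything is applied: the header diffs revision 1.52.2.5 (2001/03/21) against 1.53 (2000/05/15), so the + lines are the older text, and the -1,46 hunk strips the BSD license terms and the 1999/2000 copyright lines of Markus Friedl, Aaron Campbell and Theo de Raadt, leaving only the 1995 Tatu Ylonen notice and a "Created:" line. A documentation revert should not touch the license header; keep the current copyright and license block.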
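Review bot: the -48,12 SYNOPSIS hunk drops -s, -A, -1 and -m mac_spec from the option string and option list. Each removal does have a matching removal in OPTIONS (the -353, -426, -473 and -558 hunks), but in the -353 hunk the sentence "This may also be specified on a per-host basis in the configuration file" that belonged to -A is reattached to -a (disable), which is only accurate if the configuration keyword accepts both values; check the keyword text elsewhere in the file says so.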
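Review bot: the -210,9 hunk narrows protocol 2 public key authentication to "the DSA algorithm ... instead of the patented RSA algorithm" and "private DSA key". A patent status in a man page ages badly and mixes a legal reason into a protocol description; state only which key types the client tries. The same narrowing recurs in the -332, -410, -1170 and -1178 hunks (known_hosts2, -i, authorized_keys2 and /etc/ssh_known_hosts2 all become DSA-only), so if RSA keys are still accepted under protocol 2, all five hunks need the - wording back.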
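Review bot: the -273,8 hunk introduces two errors in the session-termination sentence: "the command or shell in on the remote machine exists" should read "the command or shell on the remote machine exits", as the - lines have it.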
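Review bot: the -322,7 hunk changes "going through firewalls" to "going trough firewalls"; keep the - line.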
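Review bot: the -370,17 hunk leaves two consecutive ".It Fl c" entries and changes the second one's argument from the placeholder cipher_spec to the literal list "3des-cbc,blowfish-cbc,arcfour,cast128-cbc", which will render as if that exact list were the required argument syntax. Keep ".Ar cipher_spec" and the "See .Cm Ciphers" cross reference so the supported list is documented in one place; the added sentence "Protocol version 2 supports 3DES, Blowfish and CAST128 in CBC mode and Arcfour" duplicates the Ciphers keyword. The hunk also changes des from "no longer fully supported" to "no longer supported", which is a behaviour claim that must match the code.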
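Review bot: the -455,7 hunk changes "useful" to "usefull" in the -N description; keep the - line.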
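Review bot: the -473,28 hunk silently removes documented behaviour: the paragraph stating that multiple -t options force tty allocation even when ssh has no local tty. If the code still honours repeated -t, that text must stay. Dropping -s (subsystems) is consistent with removing ".Xr sftp 1" from SEE ALSO in the last hunk, and "(protocol version 2 only)" added to -T is a behaviour claim that should be confirmed against the code.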
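Review bot: in the -502,15 hunk the note that multiple -v options increase verbosity up to a maximum of 3 is replaced by a statement that verbose mode displays skey challenges when the user enters "s/key" as the password. The skey behaviour belongs with the SkeyAuthentication keyword introduced in the -941 hunk, not under -v, and the verbosity-levels sentence documents user-visible behaviour and should be kept. The same hunk moves "This can also be specified on a per-host basis in a configuration file" from -X to -x; say explicitly that the keyword takes both values if that is the intent.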
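Review bot: the -558,10 hunk removes -1 but keeps -2, so there is no command line way left to force protocol version 1; the only remaining control is the Protocol keyword, still visible as context in the -853 hunk. If dropping -1 is intended, the -2 entry and the Protocol keyword text should say that the keyword is the way to pin version 1.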
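Review bot: the -651,10 hunk changes ".Dq blowfish" to ".Dq blowfish ," which renders as "blowfish, and 3des are supported", a stray comma in a two-item list. It also drops "in protocol version 1" from the Cipher keyword, which is the only thing distinguishing Cipher from the protocol 2 Ciphers keyword that follows it. Keep both - lines.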
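Review bot: the -665,12 hunk replaces the documented Ciphers default (the literal block beginning with aes128-cbc and including the aes192-cbc, aes256-cbc and rijndael entries) with "3des-cbc,blowfish-cbc,arcfour,cast128-cbc". That removes every AES entry from the default and puts 3des-cbc first. A change to the default cipher list is a security-relevant behaviour change, not a documentation fix; it should land only with the matching code change and a commit message that says so.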
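Review bot: the -688,12 hunk renames PubkeyAuthentication to DSAAuthentication and adds "DSA authentication will only be attempted if a DSA identity file exists". The RSAAuthentication text visible as context in the -941 hunk says RSA is attempted "if the identity file exists, or an authentication agent is running"; if agent-held DSA keys are also usable the new sentence is wrong, and if they are not, the difference is worth stating explicitly. Renaming the keyword also breaks existing config files that use the old name, which the commit message should mention.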
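Review bot: the -727,8 hunk deletes "The default is .Dq no ." from the yes/no keyword immediately preceding ForwardX11, leaving that keyword without a documented default while its neighbours keep theirs. Every boolean keyword should state its default, especially one that controls forwarding.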
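Review bot: the -750,19 hunk removes GlobalKnownHostsFile2 and HostKeyAlias, and the -998,27 hunk removes UserKnownHostsFile2, yet /etc/ssh_known_hosts2 and $HOME/.ssh/known_hosts2 are still referenced by the StrictHostKeyChecking text (-956 hunk) and by the FILES entries in the -1170 and -1178 hunks. After this change there is no documented way to point the protocol 2 host key databases at a different file, and removing HostKeyAlias drops the only documented way to keep separate host keys for tunnelled connections or multiple servers on one host. Either keep these keywords or remove the known_hosts2 references consistently.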
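Review bot: the IdentityFile2 entry added in the -782,6 hunk repeats the IdentityFile text almost verbatim (tilde syntax, multiple files tried in sequence). Prefer a one-line cross reference such as "Like .Cm IdentityFile , but for the DSA identity (default .Pa $HOME/.ssh/id_dsa )" so the two copies cannot drift apart.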
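Review bot: the -827,18 hunk removes the MACs keyword and the -426,13 hunk removes the matching -m mac_spec option, so the protocol 2 integrity algorithm is no longer documented as configurable at all. The -228 hunk at the same time reorders the integrity list to "hmac-sha1, hmac-md5". If the MAC preference is genuinely fixed in the code, the DESCRIPTION should say which algorithm is actually negotiated; otherwise keep the keyword and the option.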
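Review bot: the -853,14 hunk deletes PreferredAuthentications together with its documented default order "publickey, password, keyboard-interactive". With it gone, nothing on the page tells a user how to make the client prefer a key over a password, and keyboard-interactive is no longer mentioned anywhere. If the keyword is really being removed, the commit message should say so; if not, the entry should stay.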
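Review bot: the -956,41 hunk has a rendering bug: the line after ".Nm" now reads "ssh will never automatically add host keys", so the output becomes "ssh ssh will never ..."; keep the - line "will never automatically add host keys to the". Two prepositions are also lost ("refuses to connect hosts" and "frequently connect new hosts" both need "to"). The substantive problem is that the hunk removes the ".Dq ask" value and "The default is .Dq ask ." and replaces them with "Normally this option is disabled, and new hosts will automatically be added to the known host files". That means the client records an unknown host key on first contact with no confirmation, which is exactly the trojan horse case the same paragraph warns about; the yes/no/ask text with ask as the default should stay.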
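Review bot: the -998,27 hunk flips the UsePrivilegedPort default from ".Dq no" to ".Dq yes" and drops "for older servers" from the note that setting it to no turns off RhostsAuthentication and RhostsRSAAuthentication. Changing the default to use a privileged source port is behaviour, not documentation, and needs the matching code change and a commit message explaining why.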
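Review bot: the -1035,13 hunk removes XAuthLocation together with the ".El" that follows it. Unless another ".El" closes the configuration keyword list somewhere outside this hunk, the ".Bl -tag" list is left open when ".Sh ENVIRONMENT" begins and the formatter will complain or mis-indent the rest of the page. Remove only the XAuthLocation lines and keep ".El".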
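Review bot: the -1083,10 hunk drops SSH_ORIGINAL_COMMAND from the ENVIRONMENT list. That entry is the only place the page documents how a forced command can see what the client actually requested ("It can be used to extract the original arguments"); if sshd still sets the variable, the entry must stay.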
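Review bot: the -1094,7 hunk changes "i.e." to "e.i." in the TZ entry; keep the - line.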
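Review bot: the -1109,13 hunk drops $HOME/.ssh/known_hosts2 from the FILES entry while the -1170 hunk keeps "/etc/ssh_known_hosts, /etc/ssh_known_hosts2" as an entry and the -956 hunk still says host keys are added to $HOME/.ssh/known_hosts2. Either list both user files here, as the - line does, or remove known_hosts2 everywhere.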
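Review bot: the -1147,7 hunk changes "they are only provided" to "they is only provided"; keep the - line.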
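Review bot: the -1217,7 hunk changes "On some machines" to "One some machines"; keep the - line.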
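Review bot: the -1289,23 hunk renames the section from AUTHORS to AUTHOR (the standard mdoc section name is AUTHORS, as the - line has it), adds a "libcrypto.so.X.1" FILES entry with "X" left unresolved, and states that a libcrypto with RSA support is required while the -210 hunk in the same diff says DSA is used "instead of the patented RSA algorithm"; the two statements should agree. The added bullet list also claims compatibility with "all other SSH clients and servers", which is not something a man page can promise; and dropping ".Xr sftp 1" from SEE ALSO matches the -s removal in the -473 hunk but should be called out in the commit message.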