author | Colin Watson <cjwatson@debian.org> | 2010-03-31 00:48:57 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2010-03-31 00:48:57 +0100 |
commit | d1a87e462e1db89f19cd960588d0c6b287cb5ccc (patch) | |
tree | f0d13e1687800f36a3c4322b94ac5230ad17bdbf /ssh.0 | |
parent | 964476f91b66c475d5b8fa1e8b28d39a97a1b56e (diff) | |
parent | 004a7fb9c6a00b13dc98f56599918a54a3506d10 (diff) |
merge 5.4p1
Diffstat (limited to 'ssh.0')
-rw-r--r-- | ssh.0 | 56 |
1 files changed, 34 insertions, 22 deletions
@@ -5,10 +5,10 @@ NAME | |||
5 | 5 | ||
6 | SYNOPSIS | 6 | SYNOPSIS |
7 | ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] | 7 | ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] |
8 | [-D [bind_address:]port] [-e escape_char] [-F configfile] | 8 | [-D [bind_address:]port] [-e escape_char] [-F configfile] [-I pkcs11] |
9 | [-i identity_file] [-L [bind_address:]port:host:hostport] | 9 | [-i identity_file] [-L [bind_address:]port:host:hostport] |
10 | [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] | 10 | [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] |
11 | [-R [bind_address:]port:host:hostport] [-S ctl_path] | 11 | [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port] |
12 | [-w local_tun[:remote_tun]] [user@]hostname [command] | 12 | [-w local_tun[:remote_tun]] [user@]hostname [command] |
13 | 13 | ||
14 | DESCRIPTION | 14 | DESCRIPTION |
@@ -42,7 +42,7 @@ DESCRIPTION | |||
42 | 42 | ||
43 | Agent forwarding should be enabled with caution. Users with the | 43 | Agent forwarding should be enabled with caution. Users with the |
44 | ability to bypass file permissions on the remote host (for the | 44 | ability to bypass file permissions on the remote host (for the |
45 | agent's Unix-domain socket) can access the local agent through | 45 | agent's UNIX-domain socket) can access the local agent through |
46 | the forwarded connection. An attacker cannot obtain key material | 46 | the forwarded connection. An attacker cannot obtain key material |
47 | from the agent, however they can perform operations on the keys | 47 | from the agent, however they can perform operations on the keys |
48 | that enable them to authenticate using the identities loaded into | 48 | that enable them to authenticate using the identities loaded into |
@@ -131,11 +131,9 @@ DESCRIPTION | |||
131 | 131 | ||
132 | -g Allows remote hosts to connect to local forwarded ports. | 132 | -g Allows remote hosts to connect to local forwarded ports. |
133 | 133 | ||
134 | -I smartcard_device | 134 | -I pkcs11 |
135 | Specify the device ssh should use to communicate with a smartcard | 135 | Specify the PKCS#11 shared library ssh should use to communicate |
136 | used for storing the user's private RSA key. This option is only | 136 | with a PKCS#11 token providing the user's private RSA key. |
137 | available if support for smartcard devices is compiled in (de- | ||
138 | fault is no support). | ||
139 | 137 | ||
140 | -i identity_file | 138 | -i identity_file |
141 | Selects a file from which the identity (private key) for RSA or | 139 | Selects a file from which the identity (private key) for RSA or |
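Review bot: The new -I text no longer says whether the option depends on build-time support, and the placeholder "pkcs11" does not tell the reader that the argument is a path to a shared library. The removed lines stated that smartcard support was off by default at compile time; if PKCS#11 support can still be disabled when building, that sentence should be carried over in updated form. Because the named library is loaded by ssh itself, one sentence saying it should come from a trusted location would also be worth adding.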
@@ -144,7 +142,9 @@ DESCRIPTION | |||
144 | tocol version 2. Identity files may also be specified on a per- | 142 | tocol version 2. Identity files may also be specified on a per- |
145 | host basis in the configuration file. It is possible to have | 143 | host basis in the configuration file. It is possible to have |
146 | multiple -i options (and multiple identities specified in config- | 144 | multiple -i options (and multiple identities specified in config- |
147 | uration files). | 145 | uration files). ssh will also try to load certificate informa- |
146 | tion from the filename obtained by appending -cert.pub to identi- | ||
147 | ty filenames. | ||
148 | 148 | ||
149 | -K Enables GSSAPI-based authentication and forwarding (delegation) | 149 | -K Enables GSSAPI-based authentication and forwarding (delegation) |
150 | of GSSAPI credentials to the server. | 150 | of GSSAPI credentials to the server. |
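Review bot: The sentence added to -i describes the -cert.pub lookup but does not say what a certificate is here or what happens when that file is missing. A cross-reference to the CERTIFICATES section of ssh-keygen(1), which the AUTHENTICATION hunk of this same change already cites, would fit at this point, together with a statement that an absent -cert.pub file is not an error, if that is the behaviour.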
@@ -252,6 +252,7 @@ DESCRIPTION | |||
252 | NumberOfPasswordPrompts | 252 | NumberOfPasswordPrompts |
253 | PasswordAuthentication | 253 | PasswordAuthentication |
254 | PermitLocalCommand | 254 | PermitLocalCommand |
255 | PKCS11Provider | ||
255 | Port | 256 | Port |
256 | PreferredAuthentications | 257 | PreferredAuthentications |
257 | Protocol | 258 | Protocol |
@@ -264,7 +265,6 @@ DESCRIPTION | |||
264 | SendEnv | 265 | SendEnv |
265 | ServerAliveInterval | 266 | ServerAliveInterval |
266 | ServerAliveCountMax | 267 | ServerAliveCountMax |
267 | SmartcardDevice | ||
268 | StrictHostKeyChecking | 268 | StrictHostKeyChecking |
269 | TCPKeepAlive | 269 | TCPKeepAlive |
270 | Tunnel | 270 | Tunnel |
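Review bot: SmartcardDevice disappears from the -o keyword list in this hunk with no pointer to its replacement. PKCS11Provider is added to the same list earlier in the diff, but nothing tells a user who has SmartcardDevice in an existing configuration what to change. A short note naming the replacement, here or in ssh_config(5), would cover it.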
@@ -332,6 +332,12 @@ DESCRIPTION | |||
332 | tion, and configuration problems. Multiple -v options increase | 332 | tion, and configuration problems. Multiple -v options increase |
333 | the verbosity. The maximum is 3. | 333 | the verbosity. The maximum is 3. |
334 | 334 | ||
335 | -W host:port | ||
336 | Requests that standard input and output on the client be forward- | ||
337 | ed to host on port over the secure channel. Implies -N, -T, | ||
338 | ExitOnForwardFailure and ClearAllForwardings and works with Pro- | ||
339 | tocol version 2 only. | ||
340 | |||
335 | -w local_tun[:remote_tun] | 341 | -w local_tun[:remote_tun] |
336 | Requests tunnel device forwarding with the specified tun(4) de- | 342 | Requests tunnel device forwarding with the specified tun(4) de- |
337 | vices between the client (local_tun) and the server (remote_tun). | 343 | vices between the client (local_tun) and the server (remote_tun). |
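Review bot: The new -W description does not say which end opens the connection to host:port. "forwarded to host on port over the secure channel" implies the server side makes the connection, but this should be stated outright, since it determines where host is resolved and whose forwarding restrictions apply. The text also lists what -W implies without saying what it is for; one sentence on the intended use would help readers decide between -W and -L.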
@@ -373,15 +379,14 @@ DESCRIPTION | |||
373 | error occurred. | 379 | error occurred. |
374 | 380 | ||
375 | AUTHENTICATION | 381 | AUTHENTICATION |
376 | The OpenSSH SSH client supports SSH protocols 1 and 2. Protocol 2 is the | 382 | The OpenSSH SSH client supports SSH protocols 1 and 2. The default is to |
377 | default, with ssh falling back to protocol 1 if it detects protocol 2 is | 383 | use protocol 2 only, though this can be changed via the Protocol option |
378 | unsupported. These settings may be altered using the Protocol option in | 384 | in ssh_config(5) or the -1 and -2 options (see above). Both protocols |
379 | ssh_config(5), or enforced using the -1 and -2 options (see above). Both | 385 | support similar authentication methods, but protocol 2 is the default |
380 | protocols support similar authentication methods, but protocol 2 is pre- | 386 | since it provides additional mechanisms for confidentiality (the traffic |
381 | ferred since it provides additional mechanisms for confidentiality (the | 387 | is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and integri- |
382 | traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and | 388 | ty (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160). Protocol 1 lacks a |
383 | integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160). Protocol 1 | 389 | strong mechanism for ensuring the integrity of the connection. |
384 | lacks a strong mechanism for ensuring the integrity of the connection. | ||
385 | 390 | ||
386 | The methods available for authentication are: GSSAPI-based authentica- | 391 | The methods available for authentication are: GSSAPI-based authentica- |
387 | tion, host-based authentication, public key authentication, challenge-re- | 392 | tion, host-based authentication, public key authentication, challenge-re- |
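Review bot: The rewritten first paragraph of AUTHENTICATION uses "default" twice for the same fact: "The default is to use protocol 2 only" and then "protocol 2 is the default since it provides". The old wording used "preferred" in the second place, which gave that clause its own job of explaining why protocol 2 is chosen; keeping "preferred" there reads better. The removal of the automatic fallback to protocol 1 is a behaviour change and would be clearer stated directly rather than left to the word "only".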
@@ -431,8 +436,15 @@ AUTHENTICATION | |||
431 | though the lines can be very long. After this, the user can log in with- | 436 | though the lines can be very long. After this, the user can log in with- |
432 | out giving the password. | 437 | out giving the password. |
433 | 438 | ||
434 | The most convenient way to use public key authentication may be with an | 439 | A variation on public key authentication is available in the form of cer- |
435 | authentication agent. See ssh-agent(1) for more information. | 440 | tificate authentication: instead of a set of public/private keys, signed |
441 | certificates are used. This has the advantage that a single trusted cer- | ||
442 | tification authority can be used in place of many public/private keys. | ||
443 | See the CERTIFICATES section of ssh-keygen(1) for more information. | ||
444 | |||
445 | The most convenient way to use public key or certificate authentication | ||
446 | may be with an authentication agent. See ssh-agent(1) for more informa- | ||
447 | tion. | ||
436 | 448 | ||
437 | Challenge-response authentication works as follows: The server sends an | 449 | Challenge-response authentication works as follows: The server sends an |
438 | arbitrary "challenge" text, and prompts for a response. Protocol 2 al- | 450 | arbitrary "challenge" text, and prompts for a response. Protocol 2 al- |
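Review bot: The new certificate paragraph is imprecise where it says "instead of a set of public/private keys, signed certificates are used". The -i hunk in this same change shows the certificate being loaded from the identity filename plus -cert.pub, so the user still holds a private key and the certificate accompanies it rather than replacing it. Suggest rewording to say that the user's public key is signed by a certification authority, and that trusting the single authority replaces trusting many individual public keys.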
@@ -864,4 +876,4 @@ AUTHORS | |||
864 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 876 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
865 | versions 1.5 and 2.0. | 877 | versions 1.5 and 2.0. |
866 | 878 | ||
867 | OpenBSD 4.6 March 19, 2009 14 | 879 | OpenBSD 4.6 March 5, 2010 14 |