summaryrefslogtreecommitdiff
path: root/ssh.0
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2003-09-01 18:52:37 +0000
committerColin Watson <cjwatson@debian.org>2003-09-01 18:52:37 +0000
commit854156dd39acbde9b4a47ec0fc54a042ea7358e0 (patch)
tree96755f8590acc2146f4b4ef5b5cdba600e5d9353 /ssh.0
parentfad82e8999e790899083f9e22a1841148d746df6 (diff)
parent053db7da5ce09acdf742789d9d1a05e81d4861d0 (diff)
Import OpenSSH 3.6.1p2.
Diffstat (limited to 'ssh.0')
-rw-r--r--ssh.0608
1 files changed, 608 insertions, 0 deletions
diff --git a/ssh.0 b/ssh.0
new file mode 100644
index 000000000..0baca2288
--- /dev/null
+++ b/ssh.0
@@ -0,0 +1,608 @@
1SSH(1) BSD General Commands Manual SSH(1)
2
3NAME
4 ssh - OpenSSH SSH client (remote login program)
5
6SYNOPSIS
7 ssh [-l login_name] hostname | user@hostname [command]
8
9 ssh [-afgknqstvxACNTX1246] [-b bind_address] [-c cipher_spec]
10 [-e escape_char] [-i identity_file] [-l login_name] [-m mac_spec]
11 [-o option] [-p port] [-F configfile] [-L port:host:hostport]
12 [-R port:host:hostport] [-D port] hostname | user@hostname [command]
13
14DESCRIPTION
15 ssh (SSH client) is a program for logging into a remote machine and for
16 executing commands on a remote machine. It is intended to replace rlogin
17 and rsh, and provide secure encrypted communications between two
18 untrusted hosts over an insecure network. X11 connections and arbitrary
19 TCP/IP ports can also be forwarded over the secure channel.
20
21 ssh connects and logs into the specified hostname. The user must prove
22 his/her identity to the remote machine using one of several methods
23 depending on the protocol version used:
24
25 SSH protocol version 1
26 First, if the machine the user logs in from is listed in /etc/hosts.equiv
27 or /etc/shosts.equiv on the remote machine, and the user names are the
28 same on both sides, the user is immediately permitted to log in. Second,
29 if .rhosts or .shosts exists in the userM-bM-^@M-^Ys home directory on the remote
30 machine and contains a line containing the name of the client machine and
31 the name of the user on that machine, the user is permitted to log in.
32 This form of authentication alone is normally not allowed by the server
33 because it is not secure.
34
35 The second authentication method is the rhosts or hosts.equiv method com-
36 bined with RSA-based host authentication. It means that if the login
37 would be permitted by $HOME/.rhosts, $HOME/.shosts, /etc/hosts.equiv, or
38 /etc/shosts.equiv, and if additionally the server can verify the clientM-bM-^@M-^Ys
39 host key (see /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts in the
40 FILES section), only then login is permitted. This authentication method
41 closes security holes due to IP spoofing, DNS spoofing and routing spoof-
42 ing. [Note to the administrator: /etc/hosts.equiv, $HOME/.rhosts, and
43 the rlogin/rsh protocol in general, are inherently insecure and should be
44 disabled if security is desired.]
45
46 As a third authentication method, ssh supports RSA based authentication.
47 The scheme is based on public-key cryptography: there are cryptosystems
48 where encryption and decryption are done using separate keys, and it is
49 not possible to derive the decryption key from the encryption key. RSA
50 is one such system. The idea is that each user creates a public/private
51 key pair for authentication purposes. The server knows the public key,
52 and only the user knows the private key. The file
53 $HOME/.ssh/authorized_keys lists the public keys that are permitted for
54 logging in. When the user logs in, the ssh program tells the server
55 which key pair it would like to use for authentication. The server
56 checks if this key is permitted, and if so, sends the user (actually the
57 ssh program running on behalf of the user) a challenge, a random number,
58 encrypted by the userM-bM-^@M-^Ys public key. The challenge can only be decrypted
59 using the proper private key. The userM-bM-^@M-^Ys client then decrypts the chal-
60 lenge using the private key, proving that he/she knows the private key
61 but without disclosing it to the server.
62
63 ssh implements the RSA authentication protocol automatically. The user
64 creates his/her RSA key pair by running ssh-keygen(1). This stores the
65 private key in $HOME/.ssh/identity and the public key in
66 $HOME/.ssh/identity.pub in the userM-bM-^@M-^Ys home directory. The user should
67 then copy the identity.pub to $HOME/.ssh/authorized_keys in his/her home
68 directory on the remote machine (the authorized_keys file corresponds to
69 the conventional $HOME/.rhosts file, and has one key per line, though the
70 lines can be very long). After this, the user can log in without giving
71 the password. RSA authentication is much more secure than rhosts authen-
72 tication.
73
74 The most convenient way to use RSA authentication may be with an authen-
75 tication agent. See ssh-agent(1) for more information.
76
77 If other authentication methods fail, ssh prompts the user for a pass-
78 word. The password is sent to the remote host for checking; however,
79 since all communications are encrypted, the password cannot be seen by
80 someone listening on the network.
81
82 SSH protocol version 2
83 When a user connects using protocol version 2 similar authentication
84 methods are available. Using the default values for
85 PreferredAuthentications, the client will try to authenticate first using
86 the hostbased method; if this method fails public key authentication is
87 attempted, and finally if this method fails keyboard-interactive and
88 password authentication are tried.
89
90 The public key method is similar to RSA authentication described in the
91 previous section and allows the RSA or DSA algorithm to be used: The
92 client uses his private key, $HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa, to
93 sign the session identifier and sends the result to the server. The
94 server checks whether the matching public key is listed in
95 $HOME/.ssh/authorized_keys and grants access if both the key is found and
96 the signature is correct. The session identifier is derived from a
97 shared Diffie-Hellman value and is only known to the client and the
98 server.
99
100 If public key authentication fails or is not available a password can be
101 sent encrypted to the remote host for proving the userM-bM-^@M-^Ys identity.
102
103 Additionally, ssh supports hostbased or challenge response authentica-
104 tion.
105
106 Protocol 2 provides additional mechanisms for confidentiality (the traf-
107 fic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) and integrity
108 (hmac-md5, hmac-sha1). Note that protocol 1 lacks a strong mechanism for
109 ensuring the integrity of the connection.
110
111 Login session and remote execution
112 When the userM-bM-^@M-^Ys identity has been accepted by the server, the server
113 either executes the given command, or logs into the machine and gives the
114 user a normal shell on the remote machine. All communication with the
115 remote command or shell will be automatically encrypted.
116
117 If a pseudo-terminal has been allocated (normal login session), the user
118 may use the escape characters noted below.
119
120 If no pseudo tty has been allocated, the session is transparent and can
121 be used to reliably transfer binary data. On most systems, setting the
122 escape character to M-bM-^@M-^\noneM-bM-^@M-^] will also make the session transparent even if
123 a tty is used.
124
125 The session terminates when the command or shell on the remote machine
126 exits and all X11 and TCP/IP connections have been closed. The exit sta-
127 tus of the remote program is returned as the exit status of ssh.
128
129 Escape Characters
130 When a pseudo terminal has been requested, ssh supports a number of func-
131 tions through the use of an escape character.
132
133 A single tilde character can be sent as ~~ or by following the tilde by a
134 character other than those described below. The escape character must
135 always follow a newline to be interpreted as special. The escape charac-
136 ter can be changed in configuration files using the EscapeChar configura-
137 tion directive or on the command line by the -e option.
138
139 The supported escapes (assuming the default M-bM-^@M-^X~M-bM-^@M-^Y) are:
140
141 ~. Disconnect
142
143 ~^Z Background ssh
144
145 ~# List forwarded connections
146
147 ~& Background ssh at logout when waiting for forwarded connection /
148 X11 sessions to terminate
149
150 ~? Display a list of escape characters
151
152 ~C Open command line (only useful for adding port forwardings using
153 the -L and -R options)
154
155 ~R Request rekeying of the connection (only useful for SSH protocol
156 version 2 and if the peer supports it)
157
158 X11 and TCP forwarding
159 If the ForwardX11 variable is set to M-bM-^@M-^\yesM-bM-^@M-^] (or, see the description of
160 the -X and -x options described later) and the user is using X11 (the
161 DISPLAY environment variable is set), the connection to the X11 display
162 is automatically forwarded to the remote side in such a way that any X11
163 programs started from the shell (or command) will go through the
164 encrypted channel, and the connection to the real X server will be made
165 from the local machine. The user should not manually set DISPLAY. For-
166 warding of X11 connections can be configured on the command line or in
167 configuration files.
168
169 The DISPLAY value set by ssh will point to the server machine, but with a
170 display number greater than zero. This is normal, and happens because
171 ssh creates a M-bM-^@M-^\proxyM-bM-^@M-^] X server on the server machine for forwarding the
172 connections over the encrypted channel.
173
174 ssh will also automatically set up Xauthority data on the server machine.
175 For this purpose, it will generate a random authorization cookie, store
176 it in Xauthority on the server, and verify that any forwarded connections
177 carry this cookie and replace it by the real cookie when the connection
178 is opened. The real authentication cookie is never sent to the server
179 machine (and no cookies are sent in the plain).
180
181 If the ForwardAgent variable is set to M-bM-^@M-^\yesM-bM-^@M-^] (or, see the description of
182 the -A and -a options described later) and the user is using an authenti-
183 cation agent, the connection to the agent is automatically forwarded to
184 the remote side.
185
186 Forwarding of arbitrary TCP/IP connections over the secure channel can be
187 specified either on the command line or in a configuration file. One
188 possible application of TCP/IP forwarding is a secure connection to an
189 electronic purse; another is going through firewalls.
190
191 Server authentication
192 ssh automatically maintains and checks a database containing identifica-
193 tions for all hosts it has ever been used with. Host keys are stored in
194 $HOME/.ssh/known_hosts in the userM-bM-^@M-^Ys home directory. Additionally, the
195 file /etc/ssh/ssh_known_hosts is automatically checked for known hosts.
196 Any new hosts are automatically added to the userM-bM-^@M-^Ys file. If a hostM-bM-^@M-^Ys
197 identification ever changes, ssh warns about this and disables password
198 authentication to prevent a trojan horse from getting the userM-bM-^@M-^Ys pass-
199 word. Another purpose of this mechanism is to prevent man-in-the-middle
200 attacks which could otherwise be used to circumvent the encryption. The
201 StrictHostKeyChecking option can be used to prevent logins to machines
202 whose host key is not known or has changed.
203
204 The options are as follows:
205
206 -a Disables forwarding of the authentication agent connection.
207
208 -A Enables forwarding of the authentication agent connection. This
209 can also be specified on a per-host basis in a configuration
210 file.
211
212 Agent forwarding should be enabled with caution. Users with the
213 ability to bypass file permissions on the remote host (for the
214 agentM-bM-^@M-^Ys Unix-domain socket) can access the local agent through
215 the forwarded connection. An attacker cannot obtain key material
216 from the agent, however they can perform operations on the keys
217 that enable them to authenticate using the identities loaded into
218 the agent.
219
220 -b bind_address
221 Specify the interface to transmit from on machines with multiple
222 interfaces or aliased addresses.
223
224 -c blowfish|3des|des
225 Selects the cipher to use for encrypting the session. 3des is
226 used by default. It is believed to be secure. 3des (triple-des)
227 is an encrypt-decrypt-encrypt triple with three different keys.
228 blowfish is a fast block cipher, it appears very secure and is
229 much faster than 3des. des is only supported in the ssh client
230 for interoperability with legacy protocol 1 implementations that
231 do not support the 3des cipher. Its use is strongly discouraged
232 due to cryptographic weaknesses.
233
234 -c cipher_spec
235 Additionally, for protocol version 2 a comma-separated list of
236 ciphers can be specified in order of preference. See Ciphers for
237 more information.
238
239 -e ch|^ch|none
240 Sets the escape character for sessions with a pty (default: M-bM-^@M-^X~M-bM-^@M-^Y).
241 The escape character is only recognized at the beginning of a
242 line. The escape character followed by a dot (M-bM-^@M-^X.M-bM-^@M-^Y) closes the
243 connection, followed by control-Z suspends the connection, and
244 followed by itself sends the escape character once. Setting the
245 character to M-bM-^@M-^\noneM-bM-^@M-^] disables any escapes and makes the session
246 fully transparent.
247
248 -f Requests ssh to go to background just before command execution.
249 This is useful if ssh is going to ask for passwords or
250 passphrases, but the user wants it in the background. This
251 implies -n. The recommended way to start X11 programs at a
252 remote site is with something like ssh -f host xterm.
253
254 -g Allows remote hosts to connect to local forwarded ports.
255
256 -i identity_file
257 Selects a file from which the identity (private key) for RSA or
258 DSA authentication is read. The default is $HOME/.ssh/identity
259 for protocol version 1, and $HOME/.ssh/id_rsa and
260 $HOME/.ssh/id_dsa for protocol version 2. Identity files may
261 also be specified on a per-host basis in the configuration file.
262 It is possible to have multiple -i options (and multiple identi-
263 ties specified in configuration files).
264
265 -I smartcard_device
266 Specifies which smartcard device to use. The argument is the
267 device ssh should use to communicate with a smartcard used for
268 storing the userM-bM-^@M-^Ys private RSA key.
269
270 -k Disables forwarding of Kerberos tickets and AFS tokens. This may
271 also be specified on a per-host basis in the configuration file.
272
273 -l login_name
274 Specifies the user to log in as on the remote machine. This also
275 may be specified on a per-host basis in the configuration file.
276
277 -m mac_spec
278 Additionally, for protocol version 2 a comma-separated list of
279 MAC (message authentication code) algorithms can be specified in
280 order of preference. See the MACs keyword for more information.
281
282 -n Redirects stdin from /dev/null (actually, prevents reading from
283 stdin). This must be used when ssh is run in the background. A
284 common trick is to use this to run X11 programs on a remote
285 machine. For example, ssh -n shadows.cs.hut.fi emacs & will
286 start an emacs on shadows.cs.hut.fi, and the X11 connection will
287 be automatically forwarded over an encrypted channel. The ssh
288 program will be put in the background. (This does not work if
289 ssh needs to ask for a password or passphrase; see also the -f
290 option.)
291
292 -N Do not execute a remote command. This is useful for just for-
293 warding ports (protocol version 2 only).
294
295 -o option
296 Can be used to give options in the format used in the configura-
297 tion file. This is useful for specifying options for which there
298 is no separate command-line flag.
299
300 -p port
301 Port to connect to on the remote host. This can be specified on
302 a per-host basis in the configuration file.
303
304 -q Quiet mode. Causes all warning and diagnostic messages to be
305 suppressed.
306
307 -s May be used to request invocation of a subsystem on the remote
308 system. Subsystems are a feature of the SSH2 protocol which
309 facilitate the use of SSH as a secure transport for other appli-
310 cations (eg. sftp). The subsystem is specified as the remote com-
311 mand.
312
313 -t Force pseudo-tty allocation. This can be used to execute arbi-
314 trary screen-based programs on a remote machine, which can be
315 very useful, e.g., when implementing menu services. Multiple -t
316 options force tty allocation, even if ssh has no local tty.
317
318 -T Disable pseudo-tty allocation.
319
320 -v Verbose mode. Causes ssh to print debugging messages about its
321 progress. This is helpful in debugging connection, authentica-
322 tion, and configuration problems. Multiple -v options increases
323 the verbosity. Maximum is 3.
324
325 -x Disables X11 forwarding.
326
327 -X Enables X11 forwarding. This can also be specified on a per-host
328 basis in a configuration file.
329
330 X11 forwarding should be enabled with caution. Users with the
331 ability to bypass file permissions on the remote host (for the
332 userM-bM-^@M-^Ys X authorization database) can access the local X11 display
333 through the forwarded connection. An attacker may then be able
334 to perform activities such as keystroke monitoring.
335
336 -C Requests compression of all data (including stdin, stdout,
337 stderr, and data for forwarded X11 and TCP/IP connections). The
338 compression algorithm is the same used by gzip(1), and the
339 M-bM-^@M-^\levelM-bM-^@M-^] can be controlled by the CompressionLevel option for pro-
340 tocol version 1. Compression is desirable on modem lines and
341 other slow connections, but will only slow down things on fast
342 networks. The default value can be set on a host-by-host basis
343 in the configuration files; see the Compression option.
344
345 -F configfile
346 Specifies an alternative per-user configuration file. If a con-
347 figuration file is given on the command line, the system-wide
348 configuration file (/etc/ssh/ssh_config) will be ignored. The
349 default for the per-user configuration file is $HOME/.ssh/config.
350
351 -L port:host:hostport
352 Specifies that the given port on the local (client) host is to be
353 forwarded to the given host and port on the remote side. This
354 works by allocating a socket to listen to port on the local side,
355 and whenever a connection is made to this port, the connection is
356 forwarded over the secure channel, and a connection is made to
357 host port hostport from the remote machine. Port forwardings can
358 also be specified in the configuration file. Only root can for-
359 ward privileged ports. IPv6 addresses can be specified with an
360 alternative syntax: port/host/hostport
361
362 -R port:host:hostport
363 Specifies that the given port on the remote (server) host is to
364 be forwarded to the given host and port on the local side. This
365 works by allocating a socket to listen to port on the remote
366 side, and whenever a connection is made to this port, the connec-
367 tion is forwarded over the secure channel, and a connection is
368 made to host port hostport from the local machine. Port forward-
369 ings can also be specified in the configuration file. Privileged
370 ports can be forwarded only when logging in as root on the remote
371 machine. IPv6 addresses can be specified with an alternative
372 syntax: port/host/hostport
373
374 -D port
375 Specifies a local M-bM-^@M-^\dynamicM-bM-^@M-^] application-level port forwarding.
376 This works by allocating a socket to listen to port on the local
377 side, and whenever a connection is made to this port, the connec-
378 tion is forwarded over the secure channel, and the application
379 protocol is then used to determine where to connect to from the
380 remote machine. Currently the SOCKS4 protocol is supported, and
381 ssh will act as a SOCKS4 server. Only root can forward privi-
382 leged ports. Dynamic port forwardings can also be specified in
383 the configuration file.
384
385 -1 Forces ssh to try protocol version 1 only.
386
387 -2 Forces ssh to try protocol version 2 only.
388
389 -4 Forces ssh to use IPv4 addresses only.
390
391 -6 Forces ssh to use IPv6 addresses only.
392
393CONFIGURATION FILES
394 ssh may additionally obtain configuration data from a per-user configura-
395 tion file and a system-wide configuration file. The file format and con-
396 figuration options are described in ssh_config(5).
397
398ENVIRONMENT
399 ssh will normally set the following environment variables:
400
401 DISPLAY
402 The DISPLAY variable indicates the location of the X11 server.
403 It is automatically set by ssh to point to a value of the form
404 M-bM-^@M-^\hostname:nM-bM-^@M-^] where hostname indicates the host where the shell
405 runs, and n is an integer >= 1. ssh uses this special value to
406 forward X11 connections over the secure channel. The user should
407 normally not set DISPLAY explicitly, as that will render the X11
408 connection insecure (and will require the user to manually copy
409 any required authorization cookies).
410
411 HOME Set to the path of the userM-bM-^@M-^Ys home directory.
412
413 LOGNAME
414 Synonym for USER; set for compatibility with systems that use
415 this variable.
416
417 MAIL Set to the path of the userM-bM-^@M-^Ys mailbox.
418
419 PATH Set to the default PATH, as specified when compiling ssh.
420
421 SSH_ASKPASS
422 If ssh needs a passphrase, it will read the passphrase from the
423 current terminal if it was run from a terminal. If ssh does not
424 have a terminal associated with it but DISPLAY and SSH_ASKPASS
425 are set, it will execute the program specified by SSH_ASKPASS and
426 open an X11 window to read the passphrase. This is particularly
427 useful when calling ssh from a .Xsession or related script.
428 (Note that on some machines it may be necessary to redirect the
429 input from /dev/null to make this work.)
430
431 SSH_AUTH_SOCK
432 Identifies the path of a unix-domain socket used to communicate
433 with the agent.
434
435 SSH_CONNECTION
436 Identifies the client and server ends of the connection. The
437 variable contains four space-separated values: client ip-address,
438 client port number, server ip-address and server port number.
439
440 SSH_ORIGINAL_COMMAND
441 The variable contains the original command line if a forced com-
442 mand is executed. It can be used to extract the original argu-
443 ments.
444
445 SSH_TTY
446 This is set to the name of the tty (path to the device) associ-
447 ated with the current shell or command. If the current session
448 has no tty, this variable is not set.
449
450 TZ The timezone variable is set to indicate the present timezone if
451 it was set when the daemon was started (i.e., the daemon passes
452 the value on to new connections).
453
454 USER Set to the name of the user logging in.
455
456 Additionally, ssh reads $HOME/.ssh/environment, and adds lines of the
457 format M-bM-^@M-^\VARNAME=valueM-bM-^@M-^] to the environment if the file exists and if users
458 are allowed to change their environment. See the PermitUserEnvironment
459 option in sshd_config(5).
460
461FILES
462 $HOME/.ssh/known_hosts
463 Records host keys for all hosts the user has logged into that are
464 not in /etc/ssh/ssh_known_hosts. See sshd(8).
465
466 $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa
467 Contains the authentication identity of the user. They are for
468 protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively.
469 These files contain sensitive data and should be readable by the
470 user but not accessible by others (read/write/execute). Note
471 that ssh ignores a private key file if it is accessible by oth-
472 ers. It is possible to specify a passphrase when generating the
473 key; the passphrase will be used to encrypt the sensitive part of
474 this file using 3DES.
475
476 $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub
477 Contains the public key for authentication (public part of the
478 identity file in human-readable form). The contents of the
479 $HOME/.ssh/identity.pub file should be added to
480 $HOME/.ssh/authorized_keys on all machines where the user wishes
481 to log in using protocol version 1 RSA authentication. The con-
482 tents of the $HOME/.ssh/id_dsa.pub and $HOME/.ssh/id_rsa.pub file
483 should be added to $HOME/.ssh/authorized_keys on all machines
484 where the user wishes to log in using protocol version 2 DSA/RSA
485 authentication. These files are not sensitive and can (but need
486 not) be readable by anyone. These files are never used automati-
487 cally and are not necessary; they are only provided for the con-
488 venience of the user.
489
490 $HOME/.ssh/config
491 This is the per-user configuration file. The file format and
492 configuration options are described in ssh_config(5).
493
494 $HOME/.ssh/authorized_keys
495 Lists the public keys (RSA/DSA) that can be used for logging in
496 as this user. The format of this file is described in the
497 sshd(8) manual page. In the simplest form the format is the same
498 as the .pub identity files. This file is not highly sensitive,
499 but the recommended permissions are read/write for the user, and
500 not accessible by others.
501
502 /etc/ssh/ssh_known_hosts
503 Systemwide list of known host keys. This file should be prepared
504 by the system administrator to contain the public host keys of
505 all machines in the organization. This file should be world-
506 readable. This file contains public keys, one per line, in the
507 following format (fields separated by spaces): system name, pub-
508 lic key and optional comment field. When different names are
509 used for the same machine, all such names should be listed, sepa-
510 rated by commas. The format is described on the sshd(8) manual
511 page.
512
513 The canonical system name (as returned by name servers) is used
514 by sshd(8) to verify the client host when logging in; other names
515 are needed because ssh does not convert the user-supplied name to
516 a canonical name before checking the key, because someone with
517 access to the name servers would then be able to fool host
518 authentication.
519
520 /etc/ssh/ssh_config
521 Systemwide configuration file. The file format and configuration
522 options are described in ssh_config(5).
523
524 /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key,
525 /etc/ssh/ssh_host_rsa_key
526 These three files contain the private parts of the host keys and
527 are used for RhostsRSAAuthentication and HostbasedAuthentication.
528 If the protocol version 1 RhostsRSAAuthentication method is used,
529 ssh must be setuid root, since the host key is readable only by
530 root. For protocol version 2, ssh uses ssh-keysign(8) to access
531 the host keys for HostbasedAuthentication. This eliminates the
532 requirement that ssh be setuid root when that authentication
533 method is used. By default ssh is not setuid root.
534
535 $HOME/.rhosts
536 This file is used in .rhosts authentication to list the host/user
537 pairs that are permitted to log in. (Note that this file is also
538 used by rlogin and rsh, which makes using this file insecure.)
539 Each line of the file contains a host name (in the canonical form
540 returned by name servers), and then a user name on that host,
541 separated by a space. On some machines this file may need to be
542 world-readable if the userM-bM-^@M-^Ys home directory is on a NFS parti-
543 tion, because sshd(8) reads it as root. Additionally, this file
544 must be owned by the user, and must not have write permissions
545 for anyone else. The recommended permission for most machines is
546 read/write for the user, and not accessible by others.
547
548 Note that by default sshd(8) will be installed so that it
549 requires successful RSA host authentication before permitting
550 .rhosts authentication. If the server machine does not have the
551 clientM-bM-^@M-^Ys host key in /etc/ssh/ssh_known_hosts, it can be stored
552 in $HOME/.ssh/known_hosts. The easiest way to do this is to con-
553 nect back to the client from the server machine using ssh; this
554 will automatically add the host key to $HOME/.ssh/known_hosts.
555
556 $HOME/.shosts
557 This file is used exactly the same way as .rhosts. The purpose
558 for having this file is to be able to use rhosts authentication
559 with ssh without permitting login with rlogin or rsh(1).
560
561 /etc/hosts.equiv
562 This file is used during .rhosts authentication. It contains
563 canonical hosts names, one per line (the full format is described
564 on the sshd(8) manual page). If the client host is found in this
565 file, login is automatically permitted provided client and server
566 user names are the same. Additionally, successful RSA host
567 authentication is normally required. This file should only be
568 writable by root.
569
570 /etc/shosts.equiv
571 This file is processed exactly as /etc/hosts.equiv. This file
572 may be useful to permit logins using ssh but not using
573 rsh/rlogin.
574
575 /etc/ssh/sshrc
576 Commands in this file are executed by ssh when the user logs in
577 just before the userM-bM-^@M-^Ys shell (or command) is started. See the
578 sshd(8) manual page for more information.
579
580 $HOME/.ssh/rc
581 Commands in this file are executed by ssh when the user logs in
582 just before the userM-bM-^@M-^Ys shell (or command) is started. See the
583 sshd(8) manual page for more information.
584
585 $HOME/.ssh/environment
586 Contains additional definitions for environment variables, see
587 section ENVIRONMENT above.
588
589DIAGNOSTICS
590 ssh exits with the exit status of the remote command or with 255 if an
591 error occurred.
592
593AUTHORS
594 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
595 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
596 de Raadt and Dug Song removed many bugs, re-added newer features and cre-
597 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
598 versions 1.5 and 2.0.
599
600SEE ALSO
601 rsh(1), scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
602 telnet(1), ssh_config(5), ssh-keysign(8), sshd(8)
603
604 T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH
605 Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January
606 2002, work in progress material.
607
608BSD September 25, 1999 BSD
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-01 08:08:28 +0000