path: root/ssh.0
author: Colin Watson <cjwatson@debian.org> 2007-06-12 16:16:35 +0000
committer: Colin Watson <cjwatson@debian.org> 2007-06-12 16:16:35 +0000
commit: b7e40fa9da0b5491534a429dadb321eab5a77558 (patch)
tree: bed1da11e9f829925797aa093e379fc0b5868ecd /ssh.0
parent: 4f84beedf1005e44ff33c854abd6b711ffc0adb7 (diff)
parent: 086ea76990b1e6287c24b6db74adffd4605eb3b0 (diff)
* New upstream release (closes: #395507, #397961, #420035). Important changes not previously backported to 4.3p2:
  - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4):
    + On portable OpenSSH, fix a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms.
    + Implemented conditional configuration in sshd_config(5) using the "Match" directive. This allows some configuration options to be selectively overridden if specific criteria (based on user, group, hostname and/or address) are met. So far a useful subset of post-authentication options are supported and more are expected to be added in future releases.
    + Add support for Diffie-Hellman group exchange key agreement with a final hash of SHA256.
    + Added a "ForceCommand" directive to sshd_config(5). Similar to the command="..." option accepted in ~/.ssh/authorized_keys, this forces the execution of the specified command regardless of what the user requested. This is very useful in conjunction with the new "Match" option.
    + Add a "PermitOpen" directive to sshd_config(5). This mirrors the permitopen="..." authorized_keys option, allowing fine-grained control over the port-forwardings that a user is allowed to establish.
    + Add optional logging of transactions to sftp-server(8).
    + ssh(1) will now record port numbers for hosts stored in ~/.ssh/known_hosts when a non-standard port has been requested (closes: #50612).
    + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a non-zero exit code) when requested port forwardings could not be established.
    + Extend sshd_config(5) "SubSystem" declarations to allow the specification of command-line arguments.
    + Replacement of all integer overflow susceptible invocations of malloc(3) and realloc(3) with overflow-checking equivalents.
    + Many manpage fixes and improvements.
    + Add optional support for OpenSSL hardware accelerators (engines), enabled using the --with-ssl-engine configure option.
    + Tokens in configuration files may be double-quoted in order to contain spaces (closes: #319639).
    + Move a debug() call out of a SIGCHLD handler, fixing a hang when the session exits very quickly (closes: #307890).
    + Fix some incorrect buffer allocation calculations (closes: #410599).
    + ssh-add doesn't ask for a passphrase if key file permissions are too liberal (closes: #103677).
    + Likewise, ssh doesn't ask either (closes: #99675).
  - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6):
    + sshd now allows the enabling and disabling of authentication methods on a per user, group, host and network basis via the Match directive in sshd_config.
    + Fixed an inconsistent check for a terminal when displaying scp progress meter (closes: #257524).
    + Fix "hang on exit" when background processes are running at the time of exit on a ttyful/login session (closes: #88337).
* Update to current GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch; install ChangeLog.gssapi.
Diffstat (limited to 'ssh.0')
-rw-r--r-- ssh.0 103
1 files changed, 71 insertions, 32 deletions
diff --git a/ssh.0 b/ssh.0
index 83c4b94eb..c31e17eaf 100644
--- a/ssh.0
+++ b/ssh.0
@@ -9,7 +9,7 @@ SYNOPSIS
9 [-i identity_file] [-L [bind_address:]port:host:hostport] 9 [-i identity_file] [-L [bind_address:]port:host:hostport]
10 [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] 10 [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
11 [-R [bind_address:]port:host:hostport] [-S ctl_path] 11 [-R [bind_address:]port:host:hostport] [-S ctl_path]
12 [-w tunnel:tunnel] [user@]hostname [command] 12 [-w local_tun[:remote_tun]] [user@]hostname [command]
13 13
14DESCRIPTION 14DESCRIPTION
15 ssh (SSH client) is a program for logging into a remote machine and for 15 ssh (SSH client) is a program for logging into a remote machine and for
@@ -225,6 +225,7 @@ DESCRIPTION
225 ControlPath 225 ControlPath
226 DynamicForward 226 DynamicForward
227 EscapeChar 227 EscapeChar
228 ExitOnForwardFailure
228 ForwardAgent 229 ForwardAgent
229 ForwardX11 230 ForwardX11
230 ForwardX11Trusted 231 ForwardX11Trusted
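Review bot: the new ExitOnForwardFailure entry in the -o list (line 228) is the only place this option appears on the page; the -L and -R descriptions still say nothing about what happens when a requested forwarding cannot be established, which is exactly the case the commit message says the option was added for (without it the session continues and the caller gets no non-zero exit code). Suggest a one-line cross-reference in the -L/-R text, e.g. "If a requested forwarding cannot be set up, see ExitOnForwardFailure in ssh_config(5)", so scripts that depend on the forward know there is a reliable failure signal to turn on.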
@@ -315,7 +316,7 @@ DESCRIPTION
315 316
316 -t Force pseudo-tty allocation. This can be used to execute arbi- 317 -t Force pseudo-tty allocation. This can be used to execute arbi-
317 trary screen-based programs on a remote machine, which can be 318 trary screen-based programs on a remote machine, which can be
318 very useful, e.g., when implementing menu services. Multiple -t 319 very useful, e.g. when implementing menu services. Multiple -t
319 options force tty allocation, even if ssh has no local tty. 320 options force tty allocation, even if ssh has no local tty.
320 321
321 -V Display the version number and exit. 322 -V Display the version number and exit.
@@ -325,11 +326,16 @@ DESCRIPTION
325 tion, and configuration problems. Multiple -v options increase 326 tion, and configuration problems. Multiple -v options increase
326 the verbosity. The maximum is 3. 327 the verbosity. The maximum is 3.
327 328
328 -w tunnel:tunnel 329 -w local_tun[:remote_tun]
329 Requests a tun(4) device on the client (first tunnel arg) and 330 Requests tunnel device forwarding with the specified tun(4) de-
330 server (second tunnel arg). The devices may be specified by nu- 331 vices between the client (local_tun) and the server (remote_tun).
331 merical ID or the keyword ``any'', which uses the next available 332
332 tunnel device. See also the Tunnel directive in ssh_config(5). 333 The devices may be specified by numerical ID or the keyword
334 ``any'', which uses the next available tunnel device. If
335 remote_tun is not specified, it defaults to ``any''. See also
336 the Tunnel and TunnelDevice directives in ssh_config(5). If the
337 Tunnel directive is unset, it is set to the default tunnel mode,
338 which is ``point-to-point''.
333 339
334 -X Enables X11 forwarding. This can also be specified on a per-host 340 -X Enables X11 forwarding. This can also be specified on a per-host
335 basis in a configuration file. 341 basis in a configuration file.
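Review bot: the rewritten -w text (lines 329-338) documents the client-side defaults (``any'', Tunnel, TunnelDevice, point-to-point mode) but not the server-side precondition: sshd only honours a tunnel request when PermitTunnel in sshd_config(5) allows it, and the mode requested via Tunnel must be one the server permits. The VPN section further down says only that the server "allows it" without naming the option, so one sentence here, e.g. "The server must permit tunnel forwarding; see PermitTunnel in sshd_config(5)", would tell readers where a failed -w is actually controlled.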
@@ -368,11 +374,11 @@ AUTHENTICATION
368 integrity (hmac-md5, hmac-sha1, hmac-ripemd160). Protocol 1 lacks a 374 integrity (hmac-md5, hmac-sha1, hmac-ripemd160). Protocol 1 lacks a
369 strong mechanism for ensuring the integrity of the connection. 375 strong mechanism for ensuring the integrity of the connection.
370 376
371 The methods available for authentication are: host-based authentication, 377 The methods available for authentication are: GSSAPI-based authentica-
372 public key authentication, challenge-response authentication, and pass- 378 tion, host-based authentication, public key authentication, challenge-re-
373 word authentication. Authentication methods are tried in the order spec- 379 sponse authentication, and password authentication. Authentication meth-
374 ified above, though protocol 2 has a configuration option to change the 380 ods are tried in the order specified above, though protocol 2 has a con-
375 default order: PreferredAuthentications. 381 figuration option to change the default order: PreferredAuthentications.
376 382
377 Host-based authentication works as follows: If the machine the user logs 383 Host-based authentication works as follows: If the machine the user logs
378 in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote 384 in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote
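Review bot: lines 377-381 now put GSSAPI-based authentication first while keeping "Authentication methods are tried in the order specified above", so the paragraph asserts that a client built with GSSAPI support attempts it before host-based and public key authentication. That matches the default PreferredAuthentications list of gssapi-with-mic,hostbased,publickey,keyboard-interactive,password, but the paragraph calls the fourth method "challenge-response" while the PreferredAuthentications token is keyboard-interactive. Naming the token next to each method, or pointing at the default list in ssh_config(5), would let readers who want to change the order (for instance to skip the GSSAPI attempt on hosts without Kerberos) reorder it correctly.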
@@ -487,8 +493,8 @@ ESCAPE CHARACTERS
487 ~C Open command line. Currently this allows the addition of port 493 ~C Open command line. Currently this allows the addition of port
488 forwardings using the -L and -R options (see above). It also al- 494 forwardings using the -L and -R options (see above). It also al-
489 lows the cancellation of existing remote port-forwardings using 495 lows the cancellation of existing remote port-forwardings using
490 -KR hostport. !command allows the user to execute a local com- 496 -KR[bind_address:]port. !command allows the user to execute a
491 mand if the PermitLocalCommand option is enabled in 497 local command if the PermitLocalCommand option is enabled in
492 ssh_config(5). Basic help is available, using the -h option. 498 ssh_config(5). Basic help is available, using the -h option.
493 499
494 ~R Request rekeying of the connection (only useful for SSH protocol 500 ~R Request rekeying of the connection (only useful for SSH protocol
@@ -573,8 +579,7 @@ VERIFYING HOST KEYS
573 ``host.example.com''. The SSHFP resource records should first be added 579 ``host.example.com''. The SSHFP resource records should first be added
574 to the zonefile for host.example.com: 580 to the zonefile for host.example.com:
575 581
576 $ ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r host.example.com. 582 $ ssh-keygen -r host.example.com.
577 $ ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r host.example.com.
578 583
579 The output lines will have to be added to the zonefile. To check that 584 The output lines will have to be added to the zonefile. To check that
580 the zone is answering fingerprint queries: 585 the zone is answering fingerprint queries:
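Review bot: replacing the two explicit invocations with the single `$ ssh-keygen -r host.example.com.` (line 582) drops the -f argument, so the command now reads ssh-keygen's default host key files and must be run on host.example.com itself, or with -f pointing at each public host key; the removed lines made that explicit. Either keep one -f form as well, or add "run on the host" to line 580, and say that a record is needed for every host key type the server may present, since the client looks up the fingerprint of whichever key sshd offers for the connection.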
@@ -598,24 +603,34 @@ SSH-BASED VIRTUAL PRIVATE NETWORKS
598 fic). 603 fic).
599 604
600 The following example would connect client network 10.0.50.0/24 with re- 605 The following example would connect client network 10.0.50.0/24 with re-
601 mote network 10.0.99.0/24, provided that the SSH server running on the 606 mote network 10.0.99.0/24 using a point-to-point connection from 10.1.1.1
602 gateway to the remote network, at 192.168.1.15, allows it: 607 to 10.1.1.2, provided that the SSH server running on the gateway to the
608 remote network, at 192.168.1.15, allows it.
609
610 On the client:
603 611
604 # ssh -f -w 0:1 192.168.1.15 true 612 # ssh -f -w 0:1 192.168.1.15 true
605 # ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252 613 # ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
614 # route add 10.0.99.0/24 10.1.1.2
615
616 On the server:
617
618 # ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252
619 # route add 10.0.50.0/24 10.1.1.1
606 620
607 Client access may be more finely tuned via the /root/.ssh/authorized_keys 621 Client access may be more finely tuned via the /root/.ssh/authorized_keys
608 file (see below) and the PermitRootLogin server option. The following 622 file (see below) and the PermitRootLogin server option. The following
609 entry would permit connections on the first tun(4) device from user 623 entry would permit connections on tun(4) device 1 from user ``jane'' and
610 ``jane'' and on the second device from user ``john'', if PermitRootLogin 624 on tun device 2 from user ``john'', if PermitRootLogin is set to
611 is set to ``forced-commands-only'': 625 ``forced-commands-only'':
612 626
613 tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane 627 tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
614 tunnel="2",command="sh /etc/netstart tun1" ssh-rsa ... john 628 tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john
615 629
616 Since a SSH-based setup entails a fair amount of overhead, it may be more 630 Since an SSH-based setup entails a fair amount of overhead, it may be
617 suited to temporary setups, such as for wireless VPNs. More permanent 631 more suited to temporary setups, such as for wireless VPNs. More perma-
618 VPNs are better provided by tools such as ipsecctl(8) and isakmpd(8). 632 nent VPNs are better provided by tools such as ipsecctl(8) and
633 isakmpd(8).
619 634
620ENVIRONMENT 635ENVIRONMENT
621 ssh will normally set the following environment variables: 636 ssh will normally set the following environment variables:
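Review bot: the authorized_keys entries (lines 627-628) restrict each key to one tun device and to the forced command, but not to anything else the key can request in the same session: without no-port-forwarding, no-agent-forwarding, no-X11-forwarding and no-pty, a holder of jane's key can still open -L/-R/-D forwardings from root's context on the gateway, because PermitRootLogin forced-commands-only only forces the command. Since these keys exist solely to bring up a tunnel, the entries should carry those restrictions, e.g. `tunnel="1",command="sh /etc/netstart tun1",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa ... jane`. The tun2 correction for john on line 628 is right, and the /30 point-to-point addressing with explicit routes on both ends (lines 613-619) makes the example consistent; note that the ifconfig and route syntax shown is OpenBSD's, so readers of this Debian package on Linux will need the iproute2 equivalents.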
@@ -671,8 +686,8 @@ ENVIRONMENT
671 686
672 TZ This variable is set to indicate the present time 687 TZ This variable is set to indicate the present time
673 zone if it was set when the daemon was started 688 zone if it was set when the daemon was started
674 (i.e., the daemon passes the value on to new con- 689 (i.e. the daemon passes the value on to new connec-
675 nections). 690 tions).
676 691
677 USER Set to the name of the user logging in. 692 USER Set to the name of the user logging in.
678 693
@@ -779,9 +794,33 @@ SEE ALSO
779 scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh-keyscan(1), 794 scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh-keyscan(1),
780 tun(4), hosts.equiv(5), ssh_config(5), ssh-keysign(8), sshd(8) 795 tun(4), hosts.equiv(5), ssh_config(5), ssh-keysign(8), sshd(8)
781 796
782 T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH 797 The Secure Shell (SSH) Protocol Assigned Numbers, RFC 4250, 2006.
783 Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January 798
784 2002, work in progress material. 799 The Secure Shell (SSH) Protocol Architecture, RFC 4251, 2006.
800
801 The Secure Shell (SSH) Authentication Protocol, RFC 4252, 2006.
802
803 The Secure Shell (SSH) Transport Layer Protocol, RFC 4253, 2006.
804
805 The Secure Shell (SSH) Connection Protocol, RFC 4254, 2006.
806
807 Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints, RFC
808 4255, 2006.
809
810 Generic Message Exchange Authentication for the Secure Shell Protocol
811 (SSH), RFC 4256, 2006.
812
813 The Secure Shell (SSH) Session Channel Break Extension, RFC 4335, 2006.
814
815 The Secure Shell (SSH) Transport Layer Encryption Modes, RFC 4344, 2006.
816
817 Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer
818 Protocol, RFC 4345, 2006.
819
820 Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer
821 Protocol, RFC 4419, 2006.
822
823 The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006.
785 824
786AUTHORS 825AUTHORS
787 OpenSSH is a derivative of the original and free ssh 1.2.12 release by 826 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
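Review bot: the new reference list (lines 797-823) covers the core protocol RFCs, DNS fingerprints and DH group exchange but omits RFC 4462 (Generic Security Service Application Program Interface (GSS-API) Authentication and Key Exchange for the Secure Shell (SSH) Protocol, 2006), even though the AUTHENTICATION section on this page now lists GSSAPI-based authentication first and the commit message says the package carries the GSSAPI key exchange patch. Add it alongside RFC 4256 so the GSSAPI method has a citation like the others.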
@@ -790,4 +829,4 @@ AUTHORS
790 created OpenSSH. Markus Friedl contributed the support for SSH protocol 829 created OpenSSH. Markus Friedl contributed the support for SSH protocol
791 versions 1.5 and 2.0. 830 versions 1.5 and 2.0.
792 831
793OpenBSD 3.9 September 25, 1999 12 832OpenBSD 4.1 September 25, 1999 13