author | Colin Watson <cjwatson@debian.org> | 2005-09-14 12:45:47 +0000
committer | Colin Watson <cjwatson@debian.org> | 2005-09-14 12:45:47 +0000
commit | 9b71add4cecf753c45f5fbd6ff0913bc95b3e95d
tree | d4ea8fdb30c7949c6433f5277c39548ea579d4dc /ssh.1
parent | ed07bcbea56007ab5b218ddf3aa6a7d4e21966e0
parent | 16704d57999d987fb8d9ba53379841a79f016d67
Merge 4.2p1 to the trunk.
Diffstat (limited to 'ssh.1')
-rw-r--r-- | ssh.1 | 84 |
1 files changed, 45 insertions, 39 deletions
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh.1,v 1.205 2005/03/07 23:41:54 jmc Exp $ | 37 | .\" $OpenBSD: ssh.1,v 1.209 2005/07/06 09:33:05 dtucker Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH 1 | 39 | .Dt SSH 1 |
40 | .Os | 40 | .Os |
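Review bot: the `.Dd September 25, 1999` line at 38 is carried over unchanged while the `$OpenBSD` RCS id on line 37 advances from 1.205 (2005/03/07) to 1.209 (2005/07/06). Since this merge changes documented option text and the default cipher list further down, the document date should be bumped as well; otherwise readers of the rendered page see a 1999 date on text that describes 4.2p1 behaviour. If the intent is to mirror the upstream header byte-for-byte, that is worth saying in the merge description.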
@@ -109,9 +109,9 @@ or | |||
109 | .Pa /etc/shosts.equiv | 109 | .Pa /etc/shosts.equiv |
110 | on the remote machine, and the user names are | 110 | on the remote machine, and the user names are |
111 | the same on both sides, or if the files | 111 | the same on both sides, or if the files |
112 | .Pa $HOME/.rhosts | 112 | .Pa ~/.rhosts |
113 | or | 113 | or |
114 | .Pa $HOME/.shosts | 114 | .Pa ~/.shosts |
115 | exist in the user's home directory on the | 115 | exist in the user's home directory on the |
116 | remote machine and contain a line containing the name of the client | 116 | remote machine and contain a line containing the name of the client |
117 | machine and the name of the user on that machine, the user is | 117 | machine and the name of the user on that machine, the user is |
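Review bot: the `$HOME` to `~` change in `.Pa ~/.rhosts` and `.Pa ~/.shosts` is cosmetic and correct, but it is repeated mechanically across most of the hunks in this file, so confirm nothing was missed with `grep -n '\$HOME' ssh.1` on the merged result; a single leftover `$HOME` beside `~` in the FILES section would present two conventions for the same path. The meaning is unchanged: the surrounding text (lines 115-117) still says these files live in the user's home directory on the remote machine and are consulted for host-based login.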
@@ -120,7 +120,7 @@ Additionally, if the server can verify the client's | |||
120 | host key (see | 120 | host key (see |
121 | .Pa /etc/ssh/ssh_known_hosts | 121 | .Pa /etc/ssh/ssh_known_hosts |
122 | and | 122 | and |
123 | .Pa $HOME/.ssh/known_hosts | 123 | .Pa ~/.ssh/known_hosts |
124 | in the | 124 | in the |
125 | .Sx FILES | 125 | .Sx FILES |
126 | section), only then is login permitted. | 126 | section), only then is login permitted. |
@@ -128,7 +128,7 @@ This authentication method closes security holes due to IP | |||
128 | spoofing, DNS spoofing and routing spoofing. | 128 | spoofing, DNS spoofing and routing spoofing. |
129 | [Note to the administrator: | 129 | [Note to the administrator: |
130 | .Pa /etc/hosts.equiv , | 130 | .Pa /etc/hosts.equiv , |
131 | .Pa $HOME/.rhosts , | 131 | .Pa ~/.rhosts , |
132 | and the rlogin/rsh protocol in general, are inherently insecure and should be | 132 | and the rlogin/rsh protocol in general, are inherently insecure and should be |
133 | disabled if security is desired.] | 133 | disabled if security is desired.] |
134 | .Pp | 134 | .Pp |
@@ -144,7 +144,7 @@ key pair for authentication purposes. | |||
144 | The server knows the public key, and only the user knows the private key. | 144 | The server knows the public key, and only the user knows the private key. |
145 | .Pp | 145 | .Pp |
146 | The file | 146 | The file |
147 | .Pa $HOME/.ssh/authorized_keys | 147 | .Pa ~/.ssh/authorized_keys |
148 | lists the public keys that are permitted for logging in. | 148 | lists the public keys that are permitted for logging in. |
149 | When the user logs in, the | 149 | When the user logs in, the |
150 | .Nm | 150 | .Nm |
@@ -165,18 +165,18 @@ implements the RSA authentication protocol automatically. | |||
165 | The user creates his/her RSA key pair by running | 165 | The user creates his/her RSA key pair by running |
166 | .Xr ssh-keygen 1 . | 166 | .Xr ssh-keygen 1 . |
167 | This stores the private key in | 167 | This stores the private key in |
168 | .Pa $HOME/.ssh/identity | 168 | .Pa ~/.ssh/identity |
169 | and stores the public key in | 169 | and stores the public key in |
170 | .Pa $HOME/.ssh/identity.pub | 170 | .Pa ~/.ssh/identity.pub |
171 | in the user's home directory. | 171 | in the user's home directory. |
172 | The user should then copy the | 172 | The user should then copy the |
173 | .Pa identity.pub | 173 | .Pa identity.pub |
174 | to | 174 | to |
175 | .Pa $HOME/.ssh/authorized_keys | 175 | .Pa ~/.ssh/authorized_keys |
176 | in his/her home directory on the remote machine (the | 176 | in his/her home directory on the remote machine (the |
177 | .Pa authorized_keys | 177 | .Pa authorized_keys |
178 | file corresponds to the conventional | 178 | file corresponds to the conventional |
179 | .Pa $HOME/.rhosts | 179 | .Pa ~/.rhosts |
180 | file, and has one key | 180 | file, and has one key |
181 | per line, though the lines can be very long). | 181 | per line, though the lines can be very long). |
182 | After this, the user can log in without giving the password. | 182 | After this, the user can log in without giving the password. |
@@ -206,12 +206,12 @@ password authentication are tried. | |||
206 | The public key method is similar to RSA authentication described | 206 | The public key method is similar to RSA authentication described |
207 | in the previous section and allows the RSA or DSA algorithm to be used: | 207 | in the previous section and allows the RSA or DSA algorithm to be used: |
208 | The client uses his private key, | 208 | The client uses his private key, |
209 | .Pa $HOME/.ssh/id_dsa | 209 | .Pa ~/.ssh/id_dsa |
210 | or | 210 | or |
211 | .Pa $HOME/.ssh/id_rsa , | 211 | .Pa ~/.ssh/id_rsa , |
212 | to sign the session identifier and sends the result to the server. | 212 | to sign the session identifier and sends the result to the server. |
213 | The server checks whether the matching public key is listed in | 213 | The server checks whether the matching public key is listed in |
214 | .Pa $HOME/.ssh/authorized_keys | 214 | .Pa ~/.ssh/authorized_keys |
215 | and grants access if both the key is found and the signature is correct. | 215 | and grants access if both the key is found and the signature is correct. |
216 | The session identifier is derived from a shared Diffie-Hellman value | 216 | The session identifier is derived from a shared Diffie-Hellman value |
217 | and is only known to the client and the server. | 217 | and is only known to the client and the server. |
@@ -365,7 +365,7 @@ electronic purse; another is going through firewalls. | |||
365 | automatically maintains and checks a database containing | 365 | automatically maintains and checks a database containing |
366 | identifications for all hosts it has ever been used with. | 366 | identifications for all hosts it has ever been used with. |
367 | Host keys are stored in | 367 | Host keys are stored in |
368 | .Pa $HOME/.ssh/known_hosts | 368 | .Pa ~/.ssh/known_hosts |
369 | in the user's home directory. | 369 | in the user's home directory. |
370 | Additionally, the file | 370 | Additionally, the file |
371 | .Pa /etc/ssh/ssh_known_hosts | 371 | .Pa /etc/ssh/ssh_known_hosts |
@@ -423,8 +423,11 @@ authenticate using the identities loaded into the agent. | |||
423 | .It Fl a | 423 | .It Fl a |
424 | Disables forwarding of the authentication agent connection. | 424 | Disables forwarding of the authentication agent connection. |
425 | .It Fl b Ar bind_address | 425 | .It Fl b Ar bind_address |
426 | Specify the interface to transmit from on machines with multiple | 426 | Use |
427 | interfaces or aliased addresses. | 427 | .Ar bind_address |
428 | on the local machine as the source address | ||
429 | of the connection. | ||
430 | Only useful on systems with more than one address. | ||
428 | .It Fl C | 431 | .It Fl C |
429 | Requests compression of all data (including stdin, stdout, stderr, and | 432 | Requests compression of all data (including stdin, stdout, stderr, and |
430 | data for forwarded X11 and TCP/IP connections). | 433 | data for forwarded X11 and TCP/IP connections). |
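Review bot: the rewritten `-b` text (lines 426-430) is an improvement, since the option sets a source address rather than selecting an interface as the old wording claimed, but it does not point the reader at the per-host equivalent in ssh_config(5) the way the `-i` text at 563-564 does for identity files ("Identity files may also be specified on a per-host basis in the configuration file"). Suggest adding a sentence such as "See also the BindAddress keyword in ssh_config(5)." so that users who need the same source address for every connection to a host are not left to discover the keyword on their own.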
@@ -479,14 +482,17 @@ The supported ciphers are | |||
479 | .Dq aes128-ctr , | 482 | .Dq aes128-ctr , |
480 | .Dq aes192-ctr , | 483 | .Dq aes192-ctr , |
481 | .Dq aes256-ctr , | 484 | .Dq aes256-ctr , |
485 | .Dq arcfour128 , | ||
486 | .Dq arcfour256 , | ||
482 | .Dq arcfour , | 487 | .Dq arcfour , |
483 | .Dq blowfish-cbc , | 488 | .Dq blowfish-cbc , |
484 | and | 489 | and |
485 | .Dq cast128-cbc . | 490 | .Dq cast128-cbc . |
486 | The default is | 491 | The default is |
487 | .Bd -literal | 492 | .Bd -literal |
488 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, | 493 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, |
489 | aes192-cbc,aes256-cbc'' | 494 | arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, |
495 | aes192-ctr,aes256-ctr'' | ||
490 | .Ed | 496 | .Ed |
491 | .It Fl D Ar port | 497 | .It Fl D Ar port |
492 | Specifies a local | 498 | Specifies a local |
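Review bot: `arcfour128` and `arcfour256` are added to the supported list (lines 485-486) and placed in the default ahead of plain `arcfour` (line 493), yet nothing in the `-c` text explains how they differ from `arcfour`, so a user choosing a cipher by name has no basis for preferring one over the other; add a sentence on the distinction or refer to the Ciphers keyword in ssh_config(5). Separately, the text says only "The default is" without stating that the string is an ordered preference list. If it is, say so, because as written (lines 493-495) `aes128-cbc` leads and the three `-ctr` modes are appended at the very end, which means the newly added CTR entries are the last thing the client will ask for; if the intent of adding them to the default was for them to actually be used, they need to move up the list.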
@@ -522,7 +528,7 @@ the system-wide configuration file | |||
522 | .Pq Pa /etc/ssh/ssh_config | 528 | .Pq Pa /etc/ssh/ssh_config |
523 | will be ignored. | 529 | will be ignored. |
524 | The default for the per-user configuration file is | 530 | The default for the per-user configuration file is |
525 | .Pa $HOME/.ssh/config . | 531 | .Pa ~/.ssh/config . |
526 | .It Fl f | 532 | .It Fl f |
527 | Requests | 533 | Requests |
528 | .Nm | 534 | .Nm |
@@ -548,11 +554,11 @@ private RSA key. | |||
548 | Selects a file from which the identity (private key) for | 554 | Selects a file from which the identity (private key) for |
549 | RSA or DSA authentication is read. | 555 | RSA or DSA authentication is read. |
550 | The default is | 556 | The default is |
551 | .Pa $HOME/.ssh/identity | 557 | .Pa ~/.ssh/identity |
552 | for protocol version 1, and | 558 | for protocol version 1, and |
553 | .Pa $HOME/.ssh/id_rsa | 559 | .Pa ~/.ssh/id_rsa |
554 | and | 560 | and |
555 | .Pa $HOME/.ssh/id_dsa | 561 | .Pa ~/.ssh/id_dsa |
556 | for protocol version 2. | 562 | for protocol version 2. |
557 | Identity files may also be specified on | 563 | Identity files may also be specified on |
558 | a per-host basis in the configuration file. | 564 | a per-host basis in the configuration file. |
@@ -945,7 +951,7 @@ Set to the name of the user logging in. | |||
945 | Additionally, | 951 | Additionally, |
946 | .Nm | 952 | .Nm |
947 | reads | 953 | reads |
948 | .Pa $HOME/.ssh/environment , | 954 | .Pa ~/.ssh/environment , |
949 | and adds lines of the format | 955 | and adds lines of the format |
950 | .Dq VARNAME=value | 956 | .Dq VARNAME=value |
951 | to the environment if the file exists and if users are allowed to | 957 | to the environment if the file exists and if users are allowed to |
@@ -956,13 +962,13 @@ option in | |||
956 | .Xr sshd_config 5 . | 962 | .Xr sshd_config 5 . |
957 | .Sh FILES | 963 | .Sh FILES |
958 | .Bl -tag -width Ds | 964 | .Bl -tag -width Ds |
959 | .It Pa $HOME/.ssh/known_hosts | 965 | .It Pa ~/.ssh/known_hosts |
960 | Records host keys for all hosts the user has logged into that are not | 966 | Records host keys for all hosts the user has logged into that are not |
961 | in | 967 | in |
962 | .Pa /etc/ssh/ssh_known_hosts . | 968 | .Pa /etc/ssh/ssh_known_hosts . |
963 | See | 969 | See |
964 | .Xr sshd 8 . | 970 | .Xr sshd 8 . |
965 | .It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa | 971 | .It Pa ~/.ssh/identity, ~/.ssh/id_dsa, ~/.ssh/id_rsa |
966 | Contains the authentication identity of the user. | 972 | Contains the authentication identity of the user. |
967 | They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. | 973 | They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. |
968 | These files | 974 | These files |
@@ -974,21 +980,21 @@ ignores a private key file if it is accessible by others. | |||
974 | It is possible to specify a passphrase when | 980 | It is possible to specify a passphrase when |
975 | generating the key; the passphrase will be used to encrypt the | 981 | generating the key; the passphrase will be used to encrypt the |
976 | sensitive part of this file using 3DES. | 982 | sensitive part of this file using 3DES. |
977 | .It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub | 983 | .It Pa ~/.ssh/identity.pub, ~/.ssh/id_dsa.pub, ~/.ssh/id_rsa.pub |
978 | Contains the public key for authentication (public part of the | 984 | Contains the public key for authentication (public part of the |
979 | identity file in human-readable form). | 985 | identity file in human-readable form). |
980 | The contents of the | 986 | The contents of the |
981 | .Pa $HOME/.ssh/identity.pub | 987 | .Pa ~/.ssh/identity.pub |
982 | file should be added to the file | 988 | file should be added to the file |
983 | .Pa $HOME/.ssh/authorized_keys | 989 | .Pa ~/.ssh/authorized_keys |
984 | on all machines | 990 | on all machines |
985 | where the user wishes to log in using protocol version 1 RSA authentication. | 991 | where the user wishes to log in using protocol version 1 RSA authentication. |
986 | The contents of the | 992 | The contents of the |
987 | .Pa $HOME/.ssh/id_dsa.pub | 993 | .Pa ~/.ssh/id_dsa.pub |
988 | and | 994 | and |
989 | .Pa $HOME/.ssh/id_rsa.pub | 995 | .Pa ~/.ssh/id_rsa.pub |
990 | file should be added to | 996 | file should be added to |
991 | .Pa $HOME/.ssh/authorized_keys | 997 | .Pa ~/.ssh/authorized_keys |
992 | on all machines | 998 | on all machines |
993 | where the user wishes to log in using protocol version 2 DSA/RSA authentication. | 999 | where the user wishes to log in using protocol version 2 DSA/RSA authentication. |
994 | These files are not | 1000 | These files are not |
@@ -996,7 +1002,7 @@ sensitive and can (but need not) be readable by anyone. | |||
996 | These files are | 1002 | These files are |
997 | never used automatically and are not necessary; they are only provided for | 1003 | never used automatically and are not necessary; they are only provided for |
998 | the convenience of the user. | 1004 | the convenience of the user. |
999 | .It Pa $HOME/.ssh/config | 1005 | .It Pa ~/.ssh/config |
1000 | This is the per-user configuration file. | 1006 | This is the per-user configuration file. |
1001 | The file format and configuration options are described in | 1007 | The file format and configuration options are described in |
1002 | .Xr ssh_config 5 . | 1008 | .Xr ssh_config 5 . |
@@ -1004,7 +1010,7 @@ Because of the potential for abuse, this file must have strict permissions: | |||
1004 | read/write for the user, and not accessible by others. | 1010 | read/write for the user, and not accessible by others. |
1005 | It may be group-writable provided that the group in question contains only | 1011 | It may be group-writable provided that the group in question contains only |
1006 | the user. | 1012 | the user. |
1007 | .It Pa $HOME/.ssh/authorized_keys | 1013 | .It Pa ~/.ssh/authorized_keys |
1008 | Lists the public keys (RSA/DSA) that can be used for logging in as this user. | 1014 | Lists the public keys (RSA/DSA) that can be used for logging in as this user. |
1009 | The format of this file is described in the | 1015 | The format of this file is described in the |
1010 | .Xr sshd 8 | 1016 | .Xr sshd 8 |
@@ -1064,7 +1070,7 @@ be setuid root when that authentication method is used. | |||
1064 | By default | 1070 | By default |
1065 | .Nm | 1071 | .Nm |
1066 | is not setuid root. | 1072 | is not setuid root. |
1067 | .It Pa $HOME/.rhosts | 1073 | .It Pa ~/.rhosts |
1068 | This file is used in | 1074 | This file is used in |
1069 | .Cm RhostsRSAAuthentication | 1075 | .Cm RhostsRSAAuthentication |
1070 | and | 1076 | and |
@@ -1094,12 +1100,12 @@ authentication before permitting log in. | |||
1094 | If the server machine does not have the client's host key in | 1100 | If the server machine does not have the client's host key in |
1095 | .Pa /etc/ssh/ssh_known_hosts , | 1101 | .Pa /etc/ssh/ssh_known_hosts , |
1096 | it can be stored in | 1102 | it can be stored in |
1097 | .Pa $HOME/.ssh/known_hosts . | 1103 | .Pa ~/.ssh/known_hosts . |
1098 | The easiest way to do this is to | 1104 | The easiest way to do this is to |
1099 | connect back to the client from the server machine using ssh; this | 1105 | connect back to the client from the server machine using ssh; this |
1100 | will automatically add the host key to | 1106 | will automatically add the host key to |
1101 | .Pa $HOME/.ssh/known_hosts . | 1107 | .Pa ~/.ssh/known_hosts . |
1102 | .It Pa $HOME/.shosts | 1108 | .It Pa ~/.shosts |
1103 | This file is used exactly the same way as | 1109 | This file is used exactly the same way as |
1104 | .Pa .rhosts . | 1110 | .Pa .rhosts . |
1105 | The purpose for | 1111 | The purpose for |
@@ -1139,7 +1145,7 @@ when the user logs in just before the user's shell (or command) is started. | |||
1139 | See the | 1145 | See the |
1140 | .Xr sshd 8 | 1146 | .Xr sshd 8 |
1141 | manual page for more information. | 1147 | manual page for more information. |
1142 | .It Pa $HOME/.ssh/rc | 1148 | .It Pa ~/.ssh/rc |
1143 | Commands in this file are executed by | 1149 | Commands in this file are executed by |
1144 | .Nm | 1150 | .Nm |
1145 | when the user logs in just before the user's shell (or command) is | 1151 | when the user logs in just before the user's shell (or command) is |
@@ -1147,7 +1153,7 @@ started. | |||
1147 | See the | 1153 | See the |
1148 | .Xr sshd 8 | 1154 | .Xr sshd 8 |
1149 | manual page for more information. | 1155 | manual page for more information. |
1150 | .It Pa $HOME/.ssh/environment | 1156 | .It Pa ~/.ssh/environment |
1151 | Contains additional definitions for environment variables, see section | 1157 | Contains additional definitions for environment variables, see section |
1152 | .Sx ENVIRONMENT | 1158 | .Sx ENVIRONMENT |
1153 | above. | 1159 | above. |