author | Colin Watson <cjwatson@debian.org> | 2004-03-01 02:25:32 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2004-03-01 02:25:32 +0000 |
commit | ea8116a11e3de70036dbc665ccb0d486cf89cac9 (patch) | |
tree | d73ccdff78d8608e156465af42e6a1b3527fb2d6 /ssh.1 | |
parent | e39b311381a5609cc05acf298c42fba196dc524b (diff) | |
parent | f5bda272678ec6dccaa5f29379cf60cb855018e8 (diff) |
Merge 3.8p1 to the trunk. This builds and runs, but I haven't tested it
extensively yet.
ProtocolKeepAlives is now just a compatibility alias for
ServerAliveInterval.
Diffstat (limited to 'ssh.1')
-rw-r--r-- | ssh.1 | 490 |
1 files changed, 280 insertions, 210 deletions
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh.1,v 1.175 2003/07/22 13:35:22 markus Exp $ | 37 | .\" $OpenBSD: ssh.1,v 1.181 2003/12/16 15:49:51 markus Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH 1 | 39 | .Dt SSH 1 |
40 | .Os | 40 | .Os |
@@ -43,22 +43,14 @@ | |||
43 | .Nd OpenSSH SSH client (remote login program) | 43 | .Nd OpenSSH SSH client (remote login program) |
44 | .Sh SYNOPSIS | 44 | .Sh SYNOPSIS |
45 | .Nm ssh | 45 | .Nm ssh |
46 | .Op Fl l Ar login_name | 46 | .Op Fl 1246AaCfgkNnqsTtVvXxY |
47 | .Ar hostname | user@hostname | ||
48 | .Op Ar command | ||
49 | .Pp | ||
50 | .Nm ssh | ||
51 | .Bk -words | ||
52 | .Op Fl afgknqstvxACNTVX1246 | ||
53 | .Op Fl b Ar bind_address | 47 | .Op Fl b Ar bind_address |
54 | .Op Fl c Ar cipher_spec | 48 | .Op Fl c Ar cipher_spec |
49 | .Op Fl D Ar port | ||
55 | .Op Fl e Ar escape_char | 50 | .Op Fl e Ar escape_char |
56 | .Op Fl i Ar identity_file | ||
57 | .Op Fl l Ar login_name | ||
58 | .Op Fl m Ar mac_spec | ||
59 | .Op Fl o Ar option | ||
60 | .Op Fl p Ar port | ||
61 | .Op Fl F Ar configfile | 51 | .Op Fl F Ar configfile |
52 | .Op Fl i Ar identity_file | ||
53 | .Bk -words | ||
62 | .Oo Fl L Xo | 54 | .Oo Fl L Xo |
63 | .Sm off | 55 | .Sm off |
64 | .Ar port : | 56 | .Ar port : |
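
Review bot: The rewritten SYNOPSIS still has no entry for `-I smartcard_device`: new lines 51 and 52 go straight from `.Op Fl F Ar configfile` to `.Op Fl i Ar identity_file`, while the options list later in this patch documents `.It Fl I Ar smartcard_device` immediately before `-i`. Add `.Op Fl I Ar smartcard_device` between them so the synopsis and the options list agree.
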
@@ -68,7 +60,12 @@ | |||
68 | .Xc | 60 | .Xc |
69 | .Oc | 61 | .Oc |
70 | .Ek | 62 | .Ek |
63 | .Op Fl l Ar login_name | ||
64 | .Op Fl m Ar mac_spec | ||
65 | .Op Fl o Ar option | ||
71 | .Bk -words | 66 | .Bk -words |
67 | .Op Fl p Ar port | ||
68 | .Ek | ||
72 | .Oo Fl R Xo | 69 | .Oo Fl R Xo |
73 | .Sm off | 70 | .Sm off |
74 | .Ar port : | 71 | .Ar port : |
@@ -77,29 +74,34 @@ | |||
77 | .Sm on | 74 | .Sm on |
78 | .Xc | 75 | .Xc |
79 | .Oc | 76 | .Oc |
80 | .Op Fl D Ar port | 77 | .Oo Ar user Ns @ Oc Ns Ar hostname |
81 | .Ar hostname | user@hostname | ||
82 | .Op Ar command | 78 | .Op Ar command |
83 | .Ek | ||
84 | .Sh DESCRIPTION | 79 | .Sh DESCRIPTION |
85 | .Nm | 80 | .Nm |
86 | (SSH client) is a program for logging into a remote machine and for | 81 | (SSH client) is a program for logging into a remote machine and for |
87 | executing commands on a remote machine. | 82 | executing commands on a remote machine. |
88 | It is intended to replace | 83 | It is intended to replace rlogin and rsh, |
89 | rlogin and rsh, and provide secure encrypted communications between | 84 | and provide secure encrypted communications between |
90 | two untrusted hosts over an insecure network. | 85 | two untrusted hosts over an insecure network. |
91 | X11 connections and | 86 | X11 connections and arbitrary TCP/IP ports |
92 | arbitrary TCP/IP ports can also be forwarded over the secure channel. | 87 | can also be forwarded over the secure channel. |
93 | .Pp | 88 | .Pp |
94 | .Nm | 89 | .Nm |
95 | connects and logs into the specified | 90 | connects and logs into the specified |
96 | .Ar hostname . | 91 | .Ar hostname |
92 | (with optional | ||
93 | .Ar user | ||
94 | name). | ||
97 | The user must prove | 95 | The user must prove |
98 | his/her identity to the remote machine using one of several methods | 96 | his/her identity to the remote machine using one of several methods |
99 | depending on the protocol version used: | 97 | depending on the protocol version used. |
100 | .Pp | 98 | .Pp |
99 | If | ||
100 | .Ar command | ||
101 | is specified, | ||
102 | .Ar command | ||
103 | is executed on the remote host instead of a login shell. | ||
101 | .Ss SSH protocol version 1 | 104 | .Ss SSH protocol version 1 |
102 | .Pp | ||
103 | First, if the machine the user logs in from is listed in | 105 | First, if the machine the user logs in from is listed in |
104 | .Pa /etc/hosts.equiv | 106 | .Pa /etc/hosts.equiv |
105 | or | 107 | or |
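
Review bot: The new paragraph at new lines 99-103 ("If command is specified, command is executed on the remote host instead of a login shell.") sits between the sentence that introduces the authentication methods ("... depending on the protocol version used.") and the `.Ss SSH protocol version 1` subsection that describes them, so the introduction no longer leads into what it introduces. Move the command paragraph ahead of "The user must prove", or into the "Login session and remote execution" subsection, which already covers the server executing the given command.
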
@@ -107,9 +109,9 @@ or | |||
107 | on the remote machine, and the user names are | 109 | on the remote machine, and the user names are |
108 | the same on both sides, the user is immediately permitted to log in. | 110 | the same on both sides, the user is immediately permitted to log in. |
109 | Second, if | 111 | Second, if |
110 | .Pa \&.rhosts | 112 | .Pa .rhosts |
111 | or | 113 | or |
112 | .Pa \&.shosts | 114 | .Pa .shosts |
113 | exists in the user's home directory on the | 115 | exists in the user's home directory on the |
114 | remote machine and contains a line containing the name of the client | 116 | remote machine and contains a line containing the name of the client |
115 | machine and the name of the user on that machine, the user is | 117 | machine and the name of the user on that machine, the user is |
@@ -118,9 +120,9 @@ This form of authentication alone is normally not | |||
118 | allowed by the server because it is not secure. | 120 | allowed by the server because it is not secure. |
119 | .Pp | 121 | .Pp |
120 | The second authentication method is the | 122 | The second authentication method is the |
121 | .Pa rhosts | 123 | .Em rhosts |
122 | or | 124 | or |
123 | .Pa hosts.equiv | 125 | .Em hosts.equiv |
124 | method combined with RSA-based host authentication. | 126 | method combined with RSA-based host authentication. |
125 | It means that if the login would be permitted by | 127 | It means that if the login would be permitted by |
126 | .Pa $HOME/.rhosts , | 128 | .Pa $HOME/.rhosts , |
@@ -135,7 +137,7 @@ and | |||
135 | .Pa $HOME/.ssh/known_hosts | 137 | .Pa $HOME/.ssh/known_hosts |
136 | in the | 138 | in the |
137 | .Sx FILES | 139 | .Sx FILES |
138 | section), only then login is permitted. | 140 | section), only then is login permitted. |
139 | This authentication method closes security holes due to IP | 141 | This authentication method closes security holes due to IP |
140 | spoofing, DNS spoofing and routing spoofing. | 142 | spoofing, DNS spoofing and routing spoofing. |
141 | [Note to the administrator: | 143 | [Note to the administrator: |
@@ -154,24 +156,23 @@ RSA is one such system. | |||
154 | The idea is that each user creates a public/private | 156 | The idea is that each user creates a public/private |
155 | key pair for authentication purposes. | 157 | key pair for authentication purposes. |
156 | The server knows the public key, and only the user knows the private key. | 158 | The server knows the public key, and only the user knows the private key. |
159 | .Pp | ||
157 | The file | 160 | The file |
158 | .Pa $HOME/.ssh/authorized_keys | 161 | .Pa $HOME/.ssh/authorized_keys |
159 | lists the public keys that are permitted for logging | 162 | lists the public keys that are permitted for logging in. |
160 | in. | ||
161 | When the user logs in, the | 163 | When the user logs in, the |
162 | .Nm | 164 | .Nm |
163 | program tells the server which key pair it would like to use for | 165 | program tells the server which key pair it would like to use for |
164 | authentication. | 166 | authentication. |
165 | The server checks if this key is permitted, and if | 167 | The server checks if this key is permitted, and if so, |
166 | so, sends the user (actually the | 168 | sends the user (actually the |
167 | .Nm | 169 | .Nm |
168 | program running on behalf of the user) a challenge, a random number, | 170 | program running on behalf of the user) a challenge, a random number, |
169 | encrypted by the user's public key. | 171 | encrypted by the user's public key. |
170 | The challenge can only be | 172 | The challenge can only be decrypted using the proper private key. |
171 | decrypted using the proper private key. | 173 | The user's client then decrypts the challenge using the private key, |
172 | The user's client then decrypts the | 174 | proving that he/she knows the private key |
173 | challenge using the private key, proving that he/she knows the private | 175 | but without disclosing it to the server. |
174 | key but without disclosing it to the server. | ||
175 | .Pp | 176 | .Pp |
176 | .Nm | 177 | .Nm |
177 | implements the RSA authentication protocol automatically. | 178 | implements the RSA authentication protocol automatically. |
@@ -179,7 +180,7 @@ The user creates his/her RSA key pair by running | |||
179 | .Xr ssh-keygen 1 . | 180 | .Xr ssh-keygen 1 . |
180 | This stores the private key in | 181 | This stores the private key in |
181 | .Pa $HOME/.ssh/identity | 182 | .Pa $HOME/.ssh/identity |
182 | and the public key in | 183 | and stores the public key in |
183 | .Pa $HOME/.ssh/identity.pub | 184 | .Pa $HOME/.ssh/identity.pub |
184 | in the user's home directory. | 185 | in the user's home directory. |
185 | The user should then copy the | 186 | The user should then copy the |
@@ -193,8 +194,9 @@ file corresponds to the conventional | |||
193 | file, and has one key | 194 | file, and has one key |
194 | per line, though the lines can be very long). | 195 | per line, though the lines can be very long). |
195 | After this, the user can log in without giving the password. | 196 | After this, the user can log in without giving the password. |
196 | RSA authentication is much | 197 | RSA authentication is much more secure than |
197 | more secure than rhosts authentication. | 198 | .Em rhosts |
199 | authentication. | ||
198 | .Pp | 200 | .Pp |
199 | The most convenient way to use RSA authentication may be with an | 201 | The most convenient way to use RSA authentication may be with an |
200 | authentication agent. | 202 | authentication agent. |
@@ -208,16 +210,14 @@ prompts the user for a password. | |||
208 | The password is sent to the remote | 210 | The password is sent to the remote |
209 | host for checking; however, since all communications are encrypted, | 211 | host for checking; however, since all communications are encrypted, |
210 | the password cannot be seen by someone listening on the network. | 212 | the password cannot be seen by someone listening on the network. |
211 | .Pp | ||
212 | .Ss SSH protocol version 2 | 213 | .Ss SSH protocol version 2 |
213 | .Pp | 214 | When a user connects using protocol version 2, |
214 | When a user connects using protocol version 2 | ||
215 | similar authentication methods are available. | 215 | similar authentication methods are available. |
216 | Using the default values for | 216 | Using the default values for |
217 | .Cm PreferredAuthentications , | 217 | .Cm PreferredAuthentications , |
218 | the client will try to authenticate first using the hostbased method; | 218 | the client will try to authenticate first using the hostbased method; |
219 | if this method fails public key authentication is attempted, | 219 | if this method fails, public key authentication is attempted, |
220 | and finally if this method fails keyboard-interactive and | 220 | and finally if this method fails, keyboard-interactive and |
221 | password authentication are tried. | 221 | password authentication are tried. |
222 | .Pp | 222 | .Pp |
223 | The public key method is similar to RSA authentication described | 223 | The public key method is similar to RSA authentication described |
@@ -233,8 +233,8 @@ and grants access if both the key is found and the signature is correct. | |||
233 | The session identifier is derived from a shared Diffie-Hellman value | 233 | The session identifier is derived from a shared Diffie-Hellman value |
234 | and is only known to the client and the server. | 234 | and is only known to the client and the server. |
235 | .Pp | 235 | .Pp |
236 | If public key authentication fails or is not available a password | 236 | If public key authentication fails or is not available, a password |
237 | can be sent encrypted to the remote host for proving the user's identity. | 237 | can be sent encrypted to the remote host to prove the user's identity. |
238 | .Pp | 238 | .Pp |
239 | Additionally, | 239 | Additionally, |
240 | .Nm | 240 | .Nm |
@@ -245,9 +245,7 @@ Protocol 2 provides additional mechanisms for confidentiality | |||
245 | and integrity (hmac-md5, hmac-sha1). | 245 | and integrity (hmac-md5, hmac-sha1). |
246 | Note that protocol 1 lacks a strong mechanism for ensuring the | 246 | Note that protocol 1 lacks a strong mechanism for ensuring the |
247 | integrity of the connection. | 247 | integrity of the connection. |
248 | .Pp | ||
249 | .Ss Login session and remote execution | 248 | .Ss Login session and remote execution |
250 | .Pp | ||
251 | When the user's identity has been accepted by the server, the server | 249 | When the user's identity has been accepted by the server, the server |
252 | either executes the given command, or logs into the machine and gives | 250 | either executes the given command, or logs into the machine and gives |
253 | the user a normal shell on the remote machine. | 251 | the user a normal shell on the remote machine. |
@@ -257,23 +255,20 @@ the remote command or shell will be automatically encrypted. | |||
257 | If a pseudo-terminal has been allocated (normal login session), the | 255 | If a pseudo-terminal has been allocated (normal login session), the |
258 | user may use the escape characters noted below. | 256 | user may use the escape characters noted below. |
259 | .Pp | 257 | .Pp |
260 | If no pseudo tty has been allocated, the | 258 | If no pseudo-tty has been allocated, |
261 | session is transparent and can be used to reliably transfer binary | 259 | the session is transparent and can be used to reliably transfer binary data. |
262 | data. | ||
263 | On most systems, setting the escape character to | 260 | On most systems, setting the escape character to |
264 | .Dq none | 261 | .Dq none |
265 | will also make the session transparent even if a tty is used. | 262 | will also make the session transparent even if a tty is used. |
266 | .Pp | 263 | .Pp |
267 | The session terminates when the command or shell on the remote | 264 | The session terminates when the command or shell on the remote |
268 | machine exits and all X11 and TCP/IP connections have been closed. | 265 | machine exits and all X11 and TCP/IP connections have been closed. |
269 | The exit status of the remote program is returned as the exit status | 266 | The exit status of the remote program is returned as the exit status of |
270 | of | ||
271 | .Nm ssh . | 267 | .Nm ssh . |
272 | .Pp | ||
273 | .Ss Escape Characters | 268 | .Ss Escape Characters |
274 | .Pp | 269 | When a pseudo-terminal has been requested, |
275 | When a pseudo terminal has been requested, ssh supports a number of functions | 270 | .Nm |
276 | through the use of an escape character. | 271 | supports a number of functions through the use of an escape character. |
277 | .Pp | 272 | .Pp |
278 | A single tilde character can be sent as | 273 | A single tilde character can be sent as |
279 | .Ic ~~ | 274 | .Ic ~~ |
@@ -291,37 +286,37 @@ The supported escapes (assuming the default | |||
291 | are: | 286 | are: |
292 | .Bl -tag -width Ds | 287 | .Bl -tag -width Ds |
293 | .It Cm ~. | 288 | .It Cm ~. |
294 | Disconnect | 289 | Disconnect. |
295 | .It Cm ~^Z | 290 | .It Cm ~^Z |
296 | Background ssh | 291 | Background |
292 | .Nm ssh . | ||
297 | .It Cm ~# | 293 | .It Cm ~# |
298 | List forwarded connections | 294 | List forwarded connections. |
299 | .It Cm ~& | 295 | .It Cm ~& |
300 | Background ssh at logout when waiting for forwarded connection / X11 sessions | 296 | Background |
301 | to terminate | 297 | .Nm |
298 | at logout when waiting for forwarded connection / X11 sessions to terminate. | ||
302 | .It Cm ~? | 299 | .It Cm ~? |
303 | Display a list of escape characters | 300 | Display a list of escape characters. |
304 | .It Cm ~B | 301 | .It Cm ~B |
305 | Send a BREAK to the remote system (only useful for SSH protocol version 2 | 302 | Send a BREAK to the remote system |
306 | and if the peer supports it) | 303 | (only useful for SSH protocol version 2 and if the peer supports it). |
307 | .It Cm ~C | 304 | .It Cm ~C |
308 | Open command line (only useful for adding port forwardings using the | 305 | Open command line (only useful for adding port forwardings using the |
309 | .Fl L | 306 | .Fl L |
310 | and | 307 | and |
311 | .Fl R | 308 | .Fl R |
312 | options) | 309 | options). |
313 | .It Cm ~R | 310 | .It Cm ~R |
314 | Request rekeying of the connection (only useful for SSH protocol version 2 | 311 | Request rekeying of the connection |
315 | and if the peer supports it) | 312 | (only useful for SSH protocol version 2 and if the peer supports it). |
316 | .El | 313 | .El |
317 | .Pp | ||
318 | .Ss X11 and TCP forwarding | 314 | .Ss X11 and TCP forwarding |
319 | .Pp | ||
320 | If the | 315 | If the |
321 | .Cm ForwardX11 | 316 | .Cm ForwardX11 |
322 | variable is set to | 317 | variable is set to |
323 | .Dq yes | 318 | .Dq yes |
324 | (or, see the description of the | 319 | (or see the description of the |
325 | .Fl X | 320 | .Fl X |
326 | and | 321 | and |
327 | .Fl x | 322 | .Fl x |
@@ -342,8 +337,7 @@ The | |||
342 | .Ev DISPLAY | 337 | .Ev DISPLAY |
343 | value set by | 338 | value set by |
344 | .Nm | 339 | .Nm |
345 | will point to the server machine, but with a display number greater | 340 | will point to the server machine, but with a display number greater than zero. |
346 | than zero. | ||
347 | This is normal, and happens because | 341 | This is normal, and happens because |
348 | .Nm | 342 | .Nm |
349 | creates a | 343 | creates a |
@@ -364,7 +358,7 @@ If the | |||
364 | .Cm ForwardAgent | 358 | .Cm ForwardAgent |
365 | variable is set to | 359 | variable is set to |
366 | .Dq yes | 360 | .Dq yes |
367 | (or, see the description of the | 361 | (or see the description of the |
368 | .Fl A | 362 | .Fl A |
369 | and | 363 | and |
370 | .Fl a | 364 | .Fl a |
@@ -376,9 +370,7 @@ Forwarding of arbitrary TCP/IP connections over the secure channel can | |||
376 | be specified either on the command line or in a configuration file. | 370 | be specified either on the command line or in a configuration file. |
377 | One possible application of TCP/IP forwarding is a secure connection to an | 371 | One possible application of TCP/IP forwarding is a secure connection to an |
378 | electronic purse; another is going through firewalls. | 372 | electronic purse; another is going through firewalls. |
379 | .Pp | ||
380 | .Ss Server authentication | 373 | .Ss Server authentication |
381 | .Pp | ||
382 | .Nm | 374 | .Nm |
383 | automatically maintains and checks a database containing | 375 | automatically maintains and checks a database containing |
384 | identifications for all hosts it has ever been used with. | 376 | identifications for all hosts it has ever been used with. |
@@ -389,14 +381,12 @@ Additionally, the file | |||
389 | .Pa /etc/ssh/ssh_known_hosts | 381 | .Pa /etc/ssh/ssh_known_hosts |
390 | is automatically checked for known hosts. | 382 | is automatically checked for known hosts. |
391 | Any new hosts are automatically added to the user's file. | 383 | Any new hosts are automatically added to the user's file. |
392 | If a host's identification | 384 | If a host's identification ever changes, |
393 | ever changes, | ||
394 | .Nm | 385 | .Nm |
395 | warns about this and disables password authentication to prevent a | 386 | warns about this and disables password authentication to prevent a |
396 | trojan horse from getting the user's password. | 387 | trojan horse from getting the user's password. |
397 | Another purpose of | 388 | Another purpose of this mechanism is to prevent man-in-the-middle attacks |
398 | this mechanism is to prevent man-in-the-middle attacks which could | 389 | which could otherwise be used to circumvent the encryption. |
399 | otherwise be used to circumvent the encryption. | ||
400 | The | 390 | The |
401 | .Cm StrictHostKeyChecking | 391 | .Cm StrictHostKeyChecking |
402 | option can be used to prevent logins to machines whose | 392 | option can be used to prevent logins to machines whose |
@@ -404,8 +394,22 @@ host key is not known or has changed. | |||
404 | .Pp | 394 | .Pp |
405 | The options are as follows: | 395 | The options are as follows: |
406 | .Bl -tag -width Ds | 396 | .Bl -tag -width Ds |
407 | .It Fl a | 397 | .It Fl 1 |
408 | Disables forwarding of the authentication agent connection. | 398 | Forces |
399 | .Nm | ||
400 | to try protocol version 1 only. | ||
401 | .It Fl 2 | ||
402 | Forces | ||
403 | .Nm | ||
404 | to try protocol version 2 only. | ||
405 | .It Fl 4 | ||
406 | Forces | ||
407 | .Nm | ||
408 | to use IPv4 addresses only. | ||
409 | .It Fl 6 | ||
410 | Forces | ||
411 | .Nm | ||
412 | to use IPv6 addresses only. | ||
409 | .It Fl A | 413 | .It Fl A |
410 | Enables forwarding of the authentication agent connection. | 414 | Enables forwarding of the authentication agent connection. |
411 | This can also be specified on a per-host basis in a configuration file. | 415 | This can also be specified on a per-host basis in a configuration file. |
@@ -417,10 +421,28 @@ can access the local agent through the forwarded connection. | |||
417 | An attacker cannot obtain key material from the agent, | 421 | An attacker cannot obtain key material from the agent, |
418 | however they can perform operations on the keys that enable them to | 422 | however they can perform operations on the keys that enable them to |
419 | authenticate using the identities loaded into the agent. | 423 | authenticate using the identities loaded into the agent. |
424 | .It Fl a | ||
425 | Disables forwarding of the authentication agent connection. | ||
420 | .It Fl b Ar bind_address | 426 | .It Fl b Ar bind_address |
421 | Specify the interface to transmit from on machines with multiple | 427 | Specify the interface to transmit from on machines with multiple |
422 | interfaces or aliased addresses. | 428 | interfaces or aliased addresses. |
423 | .It Fl c Ar blowfish|3des|des | 429 | .It Fl C |
430 | Requests compression of all data (including stdin, stdout, stderr, and | ||
431 | data for forwarded X11 and TCP/IP connections). | ||
432 | The compression algorithm is the same used by | ||
433 | .Xr gzip 1 , | ||
434 | and the | ||
435 | .Dq level | ||
436 | can be controlled by the | ||
437 | .Cm CompressionLevel | ||
438 | option for protocol version 1. | ||
439 | Compression is desirable on modem lines and other | ||
440 | slow connections, but will only slow down things on fast networks. | ||
441 | The default value can be set on a host-by-host basis in the | ||
442 | configuration files; see the | ||
443 | .Cm Compression | ||
444 | option. | ||
445 | .It Fl c Ar blowfish | 3des | des | ||
424 | Selects the cipher to use for encrypting the session. | 446 | Selects the cipher to use for encrypting the session. |
425 | .Ar 3des | 447 | .Ar 3des |
426 | is used by default. | 448 | is used by default. |
@@ -428,7 +450,7 @@ It is believed to be secure. | |||
428 | .Ar 3des | 450 | .Ar 3des |
429 | (triple-des) is an encrypt-decrypt-encrypt triple with three different keys. | 451 | (triple-des) is an encrypt-decrypt-encrypt triple with three different keys. |
430 | .Ar blowfish | 452 | .Ar blowfish |
431 | is a fast block cipher, it appears very secure and is much faster than | 453 | is a fast block cipher; it appears very secure and is much faster than |
432 | .Ar 3des . | 454 | .Ar 3des . |
433 | .Ar des | 455 | .Ar des |
434 | is only supported in the | 456 | is only supported in the |
@@ -444,18 +466,41 @@ be specified in order of preference. | |||
444 | See | 466 | See |
445 | .Cm Ciphers | 467 | .Cm Ciphers |
446 | for more information. | 468 | for more information. |
447 | .It Fl e Ar ch|^ch|none | 469 | .It Fl D Ar port |
470 | Specifies a local | ||
471 | .Dq dynamic | ||
472 | application-level port forwarding. | ||
473 | This works by allocating a socket to listen to | ||
474 | .Ar port | ||
475 | on the local side, and whenever a connection is made to this port, the | ||
476 | connection is forwarded over the secure channel, and the application | ||
477 | protocol is then used to determine where to connect to from the | ||
478 | remote machine. | ||
479 | Currently the SOCKS4 and SOCKS5 protocols are supported, and | ||
480 | .Nm | ||
481 | will act as a SOCKS server. | ||
482 | Only root can forward privileged ports. | ||
483 | Dynamic port forwardings can also be specified in the configuration file. | ||
484 | .It Fl e Ar ch | ^ch | none | ||
448 | Sets the escape character for sessions with a pty (default: | 485 | Sets the escape character for sessions with a pty (default: |
449 | .Ql ~ ) . | 486 | .Ql ~ ) . |
450 | The escape character is only recognized at the beginning of a line. | 487 | The escape character is only recognized at the beginning of a line. |
451 | The escape character followed by a dot | 488 | The escape character followed by a dot |
452 | .Pq Ql \&. | 489 | .Pq Ql \&. |
453 | closes the connection, followed | 490 | closes the connection; |
454 | by control-Z suspends the connection, and followed by itself sends the | 491 | followed by control-Z suspends the connection; |
455 | escape character once. | 492 | and followed by itself sends the escape character once. |
456 | Setting the character to | 493 | Setting the character to |
457 | .Dq none | 494 | .Dq none |
458 | disables any escapes and makes the session fully transparent. | 495 | disables any escapes and makes the session fully transparent. |
496 | .It Fl F Ar configfile | ||
497 | Specifies an alternative per-user configuration file. | ||
498 | If a configuration file is given on the command line, | ||
499 | the system-wide configuration file | ||
500 | .Pq Pa /etc/ssh/ssh_config | ||
501 | will be ignored. | ||
502 | The default for the per-user configuration file is | ||
503 | .Pa $HOME/.ssh/config . | ||
459 | .It Fl f | 504 | .It Fl f |
460 | Requests | 505 | Requests |
461 | .Nm | 506 | .Nm |
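
Review bot: The new `-D` entry says ssh will act as a SOCKS server on a socket listening on port "on the local side", but it does not say which address that socket is bound to, or whether `-g` ("Allows remote hosts to connect to local forwarded ports") and GatewayPorts apply to dynamic forwards. Per the text, every connection accepted on that port is relayed from the remote machine, so who can reach the listener matters; state the binding behaviour here or cross-reference `-g`.
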
@@ -471,6 +516,12 @@ something like | |||
471 | .Ic ssh -f host xterm . | 516 | .Ic ssh -f host xterm . |
472 | .It Fl g | 517 | .It Fl g |
473 | Allows remote hosts to connect to local forwarded ports. | 518 | Allows remote hosts to connect to local forwarded ports. |
519 | .It Fl I Ar smartcard_device | ||
520 | Specifies which smartcard device to use. | ||
521 | The argument is the device | ||
522 | .Nm | ||
523 | should use to communicate with a smartcard used for storing the user's | ||
524 | private RSA key. | ||
474 | .It Fl i Ar identity_file | 525 | .It Fl i Ar identity_file |
475 | Selects a file from which the identity (private key) for | 526 | Selects a file from which the identity (private key) for |
476 | RSA or DSA authentication is read. | 527 | RSA or DSA authentication is read. |
@@ -487,15 +538,33 @@ It is possible to have multiple | |||
487 | .Fl i | 538 | .Fl i |
488 | options (and multiple identities specified in | 539 | options (and multiple identities specified in |
489 | configuration files). | 540 | configuration files). |
490 | .It Fl I Ar smartcard_device | ||
491 | Specifies which smartcard device to use. | ||
492 | The argument is the device | ||
493 | .Nm | ||
494 | should use to communicate with a smartcard used for storing the user's | ||
495 | private RSA key. | ||
496 | .It Fl k | 541 | .It Fl k |
497 | Disables forwarding of Kerberos tickets. | 542 | Disables forwarding (delegation) of GSSAPI credentials to the server. |
498 | This may also be specified on a per-host basis in the configuration file. | 543 | .It Fl L Xo |
544 | .Sm off | ||
545 | .Ar port : host : hostport | ||
546 | .Sm on | ||
547 | .Xc | ||
548 | Specifies that the given port on the local (client) host is to be | ||
549 | forwarded to the given host and port on the remote side. | ||
550 | This works by allocating a socket to listen to | ||
551 | .Ar port | ||
552 | on the local side, and whenever a connection is made to this port, the | ||
553 | connection is forwarded over the secure channel, and a connection is | ||
554 | made to | ||
555 | .Ar host | ||
556 | port | ||
557 | .Ar hostport | ||
558 | from the remote machine. | ||
559 | Port forwardings can also be specified in the configuration file. | ||
560 | Only root can forward privileged ports. | ||
561 | IPv6 addresses can be specified with an alternative syntax: | ||
562 | .Sm off | ||
563 | .Xo | ||
564 | .Ar port No / Ar host No / | ||
565 | .Ar hostport . | ||
566 | .Xc | ||
567 | .Sm on | ||
499 | .It Fl l Ar login_name | 568 | .It Fl l Ar login_name |
500 | Specifies the user to log in as on the remote machine. | 569 | Specifies the user to log in as on the remote machine. |
501 | This also may be specified on a per-host basis in the configuration file. | 570 | This also may be specified on a per-host basis in the configuration file. |
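
Review bot: The rewritten `-k` entry drops the sentence "This may also be specified on a per-host basis in the configuration file." without naming the option that now controls this. The `-o` list added later in this patch includes GSSAPIDelegateCredentials; add a pointer to it here so readers can find the per-host equivalent of `-k`.
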
@@ -506,6 +575,10 @@ be specified in order of preference. | |||
506 | See the | 575 | See the |
507 | .Cm MACs | 576 | .Cm MACs |
508 | keyword for more information. | 577 | keyword for more information. |
578 | .It Fl N | ||
579 | Do not execute a remote command. | ||
580 | This is useful for just forwarding ports | ||
581 | (protocol version 2 only). | ||
509 | .It Fl n | 582 | .It Fl n |
510 | Redirects stdin from | 583 | Redirects stdin from |
511 | .Pa /dev/null | 584 | .Pa /dev/null |
@@ -526,14 +599,66 @@ program will be put in the background. | |||
526 | needs to ask for a password or passphrase; see also the | 599 | needs to ask for a password or passphrase; see also the |
527 | .Fl f | 600 | .Fl f |
528 | option.) | 601 | option.) |
529 | .It Fl N | ||
530 | Do not execute a remote command. | ||
531 | This is useful for just forwarding ports | ||
532 | (protocol version 2 only). | ||
533 | .It Fl o Ar option | 602 | .It Fl o Ar option |
534 | Can be used to give options in the format used in the configuration file. | 603 | Can be used to give options in the format used in the configuration file. |
535 | This is useful for specifying options for which there is no separate | 604 | This is useful for specifying options for which there is no separate |
536 | command-line flag. | 605 | command-line flag. |
606 | For full details of the options listed below, and their possible values, see | ||
607 | .Xr ssh_config 5 . | ||
608 | .Pp | ||
609 | .Bl -tag -width Ds -offset indent -compact | ||
610 | .It AddressFamily | ||
611 | .It BatchMode | ||
612 | .It BindAddress | ||
613 | .It ChallengeResponseAuthentication | ||
614 | .It CheckHostIP | ||
615 | .It Cipher | ||
616 | .It Ciphers | ||
617 | .It ClearAllForwardings | ||
618 | .It Compression | ||
619 | .It CompressionLevel | ||
620 | .It ConnectionAttempts | ||
621 | .It ConnectionTimeout | ||
622 | .It DynamicForward | ||
623 | .It EscapeChar | ||
624 | .It ForwardAgent | ||
625 | .It ForwardX11 | ||
626 | .It ForwardX11Trusted | ||
627 | .It GatewayPorts | ||
628 | .It GlobalKnownHostsFile | ||
629 | .It GSSAPIAuthentication | ||
630 | .It GSSAPIDelegateCredentials | ||
631 | .It Host | ||
632 | .It HostbasedAuthentication | ||
633 | .It HostKeyAlgorithms | ||
634 | .It HostKeyAlias | ||
635 | .It HostName | ||
636 | .It IdentityFile | ||
637 | .It LocalForward | ||
638 | .It LogLevel | ||
639 | .It MACs | ||
640 | .It NoHostAuthenticationForLocalhost | ||
641 | .It NumberOfPasswordPrompts | ||
642 | .It PasswordAuthentication | ||
643 | .It Port | ||
644 | .It PreferredAuthentications | ||
645 | .It Protocol | ||
646 | .It ProxyCommand | ||
647 | .It PubkeyAuthentication | ||
648 | .It RemoteForward | ||
649 | .It RhostsRSAAuthentication | ||
650 | .It RSAAuthentication | ||
651 | .It ServerAliveInterval | ||
652 | .It ServerAliveCountMax | ||
653 | .It SmartcardDevice | ||
654 | .It StrictHostKeyChecking | ||
655 | .It TCPKeepAlive | ||
656 | .It UsePrivilegedPort | ||
657 | .It User | ||
658 | .It UserKnownHostsFile | ||
659 | .It VerifyHostKeyDNS | ||
660 | .It XAuthLocation | ||
661 | .El | ||
537 | .It Fl p Ar port | 662 | .It Fl p Ar port |
538 | Port to connect to on the remote host. | 663 | Port to connect to on the remote host. |
539 | This can be specified on a | 664 | This can be specified on a |
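Review bot: In the added -o option list, `.It ConnectionTimeout` does not match the keyword that ssh_config(5) documents, which is ConnectTimeout, so a reader who copies the name into `-o` gets a rejected option; rename the entry. A smaller point in the same list: `.It ServerAliveInterval` is placed before `.It ServerAliveCountMax`, which breaks the otherwise alphabetical order.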
@@ -545,11 +670,40 @@ Only fatal errors are displayed. | |||
545 | If a second | 670 | If a second |
546 | .Fl q | 671 | .Fl q |
547 | is given then even fatal errors are suppressed. | 672 | is given then even fatal errors are suppressed. |
673 | .It Fl R Xo | ||
674 | .Sm off | ||
675 | .Ar port : host : hostport | ||
676 | .Sm on | ||
677 | .Xc | ||
678 | Specifies that the given port on the remote (server) host is to be | ||
679 | forwarded to the given host and port on the local side. | ||
680 | This works by allocating a socket to listen to | ||
681 | .Ar port | ||
682 | on the remote side, and whenever a connection is made to this port, the | ||
683 | connection is forwarded over the secure channel, and a connection is | ||
684 | made to | ||
685 | .Ar host | ||
686 | port | ||
687 | .Ar hostport | ||
688 | from the local machine. | ||
689 | Port forwardings can also be specified in the configuration file. | ||
690 | Privileged ports can be forwarded only when | ||
691 | logging in as root on the remote machine. | ||
692 | IPv6 addresses can be specified with an alternative syntax: | ||
693 | .Sm off | ||
694 | .Xo | ||
695 | .Ar port No / Ar host No / | ||
696 | .Ar hostport . | ||
697 | .Xc | ||
698 | .Sm on | ||
548 | .It Fl s | 699 | .It Fl s |
549 | May be used to request invocation of a subsystem on the remote system. | 700 | May be used to request invocation of a subsystem on the remote system. |
550 | Subsystems are a feature of the SSH2 protocol which facilitate the use | 701 | Subsystems are a feature of the SSH2 protocol which facilitate the use |
551 | of SSH as a secure transport for other applications (eg. sftp). | 702 | of SSH as a secure transport for other applications (eg.\& |
703 | .Xr sftp 1 ) . | ||
552 | The subsystem is specified as the remote command. | 704 | The subsystem is specified as the remote command. |
705 | .It Fl T | ||
706 | Disable pseudo-tty allocation. | ||
553 | .It Fl t | 707 | .It Fl t |
554 | Force pseudo-tty allocation. | 708 | Force pseudo-tty allocation. |
555 | This can be used to execute arbitrary | 709 | This can be used to execute arbitrary |
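Review bot: The new -R entry says a socket is allocated to listen on port on the remote side but never states which address that socket binds to, so a reader cannot tell from this page whether other hosts can reach the forwarded port. Add a sentence after "from the local machine." that describes the bind behaviour and points to GatewayPorts in sshd_config(5), which is the server-side control for it.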
@@ -560,8 +714,8 @@ Multiple | |||
560 | options force tty allocation, even if | 714 | options force tty allocation, even if |
561 | .Nm | 715 | .Nm |
562 | has no local tty. | 716 | has no local tty. |
563 | .It Fl T | 717 | .It Fl V |
564 | Disable pseudo-tty allocation. | 718 | Display the version number and exit. |
565 | .It Fl v | 719 | .It Fl v |
566 | Verbose mode. | 720 | Verbose mode. |
567 | Causes | 721 | Causes |
@@ -573,10 +727,6 @@ Multiple | |||
573 | .Fl v | 727 | .Fl v |
574 | options increase the verbosity. | 728 | options increase the verbosity. |
575 | The maximum is 3. | 729 | The maximum is 3. |
576 | .It Fl V | ||
577 | Display the version number and exit. | ||
578 | .It Fl x | ||
579 | Disables X11 forwarding. | ||
580 | .It Fl X | 730 | .It Fl X |
581 | Enables X11 forwarding. | 731 | Enables X11 forwarding. |
582 | This can also be specified on a per-host basis in a configuration file. | 732 | This can also be specified on a per-host basis in a configuration file. |
@@ -586,94 +736,10 @@ Users with the ability to bypass file permissions on the remote host | |||
586 | (for the user's X authorization database) | 736 | (for the user's X authorization database) |
587 | can access the local X11 display through the forwarded connection. | 737 | can access the local X11 display through the forwarded connection. |
588 | An attacker may then be able to perform activities such as keystroke monitoring. | 738 | An attacker may then be able to perform activities such as keystroke monitoring. |
589 | .It Fl C | 739 | .It Fl x |
590 | Requests compression of all data (including stdin, stdout, stderr, and | 740 | Disables X11 forwarding. |
591 | data for forwarded X11 and TCP/IP connections). | 741 | .It Fl Y |
592 | The compression algorithm is the same used by | 742 | Enables trusted X11 forwarding. |
593 | .Xr gzip 1 , | ||
594 | and the | ||
595 | .Dq level | ||
596 | can be controlled by the | ||
597 | .Cm CompressionLevel | ||
598 | option for protocol version 1. | ||
599 | Compression is desirable on modem lines and other | ||
600 | slow connections, but will only slow down things on fast networks. | ||
601 | The default value can be set on a host-by-host basis in the | ||
602 | configuration files; see the | ||
603 | .Cm Compression | ||
604 | option. | ||
605 | .It Fl F Ar configfile | ||
606 | Specifies an alternative per-user configuration file. | ||
607 | If a configuration file is given on the command line, | ||
608 | the system-wide configuration file | ||
609 | .Pq Pa /etc/ssh/ssh_config | ||
610 | will be ignored. | ||
611 | The default for the per-user configuration file is | ||
612 | .Pa $HOME/.ssh/config . | ||
613 | .It Fl L Ar port:host:hostport | ||
614 | Specifies that the given port on the local (client) host is to be | ||
615 | forwarded to the given host and port on the remote side. | ||
616 | This works by allocating a socket to listen to | ||
617 | .Ar port | ||
618 | on the local side, and whenever a connection is made to this port, the | ||
619 | connection is forwarded over the secure channel, and a connection is | ||
620 | made to | ||
621 | .Ar host | ||
622 | port | ||
623 | .Ar hostport | ||
624 | from the remote machine. | ||
625 | Port forwardings can also be specified in the configuration file. | ||
626 | Only root can forward privileged ports. | ||
627 | IPv6 addresses can be specified with an alternative syntax: | ||
628 | .Ar port/host/hostport | ||
629 | .It Fl R Ar port:host:hostport | ||
630 | Specifies that the given port on the remote (server) host is to be | ||
631 | forwarded to the given host and port on the local side. | ||
632 | This works by allocating a socket to listen to | ||
633 | .Ar port | ||
634 | on the remote side, and whenever a connection is made to this port, the | ||
635 | connection is forwarded over the secure channel, and a connection is | ||
636 | made to | ||
637 | .Ar host | ||
638 | port | ||
639 | .Ar hostport | ||
640 | from the local machine. | ||
641 | Port forwardings can also be specified in the configuration file. | ||
642 | Privileged ports can be forwarded only when | ||
643 | logging in as root on the remote machine. | ||
644 | IPv6 addresses can be specified with an alternative syntax: | ||
645 | .Ar port/host/hostport | ||
646 | .It Fl D Ar port | ||
647 | Specifies a local | ||
648 | .Dq dynamic | ||
649 | application-level port forwarding. | ||
650 | This works by allocating a socket to listen to | ||
651 | .Ar port | ||
652 | on the local side, and whenever a connection is made to this port, the | ||
653 | connection is forwarded over the secure channel, and the application | ||
654 | protocol is then used to determine where to connect to from the | ||
655 | remote machine. | ||
656 | Currently the SOCKS4 and SOCKS5 protocols are supported, and | ||
657 | .Nm | ||
658 | will act as a SOCKS server. | ||
659 | Only root can forward privileged ports. | ||
660 | Dynamic port forwardings can also be specified in the configuration file. | ||
661 | .It Fl 1 | ||
662 | Forces | ||
663 | .Nm | ||
664 | to try protocol version 1 only. | ||
665 | .It Fl 2 | ||
666 | Forces | ||
667 | .Nm | ||
668 | to try protocol version 2 only. | ||
669 | .It Fl 4 | ||
670 | Forces | ||
671 | .Nm | ||
672 | to use IPv4 addresses only. | ||
673 | .It Fl 6 | ||
674 | Forces | ||
675 | .Nm | ||
676 | to use IPv6 addresses only. | ||
677 | .El | 743 | .El |
678 | .Sh CONFIGURATION FILES | 744 | .Sh CONFIGURATION FILES |
679 | .Nm | 745 | .Nm |
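Review bot: The added `.It Fl Y` entry consists of the single sentence "Enables trusted X11 forwarding." and does not say how it differs from -X, whose entry directly above carries the warning about access to the local X11 display and keystroke monitoring. State what trust is extended to remote X11 clients under -Y and cross-reference ForwardX11Trusted in ssh_config(5), so a reader can judge the exposure before choosing -Y over -X.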
@@ -684,7 +750,7 @@ The file format and configuration options are described in | |||
684 | .Sh ENVIRONMENT | 750 | .Sh ENVIRONMENT |
685 | .Nm | 751 | .Nm |
686 | will normally set the following environment variables: | 752 | will normally set the following environment variables: |
687 | .Bl -tag -width Ds | 753 | .Bl -tag -width LOGNAME |
688 | .It Ev DISPLAY | 754 | .It Ev DISPLAY |
689 | The | 755 | The |
690 | .Ev DISPLAY | 756 | .Ev DISPLAY |
@@ -694,7 +760,7 @@ It is automatically set by | |||
694 | to point to a value of the form | 760 | to point to a value of the form |
695 | .Dq hostname:n | 761 | .Dq hostname:n |
696 | where hostname indicates | 762 | where hostname indicates |
697 | the host where the shell runs, and n is an integer >= 1. | 763 | the host where the shell runs, and n is an integer \*(Ge 1. |
698 | .Nm | 764 | .Nm |
699 | uses this special value to forward X11 connections over the secure | 765 | uses this special value to forward X11 connections over the secure |
700 | channel. | 766 | channel. |
@@ -772,7 +838,7 @@ and adds lines of the format | |||
772 | .Dq VARNAME=value | 838 | .Dq VARNAME=value |
773 | to the environment if the file exists and if users are allowed to | 839 | to the environment if the file exists and if users are allowed to |
774 | change their environment. | 840 | change their environment. |
775 | See the | 841 | For more information, see the |
776 | .Cm PermitUserEnvironment | 842 | .Cm PermitUserEnvironment |
777 | option in | 843 | option in |
778 | .Xr sshd_config 5 . | 844 | .Xr sshd_config 5 . |
@@ -801,7 +867,7 @@ Contains the public key for authentication (public part of the | |||
801 | identity file in human-readable form). | 867 | identity file in human-readable form). |
802 | The contents of the | 868 | The contents of the |
803 | .Pa $HOME/.ssh/identity.pub | 869 | .Pa $HOME/.ssh/identity.pub |
804 | file should be added to | 870 | file should be added to the file |
805 | .Pa $HOME/.ssh/authorized_keys | 871 | .Pa $HOME/.ssh/authorized_keys |
806 | on all machines | 872 | on all machines |
807 | where the user wishes to log in using protocol version 1 RSA authentication. | 873 | where the user wishes to log in using protocol version 1 RSA authentication. |
@@ -827,7 +893,8 @@ Lists the public keys (RSA/DSA) that can be used for logging in as this user. | |||
827 | The format of this file is described in the | 893 | The format of this file is described in the |
828 | .Xr sshd 8 | 894 | .Xr sshd 8 |
829 | manual page. | 895 | manual page. |
830 | In the simplest form the format is the same as the .pub | 896 | In the simplest form the format is the same as the |
897 | .Pa .pub | ||
831 | identity files. | 898 | identity files. |
832 | This file is not highly sensitive, but the recommended | 899 | This file is not highly sensitive, but the recommended |
833 | permissions are read/write for the user, and not accessible by others. | 900 | permissions are read/write for the user, and not accessible by others. |
@@ -843,7 +910,7 @@ by spaces): system name, public key and optional comment field. | |||
843 | When different names are used | 910 | When different names are used |
844 | for the same machine, all such names should be listed, separated by | 911 | for the same machine, all such names should be listed, separated by |
845 | commas. | 912 | commas. |
846 | The format is described on the | 913 | The format is described in the |
847 | .Xr sshd 8 | 914 | .Xr sshd 8 |
848 | manual page. | 915 | manual page. |
849 | .Pp | 916 | .Pp |
@@ -883,7 +950,7 @@ By default | |||
883 | is not setuid root. | 950 | is not setuid root. |
884 | .It Pa $HOME/.rhosts | 951 | .It Pa $HOME/.rhosts |
885 | This file is used in | 952 | This file is used in |
886 | .Pa \&.rhosts | 953 | .Em rhosts |
887 | authentication to list the | 954 | authentication to list the |
888 | host/user pairs that are permitted to log in. | 955 | host/user pairs that are permitted to log in. |
889 | (Note that this file is | 956 | (Note that this file is |
@@ -905,7 +972,9 @@ accessible by others. | |||
905 | Note that by default | 972 | Note that by default |
906 | .Xr sshd 8 | 973 | .Xr sshd 8 |
907 | will be installed so that it requires successful RSA host | 974 | will be installed so that it requires successful RSA host |
908 | authentication before permitting \s+2.\s0rhosts authentication. | 975 | authentication before permitting |
976 | .Em rhosts | ||
977 | authentication. | ||
909 | If the server machine does not have the client's host key in | 978 | If the server machine does not have the client's host key in |
910 | .Pa /etc/ssh/ssh_known_hosts , | 979 | .Pa /etc/ssh/ssh_known_hosts , |
911 | it can be stored in | 980 | it can be stored in |
@@ -916,21 +985,20 @@ will automatically add the host key to | |||
916 | .Pa $HOME/.ssh/known_hosts . | 985 | .Pa $HOME/.ssh/known_hosts . |
917 | .It Pa $HOME/.shosts | 986 | .It Pa $HOME/.shosts |
918 | This file is used exactly the same way as | 987 | This file is used exactly the same way as |
919 | .Pa \&.rhosts . | 988 | .Pa .rhosts . |
920 | The purpose for | 989 | The purpose for |
921 | having this file is to be able to use rhosts authentication with | 990 | having this file is to be able to use rhosts authentication with |
922 | .Nm | 991 | .Nm |
923 | without permitting login with | 992 | without permitting login with |
924 | .Nm rlogin | 993 | .Xr rlogin |
925 | or | 994 | or |
926 | .Xr rsh 1 . | 995 | .Xr rsh 1 . |
927 | .It Pa /etc/hosts.equiv | 996 | .It Pa /etc/hosts.equiv |
928 | This file is used during | 997 | This file is used during |
929 | .Pa \&.rhosts | 998 | .Em rhosts |
930 | authentication. | 999 | authentication. |
931 | It contains | 1000 | It contains |
932 | canonical hosts names, one per line (the full format is described on | 1001 | canonical hosts names, one per line (the full format is described in the |
933 | the | ||
934 | .Xr sshd 8 | 1002 | .Xr sshd 8 |
935 | manual page). | 1003 | manual page). |
936 | If the client host is found in this file, login is | 1004 | If the client host is found in this file, login is |
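Review bot: In the $HOME/.shosts paragraph, the new `.Xr rlogin` has no manual section, while the reference two lines later is `.Xr rsh 1 .`; .Xr takes the section as its second argument, so this should read `.Xr rlogin 1`.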
@@ -970,6 +1038,7 @@ above. | |||
970 | exits with the exit status of the remote command or with 255 | 1038 | exits with the exit status of the remote command or with 255 |
971 | if an error occurred. | 1039 | if an error occurred. |
972 | .Sh SEE ALSO | 1040 | .Sh SEE ALSO |
1041 | .Xr gzip 1 , | ||
973 | .Xr rsh 1 , | 1042 | .Xr rsh 1 , |
974 | .Xr scp 1 , | 1043 | .Xr scp 1 , |
975 | .Xr sftp 1 , | 1044 | .Xr sftp 1 , |
@@ -978,6 +1047,7 @@ if an error occurred. | |||
978 | .Xr ssh-argv0 1 , | 1047 | .Xr ssh-argv0 1 , |
979 | .Xr ssh-keygen 1 , | 1048 | .Xr ssh-keygen 1 , |
980 | .Xr telnet 1 , | 1049 | .Xr telnet 1 , |
1050 | .Xr hosts.equiv 5 , | ||
981 | .Xr ssh_config 5 , | 1051 | .Xr ssh_config 5 , |
982 | .Xr ssh-keysign 8 , | 1052 | .Xr ssh-keysign 8 , |
983 | .Xr sshd 8 | 1053 | .Xr sshd 8 |