author | Colin Watson <cjwatson@debian.org> | 2017-10-04 11:23:58 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2017-10-05 23:58:12 +0100 |
commit | 0556ea972b15607b7e13ff31bc05840881c91dd3 (patch) | |
tree | d6b8d48062d0278b5ae0eeff42d0e9afa9f26860 /ssh.1 | |
parent | db2122d97eb1ecdd8d99b7bf79b0dd2b5addfd92 (diff) | |
parent | 801a62eedaaf47b20dbf4b426dc3e084bf0c8d49 (diff) |
New upstream release (7.6p1)
Diffstat (limited to 'ssh.1')
-rw-r--r-- | ssh.1 | 92 |
1 files changed, 31 insertions, 61 deletions
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: ssh.1,v 1.376 2016/07/16 06:57:55 jmc Exp $ | 36 | .\" $OpenBSD: ssh.1,v 1.384 2017/09/21 19:16:53 markus Exp $ |
37 | .Dd $Mdocdate: July 16 2016 $ | 37 | .Dd $Mdocdate: September 21 2017 $ |
38 | .Dt SSH 1 | 38 | .Dt SSH 1 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -43,7 +43,7 @@ | |||
43 | .Sh SYNOPSIS | 43 | .Sh SYNOPSIS |
44 | .Nm ssh | 44 | .Nm ssh |
45 | .Bk -words | 45 | .Bk -words |
46 | .Op Fl 1246AaCfGgKkMNnqsTtVvXxYy | 46 | .Op Fl 46AaCfGgKkMNnqsTtVvXxYy |
47 | .Op Fl b Ar bind_address | 47 | .Op Fl b Ar bind_address |
48 | .Op Fl c Ar cipher_spec | 48 | .Op Fl c Ar cipher_spec |
49 | .Op Fl D Oo Ar bind_address : Oc Ns Ar port | 49 | .Op Fl D Oo Ar bind_address : Oc Ns Ar port |
@@ -95,16 +95,6 @@ it is executed on the remote host instead of a login shell. | |||
95 | The options are as follows: | 95 | The options are as follows: |
96 | .Pp | 96 | .Pp |
97 | .Bl -tag -width Ds -compact | 97 | .Bl -tag -width Ds -compact |
98 | .It Fl 1 | ||
99 | Forces | ||
100 | .Nm | ||
101 | to try protocol version 1 only. | ||
102 | .Pp | ||
103 | .It Fl 2 | ||
104 | Forces | ||
105 | .Nm | ||
106 | to try protocol version 2 only. | ||
107 | .Pp | ||
108 | .It Fl 4 | 98 | .It Fl 4 |
109 | Forces | 99 | Forces |
110 | .Nm | 100 | .Nm |
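Review bot: the `.It Fl 1` and `.It Fl 2` entries are dropped here (and `1` and `2` leave the SYNOPSIS flag list in the previous hunk) with no replacement text, so the page no longer tells a reader what happens when an existing script or wrapper still passes `-1` or `-2`. Consider a short compatibility sentence in the options list stating whether each flag is now rejected or ignored, so operators auditing old automation know what to look for.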
@@ -144,12 +134,7 @@ data for forwarded X11, TCP and | |||
144 | .Ux Ns -domain | 134 | .Ux Ns -domain |
145 | connections). | 135 | connections). |
146 | The compression algorithm is the same used by | 136 | The compression algorithm is the same used by |
147 | .Xr gzip 1 , | 137 | .Xr gzip 1 . |
148 | and the | ||
149 | .Dq level | ||
150 | can be controlled by the | ||
151 | .Cm CompressionLevel | ||
152 | option for protocol version 1. | ||
153 | Compression is desirable on modem lines and other | 138 | Compression is desirable on modem lines and other |
154 | slow connections, but will only slow down things on fast networks. | 139 | slow connections, but will only slow down things on fast networks. |
155 | The default value can be set on a host-by-host basis in the | 140 | The default value can be set on a host-by-host basis in the |
@@ -159,14 +144,6 @@ option. | |||
159 | .Pp | 144 | .Pp |
160 | .It Fl c Ar cipher_spec | 145 | .It Fl c Ar cipher_spec |
161 | Selects the cipher specification for encrypting the session. | 146 | Selects the cipher specification for encrypting the session. |
162 | .Pp | ||
163 | Protocol version 1 allows specification of a single cipher. | ||
164 | The supported values are | ||
165 | .Dq 3des , | ||
166 | .Dq blowfish , | ||
167 | and | ||
168 | .Dq des . | ||
169 | For protocol version 2, | ||
170 | .Ar cipher_spec | 147 | .Ar cipher_spec |
171 | is a comma-separated list of ciphers | 148 | is a comma-separated list of ciphers |
172 | listed in order of preference. | 149 | listed in order of preference. |
@@ -290,14 +267,11 @@ private RSA key. | |||
290 | Selects a file from which the identity (private key) for | 267 | Selects a file from which the identity (private key) for |
291 | public key authentication is read. | 268 | public key authentication is read. |
292 | The default is | 269 | The default is |
293 | .Pa ~/.ssh/identity | ||
294 | for protocol version 1, and | ||
295 | .Pa ~/.ssh/id_dsa , | 270 | .Pa ~/.ssh/id_dsa , |
296 | .Pa ~/.ssh/id_ecdsa , | 271 | .Pa ~/.ssh/id_ecdsa , |
297 | .Pa ~/.ssh/id_ed25519 | 272 | .Pa ~/.ssh/id_ed25519 |
298 | and | 273 | and |
299 | .Pa ~/.ssh/id_rsa | 274 | .Pa ~/.ssh/id_rsa . |
300 | for protocol version 2. | ||
301 | Identity files may also be specified on | 275 | Identity files may also be specified on |
302 | a per-host basis in the configuration file. | 276 | a per-host basis in the configuration file. |
303 | It is possible to have multiple | 277 | It is possible to have multiple |
@@ -491,11 +465,9 @@ For full details of the options listed below, and their possible values, see | |||
491 | .It CertificateFile | 465 | .It CertificateFile |
492 | .It ChallengeResponseAuthentication | 466 | .It ChallengeResponseAuthentication |
493 | .It CheckHostIP | 467 | .It CheckHostIP |
494 | .It Cipher | ||
495 | .It Ciphers | 468 | .It Ciphers |
496 | .It ClearAllForwardings | 469 | .It ClearAllForwardings |
497 | .It Compression | 470 | .It Compression |
498 | .It CompressionLevel | ||
499 | .It ConnectionAttempts | 471 | .It ConnectionAttempts |
500 | .It ConnectTimeout | 472 | .It ConnectTimeout |
501 | .It ControlMaster | 473 | .It ControlMaster |
@@ -540,17 +512,15 @@ For full details of the options listed below, and their possible values, see | |||
540 | .It PKCS11Provider | 512 | .It PKCS11Provider |
541 | .It Port | 513 | .It Port |
542 | .It PreferredAuthentications | 514 | .It PreferredAuthentications |
543 | .It Protocol | ||
544 | .It ProxyCommand | 515 | .It ProxyCommand |
545 | .It ProxyJump | 516 | .It ProxyJump |
546 | .It ProxyUseFdpass | 517 | .It ProxyUseFdpass |
547 | .It PubkeyAcceptedKeyTypes | 518 | .It PubkeyAcceptedKeyTypes |
548 | .It PubkeyAuthentication | 519 | .It PubkeyAuthentication |
549 | .It RekeyLimit | 520 | .It RekeyLimit |
521 | .It RemoteCommand | ||
550 | .It RemoteForward | 522 | .It RemoteForward |
551 | .It RequestTTY | 523 | .It RequestTTY |
552 | .It RhostsRSAAuthentication | ||
553 | .It RSAAuthentication | ||
554 | .It SendEnv | 524 | .It SendEnv |
555 | .It ServerAliveInterval | 525 | .It ServerAliveInterval |
556 | .It ServerAliveCountMax | 526 | .It ServerAliveCountMax |
@@ -622,21 +592,30 @@ Causes most warning and diagnostic messages to be suppressed. | |||
622 | .Ar remote_socket : local_socket | 592 | .Ar remote_socket : local_socket |
623 | .Sm on | 593 | .Sm on |
624 | .Xc | 594 | .Xc |
595 | .It Fl R Xo | ||
596 | .Sm off | ||
597 | .Oo Ar bind_address : Oc | ||
598 | .Ar port | ||
599 | .Sm on | ||
600 | .Xc | ||
625 | Specifies that connections to the given TCP port or Unix socket on the remote | 601 | Specifies that connections to the given TCP port or Unix socket on the remote |
626 | (server) host are to be forwarded to the given host and port, or Unix socket, | 602 | (server) host are to be forwarded to the local side. |
627 | on the local side. | 603 | .Pp |
628 | This works by allocating a socket to listen to either a TCP | 604 | This works by allocating a socket to listen to either a TCP |
629 | .Ar port | 605 | .Ar port |
630 | or to a Unix socket on the remote side. | 606 | or to a Unix socket on the remote side. |
631 | Whenever a connection is made to this port or Unix socket, the | 607 | Whenever a connection is made to this port or Unix socket, the |
632 | connection is forwarded over the secure channel, and a connection | 608 | connection is forwarded over the secure channel, and a connection |
633 | is made to either | 609 | is made from the local machine to either an explicit destination specified by |
634 | .Ar host | 610 | .Ar host |
635 | port | 611 | port |
636 | .Ar hostport , | 612 | .Ar hostport , |
637 | or | 613 | or |
638 | .Ar local_socket , | 614 | .Ar local_socket , |
639 | from the local machine. | 615 | or, if no explicit destination was specified, |
616 | .Nm | ||
617 | will act as a SOCKS 4/5 proxy and forward connections to the destinations | ||
618 | requested by the remote SOCKS client. | ||
640 | .Pp | 619 | .Pp |
641 | Port forwardings can also be specified in the configuration file. | 620 | Port forwardings can also be specified in the configuration file. |
642 | Privileged ports can be forwarded only when | 621 | Privileged ports can be forwarded only when |
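Review bot: the new SOCKS text at the end of the `-R` description does not spell out the trust consequence of the `[bind_address:]port` form. As written, destinations are "requested by the remote SOCKS client" while the connection "is made from the local machine", which means anyone able to connect to the listening port on the server side chooses which hosts are contacted from the client's network position. Suggest one added sentence stating that plainly, placed next to the existing remark about `bind_address`, so readers understand that restricting who can reach the remote listener is the control that matters for this mode.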
@@ -827,21 +806,7 @@ a per-user configuration file and a system-wide configuration file. | |||
827 | The file format and configuration options are described in | 806 | The file format and configuration options are described in |
828 | .Xr ssh_config 5 . | 807 | .Xr ssh_config 5 . |
829 | .Sh AUTHENTICATION | 808 | .Sh AUTHENTICATION |
830 | The OpenSSH SSH client supports SSH protocols 1 and 2. | 809 | The OpenSSH SSH client supports SSH protocol 2. |
831 | The default is to use protocol 2 only, | ||
832 | though this can be changed via the | ||
833 | .Cm Protocol | ||
834 | option in | ||
835 | .Xr ssh_config 5 | ||
836 | or the | ||
837 | .Fl 1 | ||
838 | and | ||
839 | .Fl 2 | ||
840 | options (see above). | ||
841 | Protocol 1 should not be used | ||
842 | and is only offered to support legacy devices. | ||
843 | It suffers from a number of cryptographic weaknesses | ||
844 | and doesn't support many of the advanced features available for protocol 2. | ||
845 | .Pp | 810 | .Pp |
846 | The methods available for authentication are: | 811 | The methods available for authentication are: |
847 | GSSAPI-based authentication, | 812 | GSSAPI-based authentication, |
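Review bot: the replacement sentence `The OpenSSH SSH client supports SSH protocol 2.` in AUTHENTICATION does not say that protocol 1 is no longer available, and the removed paragraph was the only place in this section that explained why (its cryptographic weaknesses). Suggest "supports SSH protocol 2 only" plus one sentence noting that protocol 1 support has been removed, so readers with legacy devices do not go looking for the `Protocol` option that the earlier hunk deletes from the `-o` list.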
@@ -915,11 +880,20 @@ The client proves that it has access to the private key | |||
915 | and the server checks that the corresponding public key | 880 | and the server checks that the corresponding public key |
916 | is authorized to accept the account. | 881 | is authorized to accept the account. |
917 | .Pp | 882 | .Pp |
883 | The server may inform the client of errors that prevented public key | ||
884 | authentication from succeeding after authentication completes using a | ||
885 | different method. | ||
886 | These may be viewed by increasing the | ||
887 | .Cm LogLevel | ||
888 | to | ||
889 | .Cm DEBUG | ||
890 | or higher (e.g. by using the | ||
891 | .Fl v | ||
892 | flag). | ||
893 | .Pp | ||
918 | The user creates his/her key pair by running | 894 | The user creates his/her key pair by running |
919 | .Xr ssh-keygen 1 . | 895 | .Xr ssh-keygen 1 . |
920 | This stores the private key in | 896 | This stores the private key in |
921 | .Pa ~/.ssh/identity | ||
922 | (protocol 1), | ||
923 | .Pa ~/.ssh/id_dsa | 897 | .Pa ~/.ssh/id_dsa |
924 | (DSA), | 898 | (DSA), |
925 | .Pa ~/.ssh/id_ecdsa | 899 | .Pa ~/.ssh/id_ecdsa |
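Review bot: the added sentence "The server may inform the client of errors that prevented public key authentication from succeeding after authentication completes using a different method." is ambiguous, because "after authentication completes" can attach to either "inform" or "succeeding". Suggest leading with the timing: "After authentication completes using a different method, the server may inform the client of errors that prevented public key authentication from succeeding." The `LogLevel` / `-v` guidance that follows then reads cleanly.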
@@ -930,8 +904,6 @@ or | |||
930 | .Pa ~/.ssh/id_rsa | 904 | .Pa ~/.ssh/id_rsa |
931 | (RSA) | 905 | (RSA) |
932 | and stores the public key in | 906 | and stores the public key in |
933 | .Pa ~/.ssh/identity.pub | ||
934 | (protocol 1), | ||
935 | .Pa ~/.ssh/id_dsa.pub | 907 | .Pa ~/.ssh/id_dsa.pub |
936 | (DSA), | 908 | (DSA), |
937 | .Pa ~/.ssh/id_ecdsa.pub | 909 | .Pa ~/.ssh/id_ecdsa.pub |
@@ -1517,7 +1489,6 @@ Contains additional definitions for environment variables; see | |||
1517 | .Sx ENVIRONMENT , | 1489 | .Sx ENVIRONMENT , |
1518 | above. | 1490 | above. |
1519 | .Pp | 1491 | .Pp |
1520 | .It Pa ~/.ssh/identity | ||
1521 | .It Pa ~/.ssh/id_dsa | 1492 | .It Pa ~/.ssh/id_dsa |
1522 | .It Pa ~/.ssh/id_ecdsa | 1493 | .It Pa ~/.ssh/id_ecdsa |
1523 | .It Pa ~/.ssh/id_ed25519 | 1494 | .It Pa ~/.ssh/id_ed25519 |
@@ -1532,7 +1503,6 @@ It is possible to specify a passphrase when | |||
1532 | generating the key which will be used to encrypt the | 1503 | generating the key which will be used to encrypt the |
1533 | sensitive part of this file using 3DES. | 1504 | sensitive part of this file using 3DES. |
1534 | .Pp | 1505 | .Pp |
1535 | .It Pa ~/.ssh/identity.pub | ||
1536 | .It Pa ~/.ssh/id_dsa.pub | 1506 | .It Pa ~/.ssh/id_dsa.pub |
1537 | .It Pa ~/.ssh/id_ecdsa.pub | 1507 | .It Pa ~/.ssh/id_ecdsa.pub |
1538 | .It Pa ~/.ssh/id_ed25519.pub | 1508 | .It Pa ~/.ssh/id_ed25519.pub |