summaryrefslogtreecommitdiff
path: root/ssh.1
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2016-02-29 12:15:15 +0000
committerColin Watson <cjwatson@debian.org>2016-03-08 11:51:22 +0000
commit46961f5704f8e86cea3e99253faad55aef4d8f35 (patch)
tree0dd97fa4fb649a62b4639fe2674380872b1f3e98 /ssh.1
parentc753fe267efb1b027424fa8706cf0385fc3d14c1 (diff)
parent85e40e87a75fb80a0bf893ac05a417d6c353537d (diff)
New upstream release (7.2).
Diffstat (limited to 'ssh.1')
-rw-r--r--ssh.197
1 files changed, 42 insertions, 55 deletions
diff --git a/ssh.1 b/ssh.1
index 649d6c303..7fb9d3040 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: ssh.1,v 1.361 2015/07/20 18:44:12 millert Exp $ 36.\" $OpenBSD: ssh.1,v 1.369 2016/02/17 07:38:19 jmc Exp $
37.Dd $Mdocdate: July 20 2015 $ 37.Dd $Mdocdate: February 17 2016 $
38.Dt SSH 1 38.Dt SSH 1
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -58,7 +58,7 @@
58.Op Fl O Ar ctl_cmd 58.Op Fl O Ar ctl_cmd
59.Op Fl o Ar option 59.Op Fl o Ar option
60.Op Fl p Ar port 60.Op Fl p Ar port
61.Op Fl Q Cm cipher | cipher-auth | mac | kex | key | protocol-version 61.Op Fl Q Ar query_option
62.Op Fl R Ar address 62.Op Fl R Ar address
63.Op Fl S Ar ctl_path 63.Op Fl S Ar ctl_path
64.Op Fl W Ar host : Ns Ar port 64.Op Fl W Ar host : Ns Ar port
@@ -70,8 +70,7 @@
70.Nm 70.Nm
71(SSH client) is a program for logging into a remote machine and for 71(SSH client) is a program for logging into a remote machine and for
72executing commands on a remote machine. 72executing commands on a remote machine.
73It is intended to replace rlogin and rsh, 73It is intended to provide secure encrypted communications between
74and provide secure encrypted communications between
75two untrusted hosts over an insecure network. 74two untrusted hosts over an insecure network.
76X11 connections, arbitrary TCP ports and 75X11 connections, arbitrary TCP ports and
77.Ux Ns -domain 76.Ux Ns -domain
@@ -85,7 +84,7 @@ connects and logs into the specified
85name). 84name).
86The user must prove 85The user must prove
87his/her identity to the remote machine using one of several methods 86his/her identity to the remote machine using one of several methods
88depending on the protocol version used (see below). 87(see below).
89.Pp 88.Pp
90If 89If
91.Ar command 90.Ar command
@@ -304,6 +303,9 @@ It is possible to have multiple
304.Fl i 303.Fl i
305options (and multiple identities specified in 304options (and multiple identities specified in
306configuration files). 305configuration files).
306If no certificates have been explicitly specified by the
307.Cm CertificateFile
308directive,
307.Nm 309.Nm
308will also try to load certificate information from the filename obtained 310will also try to load certificate information from the filename obtained
309by appending 311by appending
@@ -400,17 +402,15 @@ in
400for details. 402for details.
401.Pp 403.Pp
402.It Fl m Ar mac_spec 404.It Fl m Ar mac_spec
403Additionally, for protocol version 2 a comma-separated list of MAC 405A comma-separated list of MAC (message authentication code) algorithms,
404(message authentication code) algorithms can 406specified in order of preference.
405be specified in order of preference.
406See the 407See the
407.Cm MACs 408.Cm MACs
408keyword for more information. 409keyword for more information.
409.Pp 410.Pp
410.It Fl N 411.It Fl N
411Do not execute a remote command. 412Do not execute a remote command.
412This is useful for just forwarding ports 413This is useful for just forwarding ports.
413(protocol version 2 only).
414.Pp 414.Pp
415.It Fl n 415.It Fl n
416Redirects stdin from 416Redirects stdin from
@@ -460,6 +460,7 @@ For full details of the options listed below, and their possible values, see
460.Xr ssh_config 5 . 460.Xr ssh_config 5 .
461.Pp 461.Pp
462.Bl -tag -width Ds -offset indent -compact 462.Bl -tag -width Ds -offset indent -compact
463.It AddKeysToAgent
463.It AddressFamily 464.It AddressFamily
464.It BatchMode 465.It BatchMode
465.It BindAddress 466.It BindAddress
@@ -468,6 +469,7 @@ For full details of the options listed below, and their possible values, see
468.It CanonicalizeHostname 469.It CanonicalizeHostname
469.It CanonicalizeMaxDots 470.It CanonicalizeMaxDots
470.It CanonicalizePermittedCNAMEs 471.It CanonicalizePermittedCNAMEs
472.It CertificateFile
471.It ChallengeResponseAuthentication 473.It ChallengeResponseAuthentication
472.It CheckHostIP 474.It CheckHostIP
473.It Cipher 475.It Cipher
@@ -550,7 +552,7 @@ Port to connect to on the remote host.
550This can be specified on a 552This can be specified on a
551per-host basis in the configuration file. 553per-host basis in the configuration file.
552.Pp 554.Pp
553.It Fl Q Cm cipher | cipher-auth | mac | kex | key | protocol-version 555.It Fl Q Ar query_option
554Queries 556Queries
555.Nm 557.Nm
556for the algorithms supported for the specified version 2. 558for the algorithms supported for the specified version 2.
@@ -564,7 +566,11 @@ The available features are:
564.Ar kex 566.Ar kex
565(key exchange algorithms), 567(key exchange algorithms),
566.Ar key 568.Ar key
567(key types) and 569(key types),
570.Ar key-cert
571(certificate key types),
572.Ar key-plain
573(non-certificate key types), and
568.Ar protocol-version 574.Ar protocol-version
569(supported SSH protocol versions). 575(supported SSH protocol versions).
570.Pp 576.Pp
@@ -656,8 +662,8 @@ for details.
656.Pp 662.Pp
657.It Fl s 663.It Fl s
658May be used to request invocation of a subsystem on the remote system. 664May be used to request invocation of a subsystem on the remote system.
659Subsystems are a feature of the SSH2 protocol which facilitate the use 665Subsystems facilitate the use of SSH
660of SSH as a secure transport for other applications (eg.\& 666as a secure transport for other applications (e.g.\&
661.Xr sftp 1 ) . 667.Xr sftp 1 ) .
662The subsystem is specified as the remote command. 668The subsystem is specified as the remote command.
663.Pp 669.Pp
@@ -702,7 +708,6 @@ Implies
702.Cm ExitOnForwardFailure 708.Cm ExitOnForwardFailure
703and 709and
704.Cm ClearAllForwardings . 710.Cm ClearAllForwardings .
705Works with Protocol version 2 only.
706.Pp 711.Pp
707.It Fl w Xo 712.It Fl w Xo
708.Ar local_tun Ns Op : Ns Ar remote_tun 713.Ar local_tun Ns Op : Ns Ar remote_tun
@@ -808,15 +813,10 @@ or the
808and 813and
809.Fl 2 814.Fl 2
810options (see above). 815options (see above).
811Both protocols support similar authentication methods, 816Protocol 1 should not be used
812but protocol 2 is the default since 817and is only offered to support legacy devices.
813it provides additional mechanisms for confidentiality 818It suffers from a number of cryptographic weaknesses
814(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) 819and doesn't support many of the advanced features available for protocol 2.
815and integrity (hmac-md5, hmac-sha1,
816hmac-sha2-256, hmac-sha2-512,
817umac-64, umac-128, hmac-ripemd160).
818Protocol 1 lacks a strong mechanism for ensuring the
819integrity of the connection.
820.Pp 820.Pp
821The methods available for authentication are: 821The methods available for authentication are:
822GSSAPI-based authentication, 822GSSAPI-based authentication,
@@ -825,8 +825,9 @@ public key authentication,
825challenge-response authentication, 825challenge-response authentication,
826and password authentication. 826and password authentication.
827Authentication methods are tried in the order specified above, 827Authentication methods are tried in the order specified above,
828though protocol 2 has a configuration option to change the default order: 828though
829.Cm PreferredAuthentications . 829.Cm PreferredAuthentications
830can be used to change the default order.
830.Pp 831.Pp
831Host-based authentication works as follows: 832Host-based authentication works as follows:
832If the machine the user logs in from is listed in 833If the machine the user logs in from is listed in
@@ -870,8 +871,6 @@ The server knows the public key, and only the user knows the private key.
870.Nm 871.Nm
871implements public key authentication protocol automatically, 872implements public key authentication protocol automatically,
872using one of the DSA, ECDSA, Ed25519 or RSA algorithms. 873using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
873Protocol 1 is restricted to using only RSA keys,
874but protocol 2 may use any.
875The HISTORY section of 874The HISTORY section of
876.Xr ssl 8 875.Xr ssl 8
877(on non-OpenBSD systems, see 876(on non-OpenBSD systems, see
@@ -897,26 +896,26 @@ This stores the private key in
897.Pa ~/.ssh/identity 896.Pa ~/.ssh/identity
898(protocol 1), 897(protocol 1),
899.Pa ~/.ssh/id_dsa 898.Pa ~/.ssh/id_dsa
900(protocol 2 DSA), 899(DSA),
901.Pa ~/.ssh/id_ecdsa 900.Pa ~/.ssh/id_ecdsa
902(protocol 2 ECDSA), 901(ECDSA),
903.Pa ~/.ssh/id_ed25519 902.Pa ~/.ssh/id_ed25519
904(protocol 2 Ed25519), 903(Ed25519),
905or 904or
906.Pa ~/.ssh/id_rsa 905.Pa ~/.ssh/id_rsa
907(protocol 2 RSA) 906(RSA)
908and stores the public key in 907and stores the public key in
909.Pa ~/.ssh/identity.pub 908.Pa ~/.ssh/identity.pub
910(protocol 1), 909(protocol 1),
911.Pa ~/.ssh/id_dsa.pub 910.Pa ~/.ssh/id_dsa.pub
912(protocol 2 DSA), 911(DSA),
913.Pa ~/.ssh/id_ecdsa.pub 912.Pa ~/.ssh/id_ecdsa.pub
914(protocol 2 ECDSA), 913(ECDSA),
915.Pa ~/.ssh/id_ed25519.pub 914.Pa ~/.ssh/id_ed25519.pub
916(protocol 2 Ed25519), 915(Ed25519),
917or 916or
918.Pa ~/.ssh/id_rsa.pub 917.Pa ~/.ssh/id_rsa.pub
919(protocol 2 RSA) 918(RSA)
920in the user's home directory. 919in the user's home directory.
921The user should then copy the public key 920The user should then copy the public key
922to 921to
@@ -944,14 +943,16 @@ The most convenient way to use public key or certificate authentication
944may be with an authentication agent. 943may be with an authentication agent.
945See 944See
946.Xr ssh-agent 1 945.Xr ssh-agent 1
946and (optionally) the
947.Cm AddKeysToAgent
948directive in
949.Xr ssh_config 5
947for more information. 950for more information.
948.Pp 951.Pp
949Challenge-response authentication works as follows: 952Challenge-response authentication works as follows:
950The server sends an arbitrary 953The server sends an arbitrary
951.Qq challenge 954.Qq challenge
952text, and prompts for a response. 955text, and prompts for a response.
953Protocol 2 allows multiple challenges and responses;
954protocol 1 is restricted to just one challenge/response.
955Examples of challenge-response authentication include 956Examples of challenge-response authentication include
956.Bx 957.Bx
957Authentication (see 958Authentication (see
@@ -1050,7 +1051,7 @@ at logout when waiting for forwarded connection / X11 sessions to terminate.
1050Display a list of escape characters. 1051Display a list of escape characters.
1051.It Cm ~B 1052.It Cm ~B
1052Send a BREAK to the remote system 1053Send a BREAK to the remote system
1053(only useful for SSH protocol version 2 and if the peer supports it). 1054(only useful if the peer supports it).
1054.It Cm ~C 1055.It Cm ~C
1055Open command line. 1056Open command line.
1056Currently this allows the addition of port forwardings using the 1057Currently this allows the addition of port forwardings using the
@@ -1083,7 +1084,7 @@ Basic help is available, using the
1083option. 1084option.
1084.It Cm ~R 1085.It Cm ~R
1085Request rekeying of the connection 1086Request rekeying of the connection
1086(only useful for SSH protocol version 2 and if the peer supports it). 1087(only useful if the peer supports it).
1087.It Cm ~V 1088.It Cm ~V
1088Decrease the verbosity 1089Decrease the verbosity
1089.Pq Ic LogLevel 1090.Pq Ic LogLevel
@@ -1553,20 +1554,6 @@ The file format and configuration options are described in
1553.It Pa /etc/ssh/ssh_host_rsa_key 1554.It Pa /etc/ssh/ssh_host_rsa_key
1554These files contain the private parts of the host keys 1555These files contain the private parts of the host keys
1555and are used for host-based authentication. 1556and are used for host-based authentication.
1556If protocol version 1 is used,
1557.Nm
1558must be setuid root, since the host key is readable only by root.
1559For protocol version 2,
1560.Nm
1561uses
1562.Xr ssh-keysign 8
1563to access the host keys,
1564eliminating the requirement that
1565.Nm
1566be setuid root when host-based authentication is used.
1567By default
1568.Nm
1569is not setuid root.
1570.Pp 1557.Pp
1571.It Pa /etc/ssh/ssh_known_hosts 1558.It Pa /etc/ssh/ssh_known_hosts
1572Systemwide list of known host keys. 1559Systemwide list of known host keys.