author | Colin Watson <cjwatson@debian.org> | 2016-02-29 12:15:15 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2016-03-08 11:51:22 +0000 |
commit | 46961f5704f8e86cea3e99253faad55aef4d8f35 (patch) | |
tree | 0dd97fa4fb649a62b4639fe2674380872b1f3e98 /ssh.1 | |
parent | c753fe267efb1b027424fa8706cf0385fc3d14c1 (diff) | |
parent | 85e40e87a75fb80a0bf893ac05a417d6c353537d (diff) |
New upstream release (7.2).
Diffstat (limited to 'ssh.1')
-rw-r--r-- | ssh.1 | 97 |
1 files changed, 42 insertions, 55 deletions
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: ssh.1,v 1.361 2015/07/20 18:44:12 millert Exp $ | 36 | .\" $OpenBSD: ssh.1,v 1.369 2016/02/17 07:38:19 jmc Exp $ |
37 | .Dd $Mdocdate: July 20 2015 $ | 37 | .Dd $Mdocdate: February 17 2016 $ |
38 | .Dt SSH 1 | 38 | .Dt SSH 1 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -58,7 +58,7 @@ | |||
58 | .Op Fl O Ar ctl_cmd | 58 | .Op Fl O Ar ctl_cmd |
59 | .Op Fl o Ar option | 59 | .Op Fl o Ar option |
60 | .Op Fl p Ar port | 60 | .Op Fl p Ar port |
61 | .Op Fl Q Cm cipher | cipher-auth | mac | kex | key | protocol-version | 61 | .Op Fl Q Ar query_option |
62 | .Op Fl R Ar address | 62 | .Op Fl R Ar address |
63 | .Op Fl S Ar ctl_path | 63 | .Op Fl S Ar ctl_path |
64 | .Op Fl W Ar host : Ns Ar port | 64 | .Op Fl W Ar host : Ns Ar port |
@@ -70,8 +70,7 @@ | |||
70 | .Nm | 70 | .Nm |
71 | (SSH client) is a program for logging into a remote machine and for | 71 | (SSH client) is a program for logging into a remote machine and for |
72 | executing commands on a remote machine. | 72 | executing commands on a remote machine. |
73 | It is intended to replace rlogin and rsh, | 73 | It is intended to provide secure encrypted communications between |
74 | and provide secure encrypted communications between | ||
75 | two untrusted hosts over an insecure network. | 74 | two untrusted hosts over an insecure network. |
76 | X11 connections, arbitrary TCP ports and | 75 | X11 connections, arbitrary TCP ports and |
77 | .Ux Ns -domain | 76 | .Ux Ns -domain |
@@ -85,7 +84,7 @@ connects and logs into the specified | |||
85 | name). | 84 | name). |
86 | The user must prove | 85 | The user must prove |
87 | his/her identity to the remote machine using one of several methods | 86 | his/her identity to the remote machine using one of several methods |
88 | depending on the protocol version used (see below). | 87 | (see below). |
89 | .Pp | 88 | .Pp |
90 | If | 89 | If |
91 | .Ar command | 90 | .Ar command |
@@ -304,6 +303,9 @@ It is possible to have multiple | |||
304 | .Fl i | 303 | .Fl i |
305 | options (and multiple identities specified in | 304 | options (and multiple identities specified in |
306 | configuration files). | 305 | configuration files). |
306 | If no certificates have been explicitly specified by the | ||
307 | .Cm CertificateFile | ||
308 | directive, | ||
307 | .Nm | 309 | .Nm |
308 | will also try to load certificate information from the filename obtained | 310 | will also try to load certificate information from the filename obtained |
309 | by appending | 311 | by appending |
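Review bot: the new conditional at 306-308 makes the implicit -cert.pub lookup apply only when no CertificateFile has been given at all, so adding a CertificateFile for one identity silently stops automatic certificate loading for every other -i or IdentityFile key; spell that consequence out rather than leaving it to be inferred, e.g. "Specifying any .Cm CertificateFile disables this automatic lookup for all identities." A reader who sets the directive for one key and later wonders why another key's certificate is no longer offered will otherwise have nothing in the manual to explain it.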
@@ -400,17 +402,15 @@ in | |||
400 | for details. | 402 | for details. |
401 | .Pp | 403 | .Pp |
402 | .It Fl m Ar mac_spec | 404 | .It Fl m Ar mac_spec |
403 | Additionally, for protocol version 2 a comma-separated list of MAC | 405 | A comma-separated list of MAC (message authentication code) algorithms, |
404 | (message authentication code) algorithms can | 406 | specified in order of preference. |
405 | be specified in order of preference. | ||
406 | See the | 407 | See the |
407 | .Cm MACs | 408 | .Cm MACs |
408 | keyword for more information. | 409 | keyword for more information. |
409 | .Pp | 410 | .Pp |
410 | .It Fl N | 411 | .It Fl N |
411 | Do not execute a remote command. | 412 | Do not execute a remote command. |
412 | This is useful for just forwarding ports | 413 | This is useful for just forwarding ports. |
413 | (protocol version 2 only). | ||
414 | .Pp | 414 | .Pp |
415 | .It Fl n | 415 | .It Fl n |
416 | Redirects stdin from | 416 | Redirects stdin from |
@@ -460,6 +460,7 @@ For full details of the options listed below, and their possible values, see | |||
460 | .Xr ssh_config 5 . | 460 | .Xr ssh_config 5 . |
461 | .Pp | 461 | .Pp |
462 | .Bl -tag -width Ds -offset indent -compact | 462 | .Bl -tag -width Ds -offset indent -compact |
463 | .It AddKeysToAgent | ||
463 | .It AddressFamily | 464 | .It AddressFamily |
464 | .It BatchMode | 465 | .It BatchMode |
465 | .It BindAddress | 466 | .It BindAddress |
@@ -468,6 +469,7 @@ For full details of the options listed below, and their possible values, see | |||
468 | .It CanonicalizeHostname | 469 | .It CanonicalizeHostname |
469 | .It CanonicalizeMaxDots | 470 | .It CanonicalizeMaxDots |
470 | .It CanonicalizePermittedCNAMEs | 471 | .It CanonicalizePermittedCNAMEs |
472 | .It CertificateFile | ||
471 | .It ChallengeResponseAuthentication | 473 | .It ChallengeResponseAuthentication |
472 | .It CheckHostIP | 474 | .It CheckHostIP |
473 | .It Cipher | 475 | .It Cipher |
@@ -550,7 +552,7 @@ Port to connect to on the remote host. | |||
550 | This can be specified on a | 552 | This can be specified on a |
551 | per-host basis in the configuration file. | 553 | per-host basis in the configuration file. |
552 | .Pp | 554 | .Pp |
553 | .It Fl Q Cm cipher | cipher-auth | mac | kex | key | protocol-version | 555 | .It Fl Q Ar query_option |
554 | Queries | 556 | Queries |
555 | .Nm | 557 | .Nm |
556 | for the algorithms supported for the specified version 2. | 558 | for the algorithms supported for the specified version 2. |
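Review bot: line 558 still reads "for the algorithms supported for the specified version 2", which is both a leftover of the protocol-version wording this patch scrubs elsewhere and a description that never names the argument now introduced in the synopsis as .Ar query_option (line 555). Suggest rewording to "Queries .Nm for the algorithms supported for the specified .Ar query_option ." so the synopsis and description use the same name, and then let "The available features are:" enumerate the accepted values as it already does.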
@@ -564,7 +566,11 @@ The available features are: | |||
564 | .Ar kex | 566 | .Ar kex |
565 | (key exchange algorithms), | 567 | (key exchange algorithms), |
566 | .Ar key | 568 | .Ar key |
567 | (key types) and | 569 | (key types), |
570 | .Ar key-cert | ||
571 | (certificate key types), | ||
572 | .Ar key-plain | ||
573 | (non-certificate key types), and | ||
568 | .Ar protocol-version | 574 | .Ar protocol-version |
569 | (supported SSH protocol versions). | 575 | (supported SSH protocol versions). |
570 | .Pp | 576 | .Pp |
@@ -656,8 +662,8 @@ for details. | |||
656 | .Pp | 662 | .Pp |
657 | .It Fl s | 663 | .It Fl s |
658 | May be used to request invocation of a subsystem on the remote system. | 664 | May be used to request invocation of a subsystem on the remote system. |
659 | Subsystems are a feature of the SSH2 protocol which facilitate the use | 665 | Subsystems facilitate the use of SSH |
660 | of SSH as a secure transport for other applications (eg.\& | 666 | as a secure transport for other applications (e.g.\& |
661 | .Xr sftp 1 ) . | 667 | .Xr sftp 1 ) . |
662 | The subsystem is specified as the remote command. | 668 | The subsystem is specified as the remote command. |
663 | .Pp | 669 | .Pp |
@@ -702,7 +708,6 @@ Implies | |||
702 | .Cm ExitOnForwardFailure | 708 | .Cm ExitOnForwardFailure |
703 | and | 709 | and |
704 | .Cm ClearAllForwardings . | 710 | .Cm ClearAllForwardings . |
705 | Works with Protocol version 2 only. | ||
706 | .Pp | 711 | .Pp |
707 | .It Fl w Xo | 712 | .It Fl w Xo |
708 | .Ar local_tun Ns Op : Ns Ar remote_tun | 713 | .Ar local_tun Ns Op : Ns Ar remote_tun |
@@ -808,15 +813,10 @@ or the | |||
808 | and | 813 | and |
809 | .Fl 2 | 814 | .Fl 2 |
810 | options (see above). | 815 | options (see above). |
811 | Both protocols support similar authentication methods, | 816 | Protocol 1 should not be used |
812 | but protocol 2 is the default since | 817 | and is only offered to support legacy devices. |
813 | it provides additional mechanisms for confidentiality | 818 | It suffers from a number of cryptographic weaknesses |
814 | (the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) | 819 | and doesn't support many of the advanced features available for protocol 2. |
815 | and integrity (hmac-md5, hmac-sha1, | ||
816 | hmac-sha2-256, hmac-sha2-512, | ||
817 | umac-64, umac-128, hmac-ripemd160). | ||
818 | Protocol 1 lacks a strong mechanism for ensuring the | ||
819 | integrity of the connection. | ||
820 | .Pp | 820 | .Pp |
821 | The methods available for authentication are: | 821 | The methods available for authentication are: |
822 | GSSAPI-based authentication, | 822 | GSSAPI-based authentication, |
@@ -825,8 +825,9 @@ public key authentication, | |||
825 | challenge-response authentication, | 825 | challenge-response authentication, |
826 | and password authentication. | 826 | and password authentication. |
827 | Authentication methods are tried in the order specified above, | 827 | Authentication methods are tried in the order specified above, |
828 | though protocol 2 has a configuration option to change the default order: | 828 | though |
829 | .Cm PreferredAuthentications . | 829 | .Cm PreferredAuthentications |
830 | can be used to change the default order. | ||
830 | .Pp | 831 | .Pp |
831 | Host-based authentication works as follows: | 832 | Host-based authentication works as follows: |
832 | If the machine the user logs in from is listed in | 833 | If the machine the user logs in from is listed in |
@@ -870,8 +871,6 @@ The server knows the public key, and only the user knows the private key. | |||
870 | .Nm | 871 | .Nm |
871 | implements public key authentication protocol automatically, | 872 | implements public key authentication protocol automatically, |
872 | using one of the DSA, ECDSA, Ed25519 or RSA algorithms. | 873 | using one of the DSA, ECDSA, Ed25519 or RSA algorithms. |
873 | Protocol 1 is restricted to using only RSA keys, | ||
874 | but protocol 2 may use any. | ||
875 | The HISTORY section of | 874 | The HISTORY section of |
876 | .Xr ssl 8 | 875 | .Xr ssl 8 |
877 | (on non-OpenBSD systems, see | 876 | (on non-OpenBSD systems, see |
@@ -897,26 +896,26 @@ This stores the private key in | |||
897 | .Pa ~/.ssh/identity | 896 | .Pa ~/.ssh/identity |
898 | (protocol 1), | 897 | (protocol 1), |
899 | .Pa ~/.ssh/id_dsa | 898 | .Pa ~/.ssh/id_dsa |
900 | (protocol 2 DSA), | 899 | (DSA), |
901 | .Pa ~/.ssh/id_ecdsa | 900 | .Pa ~/.ssh/id_ecdsa |
902 | (protocol 2 ECDSA), | 901 | (ECDSA), |
903 | .Pa ~/.ssh/id_ed25519 | 902 | .Pa ~/.ssh/id_ed25519 |
904 | (protocol 2 Ed25519), | 903 | (Ed25519), |
905 | or | 904 | or |
906 | .Pa ~/.ssh/id_rsa | 905 | .Pa ~/.ssh/id_rsa |
907 | (protocol 2 RSA) | 906 | (RSA) |
908 | and stores the public key in | 907 | and stores the public key in |
909 | .Pa ~/.ssh/identity.pub | 908 | .Pa ~/.ssh/identity.pub |
910 | (protocol 1), | 909 | (protocol 1), |
911 | .Pa ~/.ssh/id_dsa.pub | 910 | .Pa ~/.ssh/id_dsa.pub |
912 | (protocol 2 DSA), | 911 | (DSA), |
913 | .Pa ~/.ssh/id_ecdsa.pub | 912 | .Pa ~/.ssh/id_ecdsa.pub |
914 | (protocol 2 ECDSA), | 913 | (ECDSA), |
915 | .Pa ~/.ssh/id_ed25519.pub | 914 | .Pa ~/.ssh/id_ed25519.pub |
916 | (protocol 2 Ed25519), | 915 | (Ed25519), |
917 | or | 916 | or |
918 | .Pa ~/.ssh/id_rsa.pub | 917 | .Pa ~/.ssh/id_rsa.pub |
919 | (protocol 2 RSA) | 918 | (RSA) |
920 | in the user's home directory. | 919 | in the user's home directory. |
921 | The user should then copy the public key | 920 | The user should then copy the public key |
922 | to | 921 | to |
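Review bot: lines 896-897 and 908-909 keep .Pa ~/.ssh/identity "(protocol 1)" on the same footing as the other key files, while the hunk at 813-819 in this same patch says protocol 1 should not be used and is offered only for legacy devices. Consider marking the two identity entries as legacy (e.g. "(protocol 1, legacy)") so the file list does not read as an invitation to generate a protocol 1 key.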
@@ -944,14 +943,16 @@ The most convenient way to use public key or certificate authentication | |||
944 | may be with an authentication agent. | 943 | may be with an authentication agent. |
945 | See | 944 | See |
946 | .Xr ssh-agent 1 | 945 | .Xr ssh-agent 1 |
946 | and (optionally) the | ||
947 | .Cm AddKeysToAgent | ||
948 | directive in | ||
949 | .Xr ssh_config 5 | ||
947 | for more information. | 950 | for more information. |
948 | .Pp | 951 | .Pp |
949 | Challenge-response authentication works as follows: | 952 | Challenge-response authentication works as follows: |
950 | The server sends an arbitrary | 953 | The server sends an arbitrary |
951 | .Qq challenge | 954 | .Qq challenge |
952 | text, and prompts for a response. | 955 | text, and prompts for a response. |
953 | Protocol 2 allows multiple challenges and responses; | ||
954 | protocol 1 is restricted to just one challenge/response. | ||
955 | Examples of challenge-response authentication include | 956 | Examples of challenge-response authentication include |
956 | .Bx | 957 | .Bx |
957 | Authentication (see | 958 | Authentication (see |
@@ -1050,7 +1051,7 @@ at logout when waiting for forwarded connection / X11 sessions to terminate. | |||
1050 | Display a list of escape characters. | 1051 | Display a list of escape characters. |
1051 | .It Cm ~B | 1052 | .It Cm ~B |
1052 | Send a BREAK to the remote system | 1053 | Send a BREAK to the remote system |
1053 | (only useful for SSH protocol version 2 and if the peer supports it). | 1054 | (only useful if the peer supports it). |
1054 | .It Cm ~C | 1055 | .It Cm ~C |
1055 | Open command line. | 1056 | Open command line. |
1056 | Currently this allows the addition of port forwardings using the | 1057 | Currently this allows the addition of port forwardings using the |
@@ -1083,7 +1084,7 @@ Basic help is available, using the | |||
1083 | option. | 1084 | option. |
1084 | .It Cm ~R | 1085 | .It Cm ~R |
1085 | Request rekeying of the connection | 1086 | Request rekeying of the connection |
1086 | (only useful for SSH protocol version 2 and if the peer supports it). | 1087 | (only useful if the peer supports it). |
1087 | .It Cm ~V | 1088 | .It Cm ~V |
1088 | Decrease the verbosity | 1089 | Decrease the verbosity |
1089 | .Pq Ic LogLevel | 1090 | .Pq Ic LogLevel |
@@ -1553,20 +1554,6 @@ The file format and configuration options are described in | |||
1553 | .It Pa /etc/ssh/ssh_host_rsa_key | 1554 | .It Pa /etc/ssh/ssh_host_rsa_key |
1554 | These files contain the private parts of the host keys | 1555 | These files contain the private parts of the host keys |
1555 | and are used for host-based authentication. | 1556 | and are used for host-based authentication. |
1556 | If protocol version 1 is used, | ||
1557 | .Nm | ||
1558 | must be setuid root, since the host key is readable only by root. | ||
1559 | For protocol version 2, | ||
1560 | .Nm | ||
1561 | uses | ||
1562 | .Xr ssh-keysign 8 | ||
1563 | to access the host keys, | ||
1564 | eliminating the requirement that | ||
1565 | .Nm | ||
1566 | be setuid root when host-based authentication is used. | ||
1567 | By default | ||
1568 | .Nm | ||
1569 | is not setuid root. | ||
1570 | .Pp | 1557 | .Pp |
1571 | .It Pa /etc/ssh/ssh_known_hosts | 1558 | .It Pa /etc/ssh/ssh_known_hosts |
1572 | Systemwide list of known host keys. | 1559 | Systemwide list of known host keys. |
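Review bot: deleting 1556-1569 wholesale also drops the part that remains true after protocol 1 is gone, namely that .Nm uses .Xr ssh-keysign 8 to access the root-only host keys for host-based authentication and therefore is not setuid root by default. That is the security-relevant fact in the paragraph (it tells a reader which binary is the privileged helper to audit and why the client itself needs no privilege), and without it the FILES entry no longer explains how an unprivileged client gets at keys it says are readable only by root. Suggest keeping a trimmed version after line 1556, e.g. ".Nm uses .Xr ssh-keysign 8 to access the host keys, so it need not be setuid root."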