summaryrefslogtreecommitdiff
path: root/ssh.1
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2005-05-25 11:01:01 +0000
committerColin Watson <cjwatson@debian.org>2005-05-25 11:01:01 +0000
commite88de75a1a236779a10e8ccbcc51d25308be8840 (patch)
tree7495477a2a7d0cac17a9fcded020b6ea816182ef /ssh.1
parent30a0f9443782cd9d7308acd09430bf586186aa55 (diff)
parent5d05471f6657646d1d6500c7c43134462c407ee6 (diff)
Merge 4.0p1 to the trunk.
Diffstat (limited to 'ssh.1')
-rw-r--r--ssh.1179
1 files changed, 115 insertions, 64 deletions
diff --git a/ssh.1 b/ssh.1
index d08fb0e01..f5df15c04 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: ssh.1,v 1.194 2004/08/12 21:41:13 jakob Exp $ 37.\" $OpenBSD: ssh.1,v 1.205 2005/03/07 23:41:54 jmc Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSH 1 39.Dt SSH 1
40.Os 40.Os
@@ -43,40 +43,35 @@
43.Nd OpenSSH SSH client (remote login program) 43.Nd OpenSSH SSH client (remote login program)
44.Sh SYNOPSIS 44.Sh SYNOPSIS
45.Nm ssh 45.Nm ssh
46.Bk -words
46.Op Fl 1246AaCfgkMNnqsTtVvXxY 47.Op Fl 1246AaCfgkMNnqsTtVvXxY
47.Op Fl b Ar bind_address 48.Op Fl b Ar bind_address
48.Op Fl c Ar cipher_spec 49.Op Fl c Ar cipher_spec
49.Bk -words
50.Op Fl D Ar port 50.Op Fl D Ar port
51.Op Fl e Ar escape_char 51.Op Fl e Ar escape_char
52.Op Fl F Ar configfile 52.Op Fl F Ar configfile
53.Op Fl i Ar identity_file 53.Op Fl i Ar identity_file
54.Oo Fl L Xo 54.Oo Fl L\ \&
55.Sm off 55.Sm off
56.Ar port : 56.Oo Ar bind_address : Oc
57.Ar host : 57.Ar port : host : hostport
58.Ar hostport
59.Sm on 58.Sm on
60.Xc
61.Oc 59.Oc
62.Ek
63.Op Fl l Ar login_name 60.Op Fl l Ar login_name
64.Op Fl m Ar mac_spec 61.Op Fl m Ar mac_spec
62.Op Fl O Ar ctl_cmd
65.Op Fl o Ar option 63.Op Fl o Ar option
66.Bk -words
67.Op Fl p Ar port 64.Op Fl p Ar port
68.Ek 65.Oo Fl R\ \&
69.Oo Fl R Xo
70.Sm off 66.Sm off
71.Ar port : 67.Oo Ar bind_address : Oc
72.Ar host : 68.Ar port : host : hostport
73.Ar hostport
74.Sm on 69.Sm on
75.Xc
76.Oc 70.Oc
77.Op Fl S Ar ctl 71.Op Fl S Ar ctl_path
78.Oo Ar user Ns @ Oc Ns Ar hostname 72.Oo Ar user Ns @ Oc Ns Ar hostname
79.Op Ar command 73.Op Ar command
74.Ek
80.Sh DESCRIPTION 75.Sh DESCRIPTION
81.Nm 76.Nm
82(SSH client) is a program for logging into a remote machine and for 77(SSH client) is a program for logging into a remote machine and for
@@ -103,35 +98,25 @@ is specified,
103.Ar command 98.Ar command
104is executed on the remote host instead of a login shell. 99is executed on the remote host instead of a login shell.
105.Ss SSH protocol version 1 100.Ss SSH protocol version 1
106First, if the machine the user logs in from is listed in 101The first authentication method is the
102.Em rhosts
103or
104.Em hosts.equiv
105method combined with RSA-based host authentication.
106If the machine the user logs in from is listed in
107.Pa /etc/hosts.equiv 107.Pa /etc/hosts.equiv
108or 108or
109.Pa /etc/shosts.equiv 109.Pa /etc/shosts.equiv
110on the remote machine, and the user names are 110on the remote machine, and the user names are
111the same on both sides, the user is immediately permitted to log in. 111the same on both sides, or if the files
112Second, if 112.Pa $HOME/.rhosts
113.Pa .rhosts
114or 113or
115.Pa .shosts 114.Pa $HOME/.shosts
116exists in the user's home directory on the 115exist in the user's home directory on the
117remote machine and contains a line containing the name of the client 116remote machine and contain a line containing the name of the client
118machine and the name of the user on that machine, the user is 117machine and the name of the user on that machine, the user is
119permitted to log in. 118considered for log in.
120This form of authentication alone is normally not 119Additionally, if the server can verify the client's
121allowed by the server because it is not secure.
122.Pp
123The second authentication method is the
124.Em rhosts
125or
126.Em hosts.equiv
127method combined with RSA-based host authentication.
128It means that if the login would be permitted by
129.Pa $HOME/.rhosts ,
130.Pa $HOME/.shosts ,
131.Pa /etc/hosts.equiv ,
132or
133.Pa /etc/shosts.equiv ,
134and if additionally the server can verify the client's
135host key (see 120host key (see
136.Pa /etc/ssh/ssh_known_hosts 121.Pa /etc/ssh/ssh_known_hosts
137and 122and
@@ -147,7 +132,7 @@ spoofing, DNS spoofing and routing spoofing.
147and the rlogin/rsh protocol in general, are inherently insecure and should be 132and the rlogin/rsh protocol in general, are inherently insecure and should be
148disabled if security is desired.] 133disabled if security is desired.]
149.Pp 134.Pp
150As a third authentication method, 135As a second authentication method,
151.Nm 136.Nm
152supports RSA based authentication. 137supports RSA based authentication.
153The scheme is based on public-key cryptography: there are cryptosystems 138The scheme is based on public-key cryptography: there are cryptosystems
@@ -195,9 +180,6 @@ file corresponds to the conventional
195file, and has one key 180file, and has one key
196per line, though the lines can be very long). 181per line, though the lines can be very long).
197After this, the user can log in without giving the password. 182After this, the user can log in without giving the password.
198RSA authentication is much more secure than
199.Em rhosts
200authentication.
201.Pp 183.Pp
202The most convenient way to use RSA authentication may be with an 184The most convenient way to use RSA authentication may be with an
203authentication agent. 185authentication agent.
@@ -582,6 +564,7 @@ configuration files).
582Disables forwarding (delegation) of GSSAPI credentials to the server. 564Disables forwarding (delegation) of GSSAPI credentials to the server.
583.It Fl L Xo 565.It Fl L Xo
584.Sm off 566.Sm off
567.Oo Ar bind_address : Oc
585.Ar port : host : hostport 568.Ar port : host : hostport
586.Sm on 569.Sm on
587.Xc 570.Xc
@@ -589,7 +572,9 @@ Specifies that the given port on the local (client) host is to be
589forwarded to the given host and port on the remote side. 572forwarded to the given host and port on the remote side.
590This works by allocating a socket to listen to 573This works by allocating a socket to listen to
591.Ar port 574.Ar port
592on the local side, and whenever a connection is made to this port, the 575on the local side, optionally bound to the specified
576.Ar bind_address .
577Whenever a connection is made to this port, the
593connection is forwarded over the secure channel, and a connection is 578connection is forwarded over the secure channel, and a connection is
594made to 579made to
595.Ar host 580.Ar host
@@ -597,14 +582,30 @@ port
597.Ar hostport 582.Ar hostport
598from the remote machine. 583from the remote machine.
599Port forwardings can also be specified in the configuration file. 584Port forwardings can also be specified in the configuration file.
600Only root can forward privileged ports.
601IPv6 addresses can be specified with an alternative syntax: 585IPv6 addresses can be specified with an alternative syntax:
602.Sm off 586.Sm off
603.Xo 587.Xo
588.Op Ar bind_address No /
604.Ar port No / Ar host No / 589.Ar port No / Ar host No /
605.Ar hostport . 590.Ar hostport
606.Xc 591.Xc
607.Sm on 592.Sm on
593or by enclosing the address in square brackets.
594Only the superuser can forward privileged ports.
595By default, the local port is bound in accordance with the
596.Cm GatewayPorts
597setting.
598However, an explicit
599.Ar bind_address
600may be used to bind the connection to a specific address.
601The
602.Ar bind_address
603of
604.Dq localhost
605indicates that the listening port be bound for local use only, while an
606empty address or
607.Sq *
608indicates that the port should be available from all interfaces.
608.It Fl l Ar login_name 609.It Fl l Ar login_name
609Specifies the user to log in as on the remote machine. 610Specifies the user to log in as on the remote machine.
610This also may be specified on a per-host basis in the configuration file. 611This also may be specified on a per-host basis in the configuration file.
@@ -650,6 +651,18 @@ program will be put in the background.
650needs to ask for a password or passphrase; see also the 651needs to ask for a password or passphrase; see also the
651.Fl f 652.Fl f
652option.) 653option.)
654.It Fl O Ar ctl_cmd
655Control an active connection multiplexing master process.
656When the
657.Fl O
658option is specified, the
659.Ar ctl_cmd
660argument is interpreted and passed to the master process.
661Valid commands are:
662.Dq check
663(check that the master process is running) and
664.Dq exit
665(request the master to exit).
653.It Fl o Ar option 666.It Fl o Ar option
654Can be used to give options in the format used in the configuration file. 667Can be used to give options in the format used in the configuration file.
655This is useful for specifying options for which there is no separate 668This is useful for specifying options for which there is no separate
@@ -681,6 +694,7 @@ For full details of the options listed below, and their possible values, see
681.It GlobalKnownHostsFile 694.It GlobalKnownHostsFile
682.It GSSAPIAuthentication 695.It GSSAPIAuthentication
683.It GSSAPIDelegateCredentials 696.It GSSAPIDelegateCredentials
697.It HashKnownHosts
684.It Host 698.It Host
685.It HostbasedAuthentication 699.It HostbasedAuthentication
686.It HostKeyAlgorithms 700.It HostKeyAlgorithms
@@ -688,6 +702,7 @@ For full details of the options listed below, and their possible values, see
688.It HostName 702.It HostName
689.It IdentityFile 703.It IdentityFile
690.It IdentitiesOnly 704.It IdentitiesOnly
705.It KbdInteractiveDevices
691.It LocalForward 706.It LocalForward
692.It LogLevel 707.It LogLevel
693.It MACs 708.It MACs
@@ -727,6 +742,7 @@ If a second
727is given then even fatal errors are suppressed. 742is given then even fatal errors are suppressed.
728.It Fl R Xo 743.It Fl R Xo
729.Sm off 744.Sm off
745.Oo Ar bind_address : Oc
730.Ar port : host : hostport 746.Ar port : host : hostport
731.Sm on 747.Sm on
732.Xc 748.Xc
@@ -741,17 +757,36 @@ made to
741port 757port
742.Ar hostport 758.Ar hostport
743from the local machine. 759from the local machine.
760.Pp
744Port forwardings can also be specified in the configuration file. 761Port forwardings can also be specified in the configuration file.
745Privileged ports can be forwarded only when 762Privileged ports can be forwarded only when
746logging in as root on the remote machine. 763logging in as root on the remote machine.
747IPv6 addresses can be specified with an alternative syntax: 764IPv6 addresses can be specified by enclosing the address in square braces or
765using an alternative syntax:
748.Sm off 766.Sm off
749.Xo 767.Xo
750.Ar port No / Ar host No / 768.Op Ar bind_address No /
751.Ar hostport . 769.Ar host No / Ar port No /
752.Xc 770.Ar hostport
771.Xc .
753.Sm on 772.Sm on
754.It Fl S Ar ctl 773.Pp
774By default, the listening socket on the server will be bound to the loopback
775interface only.
776This may be overriden by specifying a
777.Ar bind_address .
778An empty
779.Ar bind_address ,
780or the address
781.Ql * ,
782indicates that the remote socket should listen on all interfaces.
783Specifying a remote
784.Ar bind_address
785will only succeed if the server's
786.Cm GatewayPorts
787option is enabled (see
788.Xr sshd_config 5 ) .
789.It Fl S Ar ctl_path
755Specifies the location of a control socket for connection sharing. 790Specifies the location of a control socket for connection sharing.
756Refer to the description of 791Refer to the description of
757.Cm ControlPath 792.Cm ControlPath
@@ -800,10 +835,23 @@ Users with the ability to bypass file permissions on the remote host
800(for the user's X authorization database) 835(for the user's X authorization database)
801can access the local X11 display through the forwarded connection. 836can access the local X11 display through the forwarded connection.
802An attacker may then be able to perform activities such as keystroke monitoring. 837An attacker may then be able to perform activities such as keystroke monitoring.
838.Pp
839For this reason, X11 forwarding is subjected to X11 SECURITY extension
840restrictions by default.
841Please refer to the
842.Nm
843.Fl Y
844option and the
845.Cm ForwardX11Trusted
846directive in
847.Xr ssh_config 5
848for more information.
803.It Fl x 849.It Fl x
804Disables X11 forwarding. 850Disables X11 forwarding.
805.It Fl Y 851.It Fl Y
806Enables trusted X11 forwarding. 852Enables trusted X11 forwarding.
853Trusted X11 forwardings are not subjected to the X11 SECURITY extension
854controls.
807.El 855.El
808.Sh CONFIGURATION FILES 856.Sh CONFIGURATION FILES
809.Nm 857.Nm
@@ -863,7 +911,7 @@ and open an X11 window to read the passphrase.
863This is particularly useful when calling 911This is particularly useful when calling
864.Nm 912.Nm
865from a 913from a
866.Pa .Xsession 914.Pa .xsession
867or related script. 915or related script.
868(Note that on some machines it 916(Note that on some machines it
869may be necessary to redirect the input from 917may be necessary to redirect the input from
@@ -1016,7 +1064,9 @@ By default
1016is not setuid root. 1064is not setuid root.
1017.It Pa $HOME/.rhosts 1065.It Pa $HOME/.rhosts
1018This file is used in 1066This file is used in
1019.Em rhosts 1067.Cm RhostsRSAAuthentication
1068and
1069.Cm HostbasedAuthentication
1020authentication to list the 1070authentication to list the
1021host/user pairs that are permitted to log in. 1071host/user pairs that are permitted to log in.
1022(Note that this file is 1072(Note that this file is
@@ -1035,12 +1085,10 @@ The recommended
1035permission for most machines is read/write for the user, and not 1085permission for most machines is read/write for the user, and not
1036accessible by others. 1086accessible by others.
1037.Pp 1087.Pp
1038Note that by default 1088Note that
1039.Xr sshd 8 1089.Xr sshd 8
1040will be installed so that it requires successful RSA host 1090allows authentication only in combination with client host key
1041authentication before permitting 1091authentication before permitting log in.
1042.Em rhosts
1043authentication.
1044If the server machine does not have the client's host key in 1092If the server machine does not have the client's host key in
1045.Pa /etc/ssh/ssh_known_hosts , 1093.Pa /etc/ssh/ssh_known_hosts ,
1046it can be stored in 1094it can be stored in
@@ -1053,15 +1101,19 @@ will automatically add the host key to
1053This file is used exactly the same way as 1101This file is used exactly the same way as
1054.Pa .rhosts . 1102.Pa .rhosts .
1055The purpose for 1103The purpose for
1056having this file is to be able to use rhosts authentication with 1104having this file is to be able to use
1057.Nm 1105.Cm RhostsRSAAuthentication
1058without permitting login with 1106and
1107.Cm HostbasedAuthentication
1108authentication without permitting login with
1059.Xr rlogin 1109.Xr rlogin
1060or 1110or
1061.Xr rsh 1 . 1111.Xr rsh 1 .
1062.It Pa /etc/hosts.equiv 1112.It Pa /etc/hosts.equiv
1063This file is used during 1113This file is used during
1064.Em rhosts 1114.Cm RhostsRSAAuthentication
1115and
1116.Cm HostbasedAuthentication
1065authentication. 1117authentication.
1066It contains 1118It contains
1067canonical hosts names, one per line (the full format is described in the 1119canonical hosts names, one per line (the full format is described in the
@@ -1070,8 +1122,7 @@ manual page).
1070If the client host is found in this file, login is 1122If the client host is found in this file, login is
1071automatically permitted provided client and server user names are the 1123automatically permitted provided client and server user names are the
1072same. 1124same.
1073Additionally, successful RSA host authentication is normally 1125Additionally, successful client host key authentication is required.
1074required.
1075This file should only be writable by root. 1126This file should only be writable by root.
1076.It Pa /etc/shosts.equiv 1127.It Pa /etc/shosts.equiv
1077This file is processed exactly as 1128This file is processed exactly as