author | Darren Tucker <dtucker@zip.com.au> | 2003-10-02 16:19:47 +1000 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2003-10-02 16:19:47 +1000 |
commit | 6177695c0b4e5cc3fbcbcbf6d041781465bc4680 (patch) | |
tree | cd37dd65f13618e2cb470dcd761aa3c695336d91 /ssh.1 | |
parent | 8fca6b57b488cb2f8cd71186e0f8e17c431f7980 (diff) |
- jmc@cvs.openbsd.org 2003/09/29 11:40:51
[ssh.1]
- add list of options to -o and .Xr ssh_config(5)
- some other cleanup
requested by deraadt@;
ok deraadt@ markus@
Diffstat (limited to 'ssh.1')
-rw-r--r-- | ssh.1 | 483 |
1 files changed, 275 insertions, 208 deletions
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh.1,v 1.175 2003/07/22 13:35:22 markus Exp $ | 37 | .\" $OpenBSD: ssh.1,v 1.176 2003/09/29 11:40:51 jmc Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH 1 | 39 | .Dt SSH 1 |
40 | .Os | 40 | .Os |
@@ -43,22 +43,14 @@ | |||
43 | .Nd OpenSSH SSH client (remote login program) | 43 | .Nd OpenSSH SSH client (remote login program) |
44 | .Sh SYNOPSIS | 44 | .Sh SYNOPSIS |
45 | .Nm ssh | 45 | .Nm ssh |
46 | .Op Fl l Ar login_name | 46 | .Op Fl 1246AaCfgkNnqsTtVvXx |
47 | .Ar hostname | user@hostname | ||
48 | .Op Ar command | ||
49 | .Pp | ||
50 | .Nm ssh | ||
51 | .Bk -words | ||
52 | .Op Fl afgknqstvxACNTVX1246 | ||
53 | .Op Fl b Ar bind_address | 47 | .Op Fl b Ar bind_address |
54 | .Op Fl c Ar cipher_spec | 48 | .Op Fl c Ar cipher_spec |
49 | .Op Fl D Ar port | ||
55 | .Op Fl e Ar escape_char | 50 | .Op Fl e Ar escape_char |
56 | .Op Fl i Ar identity_file | ||
57 | .Op Fl l Ar login_name | ||
58 | .Op Fl m Ar mac_spec | ||
59 | .Op Fl o Ar option | ||
60 | .Op Fl p Ar port | ||
61 | .Op Fl F Ar configfile | 51 | .Op Fl F Ar configfile |
52 | .Op Fl i Ar identity_file | ||
53 | .Bk -words | ||
62 | .Oo Fl L Xo | 54 | .Oo Fl L Xo |
63 | .Sm off | 55 | .Sm off |
64 | .Ar port : | 56 | .Ar port : |
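Review bot: The reordered SYNOPSIS goes straight from `.Op Fl F Ar configfile` (new line 51) to `.Op Fl i Ar identity_file` (new line 52), so `-I smartcard_device` is still missing from it even though the options list documents `.It Fl I Ar smartcard_device`. Since this change is already sorting the synopsis to match the option list, consider adding `.Op Fl I Ar smartcard_device` between those two lines.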
@@ -68,7 +60,12 @@ | |||
68 | .Xc | 60 | .Xc |
69 | .Oc | 61 | .Oc |
70 | .Ek | 62 | .Ek |
63 | .Op Fl l Ar login_name | ||
64 | .Op Fl m Ar mac_spec | ||
65 | .Op Fl o Ar option | ||
71 | .Bk -words | 66 | .Bk -words |
67 | .Op Fl p Ar port | ||
68 | .Ek | ||
72 | .Oo Fl R Xo | 69 | .Oo Fl R Xo |
73 | .Sm off | 70 | .Sm off |
74 | .Ar port : | 71 | .Ar port : |
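Review bot: The `.Bk -words` kept at new line 66 is now closed by the `.Ek` added at new line 68, so the keep covers only `.Op Fl p Ar port` and the `.Oo Fl R Xo` block that follows is outside any keep, while the `-L` block above is still inside one (closed at new line 62). If the intent is that `-R port:host:hostport` must not be split from its flag, open a keep around the `-R` block as well, or move the `.Ek` below its `.Oc`.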
@@ -77,29 +74,34 @@ | |||
77 | .Sm on | 74 | .Sm on |
78 | .Xc | 75 | .Xc |
79 | .Oc | 76 | .Oc |
80 | .Op Fl D Ar port | 77 | .Oo Ar user Ns @ Oc Ns Ar hostname |
81 | .Ar hostname | user@hostname | ||
82 | .Op Ar command | 78 | .Op Ar command |
83 | .Ek | ||
84 | .Sh DESCRIPTION | 79 | .Sh DESCRIPTION |
85 | .Nm | 80 | .Nm |
86 | (SSH client) is a program for logging into a remote machine and for | 81 | (SSH client) is a program for logging into a remote machine and for |
87 | executing commands on a remote machine. | 82 | executing commands on a remote machine. |
88 | It is intended to replace | 83 | It is intended to replace rlogin and rsh, |
89 | rlogin and rsh, and provide secure encrypted communications between | 84 | and provide secure encrypted communications between |
90 | two untrusted hosts over an insecure network. | 85 | two untrusted hosts over an insecure network. |
91 | X11 connections and | 86 | X11 connections and arbitrary TCP/IP ports |
92 | arbitrary TCP/IP ports can also be forwarded over the secure channel. | 87 | can also be forwarded over the secure channel. |
93 | .Pp | 88 | .Pp |
94 | .Nm | 89 | .Nm |
95 | connects and logs into the specified | 90 | connects and logs into the specified |
96 | .Ar hostname . | 91 | .Ar hostname |
92 | (with optional | ||
93 | .Ar user | ||
94 | name). | ||
97 | The user must prove | 95 | The user must prove |
98 | his/her identity to the remote machine using one of several methods | 96 | his/her identity to the remote machine using one of several methods |
99 | depending on the protocol version used: | 97 | depending on the protocol version used. |
100 | .Pp | 98 | .Pp |
99 | If | ||
100 | .Ar command | ||
101 | is specified, | ||
102 | .Ar command | ||
103 | is executed on the remote host instead of a login shell. | ||
101 | .Ss SSH protocol version 1 | 104 | .Ss SSH protocol version 1 |
102 | .Pp | ||
103 | First, if the machine the user logs in from is listed in | 105 | First, if the machine the user logs in from is listed in |
104 | .Pa /etc/hosts.equiv | 106 | .Pa /etc/hosts.equiv |
105 | or | 107 | or |
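Review bot: The new `command` paragraph (new lines 99-103) lands between "using one of several methods depending on the protocol version used." and `.Ss SSH protocol version 1`, which separates the sentence introducing the authentication methods from the subsections that describe them. Consider moving it up so that it directly follows the `hostname` / `user` sentence (after new line 94), leaving the authentication sentence as the last thing before the protocol subsections.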
@@ -107,9 +109,9 @@ or | |||
107 | on the remote machine, and the user names are | 109 | on the remote machine, and the user names are |
108 | the same on both sides, the user is immediately permitted to log in. | 110 | the same on both sides, the user is immediately permitted to log in. |
109 | Second, if | 111 | Second, if |
110 | .Pa \&.rhosts | 112 | .Pa .rhosts |
111 | or | 113 | or |
112 | .Pa \&.shosts | 114 | .Pa .shosts |
113 | exists in the user's home directory on the | 115 | exists in the user's home directory on the |
114 | remote machine and contains a line containing the name of the client | 116 | remote machine and contains a line containing the name of the client |
115 | machine and the name of the user on that machine, the user is | 117 | machine and the name of the user on that machine, the user is |
@@ -118,9 +120,9 @@ This form of authentication alone is normally not | |||
118 | allowed by the server because it is not secure. | 120 | allowed by the server because it is not secure. |
119 | .Pp | 121 | .Pp |
120 | The second authentication method is the | 122 | The second authentication method is the |
121 | .Pa rhosts | 123 | .Em rhosts |
122 | or | 124 | or |
123 | .Pa hosts.equiv | 125 | .Em hosts.equiv |
124 | method combined with RSA-based host authentication. | 126 | method combined with RSA-based host authentication. |
125 | It means that if the login would be permitted by | 127 | It means that if the login would be permitted by |
126 | .Pa $HOME/.rhosts , | 128 | .Pa $HOME/.rhosts , |
@@ -135,7 +137,7 @@ and | |||
135 | .Pa $HOME/.ssh/known_hosts | 137 | .Pa $HOME/.ssh/known_hosts |
136 | in the | 138 | in the |
137 | .Sx FILES | 139 | .Sx FILES |
138 | section), only then login is permitted. | 140 | section), only then is login permitted. |
139 | This authentication method closes security holes due to IP | 141 | This authentication method closes security holes due to IP |
140 | spoofing, DNS spoofing and routing spoofing. | 142 | spoofing, DNS spoofing and routing spoofing. |
141 | [Note to the administrator: | 143 | [Note to the administrator: |
@@ -154,24 +156,23 @@ RSA is one such system. | |||
154 | The idea is that each user creates a public/private | 156 | The idea is that each user creates a public/private |
155 | key pair for authentication purposes. | 157 | key pair for authentication purposes. |
156 | The server knows the public key, and only the user knows the private key. | 158 | The server knows the public key, and only the user knows the private key. |
159 | .Pp | ||
157 | The file | 160 | The file |
158 | .Pa $HOME/.ssh/authorized_keys | 161 | .Pa $HOME/.ssh/authorized_keys |
159 | lists the public keys that are permitted for logging | 162 | lists the public keys that are permitted for logging in. |
160 | in. | ||
161 | When the user logs in, the | 163 | When the user logs in, the |
162 | .Nm | 164 | .Nm |
163 | program tells the server which key pair it would like to use for | 165 | program tells the server which key pair it would like to use for |
164 | authentication. | 166 | authentication. |
165 | The server checks if this key is permitted, and if | 167 | The server checks if this key is permitted, and if so, |
166 | so, sends the user (actually the | 168 | sends the user (actually the |
167 | .Nm | 169 | .Nm |
168 | program running on behalf of the user) a challenge, a random number, | 170 | program running on behalf of the user) a challenge, a random number, |
169 | encrypted by the user's public key. | 171 | encrypted by the user's public key. |
170 | The challenge can only be | 172 | The challenge can only be decrypted using the proper private key. |
171 | decrypted using the proper private key. | 173 | The user's client then decrypts the challenge using the private key, |
172 | The user's client then decrypts the | 174 | proving that he/she knows the private key |
173 | challenge using the private key, proving that he/she knows the private | 175 | but without disclosing it to the server. |
174 | key but without disclosing it to the server. | ||
175 | .Pp | 176 | .Pp |
176 | .Nm | 177 | .Nm |
177 | implements the RSA authentication protocol automatically. | 178 | implements the RSA authentication protocol automatically. |
@@ -179,7 +180,7 @@ The user creates his/her RSA key pair by running | |||
179 | .Xr ssh-keygen 1 . | 180 | .Xr ssh-keygen 1 . |
180 | This stores the private key in | 181 | This stores the private key in |
181 | .Pa $HOME/.ssh/identity | 182 | .Pa $HOME/.ssh/identity |
182 | and the public key in | 183 | and stores the public key in |
183 | .Pa $HOME/.ssh/identity.pub | 184 | .Pa $HOME/.ssh/identity.pub |
184 | in the user's home directory. | 185 | in the user's home directory. |
185 | The user should then copy the | 186 | The user should then copy the |
@@ -193,8 +194,9 @@ file corresponds to the conventional | |||
193 | file, and has one key | 194 | file, and has one key |
194 | per line, though the lines can be very long). | 195 | per line, though the lines can be very long). |
195 | After this, the user can log in without giving the password. | 196 | After this, the user can log in without giving the password. |
196 | RSA authentication is much | 197 | RSA authentication is much more secure than |
197 | more secure than rhosts authentication. | 198 | .Em rhosts |
199 | authentication. | ||
198 | .Pp | 200 | .Pp |
199 | The most convenient way to use RSA authentication may be with an | 201 | The most convenient way to use RSA authentication may be with an |
200 | authentication agent. | 202 | authentication agent. |
@@ -208,16 +210,14 @@ prompts the user for a password. | |||
208 | The password is sent to the remote | 210 | The password is sent to the remote |
209 | host for checking; however, since all communications are encrypted, | 211 | host for checking; however, since all communications are encrypted, |
210 | the password cannot be seen by someone listening on the network. | 212 | the password cannot be seen by someone listening on the network. |
211 | .Pp | ||
212 | .Ss SSH protocol version 2 | 213 | .Ss SSH protocol version 2 |
213 | .Pp | 214 | When a user connects using protocol version 2, |
214 | When a user connects using protocol version 2 | ||
215 | similar authentication methods are available. | 215 | similar authentication methods are available. |
216 | Using the default values for | 216 | Using the default values for |
217 | .Cm PreferredAuthentications , | 217 | .Cm PreferredAuthentications , |
218 | the client will try to authenticate first using the hostbased method; | 218 | the client will try to authenticate first using the hostbased method; |
219 | if this method fails public key authentication is attempted, | 219 | if this method fails, public key authentication is attempted, |
220 | and finally if this method fails keyboard-interactive and | 220 | and finally if this method fails, keyboard-interactive and |
221 | password authentication are tried. | 221 | password authentication are tried. |
222 | .Pp | 222 | .Pp |
223 | The public key method is similar to RSA authentication described | 223 | The public key method is similar to RSA authentication described |
@@ -233,8 +233,8 @@ and grants access if both the key is found and the signature is correct. | |||
233 | The session identifier is derived from a shared Diffie-Hellman value | 233 | The session identifier is derived from a shared Diffie-Hellman value |
234 | and is only known to the client and the server. | 234 | and is only known to the client and the server. |
235 | .Pp | 235 | .Pp |
236 | If public key authentication fails or is not available a password | 236 | If public key authentication fails or is not available, a password |
237 | can be sent encrypted to the remote host for proving the user's identity. | 237 | can be sent encrypted to the remote host to prove the user's identity. |
238 | .Pp | 238 | .Pp |
239 | Additionally, | 239 | Additionally, |
240 | .Nm | 240 | .Nm |
@@ -245,9 +245,7 @@ Protocol 2 provides additional mechanisms for confidentiality | |||
245 | and integrity (hmac-md5, hmac-sha1). | 245 | and integrity (hmac-md5, hmac-sha1). |
246 | Note that protocol 1 lacks a strong mechanism for ensuring the | 246 | Note that protocol 1 lacks a strong mechanism for ensuring the |
247 | integrity of the connection. | 247 | integrity of the connection. |
248 | .Pp | ||
249 | .Ss Login session and remote execution | 248 | .Ss Login session and remote execution |
250 | .Pp | ||
251 | When the user's identity has been accepted by the server, the server | 249 | When the user's identity has been accepted by the server, the server |
252 | either executes the given command, or logs into the machine and gives | 250 | either executes the given command, or logs into the machine and gives |
253 | the user a normal shell on the remote machine. | 251 | the user a normal shell on the remote machine. |
@@ -257,23 +255,20 @@ the remote command or shell will be automatically encrypted. | |||
257 | If a pseudo-terminal has been allocated (normal login session), the | 255 | If a pseudo-terminal has been allocated (normal login session), the |
258 | user may use the escape characters noted below. | 256 | user may use the escape characters noted below. |
259 | .Pp | 257 | .Pp |
260 | If no pseudo tty has been allocated, the | 258 | If no pseudo-tty has been allocated, |
261 | session is transparent and can be used to reliably transfer binary | 259 | the session is transparent and can be used to reliably transfer binary data. |
262 | data. | ||
263 | On most systems, setting the escape character to | 260 | On most systems, setting the escape character to |
264 | .Dq none | 261 | .Dq none |
265 | will also make the session transparent even if a tty is used. | 262 | will also make the session transparent even if a tty is used. |
266 | .Pp | 263 | .Pp |
267 | The session terminates when the command or shell on the remote | 264 | The session terminates when the command or shell on the remote |
268 | machine exits and all X11 and TCP/IP connections have been closed. | 265 | machine exits and all X11 and TCP/IP connections have been closed. |
269 | The exit status of the remote program is returned as the exit status | 266 | The exit status of the remote program is returned as the exit status of |
270 | of | ||
271 | .Nm ssh . | 267 | .Nm ssh . |
272 | .Pp | ||
273 | .Ss Escape Characters | 268 | .Ss Escape Characters |
274 | .Pp | 269 | When a pseudo-terminal has been requested, |
275 | When a pseudo terminal has been requested, ssh supports a number of functions | 270 | .Nm |
276 | through the use of an escape character. | 271 | supports a number of functions through the use of an escape character. |
277 | .Pp | 272 | .Pp |
278 | A single tilde character can be sent as | 273 | A single tilde character can be sent as |
279 | .Ic ~~ | 274 | .Ic ~~ |
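Review bot: Terminology is still mixed after the cleanup: new line 258 says "pseudo-tty" while new line 269 and the context at new line 255 say "pseudo-terminal", and new line 262 uses plain "tty". Since both changed lines are being rehyphenated anyway, use "pseudo-terminal" at new line 258 as well so the section uses one term.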
@@ -291,37 +286,37 @@ The supported escapes (assuming the default | |||
291 | are: | 286 | are: |
292 | .Bl -tag -width Ds | 287 | .Bl -tag -width Ds |
293 | .It Cm ~. | 288 | .It Cm ~. |
294 | Disconnect | 289 | Disconnect. |
295 | .It Cm ~^Z | 290 | .It Cm ~^Z |
296 | Background ssh | 291 | Background |
292 | .Nm ssh . | ||
297 | .It Cm ~# | 293 | .It Cm ~# |
298 | List forwarded connections | 294 | List forwarded connections. |
299 | .It Cm ~& | 295 | .It Cm ~& |
300 | Background ssh at logout when waiting for forwarded connection / X11 sessions | 296 | Background |
301 | to terminate | 297 | .Nm |
298 | at logout when waiting for forwarded connection / X11 sessions to terminate. | ||
302 | .It Cm ~? | 299 | .It Cm ~? |
303 | Display a list of escape characters | 300 | Display a list of escape characters. |
304 | .It Cm ~B | 301 | .It Cm ~B |
305 | Send a BREAK to the remote system (only useful for SSH protocol version 2 | 302 | Send a BREAK to the remote system |
306 | and if the peer supports it) | 303 | (only useful for SSH protocol version 2 and if the peer supports it). |
307 | .It Cm ~C | 304 | .It Cm ~C |
308 | Open command line (only useful for adding port forwardings using the | 305 | Open command line (only useful for adding port forwardings using the |
309 | .Fl L | 306 | .Fl L |
310 | and | 307 | and |
311 | .Fl R | 308 | .Fl R |
312 | options) | 309 | options). |
313 | .It Cm ~R | 310 | .It Cm ~R |
314 | Request rekeying of the connection (only useful for SSH protocol version 2 | 311 | Request rekeying of the connection |
315 | and if the peer supports it) | 312 | (only useful for SSH protocol version 2 and if the peer supports it). |
316 | .El | 313 | .El |
317 | .Pp | ||
318 | .Ss X11 and TCP forwarding | 314 | .Ss X11 and TCP forwarding |
319 | .Pp | ||
320 | If the | 315 | If the |
321 | .Cm ForwardX11 | 316 | .Cm ForwardX11 |
322 | variable is set to | 317 | variable is set to |
323 | .Dq yes | 318 | .Dq yes |
324 | (or, see the description of the | 319 | (or see the description of the |
325 | .Fl X | 320 | .Fl X |
326 | and | 321 | and |
327 | .Fl x | 322 | .Fl x |
@@ -342,8 +337,7 @@ The | |||
342 | .Ev DISPLAY | 337 | .Ev DISPLAY |
343 | value set by | 338 | value set by |
344 | .Nm | 339 | .Nm |
345 | will point to the server machine, but with a display number greater | 340 | will point to the server machine, but with a display number greater than zero. |
346 | than zero. | ||
347 | This is normal, and happens because | 341 | This is normal, and happens because |
348 | .Nm | 342 | .Nm |
349 | creates a | 343 | creates a |
@@ -364,7 +358,7 @@ If the | |||
364 | .Cm ForwardAgent | 358 | .Cm ForwardAgent |
365 | variable is set to | 359 | variable is set to |
366 | .Dq yes | 360 | .Dq yes |
367 | (or, see the description of the | 361 | (or see the description of the |
368 | .Fl A | 362 | .Fl A |
369 | and | 363 | and |
370 | .Fl a | 364 | .Fl a |
@@ -376,9 +370,7 @@ Forwarding of arbitrary TCP/IP connections over the secure channel can | |||
376 | be specified either on the command line or in a configuration file. | 370 | be specified either on the command line or in a configuration file. |
377 | One possible application of TCP/IP forwarding is a secure connection to an | 371 | One possible application of TCP/IP forwarding is a secure connection to an |
378 | electronic purse; another is going through firewalls. | 372 | electronic purse; another is going through firewalls. |
379 | .Pp | ||
380 | .Ss Server authentication | 373 | .Ss Server authentication |
381 | .Pp | ||
382 | .Nm | 374 | .Nm |
383 | automatically maintains and checks a database containing | 375 | automatically maintains and checks a database containing |
384 | identifications for all hosts it has ever been used with. | 376 | identifications for all hosts it has ever been used with. |
@@ -389,14 +381,12 @@ Additionally, the file | |||
389 | .Pa /etc/ssh/ssh_known_hosts | 381 | .Pa /etc/ssh/ssh_known_hosts |
390 | is automatically checked for known hosts. | 382 | is automatically checked for known hosts. |
391 | Any new hosts are automatically added to the user's file. | 383 | Any new hosts are automatically added to the user's file. |
392 | If a host's identification | 384 | If a host's identification ever changes, |
393 | ever changes, | ||
394 | .Nm | 385 | .Nm |
395 | warns about this and disables password authentication to prevent a | 386 | warns about this and disables password authentication to prevent a |
396 | trojan horse from getting the user's password. | 387 | trojan horse from getting the user's password. |
397 | Another purpose of | 388 | Another purpose of this mechanism is to prevent man-in-the-middle attacks |
398 | this mechanism is to prevent man-in-the-middle attacks which could | 389 | which could otherwise be used to circumvent the encryption. |
399 | otherwise be used to circumvent the encryption. | ||
400 | The | 390 | The |
401 | .Cm StrictHostKeyChecking | 391 | .Cm StrictHostKeyChecking |
402 | option can be used to prevent logins to machines whose | 392 | option can be used to prevent logins to machines whose |
@@ -404,8 +394,22 @@ host key is not known or has changed. | |||
404 | .Pp | 394 | .Pp |
405 | The options are as follows: | 395 | The options are as follows: |
406 | .Bl -tag -width Ds | 396 | .Bl -tag -width Ds |
407 | .It Fl a | 397 | .It Fl 1 |
408 | Disables forwarding of the authentication agent connection. | 398 | Forces |
399 | .Nm | ||
400 | to try protocol version 1 only. | ||
401 | .It Fl 2 | ||
402 | Forces | ||
403 | .Nm | ||
404 | to try protocol version 2 only. | ||
405 | .It Fl 4 | ||
406 | Forces | ||
407 | .Nm | ||
408 | to use IPv4 addresses only. | ||
409 | .It Fl 6 | ||
410 | Forces | ||
411 | .Nm | ||
412 | to use IPv6 addresses only. | ||
409 | .It Fl A | 413 | .It Fl A |
410 | Enables forwarding of the authentication agent connection. | 414 | Enables forwarding of the authentication agent connection. |
411 | This can also be specified on a per-host basis in a configuration file. | 415 | This can also be specified on a per-host basis in a configuration file. |
@@ -417,10 +421,28 @@ can access the local agent through the forwarded connection. | |||
417 | An attacker cannot obtain key material from the agent, | 421 | An attacker cannot obtain key material from the agent, |
418 | however they can perform operations on the keys that enable them to | 422 | however they can perform operations on the keys that enable them to |
419 | authenticate using the identities loaded into the agent. | 423 | authenticate using the identities loaded into the agent. |
424 | .It Fl a | ||
425 | Disables forwarding of the authentication agent connection. | ||
420 | .It Fl b Ar bind_address | 426 | .It Fl b Ar bind_address |
421 | Specify the interface to transmit from on machines with multiple | 427 | Specify the interface to transmit from on machines with multiple |
422 | interfaces or aliased addresses. | 428 | interfaces or aliased addresses. |
423 | .It Fl c Ar blowfish|3des|des | 429 | .It Fl C |
430 | Requests compression of all data (including stdin, stdout, stderr, and | ||
431 | data for forwarded X11 and TCP/IP connections). | ||
432 | The compression algorithm is the same used by | ||
433 | .Xr gzip 1 , | ||
434 | and the | ||
435 | .Dq level | ||
436 | can be controlled by the | ||
437 | .Cm CompressionLevel | ||
438 | option for protocol version 1. | ||
439 | Compression is desirable on modem lines and other | ||
440 | slow connections, but will only slow down things on fast networks. | ||
441 | The default value can be set on a host-by-host basis in the | ||
442 | configuration files; see the | ||
443 | .Cm Compression | ||
444 | option. | ||
445 | .It Fl c Ar blowfish | 3des | des | ||
424 | Selects the cipher to use for encrypting the session. | 446 | Selects the cipher to use for encrypting the session. |
425 | .Ar 3des | 447 | .Ar 3des |
426 | is used by default. | 448 | is used by default. |
@@ -428,7 +450,7 @@ It is believed to be secure. | |||
428 | .Ar 3des | 450 | .Ar 3des |
429 | (triple-des) is an encrypt-decrypt-encrypt triple with three different keys. | 451 | (triple-des) is an encrypt-decrypt-encrypt triple with three different keys. |
430 | .Ar blowfish | 452 | .Ar blowfish |
431 | is a fast block cipher, it appears very secure and is much faster than | 453 | is a fast block cipher; it appears very secure and is much faster than |
432 | .Ar 3des . | 454 | .Ar 3des . |
433 | .Ar des | 455 | .Ar des |
434 | is only supported in the | 456 | is only supported in the |
@@ -444,18 +466,41 @@ be specified in order of preference. | |||
444 | See | 466 | See |
445 | .Cm Ciphers | 467 | .Cm Ciphers |
446 | for more information. | 468 | for more information. |
447 | .It Fl e Ar ch|^ch|none | 469 | .It Fl D Ar port |
470 | Specifies a local | ||
471 | .Dq dynamic | ||
472 | application-level port forwarding. | ||
473 | This works by allocating a socket to listen to | ||
474 | .Ar port | ||
475 | on the local side, and whenever a connection is made to this port, the | ||
476 | connection is forwarded over the secure channel, and the application | ||
477 | protocol is then used to determine where to connect to from the | ||
478 | remote machine. | ||
479 | Currently the SOCKS4 and SOCKS5 protocols are supported, and | ||
480 | .Nm | ||
481 | will act as a SOCKS server. | ||
482 | Only root can forward privileged ports. | ||
483 | Dynamic port forwardings can also be specified in the configuration file. | ||
484 | .It Fl e Ar ch | ^ch | none | ||
448 | Sets the escape character for sessions with a pty (default: | 485 | Sets the escape character for sessions with a pty (default: |
449 | .Ql ~ ) . | 486 | .Ql ~ ) . |
450 | The escape character is only recognized at the beginning of a line. | 487 | The escape character is only recognized at the beginning of a line. |
451 | The escape character followed by a dot | 488 | The escape character followed by a dot |
452 | .Pq Ql \&. | 489 | .Pq Ql \&. |
453 | closes the connection, followed | 490 | closes the connection; |
454 | by control-Z suspends the connection, and followed by itself sends the | 491 | followed by control-Z suspends the connection; |
455 | escape character once. | 492 | and followed by itself sends the escape character once. |
456 | Setting the character to | 493 | Setting the character to |
457 | .Dq none | 494 | .Dq none |
458 | disables any escapes and makes the session fully transparent. | 495 | disables any escapes and makes the session fully transparent. |
496 | .It Fl F Ar configfile | ||
497 | Specifies an alternative per-user configuration file. | ||
498 | If a configuration file is given on the command line, | ||
499 | the system-wide configuration file | ||
500 | .Pq Pa /etc/ssh/ssh_config | ||
501 | will be ignored. | ||
502 | The default for the per-user configuration file is | ||
503 | .Pa $HOME/.ssh/config . | ||
459 | .It Fl f | 504 | .It Fl f |
460 | Requests | 505 | Requests |
461 | .Nm | 506 | .Nm |
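Review bot: The `-D` entry (new lines 469-483) says a socket is allocated to listen on `port` on the local side and that ssh then acts as a SOCKS server, but it does not say whether hosts other than the client machine can connect to that listener. A cross-reference to `-g`, described just below as allowing remote hosts to connect to local forwarded ports, or to the `GatewayPorts` keyword from the new `-o` list, would tell the reader what controls that exposure.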
@@ -471,6 +516,12 @@ something like | |||
471 | .Ic ssh -f host xterm . | 516 | .Ic ssh -f host xterm . |
472 | .It Fl g | 517 | .It Fl g |
473 | Allows remote hosts to connect to local forwarded ports. | 518 | Allows remote hosts to connect to local forwarded ports. |
519 | .It Fl I Ar smartcard_device | ||
520 | Specifies which smartcard device to use. | ||
521 | The argument is the device | ||
522 | .Nm | ||
523 | should use to communicate with a smartcard used for storing the user's | ||
524 | private RSA key. | ||
474 | .It Fl i Ar identity_file | 525 | .It Fl i Ar identity_file |
475 | Selects a file from which the identity (private key) for | 526 | Selects a file from which the identity (private key) for |
476 | RSA or DSA authentication is read. | 527 | RSA or DSA authentication is read. |
@@ -487,15 +538,34 @@ It is possible to have multiple | |||
487 | .Fl i | 538 | .Fl i |
488 | options (and multiple identities specified in | 539 | options (and multiple identities specified in |
489 | configuration files). | 540 | configuration files). |
490 | .It Fl I Ar smartcard_device | ||
491 | Specifies which smartcard device to use. | ||
492 | The argument is the device | ||
493 | .Nm | ||
494 | should use to communicate with a smartcard used for storing the user's | ||
495 | private RSA key. | ||
496 | .It Fl k | 541 | .It Fl k |
497 | Disables forwarding of Kerberos tickets. | 542 | Disables forwarding of Kerberos tickets. |
498 | This may also be specified on a per-host basis in the configuration file. | 543 | This may also be specified on a per-host basis in the configuration file. |
544 | .It Fl L Xo | ||
545 | .Sm off | ||
546 | .Ar port : host : hostport | ||
547 | .Sm on | ||
548 | .Xc | ||
549 | Specifies that the given port on the local (client) host is to be | ||
550 | forwarded to the given host and port on the remote side. | ||
551 | This works by allocating a socket to listen to | ||
552 | .Ar port | ||
553 | on the local side, and whenever a connection is made to this port, the | ||
554 | connection is forwarded over the secure channel, and a connection is | ||
555 | made to | ||
556 | .Ar host | ||
557 | port | ||
558 | .Ar hostport | ||
559 | from the remote machine. | ||
560 | Port forwardings can also be specified in the configuration file. | ||
561 | Only root can forward privileged ports. | ||
562 | IPv6 addresses can be specified with an alternative syntax: | ||
563 | .Sm off | ||
564 | .Xo | ||
565 | .Ar port No / Ar host No / | ||
566 | .Ar hostport . | ||
567 | .Xc | ||
568 | .Sm on | ||
499 | .It Fl l Ar login_name | 569 | .It Fl l Ar login_name |
500 | Specifies the user to log in as on the remote machine. | 570 | Specifies the user to log in as on the remote machine. |
501 | This also may be specified on a per-host basis in the configuration file. | 571 | This also may be specified on a per-host basis in the configuration file. |
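Review bot: In the `-L` entry (new lines 549-559), "a connection is made to host port hostport from the remote machine" does not say that this last leg, from the remote machine to `host`, is made outside the secure channel. Because `host` can be a third machine, it would help to state that only the traffic between the client and the server is protected by the SSH connection.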
@@ -506,6 +576,10 @@ be specified in order of preference. | |||
506 | See the | 576 | See the |
507 | .Cm MACs | 577 | .Cm MACs |
508 | keyword for more information. | 578 | keyword for more information. |
579 | .It Fl N | ||
580 | Do not execute a remote command. | ||
581 | This is useful for just forwarding ports | ||
582 | (protocol version 2 only). | ||
509 | .It Fl n | 583 | .It Fl n |
510 | Redirects stdin from | 584 | Redirects stdin from |
511 | .Pa /dev/null | 585 | .Pa /dev/null |
@@ -526,14 +600,64 @@ program will be put in the background. | |||
526 | needs to ask for a password or passphrase; see also the | 600 | needs to ask for a password or passphrase; see also the |
527 | .Fl f | 601 | .Fl f |
528 | option.) | 602 | option.) |
529 | .It Fl N | ||
530 | Do not execute a remote command. | ||
531 | This is useful for just forwarding ports | ||
532 | (protocol version 2 only). | ||
533 | .It Fl o Ar option | 603 | .It Fl o Ar option |
534 | Can be used to give options in the format used in the configuration file. | 604 | Can be used to give options in the format used in the configuration file. |
535 | This is useful for specifying options for which there is no separate | 605 | This is useful for specifying options for which there is no separate |
536 | command-line flag. | 606 | command-line flag. |
607 | For full details of the options listed below, and their possible values, see | ||
608 | .Xr ssh_config 5 . | ||
609 | .Pp | ||
610 | .Bl -tag -width Ds -offset indent -compact | ||
611 | .It AddressFamily | ||
612 | .It BatchMode | ||
613 | .It BindAddress | ||
614 | .It ChallengeResponseAuthentication | ||
615 | .It CheckHostIP | ||
616 | .It Cipher | ||
617 | .It Ciphers | ||
618 | .It ClearAllForwardings | ||
619 | .It Compression | ||
620 | .It CompressionLevel | ||
621 | .It ConnectionAttempts | ||
622 | .It ConnectionTimeout | ||
623 | .It DynamicForward | ||
624 | .It EnableSSHKeysign | ||
625 | .It EscapeChar | ||
626 | .It ForwardAgent | ||
627 | .It ForwardX11 | ||
628 | .It GatewayPorts | ||
629 | .It GlobalKnownHostsFile | ||
630 | .It GSSAPIAuthentication | ||
631 | .It GSSAPIDelegateCredentials | ||
632 | .It Host | ||
633 | .It HostbasedAuthentication | ||
634 | .It HostKeyAlgorithms | ||
635 | .It HostKeyAlias | ||
636 | .It HostName | ||
637 | .It IdentityFile | ||
638 | .It KeepAlive | ||
639 | .It LocalForward | ||
640 | .It LogLevel | ||
641 | .It MACs | ||
642 | .It NoHostAuthenticationForLocalhost | ||
643 | .It NumberOfPasswordPrompts | ||
644 | .It PasswordAuthentication | ||
645 | .It Port | ||
646 | .It PreferredAuthentications | ||
647 | .It Protocol | ||
648 | .It ProxyCommand | ||
649 | .It PubkeyAuthentication | ||
650 | .It RemoteForward | ||
651 | .It RhostsRSAAuthentication | ||
652 | .It RSAAuthentication | ||
653 | .It SmartcardDevice | ||
654 | .It StrictHostKeyChecking | ||
655 | .It UsePrivilegedPort | ||
656 | .It User | ||
657 | .It UserKnownHostsFile | ||
658 | .It VerifyHostKeyDNS | ||
659 | .It XAuthLocation | ||
660 | .El | ||
537 | .It Fl p Ar port | 661 | .It Fl p Ar port |
538 | Port to connect to on the remote host. | 662 | Port to connect to on the remote host. |
539 | This can be specified on a | 663 | This can be specified on a |
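Review bot: ".It ConnectionTimeout" (new line 622) names an option that ssh_config(5) does not define; the keyword is ConnectTimeout, so a reader who copies the listed name into -o has it rejected as an unknown option instead of getting a connection timeout. Change the entry to ".It ConnectTimeout". Because the list is maintained by hand, it is worth comparing every name against the keyword table in readconf.c before this goes in.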
@@ -541,11 +665,40 @@ per-host basis in the configuration file. | |||
541 | .It Fl q | 665 | .It Fl q |
542 | Quiet mode. | 666 | Quiet mode. |
543 | Causes all warning and diagnostic messages to be suppressed. | 667 | Causes all warning and diagnostic messages to be suppressed. |
668 | .It Fl R Xo | ||
669 | .Sm off | ||
670 | .Ar port : host : hostport | ||
671 | .Sm on | ||
672 | .Xc | ||
673 | Specifies that the given port on the remote (server) host is to be | ||
674 | forwarded to the given host and port on the local side. | ||
675 | This works by allocating a socket to listen to | ||
676 | .Ar port | ||
677 | on the remote side, and whenever a connection is made to this port, the | ||
678 | connection is forwarded over the secure channel, and a connection is | ||
679 | made to | ||
680 | .Ar host | ||
681 | port | ||
682 | .Ar hostport | ||
683 | from the local machine. | ||
684 | Port forwardings can also be specified in the configuration file. | ||
685 | Privileged ports can be forwarded only when | ||
686 | logging in as root on the remote machine. | ||
687 | IPv6 addresses can be specified with an alternative syntax: | ||
688 | .Sm off | ||
689 | .Xo | ||
690 | .Ar port No / Ar host No / | ||
691 | .Ar hostport . | ||
692 | .Xc | ||
693 | .Sm on | ||
544 | .It Fl s | 694 | .It Fl s |
545 | May be used to request invocation of a subsystem on the remote system. | 695 | May be used to request invocation of a subsystem on the remote system. |
546 | Subsystems are a feature of the SSH2 protocol which facilitate the use | 696 | Subsystems are a feature of the SSH2 protocol which facilitate the use |
547 | of SSH as a secure transport for other applications (eg. sftp). | 697 | of SSH as a secure transport for other applications (eg.\& |
698 | .Xr sftp 1 ) . | ||
548 | The subsystem is specified as the remote command. | 699 | The subsystem is specified as the remote command. |
700 | .It Fl T | ||
701 | Disable pseudo-tty allocation. | ||
549 | .It Fl t | 702 | .It Fl t |
550 | Force pseudo-tty allocation. | 703 | Force pseudo-tty allocation. |
551 | This can be used to execute arbitrary | 704 | This can be used to execute arbitrary |
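Review bot: the -R text (new lines 673-683) says a socket is allocated to listen on port on the remote side but never says which address that socket binds to, and that detail decides who can reach the forwarded service. The server controls this with GatewayPorts in sshd_config(5); a one-sentence pointer after "from the local machine." would close the gap. Minor, in the -s entry: "eg.\&" would read better as "e.g.\&".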
@@ -556,8 +709,8 @@ Multiple | |||
556 | options force tty allocation, even if | 709 | options force tty allocation, even if |
557 | .Nm | 710 | .Nm |
558 | has no local tty. | 711 | has no local tty. |
559 | .It Fl T | 712 | .It Fl V |
560 | Disable pseudo-tty allocation. | 713 | Display the version number and exit. |
561 | .It Fl v | 714 | .It Fl v |
562 | Verbose mode. | 715 | Verbose mode. |
563 | Causes | 716 | Causes |
@@ -569,10 +722,6 @@ Multiple | |||
569 | .Fl v | 722 | .Fl v |
570 | options increase the verbosity. | 723 | options increase the verbosity. |
571 | The maximum is 3. | 724 | The maximum is 3. |
572 | .It Fl V | ||
573 | Display the version number and exit. | ||
574 | .It Fl x | ||
575 | Disables X11 forwarding. | ||
576 | .It Fl X | 725 | .It Fl X |
577 | Enables X11 forwarding. | 726 | Enables X11 forwarding. |
578 | This can also be specified on a per-host basis in a configuration file. | 727 | This can also be specified on a per-host basis in a configuration file. |
@@ -582,94 +731,8 @@ Users with the ability to bypass file permissions on the remote host | |||
582 | (for the user's X authorization database) | 731 | (for the user's X authorization database) |
583 | can access the local X11 display through the forwarded connection. | 732 | can access the local X11 display through the forwarded connection. |
584 | An attacker may then be able to perform activities such as keystroke monitoring. | 733 | An attacker may then be able to perform activities such as keystroke monitoring. |
585 | .It Fl C | 734 | .It Fl x |
586 | Requests compression of all data (including stdin, stdout, stderr, and | 735 | Disables X11 forwarding. |
587 | data for forwarded X11 and TCP/IP connections). | ||
588 | The compression algorithm is the same used by | ||
589 | .Xr gzip 1 , | ||
590 | and the | ||
591 | .Dq level | ||
592 | can be controlled by the | ||
593 | .Cm CompressionLevel | ||
594 | option for protocol version 1. | ||
595 | Compression is desirable on modem lines and other | ||
596 | slow connections, but will only slow down things on fast networks. | ||
597 | The default value can be set on a host-by-host basis in the | ||
598 | configuration files; see the | ||
599 | .Cm Compression | ||
600 | option. | ||
601 | .It Fl F Ar configfile | ||
602 | Specifies an alternative per-user configuration file. | ||
603 | If a configuration file is given on the command line, | ||
604 | the system-wide configuration file | ||
605 | .Pq Pa /etc/ssh/ssh_config | ||
606 | will be ignored. | ||
607 | The default for the per-user configuration file is | ||
608 | .Pa $HOME/.ssh/config . | ||
609 | .It Fl L Ar port:host:hostport | ||
610 | Specifies that the given port on the local (client) host is to be | ||
611 | forwarded to the given host and port on the remote side. | ||
612 | This works by allocating a socket to listen to | ||
613 | .Ar port | ||
614 | on the local side, and whenever a connection is made to this port, the | ||
615 | connection is forwarded over the secure channel, and a connection is | ||
616 | made to | ||
617 | .Ar host | ||
618 | port | ||
619 | .Ar hostport | ||
620 | from the remote machine. | ||
621 | Port forwardings can also be specified in the configuration file. | ||
622 | Only root can forward privileged ports. | ||
623 | IPv6 addresses can be specified with an alternative syntax: | ||
624 | .Ar port/host/hostport | ||
625 | .It Fl R Ar port:host:hostport | ||
626 | Specifies that the given port on the remote (server) host is to be | ||
627 | forwarded to the given host and port on the local side. | ||
628 | This works by allocating a socket to listen to | ||
629 | .Ar port | ||
630 | on the remote side, and whenever a connection is made to this port, the | ||
631 | connection is forwarded over the secure channel, and a connection is | ||
632 | made to | ||
633 | .Ar host | ||
634 | port | ||
635 | .Ar hostport | ||
636 | from the local machine. | ||
637 | Port forwardings can also be specified in the configuration file. | ||
638 | Privileged ports can be forwarded only when | ||
639 | logging in as root on the remote machine. | ||
640 | IPv6 addresses can be specified with an alternative syntax: | ||
641 | .Ar port/host/hostport | ||
642 | .It Fl D Ar port | ||
643 | Specifies a local | ||
644 | .Dq dynamic | ||
645 | application-level port forwarding. | ||
646 | This works by allocating a socket to listen to | ||
647 | .Ar port | ||
648 | on the local side, and whenever a connection is made to this port, the | ||
649 | connection is forwarded over the secure channel, and the application | ||
650 | protocol is then used to determine where to connect to from the | ||
651 | remote machine. | ||
652 | Currently the SOCKS4 and SOCKS5 protocols are supported, and | ||
653 | .Nm | ||
654 | will act as a SOCKS server. | ||
655 | Only root can forward privileged ports. | ||
656 | Dynamic port forwardings can also be specified in the configuration file. | ||
657 | .It Fl 1 | ||
658 | Forces | ||
659 | .Nm | ||
660 | to try protocol version 1 only. | ||
661 | .It Fl 2 | ||
662 | Forces | ||
663 | .Nm | ||
664 | to try protocol version 2 only. | ||
665 | .It Fl 4 | ||
666 | Forces | ||
667 | .Nm | ||
668 | to use IPv4 addresses only. | ||
669 | .It Fl 6 | ||
670 | Forces | ||
671 | .Nm | ||
672 | to use IPv6 addresses only. | ||
673 | .El | 736 | .El |
674 | .Sh CONFIGURATION FILES | 737 | .Sh CONFIGURATION FILES |
675 | .Nm | 738 | .Nm |
@@ -680,7 +743,7 @@ The file format and configuration options are described in | |||
680 | .Sh ENVIRONMENT | 743 | .Sh ENVIRONMENT |
681 | .Nm | 744 | .Nm |
682 | will normally set the following environment variables: | 745 | will normally set the following environment variables: |
683 | .Bl -tag -width Ds | 746 | .Bl -tag -width LOGNAME |
684 | .It Ev DISPLAY | 747 | .It Ev DISPLAY |
685 | The | 748 | The |
686 | .Ev DISPLAY | 749 | .Ev DISPLAY |
@@ -690,7 +753,7 @@ It is automatically set by | |||
690 | to point to a value of the form | 753 | to point to a value of the form |
691 | .Dq hostname:n | 754 | .Dq hostname:n |
692 | where hostname indicates | 755 | where hostname indicates |
693 | the host where the shell runs, and n is an integer >= 1. | 756 | the host where the shell runs, and n is an integer \*(Ge 1. |
694 | .Nm | 757 | .Nm |
695 | uses this special value to forward X11 connections over the secure | 758 | uses this special value to forward X11 connections over the secure |
696 | channel. | 759 | channel. |
@@ -768,7 +831,7 @@ and adds lines of the format | |||
768 | .Dq VARNAME=value | 831 | .Dq VARNAME=value |
769 | to the environment if the file exists and if users are allowed to | 832 | to the environment if the file exists and if users are allowed to |
770 | change their environment. | 833 | change their environment. |
771 | See the | 834 | For more information, see the |
772 | .Cm PermitUserEnvironment | 835 | .Cm PermitUserEnvironment |
773 | option in | 836 | option in |
774 | .Xr sshd_config 5 . | 837 | .Xr sshd_config 5 . |
@@ -797,7 +860,7 @@ Contains the public key for authentication (public part of the | |||
797 | identity file in human-readable form). | 860 | identity file in human-readable form). |
798 | The contents of the | 861 | The contents of the |
799 | .Pa $HOME/.ssh/identity.pub | 862 | .Pa $HOME/.ssh/identity.pub |
800 | file should be added to | 863 | file should be added to the file |
801 | .Pa $HOME/.ssh/authorized_keys | 864 | .Pa $HOME/.ssh/authorized_keys |
802 | on all machines | 865 | on all machines |
803 | where the user wishes to log in using protocol version 1 RSA authentication. | 866 | where the user wishes to log in using protocol version 1 RSA authentication. |
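Review bot: the added "the file" on new line 863 makes the sentence read "The contents of the $HOME/.ssh/identity.pub file should be added to the file $HOME/.ssh/authorized_keys", with "file" twice around two .Pa arguments. Keep the old "file should be added to", or drop the first "file" instead, so the sentence names each path once.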
@@ -823,7 +886,8 @@ Lists the public keys (RSA/DSA) that can be used for logging in as this user. | |||
823 | The format of this file is described in the | 886 | The format of this file is described in the |
824 | .Xr sshd 8 | 887 | .Xr sshd 8 |
825 | manual page. | 888 | manual page. |
826 | In the simplest form the format is the same as the .pub | 889 | In the simplest form the format is the same as the |
890 | .Pa .pub | ||
827 | identity files. | 891 | identity files. |
828 | This file is not highly sensitive, but the recommended | 892 | This file is not highly sensitive, but the recommended |
829 | permissions are read/write for the user, and not accessible by others. | 893 | permissions are read/write for the user, and not accessible by others. |
@@ -839,7 +903,7 @@ by spaces): system name, public key and optional comment field. | |||
839 | When different names are used | 903 | When different names are used |
840 | for the same machine, all such names should be listed, separated by | 904 | for the same machine, all such names should be listed, separated by |
841 | commas. | 905 | commas. |
842 | The format is described on the | 906 | The format is described in the |
843 | .Xr sshd 8 | 907 | .Xr sshd 8 |
844 | manual page. | 908 | manual page. |
845 | .Pp | 909 | .Pp |
@@ -879,7 +943,7 @@ By default | |||
879 | is not setuid root. | 943 | is not setuid root. |
880 | .It Pa $HOME/.rhosts | 944 | .It Pa $HOME/.rhosts |
881 | This file is used in | 945 | This file is used in |
882 | .Pa \&.rhosts | 946 | .Em rhosts |
883 | authentication to list the | 947 | authentication to list the |
884 | host/user pairs that are permitted to log in. | 948 | host/user pairs that are permitted to log in. |
885 | (Note that this file is | 949 | (Note that this file is |
@@ -901,7 +965,9 @@ accessible by others. | |||
901 | Note that by default | 965 | Note that by default |
902 | .Xr sshd 8 | 966 | .Xr sshd 8 |
903 | will be installed so that it requires successful RSA host | 967 | will be installed so that it requires successful RSA host |
904 | authentication before permitting \s+2.\s0rhosts authentication. | 968 | authentication before permitting |
969 | .Em rhosts | ||
970 | authentication. | ||
905 | If the server machine does not have the client's host key in | 971 | If the server machine does not have the client's host key in |
906 | .Pa /etc/ssh/ssh_known_hosts , | 972 | .Pa /etc/ssh/ssh_known_hosts , |
907 | it can be stored in | 973 | it can be stored in |
@@ -912,21 +978,20 @@ will automatically add the host key to | |||
912 | .Pa $HOME/.ssh/known_hosts . | 978 | .Pa $HOME/.ssh/known_hosts . |
913 | .It Pa $HOME/.shosts | 979 | .It Pa $HOME/.shosts |
914 | This file is used exactly the same way as | 980 | This file is used exactly the same way as |
915 | .Pa \&.rhosts . | 981 | .Pa .rhosts . |
916 | The purpose for | 982 | The purpose for |
917 | having this file is to be able to use rhosts authentication with | 983 | having this file is to be able to use rhosts authentication with |
918 | .Nm | 984 | .Nm |
919 | without permitting login with | 985 | without permitting login with |
920 | .Nm rlogin | 986 | .Xr rlogin |
921 | or | 987 | or |
922 | .Xr rsh 1 . | 988 | .Xr rsh 1 . |
923 | .It Pa /etc/hosts.equiv | 989 | .It Pa /etc/hosts.equiv |
924 | This file is used during | 990 | This file is used during |
925 | .Pa \&.rhosts | 991 | .Em rhosts |
926 | authentication. | 992 | authentication. |
927 | It contains | 993 | It contains |
928 | canonical hosts names, one per line (the full format is described on | 994 | canonical hosts names, one per line (the full format is described in the |
929 | the | ||
930 | .Xr sshd 8 | 995 | .Xr sshd 8 |
931 | manual page). | 996 | manual page). |
932 | If the client host is found in this file, login is | 997 | If the client host is found in this file, login is |
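Review bot: ".Xr rlogin" on new line 986 has no section argument, unlike ".Xr rsh 1 ." two lines below it, so it is not a complete manual cross-reference; make it ".Xr rlogin 1". The rewritten line 994 also carries over "canonical hosts names", which should read "canonical host names" while the line is being touched anyway.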
@@ -966,6 +1031,7 @@ above. | |||
966 | exits with the exit status of the remote command or with 255 | 1031 | exits with the exit status of the remote command or with 255 |
967 | if an error occurred. | 1032 | if an error occurred. |
968 | .Sh SEE ALSO | 1033 | .Sh SEE ALSO |
1034 | .Xr gzip 1 , | ||
969 | .Xr rsh 1 , | 1035 | .Xr rsh 1 , |
970 | .Xr scp 1 , | 1036 | .Xr scp 1 , |
971 | .Xr sftp 1 , | 1037 | .Xr sftp 1 , |
@@ -973,6 +1039,7 @@ if an error occurred. | |||
973 | .Xr ssh-agent 1 , | 1039 | .Xr ssh-agent 1 , |
974 | .Xr ssh-keygen 1 , | 1040 | .Xr ssh-keygen 1 , |
975 | .Xr telnet 1 , | 1041 | .Xr telnet 1 , |
1042 | .Xr hosts.equiv 5 , | ||
976 | .Xr ssh_config 5 , | 1043 | .Xr ssh_config 5 , |
977 | .Xr ssh-keysign 8 , | 1044 | .Xr ssh-keysign 8 , |
978 | .Xr sshd 8 | 1045 | .Xr sshd 8 |