diff options
author | Colin Watson <cjwatson@debian.org> | 2009-12-29 21:38:40 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2009-12-29 21:38:40 +0000 |
commit | 1b816ea846aca3ee89e7995373ace609e9518424 (patch) | |
tree | b41cdc8495cae7fa9c2e0f98a5f2e71656b61f9a /ssh.1 | |
parent | fa585019a79ebcb4e0202b1c33f87ff1c5c9ce1c (diff) | |
parent | 086ea76990b1e6287c24b6db74adffd4605eb3b0 (diff) |
import openssh-4.6p1-gsskex-20070312.patch
Diffstat (limited to 'ssh.1')
-rw-r--r-- | ssh.1 | 146 |
1 files changed, 110 insertions, 36 deletions
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh.1,v 1.253 2006/01/30 13:37:49 jmc Exp $ | 37 | .\" $OpenBSD: ssh.1,v 1.266 2006/12/11 21:25:46 markus Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH 1 | 39 | .Dt SSH 1 |
40 | .Os | 40 | .Os |
@@ -78,7 +78,8 @@ | |||
78 | .Oc | 78 | .Oc |
79 | .Op Fl S Ar ctl_path | 79 | .Op Fl S Ar ctl_path |
80 | .Bk -words | 80 | .Bk -words |
81 | .Op Fl w Ar tunnel : Ns Ar tunnel | 81 | .Oo Fl w Ar local_tun Ns |
82 | .Op : Ns Ar remote_tun Oc | ||
82 | .Oo Ar user Ns @ Oc Ns Ar hostname | 83 | .Oo Ar user Ns @ Oc Ns Ar hostname |
83 | .Op Ar command | 84 | .Op Ar command |
84 | .Ek | 85 | .Ek |
@@ -448,6 +449,7 @@ For full details of the options listed below, and their possible values, see | |||
448 | .It ControlPath | 449 | .It ControlPath |
449 | .It DynamicForward | 450 | .It DynamicForward |
450 | .It EscapeChar | 451 | .It EscapeChar |
452 | .It ExitOnForwardFailure | ||
451 | .It ForwardAgent | 453 | .It ForwardAgent |
452 | .It ForwardX11 | 454 | .It ForwardX11 |
453 | .It ForwardX11Trusted | 455 | .It ForwardX11Trusted |
@@ -569,7 +571,7 @@ Disable pseudo-tty allocation. | |||
569 | Force pseudo-tty allocation. | 571 | Force pseudo-tty allocation. |
570 | This can be used to execute arbitrary | 572 | This can be used to execute arbitrary |
571 | screen-based programs on a remote machine, which can be very useful, | 573 | screen-based programs on a remote machine, which can be very useful, |
572 | e.g., when implementing menu services. | 574 | e.g. when implementing menu services. |
573 | Multiple | 575 | Multiple |
574 | .Fl t | 576 | .Fl t |
575 | options force tty allocation, even if | 577 | options force tty allocation, even if |
@@ -588,24 +590,35 @@ Multiple | |||
588 | .Fl v | 590 | .Fl v |
589 | options increase the verbosity. | 591 | options increase the verbosity. |
590 | The maximum is 3. | 592 | The maximum is 3. |
591 | .It Fl w Ar tunnel : Ns Ar tunnel | 593 | .It Fl w Xo |
592 | Requests a | 594 | .Ar local_tun Ns Op : Ns Ar remote_tun |
595 | .Xc | ||
596 | Requests | ||
597 | tunnel | ||
598 | device forwarding with the specified | ||
593 | .Xr tun 4 | 599 | .Xr tun 4 |
594 | device on the client | 600 | devices between the client |
595 | (first | 601 | .Pq Ar local_tun |
596 | .Ar tunnel | 602 | and the server |
597 | arg) | 603 | .Pq Ar remote_tun . |
598 | and server | 604 | .Pp |
599 | (second | ||
600 | .Ar tunnel | ||
601 | arg). | ||
602 | The devices may be specified by numerical ID or the keyword | 605 | The devices may be specified by numerical ID or the keyword |
603 | .Dq any , | 606 | .Dq any , |
604 | which uses the next available tunnel device. | 607 | which uses the next available tunnel device. |
608 | If | ||
609 | .Ar remote_tun | ||
610 | is not specified, it defaults to | ||
611 | .Dq any . | ||
605 | See also the | 612 | See also the |
606 | .Cm Tunnel | 613 | .Cm Tunnel |
607 | directive in | 614 | and |
615 | .Cm TunnelDevice | ||
616 | directives in | ||
608 | .Xr ssh_config 5 . | 617 | .Xr ssh_config 5 . |
618 | If the | ||
619 | .Cm Tunnel | ||
620 | directive is unset, it is set to the default tunnel mode, which is | ||
621 | .Dq point-to-point . | ||
609 | .It Fl X | 622 | .It Fl X |
610 | Enables X11 forwarding. | 623 | Enables X11 forwarding. |
611 | This can also be specified on a per-host basis in a configuration file. | 624 | This can also be specified on a per-host basis in a configuration file. |
@@ -666,6 +679,7 @@ Protocol 1 lacks a strong mechanism for ensuring the | |||
666 | integrity of the connection. | 679 | integrity of the connection. |
667 | .Pp | 680 | .Pp |
668 | The methods available for authentication are: | 681 | The methods available for authentication are: |
682 | GSSAPI-based authentication, | ||
669 | host-based authentication, | 683 | host-based authentication, |
670 | public key authentication, | 684 | public key authentication, |
671 | challenge-response authentication, | 685 | challenge-response authentication, |
@@ -872,7 +886,9 @@ and | |||
872 | options (see above). | 886 | options (see above). |
873 | It also allows the cancellation of existing remote port-forwardings | 887 | It also allows the cancellation of existing remote port-forwardings |
874 | using | 888 | using |
875 | .Fl KR Ar hostport . | 889 | .Sm off |
890 | .Fl KR Oo Ar bind_address : Oc Ar port . | ||
891 | .Sm on | ||
876 | .Ic !\& Ns Ar command | 892 | .Ic !\& Ns Ar command |
877 | allows the user to execute a local command if the | 893 | allows the user to execute a local command if the |
878 | .Ic PermitLocalCommand | 894 | .Ic PermitLocalCommand |
@@ -1025,8 +1041,7 @@ In this example, we are connecting a client to a server, | |||
1025 | The SSHFP resource records should first be added to the zonefile for | 1041 | The SSHFP resource records should first be added to the zonefile for |
1026 | host.example.com: | 1042 | host.example.com: |
1027 | .Bd -literal -offset indent | 1043 | .Bd -literal -offset indent |
1028 | $ ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r host.example.com. | 1044 | $ ssh-keygen -r host.example.com. |
1029 | $ ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r host.example.com. | ||
1030 | .Ed | 1045 | .Ed |
1031 | .Pp | 1046 | .Pp |
1032 | The output lines will have to be added to the zonefile. | 1047 | The output lines will have to be added to the zonefile. |
@@ -1062,12 +1077,22 @@ controls whether the server supports this, | |||
1062 | and at what level (layer 2 or 3 traffic). | 1077 | and at what level (layer 2 or 3 traffic). |
1063 | .Pp | 1078 | .Pp |
1064 | The following example would connect client network 10.0.50.0/24 | 1079 | The following example would connect client network 10.0.50.0/24 |
1065 | with remote network 10.0.99.0/24, provided that the SSH server | 1080 | with remote network 10.0.99.0/24 using a point-to-point connection |
1066 | running on the gateway to the remote network, | 1081 | from 10.1.1.1 to 10.1.1.2, |
1067 | at 192.168.1.15, allows it: | 1082 | provided that the SSH server running on the gateway to the remote network, |
1083 | at 192.168.1.15, allows it. | ||
1084 | .Pp | ||
1085 | On the client: | ||
1068 | .Bd -literal -offset indent | 1086 | .Bd -literal -offset indent |
1069 | # ssh -f -w 0:1 192.168.1.15 true | 1087 | # ssh -f -w 0:1 192.168.1.15 true |
1070 | # ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252 | 1088 | # ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252 |
1089 | # route add 10.0.99.0/24 10.1.1.2 | ||
1090 | .Ed | ||
1091 | .Pp | ||
1092 | On the server: | ||
1093 | .Bd -literal -offset indent | ||
1094 | # ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252 | ||
1095 | # route add 10.0.50.0/24 10.1.1.1 | ||
1071 | .Ed | 1096 | .Ed |
1072 | .Pp | 1097 | .Pp |
1073 | Client access may be more finely tuned via the | 1098 | Client access may be more finely tuned via the |
@@ -1075,11 +1100,11 @@ Client access may be more finely tuned via the | |||
1075 | file (see below) and the | 1100 | file (see below) and the |
1076 | .Cm PermitRootLogin | 1101 | .Cm PermitRootLogin |
1077 | server option. | 1102 | server option. |
1078 | The following entry would permit connections on the first | 1103 | The following entry would permit connections on |
1079 | .Xr tun 4 | 1104 | .Xr tun 4 |
1080 | device from user | 1105 | device 1 from user |
1081 | .Dq jane | 1106 | .Dq jane |
1082 | and on the second device from user | 1107 | and on tun device 2 from user |
1083 | .Dq john , | 1108 | .Dq john , |
1084 | if | 1109 | if |
1085 | .Cm PermitRootLogin | 1110 | .Cm PermitRootLogin |
@@ -1087,10 +1112,10 @@ is set to | |||
1087 | .Dq forced-commands-only : | 1112 | .Dq forced-commands-only : |
1088 | .Bd -literal -offset 2n | 1113 | .Bd -literal -offset 2n |
1089 | tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane | 1114 | tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane |
1090 | tunnel="2",command="sh /etc/netstart tun1" ssh-rsa ... john | 1115 | tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john |
1091 | .Ed | 1116 | .Ed |
1092 | .Pp | 1117 | .Pp |
1093 | Since a SSH-based setup entails a fair amount of overhead, | 1118 | Since an SSH-based setup entails a fair amount of overhead, |
1094 | it may be more suited to temporary setups, | 1119 | it may be more suited to temporary setups, |
1095 | such as for wireless VPNs. | 1120 | such as for wireless VPNs. |
1096 | More permanent VPNs are better provided by tools such as | 1121 | More permanent VPNs are better provided by tools such as |
@@ -1178,7 +1203,7 @@ If the current session has no tty, | |||
1178 | this variable is not set. | 1203 | this variable is not set. |
1179 | .It Ev TZ | 1204 | .It Ev TZ |
1180 | This variable is set to indicate the present time zone if it | 1205 | This variable is set to indicate the present time zone if it |
1181 | was set when the daemon was started (i.e., the daemon passes the value | 1206 | was set when the daemon was started (i.e. the daemon passes the value |
1182 | on to new connections). | 1207 | on to new connections). |
1183 | .It Ev USER | 1208 | .It Ev USER |
1184 | Set to the name of the user logging in. | 1209 | Set to the name of the user logging in. |
@@ -1339,15 +1364,64 @@ manual page for more information. | |||
1339 | .Xr ssh-keysign 8 , | 1364 | .Xr ssh-keysign 8 , |
1340 | .Xr sshd 8 | 1365 | .Xr sshd 8 |
1341 | .Rs | 1366 | .Rs |
1342 | .%A T. Ylonen | 1367 | .%R RFC 4250 |
1343 | .%A T. Kivinen | 1368 | .%T "The Secure Shell (SSH) Protocol Assigned Numbers" |
1344 | .%A M. Saarinen | 1369 | .%D 2006 |
1345 | .%A T. Rinne | 1370 | .Re |
1346 | .%A S. Lehtinen | 1371 | .Rs |
1347 | .%T "SSH Protocol Architecture" | 1372 | .%R RFC 4251 |
1348 | .%N draft-ietf-secsh-architecture-12.txt | 1373 | .%T "The Secure Shell (SSH) Protocol Architecture" |
1349 | .%D January 2002 | 1374 | .%D 2006 |
1350 | .%O work in progress material | 1375 | .Re |
1376 | .Rs | ||
1377 | .%R RFC 4252 | ||
1378 | .%T "The Secure Shell (SSH) Authentication Protocol" | ||
1379 | .%D 2006 | ||
1380 | .Re | ||
1381 | .Rs | ||
1382 | .%R RFC 4253 | ||
1383 | .%T "The Secure Shell (SSH) Transport Layer Protocol" | ||
1384 | .%D 2006 | ||
1385 | .Re | ||
1386 | .Rs | ||
1387 | .%R RFC 4254 | ||
1388 | .%T "The Secure Shell (SSH) Connection Protocol" | ||
1389 | .%D 2006 | ||
1390 | .Re | ||
1391 | .Rs | ||
1392 | .%R RFC 4255 | ||
1393 | .%T "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints" | ||
1394 | .%D 2006 | ||
1395 | .Re | ||
1396 | .Rs | ||
1397 | .%R RFC 4256 | ||
1398 | .%T "Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)" | ||
1399 | .%D 2006 | ||
1400 | .Re | ||
1401 | .Rs | ||
1402 | .%R RFC 4335 | ||
1403 | .%T "The Secure Shell (SSH) Session Channel Break Extension" | ||
1404 | .%D 2006 | ||
1405 | .Re | ||
1406 | .Rs | ||
1407 | .%R RFC 4344 | ||
1408 | .%T "The Secure Shell (SSH) Transport Layer Encryption Modes" | ||
1409 | .%D 2006 | ||
1410 | .Re | ||
1411 | .Rs | ||
1412 | .%R RFC 4345 | ||
1413 | .%T "Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol" | ||
1414 | .%D 2006 | ||
1415 | .Re | ||
1416 | .Rs | ||
1417 | .%R RFC 4419 | ||
1418 | .%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol" | ||
1419 | .%D 2006 | ||
1420 | .Re | ||
1421 | .Rs | ||
1422 | .%R RFC 4716 | ||
1423 | .%T "The Secure Shell (SSH) Public Key File Format" | ||
1424 | .%D 2006 | ||
1351 | .Re | 1425 | .Re |
1352 | .Sh AUTHORS | 1426 | .Sh AUTHORS |
1353 | OpenSSH is a derivative of the original and free | 1427 | OpenSSH is a derivative of the original and free |