author    Colin Watson <cjwatson@debian.org>  2007-06-12 16:16:35 +0000
committer Colin Watson <cjwatson@debian.org>  2007-06-12 16:16:35 +0000
commit    b7e40fa9da0b5491534a429dadb321eab5a77558 (patch)
tree      bed1da11e9f829925797aa093e379fc0b5868ecd /ssh.1
parent    4f84beedf1005e44ff33c854abd6b711ffc0adb7 (diff)
parent    086ea76990b1e6287c24b6db74adffd4605eb3b0 (diff)
* New upstream release (closes: #395507, #397961, #420035). Important
  changes not previously backported to 4.3p2:
  - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4):
    + On portable OpenSSH, fix a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms.
    + Implemented conditional configuration in sshd_config(5) using the "Match" directive. This allows some configuration options to be selectively overridden if specific criteria (based on user, group, hostname and/or address) are met. So far a useful subset of post-authentication options are supported and more are expected to be added in future releases.
    + Add support for Diffie-Hellman group exchange key agreement with a final hash of SHA256.
    + Added a "ForceCommand" directive to sshd_config(5). Similar to the command="..." option accepted in ~/.ssh/authorized_keys, this forces the execution of the specified command regardless of what the user requested. This is very useful in conjunction with the new "Match" option.
    + Add a "PermitOpen" directive to sshd_config(5). This mirrors the permitopen="..." authorized_keys option, allowing fine-grained control over the port-forwardings that a user is allowed to establish.
    + Add optional logging of transactions to sftp-server(8).
    + ssh(1) will now record port numbers for hosts stored in ~/.ssh/known_hosts when a non-standard port has been requested (closes: #50612).
    + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a non-zero exit code) when requested port forwardings could not be established.
    + Extend sshd_config(5) "SubSystem" declarations to allow the specification of command-line arguments.
    + Replacement of all integer overflow susceptible invocations of malloc(3) and realloc(3) with overflow-checking equivalents.
    + Many manpage fixes and improvements.
    + Add optional support for OpenSSL hardware accelerators (engines), enabled using the --with-ssl-engine configure option.
    + Tokens in configuration files may be double-quoted in order to contain spaces (closes: #319639).
    + Move a debug() call out of a SIGCHLD handler, fixing a hang when the session exits very quickly (closes: #307890).
    + Fix some incorrect buffer allocation calculations (closes: #410599).
    + ssh-add doesn't ask for a passphrase if key file permissions are too liberal (closes: #103677).
    + Likewise, ssh doesn't ask either (closes: #99675).
  - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6):
    + sshd now allows the enabling and disabling of authentication methods on a per user, group, host and network basis via the Match directive in sshd_config.
    + Fixed an inconsistent check for a terminal when displaying scp progress meter (closes: #257524).
    + Fix "hang on exit" when background processes are running at the time of exit on a ttyful/login session (closes: #88337).
* Update to current GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch; install ChangeLog.gssapi.
Diffstat (limited to 'ssh.1')
-rw-r--r--  ssh.1  146
1 files changed, 110 insertions, 36 deletions
diff --git a/ssh.1 b/ssh.1
index b1662d7ac..04326e654 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: ssh.1,v 1.253 2006/01/30 13:37:49 jmc Exp $ 37.\" $OpenBSD: ssh.1,v 1.266 2006/12/11 21:25:46 markus Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSH 1 39.Dt SSH 1
40.Os 40.Os
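Review bot: The .Dd line at 38 stays at "September 25, 1999" while the RCS id on line 37 moves from 1.253 to 1.266; since the hunks below change the -w option syntax, the list of authentication methods and the whole reference list, bump the document date so a reader of the rendered page can tell it describes 4.6 behaviour.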
@@ -78,7 +78,8 @@
78.Oc 78.Oc
79.Op Fl S Ar ctl_path 79.Op Fl S Ar ctl_path
80.Bk -words 80.Bk -words
81.Op Fl w Ar tunnel : Ns Ar tunnel 81.Oo Fl w Ar local_tun Ns
82.Op : Ns Ar remote_tun Oc
82.Oo Ar user Ns @ Oc Ns Ar hostname 83.Oo Ar user Ns @ Oc Ns Ar hostname
83.Op Ar command 84.Op Ar command
84.Ek 85.Ek
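Review bot: The nested .Op inside .Oo ... .Oc on lines 81-82 renders the -w argument as [-w local_tun[:remote_tun]], which matches the "defaults to any" rule added in the description below; one thing to check in the rendered output is the line break after the trailing .Ns on line 81, since the no-space join has to carry across to the ":" on line 82 and a stray space before the colon would make the synopsis disagree with the description.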
@@ -450,6 +451,7 @@ For full details of the options listed below, and their possible values, see
450.It ControlPath 451.It ControlPath
451.It DynamicForward 452.It DynamicForward
452.It EscapeChar 453.It EscapeChar
454.It ExitOnForwardFailure
453.It ForwardAgent 455.It ForwardAgent
454.It ForwardX11 456.It ForwardX11
455.It ForwardX11Trusted 457.It ForwardX11Trusted
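Review bot: ExitOnForwardFailure is inserted at line 454 in the correct alphabetical position, but this list only points at ssh_config(5) for the details ("For full details of the options listed below ... see"), so the matching ssh_config(5) entry has to land in the same upload or the cross-reference dangles.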
@@ -575,7 +577,7 @@ Disable pseudo-tty allocation.
575Force pseudo-tty allocation. 577Force pseudo-tty allocation.
576This can be used to execute arbitrary 578This can be used to execute arbitrary
577screen-based programs on a remote machine, which can be very useful, 579screen-based programs on a remote machine, which can be very useful,
578e.g., when implementing menu services. 580e.g. when implementing menu services.
579Multiple 581Multiple
580.Fl t 582.Fl t
581options force tty allocation, even if 583options force tty allocation, even if
@@ -594,24 +596,35 @@ Multiple
594.Fl v 596.Fl v
595options increase the verbosity. 597options increase the verbosity.
596The maximum is 3. 598The maximum is 3.
597.It Fl w Ar tunnel : Ns Ar tunnel 599.It Fl w Xo
598Requests a 600.Ar local_tun Ns Op : Ns Ar remote_tun
601.Xc
602Requests
603tunnel
604device forwarding with the specified
599.Xr tun 4 605.Xr tun 4
600device on the client 606devices between the client
601(first 607.Pq Ar local_tun
602.Ar tunnel 608and the server
603arg) 609.Pq Ar remote_tun .
604and server 610.Pp
605(second
606.Ar tunnel
607arg).
608The devices may be specified by numerical ID or the keyword 611The devices may be specified by numerical ID or the keyword
609.Dq any , 612.Dq any ,
610which uses the next available tunnel device. 613which uses the next available tunnel device.
614If
615.Ar remote_tun
616is not specified, it defaults to
617.Dq any .
611See also the 618See also the
612.Cm Tunnel 619.Cm Tunnel
613directive in 620and
621.Cm TunnelDevice
622directives in
614.Xr ssh_config 5 . 623.Xr ssh_config 5 .
624If the
625.Cm Tunnel
626directive is unset, it is set to the default tunnel mode, which is
627.Dq point-to-point .
615.It Fl X 628.It Fl X
616Enables X11 forwarding. 629Enables X11 forwarding.
617This can also be specified on a per-host basis in a configuration file. 630This can also be specified on a per-host basis in a configuration file.
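Review bot: Lines 602-604 split "Requests tunnel device forwarding with the specified" into three source lines of one or two words each; mdoc fills them into a single sentence, but the fragments look like leftovers from deleting the old "(first tunnel arg) ... (second tunnel arg)" parenthetical and should be joined onto one line. The new defaults stated on lines 614-617 and 624-627 (remote_tun defaults to "any", an unset Tunnel directive means "point-to-point") agree with the synopsis hunk; it would help to add here that the server side must also allow the forwarding, which the VPN example later only implies with "provided that the SSH server ... allows it".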
@@ -672,6 +685,7 @@ Protocol 1 lacks a strong mechanism for ensuring the
672integrity of the connection. 685integrity of the connection.
673.Pp 686.Pp
674The methods available for authentication are: 687The methods available for authentication are:
688GSSAPI-based authentication,
675host-based authentication, 689host-based authentication,
676public key authentication, 690public key authentication,
677challenge-response authentication, 691challenge-response authentication,
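Review bot: "GSSAPI-based authentication" is prepended to the method list on line 688 with no other change in this hunk; the other entries (host-based, public key, challenge-response, ...) are each explained in the text that follows this list, so check that a GSSAPI paragraph exists there too, or qualify the entry as depending on the build, which is what the commit message's "On portable OpenSSH ... GSSAPI authentication abort" item implies.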
@@ -878,7 +892,9 @@ and
878options (see above). 892options (see above).
879It also allows the cancellation of existing remote port-forwardings 893It also allows the cancellation of existing remote port-forwardings
880using 894using
881.Fl KR Ar hostport . 895.Sm off
896.Fl KR Oo Ar bind_address : Oc Ar port .
897.Sm on
882.Ic !\& Ns Ar command 898.Ic !\& Ns Ar command
883allows the user to execute a local command if the 899allows the user to execute a local command if the
884.Ic PermitLocalCommand 900.Ic PermitLocalCommand
@@ -1031,8 +1047,7 @@ In this example, we are connecting a client to a server,
1031The SSHFP resource records should first be added to the zonefile for 1047The SSHFP resource records should first be added to the zonefile for
1032host.example.com: 1048host.example.com:
1033.Bd -literal -offset indent 1049.Bd -literal -offset indent
1034$ ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r host.example.com. 1050$ ssh-keygen -r host.example.com.
1035$ ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r host.example.com.
1036.Ed 1051.Ed
1037.Pp 1052.Pp
1038The output lines will have to be added to the zonefile. 1053The output lines will have to be added to the zonefile.
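Review bot: The example on line 1050 drops the explicit -f paths and the separate DSA invocation in favour of a single "ssh-keygen -r host.example.com.", so the sentence on line 1053 ("The output lines will have to be added to the zonefile") should say that one command now emits a record for each host key found, otherwise a reader of the old text may think only the RSA key is being published in DNS.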
@@ -1068,12 +1083,22 @@ controls whether the server supports this,
1068and at what level (layer 2 or 3 traffic). 1083and at what level (layer 2 or 3 traffic).
1069.Pp 1084.Pp
1070The following example would connect client network 10.0.50.0/24 1085The following example would connect client network 10.0.50.0/24
1071with remote network 10.0.99.0/24, provided that the SSH server 1086with remote network 10.0.99.0/24 using a point-to-point connection
1072running on the gateway to the remote network, 1087from 10.1.1.1 to 10.1.1.2,
1073at 192.168.1.15, allows it: 1088provided that the SSH server running on the gateway to the remote network,
1089at 192.168.1.15, allows it.
1090.Pp
1091On the client:
1074.Bd -literal -offset indent 1092.Bd -literal -offset indent
1075# ssh -f -w 0:1 192.168.1.15 true 1093# ssh -f -w 0:1 192.168.1.15 true
1076# ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252 1094# ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
1095# route add 10.0.99.0/24 10.1.1.2
1096.Ed
1097.Pp
1098On the server:
1099.Bd -literal -offset indent
1100# ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252
1101# route add 10.0.50.0/24 10.1.1.1
1077.Ed 1102.Ed
1078.Pp 1103.Pp
1079Client access may be more finely tuned via the 1104Client access may be more finely tuned via the
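Review bot: The added client and server commands on lines 1092-1102 use OpenBSD-style ifconfig and route syntax ("ifconfig tun0 10.1.1.1 10.1.1.2 netmask ...", "route add 10.0.99.0/24 10.1.1.2"); because this is the portable tree as packaged for Debian, a sentence noting that the commands are OpenBSD-specific and that other systems use their own interface and routing tools would save copy-paste failures. The interface numbering is consistent with the new -w semantics: "-w 0:1" requests local tun0 and remote tun1, and the server block configures tun1 with the mirrored /30 addresses.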
@@ -1081,11 +1106,11 @@ Client access may be more finely tuned via the
1081file (see below) and the 1106file (see below) and the
1082.Cm PermitRootLogin 1107.Cm PermitRootLogin
1083server option. 1108server option.
1084The following entry would permit connections on the first 1109The following entry would permit connections on
1085.Xr tun 4 1110.Xr tun 4
1086device from user 1111device 1 from user
1087.Dq jane 1112.Dq jane
1088and on the second device from user 1113and on tun device 2 from user
1089.Dq john , 1114.Dq john ,
1090if 1115if
1091.Cm PermitRootLogin 1116.Cm PermitRootLogin
@@ -1093,10 +1118,10 @@ is set to
1093.Dq forced-commands-only : 1118.Dq forced-commands-only :
1094.Bd -literal -offset 2n 1119.Bd -literal -offset 2n
1095tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane 1120tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
1096tunnel="2",command="sh /etc/netstart tun1" ssh-rsa ... john 1121tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john
1097.Ed 1122.Ed
1098.Pp 1123.Pp
1099Since a SSH-based setup entails a fair amount of overhead, 1124Since an SSH-based setup entails a fair amount of overhead,
1100it may be more suited to temporary setups, 1125it may be more suited to temporary setups,
1101such as for wireless VPNs. 1126such as for wireless VPNs.
1102More permanent VPNs are better provided by tools such as 1127More permanent VPNs are better provided by tools such as
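Review bot: The tun1 to tun2 correction on line 1121 fixes a real bug in the example rather than a typo in prose: with the old text john's forced command would have configured jane's interface despite tunnel="2", so it deserves a mention in the changelog since users copy these authorized_keys lines verbatim. The "a SSH-based" to "an SSH-based" change on line 1124 is fine.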
@@ -1184,7 +1209,7 @@ If the current session has no tty,
1184this variable is not set. 1209this variable is not set.
1185.It Ev TZ 1210.It Ev TZ
1186This variable is set to indicate the present time zone if it 1211This variable is set to indicate the present time zone if it
1187was set when the daemon was started (i.e., the daemon passes the value 1212was set when the daemon was started (i.e. the daemon passes the value
1188on to new connections). 1213on to new connections).
1189.It Ev USER 1214.It Ev USER
1190Set to the name of the user logging in. 1215Set to the name of the user logging in.
@@ -1348,15 +1373,64 @@ manual page for more information.
1348.Xr ssh-keysign 8 , 1373.Xr ssh-keysign 8 ,
1349.Xr sshd 8 1374.Xr sshd 8
1350.Rs 1375.Rs
1351.%A T. Ylonen 1376.%R RFC 4250
1352.%A T. Kivinen 1377.%T "The Secure Shell (SSH) Protocol Assigned Numbers"
1353.%A M. Saarinen 1378.%D 2006
1354.%A T. Rinne 1379.Re
1355.%A S. Lehtinen 1380.Rs
1356.%T "SSH Protocol Architecture" 1381.%R RFC 4251
1357.%N draft-ietf-secsh-architecture-12.txt 1382.%T "The Secure Shell (SSH) Protocol Architecture"
1358.%D January 2002 1383.%D 2006
1359.%O work in progress material 1384.Re
1385.Rs
1386.%R RFC 4252
1387.%T "The Secure Shell (SSH) Authentication Protocol"
1388.%D 2006
1389.Re
1390.Rs
1391.%R RFC 4253
1392.%T "The Secure Shell (SSH) Transport Layer Protocol"
1393.%D 2006
1394.Re
1395.Rs
1396.%R RFC 4254
1397.%T "The Secure Shell (SSH) Connection Protocol"
1398.%D 2006
1399.Re
1400.Rs
1401.%R RFC 4255
1402.%T "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints"
1403.%D 2006
1404.Re
1405.Rs
1406.%R RFC 4256
1407.%T "Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)"
1408.%D 2006
1409.Re
1410.Rs
1411.%R RFC 4335
1412.%T "The Secure Shell (SSH) Session Channel Break Extension"
1413.%D 2006
1414.Re
1415.Rs
1416.%R RFC 4344
1417.%T "The Secure Shell (SSH) Transport Layer Encryption Modes"
1418.%D 2006
1419.Re
1420.Rs
1421.%R RFC 4345
1422.%T "Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol"
1423.%D 2006
1424.Re
1425.Rs
1426.%R RFC 4419
1427.%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol"
1428.%D 2006
1429.Re
1430.Rs
1431.%R RFC 4716
1432.%T "The Secure Shell (SSH) Public Key File Format"
1433.%D 2006
1360.Re 1434.Re
1361.Sh AUTHORS 1435.Sh AUTHORS
1362OpenSSH is a derivative of the original and free 1436OpenSSH is a derivative of the original and free
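Review bot: The new reference list on lines 1375-1434 covers RFCs 4250-4256, 4335, 4344, 4345, 4419 and 4716 but omits RFC 4462, the GSS-API authentication and key exchange specification for SSH (also 2006), even though this same patch adds "GSSAPI-based authentication" to the method list and the package carries the gsskex patch named in the commit message; add an .Rs/.Re block for it. Replacing the "work in progress" draft-ietf-secsh-architecture-12 entry with RFC 4251 is correct, as that draft was published as RFC 4251.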