diff options
| author | Colin Watson <cjwatson@debian.org> | 2005-01-04 13:07:27 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2005-01-04 13:07:27 +0000 |
| commit | fd0f611b70a83d80fe8793af785542ee5541b7cd (patch) | |
| tree | bededd22bb7eeec52e20083237ab7e4113445a16 /ssh.1 | |
| parent | c44fe9a5b9d3db96a7249b04d915f17e4a3a3b04 (diff) | |
| parent | ebd2ce335af5861020c79fddb1ae35c03bf036cf (diff) | |
Merge 3.9p1 to the trunk.
Diffstat (limited to 'ssh.1')
| -rw-r--r-- | ssh.1 | 103 |
1 files changed, 84 insertions, 19 deletions
| @@ -34,7 +34,7 @@ | |||
| 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 36 | .\" | 36 | .\" |
| 37 | .\" $OpenBSD: ssh.1,v 1.182 2004/03/05 10:53:58 markus Exp $ | 37 | .\" $OpenBSD: ssh.1,v 1.194 2004/08/12 21:41:13 jakob Exp $ |
| 38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
| 39 | .Dt SSH 1 | 39 | .Dt SSH 1 |
| 40 | .Os | 40 | .Os |
| @@ -43,14 +43,14 @@ | |||
| 43 | .Nd OpenSSH SSH client (remote login program) | 43 | .Nd OpenSSH SSH client (remote login program) |
| 44 | .Sh SYNOPSIS | 44 | .Sh SYNOPSIS |
| 45 | .Nm ssh | 45 | .Nm ssh |
| 46 | .Op Fl 1246AaCfgkNnqsTtVvXxY | 46 | .Op Fl 1246AaCfgkMNnqsTtVvXxY |
| 47 | .Op Fl b Ar bind_address | 47 | .Op Fl b Ar bind_address |
| 48 | .Op Fl c Ar cipher_spec | 48 | .Op Fl c Ar cipher_spec |
| 49 | .Bk -words | ||
| 49 | .Op Fl D Ar port | 50 | .Op Fl D Ar port |
| 50 | .Op Fl e Ar escape_char | 51 | .Op Fl e Ar escape_char |
| 51 | .Op Fl F Ar configfile | 52 | .Op Fl F Ar configfile |
| 52 | .Op Fl i Ar identity_file | 53 | .Op Fl i Ar identity_file |
| 53 | .Bk -words | ||
| 54 | .Oo Fl L Xo | 54 | .Oo Fl L Xo |
| 55 | .Sm off | 55 | .Sm off |
| 56 | .Ar port : | 56 | .Ar port : |
| @@ -74,6 +74,7 @@ | |||
| 74 | .Sm on | 74 | .Sm on |
| 75 | .Xc | 75 | .Xc |
| 76 | .Oc | 76 | .Oc |
| 77 | .Op Fl S Ar ctl | ||
| 77 | .Oo Ar user Ns @ Oc Ns Ar hostname | 78 | .Oo Ar user Ns @ Oc Ns Ar hostname |
| 78 | .Op Ar command | 79 | .Op Ar command |
| 79 | .Sh DESCRIPTION | 80 | .Sh DESCRIPTION |
| @@ -241,8 +242,8 @@ Additionally, | |||
| 241 | supports hostbased or challenge response authentication. | 242 | supports hostbased or challenge response authentication. |
| 242 | .Pp | 243 | .Pp |
| 243 | Protocol 2 provides additional mechanisms for confidentiality | 244 | Protocol 2 provides additional mechanisms for confidentiality |
| 244 | (the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) | 245 | (the traffic is encrypted using AES, 3DES, Blowfish, CAST128 or Arcfour) |
| 245 | and integrity (hmac-md5, hmac-sha1). | 246 | and integrity (hmac-md5, hmac-sha1, hmac-ripemd160). |
| 246 | Note that protocol 1 lacks a strong mechanism for ensuring the | 247 | Note that protocol 1 lacks a strong mechanism for ensuring the |
| 247 | integrity of the connection. | 248 | integrity of the connection. |
| 248 | .Ss Login session and remote execution | 249 | .Ss Login session and remote execution |
| @@ -302,11 +303,18 @@ Display a list of escape characters. | |||
| 302 | Send a BREAK to the remote system | 303 | Send a BREAK to the remote system |
| 303 | (only useful for SSH protocol version 2 and if the peer supports it). | 304 | (only useful for SSH protocol version 2 and if the peer supports it). |
| 304 | .It Cm ~C | 305 | .It Cm ~C |
| 305 | Open command line (only useful for adding port forwardings using the | 306 | Open command line. |
| 307 | Currently this allows the addition of port forwardings using the | ||
| 306 | .Fl L | 308 | .Fl L |
| 307 | and | 309 | and |
| 308 | .Fl R | 310 | .Fl R |
| 309 | options). | 311 | options (see below). |
| 312 | It also allows the cancellation of existing remote port-forwardings | ||
| 313 | using | ||
| 314 | .Fl KR Ar hostport . | ||
| 315 | Basic help is available, using the | ||
| 316 | .Fl h | ||
| 317 | option. | ||
| 310 | .It Cm ~R | 318 | .It Cm ~R |
| 311 | Request rekeying of the connection | 319 | Request rekeying of the connection |
| 312 | (only useful for SSH protocol version 2 and if the peer supports it). | 320 | (only useful for SSH protocol version 2 and if the peer supports it). |
| @@ -392,6 +400,15 @@ The | |||
| 392 | option can be used to prevent logins to machines whose | 400 | option can be used to prevent logins to machines whose |
| 393 | host key is not known or has changed. | 401 | host key is not known or has changed. |
| 394 | .Pp | 402 | .Pp |
| 403 | .Nm | ||
| 404 | can be configured to verify host identification using fingerprint resource | ||
| 405 | records (SSHFP) published in DNS. | ||
| 406 | The | ||
| 407 | .Cm VerifyHostKeyDNS | ||
| 408 | option can be used to control how DNS lookups are performed. | ||
| 409 | SSHFP resource records can be generated using | ||
| 410 | .Xr ssh-keygen 1 . | ||
| 411 | .Pp | ||
| 395 | The options are as follows: | 412 | The options are as follows: |
| 396 | .Bl -tag -width Ds | 413 | .Bl -tag -width Ds |
| 397 | .It Fl 1 | 414 | .It Fl 1 |
| @@ -442,13 +459,18 @@ The default value can be set on a host-by-host basis in the | |||
| 442 | configuration files; see the | 459 | configuration files; see the |
| 443 | .Cm Compression | 460 | .Cm Compression |
| 444 | option. | 461 | option. |
| 445 | .It Fl c Ar blowfish | 3des | des | 462 | .It Fl c Ar cipher_spec |
| 446 | Selects the cipher to use for encrypting the session. | 463 | Selects the cipher specification for encrypting the session. |
| 447 | .Ar 3des | 464 | .Pp |
| 448 | is used by default. | 465 | Protocol version 1 allows specification of a single cipher. |
| 449 | It is believed to be secure. | 466 | The suported values are |
| 467 | .Dq 3des , | ||
| 468 | .Dq blowfish | ||
| 469 | and | ||
| 470 | .Dq des . | ||
| 450 | .Ar 3des | 471 | .Ar 3des |
| 451 | (triple-des) is an encrypt-decrypt-encrypt triple with three different keys. | 472 | (triple-des) is an encrypt-decrypt-encrypt triple with three different keys. |
| 473 | It is believed to be secure. | ||
| 452 | .Ar blowfish | 474 | .Ar blowfish |
| 453 | is a fast block cipher; it appears very secure and is much faster than | 475 | is a fast block cipher; it appears very secure and is much faster than |
| 454 | .Ar 3des . | 476 | .Ar 3des . |
| @@ -460,12 +482,30 @@ that do not support the | |||
| 460 | .Ar 3des | 482 | .Ar 3des |
| 461 | cipher. | 483 | cipher. |
| 462 | Its use is strongly discouraged due to cryptographic weaknesses. | 484 | Its use is strongly discouraged due to cryptographic weaknesses. |
| 463 | .It Fl c Ar cipher_spec | 485 | The default is |
| 464 | Additionally, for protocol version 2 a comma-separated list of ciphers can | 486 | .Dq 3des . |
| 465 | be specified in order of preference. | 487 | .Pp |
| 466 | See | 488 | For protocol version 2 |
| 467 | .Cm Ciphers | 489 | .Ar cipher_spec |
| 468 | for more information. | 490 | is a comma-separated list of ciphers |
| 491 | listed in order of preference. | ||
| 492 | The supported ciphers are | ||
| 493 | .Dq 3des-cbc , | ||
| 494 | .Dq aes128-cbc , | ||
| 495 | .Dq aes192-cbc , | ||
| 496 | .Dq aes256-cbc , | ||
| 497 | .Dq aes128-ctr , | ||
| 498 | .Dq aes192-ctr , | ||
| 499 | .Dq aes256-ctr , | ||
| 500 | .Dq arcfour , | ||
| 501 | .Dq blowfish-cbc , | ||
| 502 | and | ||
| 503 | .Dq cast128-cbc . | ||
| 504 | The default is | ||
| 505 | .Bd -literal | ||
| 506 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, | ||
| 507 | aes192-cbc,aes256-cbc'' | ||
| 508 | .Ed | ||
| 469 | .It Fl D Ar port | 509 | .It Fl D Ar port |
| 470 | Specifies a local | 510 | Specifies a local |
| 471 | .Dq dynamic | 511 | .Dq dynamic |
| @@ -568,6 +608,17 @@ IPv6 addresses can be specified with an alternative syntax: | |||
| 568 | .It Fl l Ar login_name | 608 | .It Fl l Ar login_name |
| 569 | Specifies the user to log in as on the remote machine. | 609 | Specifies the user to log in as on the remote machine. |
| 570 | This also may be specified on a per-host basis in the configuration file. | 610 | This also may be specified on a per-host basis in the configuration file. |
| 611 | .It Fl M | ||
| 612 | Places the | ||
| 613 | .Nm | ||
| 614 | client into | ||
| 615 | .Dq master | ||
| 616 | mode for connection sharing. | ||
| 617 | Refer to the description of | ||
| 618 | .Cm ControlMaster | ||
| 619 | in | ||
| 620 | .Xr ssh_config 5 | ||
| 621 | for details. | ||
| 571 | .It Fl m Ar mac_spec | 622 | .It Fl m Ar mac_spec |
| 572 | Additionally, for protocol version 2 a comma-separated list of MAC | 623 | Additionally, for protocol version 2 a comma-separated list of MAC |
| 573 | (message authentication code) algorithms can | 624 | (message authentication code) algorithms can |
| @@ -618,7 +669,9 @@ For full details of the options listed below, and their possible values, see | |||
| 618 | .It Compression | 669 | .It Compression |
| 619 | .It CompressionLevel | 670 | .It CompressionLevel |
| 620 | .It ConnectionAttempts | 671 | .It ConnectionAttempts |
| 621 | .It ConnectionTimeout | 672 | .It ConnectTimeout |
| 673 | .It ControlMaster | ||
| 674 | .It ControlPath | ||
| 622 | .It DynamicForward | 675 | .It DynamicForward |
| 623 | .It EscapeChar | 676 | .It EscapeChar |
| 624 | .It ForwardAgent | 677 | .It ForwardAgent |
| @@ -649,6 +702,7 @@ For full details of the options listed below, and their possible values, see | |||
| 649 | .It RemoteForward | 702 | .It RemoteForward |
| 650 | .It RhostsRSAAuthentication | 703 | .It RhostsRSAAuthentication |
| 651 | .It RSAAuthentication | 704 | .It RSAAuthentication |
| 705 | .It SendEnv | ||
| 652 | .It ServerAliveInterval | 706 | .It ServerAliveInterval |
| 653 | .It ServerAliveCountMax | 707 | .It ServerAliveCountMax |
| 654 | .It SmartcardDevice | 708 | .It SmartcardDevice |
| @@ -697,6 +751,15 @@ IPv6 addresses can be specified with an alternative syntax: | |||
| 697 | .Ar hostport . | 751 | .Ar hostport . |
| 698 | .Xc | 752 | .Xc |
| 699 | .Sm on | 753 | .Sm on |
| 754 | .It Fl S Ar ctl | ||
| 755 | Specifies the location of a control socket for connection sharing. | ||
| 756 | Refer to the description of | ||
| 757 | .Cm ControlPath | ||
| 758 | and | ||
| 759 | .Cm ControlMaster | ||
| 760 | in | ||
| 761 | .Xr ssh_config 5 | ||
| 762 | for details. | ||
| 700 | .It Fl s | 763 | .It Fl s |
| 701 | May be used to request invocation of a subsystem on the remote system. | 764 | May be used to request invocation of a subsystem on the remote system. |
| 702 | Subsystems are a feature of the SSH2 protocol which facilitate the use | 765 | Subsystems are a feature of the SSH2 protocol which facilitate the use |
| @@ -889,6 +952,8 @@ the convenience of the user. | |||
| 889 | This is the per-user configuration file. | 952 | This is the per-user configuration file. |
| 890 | The file format and configuration options are described in | 953 | The file format and configuration options are described in |
| 891 | .Xr ssh_config 5 . | 954 | .Xr ssh_config 5 . |
| 955 | Because of the potential for abuse, this file must have strict permissions: | ||
| 956 | read/write for the user, and not accessible by others. | ||
| 892 | .It Pa $HOME/.ssh/authorized_keys | 957 | .It Pa $HOME/.ssh/authorized_keys |
| 893 | Lists the public keys (RSA/DSA) that can be used for logging in as this user. | 958 | Lists the public keys (RSA/DSA) that can be used for logging in as this user. |
| 894 | The format of this file is described in the | 959 | The format of this file is described in the |