diff options
Diffstat (limited to 'ssh.0')
| -rw-r--r-- | ssh.0 | 56 |
1 files changed, 34 insertions, 22 deletions
| @@ -5,10 +5,10 @@ NAME | |||
| 5 | 5 | ||
| 6 | SYNOPSIS | 6 | SYNOPSIS |
| 7 | ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] | 7 | ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] |
| 8 | [-D [bind_address:]port] [-e escape_char] [-F configfile] | 8 | [-D [bind_address:]port] [-e escape_char] [-F configfile] [-I pkcs11] |
| 9 | [-i identity_file] [-L [bind_address:]port:host:hostport] | 9 | [-i identity_file] [-L [bind_address:]port:host:hostport] |
| 10 | [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] | 10 | [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] |
| 11 | [-R [bind_address:]port:host:hostport] [-S ctl_path] | 11 | [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port] |
| 12 | [-w local_tun[:remote_tun]] [user@]hostname [command] | 12 | [-w local_tun[:remote_tun]] [user@]hostname [command] |
| 13 | 13 | ||
| 14 | DESCRIPTION | 14 | DESCRIPTION |
| @@ -42,7 +42,7 @@ DESCRIPTION | |||
| 42 | 42 | ||
| 43 | Agent forwarding should be enabled with caution. Users with the | 43 | Agent forwarding should be enabled with caution. Users with the |
| 44 | ability to bypass file permissions on the remote host (for the | 44 | ability to bypass file permissions on the remote host (for the |
| 45 | agent's Unix-domain socket) can access the local agent through | 45 | agent's UNIX-domain socket) can access the local agent through |
| 46 | the forwarded connection. An attacker cannot obtain key material | 46 | the forwarded connection. An attacker cannot obtain key material |
| 47 | from the agent, however they can perform operations on the keys | 47 | from the agent, however they can perform operations on the keys |
| 48 | that enable them to authenticate using the identities loaded into | 48 | that enable them to authenticate using the identities loaded into |
| @@ -131,11 +131,9 @@ DESCRIPTION | |||
| 131 | 131 | ||
| 132 | -g Allows remote hosts to connect to local forwarded ports. | 132 | -g Allows remote hosts to connect to local forwarded ports. |
| 133 | 133 | ||
| 134 | -I smartcard_device | 134 | -I pkcs11 |
| 135 | Specify the device ssh should use to communicate with a smartcard | 135 | Specify the PKCS#11 shared library ssh should use to communicate |
| 136 | used for storing the user's private RSA key. This option is only | 136 | with a PKCS#11 token providing the user's private RSA key. |
| 137 | available if support for smartcard devices is compiled in (de- | ||
| 138 | fault is no support). | ||
| 139 | 137 | ||
| 140 | -i identity_file | 138 | -i identity_file |
| 141 | Selects a file from which the identity (private key) for RSA or | 139 | Selects a file from which the identity (private key) for RSA or |
| @@ -144,7 +142,9 @@ DESCRIPTION | |||
| 144 | tocol version 2. Identity files may also be specified on a per- | 142 | tocol version 2. Identity files may also be specified on a per- |
| 145 | host basis in the configuration file. It is possible to have | 143 | host basis in the configuration file. It is possible to have |
| 146 | multiple -i options (and multiple identities specified in config- | 144 | multiple -i options (and multiple identities specified in config- |
| 147 | uration files). | 145 | uration files). ssh will also try to load certificate informa- |
| 146 | tion from the filename obtained by appending -cert.pub to identi- | ||
| 147 | ty filenames. | ||
| 148 | 148 | ||
| 149 | -K Enables GSSAPI-based authentication and forwarding (delegation) | 149 | -K Enables GSSAPI-based authentication and forwarding (delegation) |
| 150 | of GSSAPI credentials to the server. | 150 | of GSSAPI credentials to the server. |
| @@ -252,6 +252,7 @@ DESCRIPTION | |||
| 252 | NumberOfPasswordPrompts | 252 | NumberOfPasswordPrompts |
| 253 | PasswordAuthentication | 253 | PasswordAuthentication |
| 254 | PermitLocalCommand | 254 | PermitLocalCommand |
| 255 | PKCS11Provider | ||
| 255 | Port | 256 | Port |
| 256 | PreferredAuthentications | 257 | PreferredAuthentications |
| 257 | Protocol | 258 | Protocol |
| @@ -264,7 +265,6 @@ DESCRIPTION | |||
| 264 | SendEnv | 265 | SendEnv |
| 265 | ServerAliveInterval | 266 | ServerAliveInterval |
| 266 | ServerAliveCountMax | 267 | ServerAliveCountMax |
| 267 | SmartcardDevice | ||
| 268 | StrictHostKeyChecking | 268 | StrictHostKeyChecking |
| 269 | TCPKeepAlive | 269 | TCPKeepAlive |
| 270 | Tunnel | 270 | Tunnel |
| @@ -332,6 +332,12 @@ DESCRIPTION | |||
| 332 | tion, and configuration problems. Multiple -v options increase | 332 | tion, and configuration problems. Multiple -v options increase |
| 333 | the verbosity. The maximum is 3. | 333 | the verbosity. The maximum is 3. |
| 334 | 334 | ||
| 335 | -W host:port | ||
| 336 | Requests that standard input and output on the client be forward- | ||
| 337 | ed to host on port over the secure channel. Implies -N, -T, | ||
| 338 | ExitOnForwardFailure and ClearAllForwardings and works with Pro- | ||
| 339 | tocol version 2 only. | ||
| 340 | |||
| 335 | -w local_tun[:remote_tun] | 341 | -w local_tun[:remote_tun] |
| 336 | Requests tunnel device forwarding with the specified tun(4) de- | 342 | Requests tunnel device forwarding with the specified tun(4) de- |
| 337 | vices between the client (local_tun) and the server (remote_tun). | 343 | vices between the client (local_tun) and the server (remote_tun). |
| @@ -373,15 +379,14 @@ DESCRIPTION | |||
| 373 | error occurred. | 379 | error occurred. |
| 374 | 380 | ||
| 375 | AUTHENTICATION | 381 | AUTHENTICATION |
| 376 | The OpenSSH SSH client supports SSH protocols 1 and 2. Protocol 2 is the | 382 | The OpenSSH SSH client supports SSH protocols 1 and 2. The default is to |
| 377 | default, with ssh falling back to protocol 1 if it detects protocol 2 is | 383 | use protocol 2 only, though this can be changed via the Protocol option |
| 378 | unsupported. These settings may be altered using the Protocol option in | 384 | in ssh_config(5) or the -1 and -2 options (see above). Both protocols |
| 379 | ssh_config(5), or enforced using the -1 and -2 options (see above). Both | 385 | support similar authentication methods, but protocol 2 is the default |
| 380 | protocols support similar authentication methods, but protocol 2 is pre- | 386 | since it provides additional mechanisms for confidentiality (the traffic |
| 381 | ferred since it provides additional mechanisms for confidentiality (the | 387 | is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and integri- |
| 382 | traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and | 388 | ty (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160). Protocol 1 lacks a |
| 383 | integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160). Protocol 1 | 389 | strong mechanism for ensuring the integrity of the connection. |
| 384 | lacks a strong mechanism for ensuring the integrity of the connection. | ||
| 385 | 390 | ||
| 386 | The methods available for authentication are: GSSAPI-based authentica- | 391 | The methods available for authentication are: GSSAPI-based authentica- |
| 387 | tion, host-based authentication, public key authentication, challenge-re- | 392 | tion, host-based authentication, public key authentication, challenge-re- |
| @@ -431,8 +436,15 @@ AUTHENTICATION | |||
| 431 | though the lines can be very long. After this, the user can log in with- | 436 | though the lines can be very long. After this, the user can log in with- |
| 432 | out giving the password. | 437 | out giving the password. |
| 433 | 438 | ||
| 434 | The most convenient way to use public key authentication may be with an | 439 | A variation on public key authentication is available in the form of cer- |
| 435 | authentication agent. See ssh-agent(1) for more information. | 440 | tificate authentication: instead of a set of public/private keys, signed |
| 441 | certificates are used. This has the advantage that a single trusted cer- | ||
| 442 | tification authority can be used in place of many public/private keys. | ||
| 443 | See the CERTIFICATES section of ssh-keygen(1) for more information. | ||
| 444 | |||
| 445 | The most convenient way to use public key or certificate authentication | ||
| 446 | may be with an authentication agent. See ssh-agent(1) for more informa- | ||
| 447 | tion. | ||
| 436 | 448 | ||
| 437 | Challenge-response authentication works as follows: The server sends an | 449 | Challenge-response authentication works as follows: The server sends an |
| 438 | arbitrary "challenge" text, and prompts for a response. Protocol 2 al- | 450 | arbitrary "challenge" text, and prompts for a response. Protocol 2 al- |
| @@ -864,4 +876,4 @@ AUTHORS | |||
| 864 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 876 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
| 865 | versions 1.5 and 2.0. | 877 | versions 1.5 and 2.0. |
| 866 | 878 | ||
| 867 | OpenBSD 4.6 March 19, 2009 14 | 879 | OpenBSD 4.6 March 5, 2010 14 |