Diffstat (limited to 'ssh.0')
-rw-r--r--  ssh.0  484
1 file changed, 239 insertions, 245 deletions
@@ -1,123 +1,120 @@ | |||
1 | SSH(1) BSD General Commands Manual SSH(1) | 1 | SSH(1) BSD General Commands Manual SSH(1) |
2 | 2 | ||
3 | ^[[1mNAME^[[0m | 3 | NAME |
4 | ^[[1mssh ^[[22mM-bMM-^R OpenSSH SSH client (remote login program) | 4 | ssh - OpenSSH SSH client (remote login program) |
5 | 5 | ||
6 | ^[[1mSYNOPSIS^[[0m | 6 | SYNOPSIS |
7 | ^[[1mssh ^[[22m[^[[1mM-bMM-^Rl ^[[4m^[[22mlogin_name^[[24m] ^[[4mhostname^[[24m | ^[[4muser@hostname^[[24m [^[[4mcommand^[[24m] | 7 | ssh [-l login_name] hostname | user@hostname [command] |
8 | 8 | ||
9 | ^[[1mssh ^[[22m[^[[1mM-bMM-^RafgknqstvxACNTX1246^[[22m] [^[[1mM-bMM-^Rb ^[[4m^[[22mbind_address^[[24m] [^[[1mM-bMM-^Rc ^[[4m^[[22mcipher_spec^[[24m] | 9 | ssh [-afgknqstvxACNTX1246] [-b bind_address] [-c cipher_spec] |
10 | [^[[1mM-bMM-^Re ^[[4m^[[22mescape_char^[[24m] [^[[1mM-bMM-^Ri ^[[4m^[[22midentity_file^[[24m] [^[[1mM-bMM-^Rl ^[[4m^[[22mlogin_name^[[24m] [^[[1mM-bMM-^Rm ^[[4m^[[22mmac_spec^[[24m] | 10 | [-e escape_char] [-i identity_file] [-l login_name] [-m mac_spec] |
11 | [^[[1mM-bMM-^Ro ^[[4m^[[22moption^[[24m] [^[[1mM-bMM-^Rp ^[[4m^[[22mport^[[24m] [^[[1mM-bMM-^RF ^[[4m^[[22mconfigfile^[[24m] [^[[1mM-bMM-^RL ^[[4m^[[22mport^[[24m:^[[4mhost^[[24m:^[[4mhostport^[[24m] | 11 | [-o option] [-p port] [-F configfile] [-L port:host:hostport] |
12 | [^[[1mM-bMM-^RR ^[[4m^[[22mport^[[24m:^[[4mhost^[[24m:^[[4mhostport^[[24m] [^[[1mM-bMM-^RD ^[[4m^[[22mport^[[24m] ^[[4mhostname^[[24m | ^[[4muser@hostname^[[24m [^[[4mcommand^[[24m] | 12 | [-R port:host:hostport] [-D port] hostname | user@hostname [command] |
13 | 13 | ||
14 | ^[[1mDESCRIPTION^[[0m | 14 | DESCRIPTION |
15 | ^[[1mssh ^[[22m(SSH client) is a program for logging into a remote machine and for | 15 | ssh (SSH client) is a program for logging into a remote machine and for |
16 | executing commands on a remote machine. It is intended to replace rlogin | 16 | executing commands on a remote machine. It is intended to replace rlogin |
17 | and rsh, and provide secure encrypted communications between two | 17 | and rsh, and provide secure encrypted communications between two |
18 | untrusted hosts over an insecure network. X11 connections and arbitrary | 18 | untrusted hosts over an insecure network. X11 connections and arbitrary |
19 | TCP/IP ports can also be forwarded over the secure channel. | 19 | TCP/IP ports can also be forwarded over the secure channel. |
20 | 20 | ||
21 | ^[[1mssh ^[[22mconnects and logs into the specified ^[[4mhostname^[[24m. The user must prove | 21 | ssh connects and logs into the specified hostname. The user must prove |
22 | his/her identity to the remote machine using one of several methods | 22 | his/her identity to the remote machine using one of several methods |
23 | depending on the protocol version used: | 23 | depending on the protocol version used: |
24 | 24 | ||
25 | ^[[1mSSH protocol version 1^[[0m | 25 | SSH protocol version 1 |
26 | 26 | First, if the machine the user logs in from is listed in /etc/hosts.equiv | |
27 | First, if the machine the user logs in from is listed in ^[[4m/etc/hosts.equiv^[[0m | 27 | or /etc/shosts.equiv on the remote machine, and the user names are the |
28 | or ^[[4m/etc/shosts.equiv^[[24m on the remote machine, and the user names are the | ||
29 | same on both sides, the user is immediately permitted to log in. Second, | 28 | same on both sides, the user is immediately permitted to log in. Second, |
30 | if ^[[4m.rhosts^[[24m or ^[[4m.shosts^[[24m exists in the userM-bM-^@M-^Ys home directory on the remote | 29 | if .rhosts or .shosts exists in the userM-bM-^@M-^Ys home directory on the remote |
31 | machine and contains a line containing the name of the client machine and | 30 | machine and contains a line containing the name of the client machine and |
32 | the name of the user on that machine, the user is permitted to log in. | 31 | the name of the user on that machine, the user is permitted to log in. |
33 | This form of authentication alone is normally not allowed by the server | 32 | This form of authentication alone is normally not allowed by the server |
34 | because it is not secure. | 33 | because it is not secure. |
35 | 34 | ||
36 | The second authentication method is the ^[[4mrhosts^[[24m or ^[[4mhosts.equiv^[[24m method comM-bM-^@M-^P | 35 | The second authentication method is the rhosts or hosts.equiv method com- |
37 | bined with RSAM-bM-^@M-^Pbased host authentication. It means that if the login | 36 | bined with RSA-based host authentication. It means that if the login |
38 | would be permitted by ^[[4m$HOME/.rhosts^[[24m, ^[[4m$HOME/.shosts^[[24m, ^[[4m/etc/hosts.equiv^[[24m, or | 37 | would be permitted by $HOME/.rhosts, $HOME/.shosts, /etc/hosts.equiv, or |
39 | ^[[4m/etc/shosts.equiv^[[24m, and if additionally the server can verify the clientM-bM-^@M-^Ys | 38 | /etc/shosts.equiv, and if additionally the server can verify the clientM-bM-^@M-^Ys |
40 | host key (see ^[[4m/etc/ssh/ssh_known_hosts^[[24m and ^[[4m$HOME/.ssh/known_hosts^[[24m in the | 39 | host key (see /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts in the |
41 | ^[[4mFILES^[[24m section), only then login is permitted. This authentication method | 40 | FILES section), only then login is permitted. This authentication method |
42 | closes security holes due to IP spoofing, DNS spoofing and routing spoofM-bM-^@M-^P | 41 | closes security holes due to IP spoofing, DNS spoofing and routing spoof- |
43 | ing. [Note to the administrator: ^[[4m/etc/hosts.equiv^[[24m, ^[[4m$HOME/.rhosts^[[24m, and | 42 | ing. [Note to the administrator: /etc/hosts.equiv, $HOME/.rhosts, and |
44 | the rlogin/rsh protocol in general, are inherently insecure and should be | 43 | the rlogin/rsh protocol in general, are inherently insecure and should be |
45 | disabled if security is desired.] | 44 | disabled if security is desired.] |
46 | 45 | ||
47 | As a third authentication method, ^[[1mssh ^[[22msupports RSA based authentication. | 46 | As a third authentication method, ssh supports RSA based authentication. |
48 | The scheme is based on publicM-bM-^@M-^Pkey cryptography: there are cryptosystems | 47 | The scheme is based on public-key cryptography: there are cryptosystems |
49 | where encryption and decryption are done using separate keys, and it is | 48 | where encryption and decryption are done using separate keys, and it is |
50 | not possible to derive the decryption key from the encryption key. RSA | 49 | not possible to derive the decryption key from the encryption key. RSA |
51 | is one such system. The idea is that each user creates a public/private | 50 | is one such system. The idea is that each user creates a public/private |
52 | key pair for authentication purposes. The server knows the public key, | 51 | key pair for authentication purposes. The server knows the public key, |
53 | and only the user knows the private key. The file | 52 | and only the user knows the private key. The file |
54 | ^[[4m$HOME/.ssh/authorized_keys^[[24m lists the public keys that are permitted for | 53 | $HOME/.ssh/authorized_keys lists the public keys that are permitted for |
55 | logging in. When the user logs in, the ^[[1mssh ^[[22mprogram tells the server | 54 | logging in. When the user logs in, the ssh program tells the server |
56 | which key pair it would like to use for authentication. The server | 55 | which key pair it would like to use for authentication. The server |
57 | checks if this key is permitted, and if so, sends the user (actually the | 56 | checks if this key is permitted, and if so, sends the user (actually the |
58 | ^[[1mssh ^[[22mprogram running on behalf of the user) a challenge, a random number, | 57 | ssh program running on behalf of the user) a challenge, a random number, |
59 | encrypted by the userM-bM-^@M-^Ys public key. The challenge can only be decrypted | 58 | encrypted by the userM-bM-^@M-^Ys public key. The challenge can only be decrypted |
60 | using the proper private key. The userM-bM-^@M-^Ys client then decrypts the chalM-bM-^@M-^P | 59 | using the proper private key. The userM-bM-^@M-^Ys client then decrypts the chal- |
61 | lenge using the private key, proving that he/she knows the private key | 60 | lenge using the private key, proving that he/she knows the private key |
62 | but without disclosing it to the server. | 61 | but without disclosing it to the server. |
63 | 62 | ||
64 | ^[[1mssh ^[[22mimplements the RSA authentication protocol automatically. The user | 63 | ssh implements the RSA authentication protocol automatically. The user |
65 | creates his/her RSA key pair by running sshM-bM-^@M-^Pkeygen(1). This stores the | 64 | creates his/her RSA key pair by running ssh-keygen(1). This stores the |
66 | private key in ^[[4m$HOME/.ssh/identity^[[24m and the public key in | 65 | private key in $HOME/.ssh/identity and the public key in |
67 | ^[[4m$HOME/.ssh/identity.pub^[[24m in the userM-bM-^@M-^Ys home directory. The user should | 66 | $HOME/.ssh/identity.pub in the userM-bM-^@M-^Ys home directory. The user should |
68 | then copy the ^[[4midentity.pub^[[24m to ^[[4m$HOME/.ssh/authorized_keys^[[24m in his/her home | 67 | then copy the identity.pub to $HOME/.ssh/authorized_keys in his/her home |
69 | directory on the remote machine (the ^[[4mauthorized_keys^[[24m file corresponds to | 68 | directory on the remote machine (the authorized_keys file corresponds to |
70 | the conventional ^[[4m$HOME/.rhosts^[[24m file, and has one key per line, though the | 69 | the conventional $HOME/.rhosts file, and has one key per line, though the |
71 | lines can be very long). After this, the user can log in without giving | 70 | lines can be very long). After this, the user can log in without giving |
72 | the password. RSA authentication is much more secure than rhosts authenM-bM-^@M-^P | 71 | the password. RSA authentication is much more secure than rhosts authen- |
73 | tication. | 72 | tication. |
74 | 73 | ||
75 | The most convenient way to use RSA authentication may be with an authenM-bM-^@M-^P | 74 | The most convenient way to use RSA authentication may be with an authen- |
76 | tication agent. See sshM-bM-^@M-^Pagent(1) for more information. | 75 | tication agent. See ssh-agent(1) for more information. |
77 | 76 | ||
78 | If other authentication methods fail, ^[[1mssh ^[[22mprompts the user for a passM-bM-^@M-^P | 77 | If other authentication methods fail, ssh prompts the user for a pass- |
79 | word. The password is sent to the remote host for checking; however, | 78 | word. The password is sent to the remote host for checking; however, |
80 | since all communications are encrypted, the password cannot be seen by | 79 | since all communications are encrypted, the password cannot be seen by |
81 | someone listening on the network. | 80 | someone listening on the network. |
82 | 81 | ||
83 | ^[[1mSSH protocol version 2^[[0m | 82 | SSH protocol version 2 |
84 | |||
85 | When a user connects using protocol version 2 similar authentication | 83 | When a user connects using protocol version 2 similar authentication |
86 | methods are available. Using the default values for | 84 | methods are available. Using the default values for |
87 | ^[[1mPreferredAuthentications^[[22m, the client will try to authenticate first using | 85 | PreferredAuthentications, the client will try to authenticate first using |
88 | the hostbased method; if this method fails public key authentication is | 86 | the hostbased method; if this method fails public key authentication is |
89 | attempted, and finally if this method fails keyboardM-bM-^@M-^Pinteractive and | 87 | attempted, and finally if this method fails keyboard-interactive and |
90 | password authentication are tried. | 88 | password authentication are tried. |
91 | 89 | ||
92 | The public key method is similar to RSA authentication described in the | 90 | The public key method is similar to RSA authentication described in the |
93 | previous section and allows the RSA or DSA algorithm to be used: The | 91 | previous section and allows the RSA or DSA algorithm to be used: The |
94 | client uses his private key, ^[[4m$HOME/.ssh/id_dsa^[[24m or ^[[4m$HOME/.ssh/id_rsa^[[24m, to | 92 | client uses his private key, $HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa, to |
95 | sign the session identifier and sends the result to the server. The | 93 | sign the session identifier and sends the result to the server. The |
96 | server checks whether the matching public key is listed in | 94 | server checks whether the matching public key is listed in |
97 | ^[[4m$HOME/.ssh/authorized_keys^[[24m and grants access if both the key is found and | 95 | $HOME/.ssh/authorized_keys and grants access if both the key is found and |
98 | the signature is correct. The session identifier is derived from a | 96 | the signature is correct. The session identifier is derived from a |
99 | shared DiffieM-bM-^@M-^PHellman value and is only known to the client and the | 97 | shared Diffie-Hellman value and is only known to the client and the |
100 | server. | 98 | server. |
101 | 99 | ||
102 | If public key authentication fails or is not available a password can be | 100 | If public key authentication fails or is not available a password can be |
103 | sent encrypted to the remote host for proving the userM-bM-^@M-^Ys identity. | 101 | sent encrypted to the remote host for proving the userM-bM-^@M-^Ys identity. |
104 | 102 | ||
105 | Additionally, ^[[1mssh ^[[22msupports hostbased or challenge response authenticaM-bM-^@M-^P | 103 | Additionally, ssh supports hostbased or challenge response authentica- |
106 | tion. | 104 | tion. |
107 | 105 | ||
108 | Protocol 2 provides additional mechanisms for confidentiality (the trafM-bM-^@M-^P | 106 | Protocol 2 provides additional mechanisms for confidentiality (the traf- |
109 | fic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) and integrity | 107 | fic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) and integrity |
110 | (hmacM-bM-^@M-^Pmd5, hmacM-bM-^@M-^Psha1). Note that protocol 1 lacks a strong mechanism for | 108 | (hmac-md5, hmac-sha1). Note that protocol 1 lacks a strong mechanism for |
111 | ensuring the integrity of the connection. | 109 | ensuring the integrity of the connection. |
112 | 110 | ||
113 | ^[[1mLogin session and remote execution^[[0m | 111 | Login session and remote execution |
114 | |||
115 | When the userM-bM-^@M-^Ys identity has been accepted by the server, the server | 112 | When the userM-bM-^@M-^Ys identity has been accepted by the server, the server |
116 | either executes the given command, or logs into the machine and gives the | 113 | either executes the given command, or logs into the machine and gives the |
117 | user a normal shell on the remote machine. All communication with the | 114 | user a normal shell on the remote machine. All communication with the |
118 | remote command or shell will be automatically encrypted. | 115 | remote command or shell will be automatically encrypted. |
119 | 116 | ||
120 | If a pseudoM-bM-^@M-^Pterminal has been allocated (normal login session), the user | 117 | If a pseudo-terminal has been allocated (normal login session), the user |
121 | may use the escape characters noted below. | 118 | may use the escape characters noted below. |
122 | 119 | ||
123 | If no pseudo tty has been allocated, the session is transparent and can | 120 | If no pseudo tty has been allocated, the session is transparent and can |
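Review bot: the regenerated text in this hunk is still not ASCII-clean: every "user's" on the right side (new lines 29, 38, 58, 59, 66, 101 and 112) keeps `M-bM-^@M-^Ys`, which is the cat -v rendering of the UTF-8 bytes E2 80 99 (U+2019, right single quotation mark), and the old column carried exactly the same bytes there, so the conversion only touched one character class. What did get converted is the SGR escapes (`^[[1m`, `^[[22m`, `^[[4m`, `^[[24m`, `^[[0m`) and the multibyte dash characters (`M-bMM-^R` in front of every option letter in the SYNOPSIS, `M-bM-^@M-^P` in `comM-bM-^@M-^P`/`bined`, `RSAM-bM-^@M-^Pbased`, `DiffieM-bM-^@M-^PHellman`), which now come out as plain `-`. If the point of the change is a pre-formatted page that is readable on a system with neither a roff formatter nor a UTF-8 terminal, generate it in the ASCII output mode of whatever formatter produced this so the quotes become `'` and `"` as well, then confirm with `LC_ALL=C grep -n '[^ -~]' ssh.0`, which should print nothing.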
@@ -126,65 +123,63 @@ SSH(1) BSD General Commands Manual SSH(1) | |||
126 | a tty is used. | 123 | a tty is used. |
127 | 124 | ||
128 | The session terminates when the command or shell on the remote machine | 125 | The session terminates when the command or shell on the remote machine |
129 | exits and all X11 and TCP/IP connections have been closed. The exit staM-bM-^@M-^P | 126 | exits and all X11 and TCP/IP connections have been closed. The exit sta- |
130 | tus of the remote program is returned as the exit status of ^[[1mssh^[[22m. | 127 | tus of the remote program is returned as the exit status of ssh. |
131 | 128 | ||
132 | ^[[1mEscape Characters^[[0m | 129 | Escape Characters |
133 | 130 | When a pseudo terminal has been requested, ssh supports a number of func- | |
134 | When a pseudo terminal has been requested, ssh supports a number of funcM-bM-^@M-^P | ||
135 | tions through the use of an escape character. | 131 | tions through the use of an escape character. |
136 | 132 | ||
137 | A single tilde character can be sent as ^[[1m~~ ^[[22mor by following the tilde by a | 133 | A single tilde character can be sent as ~~ or by following the tilde by a |
138 | character other than those described below. The escape character must | 134 | character other than those described below. The escape character must |
139 | always follow a newline to be interpreted as special. The escape characM-bM-^@M-^P | 135 | always follow a newline to be interpreted as special. The escape charac- |
140 | ter can be changed in configuration files using the ^[[1mEscapeChar ^[[22mconfiguraM-bM-^@M-^P | 136 | ter can be changed in configuration files using the EscapeChar configura- |
141 | tion directive or on the command line by the ^[[1mM-bMM-^Re ^[[22moption. | 137 | tion directive or on the command line by the -e option. |
142 | 138 | ||
143 | The supported escapes (assuming the default M-bM-^@M-^X~M-bM-^@M-^Y) are: | 139 | The supported escapes (assuming the default M-bM-^@M-^X~M-bM-^@M-^Y) are: |
144 | 140 | ||
145 | ^[[1m~. ^[[22mDisconnect | 141 | ~. Disconnect |
146 | 142 | ||
147 | ^[[1m~^Z ^[[22mBackground ssh | 143 | ~^Z Background ssh |
148 | 144 | ||
149 | ^[[1m~# ^[[22mList forwarded connections | 145 | ~# List forwarded connections |
150 | 146 | ||
151 | ^[[1m~& ^[[22mBackground ssh at logout when waiting for forwarded connection / | 147 | ~& Background ssh at logout when waiting for forwarded connection / |
152 | X11 sessions to terminate | 148 | X11 sessions to terminate |
153 | 149 | ||
154 | ^[[1m~? ^[[22mDisplay a list of escape characters | 150 | ~? Display a list of escape characters |
155 | 151 | ||
156 | ^[[1m~C ^[[22mOpen command line (only useful for adding port forwardings using | 152 | ~C Open command line (only useful for adding port forwardings using |
157 | the ^[[1mM-bMM-^RL ^[[22mand ^[[1mM-bMM-^RR ^[[22moptions) | 153 | the -L and -R options) |
158 | 154 | ||
159 | ^[[1m~R ^[[22mRequest rekeying of the connection (only useful for SSH protocol | 155 | ~R Request rekeying of the connection (only useful for SSH protocol |
160 | version 2 and if the peer supports it) | 156 | version 2 and if the peer supports it) |
161 | 157 | ||
162 | ^[[1mX11 and TCP forwarding^[[0m | 158 | X11 and TCP forwarding |
163 | 159 | If the ForwardX11 variable is set to M-bM-^@M-^\yesM-bM-^@M-^] (or, see the description of | |
164 | If the ^[[1mForwardX11 ^[[22mvariable is set to M-bM-^@M-^\yesM-bM-^@M-^] (or, see the description of | 160 | the -X and -x options described later) and the user is using X11 (the |
165 | the ^[[1mM-bMM-^RX ^[[22mand ^[[1mM-bMM-^Rx ^[[22moptions described later) and the user is using X11 (the | ||
166 | DISPLAY environment variable is set), the connection to the X11 display | 161 | DISPLAY environment variable is set), the connection to the X11 display |
167 | is automatically forwarded to the remote side in such a way that any X11 | 162 | is automatically forwarded to the remote side in such a way that any X11 |
168 | programs started from the shell (or command) will go through the | 163 | programs started from the shell (or command) will go through the |
169 | encrypted channel, and the connection to the real X server will be made | 164 | encrypted channel, and the connection to the real X server will be made |
170 | from the local machine. The user should not manually set DISPLAY. ForM-bM-^@M-^P | 165 | from the local machine. The user should not manually set DISPLAY. For- |
171 | warding of X11 connections can be configured on the command line or in | 166 | warding of X11 connections can be configured on the command line or in |
172 | configuration files. | 167 | configuration files. |
173 | 168 | ||
174 | The DISPLAY value set by ^[[1mssh ^[[22mwill point to the server machine, but with a | 169 | The DISPLAY value set by ssh will point to the server machine, but with a |
175 | display number greater than zero. This is normal, and happens because | 170 | display number greater than zero. This is normal, and happens because |
176 | ^[[1mssh ^[[22mcreates a M-bM-^@M-^\proxyM-bM-^@M-^] X server on the server machine for forwarding the | 171 | ssh creates a M-bM-^@M-^\proxyM-bM-^@M-^] X server on the server machine for forwarding the |
177 | connections over the encrypted channel. | 172 | connections over the encrypted channel. |
178 | 173 | ||
179 | ^[[1mssh ^[[22mwill also automatically set up Xauthority data on the server machine. | 174 | ssh will also automatically set up Xauthority data on the server machine. |
180 | For this purpose, it will generate a random authorization cookie, store | 175 | For this purpose, it will generate a random authorization cookie, store |
181 | it in Xauthority on the server, and verify that any forwarded connections | 176 | it in Xauthority on the server, and verify that any forwarded connections |
182 | carry this cookie and replace it by the real cookie when the connection | 177 | carry this cookie and replace it by the real cookie when the connection |
183 | is opened. The real authentication cookie is never sent to the server | 178 | is opened. The real authentication cookie is never sent to the server |
184 | machine (and no cookies are sent in the plain). | 179 | machine (and no cookies are sent in the plain). |
185 | 180 | ||
186 | If the ^[[1mForwardAgent ^[[22mvariable is set to M-bM-^@M-^\yesM-bM-^@M-^] (or, see the description of | 181 | If the ForwardAgent variable is set to M-bM-^@M-^\yesM-bM-^@M-^] (or, see the description of |
187 | the ^[[1mM-bMM-^RA ^[[22mand ^[[1mM-bMM-^Ra ^[[22moptions described later) and the user is using an authentiM-bM-^@M-^P | 182 | the -A and -a options described later) and the user is using an authenti- |
188 | cation agent, the connection to the agent is automatically forwarded to | 183 | cation agent, the connection to the agent is automatically forwarded to |
189 | the remote side. | 184 | the remote side. |
190 | 185 | ||
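Review bot: besides the byte-level cleanup this hunk also changes layout, and nothing on the page says where that comes from. The blank line that followed each subsection heading in the old output is dropped: old 132-134 (`Escape Characters`, blank, `When a pseudo terminal has been requested...`) becomes new 129-130 with no blank, old 162-164 (`X11 and TCP forwarding`, blank, `If the ForwardX11 variable...`) becomes new 158-159, and the first hunk does the same after `SSH protocol version 1` and `SSH protocol version 2`. Neither the diffstat nor the hunks record which formatter and flags produced the new ssh.0, so a reader cannot tell whether this is a different mdoc implementation (or version) or an edit to ssh.1. Put the exact generation command in the commit message so the next regeneration is reproducible and so a layout-only difference like this can be told apart from a source change.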
@@ -193,144 +188,143 @@ SSH(1) BSD General Commands Manual SSH(1) | |||
193 | possible application of TCP/IP forwarding is a secure connection to an | 188 | possible application of TCP/IP forwarding is a secure connection to an |
194 | electronic purse; another is going through firewalls. | 189 | electronic purse; another is going through firewalls. |
195 | 190 | ||
196 | ^[[1mServer authentication^[[0m | 191 | Server authentication |
197 | 192 | ssh automatically maintains and checks a database containing identifica- | |
198 | ^[[1mssh ^[[22mautomatically maintains and checks a database containing identificaM-bM-^@M-^P | ||
199 | tions for all hosts it has ever been used with. Host keys are stored in | 193 | tions for all hosts it has ever been used with. Host keys are stored in |
200 | ^[[4m$HOME/.ssh/known_hosts^[[24m in the userM-bM-^@M-^Ys home directory. Additionally, the | 194 | $HOME/.ssh/known_hosts in the userM-bM-^@M-^Ys home directory. Additionally, the |
201 | file ^[[4m/etc/ssh/ssh_known_hosts^[[24m is automatically checked for known hosts. | 195 | file /etc/ssh/ssh_known_hosts is automatically checked for known hosts. |
202 | Any new hosts are automatically added to the userM-bM-^@M-^Ys file. If a hostM-bM-^@M-^Ys | 196 | Any new hosts are automatically added to the userM-bM-^@M-^Ys file. If a hostM-bM-^@M-^Ys |
203 | identification ever changes, ^[[1mssh ^[[22mwarns about this and disables password | 197 | identification ever changes, ssh warns about this and disables password |
204 | authentication to prevent a trojan horse from getting the userM-bM-^@M-^Ys passM-bM-^@M-^P | 198 | authentication to prevent a trojan horse from getting the userM-bM-^@M-^Ys pass- |
205 | word. Another purpose of this mechanism is to prevent manM-bM-^@M-^PinM-bM-^@M-^PtheM-bM-^@M-^Pmiddle | 199 | word. Another purpose of this mechanism is to prevent man-in-the-middle |
206 | attacks which could otherwise be used to circumvent the encryption. The | 200 | attacks which could otherwise be used to circumvent the encryption. The |
207 | ^[[1mStrictHostKeyChecking ^[[22moption can be used to prevent logins to machines | 201 | StrictHostKeyChecking option can be used to prevent logins to machines |
208 | whose host key is not known or has changed. | 202 | whose host key is not known or has changed. |
209 | 203 | ||
210 | The options are as follows: | 204 | The options are as follows: |
211 | 205 | ||
212 | ^[[1mM-bMM-^Ra ^[[22mDisables forwarding of the authentication agent connection. | 206 | -a Disables forwarding of the authentication agent connection. |
213 | 207 | ||
214 | ^[[1mM-bMM-^RA ^[[22mEnables forwarding of the authentication agent connection. This | 208 | -A Enables forwarding of the authentication agent connection. This |
215 | can also be specified on a perM-bM-^@M-^Phost basis in a configuration | 209 | can also be specified on a per-host basis in a configuration |
216 | file. | 210 | file. |
217 | 211 | ||
218 | Agent forwarding should be enabled with caution. Users with the | 212 | Agent forwarding should be enabled with caution. Users with the |
219 | ability to bypass file permissions on the remote host (for the | 213 | ability to bypass file permissions on the remote host (for the |
220 | agentM-bM-^@M-^Ys UnixM-bM-^@M-^Pdomain socket) can access the local agent through | 214 | agentM-bM-^@M-^Ys Unix-domain socket) can access the local agent through |
221 | the forwarded connection. An attacker cannot obtain key material | 215 | the forwarded connection. An attacker cannot obtain key material |
222 | from the agent, however they can perform operations on the keys | 216 | from the agent, however they can perform operations on the keys |
223 | that enable them to authenticate using the identities loaded into | 217 | that enable them to authenticate using the identities loaded into |
224 | the agent. | 218 | the agent. |
225 | 219 | ||
226 | ^[[1mM-bMM-^Rb ^[[4m^[[22mbind_address^[[0m | 220 | -b bind_address |
227 | Specify the interface to transmit from on machines with multiple | 221 | Specify the interface to transmit from on machines with multiple |
228 | interfaces or aliased addresses. | 222 | interfaces or aliased addresses. |
229 | 223 | ||
230 | ^[[1mM-bMM-^Rc ^[[4m^[[22mblowfish|3des|des^[[0m | 224 | -c blowfish|3des|des |
231 | Selects the cipher to use for encrypting the session. ^[[4m3des^[[24m is | 225 | Selects the cipher to use for encrypting the session. 3des is |
232 | used by default. It is believed to be secure. ^[[4m3des^[[24m (tripleM-bM-^@M-^Pdes) | 226 | used by default. It is believed to be secure. 3des (triple-des) |
233 | is an encryptM-bM-^@M-^PdecryptM-bM-^@M-^Pencrypt triple with three different keys. | 227 | is an encrypt-decrypt-encrypt triple with three different keys. |
234 | ^[[4mblowfish^[[24m is a fast block cipher, it appears very secure and is | 228 | blowfish is a fast block cipher, it appears very secure and is |
235 | much faster than ^[[4m3des^[[24m. ^[[4mdes^[[24m is only supported in the ^[[1mssh ^[[22mclient | 229 | much faster than 3des. des is only supported in the ssh client |
236 | for interoperability with legacy protocol 1 implementations that | 230 | for interoperability with legacy protocol 1 implementations that |
237 | do not support the ^[[4m3des^[[24m cipher. Its use is strongly discouraged | 231 | do not support the 3des cipher. Its use is strongly discouraged |
238 | due to cryptographic weaknesses. | 232 | due to cryptographic weaknesses. |
239 | 233 | ||
240 | ^[[1mM-bMM-^Rc ^[[4m^[[22mcipher_spec^[[0m | 234 | -c cipher_spec |
241 | Additionally, for protocol version 2 a commaM-bM-^@M-^Pseparated list of | 235 | Additionally, for protocol version 2 a comma-separated list of |
242 | ciphers can be specified in order of preference. See ^[[1mCiphers ^[[22mfor | 236 | ciphers can be specified in order of preference. See Ciphers for |
243 | more information. | 237 | more information. |
244 | 238 | ||
245 | ^[[1mM-bMM-^Re ^[[4m^[[22mch|^ch|none^[[0m | 239 | -e ch|^ch|none |
246 | Sets the escape character for sessions with a pty (default: M-bM-^@M-^X~M-bM-^@M-^Y). | 240 | Sets the escape character for sessions with a pty (default: M-bM-^@M-^X~M-bM-^@M-^Y). |
247 | The escape character is only recognized at the beginning of a | 241 | The escape character is only recognized at the beginning of a |
248 | line. The escape character followed by a dot (M-bM-^@M-^X.M-bM-^@M-^Y) closes the | 242 | line. The escape character followed by a dot (M-bM-^@M-^X.M-bM-^@M-^Y) closes the |
249 | connection, followed by controlM-bM-^@M-^PZ suspends the connection, and | 243 | connection, followed by control-Z suspends the connection, and |
250 | followed by itself sends the escape character once. Setting the | 244 | followed by itself sends the escape character once. Setting the |
251 | character to M-bM-^@M-^\noneM-bM-^@M-^] disables any escapes and makes the session | 245 | character to M-bM-^@M-^\noneM-bM-^@M-^] disables any escapes and makes the session |
252 | fully transparent. | 246 | fully transparent. |
253 | 247 | ||
254 | ^[[1mM-bMM-^Rf ^[[22mRequests ^[[1mssh ^[[22mto go to background just before command execution. | 248 | -f Requests ssh to go to background just before command execution. |
255 | This is useful if ^[[1mssh ^[[22mis going to ask for passwords or | 249 | This is useful if ssh is going to ask for passwords or |
256 | passphrases, but the user wants it in the background. This | 250 | passphrases, but the user wants it in the background. This |
257 | implies ^[[1mM-bMM-^Rn^[[22m. The recommended way to start X11 programs at a | 251 | implies -n. The recommended way to start X11 programs at a |
258 | remote site is with something like ^[[1mssh M-bM-^@M-^Pf host xterm^[[22m. | 252 | remote site is with something like ssh -f host xterm. |
259 | 253 | ||
260 | ^[[1mM-bMM-^Rg ^[[22mAllows remote hosts to connect to local forwarded ports. | 254 | -g Allows remote hosts to connect to local forwarded ports. |
261 | 255 | ||
262 | ^[[1mM-bMM-^Ri ^[[4m^[[22midentity_file^[[0m | 256 | -i identity_file |
263 | Selects a file from which the identity (private key) for RSA or | 257 | Selects a file from which the identity (private key) for RSA or |
264 | DSA authentication is read. The default is ^[[4m$HOME/.ssh/identity^[[0m | 258 | DSA authentication is read. The default is $HOME/.ssh/identity |
265 | for protocol version 1, and ^[[4m$HOME/.ssh/id_rsa^[[24m and | 259 | for protocol version 1, and $HOME/.ssh/id_rsa and |
266 | ^[[4m$HOME/.ssh/id_dsa^[[24m for protocol version 2. Identity files may | 260 | $HOME/.ssh/id_dsa for protocol version 2. Identity files may |
267 | also be specified on a perM-bM-^@M-^Phost basis in the configuration file. | 261 | also be specified on a per-host basis in the configuration file. |
268 | It is possible to have multiple ^[[1mM-bMM-^Ri ^[[22moptions (and multiple identiM-bM-^@M-^P | 262 | It is possible to have multiple -i options (and multiple identi- |
269 | ties specified in configuration files). | 263 | ties specified in configuration files). |
270 | 264 | ||
271 | ^[[1mM-bMM-^RI ^[[4m^[[22msmartcard_device^[[0m | 265 | -I smartcard_device |
272 | Specifies which smartcard device to use. The argument is the | 266 | Specifies which smartcard device to use. The argument is the |
273 | device ^[[1mssh ^[[22mshould use to communicate with a smartcard used for | 267 | device ssh should use to communicate with a smartcard used for |
274 | storing the userM-bM-^@M-^Ys private RSA key. | 268 | storing the userM-bM-^@M-^Ys private RSA key. |
275 | 269 | ||
276 | ^[[1mM-bMM-^Rk ^[[22mDisables forwarding of Kerberos tickets and AFS tokens. This may | 270 | -k Disables forwarding of Kerberos tickets and AFS tokens. This may |
277 | also be specified on a perM-bM-^@M-^Phost basis in the configuration file. | 271 | also be specified on a per-host basis in the configuration file. |
278 | 272 | ||
279 | ^[[1mM-bMM-^Rl ^[[4m^[[22mlogin_name^[[0m | 273 | -l login_name |
280 | Specifies the user to log in as on the remote machine. This also | 274 | Specifies the user to log in as on the remote machine. This also |
281 | may be specified on a perM-bM-^@M-^Phost basis in the configuration file. | 275 | may be specified on a per-host basis in the configuration file. |
282 | 276 | ||
283 | ^[[1mM-bMM-^Rm ^[[4m^[[22mmac_spec^[[0m | 277 | -m mac_spec |
284 | Additionally, for protocol version 2 a commaM-bM-^@M-^Pseparated list of | 278 | Additionally, for protocol version 2 a comma-separated list of |
285 | MAC (message authentication code) algorithms can be specified in | 279 | MAC (message authentication code) algorithms can be specified in |
286 | order of preference. See the ^[[1mMACs ^[[22mkeyword for more information. | 280 | order of preference. See the MACs keyword for more information. |
287 | 281 | ||
288 | ^[[1mM-bMM-^Rn ^[[22mRedirects stdin from ^[[4m/dev/null^[[24m (actually, prevents reading from | 282 | -n Redirects stdin from /dev/null (actually, prevents reading from |
289 | stdin). This must be used when ^[[1mssh ^[[22mis run in the background. A | 283 | stdin). This must be used when ssh is run in the background. A |
290 | common trick is to use this to run X11 programs on a remote | 284 | common trick is to use this to run X11 programs on a remote |
291 | machine. For example, ^[[1mssh M-bM-^@M-^Pn shadows.cs.hut.fi emacs & ^[[22mwill | 285 | machine. For example, ssh -n shadows.cs.hut.fi emacs & will |
292 | start an emacs on shadows.cs.hut.fi, and the X11 connection will | 286 | start an emacs on shadows.cs.hut.fi, and the X11 connection will |
293 | be automatically forwarded over an encrypted channel. The ^[[1mssh^[[0m | 287 | be automatically forwarded over an encrypted channel. The ssh |
294 | program will be put in the background. (This does not work if | 288 | program will be put in the background. (This does not work if |
295 | ^[[1mssh ^[[22mneeds to ask for a password or passphrase; see also the ^[[1mM-bMM-^Rf^[[0m | 289 | ssh needs to ask for a password or passphrase; see also the -f |
296 | option.) | 290 | option.) |
297 | 291 | ||
298 | ^[[1mM-bMM-^RN ^[[22mDo not execute a remote command. This is useful for just forM-bM-^@M-^P | 292 | -N Do not execute a remote command. This is useful for just for- |
299 | warding ports (protocol version 2 only). | 293 | warding ports (protocol version 2 only). |
300 | 294 | ||
301 | ^[[1mM-bMM-^Ro ^[[4m^[[22moption^[[0m | 295 | -o option |
302 | Can be used to give options in the format used in the configuraM-bM-^@M-^P | 296 | Can be used to give options in the format used in the configura- |
303 | tion file. This is useful for specifying options for which there | 297 | tion file. This is useful for specifying options for which there |
304 | is no separate commandM-bM-^@M-^Pline flag. | 298 | is no separate command-line flag. |
305 | 299 | ||
306 | ^[[1mM-bMM-^Rp ^[[4m^[[22mport^[[0m | 300 | -p port |
307 | Port to connect to on the remote host. This can be specified on | 301 | Port to connect to on the remote host. This can be specified on |
308 | a perM-bM-^@M-^Phost basis in the configuration file. | 302 | a per-host basis in the configuration file. |
309 | 303 | ||
310 | ^[[1mM-bMM-^Rq ^[[22mQuiet mode. Causes all warning and diagnostic messages to be | 304 | -q Quiet mode. Causes all warning and diagnostic messages to be |
311 | suppressed. | 305 | suppressed. |
312 | 306 | ||
313 | ^[[1mM-bMM-^Rs ^[[22mMay be used to request invocation of a subsystem on the remote | 307 | -s May be used to request invocation of a subsystem on the remote |
314 | system. Subsystems are a feature of the SSH2 protocol which | 308 | system. Subsystems are a feature of the SSH2 protocol which |
315 | facilitate the use of SSH as a secure transport for other appliM-bM-^@M-^P | 309 | facilitate the use of SSH as a secure transport for other appli- |
316 | cations (eg. sftp). The subsystem is specified as the remote comM-bM-^@M-^P | 310 | cations (eg. sftp). The subsystem is specified as the remote com- |
317 | mand. | 311 | mand. |
318 | 312 | ||
319 | ^[[1mM-bMM-^Rt ^[[22mForce pseudoM-bM-^@M-^Ptty allocation. This can be used to execute arbiM-bM-^@M-^P | 313 | -t Force pseudo-tty allocation. This can be used to execute arbi- |
320 | trary screenM-bM-^@M-^Pbased programs on a remote machine, which can be | 314 | trary screen-based programs on a remote machine, which can be |
321 | very useful, e.g., when implementing menu services. Multiple ^[[1mM-bMM-^Rt^[[0m | 315 | very useful, e.g., when implementing menu services. Multiple -t |
322 | options force tty allocation, even if ^[[1mssh ^[[22mhas no local tty. | 316 | options force tty allocation, even if ssh has no local tty. |
323 | 317 | ||
324 | ^[[1mM-bMM-^RT ^[[22mDisable pseudoM-bM-^@M-^Ptty allocation. | 318 | -T Disable pseudo-tty allocation. |
325 | 319 | ||
326 | ^[[1mM-bMM-^Rv ^[[22mVerbose mode. Causes ^[[1mssh ^[[22mto print debugging messages about its | 320 | -v Verbose mode. Causes ssh to print debugging messages about its |
327 | progress. This is helpful in debugging connection, authenticaM-bM-^@M-^P | 321 | progress. This is helpful in debugging connection, authentica- |
328 | tion, and configuration problems. Multiple ^[[1mM-bMM-^Rv ^[[22moptions increases | 322 | tion, and configuration problems. Multiple -v options increases |
329 | the verbosity. Maximum is 3. | 323 | the verbosity. Maximum is 3. |
330 | 324 | ||
331 | ^[[1mM-bMM-^Rx ^[[22mDisables X11 forwarding. | 325 | -x Disables X11 forwarding. |
332 | 326 | ||
333 | ^[[1mM-bMM-^RX ^[[22mEnables X11 forwarding. This can also be specified on a perM-bM-^@M-^Phost | 327 | -X Enables X11 forwarding. This can also be specified on a per-host |
334 | basis in a configuration file. | 328 | basis in a configuration file. |
335 | 329 | ||
336 | X11 forwarding should be enabled with caution. Users with the | 330 | X11 forwarding should be enabled with caution. Users with the |
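Review bot: the regenerated right-hand column is not fully 7-bit: old line 274 / new line 268 still ends in `userM-bM-^@M-^Ys`, i.e. a raw UTF-8 U+2019 apostrophe as shown by cat -v, even though the U+2010 hyphens in `-i`, `per-host` and the soft hyphen in `identi-/ties` were folded to plain `-`. Since ssh.0 is the preformatted page that gets shipped and may be displayed under a C/POSIX locale, suggest regenerating with the formatter's ASCII output device (e.g. `nroff -Tascii`, or with LANG=C) so apostrophes are folded to `'` as well. The hyphen conversion itself is the fix that matters: `ssh -f host xterm` on new line 252 can now be copied from the page and parses as an option, whereas the old U+2010 hyphen in `M-bM-^@M-^Pf` would not have been recognised as `-f`.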
@@ -339,76 +333,76 @@ SSH(1) BSD General Commands Manual SSH(1) | |||
339 | through the forwarded connection. An attacker may then be able | 333 | through the forwarded connection. An attacker may then be able |
340 | to perform activities such as keystroke monitoring. | 334 | to perform activities such as keystroke monitoring. |
341 | 335 | ||
342 | ^[[1mM-bMM-^RC ^[[22mRequests compression of all data (including stdin, stdout, | 336 | -C Requests compression of all data (including stdin, stdout, |
343 | stderr, and data for forwarded X11 and TCP/IP connections). The | 337 | stderr, and data for forwarded X11 and TCP/IP connections). The |
344 | compression algorithm is the same used by gzip(1), and the | 338 | compression algorithm is the same used by gzip(1), and the |
345 | M-bM-^@M-^\levelM-bM-^@M-^] can be controlled by the ^[[1mCompressionLevel ^[[22moption for proM-bM-^@M-^P | 339 | M-bM-^@M-^\levelM-bM-^@M-^] can be controlled by the CompressionLevel option for pro- |
346 | tocol version 1. Compression is desirable on modem lines and | 340 | tocol version 1. Compression is desirable on modem lines and |
347 | other slow connections, but will only slow down things on fast | 341 | other slow connections, but will only slow down things on fast |
348 | networks. The default value can be set on a hostM-bM-^@M-^PbyM-bM-^@M-^Phost basis | 342 | networks. The default value can be set on a host-by-host basis |
349 | in the configuration files; see the ^[[1mCompression ^[[22moption. | 343 | in the configuration files; see the Compression option. |
350 | 344 | ||
351 | ^[[1mM-bMM-^RF ^[[4m^[[22mconfigfile^[[0m | 345 | -F configfile |
352 | Specifies an alternative perM-bM-^@M-^Puser configuration file. If a conM-bM-^@M-^P | 346 | Specifies an alternative per-user configuration file. If a con- |
353 | figuration file is given on the command line, the systemM-bM-^@M-^Pwide | 347 | figuration file is given on the command line, the system-wide |
354 | configuration file (^[[4m/etc/ssh/ssh_config^[[24m) will be ignored. The | 348 | configuration file (/etc/ssh/ssh_config) will be ignored. The |
355 | default for the perM-bM-^@M-^Puser configuration file is ^[[4m$HOME/.ssh/config^[[24m. | 349 | default for the per-user configuration file is $HOME/.ssh/config. |
356 | 350 | ||
357 | ^[[1mM-bMM-^RL ^[[4m^[[22mport:host:hostport^[[0m | 351 | -L port:host:hostport |
358 | Specifies that the given port on the local (client) host is to be | 352 | Specifies that the given port on the local (client) host is to be |
359 | forwarded to the given host and port on the remote side. This | 353 | forwarded to the given host and port on the remote side. This |
360 | works by allocating a socket to listen to ^[[4mport^[[24m on the local side, | 354 | works by allocating a socket to listen to port on the local side, |
361 | and whenever a connection is made to this port, the connection is | 355 | and whenever a connection is made to this port, the connection is |
362 | forwarded over the secure channel, and a connection is made to | 356 | forwarded over the secure channel, and a connection is made to |
363 | ^[[4mhost^[[24m port ^[[4mhostport^[[24m from the remote machine. Port forwardings can | 357 | host port hostport from the remote machine. Port forwardings can |
364 | also be specified in the configuration file. Only root can forM-bM-^@M-^P | 358 | also be specified in the configuration file. Only root can for- |
365 | ward privileged ports. IPv6 addresses can be specified with an | 359 | ward privileged ports. IPv6 addresses can be specified with an |
366 | alternative syntax: ^[[4mport/host/hostport^[[0m | 360 | alternative syntax: port/host/hostport |
367 | 361 | ||
368 | ^[[1mM-bMM-^RR ^[[4m^[[22mport:host:hostport^[[0m | 362 | -R port:host:hostport |
369 | Specifies that the given port on the remote (server) host is to | 363 | Specifies that the given port on the remote (server) host is to |
370 | be forwarded to the given host and port on the local side. This | 364 | be forwarded to the given host and port on the local side. This |
371 | works by allocating a socket to listen to ^[[4mport^[[24m on the remote | 365 | works by allocating a socket to listen to port on the remote |
372 | side, and whenever a connection is made to this port, the connecM-bM-^@M-^P | 366 | side, and whenever a connection is made to this port, the connec- |
373 | tion is forwarded over the secure channel, and a connection is | 367 | tion is forwarded over the secure channel, and a connection is |
374 | made to ^[[4mhost^[[24m port ^[[4mhostport^[[24m from the local machine. Port forwardM-bM-^@M-^P | 368 | made to host port hostport from the local machine. Port forward- |
375 | ings can also be specified in the configuration file. Privileged | 369 | ings can also be specified in the configuration file. Privileged |
376 | ports can be forwarded only when logging in as root on the remote | 370 | ports can be forwarded only when logging in as root on the remote |
377 | machine. IPv6 addresses can be specified with an alternative | 371 | machine. IPv6 addresses can be specified with an alternative |
378 | syntax: ^[[4mport/host/hostport^[[0m | 372 | syntax: port/host/hostport |
379 | 373 | ||
380 | ^[[1mM-bMM-^RD ^[[4m^[[22mport^[[0m | 374 | -D port |
381 | Specifies a local M-bM-^@M-^\dynamicM-bM-^@M-^] applicationM-bM-^@M-^Plevel port forwarding. | 375 | Specifies a local M-bM-^@M-^\dynamicM-bM-^@M-^] application-level port forwarding. |
382 | This works by allocating a socket to listen to ^[[4mport^[[24m on the local | 376 | This works by allocating a socket to listen to port on the local |
383 | side, and whenever a connection is made to this port, the connecM-bM-^@M-^P | 377 | side, and whenever a connection is made to this port, the connec- |
384 | tion is forwarded over the secure channel, and the application | 378 | tion is forwarded over the secure channel, and the application |
385 | protocol is then used to determine where to connect to from the | 379 | protocol is then used to determine where to connect to from the |
386 | remote machine. Currently the SOCKS4 protocol is supported, and | 380 | remote machine. Currently the SOCKS4 protocol is supported, and |
387 | ^[[1mssh ^[[22mwill act as a SOCKS4 server. Only root can forward priviM-bM-^@M-^P | 381 | ssh will act as a SOCKS4 server. Only root can forward privi- |
388 | leged ports. Dynamic port forwardings can also be specified in | 382 | leged ports. Dynamic port forwardings can also be specified in |
389 | the configuration file. | 383 | the configuration file. |
390 | 384 | ||
391 | ^[[1mM-bMM-^R1 ^[[22mForces ^[[1mssh ^[[22mto try protocol version 1 only. | 385 | -1 Forces ssh to try protocol version 1 only. |
392 | 386 | ||
393 | ^[[1mM-bMM-^R2 ^[[22mForces ^[[1mssh ^[[22mto try protocol version 2 only. | 387 | -2 Forces ssh to try protocol version 2 only. |
394 | 388 | ||
395 | ^[[1mM-bMM-^R4 ^[[22mForces ^[[1mssh ^[[22mto use IPv4 addresses only. | 389 | -4 Forces ssh to use IPv4 addresses only. |
396 | 390 | ||
397 | ^[[1mM-bMM-^R6 ^[[22mForces ^[[1mssh ^[[22mto use IPv6 addresses only. | 391 | -6 Forces ssh to use IPv6 addresses only. |
398 | 392 | ||
399 | ^[[1mCONFIGURATION FILES^[[0m | 393 | CONFIGURATION FILES |
400 | ^[[1mssh ^[[22mmay additionally obtain configuration data from a perM-bM-^@M-^Puser configuraM-bM-^@M-^P | 394 | ssh may additionally obtain configuration data from a per-user configura- |
401 | tion file and a systemM-bM-^@M-^Pwide configuration file. The file format and conM-bM-^@M-^P | 395 | tion file and a system-wide configuration file. The file format and con- |
402 | figuration options are described in ssh_config(5). | 396 | figuration options are described in ssh_config(5). |
403 | 397 | ||
404 | ^[[1mENVIRONMENT^[[0m | 398 | ENVIRONMENT |
405 | ^[[1mssh ^[[22mwill normally set the following environment variables: | 399 | ssh will normally set the following environment variables: |
406 | 400 | ||
407 | DISPLAY | 401 | DISPLAY |
408 | The DISPLAY variable indicates the location of the X11 server. | 402 | The DISPLAY variable indicates the location of the X11 server. |
409 | It is automatically set by ^[[1mssh ^[[22mto point to a value of the form | 403 | It is automatically set by ssh to point to a value of the form |
410 | M-bM-^@M-^\hostname:nM-bM-^@M-^] where hostname indicates the host where the shell | 404 | M-bM-^@M-^\hostname:nM-bM-^@M-^] where hostname indicates the host where the shell |
411 | runs, and n is an integer >= 1. ^[[1mssh ^[[22muses this special value to | 405 | runs, and n is an integer >= 1. ssh uses this special value to |
412 | forward X11 connections over the secure channel. The user should | 406 | forward X11 connections over the secure channel. The user should |
413 | normally not set DISPLAY explicitly, as that will render the X11 | 407 | normally not set DISPLAY explicitly, as that will render the X11 |
414 | connection insecure (and will require the user to manually copy | 408 | connection insecure (and will require the user to manually copy |
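Review bot: the same residue applies to double quotes in this hunk: new lines 339 (`M-bM-^@M-^\levelM-bM-^@M-^]`), 375 (`M-bM-^@M-^\dynamicM-bM-^@M-^]`) and 404 (`M-bM-^@M-^\hostname:nM-bM-^@M-^]`) keep U+201C/U+201D as raw UTF-8 bytes while every hyphen around them became ASCII. A pager in a non-UTF-8 locale shows each of these as three garbage characters, and `grep '"hostname:n"' ssh.0` will not find the DISPLAY format; folding them to `"` with the ASCII output device would make the file consistent with the hyphen treatment in the rest of the hunk.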
@@ -422,34 +416,34 @@ SSH(1) BSD General Commands Manual SSH(1) | |||
422 | 416 | ||
423 | MAIL Set to the path of the userM-bM-^@M-^Ys mailbox. | 417 | MAIL Set to the path of the userM-bM-^@M-^Ys mailbox. |
424 | 418 | ||
425 | PATH Set to the default PATH, as specified when compiling ^[[1mssh^[[22m. | 419 | PATH Set to the default PATH, as specified when compiling ssh. |
426 | 420 | ||
427 | SSH_ASKPASS | 421 | SSH_ASKPASS |
428 | If ^[[1mssh ^[[22mneeds a passphrase, it will read the passphrase from the | 422 | If ssh needs a passphrase, it will read the passphrase from the |
429 | current terminal if it was run from a terminal. If ^[[1mssh ^[[22mdoes not | 423 | current terminal if it was run from a terminal. If ssh does not |
430 | have a terminal associated with it but DISPLAY and SSH_ASKPASS | 424 | have a terminal associated with it but DISPLAY and SSH_ASKPASS |
431 | are set, it will execute the program specified by SSH_ASKPASS and | 425 | are set, it will execute the program specified by SSH_ASKPASS and |
432 | open an X11 window to read the passphrase. This is particularly | 426 | open an X11 window to read the passphrase. This is particularly |
433 | useful when calling ^[[1mssh ^[[22mfrom a ^[[4m.Xsession^[[24m or related script. | 427 | useful when calling ssh from a .Xsession or related script. |
434 | (Note that on some machines it may be necessary to redirect the | 428 | (Note that on some machines it may be necessary to redirect the |
435 | input from ^[[4m/dev/null^[[24m to make this work.) | 429 | input from /dev/null to make this work.) |
436 | 430 | ||
437 | SSH_AUTH_SOCK | 431 | SSH_AUTH_SOCK |
438 | Identifies the path of a unixM-bM-^@M-^Pdomain socket used to communicate | 432 | Identifies the path of a unix-domain socket used to communicate |
439 | with the agent. | 433 | with the agent. |
440 | 434 | ||
441 | SSH_CONNECTION | 435 | SSH_CONNECTION |
442 | Identifies the client and server ends of the connection. The | 436 | Identifies the client and server ends of the connection. The |
443 | variable contains four spaceM-bM-^@M-^Pseparated values: client ipM-bM-^@M-^Paddress, | 437 | variable contains four space-separated values: client ip-address, |
444 | client port number, server ipM-bM-^@M-^Paddress and server port number. | 438 | client port number, server ip-address and server port number. |
445 | 439 | ||
446 | SSH_ORIGINAL_COMMAND | 440 | SSH_ORIGINAL_COMMAND |
447 | The variable contains the original command line if a forced comM-bM-^@M-^P | 441 | The variable contains the original command line if a forced com- |
448 | mand is executed. It can be used to extract the original arguM-bM-^@M-^P | 442 | mand is executed. It can be used to extract the original argu- |
449 | ments. | 443 | ments. |
450 | 444 | ||
451 | SSH_TTY | 445 | SSH_TTY |
452 | This is set to the name of the tty (path to the device) associM-bM-^@M-^P | 446 | This is set to the name of the tty (path to the device) associ- |
453 | ated with the current shell or command. If the current session | 447 | ated with the current shell or command. If the current session |
454 | has no tty, this variable is not set. | 448 | has no tty, this variable is not set. |
455 | 449 | ||
@@ -459,42 +453,42 @@ SSH(1) BSD General Commands Manual SSH(1) | |||
459 | 453 | ||
460 | USER Set to the name of the user logging in. | 454 | USER Set to the name of the user logging in. |
461 | 455 | ||
462 | Additionally, ^[[1mssh ^[[22mreads ^[[4m$HOME/.ssh/environment^[[24m, and adds lines of the | 456 | Additionally, ssh reads $HOME/.ssh/environment, and adds lines of the |
463 | format M-bM-^@M-^\VARNAME=valueM-bM-^@M-^] to the environment if the file exists and if users | 457 | format M-bM-^@M-^\VARNAME=valueM-bM-^@M-^] to the environment if the file exists and if users |
464 | are allowed to change their environment. See the ^[[1mPermitUserEnvironment^[[0m | 458 | are allowed to change their environment. See the PermitUserEnvironment |
465 | option in sshd_config(5). | 459 | option in sshd_config(5). |
466 | 460 | ||
467 | ^[[1mFILES^[[0m | 461 | FILES |
468 | $HOME/.ssh/known_hosts | 462 | $HOME/.ssh/known_hosts |
469 | Records host keys for all hosts the user has logged into that are | 463 | Records host keys for all hosts the user has logged into that are |
470 | not in ^[[4m/etc/ssh/ssh_known_hosts^[[24m. See sshd(8). | 464 | not in /etc/ssh/ssh_known_hosts. See sshd(8). |
471 | 465 | ||
472 | $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa | 466 | $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa |
473 | Contains the authentication identity of the user. They are for | 467 | Contains the authentication identity of the user. They are for |
474 | protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. | 468 | protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. |
475 | These files contain sensitive data and should be readable by the | 469 | These files contain sensitive data and should be readable by the |
476 | user but not accessible by others (read/write/execute). Note | 470 | user but not accessible by others (read/write/execute). Note |
477 | that ^[[1mssh ^[[22mignores a private key file if it is accessible by othM-bM-^@M-^P | 471 | that ssh ignores a private key file if it is accessible by oth- |
478 | ers. It is possible to specify a passphrase when generating the | 472 | ers. It is possible to specify a passphrase when generating the |
479 | key; the passphrase will be used to encrypt the sensitive part of | 473 | key; the passphrase will be used to encrypt the sensitive part of |
480 | this file using 3DES. | 474 | this file using 3DES. |
481 | 475 | ||
482 | $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub | 476 | $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub |
483 | Contains the public key for authentication (public part of the | 477 | Contains the public key for authentication (public part of the |
484 | identity file in humanM-bM-^@M-^Preadable form). The contents of the | 478 | identity file in human-readable form). The contents of the |
485 | ^[[4m$HOME/.ssh/identity.pub^[[24m file should be added to | 479 | $HOME/.ssh/identity.pub file should be added to |
486 | ^[[4m$HOME/.ssh/authorized_keys^[[24m on all machines where the user wishes | 480 | $HOME/.ssh/authorized_keys on all machines where the user wishes |
487 | to log in using protocol version 1 RSA authentication. The conM-bM-^@M-^P | 481 | to log in using protocol version 1 RSA authentication. The con- |
488 | tents of the ^[[4m$HOME/.ssh/id_dsa.pub^[[24m and ^[[4m$HOME/.ssh/id_rsa.pub^[[24m file | 482 | tents of the $HOME/.ssh/id_dsa.pub and $HOME/.ssh/id_rsa.pub file |
489 | should be added to ^[[4m$HOME/.ssh/authorized_keys^[[24m on all machines | 483 | should be added to $HOME/.ssh/authorized_keys on all machines |
490 | where the user wishes to log in using protocol version 2 DSA/RSA | 484 | where the user wishes to log in using protocol version 2 DSA/RSA |
491 | authentication. These files are not sensitive and can (but need | 485 | authentication. These files are not sensitive and can (but need |
492 | not) be readable by anyone. These files are never used automatiM-bM-^@M-^P | 486 | not) be readable by anyone. These files are never used automati- |
493 | cally and are not necessary; they are only provided for the conM-bM-^@M-^P | 487 | cally and are not necessary; they are only provided for the con- |
494 | venience of the user. | 488 | venience of the user. |
495 | 489 | ||
496 | $HOME/.ssh/config | 490 | $HOME/.ssh/config |
497 | This is the perM-bM-^@M-^Puser configuration file. The file format and | 491 | This is the per-user configuration file. The file format and |
498 | configuration options are described in ssh_config(5). | 492 | configuration options are described in ssh_config(5). |
499 | 493 | ||
500 | $HOME/.ssh/authorized_keys | 494 | $HOME/.ssh/authorized_keys |
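Review bot: this hunk changes rendering only (escape sequences dropped, the soft hyphens in `oth-/ers`, `con-/tents`, `automati-/cally` and `con-/venience` now ASCII); the wording on key-file permissions, on ssh ignoring a private key that is accessible by others, and on passphrase encryption with 3DES is otherwise unchanged. Given a 484-line diffstat for a no-content change, the commit should state that ssh.0 was regenerated from an unmodified ssh.1 and name the formatter and locale used, so the next regeneration reproduces the same bytes and a content change to the FILES text is not hidden inside a re-render.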
@@ -508,17 +502,17 @@ SSH(1) BSD General Commands Manual SSH(1) | |||
508 | /etc/ssh/ssh_known_hosts | 502 | /etc/ssh/ssh_known_hosts |
509 | Systemwide list of known host keys. This file should be prepared | 503 | Systemwide list of known host keys. This file should be prepared |
510 | by the system administrator to contain the public host keys of | 504 | by the system administrator to contain the public host keys of |
511 | all machines in the organization. This file should be worldM-bM-^@M-^P | 505 | all machines in the organization. This file should be world- |
512 | readable. This file contains public keys, one per line, in the | 506 | readable. This file contains public keys, one per line, in the |
513 | following format (fields separated by spaces): system name, pubM-bM-^@M-^P | 507 | following format (fields separated by spaces): system name, pub- |
514 | lic key and optional comment field. When different names are | 508 | lic key and optional comment field. When different names are |
515 | used for the same machine, all such names should be listed, sepaM-bM-^@M-^P | 509 | used for the same machine, all such names should be listed, sepa- |
516 | rated by commas. The format is described on the sshd(8) manual | 510 | rated by commas. The format is described on the sshd(8) manual |
517 | page. | 511 | page. |
518 | 512 | ||
519 | The canonical system name (as returned by name servers) is used | 513 | The canonical system name (as returned by name servers) is used |
520 | by sshd(8) to verify the client host when logging in; other names | 514 | by sshd(8) to verify the client host when logging in; other names |
521 | are needed because ^[[1mssh ^[[22mdoes not convert the userM-bM-^@M-^Psupplied name to | 515 | are needed because ssh does not convert the user-supplied name to |
522 | a canonical name before checking the key, because someone with | 516 | a canonical name before checking the key, because someone with |
523 | access to the name servers would then be able to fool host | 517 | access to the name servers would then be able to fool host |
524 | authentication. | 518 | authentication. |
@@ -530,22 +524,22 @@ SSH(1) BSD General Commands Manual SSH(1) | |||
530 | /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, | 524 | /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, |
531 | /etc/ssh/ssh_host_rsa_key | 525 | /etc/ssh/ssh_host_rsa_key |
532 | These three files contain the private parts of the host keys and | 526 | These three files contain the private parts of the host keys and |
533 | are used for ^[[1mRhostsRSAAuthentication ^[[22mand ^[[1mHostbasedAuthentication^[[22m. | 527 | are used for RhostsRSAAuthentication and HostbasedAuthentication. |
534 | If the protocol version 1 ^[[1mRhostsRSAAuthentication ^[[22mmethod is used, | 528 | If the protocol version 1 RhostsRSAAuthentication method is used, |
535 | ^[[1mssh ^[[22mmust be setuid root, since the host key is readable only by | 529 | ssh must be setuid root, since the host key is readable only by |
536 | root. For protocol version 2, ^[[1mssh ^[[22muses sshM-bM-^@M-^Pkeysign(8) to access | 530 | root. For protocol version 2, ssh uses ssh-keysign(8) to access |
537 | the host keys for ^[[1mHostbasedAuthentication^[[22m. This eliminates the | 531 | the host keys for HostbasedAuthentication. This eliminates the |
538 | requirement that ^[[1mssh ^[[22mbe setuid root when that authentication | 532 | requirement that ssh be setuid root when that authentication |
539 | method is used. By default ^[[1mssh ^[[22mis not setuid root. | 533 | method is used. By default ssh is not setuid root. |
540 | 534 | ||
541 | $HOME/.rhosts | 535 | $HOME/.rhosts |
542 | This file is used in ^[[4m.rhosts^[[24m authentication to list the host/user | 536 | This file is used in .rhosts authentication to list the host/user |
543 | pairs that are permitted to log in. (Note that this file is also | 537 | pairs that are permitted to log in. (Note that this file is also |
544 | used by rlogin and rsh, which makes using this file insecure.) | 538 | used by rlogin and rsh, which makes using this file insecure.) |
545 | Each line of the file contains a host name (in the canonical form | 539 | Each line of the file contains a host name (in the canonical form |
546 | returned by name servers), and then a user name on that host, | 540 | returned by name servers), and then a user name on that host, |
547 | separated by a space. On some machines this file may need to be | 541 | separated by a space. On some machines this file may need to be |
548 | worldM-bM-^@M-^Preadable if the userM-bM-^@M-^Ys home directory is on a NFS partiM-bM-^@M-^P | 542 | world-readable if the userM-bM-^@M-^Ys home directory is on a NFS parti- |
549 | tion, because sshd(8) reads it as root. Additionally, this file | 543 | tion, because sshd(8) reads it as root. Additionally, this file |
550 | must be owned by the user, and must not have write permissions | 544 | must be owned by the user, and must not have write permissions |
551 | for anyone else. The recommended permission for most machines is | 545 | for anyone else. The recommended permission for most machines is |
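Review bot: the cross-reference on old line 536 / new line 530 changes from `sshM-bM-^@M-^Pkeysign(8)` to `ssh-keysign(8)`; with the Unicode hyphen, neither `man ssh-keysign` nor `grep ssh-keysign ssh.0` would have matched, so this is a real fix for the setuid-root discussion in this hunk, which relies on readers finding ssh-keysign(8) to understand why ssh need not be setuid root for protocol 2 HostbasedAuthentication. New line 542 (`userM-bM-^@M-^Ys home directory`) still carries the U+2019 apostrophe noted above.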
@@ -554,18 +548,18 @@ SSH(1) BSD General Commands Manual SSH(1) | |||
554 | Note that by default sshd(8) will be installed so that it | 548 | Note that by default sshd(8) will be installed so that it |
555 | requires successful RSA host authentication before permitting | 549 | requires successful RSA host authentication before permitting |
556 | .rhosts authentication. If the server machine does not have the | 550 | .rhosts authentication. If the server machine does not have the |
557 | clientM-bM-^@M-^Ys host key in ^[[4m/etc/ssh/ssh_known_hosts^[[24m, it can be stored | 551 | clientM-bM-^@M-^Ys host key in /etc/ssh/ssh_known_hosts, it can be stored |
558 | in ^[[4m$HOME/.ssh/known_hosts^[[24m. The easiest way to do this is to conM-bM-^@M-^P | 552 | in $HOME/.ssh/known_hosts. The easiest way to do this is to con- |
559 | nect back to the client from the server machine using ssh; this | 553 | nect back to the client from the server machine using ssh; this |
560 | will automatically add the host key to ^[[4m$HOME/.ssh/known_hosts^[[24m. | 554 | will automatically add the host key to $HOME/.ssh/known_hosts. |
561 | 555 | ||
562 | $HOME/.shosts | 556 | $HOME/.shosts |
563 | This file is used exactly the same way as ^[[4m.rhosts^[[24m. The purpose | 557 | This file is used exactly the same way as .rhosts. The purpose |
564 | for having this file is to be able to use rhosts authentication | 558 | for having this file is to be able to use rhosts authentication |
565 | with ^[[1mssh ^[[22mwithout permitting login with ^[[1mrlogin ^[[22mor rsh(1). | 559 | with ssh without permitting login with rlogin or rsh(1). |
566 | 560 | ||
567 | /etc/hosts.equiv | 561 | /etc/hosts.equiv |
568 | This file is used during ^[[4m.rhosts^[[24m ^[[4mauthentication.^[[24m It contains | 562 | This file is used during .rhosts authentication. It contains |
569 | canonical hosts names, one per line (the full format is described | 563 | canonical hosts names, one per line (the full format is described |
570 | on the sshd(8) manual page). If the client host is found in this | 564 | on the sshd(8) manual page). If the client host is found in this |
571 | file, login is automatically permitted provided client and server | 565 | file, login is automatically permitted provided client and server |
@@ -574,41 +568,41 @@ SSH(1) BSD General Commands Manual SSH(1) | |||
574 | writable by root. | 568 | writable by root. |
575 | 569 | ||
576 | /etc/shosts.equiv | 570 | /etc/shosts.equiv |
577 | This file is processed exactly as ^[[4m/etc/hosts.equiv^[[24m. This file | 571 | This file is processed exactly as /etc/hosts.equiv. This file |
578 | may be useful to permit logins using ^[[1mssh ^[[22mbut not using | 572 | may be useful to permit logins using ssh but not using |
579 | rsh/rlogin. | 573 | rsh/rlogin. |
580 | 574 | ||
581 | /etc/ssh/sshrc | 575 | /etc/ssh/sshrc |
582 | Commands in this file are executed by ^[[1mssh ^[[22mwhen the user logs in | 576 | Commands in this file are executed by ssh when the user logs in |
583 | just before the userM-bM-^@M-^Ys shell (or command) is started. See the | 577 | just before the userM-bM-^@M-^Ys shell (or command) is started. See the |
584 | sshd(8) manual page for more information. | 578 | sshd(8) manual page for more information. |
585 | 579 | ||
586 | $HOME/.ssh/rc | 580 | $HOME/.ssh/rc |
587 | Commands in this file are executed by ^[[1mssh ^[[22mwhen the user logs in | 581 | Commands in this file are executed by ssh when the user logs in |
588 | just before the userM-bM-^@M-^Ys shell (or command) is started. See the | 582 | just before the userM-bM-^@M-^Ys shell (or command) is started. See the |
589 | sshd(8) manual page for more information. | 583 | sshd(8) manual page for more information. |
590 | 584 | ||
591 | $HOME/.ssh/environment | 585 | $HOME/.ssh/environment |
592 | Contains additional definitions for environment variables, see | 586 | Contains additional definitions for environment variables, see |
593 | section ^[[4mENVIRONMENT^[[24m above. | 587 | section ENVIRONMENT above. |
594 | 588 | ||
595 | ^[[1mDIAGNOSTICS^[[0m | 589 | DIAGNOSTICS |
596 | ^[[1mssh ^[[22mexits with the exit status of the remote command or with 255 if an | 590 | ssh exits with the exit status of the remote command or with 255 if an |
597 | error occurred. | 591 | error occurred. |
598 | 592 | ||
599 | ^[[1mAUTHORS^[[0m | 593 | AUTHORS |
600 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | 594 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by |
601 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | 595 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo |
602 | de Raadt and Dug Song removed many bugs, reM-bM-^@M-^Padded newer features and creM-bM-^@M-^P | 596 | de Raadt and Dug Song removed many bugs, re-added newer features and cre- |
603 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | 597 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol |
604 | versions 1.5 and 2.0. | 598 | versions 1.5 and 2.0. |
605 | 599 | ||
606 | ^[[1mSEE ALSO^[[0m | 600 | SEE ALSO |
607 | rsh(1), scp(1), sftp(1), sshM-bM-^@M-^Padd(1), sshM-bM-^@M-^Pagent(1), sshM-bM-^@M-^Pkeygen(1), | 601 | rsh(1), scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), |
608 | telnet(1), ssh_config(5), sshM-bM-^@M-^Pkeysign(8), sshd(8) | 602 | telnet(1), ssh_config(5), ssh-keysign(8), sshd(8) |
609 | 603 | ||
610 | T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, ^[[4mSSH^[[0m | 604 | T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH |
611 | ^[[4mProtocol^[[24m ^[[4mArchitecture^[[24m, draftM-bM-^@M-^PietfM-bM-^@M-^PsecshM-bM-^@M-^ParchitectureM-bM-^@M-^P12.txt, January | 605 | Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January |
612 | 2002, work in progress material. | 606 | 2002, work in progress material. |
613 | 607 | ||
614 | BSD September 25, 1999 BSD | 608 | BSD September 25, 1999 BSD |
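Review bot: the regeneration is not fully ASCII: in both the `/etc/ssh/sshrc` and `$HOME/.ssh/rc` entries the new side still reads `userM-bM-^@M-^Ys` (the UTF-8 right single quotation mark U+2019, shown in cat -v notation) where `user's` is expected, even though the U+2010 hyphens in `re-added`, `cre-ated`, `ssh-add(1)`, `ssh-agent(1)`, `ssh-keygen(1)`, `ssh-keysign(8)` and `draft-ietf-secsh-architecture-12.txt` were correctly reduced to plain `-`. Please fix the apostrophe in the same pass so the whole file is 7-bit clean and a search for `user's` matches. The remaining lines of the hunk (the DIAGNOSTICS exit status of 255, AUTHORS, SEE ALSO and the `September 25, 1999` footer) change only by escape removal.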