Diffstat (limited to 'ssh.0')
-rw-r--r--  ssh.0  114
1 files changed, 50 insertions, 64 deletions
diff --git a/ssh.0 b/ssh.0
index ad4817aff..9aaf4367d 100644
--- a/ssh.0
+++ b/ssh.0
@@ -8,22 +8,19 @@ SYNOPSIS
8 [-D [bind_address:]port] [-E log_file] [-e escape_char] 8 [-D [bind_address:]port] [-E log_file] [-e escape_char]
9 [-F configfile] [-I pkcs11] [-i identity_file] [-L address] 9 [-F configfile] [-I pkcs11] [-i identity_file] [-L address]
10 [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] 10 [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
11 [-Q cipher | cipher-auth | mac | kex | key | protocol-version] 11 [-Q query_option] [-R address] [-S ctl_path] [-W host:port]
12 [-R address] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] 12 [-w local_tun[:remote_tun]] [user@]hostname [command]
13 [user@]hostname [command]
14 13
15DESCRIPTION 14DESCRIPTION
16 ssh (SSH client) is a program for logging into a remote machine and for 15 ssh (SSH client) is a program for logging into a remote machine and for
17 executing commands on a remote machine. It is intended to replace rlogin 16 executing commands on a remote machine. It is intended to provide secure
18 and rsh, and provide secure encrypted communications between two 17 encrypted communications between two untrusted hosts over an insecure
19 untrusted hosts over an insecure network. X11 connections, arbitrary TCP 18 network. X11 connections, arbitrary TCP ports and UNIX-domain sockets
20 ports and UNIX-domain sockets can also be forwarded over the secure 19 can also be forwarded over the secure channel.
21 channel.
22 20
23 ssh connects and logs into the specified hostname (with optional user 21 ssh connects and logs into the specified hostname (with optional user
24 name). The user must prove his/her identity to the remote machine using 22 name). The user must prove his/her identity to the remote machine using
25 one of several methods depending on the protocol version used (see 23 one of several methods (see below).
26 below).
27 24
28 If command is specified, it is executed on the remote host instead of a 25 If command is specified, it is executed on the remote host instead of a
29 login shell. 26 login shell.
@@ -144,9 +141,11 @@ DESCRIPTION
144 ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2. 141 ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2.
145 Identity files may also be specified on a per-host basis in the 142 Identity files may also be specified on a per-host basis in the
146 configuration file. It is possible to have multiple -i options 143 configuration file. It is possible to have multiple -i options
147 (and multiple identities specified in configuration files). ssh 144 (and multiple identities specified in configuration files). If
148 will also try to load certificate information from the filename 145 no certificates have been explicitly specified by the
149 obtained by appending -cert.pub to identity filenames. 146 CertificateFile directive, ssh will also try to load certificate
147 information from the filename obtained by appending -cert.pub to
148 identity filenames.
150 149
151 -K Enables GSSAPI-based authentication and forwarding (delegation) 150 -K Enables GSSAPI-based authentication and forwarding (delegation)
152 of GSSAPI credentials to the server. 151 of GSSAPI credentials to the server.
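Review bot: the leading context line (old 144 / new 141) still reads "~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2" while this patch strips the "protocol version 2" qualifier from -m, -N, -W, ~B and ~R; since the hunk already rewrites this paragraph, drop the qualifier here too so the -i text does not imply the default identities are protocol-specific. The added CertificateFile sentence (new 144-148) states only the negative case; say explicitly that when CertificateFile is given the -cert.pub lookup is skipped, so the reader does not have to infer the precedence.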
@@ -190,12 +189,12 @@ DESCRIPTION
190 details. 189 details.
191 190
192 -m mac_spec 191 -m mac_spec
193 Additionally, for protocol version 2 a comma-separated list of 192 A comma-separated list of MAC (message authentication code)
194 MAC (message authentication code) algorithms can be specified in 193 algorithms, specified in order of preference. See the MACs
195 order of preference. See the MACs keyword for more information. 194 keyword for more information.
196 195
197 -N Do not execute a remote command. This is useful for just 196 -N Do not execute a remote command. This is useful for just
198 forwarding ports (protocol version 2 only). 197 forwarding ports.
199 198
200 -n Redirects stdin from /dev/null (actually, prevents reading from 199 -n Redirects stdin from /dev/null (actually, prevents reading from
201 stdin). This must be used when ssh is run in the background. A 200 stdin). This must be used when ssh is run in the background. A
@@ -224,6 +223,7 @@ DESCRIPTION
224 of the options listed below, and their possible values, see 223 of the options listed below, and their possible values, see
225 ssh_config(5). 224 ssh_config(5).
226 225
226 AddKeysToAgent
227 AddressFamily 227 AddressFamily
228 BatchMode 228 BatchMode
229 BindAddress 229 BindAddress
@@ -232,6 +232,7 @@ DESCRIPTION
232 CanonicalizeHostname 232 CanonicalizeHostname
233 CanonicalizeMaxDots 233 CanonicalizeMaxDots
234 CanonicalizePermittedCNAMEs 234 CanonicalizePermittedCNAMEs
235 CertificateFile
235 ChallengeResponseAuthentication 236 ChallengeResponseAuthentication
236 CheckHostIP 237 CheckHostIP
237 Cipher 238 Cipher
@@ -312,13 +313,14 @@ DESCRIPTION
312 Port to connect to on the remote host. This can be specified on 313 Port to connect to on the remote host. This can be specified on
313 a per-host basis in the configuration file. 314 a per-host basis in the configuration file.
314 315
315 -Q cipher | cipher-auth | mac | kex | key | protocol-version 316 -Q query_option
316 Queries ssh for the algorithms supported for the specified 317 Queries ssh for the algorithms supported for the specified
317 version 2. The available features are: cipher (supported 318 version 2. The available features are: cipher (supported
318 symmetric ciphers), cipher-auth (supported symmetric ciphers that 319 symmetric ciphers), cipher-auth (supported symmetric ciphers that
319 support authenticated encryption), mac (supported message 320 support authenticated encryption), mac (supported message
320 integrity codes), kex (key exchange algorithms), key (key types) 321 integrity codes), kex (key exchange algorithms), key (key types),
321 and protocol-version (supported SSH protocol versions). 322 key-cert (certificate key types), key-plain (non-certificate key
323 types), and protocol-version (supported SSH protocol versions).
322 324
323 -q Quiet mode. Causes most warning and diagnostic messages to be 325 -q Quiet mode. Causes most warning and diagnostic messages to be
324 suppressed. 326 suppressed.
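Review bot: the unchanged context line "Queries ssh for the algorithms supported for the specified version 2." (old 317 / new 318) is not a complete sentence, and "version 2" is exactly the qualifier this patch removes elsewhere; since the hunk already rewrites the feature list, fix it here, e.g. "Queries ssh for the algorithms supported for the specified query_option." The new key-cert and key-plain entries (new 322-323) are consistent with the SYNOPSIS change to "-Q query_option" in the first hunk.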
@@ -361,10 +363,9 @@ DESCRIPTION
361 ssh_config(5) for details. 363 ssh_config(5) for details.
362 364
363 -s May be used to request invocation of a subsystem on the remote 365 -s May be used to request invocation of a subsystem on the remote
364 system. Subsystems are a feature of the SSH2 protocol which 366 system. Subsystems facilitate the use of SSH as a secure
365 facilitate the use of SSH as a secure transport for other 367 transport for other applications (e.g. sftp(1)). The subsystem
366 applications (eg. sftp(1)). The subsystem is specified as the 368 is specified as the remote command.
367 remote command.
368 369
369 -T Disable pseudo-terminal allocation. 370 -T Disable pseudo-terminal allocation.
370 371
@@ -383,8 +384,7 @@ DESCRIPTION
383 -W host:port 384 -W host:port
384 Requests that standard input and output on the client be 385 Requests that standard input and output on the client be
385 forwarded to host on port over the secure channel. Implies -N, 386 forwarded to host on port over the secure channel. Implies -N,
386 -T, ExitOnForwardFailure and ClearAllForwardings. Works with 387 -T, ExitOnForwardFailure and ClearAllForwardings.
387 Protocol version 2 only.
388 388
389 -w local_tun[:remote_tun] 389 -w local_tun[:remote_tun]
390 Requests tunnel device forwarding with the specified tun(4) 390 Requests tunnel device forwarding with the specified tun(4)
@@ -427,20 +427,16 @@ DESCRIPTION
427AUTHENTICATION 427AUTHENTICATION
428 The OpenSSH SSH client supports SSH protocols 1 and 2. The default is to 428 The OpenSSH SSH client supports SSH protocols 1 and 2. The default is to
429 use protocol 2 only, though this can be changed via the Protocol option 429 use protocol 2 only, though this can be changed via the Protocol option
430 in ssh_config(5) or the -1 and -2 options (see above). Both protocols 430 in ssh_config(5) or the -1 and -2 options (see above). Protocol 1 should
431 support similar authentication methods, but protocol 2 is the default 431 not be used and is only offered to support legacy devices. It suffers
432 since it provides additional mechanisms for confidentiality (the traffic 432 from a number of cryptographic weaknesses and doesn't support many of the
433 is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and 433 advanced features available for protocol 2.
434 integrity (hmac-md5, hmac-sha1, hmac-sha2-256, hmac-sha2-512, umac-64,
435 umac-128, hmac-ripemd160). Protocol 1 lacks a strong mechanism for
436 ensuring the integrity of the connection.
437 434
438 The methods available for authentication are: GSSAPI-based 435 The methods available for authentication are: GSSAPI-based
439 authentication, host-based authentication, public key authentication, 436 authentication, host-based authentication, public key authentication,
440 challenge-response authentication, and password authentication. 437 challenge-response authentication, and password authentication.
441 Authentication methods are tried in the order specified above, though 438 Authentication methods are tried in the order specified above, though
442 protocol 2 has a configuration option to change the default order: 439 PreferredAuthentications can be used to change the default order.
443 PreferredAuthentications.
444 440
445 Host-based authentication works as follows: If the machine the user logs 441 Host-based authentication works as follows: If the machine the user logs
446 in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote 442 in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote
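Review bot: the replacement at new 430-433 is vaguer than what it deletes; "a number of cryptographic weaknesses" drops the concrete statement from old 435-436 that protocol 1 lacks a strong mechanism for ensuring the integrity of the connection, which is the actionable reason to refuse it. Keep one sentence to that effect after "legacy devices", and write "does not" rather than "doesn't" to match the rest of the page. Note also that old 428 ("supports SSH protocols 1 and 2") and the -1 / -2 reference on 430 are retained, so this new sentence is the only signal that -1 is discouraged.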
@@ -463,10 +459,8 @@ AUTHENTICATION
463 creates a public/private key pair for authentication purposes. The 459 creates a public/private key pair for authentication purposes. The
464 server knows the public key, and only the user knows the private key. 460 server knows the public key, and only the user knows the private key.
465 ssh implements public key authentication protocol automatically, using 461 ssh implements public key authentication protocol automatically, using
466 one of the DSA, ECDSA, Ed25519 or RSA algorithms. Protocol 1 is 462 one of the DSA, ECDSA, Ed25519 or RSA algorithms. The HISTORY section of
467 restricted to using only RSA keys, but protocol 2 may use any. The 463 ssl(8) contains a brief discussion of the DSA and RSA algorithms.
468 HISTORY section of ssl(8) contains a brief discussion of the DSA and RSA
469 algorithms.
470 464
471 The file ~/.ssh/authorized_keys lists the public keys that are permitted 465 The file ~/.ssh/authorized_keys lists the public keys that are permitted
472 for logging in. When the user logs in, the ssh program tells the server 466 for logging in. When the user logs in, the ssh program tells the server
@@ -475,13 +469,12 @@ AUTHENTICATION
475 the corresponding public key is authorized to accept the account. 469 the corresponding public key is authorized to accept the account.
476 470
477 The user creates his/her key pair by running ssh-keygen(1). This stores 471 The user creates his/her key pair by running ssh-keygen(1). This stores
478 the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol 472 the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (DSA),
479 2 DSA), ~/.ssh/id_ecdsa (protocol 2 ECDSA), ~/.ssh/id_ed25519 (protocol 2 473 ~/.ssh/id_ecdsa (ECDSA), ~/.ssh/id_ed25519 (Ed25519), or ~/.ssh/id_rsa
480 Ed25519), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in 474 (RSA) and stores the public key in ~/.ssh/identity.pub (protocol 1),
481 ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA), 475 ~/.ssh/id_dsa.pub (DSA), ~/.ssh/id_ecdsa.pub (ECDSA),
482 ~/.ssh/id_ecdsa.pub (protocol 2 ECDSA), ~/.ssh/id_ed25519.pub (protocol 2 476 ~/.ssh/id_ed25519.pub (Ed25519), or ~/.ssh/id_rsa.pub (RSA) in the user's
483 Ed25519), or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home 477 home directory. The user should then copy the public key to
484 directory. The user should then copy the public key to
485 ~/.ssh/authorized_keys in his/her home directory on the remote machine. 478 ~/.ssh/authorized_keys in his/her home directory on the remote machine.
486 The authorized_keys file corresponds to the conventional ~/.rhosts file, 479 The authorized_keys file corresponds to the conventional ~/.rhosts file,
487 and has one key per line, though the lines can be very long. After this, 480 and has one key per line, though the lines can be very long. After this,
@@ -495,15 +488,13 @@ AUTHENTICATION
495 more information. 488 more information.
496 489
497 The most convenient way to use public key or certificate authentication 490 The most convenient way to use public key or certificate authentication
498 may be with an authentication agent. See ssh-agent(1) for more 491 may be with an authentication agent. See ssh-agent(1) and (optionally)
499 information. 492 the AddKeysToAgent directive in ssh_config(5) for more information.
500 493
501 Challenge-response authentication works as follows: The server sends an 494 Challenge-response authentication works as follows: The server sends an
502 arbitrary "challenge" text, and prompts for a response. Protocol 2 495 arbitrary "challenge" text, and prompts for a response. Examples of
503 allows multiple challenges and responses; protocol 1 is restricted to 496 challenge-response authentication include BSD Authentication (see
504 just one challenge/response. Examples of challenge-response 497 login.conf(5)) and PAM (some non-OpenBSD systems).
505 authentication include BSD Authentication (see login.conf(5)) and PAM
506 (some non-OpenBSD systems).
507 498
508 Finally, if other authentication methods fail, ssh prompts the user for a 499 Finally, if other authentication methods fail, ssh prompts the user for a
509 password. The password is sent to the remote host for checking; however, 500 password. The password is sent to the remote host for checking; however,
@@ -565,8 +556,8 @@ ESCAPE CHARACTERS
565 556
566 ~? Display a list of escape characters. 557 ~? Display a list of escape characters.
567 558
568 ~B Send a BREAK to the remote system (only useful for SSH protocol 559 ~B Send a BREAK to the remote system (only useful if the peer
569 version 2 and if the peer supports it). 560 supports it).
570 561
571 ~C Open command line. Currently this allows the addition of port 562 ~C Open command line. Currently this allows the addition of port
572 forwardings using the -L, -R and -D options (see above). It also 563 forwardings using the -L, -R and -D options (see above). It also
@@ -577,8 +568,8 @@ ESCAPE CHARACTERS
577 PermitLocalCommand option is enabled in ssh_config(5). Basic 568 PermitLocalCommand option is enabled in ssh_config(5). Basic
578 help is available, using the -h option. 569 help is available, using the -h option.
579 570
580 ~R Request rekeying of the connection (only useful for SSH protocol 571 ~R Request rekeying of the connection (only useful if the peer
581 version 2 and if the peer supports it). 572 supports it).
582 573
583 ~V Decrease the verbosity (LogLevel) when errors are being written 574 ~V Decrease the verbosity (LogLevel) when errors are being written
584 to stderr. 575 to stderr.
@@ -892,12 +883,7 @@ FILES
892 /etc/ssh/ssh_host_ed25519_key 883 /etc/ssh/ssh_host_ed25519_key
893 /etc/ssh/ssh_host_rsa_key 884 /etc/ssh/ssh_host_rsa_key
894 These files contain the private parts of the host keys and are 885 These files contain the private parts of the host keys and are
895 used for host-based authentication. If protocol version 1 is 886 used for host-based authentication.
896 used, ssh must be setuid root, since the host key is readable
897 only by root. For protocol version 2, ssh uses ssh-keysign(8) to
898 access the host keys, eliminating the requirement that ssh be
899 setuid root when host-based authentication is used. By default
900 ssh is not setuid root.
901 887
902 /etc/ssh/ssh_known_hosts 888 /etc/ssh/ssh_known_hosts
903 Systemwide list of known host keys. This file should be prepared 889 Systemwide list of known host keys. This file should be prepared
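Review bot: the deletion at old 895-900 removes the only statement that ssh uses ssh-keysign(8) to read the root-only host keys and that ssh is not setuid root by default; new 886 now says just "used for host-based authentication", leaving no explanation of how an unprivileged client can sign with a key readable only by root. Retain the ssh-keysign(8) sentence with the protocol 1 clause dropped, e.g. "ssh uses ssh-keysign(8) to access the host keys, so ssh need not be setuid root when host-based authentication is used. By default ssh is not setuid root."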
@@ -969,4 +955,4 @@ AUTHORS
969 created OpenSSH. Markus Friedl contributed the support for SSH protocol 955 created OpenSSH. Markus Friedl contributed the support for SSH protocol
970 versions 1.5 and 2.0. 956 versions 1.5 and 2.0.
971 957
972OpenBSD 5.8 July 20, 2015 OpenBSD 5.8 958OpenBSD 5.9 February 17, 2016 OpenBSD 5.9