Diffstat (limited to 'ssh.0')
-rw-r--r-- | ssh.0 | 50 |
1 files changed, 31 insertions, 19 deletions
@@ -6,7 +6,7 @@ NAME | |||
6 | SYNOPSIS | 6 | SYNOPSIS |
7 | ssh [-l login_name] hostname | user@hostname [command] | 7 | ssh [-l login_name] hostname | user@hostname [command] |
8 | 8 | ||
9 | ssh [-afgknqstvxACNPTX1246] [-b bind_address] [-c cipher_spec] | 9 | ssh [-afgknqstvxACNTX1246] [-b bind_address] [-c cipher_spec] |
10 | [-e escape_char] [-i identity_file] [-l login_name] [-m mac_spec] | 10 | [-e escape_char] [-i identity_file] [-l login_name] [-m mac_spec] |
11 | [-o option] [-p port] [-F configfile] [-L port:host:hostport] [-R | 11 | [-o option] [-p port] [-F configfile] [-L port:host:hostport] [-R |
12 | port:host:hostport] [-D port] hostname | user@hostname [command] | 12 | port:host:hostport] [-D port] hostname | user@hostname [command] |
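Review bot: the synopsis drops -P from the option bundle, which matches the removal of the -P description later in this patch, but ssh.0 is the preformatted rendering of ssh.1, so the same edit must be present in ssh.1 or the next regeneration of ssh.0 will reintroduce the flag; the diffstat shown here is limited to ssh.0, so that cannot be confirmed from this view.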
@@ -183,9 +183,10 @@ DESCRIPTION | |||
183 | is opened. The real authentication cookie is never sent to the server | 183 | is opened. The real authentication cookie is never sent to the server |
184 | machine (and no cookies are sent in the plain). | 184 | machine (and no cookies are sent in the plain). |
185 | 185 | ||
186 | If the user is using an authentication agent, the connection to the agent | 186 | If the ForwardAgent variable is set to ``yes'' (or, see the description |
187 | is automatically forwarded to the remote side unless disabled on the comM-- | 187 | of the -A and -a options described later) and the user is using an |
188 | mand line or in a configuration file. | 188 | authentication agent, the connection to the agent is automatically forM-- |
189 | warded to the remote side. | ||
189 | 190 | ||
190 | Forwarding of arbitrary TCP/IP connections over the secure channel can be | 191 | Forwarding of arbitrary TCP/IP connections over the secure channel can be |
191 | specified either on the command line or in a configuration file. One | 192 | specified either on the command line or in a configuration file. One |
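Review bot: the new wording at lines 186-189 makes agent forwarding conditional on ForwardAgent being set to ``yes'' but never says what the option defaults to, whereas the old text at least implied the default by saying forwarding happened "unless disabled"; add the default (or a pointer to ForwardAgent in ssh_config(5)) so a reader knows whether a plain ``ssh host'' forwards the agent or not.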
@@ -214,6 +215,14 @@ DESCRIPTION | |||
214 | can also be specified on a per-host basis in a configuration | 215 | can also be specified on a per-host basis in a configuration |
215 | file. | 216 | file. |
216 | 217 | ||
218 | Agent forwarding should be enabled with caution. Users with the | ||
219 | ability to bypass file permissions on the remote host (for the | ||
220 | agent's Unix-domain socket) can access the local agent through | ||
221 | the forwarded connection. An attacker cannot obtain key material | ||
222 | from the agent, however they can perform operations on the keys | ||
223 | that enable them to authenticate using the identities loaded into | ||
224 | the agent. | ||
225 | |||
217 | -b bind_address | 226 | -b bind_address |
218 | Specify the interface to transmit from on machines with multiple | 227 | Specify the interface to transmit from on machines with multiple |
219 | interfaces or aliased addresses. | 228 | interfaces or aliased addresses. |
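Review bot: the sentence at lines 221-224 is a comma splice ("cannot obtain key material from the agent, however they can perform operations"); suggest "from the agent; however, they can perform operations on the keys" or "from the agent, but they can perform operations". The substance is right and worth keeping: root, or anyone who can read the agent socket on the remote host, can sign with every identity loaded in the local agent for as long as the session is up, which is the concrete risk the caution is warning about.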
@@ -298,11 +307,6 @@ DESCRIPTION | |||
298 | Port to connect to on the remote host. This can be specified on | 307 | Port to connect to on the remote host. This can be specified on |
299 | a per-host basis in the configuration file. | 308 | a per-host basis in the configuration file. |
300 | 309 | ||
301 | -P Use a non-privileged port for outgoing connections. This can be | ||
302 | used if a firewall does not permit connections from privileged | ||
303 | ports. Note that this option turns off RhostsAuthentication and | ||
304 | RhostsRSAAuthentication for older servers. | ||
305 | |||
306 | -q Quiet mode. Causes all warning and diagnostic messages to be | 310 | -q Quiet mode. Causes all warning and diagnostic messages to be |
307 | suppressed. | 311 | suppressed. |
308 | 312 | ||
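Review bot: removing the -P description also removes the only place this page mentioned that the option turned off RhostsAuthentication and RhostsRSAAuthentication for older servers; check that no other text on the page (the DESCRIPTION of those authentication methods, or the configuration-file option that governed privileged source ports) still refers to -P, and that the client rejects the flag rather than silently accepting it now that it is undocumented.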
@@ -329,14 +333,20 @@ DESCRIPTION | |||
329 | -X Enables X11 forwarding. This can also be specified on a per-host | 333 | -X Enables X11 forwarding. This can also be specified on a per-host |
330 | basis in a configuration file. | 334 | basis in a configuration file. |
331 | 335 | ||
336 | X11 forwarding should be enabled with caution. Users with the | ||
337 | ability to bypass file permissions on the remote host (for the | ||
338 | user's X authorization database) can access the local X11 display | ||
339 | through the forwarded connection. An attacker may then be able | ||
340 | to perform activities such as keystroke monitoring. | ||
341 | |||
332 | -C Requests compression of all data (including stdin, stdout, | 342 | -C Requests compression of all data (including stdin, stdout, |
333 | stderr, and data for forwarded X11 and TCP/IP connections). The | 343 | stderr, and data for forwarded X11 and TCP/IP connections). The |
334 | compression algorithm is the same used by gzip(1), and the | 344 | compression algorithm is the same used by gzip(1), and the |
335 | ``level'' can be controlled by the CompressionLevel option. ComM-- | 345 | ``level'' can be controlled by the CompressionLevel option for |
336 | pression is desirable on modem lines and other slow connections, | 346 | protocol version 1. Compression is desirable on modem lines and |
337 | but will only slow down things on fast networks. The default | 347 | other slow connections, but will only slow down things on fast |
338 | value can be set on a host-by-host basis in the configuration | 348 | networks. The default value can be set on a host-by-host basis |
339 | files; see the Compression option. | 349 | in the configuration files; see the Compression option. |
340 | 350 | ||
341 | -F configfile | 351 | -F configfile |
342 | Specifies an alternative per-user configuration file. If a conM-- | 352 | Specifies an alternative per-user configuration file. If a conM-- |
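Review bot: the -C change at lines 344-345 now says CompressionLevel applies "for protocol version 1" but leaves the reader guessing what controls compression level for protocol version 2; either state that it is not adjustable there or point at the relevant ssh_config(5) option. The new X11 caution at lines 336-340 parallels the agent-forwarding one and reads well; for symmetry with that paragraph it could also name the ForwardX11 configuration option it is implicitly warning about.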
@@ -428,10 +438,10 @@ ENVIRONMENT | |||
428 | Identifies the path of a unix-domain socket used to communicate | 438 | Identifies the path of a unix-domain socket used to communicate |
429 | with the agent. | 439 | with the agent. |
430 | 440 | ||
431 | SSH_CLIENT | 441 | SSH_CONNECTION |
432 | Identifies the client end of the connection. The variable conM-- | 442 | Identifies the client and server ends of the connection. The |
433 | tains three space-separated values: client ip-address, client | 443 | variable contains four space-separated values: client ip-address, |
434 | port number, and server port number. | 444 | client port number, server ip-address and server port number. |
435 | 445 | ||
436 | SSH_ORIGINAL_COMMAND | 446 | SSH_ORIGINAL_COMMAND |
437 | The variable contains the original command line if a forced comM-- | 447 | The variable contains the original command line if a forced comM-- |
@@ -450,7 +460,9 @@ ENVIRONMENT | |||
450 | USER Set to the name of the user logging in. | 460 | USER Set to the name of the user logging in. |
451 | 461 | ||
452 | Additionally, ssh reads $HOME/.ssh/environment, and adds lines of the | 462 | Additionally, ssh reads $HOME/.ssh/environment, and adds lines of the |
453 | format ``VARNAME=value'' to the environment. | 463 | format ``VARNAME=value'' to the environment if the file exists and if |
464 | users are allowed to change their environment. See the | ||
465 | PermitUserEnvironment option in sshd_config(5). | ||
454 | 466 | ||
455 | FILES | 467 | FILES |
456 | $HOME/.ssh/known_hosts | 468 | $HOME/.ssh/known_hosts |
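Review bot: the new condition at lines 463-465 is the right fix, since $HOME/.ssh/environment lets a user with a forced command or restricted shell inject variables such as LD_PRELOAD into their own session, but the text should state the default of PermitUserEnvironment so a reader of ssh(1) knows whether the file is honoured without opening sshd_config(5).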