diff options
Diffstat (limited to 'ssh.0')
| -rw-r--r-- | ssh.0 | 50 |
1 files changed, 31 insertions, 19 deletions
| @@ -6,7 +6,7 @@ NAME | |||
| 6 | SYNOPSIS | 6 | SYNOPSIS |
| 7 | ssh [-l login_name] hostname | user@hostname [command] | 7 | ssh [-l login_name] hostname | user@hostname [command] |
| 8 | 8 | ||
| 9 | ssh [-afgknqstvxACNPTX1246] [-b bind_address] [-c cipher_spec] | 9 | ssh [-afgknqstvxACNTX1246] [-b bind_address] [-c cipher_spec] |
| 10 | [-e escape_char] [-i identity_file] [-l login_name] [-m mac_spec] | 10 | [-e escape_char] [-i identity_file] [-l login_name] [-m mac_spec] |
| 11 | [-o option] [-p port] [-F configfile] [-L port:host:hostport] [-R | 11 | [-o option] [-p port] [-F configfile] [-L port:host:hostport] [-R |
| 12 | port:host:hostport] [-D port] hostname | user@hostname [command] | 12 | port:host:hostport] [-D port] hostname | user@hostname [command] |
| @@ -183,9 +183,10 @@ DESCRIPTION | |||
| 183 | is opened. The real authentication cookie is never sent to the server | 183 | is opened. The real authentication cookie is never sent to the server |
| 184 | machine (and no cookies are sent in the plain). | 184 | machine (and no cookies are sent in the plain). |
| 185 | 185 | ||
| 186 | If the user is using an authentication agent, the connection to the agent | 186 | If the ForwardAgent variable is set to ``yes'' (or, see the description |
| 187 | is automatically forwarded to the remote side unless disabled on the comM-- | 187 | of the -A and -a options described later) and the user is using an |
| 188 | mand line or in a configuration file. | 188 | authentication agent, the connection to the agent is automatically forM-- |
| 189 | warded to the remote side. | ||
| 189 | 190 | ||
| 190 | Forwarding of arbitrary TCP/IP connections over the secure channel can be | 191 | Forwarding of arbitrary TCP/IP connections over the secure channel can be |
| 191 | specified either on the command line or in a configuration file. One | 192 | specified either on the command line or in a configuration file. One |
| @@ -214,6 +215,14 @@ DESCRIPTION | |||
| 214 | can also be specified on a per-host basis in a configuration | 215 | can also be specified on a per-host basis in a configuration |
| 215 | file. | 216 | file. |
| 216 | 217 | ||
| 218 | Agent forwarding should be enabled with caution. Users with the | ||
| 219 | ability to bypass file permissions on the remote host (for the | ||
| 220 | agent's Unix-domain socket) can access the local agent through | ||
| 221 | the forwarded connection. An attacker cannot obtain key material | ||
| 222 | from the agent, however they can perform operations on the keys | ||
| 223 | that enable them to authenticate using the identities loaded into | ||
| 224 | the agent. | ||
| 225 | |||
| 217 | -b bind_address | 226 | -b bind_address |
| 218 | Specify the interface to transmit from on machines with multiple | 227 | Specify the interface to transmit from on machines with multiple |
| 219 | interfaces or aliased addresses. | 228 | interfaces or aliased addresses. |
| @@ -298,11 +307,6 @@ DESCRIPTION | |||
| 298 | Port to connect to on the remote host. This can be specified on | 307 | Port to connect to on the remote host. This can be specified on |
| 299 | a per-host basis in the configuration file. | 308 | a per-host basis in the configuration file. |
| 300 | 309 | ||
| 301 | -P Use a non-privileged port for outgoing connections. This can be | ||
| 302 | used if a firewall does not permit connections from privileged | ||
| 303 | ports. Note that this option turns off RhostsAuthentication and | ||
| 304 | RhostsRSAAuthentication for older servers. | ||
| 305 | |||
| 306 | -q Quiet mode. Causes all warning and diagnostic messages to be | 310 | -q Quiet mode. Causes all warning and diagnostic messages to be |
| 307 | suppressed. | 311 | suppressed. |
| 308 | 312 | ||
| @@ -329,14 +333,20 @@ DESCRIPTION | |||
| 329 | -X Enables X11 forwarding. This can also be specified on a per-host | 333 | -X Enables X11 forwarding. This can also be specified on a per-host |
| 330 | basis in a configuration file. | 334 | basis in a configuration file. |
| 331 | 335 | ||
| 336 | X11 forwarding should be enabled with caution. Users with the | ||
| 337 | ability to bypass file permissions on the remote host (for the | ||
| 338 | user's X authorization database) can access the local X11 display | ||
| 339 | through the forwarded connection. An attacker may then be able | ||
| 340 | to perform activities such as keystroke monitoring. | ||
| 341 | |||
| 332 | -C Requests compression of all data (including stdin, stdout, | 342 | -C Requests compression of all data (including stdin, stdout, |
| 333 | stderr, and data for forwarded X11 and TCP/IP connections). The | 343 | stderr, and data for forwarded X11 and TCP/IP connections). The |
| 334 | compression algorithm is the same used by gzip(1), and the | 344 | compression algorithm is the same used by gzip(1), and the |
| 335 | ``level'' can be controlled by the CompressionLevel option. ComM-- | 345 | ``level'' can be controlled by the CompressionLevel option for |
| 336 | pression is desirable on modem lines and other slow connections, | 346 | protocol version 1. Compression is desirable on modem lines and |
| 337 | but will only slow down things on fast networks. The default | 347 | other slow connections, but will only slow down things on fast |
| 338 | value can be set on a host-by-host basis in the configuration | 348 | networks. The default value can be set on a host-by-host basis |
| 339 | files; see the Compression option. | 349 | in the configuration files; see the Compression option. |
| 340 | 350 | ||
| 341 | -F configfile | 351 | -F configfile |
| 342 | Specifies an alternative per-user configuration file. If a conM-- | 352 | Specifies an alternative per-user configuration file. If a conM-- |
| @@ -428,10 +438,10 @@ ENVIRONMENT | |||
| 428 | Identifies the path of a unix-domain socket used to communicate | 438 | Identifies the path of a unix-domain socket used to communicate |
| 429 | with the agent. | 439 | with the agent. |
| 430 | 440 | ||
| 431 | SSH_CLIENT | 441 | SSH_CONNECTION |
| 432 | Identifies the client end of the connection. The variable conM-- | 442 | Identifies the client and server ends of the connection. The |
| 433 | tains three space-separated values: client ip-address, client | 443 | variable contains four space-separated values: client ip-address, |
| 434 | port number, and server port number. | 444 | client port number, server ip-address and server port number. |
| 435 | 445 | ||
| 436 | SSH_ORIGINAL_COMMAND | 446 | SSH_ORIGINAL_COMMAND |
| 437 | The variable contains the original command line if a forced comM-- | 447 | The variable contains the original command line if a forced comM-- |
| @@ -450,7 +460,9 @@ ENVIRONMENT | |||
| 450 | USER Set to the name of the user logging in. | 460 | USER Set to the name of the user logging in. |
| 451 | 461 | ||
| 452 | Additionally, ssh reads $HOME/.ssh/environment, and adds lines of the | 462 | Additionally, ssh reads $HOME/.ssh/environment, and adds lines of the |
| 453 | format ``VARNAME=value'' to the environment. | 463 | format ``VARNAME=value'' to the environment if the file exists and if |
| 464 | users are allowed to change their environment. See the | ||
| 465 | PermitUserEnvironment option in sshd_config(5). | ||
| 454 | 466 | ||
| 455 | FILES | 467 | FILES |
| 456 | $HOME/.ssh/known_hosts | 468 | $HOME/.ssh/known_hosts |