diff options
Diffstat (limited to 'ssh.0')
-rw-r--r-- | ssh.0 | 171 |
1 files changed, 88 insertions, 83 deletions
@@ -1,4 +1,4 @@ | |||
1 | SSH(1) BSD General Commands Manual SSH(1) | 1 | SSH(1) OpenBSD Reference Manual SSH(1) |
2 | 2 | ||
3 | NAME | 3 | NAME |
4 | ssh - OpenSSH SSH client (remote login program) | 4 | ssh - OpenSSH SSH client (remote login program) |
@@ -14,19 +14,20 @@ SYNOPSIS | |||
14 | DESCRIPTION | 14 | DESCRIPTION |
15 | ssh (SSH client) is a program for logging into a remote machine and for | 15 | ssh (SSH client) is a program for logging into a remote machine and for |
16 | executing commands on a remote machine. It is intended to replace rlogin | 16 | executing commands on a remote machine. It is intended to replace rlogin |
17 | and rsh, and provide secure encrypted communications between two | 17 | and rsh, and provide secure encrypted communications between two untrust- |
18 | untrusted hosts over an insecure network. X11 connections and arbitrary | 18 | ed hosts over an insecure network. X11 connections and arbitrary TCP/IP |
19 | TCP/IP ports can also be forwarded over the secure channel. | 19 | ports can also be forwarded over the secure channel. |
20 | 20 | ||
21 | ssh connects and logs into the specified hostname. The user must prove | 21 | ssh connects and logs into the specified hostname. The user must prove |
22 | his/her identity to the remote machine using one of several methods | 22 | his/her identity to the remote machine using one of several methods de- |
23 | depending on the protocol version used: | 23 | pending on the protocol version used: |
24 | 24 | ||
25 | SSH protocol version 1 | 25 | SSH protocol version 1 |
26 | |||
26 | First, if the machine the user logs in from is listed in /etc/hosts.equiv | 27 | First, if the machine the user logs in from is listed in /etc/hosts.equiv |
27 | or /etc/shosts.equiv on the remote machine, and the user names are the | 28 | or /etc/shosts.equiv on the remote machine, and the user names are the |
28 | same on both sides, the user is immediately permitted to log in. Second, | 29 | same on both sides, the user is immediately permitted to log in. Second, |
29 | if .rhosts or .shosts exists in the userM-bM-^@M-^Ys home directory on the remote | 30 | if .rhosts or .shosts exists in the user's home directory on the remote |
30 | machine and contains a line containing the name of the client machine and | 31 | machine and contains a line containing the name of the client machine and |
31 | the name of the user on that machine, the user is permitted to log in. | 32 | the name of the user on that machine, the user is permitted to log in. |
32 | This form of authentication alone is normally not allowed by the server | 33 | This form of authentication alone is normally not allowed by the server |
@@ -35,7 +36,7 @@ DESCRIPTION | |||
35 | The second authentication method is the rhosts or hosts.equiv method com- | 36 | The second authentication method is the rhosts or hosts.equiv method com- |
36 | bined with RSA-based host authentication. It means that if the login | 37 | bined with RSA-based host authentication. It means that if the login |
37 | would be permitted by $HOME/.rhosts, $HOME/.shosts, /etc/hosts.equiv, or | 38 | would be permitted by $HOME/.rhosts, $HOME/.shosts, /etc/hosts.equiv, or |
38 | /etc/shosts.equiv, and if additionally the server can verify the clientM-bM-^@M-^Ys | 39 | /etc/shosts.equiv, and if additionally the server can verify the client's |
39 | host key (see /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts in the | 40 | host key (see /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts in the |
40 | FILES section), only then login is permitted. This authentication method | 41 | FILES section), only then login is permitted. This authentication method |
41 | closes security holes due to IP spoofing, DNS spoofing and routing spoof- | 42 | closes security holes due to IP spoofing, DNS spoofing and routing spoof- |
@@ -55,15 +56,15 @@ DESCRIPTION | |||
55 | which key pair it would like to use for authentication. The server | 56 | which key pair it would like to use for authentication. The server |
56 | checks if this key is permitted, and if so, sends the user (actually the | 57 | checks if this key is permitted, and if so, sends the user (actually the |
57 | ssh program running on behalf of the user) a challenge, a random number, | 58 | ssh program running on behalf of the user) a challenge, a random number, |
58 | encrypted by the userM-bM-^@M-^Ys public key. The challenge can only be decrypted | 59 | encrypted by the user's public key. The challenge can only be decrypted |
59 | using the proper private key. The userM-bM-^@M-^Ys client then decrypts the chal- | 60 | using the proper private key. The user's client then decrypts the chal- |
60 | lenge using the private key, proving that he/she knows the private key | 61 | lenge using the private key, proving that he/she knows the private key |
61 | but without disclosing it to the server. | 62 | but without disclosing it to the server. |
62 | 63 | ||
63 | ssh implements the RSA authentication protocol automatically. The user | 64 | ssh implements the RSA authentication protocol automatically. The user |
64 | creates his/her RSA key pair by running ssh-keygen(1). This stores the | 65 | creates his/her RSA key pair by running ssh-keygen(1). This stores the |
65 | private key in $HOME/.ssh/identity and the public key in | 66 | private key in $HOME/.ssh/identity and the public key in |
66 | $HOME/.ssh/identity.pub in the userM-bM-^@M-^Ys home directory. The user should | 67 | $HOME/.ssh/identity.pub in the user's home directory. The user should |
67 | then copy the identity.pub to $HOME/.ssh/authorized_keys in his/her home | 68 | then copy the identity.pub to $HOME/.ssh/authorized_keys in his/her home |
68 | directory on the remote machine (the authorized_keys file corresponds to | 69 | directory on the remote machine (the authorized_keys file corresponds to |
69 | the conventional $HOME/.rhosts file, and has one key per line, though the | 70 | the conventional $HOME/.rhosts file, and has one key per line, though the |
@@ -80,6 +81,7 @@ DESCRIPTION | |||
80 | someone listening on the network. | 81 | someone listening on the network. |
81 | 82 | ||
82 | SSH protocol version 2 | 83 | SSH protocol version 2 |
84 | |||
83 | When a user connects using protocol version 2 similar authentication | 85 | When a user connects using protocol version 2 similar authentication |
84 | methods are available. Using the default values for | 86 | methods are available. Using the default values for |
85 | PreferredAuthentications, the client will try to authenticate first using | 87 | PreferredAuthentications, the client will try to authenticate first using |
@@ -94,11 +96,11 @@ DESCRIPTION | |||
94 | server checks whether the matching public key is listed in | 96 | server checks whether the matching public key is listed in |
95 | $HOME/.ssh/authorized_keys and grants access if both the key is found and | 97 | $HOME/.ssh/authorized_keys and grants access if both the key is found and |
96 | the signature is correct. The session identifier is derived from a | 98 | the signature is correct. The session identifier is derived from a |
97 | shared Diffie-Hellman value and is only known to the client and the | 99 | shared Diffie-Hellman value and is only known to the client and the serv- |
98 | server. | 100 | er. |
99 | 101 | ||
100 | If public key authentication fails or is not available a password can be | 102 | If public key authentication fails or is not available a password can be |
101 | sent encrypted to the remote host for proving the userM-bM-^@M-^Ys identity. | 103 | sent encrypted to the remote host for proving the user's identity. |
102 | 104 | ||
103 | Additionally, ssh supports hostbased or challenge response authentica- | 105 | Additionally, ssh supports hostbased or challenge response authentica- |
104 | tion. | 106 | tion. |
@@ -109,8 +111,9 @@ DESCRIPTION | |||
109 | ensuring the integrity of the connection. | 111 | ensuring the integrity of the connection. |
110 | 112 | ||
111 | Login session and remote execution | 113 | Login session and remote execution |
112 | When the userM-bM-^@M-^Ys identity has been accepted by the server, the server | 114 | |
113 | either executes the given command, or logs into the machine and gives the | 115 | When the user's identity has been accepted by the server, the server ei- |
116 | ther executes the given command, or logs into the machine and gives the | ||
114 | user a normal shell on the remote machine. All communication with the | 117 | user a normal shell on the remote machine. All communication with the |
115 | remote command or shell will be automatically encrypted. | 118 | remote command or shell will be automatically encrypted. |
116 | 119 | ||
@@ -119,14 +122,15 @@ DESCRIPTION | |||
119 | 122 | ||
120 | If no pseudo tty has been allocated, the session is transparent and can | 123 | If no pseudo tty has been allocated, the session is transparent and can |
121 | be used to reliably transfer binary data. On most systems, setting the | 124 | be used to reliably transfer binary data. On most systems, setting the |
122 | escape character to M-bM-^@M-^\noneM-bM-^@M-^] will also make the session transparent even if | 125 | escape character to ``none'' will also make the session transparent even |
123 | a tty is used. | 126 | if a tty is used. |
124 | 127 | ||
125 | The session terminates when the command or shell on the remote machine | 128 | The session terminates when the command or shell on the remote machine |
126 | exits and all X11 and TCP/IP connections have been closed. The exit sta- | 129 | exits and all X11 and TCP/IP connections have been closed. The exit sta- |
127 | tus of the remote program is returned as the exit status of ssh. | 130 | tus of the remote program is returned as the exit status of ssh. |
128 | 131 | ||
129 | Escape Characters | 132 | Escape Characters |
133 | |||
130 | When a pseudo terminal has been requested, ssh supports a number of func- | 134 | When a pseudo terminal has been requested, ssh supports a number of func- |
131 | tions through the use of an escape character. | 135 | tions through the use of an escape character. |
132 | 136 | ||
@@ -136,7 +140,7 @@ DESCRIPTION | |||
136 | ter can be changed in configuration files using the EscapeChar configura- | 140 | ter can be changed in configuration files using the EscapeChar configura- |
137 | tion directive or on the command line by the -e option. | 141 | tion directive or on the command line by the -e option. |
138 | 142 | ||
139 | The supported escapes (assuming the default M-bM-^@M-^X~M-bM-^@M-^Y) are: | 143 | The supported escapes (assuming the default `~') are: |
140 | 144 | ||
141 | ~. Disconnect | 145 | ~. Disconnect |
142 | 146 | ||
@@ -159,19 +163,20 @@ DESCRIPTION | |||
159 | version 2 and if the peer supports it) | 163 | version 2 and if the peer supports it) |
160 | 164 | ||
161 | X11 and TCP forwarding | 165 | X11 and TCP forwarding |
162 | If the ForwardX11 variable is set to M-bM-^@M-^\yesM-bM-^@M-^] (or, see the description of | 166 | |
167 | If the ForwardX11 variable is set to ``yes'' (or, see the description of | ||
163 | the -X and -x options described later) and the user is using X11 (the | 168 | the -X and -x options described later) and the user is using X11 (the |
164 | DISPLAY environment variable is set), the connection to the X11 display | 169 | DISPLAY environment variable is set), the connection to the X11 display |
165 | is automatically forwarded to the remote side in such a way that any X11 | 170 | is automatically forwarded to the remote side in such a way that any X11 |
166 | programs started from the shell (or command) will go through the | 171 | programs started from the shell (or command) will go through the encrypt- |
167 | encrypted channel, and the connection to the real X server will be made | 172 | ed channel, and the connection to the real X server will be made from the |
168 | from the local machine. The user should not manually set DISPLAY. For- | 173 | local machine. The user should not manually set DISPLAY. Forwarding of |
169 | warding of X11 connections can be configured on the command line or in | 174 | X11 connections can be configured on the command line or in configuration |
170 | configuration files. | 175 | files. |
171 | 176 | ||
172 | The DISPLAY value set by ssh will point to the server machine, but with a | 177 | The DISPLAY value set by ssh will point to the server machine, but with a |
173 | display number greater than zero. This is normal, and happens because | 178 | display number greater than zero. This is normal, and happens because |
174 | ssh creates a M-bM-^@M-^\proxyM-bM-^@M-^] X server on the server machine for forwarding the | 179 | ssh creates a ``proxy'' X server on the server machine for forwarding the |
175 | connections over the encrypted channel. | 180 | connections over the encrypted channel. |
176 | 181 | ||
177 | ssh will also automatically set up Xauthority data on the server machine. | 182 | ssh will also automatically set up Xauthority data on the server machine. |
@@ -181,10 +186,10 @@ DESCRIPTION | |||
181 | is opened. The real authentication cookie is never sent to the server | 186 | is opened. The real authentication cookie is never sent to the server |
182 | machine (and no cookies are sent in the plain). | 187 | machine (and no cookies are sent in the plain). |
183 | 188 | ||
184 | If the ForwardAgent variable is set to M-bM-^@M-^\yesM-bM-^@M-^] (or, see the description of | 189 | If the ForwardAgent variable is set to ``yes'' (or, see the description |
185 | the -A and -a options described later) and the user is using an authenti- | 190 | of the -A and -a options described later) and the user is using an au- |
186 | cation agent, the connection to the agent is automatically forwarded to | 191 | thentication agent, the connection to the agent is automatically forward- |
187 | the remote side. | 192 | ed to the remote side. |
188 | 193 | ||
189 | Forwarding of arbitrary TCP/IP connections over the secure channel can be | 194 | Forwarding of arbitrary TCP/IP connections over the secure channel can be |
190 | specified either on the command line or in a configuration file. One | 195 | specified either on the command line or in a configuration file. One |
@@ -192,13 +197,14 @@ DESCRIPTION | |||
192 | electronic purse; another is going through firewalls. | 197 | electronic purse; another is going through firewalls. |
193 | 198 | ||
194 | Server authentication | 199 | Server authentication |
200 | |||
195 | ssh automatically maintains and checks a database containing identifica- | 201 | ssh automatically maintains and checks a database containing identifica- |
196 | tions for all hosts it has ever been used with. Host keys are stored in | 202 | tions for all hosts it has ever been used with. Host keys are stored in |
197 | $HOME/.ssh/known_hosts in the userM-bM-^@M-^Ys home directory. Additionally, the | 203 | $HOME/.ssh/known_hosts in the user's home directory. Additionally, the |
198 | file /etc/ssh/ssh_known_hosts is automatically checked for known hosts. | 204 | file /etc/ssh/ssh_known_hosts is automatically checked for known hosts. |
199 | Any new hosts are automatically added to the userM-bM-^@M-^Ys file. If a hostM-bM-^@M-^Ys | 205 | Any new hosts are automatically added to the user's file. If a host's |
200 | identification ever changes, ssh warns about this and disables password | 206 | identification ever changes, ssh warns about this and disables password |
201 | authentication to prevent a trojan horse from getting the userM-bM-^@M-^Ys pass- | 207 | authentication to prevent a trojan horse from getting the user's pass- |
202 | word. Another purpose of this mechanism is to prevent man-in-the-middle | 208 | word. Another purpose of this mechanism is to prevent man-in-the-middle |
203 | attacks which could otherwise be used to circumvent the encryption. The | 209 | attacks which could otherwise be used to circumvent the encryption. The |
204 | StrictHostKeyChecking option can be used to prevent logins to machines | 210 | StrictHostKeyChecking option can be used to prevent logins to machines |
@@ -214,7 +220,7 @@ DESCRIPTION | |||
214 | 220 | ||
215 | Agent forwarding should be enabled with caution. Users with the | 221 | Agent forwarding should be enabled with caution. Users with the |
216 | ability to bypass file permissions on the remote host (for the | 222 | ability to bypass file permissions on the remote host (for the |
217 | agentM-bM-^@M-^Ys Unix-domain socket) can access the local agent through | 223 | agent's Unix-domain socket) can access the local agent through |
218 | the forwarded connection. An attacker cannot obtain key material | 224 | the forwarded connection. An attacker cannot obtain key material |
219 | from the agent, however they can perform operations on the keys | 225 | from the agent, however they can perform operations on the keys |
220 | that enable them to authenticate using the identities loaded into | 226 | that enable them to authenticate using the identities loaded into |
@@ -240,19 +246,19 @@ DESCRIPTION | |||
240 | more information. | 246 | more information. |
241 | 247 | ||
242 | -e ch|^ch|none | 248 | -e ch|^ch|none |
243 | Sets the escape character for sessions with a pty (default: M-bM-^@M-^X~M-bM-^@M-^Y). | 249 | Sets the escape character for sessions with a pty (default: `~'). |
244 | The escape character is only recognized at the beginning of a | 250 | The escape character is only recognized at the beginning of a |
245 | line. The escape character followed by a dot (M-bM-^@M-^X.M-bM-^@M-^Y) closes the | 251 | line. The escape character followed by a dot (`.') closes the |
246 | connection, followed by control-Z suspends the connection, and | 252 | connection, followed by control-Z suspends the connection, and |
247 | followed by itself sends the escape character once. Setting the | 253 | followed by itself sends the escape character once. Setting the |
248 | character to M-bM-^@M-^\noneM-bM-^@M-^] disables any escapes and makes the session | 254 | character to ``none'' disables any escapes and makes the session |
249 | fully transparent. | 255 | fully transparent. |
250 | 256 | ||
251 | -f Requests ssh to go to background just before command execution. | 257 | -f Requests ssh to go to background just before command execution. |
252 | This is useful if ssh is going to ask for passwords or | 258 | This is useful if ssh is going to ask for passwords or passphras- |
253 | passphrases, but the user wants it in the background. This | 259 | es, but the user wants it in the background. This implies -n. |
254 | implies -n. The recommended way to start X11 programs at a | 260 | The recommended way to start X11 programs at a remote site is |
255 | remote site is with something like ssh -f host xterm. | 261 | with something like ssh -f host xterm. |
256 | 262 | ||
257 | -g Allows remote hosts to connect to local forwarded ports. | 263 | -g Allows remote hosts to connect to local forwarded ports. |
258 | 264 | ||
@@ -260,15 +266,15 @@ DESCRIPTION | |||
260 | Selects a file from which the identity (private key) for RSA or | 266 | Selects a file from which the identity (private key) for RSA or |
261 | DSA authentication is read. The default is $HOME/.ssh/identity | 267 | DSA authentication is read. The default is $HOME/.ssh/identity |
262 | for protocol version 1, and $HOME/.ssh/id_rsa and | 268 | for protocol version 1, and $HOME/.ssh/id_rsa and |
263 | $HOME/.ssh/id_dsa for protocol version 2. Identity files may | 269 | $HOME/.ssh/id_dsa for protocol version 2. Identity files may al- |
264 | also be specified on a per-host basis in the configuration file. | 270 | so be specified on a per-host basis in the configuration file. |
265 | It is possible to have multiple -i options (and multiple identi- | 271 | It is possible to have multiple -i options (and multiple identi- |
266 | ties specified in configuration files). | 272 | ties specified in configuration files). |
267 | 273 | ||
268 | -I smartcard_device | 274 | -I smartcard_device |
269 | Specifies which smartcard device to use. The argument is the | 275 | Specifies which smartcard device to use. The argument is the de- |
270 | device ssh should use to communicate with a smartcard used for | 276 | vice ssh should use to communicate with a smartcard used for |
271 | storing the userM-bM-^@M-^Ys private RSA key. | 277 | storing the user's private RSA key. |
272 | 278 | ||
273 | -k Disables forwarding of Kerberos tickets. This may also be speci- | 279 | -k Disables forwarding of Kerberos tickets. This may also be speci- |
274 | fied on a per-host basis in the configuration file. | 280 | fied on a per-host basis in the configuration file. |
@@ -284,13 +290,12 @@ DESCRIPTION | |||
284 | 290 | ||
285 | -n Redirects stdin from /dev/null (actually, prevents reading from | 291 | -n Redirects stdin from /dev/null (actually, prevents reading from |
286 | stdin). This must be used when ssh is run in the background. A | 292 | stdin). This must be used when ssh is run in the background. A |
287 | common trick is to use this to run X11 programs on a remote | 293 | common trick is to use this to run X11 programs on a remote ma- |
288 | machine. For example, ssh -n shadows.cs.hut.fi emacs & will | 294 | chine. For example, ssh -n shadows.cs.hut.fi emacs & will start |
289 | start an emacs on shadows.cs.hut.fi, and the X11 connection will | 295 | an emacs on shadows.cs.hut.fi, and the X11 connection will be au- |
290 | be automatically forwarded over an encrypted channel. The ssh | 296 | tomatically forwarded over an encrypted channel. The ssh program |
291 | program will be put in the background. (This does not work if | 297 | will be put in the background. (This does not work if ssh needs |
292 | ssh needs to ask for a password or passphrase; see also the -f | 298 | to ask for a password or passphrase; see also the -f option.) |
293 | option.) | ||
294 | 299 | ||
295 | -N Do not execute a remote command. This is useful for just for- | 300 | -N Do not execute a remote command. This is useful for just for- |
296 | warding ports (protocol version 2 only). | 301 | warding ports (protocol version 2 only). |
@@ -308,10 +313,10 @@ DESCRIPTION | |||
308 | suppressed. | 313 | suppressed. |
309 | 314 | ||
310 | -s May be used to request invocation of a subsystem on the remote | 315 | -s May be used to request invocation of a subsystem on the remote |
311 | system. Subsystems are a feature of the SSH2 protocol which | 316 | system. Subsystems are a feature of the SSH2 protocol which fa- |
312 | facilitate the use of SSH as a secure transport for other appli- | 317 | cilitate the use of SSH as a secure transport for other applica- |
313 | cations (eg. sftp). The subsystem is specified as the remote | 318 | tions (eg. sftp). The subsystem is specified as the remote com- |
314 | command. | 319 | mand. |
315 | 320 | ||
316 | -t Force pseudo-tty allocation. This can be used to execute arbi- | 321 | -t Force pseudo-tty allocation. This can be used to execute arbi- |
317 | trary screen-based programs on a remote machine, which can be | 322 | trary screen-based programs on a remote machine, which can be |
@@ -334,15 +339,15 @@ DESCRIPTION | |||
334 | 339 | ||
335 | X11 forwarding should be enabled with caution. Users with the | 340 | X11 forwarding should be enabled with caution. Users with the |
336 | ability to bypass file permissions on the remote host (for the | 341 | ability to bypass file permissions on the remote host (for the |
337 | userM-bM-^@M-^Ys X authorization database) can access the local X11 display | 342 | user's X authorization database) can access the local X11 display |
338 | through the forwarded connection. An attacker may then be able | 343 | through the forwarded connection. An attacker may then be able |
339 | to perform activities such as keystroke monitoring. | 344 | to perform activities such as keystroke monitoring. |
340 | 345 | ||
341 | -C Requests compression of all data (including stdin, stdout, | 346 | -C Requests compression of all data (including stdin, stdout, |
342 | stderr, and data for forwarded X11 and TCP/IP connections). The | 347 | stderr, and data for forwarded X11 and TCP/IP connections). The |
343 | compression algorithm is the same used by gzip(1), and the | 348 | compression algorithm is the same used by gzip(1), and the |
344 | M-bM-^@M-^\levelM-bM-^@M-^] can be controlled by the CompressionLevel option for pro- | 349 | ``level'' can be controlled by the CompressionLevel option for |
345 | tocol version 1. Compression is desirable on modem lines and | 350 | protocol version 1. Compression is desirable on modem lines and |
346 | other slow connections, but will only slow down things on fast | 351 | other slow connections, but will only slow down things on fast |
347 | networks. The default value can be set on a host-by-host basis | 352 | networks. The default value can be set on a host-by-host basis |
348 | in the configuration files; see the Compression option. | 353 | in the configuration files; see the Compression option. |
@@ -377,7 +382,7 @@ DESCRIPTION | |||
377 | syntax: port/host/hostport | 382 | syntax: port/host/hostport |
378 | 383 | ||
379 | -D port | 384 | -D port |
380 | Specifies a local M-bM-^@M-^\dynamicM-bM-^@M-^] application-level port forwarding. | 385 | Specifies a local ``dynamic'' application-level port forwarding. |
381 | This works by allocating a socket to listen to port on the local | 386 | This works by allocating a socket to listen to port on the local |
382 | side, and whenever a connection is made to this port, the connec- | 387 | side, and whenever a connection is made to this port, the connec- |
383 | tion is forwarded over the secure channel, and the application | 388 | tion is forwarded over the secure channel, and the application |
@@ -406,20 +411,20 @@ ENVIRONMENT | |||
406 | DISPLAY | 411 | DISPLAY |
407 | The DISPLAY variable indicates the location of the X11 server. | 412 | The DISPLAY variable indicates the location of the X11 server. |
408 | It is automatically set by ssh to point to a value of the form | 413 | It is automatically set by ssh to point to a value of the form |
409 | M-bM-^@M-^\hostname:nM-bM-^@M-^] where hostname indicates the host where the shell | 414 | ``hostname:n'' where hostname indicates the host where the shell |
410 | runs, and n is an integer >= 1. ssh uses this special value to | 415 | runs, and n is an integer >= 1. ssh uses this special value to |
411 | forward X11 connections over the secure channel. The user should | 416 | forward X11 connections over the secure channel. The user should |
412 | normally not set DISPLAY explicitly, as that will render the X11 | 417 | normally not set DISPLAY explicitly, as that will render the X11 |
413 | connection insecure (and will require the user to manually copy | 418 | connection insecure (and will require the user to manually copy |
414 | any required authorization cookies). | 419 | any required authorization cookies). |
415 | 420 | ||
416 | HOME Set to the path of the userM-bM-^@M-^Ys home directory. | 421 | HOME Set to the path of the user's home directory. |
417 | 422 | ||
418 | LOGNAME | 423 | LOGNAME |
419 | Synonym for USER; set for compatibility with systems that use | 424 | Synonym for USER; set for compatibility with systems that use |
420 | this variable. | 425 | this variable. |
421 | 426 | ||
422 | MAIL Set to the path of the userM-bM-^@M-^Ys mailbox. | 427 | MAIL Set to the path of the user's mailbox. |
423 | 428 | ||
424 | PATH Set to the default PATH, as specified when compiling ssh. | 429 | PATH Set to the default PATH, as specified when compiling ssh. |
425 | 430 | ||
@@ -448,9 +453,9 @@ ENVIRONMENT | |||
448 | ments. | 453 | ments. |
449 | 454 | ||
450 | SSH_TTY | 455 | SSH_TTY |
451 | This is set to the name of the tty (path to the device) associ- | 456 | This is set to the name of the tty (path to the device) associat- |
452 | ated with the current shell or command. If the current session | 457 | ed with the current shell or command. If the current session has |
453 | has no tty, this variable is not set. | 458 | no tty, this variable is not set. |
454 | 459 | ||
455 | TZ The timezone variable is set to indicate the present timezone if | 460 | TZ The timezone variable is set to indicate the present timezone if |
456 | it was set when the daemon was started (i.e., the daemon passes | 461 | it was set when the daemon was started (i.e., the daemon passes |
@@ -459,9 +464,9 @@ ENVIRONMENT | |||
459 | USER Set to the name of the user logging in. | 464 | USER Set to the name of the user logging in. |
460 | 465 | ||
461 | Additionally, ssh reads $HOME/.ssh/environment, and adds lines of the | 466 | Additionally, ssh reads $HOME/.ssh/environment, and adds lines of the |
462 | format M-bM-^@M-^\VARNAME=valueM-bM-^@M-^] to the environment if the file exists and if users | 467 | format ``VARNAME=value'' to the environment if the file exists and if |
463 | are allowed to change their environment. See the PermitUserEnvironment | 468 | users are allowed to change their environment. See the |
464 | option in sshd_config(5). | 469 | PermitUserEnvironment option in sshd_config(5). |
465 | 470 | ||
466 | FILES | 471 | FILES |
467 | $HOME/.ssh/known_hosts | 472 | $HOME/.ssh/known_hosts |
@@ -519,8 +524,8 @@ FILES | |||
519 | by sshd(8) to verify the client host when logging in; other names | 524 | by sshd(8) to verify the client host when logging in; other names |
520 | are needed because ssh does not convert the user-supplied name to | 525 | are needed because ssh does not convert the user-supplied name to |
521 | a canonical name before checking the key, because someone with | 526 | a canonical name before checking the key, because someone with |
522 | access to the name servers would then be able to fool host | 527 | access to the name servers would then be able to fool host au- |
523 | authentication. | 528 | thentication. |
524 | 529 | ||
525 | /etc/ssh/ssh_config | 530 | /etc/ssh/ssh_config |
526 | Systemwide configuration file. The file format and configuration | 531 | Systemwide configuration file. The file format and configuration |
@@ -544,16 +549,16 @@ FILES | |||
544 | Each line of the file contains a host name (in the canonical form | 549 | Each line of the file contains a host name (in the canonical form |
545 | returned by name servers), and then a user name on that host, | 550 | returned by name servers), and then a user name on that host, |
546 | separated by a space. On some machines this file may need to be | 551 | separated by a space. On some machines this file may need to be |
547 | world-readable if the userM-bM-^@M-^Ys home directory is on a NFS parti- | 552 | world-readable if the user's home directory is on a NFS parti- |
548 | tion, because sshd(8) reads it as root. Additionally, this file | 553 | tion, because sshd(8) reads it as root. Additionally, this file |
549 | must be owned by the user, and must not have write permissions | 554 | must be owned by the user, and must not have write permissions |
550 | for anyone else. The recommended permission for most machines is | 555 | for anyone else. The recommended permission for most machines is |
551 | read/write for the user, and not accessible by others. | 556 | read/write for the user, and not accessible by others. |
552 | 557 | ||
553 | Note that by default sshd(8) will be installed so that it | 558 | Note that by default sshd(8) will be installed so that it re- |
554 | requires successful RSA host authentication before permitting | 559 | quires successful RSA host authentication before permitting |
555 | .rhosts authentication. If the server machine does not have the | 560 | .rhosts authentication. If the server machine does not have the |
556 | clientM-bM-^@M-^Ys host key in /etc/ssh/ssh_known_hosts, it can be stored | 561 | client's host key in /etc/ssh/ssh_known_hosts, it can be stored |
557 | in $HOME/.ssh/known_hosts. The easiest way to do this is to con- | 562 | in $HOME/.ssh/known_hosts. The easiest way to do this is to con- |
558 | nect back to the client from the server machine using ssh; this | 563 | nect back to the client from the server machine using ssh; this |
559 | will automatically add the host key to $HOME/.ssh/known_hosts. | 564 | will automatically add the host key to $HOME/.ssh/known_hosts. |
@@ -568,8 +573,8 @@ FILES | |||
568 | canonical hosts names, one per line (the full format is described | 573 | canonical hosts names, one per line (the full format is described |
569 | on the sshd(8) manual page). If the client host is found in this | 574 | on the sshd(8) manual page). If the client host is found in this |
570 | file, login is automatically permitted provided client and server | 575 | file, login is automatically permitted provided client and server |
571 | user names are the same. Additionally, successful RSA host | 576 | user names are the same. Additionally, successful RSA host au- |
572 | authentication is normally required. This file should only be | 577 | thentication is normally required. This file should only be |
573 | writable by root. | 578 | writable by root. |
574 | 579 | ||
575 | /etc/shosts.equiv | 580 | /etc/shosts.equiv |
@@ -579,12 +584,12 @@ FILES | |||
579 | 584 | ||
580 | /etc/ssh/sshrc | 585 | /etc/ssh/sshrc |
581 | Commands in this file are executed by ssh when the user logs in | 586 | Commands in this file are executed by ssh when the user logs in |
582 | just before the userM-bM-^@M-^Ys shell (or command) is started. See the | 587 | just before the user's shell (or command) is started. See the |
583 | sshd(8) manual page for more information. | 588 | sshd(8) manual page for more information. |
584 | 589 | ||
585 | $HOME/.ssh/rc | 590 | $HOME/.ssh/rc |
586 | Commands in this file are executed by ssh when the user logs in | 591 | Commands in this file are executed by ssh when the user logs in |
587 | just before the userM-bM-^@M-^Ys shell (or command) is started. See the | 592 | just before the user's shell (or command) is started. See the |
588 | sshd(8) manual page for more information. | 593 | sshd(8) manual page for more information. |
589 | 594 | ||
590 | $HOME/.ssh/environment | 595 | $HOME/.ssh/environment |
@@ -606,8 +611,8 @@ SEE ALSO | |||
606 | AUTHORS | 611 | AUTHORS |
607 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | 612 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by |
608 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | 613 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo |
609 | de Raadt and Dug Song removed many bugs, re-added newer features and cre- | 614 | de Raadt and Dug Song removed many bugs, re-added newer features and |
610 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | 615 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
611 | versions 1.5 and 2.0. | 616 | versions 1.5 and 2.0. |
612 | 617 | ||
613 | BSD September 25, 1999 BSD | 618 | OpenBSD 3.4 September 25, 1999 10 |