Diffstat (limited to 'ssh.0')
-rw-r--r-- | ssh.0 | 166 |
1 files changed, 84 insertions, 82 deletions
@@ -30,16 +30,16 @@ DESCRIPTION | |||
30 | bined with RSA-based host authentication. If the machine the user logs | 30 | bined with RSA-based host authentication. If the machine the user logs |
31 | in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote | 31 | in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote |
32 | machine, and the user names are the same on both sides, or if the files | 32 | machine, and the user names are the same on both sides, or if the files |
33 | $HOME/.rhosts or $HOME/.shosts exist in the user's home directory on the | 33 | ~/.rhosts or ~/.shosts exist in the user's home directory on the remote |
34 | remote machine and contain a line containing the name of the client ma- | 34 | machine and contain a line containing the name of the client machine and |
35 | chine and the name of the user on that machine, the user is considered | 35 | the name of the user on that machine, the user is considered for log in. |
36 | for log in. Additionally, if the server can verify the client's host key | 36 | Additionally, if the server can verify the client's host key (see |
37 | (see /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts in the FILES | 37 | /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts in the FILES section), |
38 | section), only then is login permitted. This authentication method clos- | 38 | only then is login permitted. This authentication method closes security |
39 | es security holes due to IP spoofing, DNS spoofing and routing spoofing. | 39 | holes due to IP spoofing, DNS spoofing and routing spoofing. [Note to |
40 | [Note to the administrator: /etc/hosts.equiv, $HOME/.rhosts, and the | 40 | the administrator: /etc/hosts.equiv, ~/.rhosts, and the rlogin/rsh proto- |
41 | rlogin/rsh protocol in general, are inherently insecure and should be | 41 | col in general, are inherently insecure and should be disabled if securi- |
42 | disabled if security is desired.] | 42 | ty is desired.] |
43 | 43 | ||
44 | As a second authentication method, ssh supports RSA based authentication. | 44 | As a second authentication method, ssh supports RSA based authentication. |
45 | The scheme is based on public-key cryptography: there are cryptosystems | 45 | The scheme is based on public-key cryptography: there are cryptosystems |
@@ -49,25 +49,25 @@ DESCRIPTION | |||
49 | key pair for authentication purposes. The server knows the public key, | 49 | key pair for authentication purposes. The server knows the public key, |
50 | and only the user knows the private key. | 50 | and only the user knows the private key. |
51 | 51 | ||
52 | The file $HOME/.ssh/authorized_keys lists the public keys that are per- | 52 | The file ~/.ssh/authorized_keys lists the public keys that are permitted |
53 | mitted for logging in. When the user logs in, the ssh program tells the | 53 | for logging in. When the user logs in, the ssh program tells the server |
54 | server which key pair it would like to use for authentication. The serv- | 54 | which key pair it would like to use for authentication. The server |
55 | er checks if this key is permitted, and if so, sends the user (actually | 55 | checks if this key is permitted, and if so, sends the user (actually the |
56 | the ssh program running on behalf of the user) a challenge, a random num- | 56 | ssh program running on behalf of the user) a challenge, a random number, |
57 | ber, encrypted by the user's public key. The challenge can only be de- | 57 | encrypted by the user's public key. The challenge can only be decrypted |
58 | crypted using the proper private key. The user's client then decrypts | 58 | using the proper private key. The user's client then decrypts the chal- |
59 | the challenge using the private key, proving that he/she knows the pri- | 59 | lenge using the private key, proving that he/she knows the private key |
60 | vate key but without disclosing it to the server. | 60 | but without disclosing it to the server. |
61 | 61 | ||
62 | ssh implements the RSA authentication protocol automatically. The user | 62 | ssh implements the RSA authentication protocol automatically. The user |
63 | creates his/her RSA key pair by running ssh-keygen(1). This stores the | 63 | creates his/her RSA key pair by running ssh-keygen(1). This stores the |
64 | private key in $HOME/.ssh/identity and stores the public key in | 64 | private key in ~/.ssh/identity and stores the public key in |
65 | $HOME/.ssh/identity.pub in the user's home directory. The user should | 65 | ~/.ssh/identity.pub in the user's home directory. The user should then |
66 | then copy the identity.pub to $HOME/.ssh/authorized_keys in his/her home | 66 | copy the identity.pub to ~/.ssh/authorized_keys in his/her home directory |
67 | directory on the remote machine (the authorized_keys file corresponds to | 67 | on the remote machine (the authorized_keys file corresponds to the con- |
68 | the conventional $HOME/.rhosts file, and has one key per line, though the | 68 | ventional ~/.rhosts file, and has one key per line, though the lines can |
69 | lines can be very long). After this, the user can log in without giving | 69 | be very long). After this, the user can log in without giving the pass- |
70 | the password. | 70 | word. |
71 | 71 | ||
72 | The most convenient way to use RSA authentication may be with an authen- | 72 | The most convenient way to use RSA authentication may be with an authen- |
73 | tication agent. See ssh-agent(1) for more information. | 73 | tication agent. See ssh-agent(1) for more information. |
@@ -87,13 +87,12 @@ DESCRIPTION | |||
87 | 87 | ||
88 | The public key method is similar to RSA authentication described in the | 88 | The public key method is similar to RSA authentication described in the |
89 | previous section and allows the RSA or DSA algorithm to be used: The | 89 | previous section and allows the RSA or DSA algorithm to be used: The |
90 | client uses his private key, $HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa, to | 90 | client uses his private key, ~/.ssh/id_dsa or ~/.ssh/id_rsa, to sign the |
91 | sign the session identifier and sends the result to the server. The | 91 | session identifier and sends the result to the server. The server checks |
92 | server checks whether the matching public key is listed in | 92 | whether the matching public key is listed in ~/.ssh/authorized_keys and |
93 | $HOME/.ssh/authorized_keys and grants access if both the key is found and | 93 | grants access if both the key is found and the signature is correct. The |
94 | the signature is correct. The session identifier is derived from a | 94 | session identifier is derived from a shared Diffie-Hellman value and is |
95 | shared Diffie-Hellman value and is only known to the client and the serv- | 95 | only known to the client and the server. |
96 | er. | ||
97 | 96 | ||
98 | If public key authentication fails or is not available, a password can be | 97 | If public key authentication fails or is not available, a password can be |
99 | sent encrypted to the remote host to prove the user's identity. | 98 | sent encrypted to the remote host to prove the user's identity. |
@@ -194,13 +193,13 @@ DESCRIPTION | |||
194 | Server authentication | 193 | Server authentication |
195 | ssh automatically maintains and checks a database containing identifica- | 194 | ssh automatically maintains and checks a database containing identifica- |
196 | tions for all hosts it has ever been used with. Host keys are stored in | 195 | tions for all hosts it has ever been used with. Host keys are stored in |
197 | $HOME/.ssh/known_hosts in the user's home directory. Additionally, the | 196 | ~/.ssh/known_hosts in the user's home directory. Additionally, the file |
198 | file /etc/ssh/ssh_known_hosts is automatically checked for known hosts. | 197 | /etc/ssh/ssh_known_hosts is automatically checked for known hosts. Any |
199 | Any new hosts are automatically added to the user's file. If a host's | 198 | new hosts are automatically added to the user's file. If a host's iden- |
200 | identification ever changes, ssh warns about this and disables password | 199 | tification ever changes, ssh warns about this and disables password au- |
201 | authentication to prevent a trojan horse from getting the user's pass- | 200 | thentication to prevent a trojan horse from getting the user's password. |
202 | word. Another purpose of this mechanism is to prevent man-in-the-middle | 201 | Another purpose of this mechanism is to prevent man-in-the-middle attacks |
203 | attacks which could otherwise be used to circumvent the encryption. The | 202 | which could otherwise be used to circumvent the encryption. The |
204 | StrictHostKeyChecking option can be used to prevent logins to machines | 203 | StrictHostKeyChecking option can be used to prevent logins to machines |
205 | whose host key is not known or has changed. | 204 | whose host key is not known or has changed. |
206 | 205 | ||
@@ -234,8 +233,9 @@ DESCRIPTION | |||
234 | -a Disables forwarding of the authentication agent connection. | 233 | -a Disables forwarding of the authentication agent connection. |
235 | 234 | ||
236 | -b bind_address | 235 | -b bind_address |
237 | Specify the interface to transmit from on machines with multiple | 236 | Use bind_address on the local machine as the source address of |
238 | interfaces or aliased addresses. | 237 | the connection. Only useful on systems with more than one ad- |
238 | dress. | ||
239 | 239 | ||
240 | -C Requests compression of all data (including stdin, stdout, | 240 | -C Requests compression of all data (including stdin, stdout, |
241 | stderr, and data for forwarded X11 and TCP/IP connections). The | 241 | stderr, and data for forwarded X11 and TCP/IP connections). The |
@@ -262,11 +262,13 @@ DESCRIPTION | |||
262 | For protocol version 2 cipher_spec is a comma-separated list of | 262 | For protocol version 2 cipher_spec is a comma-separated list of |
263 | ciphers listed in order of preference. The supported ciphers are | 263 | ciphers listed in order of preference. The supported ciphers are |
264 | ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', | 264 | ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', |
265 | ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour'', | 265 | ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'', |
266 | ``blowfish-cbc'', and ``cast128-cbc''. The default is | 266 | ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and |
267 | ``cast128-cbc''. The default is | ||
267 | 268 | ||
268 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, | 269 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, |
269 | aes192-cbc,aes256-cbc'' | 270 | arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, |
271 | aes192-ctr,aes256-ctr'' | ||
270 | 272 | ||
271 | -D port | 273 | -D port |
272 | Specifies a local ``dynamic'' application-level port forwarding. | 274 | Specifies a local ``dynamic'' application-level port forwarding. |
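Review bot: the new default cipher list appends ``aes128-ctr,aes192-ctr,aes256-ctr'' at the end, behind the CBC ciphers and the three arcfour variants, and cipher_spec is stated a few lines up to be a list "in order of preference", so a client running with defaults will still propose aes128-cbc first and only reach a CTR mode when the server offers none of the earlier entries. If that ordering is intended it is fine, but since ssh.0 is the rendered copy, confirm that the default shown here is identical to the Ciphers default documented in ssh_config(5) and to the client's compiled-in list; the three drift easily and a man page that disagrees with the code is worse than one that says nothing. Adding ``arcfour128'' and ``arcfour256'' to both the supported-cipher sentence and the default in the same hunk is consistent.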
@@ -292,7 +294,7 @@ DESCRIPTION | |||
292 | Specifies an alternative per-user configuration file. If a con- | 294 | Specifies an alternative per-user configuration file. If a con- |
293 | figuration file is given on the command line, the system-wide | 295 | figuration file is given on the command line, the system-wide |
294 | configuration file (/etc/ssh/ssh_config) will be ignored. The | 296 | configuration file (/etc/ssh/ssh_config) will be ignored. The |
295 | default for the per-user configuration file is $HOME/.ssh/config. | 297 | default for the per-user configuration file is ~/.ssh/config. |
296 | 298 | ||
297 | -f Requests ssh to go to background just before command execution. | 299 | -f Requests ssh to go to background just before command execution. |
298 | This is useful if ssh is going to ask for passwords or passphras- | 300 | This is useful if ssh is going to ask for passwords or passphras- |
@@ -309,12 +311,12 @@ DESCRIPTION | |||
309 | 311 | ||
310 | -i identity_file | 312 | -i identity_file |
311 | Selects a file from which the identity (private key) for RSA or | 313 | Selects a file from which the identity (private key) for RSA or |
312 | DSA authentication is read. The default is $HOME/.ssh/identity | 314 | DSA authentication is read. The default is ~/.ssh/identity for |
313 | for protocol version 1, and $HOME/.ssh/id_rsa and | 315 | protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for pro- |
314 | $HOME/.ssh/id_dsa for protocol version 2. Identity files may al- | 316 | tocol version 2. Identity files may also be specified on a per- |
315 | so be specified on a per-host basis in the configuration file. | 317 | host basis in the configuration file. It is possible to have |
316 | It is possible to have multiple -i options (and multiple identi- | 318 | multiple -i options (and multiple identities specified in config- |
317 | ties specified in configuration files). | 319 | uration files). |
318 | 320 | ||
319 | -k Disables forwarding (delegation) of GSSAPI credentials to the | 321 | -k Disables forwarding (delegation) of GSSAPI credentials to the |
320 | server. | 322 | server. |
@@ -567,17 +569,17 @@ ENVIRONMENT | |||
567 | 569 | ||
568 | USER Set to the name of the user logging in. | 570 | USER Set to the name of the user logging in. |
569 | 571 | ||
570 | Additionally, ssh reads $HOME/.ssh/environment, and adds lines of the | 572 | Additionally, ssh reads ~/.ssh/environment, and adds lines of the format |
571 | format ``VARNAME=value'' to the environment if the file exists and if | 573 | ``VARNAME=value'' to the environment if the file exists and if users are |
572 | users are allowed to change their environment. For more information, see | 574 | allowed to change their environment. For more information, see the |
573 | the PermitUserEnvironment option in sshd_config(5). | 575 | PermitUserEnvironment option in sshd_config(5). |
574 | 576 | ||
575 | FILES | 577 | FILES |
576 | $HOME/.ssh/known_hosts | 578 | ~/.ssh/known_hosts |
577 | Records host keys for all hosts the user has logged into that are | 579 | Records host keys for all hosts the user has logged into that are |
578 | not in /etc/ssh/ssh_known_hosts. See sshd(8). | 580 | not in /etc/ssh/ssh_known_hosts. See sshd(8). |
579 | 581 | ||
580 | $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa | 582 | ~/.ssh/identity, ~/.ssh/id_dsa, ~/.ssh/id_rsa |
581 | Contains the authentication identity of the user. They are for | 583 | Contains the authentication identity of the user. They are for |
582 | protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. | 584 | protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. |
583 | These files contain sensitive data and should be readable by the | 585 | These files contain sensitive data and should be readable by the |
@@ -587,27 +589,27 @@ FILES | |||
587 | key; the passphrase will be used to encrypt the sensitive part of | 589 | key; the passphrase will be used to encrypt the sensitive part of |
588 | this file using 3DES. | 590 | this file using 3DES. |
589 | 591 | ||
590 | $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub | 592 | ~/.ssh/identity.pub, ~/.ssh/id_dsa.pub, ~/.ssh/id_rsa.pub |
591 | Contains the public key for authentication (public part of the | 593 | Contains the public key for authentication (public part of the |
592 | identity file in human-readable form). The contents of the | 594 | identity file in human-readable form). The contents of the |
593 | $HOME/.ssh/identity.pub file should be added to the file | 595 | ~/.ssh/identity.pub file should be added to the file |
594 | $HOME/.ssh/authorized_keys on all machines where the user wishes | 596 | ~/.ssh/authorized_keys on all machines where the user wishes to |
595 | to log in using protocol version 1 RSA authentication. The con- | 597 | log in using protocol version 1 RSA authentication. The contents |
596 | tents of the $HOME/.ssh/id_dsa.pub and $HOME/.ssh/id_rsa.pub file | 598 | of the ~/.ssh/id_dsa.pub and ~/.ssh/id_rsa.pub file should be |
597 | should be added to $HOME/.ssh/authorized_keys on all machines | 599 | added to ~/.ssh/authorized_keys on all machines where the user |
598 | where the user wishes to log in using protocol version 2 DSA/RSA | 600 | wishes to log in using protocol version 2 DSA/RSA authentication. |
599 | authentication. These files are not sensitive and can (but need | 601 | These files are not sensitive and can (but need not) be readable |
600 | not) be readable by anyone. These files are never used automati- | 602 | by anyone. These files are never used automatically and are not |
601 | cally and are not necessary; they are only provided for the con- | 603 | necessary; they are only provided for the convenience of the us- |
602 | venience of the user. | 604 | er. |
603 | 605 | ||
604 | $HOME/.ssh/config | 606 | ~/.ssh/config |
605 | This is the per-user configuration file. The file format and | 607 | This is the per-user configuration file. The file format and |
606 | configuration options are described in ssh_config(5). Because of | 608 | configuration options are described in ssh_config(5). Because of |
607 | the potential for abuse, this file must have strict permissions: | 609 | the potential for abuse, this file must have strict permissions: |
608 | read/write for the user, and not accessible by others. | 610 | read/write for the user, and not accessible by others. |
609 | 611 | ||
610 | $HOME/.ssh/authorized_keys | 612 | ~/.ssh/authorized_keys |
611 | Lists the public keys (RSA/DSA) that can be used for logging in | 613 | Lists the public keys (RSA/DSA) that can be used for logging in |
612 | as this user. The format of this file is described in the | 614 | as this user. The format of this file is described in the |
613 | sshd(8) manual page. In the simplest form the format is the same | 615 | sshd(8) manual page. In the simplest form the format is the same |
@@ -648,7 +650,7 @@ FILES | |||
648 | requirement that ssh be setuid root when that authentication | 650 | requirement that ssh be setuid root when that authentication |
649 | method is used. By default ssh is not setuid root. | 651 | method is used. By default ssh is not setuid root. |
650 | 652 | ||
651 | $HOME/.rhosts | 653 | ~/.rhosts |
652 | This file is used in RhostsRSAAuthentication and | 654 | This file is used in RhostsRSAAuthentication and |
653 | HostbasedAuthentication authentication to list the host/user | 655 | HostbasedAuthentication authentication to list the host/user |
654 | pairs that are permitted to log in. (Note that this file is also | 656 | pairs that are permitted to log in. (Note that this file is also |
@@ -665,12 +667,12 @@ FILES | |||
665 | Note that sshd(8) allows authentication only in combination with | 667 | Note that sshd(8) allows authentication only in combination with |
666 | client host key authentication before permitting log in. If the | 668 | client host key authentication before permitting log in. If the |
667 | server machine does not have the client's host key in | 669 | server machine does not have the client's host key in |
668 | /etc/ssh/ssh_known_hosts, it can be stored in | 670 | /etc/ssh/ssh_known_hosts, it can be stored in ~/.ssh/known_hosts. |
669 | $HOME/.ssh/known_hosts. The easiest way to do this is to connect | 671 | The easiest way to do this is to connect back to the client from |
670 | back to the client from the server machine using ssh; this will | 672 | the server machine using ssh; this will automatically add the |
671 | automatically add the host key to $HOME/.ssh/known_hosts. | 673 | host key to ~/.ssh/known_hosts. |
672 | 674 | ||
673 | $HOME/.shosts | 675 | ~/.shosts |
674 | This file is used exactly the same way as .rhosts. The purpose | 676 | This file is used exactly the same way as .rhosts. The purpose |
675 | for having this file is to be able to use RhostsRSAAuthentication | 677 | for having this file is to be able to use RhostsRSAAuthentication |
676 | and HostbasedAuthentication authentication without permitting lo- | 678 | and HostbasedAuthentication authentication without permitting lo- |
@@ -696,12 +698,12 @@ FILES | |||
696 | just before the user's shell (or command) is started. See the | 698 | just before the user's shell (or command) is started. See the |
697 | sshd(8) manual page for more information. | 699 | sshd(8) manual page for more information. |
698 | 700 | ||
699 | $HOME/.ssh/rc | 701 | ~/.ssh/rc |
700 | Commands in this file are executed by ssh when the user logs in | 702 | Commands in this file are executed by ssh when the user logs in |
701 | just before the user's shell (or command) is started. See the | 703 | just before the user's shell (or command) is started. See the |
702 | sshd(8) manual page for more information. | 704 | sshd(8) manual page for more information. |
703 | 705 | ||
704 | $HOME/.ssh/environment | 706 | ~/.ssh/environment |
705 | Contains additional definitions for environment variables, see | 707 | Contains additional definitions for environment variables, see |
706 | section ENVIRONMENT above. | 708 | section ENVIRONMENT above. |
707 | 709 | ||
@@ -725,4 +727,4 @@ AUTHORS | |||
725 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 727 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
726 | versions 1.5 and 2.0. | 728 | versions 1.5 and 2.0. |
727 | 729 | ||
728 | OpenBSD 3.7 September 25, 1999 11 | 730 | OpenBSD 3.8 September 25, 1999 12 |
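Review bot: the footer only bumps the OpenBSD version (3.7 to 3.8) and the page count (11 to 12, from the reflow), while the page date stays at September 25, 1999 even though this revision changes documented behaviour (the -b description and the default cipher list in the earlier hunks). ssh.0 is generated from ssh.1, so the fix belongs in the source: update the date macro in ssh.1 and regenerate, otherwise a reader comparing installed pages has no way to tell this text from the 1999 revision.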