summaryrefslogtreecommitdiff
path: root/ssh.0
diff options
context:
space:
mode:
Diffstat (limited to 'ssh.0')
-rw-r--r--ssh.0398
1 files changed, 224 insertions, 174 deletions
diff --git a/ssh.0 b/ssh.0
index 50e6020d1..4f5a282f8 100644
--- a/ssh.0
+++ b/ssh.0
@@ -4,12 +4,10 @@ NAME
4 ssh - OpenSSH SSH client (remote login program) 4 ssh - OpenSSH SSH client (remote login program)
5 5
6SYNOPSIS 6SYNOPSIS
7 ssh [-l login_name] hostname | user@hostname [command] 7 ssh [-1246AaCfgkNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] [-D port]
8 8 [-e escape_char] [-F configfile] [-i identity_file]
9 ssh [-afgknqstvxACNTVX1246] [-b bind_address] [-c cipher_spec] 9 [-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option]
10 [-e escape_char] [-i identity_file] [-l login_name] [-m mac_spec] 10 [-p port] [-R port:host:hostport] [user@]hostname [command]
11 [-o option] [-p port] [-F configfile] [-L port:host:hostport]
12 [-R port:host:hostport] [-D port] hostname | user@hostname [command]
13 11
14DESCRIPTION 12DESCRIPTION
15 ssh (SSH client) is a program for logging into a remote machine and for 13 ssh (SSH client) is a program for logging into a remote machine and for
@@ -18,12 +16,14 @@ DESCRIPTION
18 ed hosts over an insecure network. X11 connections and arbitrary TCP/IP 16 ed hosts over an insecure network. X11 connections and arbitrary TCP/IP
19 ports can also be forwarded over the secure channel. 17 ports can also be forwarded over the secure channel.
20 18
21 ssh connects and logs into the specified hostname. The user must prove 19 ssh connects and logs into the specified hostname (with optional user
22 his/her identity to the remote machine using one of several methods de- 20 name). The user must prove his/her identity to the remote machine using
23 pending on the protocol version used: 21 one of several methods depending on the protocol version used.
24 22
25 SSH protocol version 1 23 If command is specified, command is executed on the remote host instead
24 of a login shell.
26 25
26 SSH protocol version 1
27 First, if the machine the user logs in from is listed in /etc/hosts.equiv 27 First, if the machine the user logs in from is listed in /etc/hosts.equiv
28 or /etc/shosts.equiv on the remote machine, and the user names are the 28 or /etc/shosts.equiv on the remote machine, and the user names are the
29 same on both sides, the user is immediately permitted to log in. Second, 29 same on both sides, the user is immediately permitted to log in. Second,
@@ -38,7 +38,7 @@ DESCRIPTION
38 would be permitted by $HOME/.rhosts, $HOME/.shosts, /etc/hosts.equiv, or 38 would be permitted by $HOME/.rhosts, $HOME/.shosts, /etc/hosts.equiv, or
39 /etc/shosts.equiv, and if additionally the server can verify the client's 39 /etc/shosts.equiv, and if additionally the server can verify the client's
40 host key (see /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts in the 40 host key (see /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts in the
41 FILES section), only then login is permitted. This authentication method 41 FILES section), only then is login permitted. This authentication method
42 closes security holes due to IP spoofing, DNS spoofing and routing spoof- 42 closes security holes due to IP spoofing, DNS spoofing and routing spoof-
43 ing. [Note to the administrator: /etc/hosts.equiv, $HOME/.rhosts, and 43 ing. [Note to the administrator: /etc/hosts.equiv, $HOME/.rhosts, and
44 the rlogin/rsh protocol in general, are inherently insecure and should be 44 the rlogin/rsh protocol in general, are inherently insecure and should be
@@ -50,20 +50,21 @@ DESCRIPTION
50 not possible to derive the decryption key from the encryption key. RSA 50 not possible to derive the decryption key from the encryption key. RSA
51 is one such system. The idea is that each user creates a public/private 51 is one such system. The idea is that each user creates a public/private
52 key pair for authentication purposes. The server knows the public key, 52 key pair for authentication purposes. The server knows the public key,
53 and only the user knows the private key. The file 53 and only the user knows the private key.
54 $HOME/.ssh/authorized_keys lists the public keys that are permitted for 54
55 logging in. When the user logs in, the ssh program tells the server 55 The file $HOME/.ssh/authorized_keys lists the public keys that are per-
56 which key pair it would like to use for authentication. The server 56 mitted for logging in. When the user logs in, the ssh program tells the
57 checks if this key is permitted, and if so, sends the user (actually the 57 server which key pair it would like to use for authentication. The serv-
58 ssh program running on behalf of the user) a challenge, a random number, 58 er checks if this key is permitted, and if so, sends the user (actually
59 encrypted by the user's public key. The challenge can only be decrypted 59 the ssh program running on behalf of the user) a challenge, a random num-
60 using the proper private key. The user's client then decrypts the chal- 60 ber, encrypted by the user's public key. The challenge can only be de-
61 lenge using the private key, proving that he/she knows the private key 61 crypted using the proper private key. The user's client then decrypts
62 but without disclosing it to the server. 62 the challenge using the private key, proving that he/she knows the pri-
63 vate key but without disclosing it to the server.
63 64
64 ssh implements the RSA authentication protocol automatically. The user 65 ssh implements the RSA authentication protocol automatically. The user
65 creates his/her RSA key pair by running ssh-keygen(1). This stores the 66 creates his/her RSA key pair by running ssh-keygen(1). This stores the
66 private key in $HOME/.ssh/identity and the public key in 67 private key in $HOME/.ssh/identity and stores the public key in
67 $HOME/.ssh/identity.pub in the user's home directory. The user should 68 $HOME/.ssh/identity.pub in the user's home directory. The user should
68 then copy the identity.pub to $HOME/.ssh/authorized_keys in his/her home 69 then copy the identity.pub to $HOME/.ssh/authorized_keys in his/her home
69 directory on the remote machine (the authorized_keys file corresponds to 70 directory on the remote machine (the authorized_keys file corresponds to
@@ -81,12 +82,11 @@ DESCRIPTION
81 someone listening on the network. 82 someone listening on the network.
82 83
83 SSH protocol version 2 84 SSH protocol version 2
84 85 When a user connects using protocol version 2, similar authentication
85 When a user connects using protocol version 2 similar authentication
86 methods are available. Using the default values for 86 methods are available. Using the default values for
87 PreferredAuthentications, the client will try to authenticate first using 87 PreferredAuthentications, the client will try to authenticate first using
88 the hostbased method; if this method fails public key authentication is 88 the hostbased method; if this method fails, public key authentication is
89 attempted, and finally if this method fails keyboard-interactive and 89 attempted, and finally if this method fails, keyboard-interactive and
90 password authentication are tried. 90 password authentication are tried.
91 91
92 The public key method is similar to RSA authentication described in the 92 The public key method is similar to RSA authentication described in the
@@ -99,8 +99,8 @@ DESCRIPTION
99 shared Diffie-Hellman value and is only known to the client and the serv- 99 shared Diffie-Hellman value and is only known to the client and the serv-
100 er. 100 er.
101 101
102 If public key authentication fails or is not available a password can be 102 If public key authentication fails or is not available, a password can be
103 sent encrypted to the remote host for proving the user's identity. 103 sent encrypted to the remote host to prove the user's identity.
104 104
105 Additionally, ssh supports hostbased or challenge response authentica- 105 Additionally, ssh supports hostbased or challenge response authentica-
106 tion. 106 tion.
@@ -111,7 +111,6 @@ DESCRIPTION
111 ensuring the integrity of the connection. 111 ensuring the integrity of the connection.
112 112
113 Login session and remote execution 113 Login session and remote execution
114
115 When the user's identity has been accepted by the server, the server ei- 114 When the user's identity has been accepted by the server, the server ei-
116 ther executes the given command, or logs into the machine and gives the 115 ther executes the given command, or logs into the machine and gives the
117 user a normal shell on the remote machine. All communication with the 116 user a normal shell on the remote machine. All communication with the
@@ -120,7 +119,7 @@ DESCRIPTION
120 If a pseudo-terminal has been allocated (normal login session), the user 119 If a pseudo-terminal has been allocated (normal login session), the user
121 may use the escape characters noted below. 120 may use the escape characters noted below.
122 121
123 If no pseudo tty has been allocated, the session is transparent and can 122 If no pseudo-tty has been allocated, the session is transparent and can
124 be used to reliably transfer binary data. On most systems, setting the 123 be used to reliably transfer binary data. On most systems, setting the
125 escape character to ``none'' will also make the session transparent even 124 escape character to ``none'' will also make the session transparent even
126 if a tty is used. 125 if a tty is used.
@@ -130,8 +129,7 @@ DESCRIPTION
130 tus of the remote program is returned as the exit status of ssh. 129 tus of the remote program is returned as the exit status of ssh.
131 130
132 Escape Characters 131 Escape Characters
133 132 When a pseudo-terminal has been requested, ssh supports a number of func-
134 When a pseudo terminal has been requested, ssh supports a number of func-
135 tions through the use of an escape character. 133 tions through the use of an escape character.
136 134
137 A single tilde character can be sent as ~~ or by following the tilde by a 135 A single tilde character can be sent as ~~ or by following the tilde by a
@@ -142,29 +140,28 @@ DESCRIPTION
142 140
143 The supported escapes (assuming the default `~') are: 141 The supported escapes (assuming the default `~') are:
144 142
145 ~. Disconnect 143 ~. Disconnect.
146 144
147 ~^Z Background ssh 145 ~^Z Background ssh.
148 146
149 ~# List forwarded connections 147 ~# List forwarded connections.
150 148
151 ~& Background ssh at logout when waiting for forwarded connection / 149 ~& Background ssh at logout when waiting for forwarded connection /
152 X11 sessions to terminate 150 X11 sessions to terminate.
153 151
154 ~? Display a list of escape characters 152 ~? Display a list of escape characters.
155 153
156 ~B Send a BREAK to the remote system (only useful for SSH protocol 154 ~B Send a BREAK to the remote system (only useful for SSH protocol
157 version 2 and if the peer supports it) 155 version 2 and if the peer supports it).
158 156
159 ~C Open command line (only useful for adding port forwardings using 157 ~C Open command line (only useful for adding port forwardings using
160 the -L and -R options) 158 the -L and -R options).
161 159
162 ~R Request rekeying of the connection (only useful for SSH protocol 160 ~R Request rekeying of the connection (only useful for SSH protocol
163 version 2 and if the peer supports it) 161 version 2 and if the peer supports it).
164 162
165 X11 and TCP forwarding 163 X11 and TCP forwarding
166 164 If the ForwardX11 variable is set to ``yes'' (or see the description of
167 If the ForwardX11 variable is set to ``yes'' (or, see the description of
168 the -X and -x options described later) and the user is using X11 (the 165 the -X and -x options described later) and the user is using X11 (the
169 DISPLAY environment variable is set), the connection to the X11 display 166 DISPLAY environment variable is set), the connection to the X11 display
170 is automatically forwarded to the remote side in such a way that any X11 167 is automatically forwarded to the remote side in such a way that any X11
@@ -186,10 +183,10 @@ DESCRIPTION
186 is opened. The real authentication cookie is never sent to the server 183 is opened. The real authentication cookie is never sent to the server
187 machine (and no cookies are sent in the plain). 184 machine (and no cookies are sent in the plain).
188 185
189 If the ForwardAgent variable is set to ``yes'' (or, see the description 186 If the ForwardAgent variable is set to ``yes'' (or see the description of
190 of the -A and -a options described later) and the user is using an au- 187 the -A and -a options described later) and the user is using an authenti-
191 thentication agent, the connection to the agent is automatically forward- 188 cation agent, the connection to the agent is automatically forwarded to
192 ed to the remote side. 189 the remote side.
193 190
194 Forwarding of arbitrary TCP/IP connections over the secure channel can be 191 Forwarding of arbitrary TCP/IP connections over the secure channel can be
195 specified either on the command line or in a configuration file. One 192 specified either on the command line or in a configuration file. One
@@ -197,7 +194,6 @@ DESCRIPTION
197 electronic purse; another is going through firewalls. 194 electronic purse; another is going through firewalls.
198 195
199 Server authentication 196 Server authentication
200
201 ssh automatically maintains and checks a database containing identifica- 197 ssh automatically maintains and checks a database containing identifica-
202 tions for all hosts it has ever been used with. Host keys are stored in 198 tions for all hosts it has ever been used with. Host keys are stored in
203 $HOME/.ssh/known_hosts in the user's home directory. Additionally, the 199 $HOME/.ssh/known_hosts in the user's home directory. Additionally, the
@@ -212,7 +208,13 @@ DESCRIPTION
212 208
213 The options are as follows: 209 The options are as follows:
214 210
215 -a Disables forwarding of the authentication agent connection. 211 -1 Forces ssh to try protocol version 1 only.
212
213 -2 Forces ssh to try protocol version 2 only.
214
215 -4 Forces ssh to use IPv4 addresses only.
216
217 -6 Forces ssh to use IPv6 addresses only.
216 218
217 -A Enables forwarding of the authentication agent connection. This 219 -A Enables forwarding of the authentication agent connection. This
218 can also be specified on a per-host basis in a configuration 220 can also be specified on a per-host basis in a configuration
@@ -226,15 +228,26 @@ DESCRIPTION
226 that enable them to authenticate using the identities loaded into 228 that enable them to authenticate using the identities loaded into
227 the agent. 229 the agent.
228 230
231 -a Disables forwarding of the authentication agent connection.
232
229 -b bind_address 233 -b bind_address
230 Specify the interface to transmit from on machines with multiple 234 Specify the interface to transmit from on machines with multiple
231 interfaces or aliased addresses. 235 interfaces or aliased addresses.
232 236
233 -c blowfish|3des|des 237 -C Requests compression of all data (including stdin, stdout,
238 stderr, and data for forwarded X11 and TCP/IP connections). The
239 compression algorithm is the same used by gzip(1), and the
240 ``level'' can be controlled by the CompressionLevel option for
241 protocol version 1. Compression is desirable on modem lines and
242 other slow connections, but will only slow down things on fast
243 networks. The default value can be set on a host-by-host basis
244 in the configuration files; see the Compression option.
245
246 -c blowfish | 3des | des
234 Selects the cipher to use for encrypting the session. 3des is 247 Selects the cipher to use for encrypting the session. 3des is
235 used by default. It is believed to be secure. 3des (triple-des) 248 used by default. It is believed to be secure. 3des (triple-des)
236 is an encrypt-decrypt-encrypt triple with three different keys. 249 is an encrypt-decrypt-encrypt triple with three different keys.
237 blowfish is a fast block cipher, it appears very secure and is 250 blowfish is a fast block cipher; it appears very secure and is
238 much faster than 3des. des is only supported in the ssh client 251 much faster than 3des. des is only supported in the ssh client
239 for interoperability with legacy protocol 1 implementations that 252 for interoperability with legacy protocol 1 implementations that
240 do not support the 3des cipher. Its use is strongly discouraged 253 do not support the 3des cipher. Its use is strongly discouraged
@@ -245,15 +258,32 @@ DESCRIPTION
245 ciphers can be specified in order of preference. See Ciphers for 258 ciphers can be specified in order of preference. See Ciphers for
246 more information. 259 more information.
247 260
248 -e ch|^ch|none 261 -D port
262 Specifies a local ``dynamic'' application-level port forwarding.
263 This works by allocating a socket to listen to port on the local
264 side, and whenever a connection is made to this port, the connec-
265 tion is forwarded over the secure channel, and the application
266 protocol is then used to determine where to connect to from the
267 remote machine. Currently the SOCKS4 and SOCKS5 protocols are
268 supported, and ssh will act as a SOCKS server. Only root can
269 forward privileged ports. Dynamic port forwardings can also be
270 specified in the configuration file.
271
272 -e ch | ^ch | none
249 Sets the escape character for sessions with a pty (default: `~'). 273 Sets the escape character for sessions with a pty (default: `~').
250 The escape character is only recognized at the beginning of a 274 The escape character is only recognized at the beginning of a
251 line. The escape character followed by a dot (`.') closes the 275 line. The escape character followed by a dot (`.') closes the
252 connection, followed by control-Z suspends the connection, and 276 connection; followed by control-Z suspends the connection; and
253 followed by itself sends the escape character once. Setting the 277 followed by itself sends the escape character once. Setting the
254 character to ``none'' disables any escapes and makes the session 278 character to ``none'' disables any escapes and makes the session
255 fully transparent. 279 fully transparent.
256 280
281 -F configfile
282 Specifies an alternative per-user configuration file. If a con-
283 figuration file is given on the command line, the system-wide
284 configuration file (/etc/ssh/ssh_config) will be ignored. The
285 default for the per-user configuration file is $HOME/.ssh/config.
286
257 -f Requests ssh to go to background just before command execution. 287 -f Requests ssh to go to background just before command execution.
258 This is useful if ssh is going to ask for passwords or passphras- 288 This is useful if ssh is going to ask for passwords or passphras-
259 es, but the user wants it in the background. This implies -n. 289 es, but the user wants it in the background. This implies -n.
@@ -262,6 +292,11 @@ DESCRIPTION
262 292
263 -g Allows remote hosts to connect to local forwarded ports. 293 -g Allows remote hosts to connect to local forwarded ports.
264 294
295 -I smartcard_device
296 Specifies which smartcard device to use. The argument is the de-
297 vice ssh should use to communicate with a smartcard used for
298 storing the user's private RSA key.
299
265 -i identity_file 300 -i identity_file
266 Selects a file from which the identity (private key) for RSA or 301 Selects a file from which the identity (private key) for RSA or
267 DSA authentication is read. The default is $HOME/.ssh/identity 302 DSA authentication is read. The default is $HOME/.ssh/identity
@@ -271,13 +306,19 @@ DESCRIPTION
271 It is possible to have multiple -i options (and multiple identi- 306 It is possible to have multiple -i options (and multiple identi-
272 ties specified in configuration files). 307 ties specified in configuration files).
273 308
274 -I smartcard_device 309 -k Disables forwarding (delegation) of GSSAPI credentials to the
275 Specifies which smartcard device to use. The argument is the de- 310 server.
276 vice ssh should use to communicate with a smartcard used for
277 storing the user's private RSA key.
278 311
279 -k Disables forwarding of Kerberos tickets. This may also be speci- 312 -L port:host:hostport
280 fied on a per-host basis in the configuration file. 313 Specifies that the given port on the local (client) host is to be
314 forwarded to the given host and port on the remote side. This
315 works by allocating a socket to listen to port on the local side,
316 and whenever a connection is made to this port, the connection is
317 forwarded over the secure channel, and a connection is made to
318 host port hostport from the remote machine. Port forwardings can
319 also be specified in the configuration file. Only root can for-
320 ward privileged ports. IPv6 addresses can be specified with an
321 alternative syntax: port/host/hostport.
281 322
282 -l login_name 323 -l login_name
283 Specifies the user to log in as on the remote machine. This also 324 Specifies the user to log in as on the remote machine. This also
@@ -288,6 +329,9 @@ DESCRIPTION
288 MAC (message authentication code) algorithms can be specified in 329 MAC (message authentication code) algorithms can be specified in
289 order of preference. See the MACs keyword for more information. 330 order of preference. See the MACs keyword for more information.
290 331
332 -N Do not execute a remote command. This is useful for just for-
333 warding ports (protocol version 2 only).
334
291 -n Redirects stdin from /dev/null (actually, prevents reading from 335 -n Redirects stdin from /dev/null (actually, prevents reading from
292 stdin). This must be used when ssh is run in the background. A 336 stdin). This must be used when ssh is run in the background. A
293 common trick is to use this to run X11 programs on a remote ma- 337 common trick is to use this to run X11 programs on a remote ma-
@@ -297,13 +341,63 @@ DESCRIPTION
297 will be put in the background. (This does not work if ssh needs 341 will be put in the background. (This does not work if ssh needs
298 to ask for a password or passphrase; see also the -f option.) 342 to ask for a password or passphrase; see also the -f option.)
299 343
300 -N Do not execute a remote command. This is useful for just for-
301 warding ports (protocol version 2 only).
302
303 -o option 344 -o option
304 Can be used to give options in the format used in the configura- 345 Can be used to give options in the format used in the configura-
305 tion file. This is useful for specifying options for which there 346 tion file. This is useful for specifying options for which there
306 is no separate command-line flag. 347 is no separate command-line flag. For full details of the op-
348 tions listed below, and their possible values, see ssh_config(5).
349
350 AddressFamily
351 BatchMode
352 BindAddress
353 ChallengeResponseAuthentication
354 CheckHostIP
355 Cipher
356 Ciphers
357 ClearAllForwardings
358 Compression
359 CompressionLevel
360 ConnectionAttempts
361 ConnectionTimeout
362 DynamicForward
363 EscapeChar
364 ForwardAgent
365 ForwardX11
366 ForwardX11Trusted
367 GatewayPorts
368 GlobalKnownHostsFile
369 GSSAPIAuthentication
370 GSSAPIDelegateCredentials
371 Host
372 HostbasedAuthentication
373 HostKeyAlgorithms
374 HostKeyAlias
375 HostName
376 IdentityFile
377 LocalForward
378 LogLevel
379 MACs
380 NoHostAuthenticationForLocalhost
381 NumberOfPasswordPrompts
382 PasswordAuthentication
383 Port
384 PreferredAuthentications
385 Protocol
386 ProxyCommand
387 PubkeyAuthentication
388 RemoteForward
389 RhostsRSAAuthentication
390 RSAAuthentication
391 ServerAliveInterval
392 ServerAliveCountMax
393 SmartcardDevice
394 StrictHostKeyChecking
395 TCPKeepAlive
396 UsePrivilegedPort
397 User
398 UserKnownHostsFile
399 VerifyHostKeyDNS
400 XAuthLocation
307 401
308 -p port 402 -p port
309 Port to connect to on the remote host. This can be specified on 403 Port to connect to on the remote host. This can be specified on
@@ -312,28 +406,38 @@ DESCRIPTION
312 -q Quiet mode. Causes all warning and diagnostic messages to be 406 -q Quiet mode. Causes all warning and diagnostic messages to be
313 suppressed. 407 suppressed.
314 408
409 -R port:host:hostport
410 Specifies that the given port on the remote (server) host is to
411 be forwarded to the given host and port on the local side. This
412 works by allocating a socket to listen to port on the remote
413 side, and whenever a connection is made to this port, the connec-
414 tion is forwarded over the secure channel, and a connection is
415 made to host port hostport from the local machine. Port forward-
416 ings can also be specified in the configuration file. Privileged
417 ports can be forwarded only when logging in as root on the remote
418 machine. IPv6 addresses can be specified with an alternative
419 syntax: port/host/hostport.
420
315 -s May be used to request invocation of a subsystem on the remote 421 -s May be used to request invocation of a subsystem on the remote
316 system. Subsystems are a feature of the SSH2 protocol which fa- 422 system. Subsystems are a feature of the SSH2 protocol which fa-
317 cilitate the use of SSH as a secure transport for other applica- 423 cilitate the use of SSH as a secure transport for other applica-
318 tions (eg. sftp). The subsystem is specified as the remote com- 424 tions (eg. sftp(1)). The subsystem is specified as the remote
319 mand. 425 command.
426
427 -T Disable pseudo-tty allocation.
320 428
321 -t Force pseudo-tty allocation. This can be used to execute arbi- 429 -t Force pseudo-tty allocation. This can be used to execute arbi-
322 trary screen-based programs on a remote machine, which can be 430 trary screen-based programs on a remote machine, which can be
323 very useful, e.g., when implementing menu services. Multiple -t 431 very useful, e.g., when implementing menu services. Multiple -t
324 options force tty allocation, even if ssh has no local tty. 432 options force tty allocation, even if ssh has no local tty.
325 433
326 -T Disable pseudo-tty allocation. 434 -V Display the version number and exit.
327 435
328 -v Verbose mode. Causes ssh to print debugging messages about its 436 -v Verbose mode. Causes ssh to print debugging messages about its
329 progress. This is helpful in debugging connection, authentica- 437 progress. This is helpful in debugging connection, authentica-
330 tion, and configuration problems. Multiple -v options increase 438 tion, and configuration problems. Multiple -v options increase
331 the verbosity. The maximum is 3. 439 the verbosity. The maximum is 3.
332 440
333 -V Display the version number and exit.
334
335 -x Disables X11 forwarding.
336
337 -X Enables X11 forwarding. This can also be specified on a per-host 441 -X Enables X11 forwarding. This can also be specified on a per-host
338 basis in a configuration file. 442 basis in a configuration file.
339 443
@@ -343,62 +447,9 @@ DESCRIPTION
343 through the forwarded connection. An attacker may then be able 447 through the forwarded connection. An attacker may then be able
344 to perform activities such as keystroke monitoring. 448 to perform activities such as keystroke monitoring.
345 449
346 -C Requests compression of all data (including stdin, stdout, 450 -x Disables X11 forwarding.
347 stderr, and data for forwarded X11 and TCP/IP connections). The
348 compression algorithm is the same used by gzip(1), and the
349 ``level'' can be controlled by the CompressionLevel option for
350 protocol version 1. Compression is desirable on modem lines and
351 other slow connections, but will only slow down things on fast
352 networks. The default value can be set on a host-by-host basis
353 in the configuration files; see the Compression option.
354
355 -F configfile
356 Specifies an alternative per-user configuration file. If a con-
357 figuration file is given on the command line, the system-wide
358 configuration file (/etc/ssh/ssh_config) will be ignored. The
359 default for the per-user configuration file is $HOME/.ssh/config.
360
361 -L port:host:hostport
362 Specifies that the given port on the local (client) host is to be
363 forwarded to the given host and port on the remote side. This
364 works by allocating a socket to listen to port on the local side,
365 and whenever a connection is made to this port, the connection is
366 forwarded over the secure channel, and a connection is made to
367 host port hostport from the remote machine. Port forwardings can
368 also be specified in the configuration file. Only root can for-
369 ward privileged ports. IPv6 addresses can be specified with an
370 alternative syntax: port/host/hostport
371
372 -R port:host:hostport
373 Specifies that the given port on the remote (server) host is to
374 be forwarded to the given host and port on the local side. This
375 works by allocating a socket to listen to port on the remote
376 side, and whenever a connection is made to this port, the connec-
377 tion is forwarded over the secure channel, and a connection is
378 made to host port hostport from the local machine. Port forward-
379 ings can also be specified in the configuration file. Privileged
380 ports can be forwarded only when logging in as root on the remote
381 machine. IPv6 addresses can be specified with an alternative
382 syntax: port/host/hostport
383
384 -D port
385 Specifies a local ``dynamic'' application-level port forwarding.
386 This works by allocating a socket to listen to port on the local
387 side, and whenever a connection is made to this port, the connec-
388 tion is forwarded over the secure channel, and the application
389 protocol is then used to determine where to connect to from the
390 remote machine. Currently the SOCKS4 and SOCKS5 protocols are
391 supported, and ssh will act as a SOCKS server. Only root can
392 forward privileged ports. Dynamic port forwardings can also be
393 specified in the configuration file.
394
395 -1 Forces ssh to try protocol version 1 only.
396
397 -2 Forces ssh to try protocol version 2 only.
398
399 -4 Forces ssh to use IPv4 addresses only.
400 451
401 -6 Forces ssh to use IPv6 addresses only. 452 -Y Enables trusted X11 forwarding.
402 453
403CONFIGURATION FILES 454CONFIGURATION FILES
404 ssh may additionally obtain configuration data from a per-user configura- 455 ssh may additionally obtain configuration data from a per-user configura-
@@ -408,65 +459,63 @@ CONFIGURATION FILES
408ENVIRONMENT 459ENVIRONMENT
409 ssh will normally set the following environment variables: 460 ssh will normally set the following environment variables:
410 461
411 DISPLAY 462 DISPLAY The DISPLAY variable indicates the location of the X11 server.
412 The DISPLAY variable indicates the location of the X11 server. 463 It is automatically set by ssh to point to a value of the form
413 It is automatically set by ssh to point to a value of the form 464 ``hostname:n'' where hostname indicates the host where the shell
414 ``hostname:n'' where hostname indicates the host where the shell 465 runs, and n is an integer >= 1. ssh uses this special value to
415 runs, and n is an integer >= 1. ssh uses this special value to 466 forward X11 connections over the secure channel. The user
416 forward X11 connections over the secure channel. The user should 467 should normally not set DISPLAY explicitly, as that will render
417 normally not set DISPLAY explicitly, as that will render the X11 468 the X11 connection insecure (and will require the user to manu-
418 connection insecure (and will require the user to manually copy 469 ally copy any required authorization cookies).
419 any required authorization cookies).
420 470
421 HOME Set to the path of the user's home directory. 471 HOME Set to the path of the user's home directory.
422 472
423 LOGNAME 473 LOGNAME Synonym for USER; set for compatibility with systems that use
424 Synonym for USER; set for compatibility with systems that use 474 this variable.
425 this variable.
426 475
427 MAIL Set to the path of the user's mailbox. 476 MAIL Set to the path of the user's mailbox.
428 477
429 PATH Set to the default PATH, as specified when compiling ssh. 478 PATH Set to the default PATH, as specified when compiling ssh.
430 479
431 SSH_ASKPASS 480 SSH_ASKPASS
432 If ssh needs a passphrase, it will read the passphrase from the 481 If ssh needs a passphrase, it will read the passphrase from the
433 current terminal if it was run from a terminal. If ssh does not 482 current terminal if it was run from a terminal. If ssh does not
434 have a terminal associated with it but DISPLAY and SSH_ASKPASS 483 have a terminal associated with it but DISPLAY and SSH_ASKPASS
435 are set, it will execute the program specified by SSH_ASKPASS and 484 are set, it will execute the program specified by SSH_ASKPASS
436 open an X11 window to read the passphrase. This is particularly 485 and open an X11 window to read the passphrase. This is particu-
437 useful when calling ssh from a .Xsession or related script. 486 larly useful when calling ssh from a .Xsession or related
438 (Note that on some machines it may be necessary to redirect the 487 script. (Note that on some machines it may be necessary to
439 input from /dev/null to make this work.) 488 redirect the input from /dev/null to make this work.)
440 489
441 SSH_AUTH_SOCK 490 SSH_AUTH_SOCK
442 Identifies the path of a unix-domain socket used to communicate 491 Identifies the path of a unix-domain socket used to communicate
443 with the agent. 492 with the agent.
444 493
445 SSH_CONNECTION 494 SSH_CONNECTION
446 Identifies the client and server ends of the connection. The 495 Identifies the client and server ends of the connection. The
447 variable contains four space-separated values: client ip-address, 496 variable contains four space-separated values: client ip-ad-
448 client port number, server ip-address and server port number. 497 dress, client port number, server ip-address and server port
498 number.
449 499
450 SSH_ORIGINAL_COMMAND 500 SSH_ORIGINAL_COMMAND
451 The variable contains the original command line if a forced com- 501 The variable contains the original command line if a forced com-
452 mand is executed. It can be used to extract the original argu- 502 mand is executed. It can be used to extract the original argu-
453 ments. 503 ments.
454 504
455 SSH_TTY 505 SSH_TTY This is set to the name of the tty (path to the device) associ-
456 This is set to the name of the tty (path to the device) associat- 506 ated with the current shell or command. If the current session
457 ed with the current shell or command. If the current session has 507 has no tty, this variable is not set.
458 no tty, this variable is not set.
459 508
460 TZ The timezone variable is set to indicate the present timezone if 509 TZ The timezone variable is set to indicate the present timezone if
461 it was set when the daemon was started (i.e., the daemon passes 510 it was set when the daemon was started (i.e., the daemon passes
462 the value on to new connections). 511 the value on to new connections).
463 512
464 USER Set to the name of the user logging in. 513 USER Set to the name of the user logging in.
465 514
466 Additionally, ssh reads $HOME/.ssh/environment, and adds lines of the 515 Additionally, ssh reads $HOME/.ssh/environment, and adds lines of the
467 format ``VARNAME=value'' to the environment if the file exists and if 516 format ``VARNAME=value'' to the environment if the file exists and if
468 users are allowed to change their environment. See the 517 users are allowed to change their environment. For more information, see
469 PermitUserEnvironment option in sshd_config(5). 518 the PermitUserEnvironment option in sshd_config(5).
470 519
471FILES 520FILES
472 $HOME/.ssh/known_hosts 521 $HOME/.ssh/known_hosts
@@ -486,7 +535,7 @@ FILES
486 $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub 535 $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub
487 Contains the public key for authentication (public part of the 536 Contains the public key for authentication (public part of the
488 identity file in human-readable form). The contents of the 537 identity file in human-readable form). The contents of the
489 $HOME/.ssh/identity.pub file should be added to 538 $HOME/.ssh/identity.pub file should be added to the file
490 $HOME/.ssh/authorized_keys on all machines where the user wishes 539 $HOME/.ssh/authorized_keys on all machines where the user wishes
491 to log in using protocol version 1 RSA authentication. The con- 540 to log in using protocol version 1 RSA authentication. The con-
492 tents of the $HOME/.ssh/id_dsa.pub and $HOME/.ssh/id_rsa.pub file 541 tents of the $HOME/.ssh/id_dsa.pub and $HOME/.ssh/id_rsa.pub file
@@ -517,7 +566,7 @@ FILES
517 following format (fields separated by spaces): system name, pub- 566 following format (fields separated by spaces): system name, pub-
518 lic key and optional comment field. When different names are 567 lic key and optional comment field. When different names are
519 used for the same machine, all such names should be listed, sepa- 568 used for the same machine, all such names should be listed, sepa-
520 rated by commas. The format is described on the sshd(8) manual 569 rated by commas. The format is described in the sshd(8) manual
521 page. 570 page.
522 571
523 The canonical system name (as returned by name servers) is used 572 The canonical system name (as returned by name servers) is used
@@ -543,7 +592,7 @@ FILES
543 method is used. By default ssh is not setuid root. 592 method is used. By default ssh is not setuid root.
544 593
545 $HOME/.rhosts 594 $HOME/.rhosts
546 This file is used in .rhosts authentication to list the host/user 595 This file is used in rhosts authentication to list the host/user
547 pairs that are permitted to log in. (Note that this file is also 596 pairs that are permitted to log in. (Note that this file is also
548 used by rlogin and rsh, which makes using this file insecure.) 597 used by rlogin and rsh, which makes using this file insecure.)
549 Each line of the file contains a host name (in the canonical form 598 Each line of the file contains a host name (in the canonical form
@@ -557,7 +606,7 @@ FILES
557 606
558 Note that by default sshd(8) will be installed so that it re- 607 Note that by default sshd(8) will be installed so that it re-
559 quires successful RSA host authentication before permitting 608 quires successful RSA host authentication before permitting
560 .rhosts authentication. If the server machine does not have the 609 rhosts authentication. If the server machine does not have the
561 client's host key in /etc/ssh/ssh_known_hosts, it can be stored 610 client's host key in /etc/ssh/ssh_known_hosts, it can be stored
562 in $HOME/.ssh/known_hosts. The easiest way to do this is to con- 611 in $HOME/.ssh/known_hosts. The easiest way to do this is to con-
563 nect back to the client from the server machine using ssh; this 612 nect back to the client from the server machine using ssh; this
@@ -569,9 +618,9 @@ FILES
569 with ssh without permitting login with rlogin or rsh(1). 618 with ssh without permitting login with rlogin or rsh(1).
570 619
571 /etc/hosts.equiv 620 /etc/hosts.equiv
572 This file is used during .rhosts authentication. It contains 621 This file is used during rhosts authentication. It contains
573 canonical hosts names, one per line (the full format is described 622 canonical hosts names, one per line (the full format is described
574 on the sshd(8) manual page). If the client host is found in this 623 in the sshd(8) manual page). If the client host is found in this
575 file, login is automatically permitted provided client and server 624 file, login is automatically permitted provided client and server
576 user names are the same. Additionally, successful RSA host au- 625 user names are the same. Additionally, successful RSA host au-
577 thentication is normally required. This file should only be 626 thentication is normally required. This file should only be
@@ -601,8 +650,9 @@ DIAGNOSTICS
601 error occurred. 650 error occurred.
602 651
603SEE ALSO 652SEE ALSO
604 rsh(1), scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), 653 gzip(1), rsh(1), scp(1), sftp(1), ssh-add(1), ssh-agent(1),
605 telnet(1), ssh_config(5), ssh-keysign(8), sshd(8) 654 ssh-keygen(1), telnet(1), hosts.equiv(5), ssh_config(5), ssh-keysign(8),
655 sshd(8)
606 656
607 T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH 657 T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH
608 Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January 658 Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January
@@ -615,4 +665,4 @@ AUTHORS
615 created OpenSSH. Markus Friedl contributed the support for SSH protocol 665 created OpenSSH. Markus Friedl contributed the support for SSH protocol
616 versions 1.5 and 2.0. 666 versions 1.5 and 2.0.
617 667
618OpenBSD 3.4 September 25, 1999 10 668OpenBSD 3.4 September 25, 1999 11
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-29 08:39:24 +0000