Diffstat (limited to 'ssh.0')
-rw-r--r-- | ssh.0 | 146 |
1 files changed, 89 insertions, 57 deletions
@@ -6,8 +6,10 @@ NAME | |||
6 | SYNOPSIS | 6 | SYNOPSIS |
7 | ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] | 7 | ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] |
8 | [-D port] [-e escape_char] [-F configfile] [-i identity_file] | 8 | [-D port] [-e escape_char] [-F configfile] [-i identity_file] |
9 | [-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option] | 9 | [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] |
10 | [-p port] [-R port:host:hostport] [-S ctl] [user@]hostname [command] | 10 | [-O ctl_cmd] [-o option] [-p port] |
11 | [-R [bind_address:]port:host:hostport] [-S ctl_path] [user@]hostname | ||
12 | [command] | ||
11 | 13 | ||
12 | DESCRIPTION | 14 | DESCRIPTION |
13 | ssh (SSH client) is a program for logging into a remote machine and for | 15 | ssh (SSH client) is a program for logging into a remote machine and for |
@@ -24,27 +26,22 @@ DESCRIPTION | |||
24 | of a login shell. | 26 | of a login shell. |
25 | 27 | ||
26 | SSH protocol version 1 | 28 | SSH protocol version 1 |
27 | First, if the machine the user logs in from is listed in /etc/hosts.equiv | 29 | The first authentication method is the rhosts or hosts.equiv method com- |
28 | or /etc/shosts.equiv on the remote machine, and the user names are the | 30 | bined with RSA-based host authentication. If the machine the user logs |
29 | same on both sides, the user is immediately permitted to log in. Second, | 31 | in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote |
30 | if .rhosts or .shosts exists in the user's home directory on the remote | 32 | machine, and the user names are the same on both sides, or if the files |
31 | machine and contains a line containing the name of the client machine and | 33 | $HOME/.rhosts or $HOME/.shosts exist in the user's home directory on the |
32 | the name of the user on that machine, the user is permitted to log in. | 34 | remote machine and contain a line containing the name of the client ma- |
33 | This form of authentication alone is normally not allowed by the server | 35 | chine and the name of the user on that machine, the user is considered |
34 | because it is not secure. | 36 | for log in. Additionally, if the server can verify the client's host key |
35 | 37 | (see /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts in the FILES | |
36 | The second authentication method is the rhosts or hosts.equiv method com- | 38 | section), only then is login permitted. This authentication method clos- |
37 | bined with RSA-based host authentication. It means that if the login | 39 | es security holes due to IP spoofing, DNS spoofing and routing spoofing. |
38 | would be permitted by $HOME/.rhosts, $HOME/.shosts, /etc/hosts.equiv, or | 40 | [Note to the administrator: /etc/hosts.equiv, $HOME/.rhosts, and the |
39 | /etc/shosts.equiv, and if additionally the server can verify the client's | 41 | rlogin/rsh protocol in general, are inherently insecure and should be |
40 | host key (see /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts in the | ||
41 | FILES section), only then is login permitted. This authentication method | ||
42 | closes security holes due to IP spoofing, DNS spoofing and routing spoof- | ||
43 | ing. [Note to the administrator: /etc/hosts.equiv, $HOME/.rhosts, and | ||
44 | the rlogin/rsh protocol in general, are inherently insecure and should be | ||
45 | disabled if security is desired.] | 42 | disabled if security is desired.] |
46 | 43 | ||
47 | As a third authentication method, ssh supports RSA based authentication. | 44 | As a second authentication method, ssh supports RSA based authentication. |
48 | The scheme is based on public-key cryptography: there are cryptosystems | 45 | The scheme is based on public-key cryptography: there are cryptosystems |
49 | where encryption and decryption are done using separate keys, and it is | 46 | where encryption and decryption are done using separate keys, and it is |
50 | not possible to derive the decryption key from the encryption key. RSA | 47 | not possible to derive the decryption key from the encryption key. RSA |
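Review bot: the rewritten method description at new lines 29-39 runs every condition into one sentence and then says "the user is considered for log in" before the host-key requirement is introduced; state the two steps separately, e.g. "the user becomes a candidate for login" followed by "login is permitted only if the server can additionally verify the client's host key", and use the noun "login" there. "$HOME/.rhosts or $HOME/.shosts exist in the user's home directory" is redundant since $HOME already denotes that directory. Dropping the old first method (plain rhosts/hosts.equiv with no host-key check, left lines 27-34) is consistent with the FILES hunk below, which says sshd(8) only accepts it together with client host key authentication, and the administrator note about rlogin/rsh being inherently insecure is correctly carried over.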
@@ -70,8 +67,7 @@ DESCRIPTION | |||
70 | directory on the remote machine (the authorized_keys file corresponds to | 67 | directory on the remote machine (the authorized_keys file corresponds to |
71 | the conventional $HOME/.rhosts file, and has one key per line, though the | 68 | the conventional $HOME/.rhosts file, and has one key per line, though the |
72 | lines can be very long). After this, the user can log in without giving | 69 | lines can be very long). After this, the user can log in without giving |
73 | the password. RSA authentication is much more secure than rhosts authen- | 70 | the password. |
74 | tication. | ||
75 | 71 | ||
76 | The most convenient way to use RSA authentication may be with an authen- | 72 | The most convenient way to use RSA authentication may be with an authen- |
77 | tication agent. See ssh-agent(1) for more information. | 73 | tication agent. See ssh-agent(1) for more information. |
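Review bot: removing "RSA authentication is much more secure than rhosts authentication" (left lines 73-74) is consistent, because this patch also removes the rhosts-only method the comparison referred to; the paragraph still reads cleanly ending at "without giving the password." If the comparison is wanted at all, the surviving administrator note at new lines 40-42 already says the rhosts files are insecure, so a cross-reference there would suffice rather than reinstating the sentence.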
@@ -323,16 +319,24 @@ DESCRIPTION | |||
323 | -k Disables forwarding (delegation) of GSSAPI credentials to the | 319 | -k Disables forwarding (delegation) of GSSAPI credentials to the |
324 | server. | 320 | server. |
325 | 321 | ||
326 | -L port:host:hostport | 322 | -L [bind_address:]port:host:hostport |
327 | Specifies that the given port on the local (client) host is to be | 323 | Specifies that the given port on the local (client) host is to be |
328 | forwarded to the given host and port on the remote side. This | 324 | forwarded to the given host and port on the remote side. This |
329 | works by allocating a socket to listen to port on the local side, | 325 | works by allocating a socket to listen to port on the local side, |
330 | and whenever a connection is made to this port, the connection is | 326 | optionally bound to the specified bind_address. Whenever a con- |
331 | forwarded over the secure channel, and a connection is made to | 327 | nection is made to this port, the connection is forwarded over |
332 | host port hostport from the remote machine. Port forwardings can | 328 | the secure channel, and a connection is made to host port |
333 | also be specified in the configuration file. Only root can for- | 329 | hostport from the remote machine. Port forwardings can also be |
334 | ward privileged ports. IPv6 addresses can be specified with an | 330 | specified in the configuration file. IPv6 addresses can be spec- |
335 | alternative syntax: port/host/hostport. | 331 | ified with an alternative syntax: [bind_address/]port/host/host- |
332 | port or by enclosing the address in square brackets. Only the | ||
333 | superuser can forward privileged ports. By default, the local | ||
334 | port is bound in accordance with the GatewayPorts setting. How- | ||
335 | ever, an explicit bind_address may be used to bind the connection | ||
336 | to a specific address. The bind_address of ``localhost'' indi- | ||
337 | cates that the listening port be bound for local use only, while | ||
338 | an empty address or `*' indicates that the port should be avail- | ||
339 | able from all interfaces. | ||
336 | 340 | ||
337 | -l login_name | 341 | -l login_name |
338 | Specifies the user to log in as on the remote machine. This also | 342 | Specifies the user to log in as on the remote machine. This also |
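Review bot: the default-binding sentence at new lines 333-334 says the local port is bound "in accordance with the GatewayPorts setting" without saying this is the client-side option in ssh_config(5); the -R hunk below names sshd_config(5) for the server-side option, so name the file here too to avoid the reader looking in the wrong one. The consequence of an empty bind_address or `*' (the forwarded port is reachable by any host that can reach the client, not just local processes) deserves an explicit sentence, since "available from all interfaces" is the only hint. Minor: "superuser" here versus "root" in the -R text; use one term in both places.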
@@ -359,6 +363,13 @@ DESCRIPTION | |||
359 | will be put in the background. (This does not work if ssh needs | 363 | will be put in the background. (This does not work if ssh needs |
360 | to ask for a password or passphrase; see also the -f option.) | 364 | to ask for a password or passphrase; see also the -f option.) |
361 | 365 | ||
366 | -O ctl_cmd | ||
367 | Control an active connection multiplexing master process. When | ||
368 | the -O option is specified, the ctl_cmd argument is interpreted | ||
369 | and passed to the master process. Valid commands are: ``check'' | ||
370 | (check that the master process is running) and ``exit'' (request | ||
371 | the master to exit). | ||
372 | |||
362 | -o option | 373 | -o option |
363 | Can be used to give options in the format used in the configura- | 374 | Can be used to give options in the format used in the configura- |
364 | tion file. This is useful for specifying options for which there | 375 | tion file. This is useful for specifying options for which there |
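Review bot: the new -O text never says how ssh locates the master process it is controlling; presumably via the control socket given by -S / ControlPath, so add a cross-reference to -S and ssh_config(5) the way the -S entry already does. It would also help scripts to say what "check" reports (whether the result is an exit status or a message), since "check that the master process is running" alone does not say how the answer is returned.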
@@ -388,6 +399,7 @@ DESCRIPTION | |||
388 | GlobalKnownHostsFile | 399 | GlobalKnownHostsFile |
389 | GSSAPIAuthentication | 400 | GSSAPIAuthentication |
390 | GSSAPIDelegateCredentials | 401 | GSSAPIDelegateCredentials |
402 | HashKnownHosts | ||
391 | Host | 403 | Host |
392 | HostbasedAuthentication | 404 | HostbasedAuthentication |
393 | HostKeyAlgorithms | 405 | HostKeyAlgorithms |
@@ -395,6 +407,7 @@ DESCRIPTION | |||
395 | HostName | 407 | HostName |
396 | IdentityFile | 408 | IdentityFile |
397 | IdentitiesOnly | 409 | IdentitiesOnly |
410 | KbdInteractiveDevices | ||
398 | LocalForward | 411 | LocalForward |
399 | LogLevel | 412 | LogLevel |
400 | MACs | 413 | MACs |
@@ -428,19 +441,29 @@ DESCRIPTION | |||
428 | -q Quiet mode. Causes all warning and diagnostic messages to be | 441 | -q Quiet mode. Causes all warning and diagnostic messages to be |
429 | suppressed. | 442 | suppressed. |
430 | 443 | ||
431 | -R port:host:hostport | 444 | -R [bind_address:]port:host:hostport |
432 | Specifies that the given port on the remote (server) host is to | 445 | Specifies that the given port on the remote (server) host is to |
433 | be forwarded to the given host and port on the local side. This | 446 | be forwarded to the given host and port on the local side. This |
434 | works by allocating a socket to listen to port on the remote | 447 | works by allocating a socket to listen to port on the remote |
435 | side, and whenever a connection is made to this port, the connec- | 448 | side, and whenever a connection is made to this port, the connec- |
436 | tion is forwarded over the secure channel, and a connection is | 449 | tion is forwarded over the secure channel, and a connection is |
437 | made to host port hostport from the local machine. Port forward- | 450 | made to host port hostport from the local machine. |
438 | ings can also be specified in the configuration file. Privileged | 451 | |
439 | ports can be forwarded only when logging in as root on the remote | 452 | Port forwardings can also be specified in the configuration file. |
440 | machine. IPv6 addresses can be specified with an alternative | 453 | Privileged ports can be forwarded only when logging in as root on |
441 | syntax: port/host/hostport. | 454 | the remote machine. IPv6 addresses can be specified by enclosing |
442 | 455 | the address in square braces or using an alternative syntax: | |
443 | -S ctl Specifies the location of a control socket for connection shar- | 456 | [bind_address/]host/port/hostport. |
457 | |||
458 | By default, the listening socket on the server will be bound to | ||
459 | the loopback interface only. This may be overriden by specifying | ||
460 | a bind_address. An empty bind_address, or the address `*', indi- | ||
461 | cates that the remote socket should listen on all interfaces. | ||
462 | Specifying a remote bind_address will only succeed if the serv- | ||
463 | er's GatewayPorts option is enabled (see sshd_config(5)). | ||
464 | |||
465 | -S ctl_path | ||
466 | Specifies the location of a control socket for connection shar- | ||
444 | ing. Refer to the description of ControlPath and ControlMaster | 467 | ing. Refer to the description of ControlPath and ControlMaster |
445 | in ssh_config(5) for details. | 468 | in ssh_config(5) for details. |
446 | 469 | ||
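Review bot: the IPv6 slash syntax at new line 456 reads "[bind_address/]host/port/hostport", which swaps port and host relative to both the colon form on line 444 and the -L text ("[bind_address/]port/host/hostport"); this looks like a typo and should be "[bind_address/]port/host/hostport". Also "overriden" at line 459 should be "overridden", and "square braces" at line 455 should match the -L wording "square brackets". The GatewayPorts caveat at lines 462-463 is the important addition: it makes clear that the server, not the client, decides whether a non-loopback bind is honoured, which is the right place for that control.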
@@ -473,9 +496,15 @@ DESCRIPTION | |||
473 | through the forwarded connection. An attacker may then be able | 496 | through the forwarded connection. An attacker may then be able |
474 | to perform activities such as keystroke monitoring. | 497 | to perform activities such as keystroke monitoring. |
475 | 498 | ||
499 | For this reason, X11 forwarding is subjected to X11 SECURITY ex- | ||
500 | tension restrictions by default. Please refer to the ssh -Y op- | ||
501 | tion and the ForwardX11Trusted directive in ssh_config(5) for | ||
502 | more information. | ||
503 | |||
476 | -x Disables X11 forwarding. | 504 | -x Disables X11 forwarding. |
477 | 505 | ||
478 | -Y Enables trusted X11 forwarding. | 506 | -Y Enables trusted X11 forwarding. Trusted X11 forwardings are not |
507 | subjected to the X11 SECURITY extension controls. | ||
479 | 508 | ||
480 | CONFIGURATION FILES | 509 | CONFIGURATION FILES |
481 | ssh may additionally obtain configuration data from a per-user configura- | 510 | ssh may additionally obtain configuration data from a per-user configura- |
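Review bot: "subjected to" at new lines 499 and 506 should be "subject to", and "the ssh -Y option" inside ssh's own manual page can simply be "the -Y option". The -Y addition should state its consequence in the terms the -X paragraph above already uses: a trusted forwarding is exempt from the SECURITY extension restrictions and so reopens the keystroke-monitoring exposure described there, which is why it is not the default.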
@@ -509,7 +538,7 @@ ENVIRONMENT | |||
509 | have a terminal associated with it but DISPLAY and SSH_ASKPASS | 538 | have a terminal associated with it but DISPLAY and SSH_ASKPASS |
510 | are set, it will execute the program specified by SSH_ASKPASS | 539 | are set, it will execute the program specified by SSH_ASKPASS |
511 | and open an X11 window to read the passphrase. This is particu- | 540 | and open an X11 window to read the passphrase. This is particu- |
512 | larly useful when calling ssh from a .Xsession or related | 541 | larly useful when calling ssh from a .xsession or related |
513 | script. (Note that on some machines it may be necessary to | 542 | script. (Note that on some machines it may be necessary to |
514 | redirect the input from /dev/null to make this work.) | 543 | redirect the input from /dev/null to make this work.) |
515 | 544 | ||
@@ -620,7 +649,8 @@ FILES | |||
620 | method is used. By default ssh is not setuid root. | 649 | method is used. By default ssh is not setuid root. |
621 | 650 | ||
622 | $HOME/.rhosts | 651 | $HOME/.rhosts |
623 | This file is used in rhosts authentication to list the host/user | 652 | This file is used in RhostsRSAAuthentication and |
653 | HostbasedAuthentication authentication to list the host/user | ||
624 | pairs that are permitted to log in. (Note that this file is also | 654 | pairs that are permitted to log in. (Note that this file is also |
625 | used by rlogin and rsh, which makes using this file insecure.) | 655 | used by rlogin and rsh, which makes using this file insecure.) |
626 | Each line of the file contains a host name (in the canonical form | 656 | Each line of the file contains a host name (in the canonical form |
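Review bot: "RhostsRSAAuthentication and HostbasedAuthentication authentication" (new lines 652-653) doubles the word "authentication"; the same phrasing recurs at new lines 675-676 and 680-681 in the next hunk. Suggest "used by RhostsRSAAuthentication and HostbasedAuthentication to list the host/user pairs ...".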
@@ -632,27 +662,29 @@ FILES | |||
632 | for anyone else. The recommended permission for most machines is | 662 | for anyone else. The recommended permission for most machines is |
633 | read/write for the user, and not accessible by others. | 663 | read/write for the user, and not accessible by others. |
634 | 664 | ||
635 | Note that by default sshd(8) will be installed so that it re- | 665 | Note that sshd(8) allows authentication only in combination with |
636 | quires successful RSA host authentication before permitting | 666 | client host key authentication before permitting log in. If the |
637 | rhosts authentication. If the server machine does not have the | 667 | server machine does not have the client's host key in |
638 | client's host key in /etc/ssh/ssh_known_hosts, it can be stored | 668 | /etc/ssh/ssh_known_hosts, it can be stored in |
639 | in $HOME/.ssh/known_hosts. The easiest way to do this is to con- | 669 | $HOME/.ssh/known_hosts. The easiest way to do this is to connect |
640 | nect back to the client from the server machine using ssh; this | 670 | back to the client from the server machine using ssh; this will |
641 | will automatically add the host key to $HOME/.ssh/known_hosts. | 671 | automatically add the host key to $HOME/.ssh/known_hosts. |
642 | 672 | ||
643 | $HOME/.shosts | 673 | $HOME/.shosts |
644 | This file is used exactly the same way as .rhosts. The purpose | 674 | This file is used exactly the same way as .rhosts. The purpose |
645 | for having this file is to be able to use rhosts authentication | 675 | for having this file is to be able to use RhostsRSAAuthentication |
646 | with ssh without permitting login with rlogin or rsh(1). | 676 | and HostbasedAuthentication authentication without permitting lo- |
677 | gin with rlogin or rsh(1). | ||
647 | 678 | ||
648 | /etc/hosts.equiv | 679 | /etc/hosts.equiv |
649 | This file is used during rhosts authentication. It contains | 680 | This file is used during RhostsRSAAuthentication and |
650 | canonical hosts names, one per line (the full format is described | 681 | HostbasedAuthentication authentication. It contains canonical |
651 | in the sshd(8) manual page). If the client host is found in this | 682 | hosts names, one per line (the full format is described in the |
652 | file, login is automatically permitted provided client and server | 683 | sshd(8) manual page). If the client host is found in this file, |
653 | user names are the same. Additionally, successful RSA host au- | 684 | login is automatically permitted provided client and server user |
654 | thentication is normally required. This file should only be | 685 | names are the same. Additionally, successful client host key au- |
655 | writable by root. | 686 | thentication is required. This file should only be writable by |
687 | root. | ||
656 | 688 | ||
657 | /etc/shosts.equiv | 689 | /etc/shosts.equiv |
658 | This file is processed exactly as /etc/hosts.equiv. This file | 690 | This file is processed exactly as /etc/hosts.equiv. This file |
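Review bot: "sshd(8) allows authentication only in combination with client host key authentication before permitting log in" (new lines 665-666) is ungrammatical and does not say which method is meant; suggest "sshd(8) permits .rhosts/.shosts-based login only in combination with client host key authentication". Changing "normally required" to "is required" at new lines 685-686 turns the host-key check into a hard requirement, which matches that sentence, good. Pre-existing but inside this hunk: "hosts names" at new line 682 should be "host names". The advice to populate $HOME/.ssh/known_hosts by connecting back from the server means the key is accepted on first use; since the host key is what authorizes the login here, it is worth saying the fingerprint should be verified out of band rather than relying on that.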