diff options
Diffstat (limited to 'ssh.0')
| -rw-r--r-- | ssh.0 | 146 |
1 files changed, 89 insertions, 57 deletions
| @@ -6,8 +6,10 @@ NAME | |||
| 6 | SYNOPSIS | 6 | SYNOPSIS |
| 7 | ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] | 7 | ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] |
| 8 | [-D port] [-e escape_char] [-F configfile] [-i identity_file] | 8 | [-D port] [-e escape_char] [-F configfile] [-i identity_file] |
| 9 | [-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option] | 9 | [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] |
| 10 | [-p port] [-R port:host:hostport] [-S ctl] [user@]hostname [command] | 10 | [-O ctl_cmd] [-o option] [-p port] |
| 11 | [-R [bind_address:]port:host:hostport] [-S ctl_path] [user@]hostname | ||
| 12 | [command] | ||
| 11 | 13 | ||
| 12 | DESCRIPTION | 14 | DESCRIPTION |
| 13 | ssh (SSH client) is a program for logging into a remote machine and for | 15 | ssh (SSH client) is a program for logging into a remote machine and for |
| @@ -24,27 +26,22 @@ DESCRIPTION | |||
| 24 | of a login shell. | 26 | of a login shell. |
| 25 | 27 | ||
| 26 | SSH protocol version 1 | 28 | SSH protocol version 1 |
| 27 | First, if the machine the user logs in from is listed in /etc/hosts.equiv | 29 | The first authentication method is the rhosts or hosts.equiv method com- |
| 28 | or /etc/shosts.equiv on the remote machine, and the user names are the | 30 | bined with RSA-based host authentication. If the machine the user logs |
| 29 | same on both sides, the user is immediately permitted to log in. Second, | 31 | in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote |
| 30 | if .rhosts or .shosts exists in the user's home directory on the remote | 32 | machine, and the user names are the same on both sides, or if the files |
| 31 | machine and contains a line containing the name of the client machine and | 33 | $HOME/.rhosts or $HOME/.shosts exist in the user's home directory on the |
| 32 | the name of the user on that machine, the user is permitted to log in. | 34 | remote machine and contain a line containing the name of the client ma- |
| 33 | This form of authentication alone is normally not allowed by the server | 35 | chine and the name of the user on that machine, the user is considered |
| 34 | because it is not secure. | 36 | for log in. Additionally, if the server can verify the client's host key |
| 35 | 37 | (see /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts in the FILES | |
| 36 | The second authentication method is the rhosts or hosts.equiv method com- | 38 | section), only then is login permitted. This authentication method clos- |
| 37 | bined with RSA-based host authentication. It means that if the login | 39 | es security holes due to IP spoofing, DNS spoofing and routing spoofing. |
| 38 | would be permitted by $HOME/.rhosts, $HOME/.shosts, /etc/hosts.equiv, or | 40 | [Note to the administrator: /etc/hosts.equiv, $HOME/.rhosts, and the |
| 39 | /etc/shosts.equiv, and if additionally the server can verify the client's | 41 | rlogin/rsh protocol in general, are inherently insecure and should be |
| 40 | host key (see /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts in the | ||
| 41 | FILES section), only then is login permitted. This authentication method | ||
| 42 | closes security holes due to IP spoofing, DNS spoofing and routing spoof- | ||
| 43 | ing. [Note to the administrator: /etc/hosts.equiv, $HOME/.rhosts, and | ||
| 44 | the rlogin/rsh protocol in general, are inherently insecure and should be | ||
| 45 | disabled if security is desired.] | 42 | disabled if security is desired.] |
| 46 | 43 | ||
| 47 | As a third authentication method, ssh supports RSA based authentication. | 44 | As a second authentication method, ssh supports RSA based authentication. |
| 48 | The scheme is based on public-key cryptography: there are cryptosystems | 45 | The scheme is based on public-key cryptography: there are cryptosystems |
| 49 | where encryption and decryption are done using separate keys, and it is | 46 | where encryption and decryption are done using separate keys, and it is |
| 50 | not possible to derive the decryption key from the encryption key. RSA | 47 | not possible to derive the decryption key from the encryption key. RSA |
| @@ -70,8 +67,7 @@ DESCRIPTION | |||
| 70 | directory on the remote machine (the authorized_keys file corresponds to | 67 | directory on the remote machine (the authorized_keys file corresponds to |
| 71 | the conventional $HOME/.rhosts file, and has one key per line, though the | 68 | the conventional $HOME/.rhosts file, and has one key per line, though the |
| 72 | lines can be very long). After this, the user can log in without giving | 69 | lines can be very long). After this, the user can log in without giving |
| 73 | the password. RSA authentication is much more secure than rhosts authen- | 70 | the password. |
| 74 | tication. | ||
| 75 | 71 | ||
| 76 | The most convenient way to use RSA authentication may be with an authen- | 72 | The most convenient way to use RSA authentication may be with an authen- |
| 77 | tication agent. See ssh-agent(1) for more information. | 73 | tication agent. See ssh-agent(1) for more information. |
| @@ -323,16 +319,24 @@ DESCRIPTION | |||
| 323 | -k Disables forwarding (delegation) of GSSAPI credentials to the | 319 | -k Disables forwarding (delegation) of GSSAPI credentials to the |
| 324 | server. | 320 | server. |
| 325 | 321 | ||
| 326 | -L port:host:hostport | 322 | -L [bind_address:]port:host:hostport |
| 327 | Specifies that the given port on the local (client) host is to be | 323 | Specifies that the given port on the local (client) host is to be |
| 328 | forwarded to the given host and port on the remote side. This | 324 | forwarded to the given host and port on the remote side. This |
| 329 | works by allocating a socket to listen to port on the local side, | 325 | works by allocating a socket to listen to port on the local side, |
| 330 | and whenever a connection is made to this port, the connection is | 326 | optionally bound to the specified bind_address. Whenever a con- |
| 331 | forwarded over the secure channel, and a connection is made to | 327 | nection is made to this port, the connection is forwarded over |
| 332 | host port hostport from the remote machine. Port forwardings can | 328 | the secure channel, and a connection is made to host port |
| 333 | also be specified in the configuration file. Only root can for- | 329 | hostport from the remote machine. Port forwardings can also be |
| 334 | ward privileged ports. IPv6 addresses can be specified with an | 330 | specified in the configuration file. IPv6 addresses can be spec- |
| 335 | alternative syntax: port/host/hostport. | 331 | ified with an alternative syntax: [bind_address/]port/host/host- |
| 332 | port or by enclosing the address in square brackets. Only the | ||
| 333 | superuser can forward privileged ports. By default, the local | ||
| 334 | port is bound in accordance with the GatewayPorts setting. How- | ||
| 335 | ever, an explicit bind_address may be used to bind the connection | ||
| 336 | to a specific address. The bind_address of ``localhost'' indi- | ||
| 337 | cates that the listening port be bound for local use only, while | ||
| 338 | an empty address or `*' indicates that the port should be avail- | ||
| 339 | able from all interfaces. | ||
| 336 | 340 | ||
| 337 | -l login_name | 341 | -l login_name |
| 338 | Specifies the user to log in as on the remote machine. This also | 342 | Specifies the user to log in as on the remote machine. This also |
| @@ -359,6 +363,13 @@ DESCRIPTION | |||
| 359 | will be put in the background. (This does not work if ssh needs | 363 | will be put in the background. (This does not work if ssh needs |
| 360 | to ask for a password or passphrase; see also the -f option.) | 364 | to ask for a password or passphrase; see also the -f option.) |
| 361 | 365 | ||
| 366 | -O ctl_cmd | ||
| 367 | Control an active connection multiplexing master process. When | ||
| 368 | the -O option is specified, the ctl_cmd argument is interpreted | ||
| 369 | and passed to the master process. Valid commands are: ``check'' | ||
| 370 | (check that the master process is running) and ``exit'' (request | ||
| 371 | the master to exit). | ||
| 372 | |||
| 362 | -o option | 373 | -o option |
| 363 | Can be used to give options in the format used in the configura- | 374 | Can be used to give options in the format used in the configura- |
| 364 | tion file. This is useful for specifying options for which there | 375 | tion file. This is useful for specifying options for which there |
| @@ -388,6 +399,7 @@ DESCRIPTION | |||
| 388 | GlobalKnownHostsFile | 399 | GlobalKnownHostsFile |
| 389 | GSSAPIAuthentication | 400 | GSSAPIAuthentication |
| 390 | GSSAPIDelegateCredentials | 401 | GSSAPIDelegateCredentials |
| 402 | HashKnownHosts | ||
| 391 | Host | 403 | Host |
| 392 | HostbasedAuthentication | 404 | HostbasedAuthentication |
| 393 | HostKeyAlgorithms | 405 | HostKeyAlgorithms |
| @@ -395,6 +407,7 @@ DESCRIPTION | |||
| 395 | HostName | 407 | HostName |
| 396 | IdentityFile | 408 | IdentityFile |
| 397 | IdentitiesOnly | 409 | IdentitiesOnly |
| 410 | KbdInteractiveDevices | ||
| 398 | LocalForward | 411 | LocalForward |
| 399 | LogLevel | 412 | LogLevel |
| 400 | MACs | 413 | MACs |
| @@ -428,19 +441,29 @@ DESCRIPTION | |||
| 428 | -q Quiet mode. Causes all warning and diagnostic messages to be | 441 | -q Quiet mode. Causes all warning and diagnostic messages to be |
| 429 | suppressed. | 442 | suppressed. |
| 430 | 443 | ||
| 431 | -R port:host:hostport | 444 | -R [bind_address:]port:host:hostport |
| 432 | Specifies that the given port on the remote (server) host is to | 445 | Specifies that the given port on the remote (server) host is to |
| 433 | be forwarded to the given host and port on the local side. This | 446 | be forwarded to the given host and port on the local side. This |
| 434 | works by allocating a socket to listen to port on the remote | 447 | works by allocating a socket to listen to port on the remote |
| 435 | side, and whenever a connection is made to this port, the connec- | 448 | side, and whenever a connection is made to this port, the connec- |
| 436 | tion is forwarded over the secure channel, and a connection is | 449 | tion is forwarded over the secure channel, and a connection is |
| 437 | made to host port hostport from the local machine. Port forward- | 450 | made to host port hostport from the local machine. |
| 438 | ings can also be specified in the configuration file. Privileged | 451 | |
| 439 | ports can be forwarded only when logging in as root on the remote | 452 | Port forwardings can also be specified in the configuration file. |
| 440 | machine. IPv6 addresses can be specified with an alternative | 453 | Privileged ports can be forwarded only when logging in as root on |
| 441 | syntax: port/host/hostport. | 454 | the remote machine. IPv6 addresses can be specified by enclosing |
| 442 | 455 | the address in square braces or using an alternative syntax: | |
| 443 | -S ctl Specifies the location of a control socket for connection shar- | 456 | [bind_address/]host/port/hostport. |
| 457 | |||
| 458 | By default, the listening socket on the server will be bound to | ||
| 459 | the loopback interface only. This may be overriden by specifying | ||
| 460 | a bind_address. An empty bind_address, or the address `*', indi- | ||
| 461 | cates that the remote socket should listen on all interfaces. | ||
| 462 | Specifying a remote bind_address will only succeed if the serv- | ||
| 463 | er's GatewayPorts option is enabled (see sshd_config(5)). | ||
| 464 | |||
| 465 | -S ctl_path | ||
| 466 | Specifies the location of a control socket for connection shar- | ||
| 444 | ing. Refer to the description of ControlPath and ControlMaster | 467 | ing. Refer to the description of ControlPath and ControlMaster |
| 445 | in ssh_config(5) for details. | 468 | in ssh_config(5) for details. |
| 446 | 469 | ||
| @@ -473,9 +496,15 @@ DESCRIPTION | |||
| 473 | through the forwarded connection. An attacker may then be able | 496 | through the forwarded connection. An attacker may then be able |
| 474 | to perform activities such as keystroke monitoring. | 497 | to perform activities such as keystroke monitoring. |
| 475 | 498 | ||
| 499 | For this reason, X11 forwarding is subjected to X11 SECURITY ex- | ||
| 500 | tension restrictions by default. Please refer to the ssh -Y op- | ||
| 501 | tion and the ForwardX11Trusted directive in ssh_config(5) for | ||
| 502 | more information. | ||
| 503 | |||
| 476 | -x Disables X11 forwarding. | 504 | -x Disables X11 forwarding. |
| 477 | 505 | ||
| 478 | -Y Enables trusted X11 forwarding. | 506 | -Y Enables trusted X11 forwarding. Trusted X11 forwardings are not |
| 507 | subjected to the X11 SECURITY extension controls. | ||
| 479 | 508 | ||
| 480 | CONFIGURATION FILES | 509 | CONFIGURATION FILES |
| 481 | ssh may additionally obtain configuration data from a per-user configura- | 510 | ssh may additionally obtain configuration data from a per-user configura- |
| @@ -509,7 +538,7 @@ ENVIRONMENT | |||
| 509 | have a terminal associated with it but DISPLAY and SSH_ASKPASS | 538 | have a terminal associated with it but DISPLAY and SSH_ASKPASS |
| 510 | are set, it will execute the program specified by SSH_ASKPASS | 539 | are set, it will execute the program specified by SSH_ASKPASS |
| 511 | and open an X11 window to read the passphrase. This is particu- | 540 | and open an X11 window to read the passphrase. This is particu- |
| 512 | larly useful when calling ssh from a .Xsession or related | 541 | larly useful when calling ssh from a .xsession or related |
| 513 | script. (Note that on some machines it may be necessary to | 542 | script. (Note that on some machines it may be necessary to |
| 514 | redirect the input from /dev/null to make this work.) | 543 | redirect the input from /dev/null to make this work.) |
| 515 | 544 | ||
| @@ -620,7 +649,8 @@ FILES | |||
| 620 | method is used. By default ssh is not setuid root. | 649 | method is used. By default ssh is not setuid root. |
| 621 | 650 | ||
| 622 | $HOME/.rhosts | 651 | $HOME/.rhosts |
| 623 | This file is used in rhosts authentication to list the host/user | 652 | This file is used in RhostsRSAAuthentication and |
| 653 | HostbasedAuthentication authentication to list the host/user | ||
| 624 | pairs that are permitted to log in. (Note that this file is also | 654 | pairs that are permitted to log in. (Note that this file is also |
| 625 | used by rlogin and rsh, which makes using this file insecure.) | 655 | used by rlogin and rsh, which makes using this file insecure.) |
| 626 | Each line of the file contains a host name (in the canonical form | 656 | Each line of the file contains a host name (in the canonical form |
| @@ -632,27 +662,29 @@ FILES | |||
| 632 | for anyone else. The recommended permission for most machines is | 662 | for anyone else. The recommended permission for most machines is |
| 633 | read/write for the user, and not accessible by others. | 663 | read/write for the user, and not accessible by others. |
| 634 | 664 | ||
| 635 | Note that by default sshd(8) will be installed so that it re- | 665 | Note that sshd(8) allows authentication only in combination with |
| 636 | quires successful RSA host authentication before permitting | 666 | client host key authentication before permitting log in. If the |
| 637 | rhosts authentication. If the server machine does not have the | 667 | server machine does not have the client's host key in |
| 638 | client's host key in /etc/ssh/ssh_known_hosts, it can be stored | 668 | /etc/ssh/ssh_known_hosts, it can be stored in |
| 639 | in $HOME/.ssh/known_hosts. The easiest way to do this is to con- | 669 | $HOME/.ssh/known_hosts. The easiest way to do this is to connect |
| 640 | nect back to the client from the server machine using ssh; this | 670 | back to the client from the server machine using ssh; this will |
| 641 | will automatically add the host key to $HOME/.ssh/known_hosts. | 671 | automatically add the host key to $HOME/.ssh/known_hosts. |
| 642 | 672 | ||
| 643 | $HOME/.shosts | 673 | $HOME/.shosts |
| 644 | This file is used exactly the same way as .rhosts. The purpose | 674 | This file is used exactly the same way as .rhosts. The purpose |
| 645 | for having this file is to be able to use rhosts authentication | 675 | for having this file is to be able to use RhostsRSAAuthentication |
| 646 | with ssh without permitting login with rlogin or rsh(1). | 676 | and HostbasedAuthentication authentication without permitting lo- |
| 677 | gin with rlogin or rsh(1). | ||
| 647 | 678 | ||
| 648 | /etc/hosts.equiv | 679 | /etc/hosts.equiv |
| 649 | This file is used during rhosts authentication. It contains | 680 | This file is used during RhostsRSAAuthentication and |
| 650 | canonical hosts names, one per line (the full format is described | 681 | HostbasedAuthentication authentication. It contains canonical |
| 651 | in the sshd(8) manual page). If the client host is found in this | 682 | hosts names, one per line (the full format is described in the |
| 652 | file, login is automatically permitted provided client and server | 683 | sshd(8) manual page). If the client host is found in this file, |
| 653 | user names are the same. Additionally, successful RSA host au- | 684 | login is automatically permitted provided client and server user |
| 654 | thentication is normally required. This file should only be | 685 | names are the same. Additionally, successful client host key au- |
| 655 | writable by root. | 686 | thentication is required. This file should only be writable by |
| 687 | root. | ||
| 656 | 688 | ||
| 657 | /etc/shosts.equiv | 689 | /etc/shosts.equiv |
| 658 | This file is processed exactly as /etc/hosts.equiv. This file | 690 | This file is processed exactly as /etc/hosts.equiv. This file |