diff options
Diffstat (limited to 'ssh.0')
-rw-r--r-- | ssh.0 | 495 |
1 files changed, 275 insertions, 220 deletions
@@ -1,32 +1,33 @@ | |||
1 | SSH(1) BSD General Commands Manual SSH(1) | 1 | SSH(1) OpenBSD Reference Manual SSH(1) |
2 | 2 | ||
3 | NAME | 3 | NAME |
4 | ssh - OpenSSH SSH client (remote login program) | 4 | ssh - OpenSSH SSH client (remote login program) |
5 | 5 | ||
6 | SYNOPSIS | 6 | SYNOPSIS |
7 | ssh [-l login_name] hostname | user@hostname [command] | 7 | ssh [-1246AaCfgkNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] [-D port] |
8 | 8 | [-e escape_char] [-F configfile] [-i identity_file] | |
9 | ssh [-afgknqstvxACNTVX1246] [-b bind_address] [-c cipher_spec] | 9 | [-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option] |
10 | [-e escape_char] [-i identity_file] [-l login_name] [-m mac_spec] | 10 | [-p port] [-R port:host:hostport] [user@]hostname [command] |
11 | [-o option] [-p port] [-F configfile] [-L port:host:hostport] | ||
12 | [-R port:host:hostport] [-D port] hostname | user@hostname [command] | ||
13 | 11 | ||
14 | DESCRIPTION | 12 | DESCRIPTION |
15 | ssh (SSH client) is a program for logging into a remote machine and for | 13 | ssh (SSH client) is a program for logging into a remote machine and for |
16 | executing commands on a remote machine. It is intended to replace rlogin | 14 | executing commands on a remote machine. It is intended to replace rlogin |
17 | and rsh, and provide secure encrypted communications between two | 15 | and rsh, and provide secure encrypted communications between two untrust- |
18 | untrusted hosts over an insecure network. X11 connections and arbitrary | 16 | ed hosts over an insecure network. X11 connections and arbitrary TCP/IP |
19 | TCP/IP ports can also be forwarded over the secure channel. | 17 | ports can also be forwarded over the secure channel. |
18 | |||
19 | ssh connects and logs into the specified hostname (with optional user | ||
20 | name). The user must prove his/her identity to the remote machine using | ||
21 | one of several methods depending on the protocol version used. | ||
20 | 22 | ||
21 | ssh connects and logs into the specified hostname. The user must prove | 23 | If command is specified, command is executed on the remote host instead |
22 | his/her identity to the remote machine using one of several methods | 24 | of a login shell. |
23 | depending on the protocol version used: | ||
24 | 25 | ||
25 | SSH protocol version 1 | 26 | SSH protocol version 1 |
26 | First, if the machine the user logs in from is listed in /etc/hosts.equiv | 27 | First, if the machine the user logs in from is listed in /etc/hosts.equiv |
27 | or /etc/shosts.equiv on the remote machine, and the user names are the | 28 | or /etc/shosts.equiv on the remote machine, and the user names are the |
28 | same on both sides, the user is immediately permitted to log in. Second, | 29 | same on both sides, the user is immediately permitted to log in. Second, |
29 | if .rhosts or .shosts exists in the userM-bM-^@M-^Ys home directory on the remote | 30 | if .rhosts or .shosts exists in the user's home directory on the remote |
30 | machine and contains a line containing the name of the client machine and | 31 | machine and contains a line containing the name of the client machine and |
31 | the name of the user on that machine, the user is permitted to log in. | 32 | the name of the user on that machine, the user is permitted to log in. |
32 | This form of authentication alone is normally not allowed by the server | 33 | This form of authentication alone is normally not allowed by the server |
@@ -35,9 +36,9 @@ DESCRIPTION | |||
35 | The second authentication method is the rhosts or hosts.equiv method com- | 36 | The second authentication method is the rhosts or hosts.equiv method com- |
36 | bined with RSA-based host authentication. It means that if the login | 37 | bined with RSA-based host authentication. It means that if the login |
37 | would be permitted by $HOME/.rhosts, $HOME/.shosts, /etc/hosts.equiv, or | 38 | would be permitted by $HOME/.rhosts, $HOME/.shosts, /etc/hosts.equiv, or |
38 | /etc/shosts.equiv, and if additionally the server can verify the clientM-bM-^@M-^Ys | 39 | /etc/shosts.equiv, and if additionally the server can verify the client's |
39 | host key (see /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts in the | 40 | host key (see /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts in the |
40 | FILES section), only then login is permitted. This authentication method | 41 | FILES section), only then is login permitted. This authentication method |
41 | closes security holes due to IP spoofing, DNS spoofing and routing spoof- | 42 | closes security holes due to IP spoofing, DNS spoofing and routing spoof- |
42 | ing. [Note to the administrator: /etc/hosts.equiv, $HOME/.rhosts, and | 43 | ing. [Note to the administrator: /etc/hosts.equiv, $HOME/.rhosts, and |
43 | the rlogin/rsh protocol in general, are inherently insecure and should be | 44 | the rlogin/rsh protocol in general, are inherently insecure and should be |
@@ -49,21 +50,22 @@ DESCRIPTION | |||
49 | not possible to derive the decryption key from the encryption key. RSA | 50 | not possible to derive the decryption key from the encryption key. RSA |
50 | is one such system. The idea is that each user creates a public/private | 51 | is one such system. The idea is that each user creates a public/private |
51 | key pair for authentication purposes. The server knows the public key, | 52 | key pair for authentication purposes. The server knows the public key, |
52 | and only the user knows the private key. The file | 53 | and only the user knows the private key. |
53 | $HOME/.ssh/authorized_keys lists the public keys that are permitted for | 54 | |
54 | logging in. When the user logs in, the ssh program tells the server | 55 | The file $HOME/.ssh/authorized_keys lists the public keys that are per- |
55 | which key pair it would like to use for authentication. The server | 56 | mitted for logging in. When the user logs in, the ssh program tells the |
56 | checks if this key is permitted, and if so, sends the user (actually the | 57 | server which key pair it would like to use for authentication. The serv- |
57 | ssh program running on behalf of the user) a challenge, a random number, | 58 | er checks if this key is permitted, and if so, sends the user (actually |
58 | encrypted by the userM-bM-^@M-^Ys public key. The challenge can only be decrypted | 59 | the ssh program running on behalf of the user) a challenge, a random num- |
59 | using the proper private key. The userM-bM-^@M-^Ys client then decrypts the chal- | 60 | ber, encrypted by the user's public key. The challenge can only be de- |
60 | lenge using the private key, proving that he/she knows the private key | 61 | crypted using the proper private key. The user's client then decrypts |
61 | but without disclosing it to the server. | 62 | the challenge using the private key, proving that he/she knows the pri- |
63 | vate key but without disclosing it to the server. | ||
62 | 64 | ||
63 | ssh implements the RSA authentication protocol automatically. The user | 65 | ssh implements the RSA authentication protocol automatically. The user |
64 | creates his/her RSA key pair by running ssh-keygen(1). This stores the | 66 | creates his/her RSA key pair by running ssh-keygen(1). This stores the |
65 | private key in $HOME/.ssh/identity and the public key in | 67 | private key in $HOME/.ssh/identity and stores the public key in |
66 | $HOME/.ssh/identity.pub in the userM-bM-^@M-^Ys home directory. The user should | 68 | $HOME/.ssh/identity.pub in the user's home directory. The user should |
67 | then copy the identity.pub to $HOME/.ssh/authorized_keys in his/her home | 69 | then copy the identity.pub to $HOME/.ssh/authorized_keys in his/her home |
68 | directory on the remote machine (the authorized_keys file corresponds to | 70 | directory on the remote machine (the authorized_keys file corresponds to |
69 | the conventional $HOME/.rhosts file, and has one key per line, though the | 71 | the conventional $HOME/.rhosts file, and has one key per line, though the |
@@ -80,11 +82,11 @@ DESCRIPTION | |||
80 | someone listening on the network. | 82 | someone listening on the network. |
81 | 83 | ||
82 | SSH protocol version 2 | 84 | SSH protocol version 2 |
83 | When a user connects using protocol version 2 similar authentication | 85 | When a user connects using protocol version 2, similar authentication |
84 | methods are available. Using the default values for | 86 | methods are available. Using the default values for |
85 | PreferredAuthentications, the client will try to authenticate first using | 87 | PreferredAuthentications, the client will try to authenticate first using |
86 | the hostbased method; if this method fails public key authentication is | 88 | the hostbased method; if this method fails, public key authentication is |
87 | attempted, and finally if this method fails keyboard-interactive and | 89 | attempted, and finally if this method fails, keyboard-interactive and |
88 | password authentication are tried. | 90 | password authentication are tried. |
89 | 91 | ||
90 | The public key method is similar to RSA authentication described in the | 92 | The public key method is similar to RSA authentication described in the |
@@ -94,11 +96,11 @@ DESCRIPTION | |||
94 | server checks whether the matching public key is listed in | 96 | server checks whether the matching public key is listed in |
95 | $HOME/.ssh/authorized_keys and grants access if both the key is found and | 97 | $HOME/.ssh/authorized_keys and grants access if both the key is found and |
96 | the signature is correct. The session identifier is derived from a | 98 | the signature is correct. The session identifier is derived from a |
97 | shared Diffie-Hellman value and is only known to the client and the | 99 | shared Diffie-Hellman value and is only known to the client and the serv- |
98 | server. | 100 | er. |
99 | 101 | ||
100 | If public key authentication fails or is not available a password can be | 102 | If public key authentication fails or is not available, a password can be |
101 | sent encrypted to the remote host for proving the userM-bM-^@M-^Ys identity. | 103 | sent encrypted to the remote host to prove the user's identity. |
102 | 104 | ||
103 | Additionally, ssh supports hostbased or challenge response authentica- | 105 | Additionally, ssh supports hostbased or challenge response authentica- |
104 | tion. | 106 | tion. |
@@ -109,25 +111,25 @@ DESCRIPTION | |||
109 | ensuring the integrity of the connection. | 111 | ensuring the integrity of the connection. |
110 | 112 | ||
111 | Login session and remote execution | 113 | Login session and remote execution |
112 | When the userM-bM-^@M-^Ys identity has been accepted by the server, the server | 114 | When the user's identity has been accepted by the server, the server ei- |
113 | either executes the given command, or logs into the machine and gives the | 115 | ther executes the given command, or logs into the machine and gives the |
114 | user a normal shell on the remote machine. All communication with the | 116 | user a normal shell on the remote machine. All communication with the |
115 | remote command or shell will be automatically encrypted. | 117 | remote command or shell will be automatically encrypted. |
116 | 118 | ||
117 | If a pseudo-terminal has been allocated (normal login session), the user | 119 | If a pseudo-terminal has been allocated (normal login session), the user |
118 | may use the escape characters noted below. | 120 | may use the escape characters noted below. |
119 | 121 | ||
120 | If no pseudo tty has been allocated, the session is transparent and can | 122 | If no pseudo-tty has been allocated, the session is transparent and can |
121 | be used to reliably transfer binary data. On most systems, setting the | 123 | be used to reliably transfer binary data. On most systems, setting the |
122 | escape character to M-bM-^@M-^\noneM-bM-^@M-^] will also make the session transparent even if | 124 | escape character to ``none'' will also make the session transparent even |
123 | a tty is used. | 125 | if a tty is used. |
124 | 126 | ||
125 | The session terminates when the command or shell on the remote machine | 127 | The session terminates when the command or shell on the remote machine |
126 | exits and all X11 and TCP/IP connections have been closed. The exit sta- | 128 | exits and all X11 and TCP/IP connections have been closed. The exit sta- |
127 | tus of the remote program is returned as the exit status of ssh. | 129 | tus of the remote program is returned as the exit status of ssh. |
128 | 130 | ||
129 | Escape Characters | 131 | Escape Characters |
130 | When a pseudo terminal has been requested, ssh supports a number of func- | 132 | When a pseudo-terminal has been requested, ssh supports a number of func- |
131 | tions through the use of an escape character. | 133 | tions through the use of an escape character. |
132 | 134 | ||
133 | A single tilde character can be sent as ~~ or by following the tilde by a | 135 | A single tilde character can be sent as ~~ or by following the tilde by a |
@@ -136,42 +138,42 @@ DESCRIPTION | |||
136 | ter can be changed in configuration files using the EscapeChar configura- | 138 | ter can be changed in configuration files using the EscapeChar configura- |
137 | tion directive or on the command line by the -e option. | 139 | tion directive or on the command line by the -e option. |
138 | 140 | ||
139 | The supported escapes (assuming the default M-bM-^@M-^X~M-bM-^@M-^Y) are: | 141 | The supported escapes (assuming the default `~') are: |
140 | 142 | ||
141 | ~. Disconnect | 143 | ~. Disconnect. |
142 | 144 | ||
143 | ~^Z Background ssh | 145 | ~^Z Background ssh. |
144 | 146 | ||
145 | ~# List forwarded connections | 147 | ~# List forwarded connections. |
146 | 148 | ||
147 | ~& Background ssh at logout when waiting for forwarded connection / | 149 | ~& Background ssh at logout when waiting for forwarded connection / |
148 | X11 sessions to terminate | 150 | X11 sessions to terminate. |
149 | 151 | ||
150 | ~? Display a list of escape characters | 152 | ~? Display a list of escape characters. |
151 | 153 | ||
152 | ~B Send a BREAK to the remote system (only useful for SSH protocol | 154 | ~B Send a BREAK to the remote system (only useful for SSH protocol |
153 | version 2 and if the peer supports it) | 155 | version 2 and if the peer supports it). |
154 | 156 | ||
155 | ~C Open command line (only useful for adding port forwardings using | 157 | ~C Open command line (only useful for adding port forwardings using |
156 | the -L and -R options) | 158 | the -L and -R options). |
157 | 159 | ||
158 | ~R Request rekeying of the connection (only useful for SSH protocol | 160 | ~R Request rekeying of the connection (only useful for SSH protocol |
159 | version 2 and if the peer supports it) | 161 | version 2 and if the peer supports it). |
160 | 162 | ||
161 | X11 and TCP forwarding | 163 | X11 and TCP forwarding |
162 | If the ForwardX11 variable is set to M-bM-^@M-^\yesM-bM-^@M-^] (or, see the description of | 164 | If the ForwardX11 variable is set to ``yes'' (or see the description of |
163 | the -X and -x options described later) and the user is using X11 (the | 165 | the -X and -x options described later) and the user is using X11 (the |
164 | DISPLAY environment variable is set), the connection to the X11 display | 166 | DISPLAY environment variable is set), the connection to the X11 display |
165 | is automatically forwarded to the remote side in such a way that any X11 | 167 | is automatically forwarded to the remote side in such a way that any X11 |
166 | programs started from the shell (or command) will go through the | 168 | programs started from the shell (or command) will go through the encrypt- |
167 | encrypted channel, and the connection to the real X server will be made | 169 | ed channel, and the connection to the real X server will be made from the |
168 | from the local machine. The user should not manually set DISPLAY. For- | 170 | local machine. The user should not manually set DISPLAY. Forwarding of |
169 | warding of X11 connections can be configured on the command line or in | 171 | X11 connections can be configured on the command line or in configuration |
170 | configuration files. | 172 | files. |
171 | 173 | ||
172 | The DISPLAY value set by ssh will point to the server machine, but with a | 174 | The DISPLAY value set by ssh will point to the server machine, but with a |
173 | display number greater than zero. This is normal, and happens because | 175 | display number greater than zero. This is normal, and happens because |
174 | ssh creates a M-bM-^@M-^\proxyM-bM-^@M-^] X server on the server machine for forwarding the | 176 | ssh creates a ``proxy'' X server on the server machine for forwarding the |
175 | connections over the encrypted channel. | 177 | connections over the encrypted channel. |
176 | 178 | ||
177 | ssh will also automatically set up Xauthority data on the server machine. | 179 | ssh will also automatically set up Xauthority data on the server machine. |
@@ -181,7 +183,7 @@ DESCRIPTION | |||
181 | is opened. The real authentication cookie is never sent to the server | 183 | is opened. The real authentication cookie is never sent to the server |
182 | machine (and no cookies are sent in the plain). | 184 | machine (and no cookies are sent in the plain). |
183 | 185 | ||
184 | If the ForwardAgent variable is set to M-bM-^@M-^\yesM-bM-^@M-^] (or, see the description of | 186 | If the ForwardAgent variable is set to ``yes'' (or see the description of |
185 | the -A and -a options described later) and the user is using an authenti- | 187 | the -A and -a options described later) and the user is using an authenti- |
186 | cation agent, the connection to the agent is automatically forwarded to | 188 | cation agent, the connection to the agent is automatically forwarded to |
187 | the remote side. | 189 | the remote side. |
@@ -194,11 +196,11 @@ DESCRIPTION | |||
194 | Server authentication | 196 | Server authentication |
195 | ssh automatically maintains and checks a database containing identifica- | 197 | ssh automatically maintains and checks a database containing identifica- |
196 | tions for all hosts it has ever been used with. Host keys are stored in | 198 | tions for all hosts it has ever been used with. Host keys are stored in |
197 | $HOME/.ssh/known_hosts in the userM-bM-^@M-^Ys home directory. Additionally, the | 199 | $HOME/.ssh/known_hosts in the user's home directory. Additionally, the |
198 | file /etc/ssh/ssh_known_hosts is automatically checked for known hosts. | 200 | file /etc/ssh/ssh_known_hosts is automatically checked for known hosts. |
199 | Any new hosts are automatically added to the userM-bM-^@M-^Ys file. If a hostM-bM-^@M-^Ys | 201 | Any new hosts are automatically added to the user's file. If a host's |
200 | identification ever changes, ssh warns about this and disables password | 202 | identification ever changes, ssh warns about this and disables password |
201 | authentication to prevent a trojan horse from getting the userM-bM-^@M-^Ys pass- | 203 | authentication to prevent a trojan horse from getting the user's pass- |
202 | word. Another purpose of this mechanism is to prevent man-in-the-middle | 204 | word. Another purpose of this mechanism is to prevent man-in-the-middle |
203 | attacks which could otherwise be used to circumvent the encryption. The | 205 | attacks which could otherwise be used to circumvent the encryption. The |
204 | StrictHostKeyChecking option can be used to prevent logins to machines | 206 | StrictHostKeyChecking option can be used to prevent logins to machines |
@@ -206,7 +208,13 @@ DESCRIPTION | |||
206 | 208 | ||
207 | The options are as follows: | 209 | The options are as follows: |
208 | 210 | ||
209 | -a Disables forwarding of the authentication agent connection. | 211 | -1 Forces ssh to try protocol version 1 only. |
212 | |||
213 | -2 Forces ssh to try protocol version 2 only. | ||
214 | |||
215 | -4 Forces ssh to use IPv4 addresses only. | ||
216 | |||
217 | -6 Forces ssh to use IPv6 addresses only. | ||
210 | 218 | ||
211 | -A Enables forwarding of the authentication agent connection. This | 219 | -A Enables forwarding of the authentication agent connection. This |
212 | can also be specified on a per-host basis in a configuration | 220 | can also be specified on a per-host basis in a configuration |
@@ -214,21 +222,32 @@ DESCRIPTION | |||
214 | 222 | ||
215 | Agent forwarding should be enabled with caution. Users with the | 223 | Agent forwarding should be enabled with caution. Users with the |
216 | ability to bypass file permissions on the remote host (for the | 224 | ability to bypass file permissions on the remote host (for the |
217 | agentM-bM-^@M-^Ys Unix-domain socket) can access the local agent through | 225 | agent's Unix-domain socket) can access the local agent through |
218 | the forwarded connection. An attacker cannot obtain key material | 226 | the forwarded connection. An attacker cannot obtain key material |
219 | from the agent, however they can perform operations on the keys | 227 | from the agent, however they can perform operations on the keys |
220 | that enable them to authenticate using the identities loaded into | 228 | that enable them to authenticate using the identities loaded into |
221 | the agent. | 229 | the agent. |
222 | 230 | ||
231 | -a Disables forwarding of the authentication agent connection. | ||
232 | |||
223 | -b bind_address | 233 | -b bind_address |
224 | Specify the interface to transmit from on machines with multiple | 234 | Specify the interface to transmit from on machines with multiple |
225 | interfaces or aliased addresses. | 235 | interfaces or aliased addresses. |
226 | 236 | ||
227 | -c blowfish|3des|des | 237 | -C Requests compression of all data (including stdin, stdout, |
238 | stderr, and data for forwarded X11 and TCP/IP connections). The | ||
239 | compression algorithm is the same used by gzip(1), and the | ||
240 | ``level'' can be controlled by the CompressionLevel option for | ||
241 | protocol version 1. Compression is desirable on modem lines and | ||
242 | other slow connections, but will only slow down things on fast | ||
243 | networks. The default value can be set on a host-by-host basis | ||
244 | in the configuration files; see the Compression option. | ||
245 | |||
246 | -c blowfish | 3des | des | ||
228 | Selects the cipher to use for encrypting the session. 3des is | 247 | Selects the cipher to use for encrypting the session. 3des is |
229 | used by default. It is believed to be secure. 3des (triple-des) | 248 | used by default. It is believed to be secure. 3des (triple-des) |
230 | is an encrypt-decrypt-encrypt triple with three different keys. | 249 | is an encrypt-decrypt-encrypt triple with three different keys. |
231 | blowfish is a fast block cipher, it appears very secure and is | 250 | blowfish is a fast block cipher; it appears very secure and is |
232 | much faster than 3des. des is only supported in the ssh client | 251 | much faster than 3des. des is only supported in the ssh client |
233 | for interoperability with legacy protocol 1 implementations that | 252 | for interoperability with legacy protocol 1 implementations that |
234 | do not support the 3des cipher. Its use is strongly discouraged | 253 | do not support the 3des cipher. Its use is strongly discouraged |
@@ -239,39 +258,67 @@ DESCRIPTION | |||
239 | ciphers can be specified in order of preference. See Ciphers for | 258 | ciphers can be specified in order of preference. See Ciphers for |
240 | more information. | 259 | more information. |
241 | 260 | ||
242 | -e ch|^ch|none | 261 | -D port |
243 | Sets the escape character for sessions with a pty (default: M-bM-^@M-^X~M-bM-^@M-^Y). | 262 | Specifies a local ``dynamic'' application-level port forwarding. |
263 | This works by allocating a socket to listen to port on the local | ||
264 | side, and whenever a connection is made to this port, the connec- | ||
265 | tion is forwarded over the secure channel, and the application | ||
266 | protocol is then used to determine where to connect to from the | ||
267 | remote machine. Currently the SOCKS4 and SOCKS5 protocols are | ||
268 | supported, and ssh will act as a SOCKS server. Only root can | ||
269 | forward privileged ports. Dynamic port forwardings can also be | ||
270 | specified in the configuration file. | ||
271 | |||
272 | -e ch | ^ch | none | ||
273 | Sets the escape character for sessions with a pty (default: `~'). | ||
244 | The escape character is only recognized at the beginning of a | 274 | The escape character is only recognized at the beginning of a |
245 | line. The escape character followed by a dot (M-bM-^@M-^X.M-bM-^@M-^Y) closes the | 275 | line. The escape character followed by a dot (`.') closes the |
246 | connection, followed by control-Z suspends the connection, and | 276 | connection; followed by control-Z suspends the connection; and |
247 | followed by itself sends the escape character once. Setting the | 277 | followed by itself sends the escape character once. Setting the |
248 | character to M-bM-^@M-^\noneM-bM-^@M-^] disables any escapes and makes the session | 278 | character to ``none'' disables any escapes and makes the session |
249 | fully transparent. | 279 | fully transparent. |
250 | 280 | ||
281 | -F configfile | ||
282 | Specifies an alternative per-user configuration file. If a con- | ||
283 | figuration file is given on the command line, the system-wide | ||
284 | configuration file (/etc/ssh/ssh_config) will be ignored. The | ||
285 | default for the per-user configuration file is $HOME/.ssh/config. | ||
286 | |||
251 | -f Requests ssh to go to background just before command execution. | 287 | -f Requests ssh to go to background just before command execution. |
252 | This is useful if ssh is going to ask for passwords or | 288 | This is useful if ssh is going to ask for passwords or passphras- |
253 | passphrases, but the user wants it in the background. This | 289 | es, but the user wants it in the background. This implies -n. |
254 | implies -n. The recommended way to start X11 programs at a | 290 | The recommended way to start X11 programs at a remote site is |
255 | remote site is with something like ssh -f host xterm. | 291 | with something like ssh -f host xterm. |
256 | 292 | ||
257 | -g Allows remote hosts to connect to local forwarded ports. | 293 | -g Allows remote hosts to connect to local forwarded ports. |
258 | 294 | ||
295 | -I smartcard_device | ||
296 | Specifies which smartcard device to use. The argument is the de- | ||
297 | vice ssh should use to communicate with a smartcard used for | ||
298 | storing the user's private RSA key. | ||
299 | |||
259 | -i identity_file | 300 | -i identity_file |
260 | Selects a file from which the identity (private key) for RSA or | 301 | Selects a file from which the identity (private key) for RSA or |
261 | DSA authentication is read. The default is $HOME/.ssh/identity | 302 | DSA authentication is read. The default is $HOME/.ssh/identity |
262 | for protocol version 1, and $HOME/.ssh/id_rsa and | 303 | for protocol version 1, and $HOME/.ssh/id_rsa and |
263 | $HOME/.ssh/id_dsa for protocol version 2. Identity files may | 304 | $HOME/.ssh/id_dsa for protocol version 2. Identity files may al- |
264 | also be specified on a per-host basis in the configuration file. | 305 | so be specified on a per-host basis in the configuration file. |
265 | It is possible to have multiple -i options (and multiple identi- | 306 | It is possible to have multiple -i options (and multiple identi- |
266 | ties specified in configuration files). | 307 | ties specified in configuration files). |
267 | 308 | ||
268 | -I smartcard_device | 309 | -k Disables forwarding (delegation) of GSSAPI credentials to the |
269 | Specifies which smartcard device to use. The argument is the | 310 | server. |
270 | device ssh should use to communicate with a smartcard used for | ||
271 | storing the userM-bM-^@M-^Ys private RSA key. | ||
272 | 311 | ||
273 | -k Disables forwarding of Kerberos tickets. This may also be speci- | 312 | -L port:host:hostport |
274 | fied on a per-host basis in the configuration file. | 313 | Specifies that the given port on the local (client) host is to be |
314 | forwarded to the given host and port on the remote side. This | ||
315 | works by allocating a socket to listen to port on the local side, | ||
316 | and whenever a connection is made to this port, the connection is | ||
317 | forwarded over the secure channel, and a connection is made to | ||
318 | host port hostport from the remote machine. Port forwardings can | ||
319 | also be specified in the configuration file. Only root can for- | ||
320 | ward privileged ports. IPv6 addresses can be specified with an | ||
321 | alternative syntax: port/host/hostport. | ||
275 | 322 | ||
276 | -l login_name | 323 | -l login_name |
277 | Specifies the user to log in as on the remote machine. This also | 324 | Specifies the user to log in as on the remote machine. This also |
@@ -282,23 +329,75 @@ DESCRIPTION | |||
282 | MAC (message authentication code) algorithms can be specified in | 329 | MAC (message authentication code) algorithms can be specified in |
283 | order of preference. See the MACs keyword for more information. | 330 | order of preference. See the MACs keyword for more information. |
284 | 331 | ||
285 | -n Redirects stdin from /dev/null (actually, prevents reading from | ||
286 | stdin). This must be used when ssh is run in the background. A | ||
287 | common trick is to use this to run X11 programs on a remote | ||
288 | machine. For example, ssh -n shadows.cs.hut.fi emacs & will | ||
289 | start an emacs on shadows.cs.hut.fi, and the X11 connection will | ||
290 | be automatically forwarded over an encrypted channel. The ssh | ||
291 | program will be put in the background. (This does not work if | ||
292 | ssh needs to ask for a password or passphrase; see also the -f | ||
293 | option.) | ||
294 | |||
295 | -N Do not execute a remote command. This is useful for just for- | 332 | -N Do not execute a remote command. This is useful for just for- |
296 | warding ports (protocol version 2 only). | 333 | warding ports (protocol version 2 only). |
297 | 334 | ||
335 | -n Redirects stdin from /dev/null (actually, prevents reading from | ||
336 | stdin). This must be used when ssh is run in the background. A | ||
337 | common trick is to use this to run X11 programs on a remote ma- | ||
338 | chine. For example, ssh -n shadows.cs.hut.fi emacs & will start | ||
339 | an emacs on shadows.cs.hut.fi, and the X11 connection will be au- | ||
340 | tomatically forwarded over an encrypted channel. The ssh program | ||
341 | will be put in the background. (This does not work if ssh needs | ||
342 | to ask for a password or passphrase; see also the -f option.) | ||
343 | |||
298 | -o option | 344 | -o option |
299 | Can be used to give options in the format used in the configura- | 345 | Can be used to give options in the format used in the configura- |
300 | tion file. This is useful for specifying options for which there | 346 | tion file. This is useful for specifying options for which there |
301 | is no separate command-line flag. | 347 | is no separate command-line flag. For full details of the op- |
348 | tions listed below, and their possible values, see ssh_config(5). | ||
349 | |||
350 | AddressFamily | ||
351 | BatchMode | ||
352 | BindAddress | ||
353 | ChallengeResponseAuthentication | ||
354 | CheckHostIP | ||
355 | Cipher | ||
356 | Ciphers | ||
357 | ClearAllForwardings | ||
358 | Compression | ||
359 | CompressionLevel | ||
360 | ConnectionAttempts | ||
361 | ConnectionTimeout | ||
362 | DynamicForward | ||
363 | EscapeChar | ||
364 | ForwardAgent | ||
365 | ForwardX11 | ||
366 | ForwardX11Trusted | ||
367 | GatewayPorts | ||
368 | GlobalKnownHostsFile | ||
369 | GSSAPIAuthentication | ||
370 | GSSAPIDelegateCredentials | ||
371 | Host | ||
372 | HostbasedAuthentication | ||
373 | HostKeyAlgorithms | ||
374 | HostKeyAlias | ||
375 | HostName | ||
376 | IdentityFile | ||
377 | LocalForward | ||
378 | LogLevel | ||
379 | MACs | ||
380 | NoHostAuthenticationForLocalhost | ||
381 | NumberOfPasswordPrompts | ||
382 | PasswordAuthentication | ||
383 | Port | ||
384 | PreferredAuthentications | ||
385 | Protocol | ||
386 | ProxyCommand | ||
387 | PubkeyAuthentication | ||
388 | RemoteForward | ||
389 | RhostsRSAAuthentication | ||
390 | RSAAuthentication | ||
391 | ServerAliveInterval | ||
392 | ServerAliveCountMax | ||
393 | SmartcardDevice | ||
394 | StrictHostKeyChecking | ||
395 | TCPKeepAlive | ||
396 | UsePrivilegedPort | ||
397 | User | ||
398 | UserKnownHostsFile | ||
399 | VerifyHostKeyDNS | ||
400 | XAuthLocation | ||
302 | 401 | ||
303 | -p port | 402 | -p port |
304 | Port to connect to on the remote host. This can be specified on | 403 | Port to connect to on the remote host. This can be specified on |
@@ -307,93 +406,50 @@ DESCRIPTION | |||
307 | -q Quiet mode. Causes all warning and diagnostic messages to be | 406 | -q Quiet mode. Causes all warning and diagnostic messages to be |
308 | suppressed. | 407 | suppressed. |
309 | 408 | ||
409 | -R port:host:hostport | ||
410 | Specifies that the given port on the remote (server) host is to | ||
411 | be forwarded to the given host and port on the local side. This | ||
412 | works by allocating a socket to listen to port on the remote | ||
413 | side, and whenever a connection is made to this port, the connec- | ||
414 | tion is forwarded over the secure channel, and a connection is | ||
415 | made to host port hostport from the local machine. Port forward- | ||
416 | ings can also be specified in the configuration file. Privileged | ||
417 | ports can be forwarded only when logging in as root on the remote | ||
418 | machine. IPv6 addresses can be specified with an alternative | ||
419 | syntax: port/host/hostport. | ||
420 | |||
310 | -s May be used to request invocation of a subsystem on the remote | 421 | -s May be used to request invocation of a subsystem on the remote |
311 | system. Subsystems are a feature of the SSH2 protocol which | 422 | system. Subsystems are a feature of the SSH2 protocol which fa- |
312 | facilitate the use of SSH as a secure transport for other appli- | 423 | cilitate the use of SSH as a secure transport for other applica- |
313 | cations (eg. sftp). The subsystem is specified as the remote | 424 | tions (eg. sftp(1)). The subsystem is specified as the remote |
314 | command. | 425 | command. |
315 | 426 | ||
427 | -T Disable pseudo-tty allocation. | ||
428 | |||
316 | -t Force pseudo-tty allocation. This can be used to execute arbi- | 429 | -t Force pseudo-tty allocation. This can be used to execute arbi- |
317 | trary screen-based programs on a remote machine, which can be | 430 | trary screen-based programs on a remote machine, which can be |
318 | very useful, e.g., when implementing menu services. Multiple -t | 431 | very useful, e.g., when implementing menu services. Multiple -t |
319 | options force tty allocation, even if ssh has no local tty. | 432 | options force tty allocation, even if ssh has no local tty. |
320 | 433 | ||
321 | -T Disable pseudo-tty allocation. | 434 | -V Display the version number and exit. |
322 | 435 | ||
323 | -v Verbose mode. Causes ssh to print debugging messages about its | 436 | -v Verbose mode. Causes ssh to print debugging messages about its |
324 | progress. This is helpful in debugging connection, authentica- | 437 | progress. This is helpful in debugging connection, authentica- |
325 | tion, and configuration problems. Multiple -v options increase | 438 | tion, and configuration problems. Multiple -v options increase |
326 | the verbosity. The maximum is 3. | 439 | the verbosity. The maximum is 3. |
327 | 440 | ||
328 | -V Display the version number and exit. | ||
329 | |||
330 | -x Disables X11 forwarding. | ||
331 | |||
332 | -X Enables X11 forwarding. This can also be specified on a per-host | 441 | -X Enables X11 forwarding. This can also be specified on a per-host |
333 | basis in a configuration file. | 442 | basis in a configuration file. |
334 | 443 | ||
335 | X11 forwarding should be enabled with caution. Users with the | 444 | X11 forwarding should be enabled with caution. Users with the |
336 | ability to bypass file permissions on the remote host (for the | 445 | ability to bypass file permissions on the remote host (for the |
337 | userM-bM-^@M-^Ys X authorization database) can access the local X11 display | 446 | user's X authorization database) can access the local X11 display |
338 | through the forwarded connection. An attacker may then be able | 447 | through the forwarded connection. An attacker may then be able |
339 | to perform activities such as keystroke monitoring. | 448 | to perform activities such as keystroke monitoring. |
340 | 449 | ||
341 | -C Requests compression of all data (including stdin, stdout, | 450 | -x Disables X11 forwarding. |
342 | stderr, and data for forwarded X11 and TCP/IP connections). The | ||
343 | compression algorithm is the same used by gzip(1), and the | ||
344 | M-bM-^@M-^\levelM-bM-^@M-^] can be controlled by the CompressionLevel option for pro- | ||
345 | tocol version 1. Compression is desirable on modem lines and | ||
346 | other slow connections, but will only slow down things on fast | ||
347 | networks. The default value can be set on a host-by-host basis | ||
348 | in the configuration files; see the Compression option. | ||
349 | |||
350 | -F configfile | ||
351 | Specifies an alternative per-user configuration file. If a con- | ||
352 | figuration file is given on the command line, the system-wide | ||
353 | configuration file (/etc/ssh/ssh_config) will be ignored. The | ||
354 | default for the per-user configuration file is $HOME/.ssh/config. | ||
355 | |||
356 | -L port:host:hostport | ||
357 | Specifies that the given port on the local (client) host is to be | ||
358 | forwarded to the given host and port on the remote side. This | ||
359 | works by allocating a socket to listen to port on the local side, | ||
360 | and whenever a connection is made to this port, the connection is | ||
361 | forwarded over the secure channel, and a connection is made to | ||
362 | host port hostport from the remote machine. Port forwardings can | ||
363 | also be specified in the configuration file. Only root can for- | ||
364 | ward privileged ports. IPv6 addresses can be specified with an | ||
365 | alternative syntax: port/host/hostport | ||
366 | |||
367 | -R port:host:hostport | ||
368 | Specifies that the given port on the remote (server) host is to | ||
369 | be forwarded to the given host and port on the local side. This | ||
370 | works by allocating a socket to listen to port on the remote | ||
371 | side, and whenever a connection is made to this port, the connec- | ||
372 | tion is forwarded over the secure channel, and a connection is | ||
373 | made to host port hostport from the local machine. Port forward- | ||
374 | ings can also be specified in the configuration file. Privileged | ||
375 | ports can be forwarded only when logging in as root on the remote | ||
376 | machine. IPv6 addresses can be specified with an alternative | ||
377 | syntax: port/host/hostport | ||
378 | |||
379 | -D port | ||
380 | Specifies a local M-bM-^@M-^\dynamicM-bM-^@M-^] application-level port forwarding. | ||
381 | This works by allocating a socket to listen to port on the local | ||
382 | side, and whenever a connection is made to this port, the connec- | ||
383 | tion is forwarded over the secure channel, and the application | ||
384 | protocol is then used to determine where to connect to from the | ||
385 | remote machine. Currently the SOCKS4 and SOCKS5 protocols are | ||
386 | supported, and ssh will act as a SOCKS server. Only root can | ||
387 | forward privileged ports. Dynamic port forwardings can also be | ||
388 | specified in the configuration file. | ||
389 | |||
390 | -1 Forces ssh to try protocol version 1 only. | ||
391 | |||
392 | -2 Forces ssh to try protocol version 2 only. | ||
393 | |||
394 | -4 Forces ssh to use IPv4 addresses only. | ||
395 | 451 | ||
396 | -6 Forces ssh to use IPv6 addresses only. | 452 | -Y Enables trusted X11 forwarding. |
397 | 453 | ||
398 | CONFIGURATION FILES | 454 | CONFIGURATION FILES |
399 | ssh may additionally obtain configuration data from a per-user configura- | 455 | ssh may additionally obtain configuration data from a per-user configura- |
@@ -403,65 +459,63 @@ CONFIGURATION FILES | |||
403 | ENVIRONMENT | 459 | ENVIRONMENT |
404 | ssh will normally set the following environment variables: | 460 | ssh will normally set the following environment variables: |
405 | 461 | ||
406 | DISPLAY | 462 | DISPLAY The DISPLAY variable indicates the location of the X11 server. |
407 | The DISPLAY variable indicates the location of the X11 server. | 463 | It is automatically set by ssh to point to a value of the form |
408 | It is automatically set by ssh to point to a value of the form | 464 | ``hostname:n'' where hostname indicates the host where the shell |
409 | M-bM-^@M-^\hostname:nM-bM-^@M-^] where hostname indicates the host where the shell | 465 | runs, and n is an integer >= 1. ssh uses this special value to |
410 | runs, and n is an integer >= 1. ssh uses this special value to | 466 | forward X11 connections over the secure channel. The user |
411 | forward X11 connections over the secure channel. The user should | 467 | should normally not set DISPLAY explicitly, as that will render |
412 | normally not set DISPLAY explicitly, as that will render the X11 | 468 | the X11 connection insecure (and will require the user to manu- |
413 | connection insecure (and will require the user to manually copy | 469 | ally copy any required authorization cookies). |
414 | any required authorization cookies). | ||
415 | 470 | ||
416 | HOME Set to the path of the userM-bM-^@M-^Ys home directory. | 471 | HOME Set to the path of the user's home directory. |
417 | 472 | ||
418 | LOGNAME | 473 | LOGNAME Synonym for USER; set for compatibility with systems that use |
419 | Synonym for USER; set for compatibility with systems that use | 474 | this variable. |
420 | this variable. | ||
421 | 475 | ||
422 | MAIL Set to the path of the userM-bM-^@M-^Ys mailbox. | 476 | MAIL Set to the path of the user's mailbox. |
423 | 477 | ||
424 | PATH Set to the default PATH, as specified when compiling ssh. | 478 | PATH Set to the default PATH, as specified when compiling ssh. |
425 | 479 | ||
426 | SSH_ASKPASS | 480 | SSH_ASKPASS |
427 | If ssh needs a passphrase, it will read the passphrase from the | 481 | If ssh needs a passphrase, it will read the passphrase from the |
428 | current terminal if it was run from a terminal. If ssh does not | 482 | current terminal if it was run from a terminal. If ssh does not |
429 | have a terminal associated with it but DISPLAY and SSH_ASKPASS | 483 | have a terminal associated with it but DISPLAY and SSH_ASKPASS |
430 | are set, it will execute the program specified by SSH_ASKPASS and | 484 | are set, it will execute the program specified by SSH_ASKPASS |
431 | open an X11 window to read the passphrase. This is particularly | 485 | and open an X11 window to read the passphrase. This is particu- |
432 | useful when calling ssh from a .Xsession or related script. | 486 | larly useful when calling ssh from a .Xsession or related |
433 | (Note that on some machines it may be necessary to redirect the | 487 | script. (Note that on some machines it may be necessary to |
434 | input from /dev/null to make this work.) | 488 | redirect the input from /dev/null to make this work.) |
435 | 489 | ||
436 | SSH_AUTH_SOCK | 490 | SSH_AUTH_SOCK |
437 | Identifies the path of a unix-domain socket used to communicate | 491 | Identifies the path of a unix-domain socket used to communicate |
438 | with the agent. | 492 | with the agent. |
439 | 493 | ||
440 | SSH_CONNECTION | 494 | SSH_CONNECTION |
441 | Identifies the client and server ends of the connection. The | 495 | Identifies the client and server ends of the connection. The |
442 | variable contains four space-separated values: client ip-address, | 496 | variable contains four space-separated values: client ip-ad- |
443 | client port number, server ip-address and server port number. | 497 | dress, client port number, server ip-address and server port |
498 | number. | ||
444 | 499 | ||
445 | SSH_ORIGINAL_COMMAND | 500 | SSH_ORIGINAL_COMMAND |
446 | The variable contains the original command line if a forced com- | 501 | The variable contains the original command line if a forced com- |
447 | mand is executed. It can be used to extract the original argu- | 502 | mand is executed. It can be used to extract the original argu- |
448 | ments. | 503 | ments. |
449 | 504 | ||
450 | SSH_TTY | 505 | SSH_TTY This is set to the name of the tty (path to the device) associ- |
451 | This is set to the name of the tty (path to the device) associ- | 506 | ated with the current shell or command. If the current session |
452 | ated with the current shell or command. If the current session | 507 | has no tty, this variable is not set. |
453 | has no tty, this variable is not set. | ||
454 | 508 | ||
455 | TZ The timezone variable is set to indicate the present timezone if | 509 | TZ The timezone variable is set to indicate the present timezone if |
456 | it was set when the daemon was started (i.e., the daemon passes | 510 | it was set when the daemon was started (i.e., the daemon passes |
457 | the value on to new connections). | 511 | the value on to new connections). |
458 | 512 | ||
459 | USER Set to the name of the user logging in. | 513 | USER Set to the name of the user logging in. |
460 | 514 | ||
461 | Additionally, ssh reads $HOME/.ssh/environment, and adds lines of the | 515 | Additionally, ssh reads $HOME/.ssh/environment, and adds lines of the |
462 | format M-bM-^@M-^\VARNAME=valueM-bM-^@M-^] to the environment if the file exists and if users | 516 | format ``VARNAME=value'' to the environment if the file exists and if |
463 | are allowed to change their environment. See the PermitUserEnvironment | 517 | users are allowed to change their environment. For more information, see |
464 | option in sshd_config(5). | 518 | the PermitUserEnvironment option in sshd_config(5). |
465 | 519 | ||
466 | FILES | 520 | FILES |
467 | $HOME/.ssh/known_hosts | 521 | $HOME/.ssh/known_hosts |
@@ -481,7 +535,7 @@ FILES | |||
481 | $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub | 535 | $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub |
482 | Contains the public key for authentication (public part of the | 536 | Contains the public key for authentication (public part of the |
483 | identity file in human-readable form). The contents of the | 537 | identity file in human-readable form). The contents of the |
484 | $HOME/.ssh/identity.pub file should be added to | 538 | $HOME/.ssh/identity.pub file should be added to the file |
485 | $HOME/.ssh/authorized_keys on all machines where the user wishes | 539 | $HOME/.ssh/authorized_keys on all machines where the user wishes |
486 | to log in using protocol version 1 RSA authentication. The con- | 540 | to log in using protocol version 1 RSA authentication. The con- |
487 | tents of the $HOME/.ssh/id_dsa.pub and $HOME/.ssh/id_rsa.pub file | 541 | tents of the $HOME/.ssh/id_dsa.pub and $HOME/.ssh/id_rsa.pub file |
@@ -512,15 +566,15 @@ FILES | |||
512 | following format (fields separated by spaces): system name, pub- | 566 | following format (fields separated by spaces): system name, pub- |
513 | lic key and optional comment field. When different names are | 567 | lic key and optional comment field. When different names are |
514 | used for the same machine, all such names should be listed, sepa- | 568 | used for the same machine, all such names should be listed, sepa- |
515 | rated by commas. The format is described on the sshd(8) manual | 569 | rated by commas. The format is described in the sshd(8) manual |
516 | page. | 570 | page. |
517 | 571 | ||
518 | The canonical system name (as returned by name servers) is used | 572 | The canonical system name (as returned by name servers) is used |
519 | by sshd(8) to verify the client host when logging in; other names | 573 | by sshd(8) to verify the client host when logging in; other names |
520 | are needed because ssh does not convert the user-supplied name to | 574 | are needed because ssh does not convert the user-supplied name to |
521 | a canonical name before checking the key, because someone with | 575 | a canonical name before checking the key, because someone with |
522 | access to the name servers would then be able to fool host | 576 | access to the name servers would then be able to fool host au- |
523 | authentication. | 577 | thentication. |
524 | 578 | ||
525 | /etc/ssh/ssh_config | 579 | /etc/ssh/ssh_config |
526 | Systemwide configuration file. The file format and configuration | 580 | Systemwide configuration file. The file format and configuration |
@@ -538,22 +592,22 @@ FILES | |||
538 | method is used. By default ssh is not setuid root. | 592 | method is used. By default ssh is not setuid root. |
539 | 593 | ||
540 | $HOME/.rhosts | 594 | $HOME/.rhosts |
541 | This file is used in .rhosts authentication to list the host/user | 595 | This file is used in rhosts authentication to list the host/user |
542 | pairs that are permitted to log in. (Note that this file is also | 596 | pairs that are permitted to log in. (Note that this file is also |
543 | used by rlogin and rsh, which makes using this file insecure.) | 597 | used by rlogin and rsh, which makes using this file insecure.) |
544 | Each line of the file contains a host name (in the canonical form | 598 | Each line of the file contains a host name (in the canonical form |
545 | returned by name servers), and then a user name on that host, | 599 | returned by name servers), and then a user name on that host, |
546 | separated by a space. On some machines this file may need to be | 600 | separated by a space. On some machines this file may need to be |
547 | world-readable if the userM-bM-^@M-^Ys home directory is on a NFS parti- | 601 | world-readable if the user's home directory is on a NFS parti- |
548 | tion, because sshd(8) reads it as root. Additionally, this file | 602 | tion, because sshd(8) reads it as root. Additionally, this file |
549 | must be owned by the user, and must not have write permissions | 603 | must be owned by the user, and must not have write permissions |
550 | for anyone else. The recommended permission for most machines is | 604 | for anyone else. The recommended permission for most machines is |
551 | read/write for the user, and not accessible by others. | 605 | read/write for the user, and not accessible by others. |
552 | 606 | ||
553 | Note that by default sshd(8) will be installed so that it | 607 | Note that by default sshd(8) will be installed so that it re- |
554 | requires successful RSA host authentication before permitting | 608 | quires successful RSA host authentication before permitting |
555 | .rhosts authentication. If the server machine does not have the | 609 | rhosts authentication. If the server machine does not have the |
556 | clientM-bM-^@M-^Ys host key in /etc/ssh/ssh_known_hosts, it can be stored | 610 | client's host key in /etc/ssh/ssh_known_hosts, it can be stored |
557 | in $HOME/.ssh/known_hosts. The easiest way to do this is to con- | 611 | in $HOME/.ssh/known_hosts. The easiest way to do this is to con- |
558 | nect back to the client from the server machine using ssh; this | 612 | nect back to the client from the server machine using ssh; this |
559 | will automatically add the host key to $HOME/.ssh/known_hosts. | 613 | will automatically add the host key to $HOME/.ssh/known_hosts. |
@@ -564,12 +618,12 @@ FILES | |||
564 | with ssh without permitting login with rlogin or rsh(1). | 618 | with ssh without permitting login with rlogin or rsh(1). |
565 | 619 | ||
566 | /etc/hosts.equiv | 620 | /etc/hosts.equiv |
567 | This file is used during .rhosts authentication. It contains | 621 | This file is used during rhosts authentication. It contains |
568 | canonical hosts names, one per line (the full format is described | 622 | canonical hosts names, one per line (the full format is described |
569 | on the sshd(8) manual page). If the client host is found in this | 623 | in the sshd(8) manual page). If the client host is found in this |
570 | file, login is automatically permitted provided client and server | 624 | file, login is automatically permitted provided client and server |
571 | user names are the same. Additionally, successful RSA host | 625 | user names are the same. Additionally, successful RSA host au- |
572 | authentication is normally required. This file should only be | 626 | thentication is normally required. This file should only be |
573 | writable by root. | 627 | writable by root. |
574 | 628 | ||
575 | /etc/shosts.equiv | 629 | /etc/shosts.equiv |
@@ -579,12 +633,12 @@ FILES | |||
579 | 633 | ||
580 | /etc/ssh/sshrc | 634 | /etc/ssh/sshrc |
581 | Commands in this file are executed by ssh when the user logs in | 635 | Commands in this file are executed by ssh when the user logs in |
582 | just before the userM-bM-^@M-^Ys shell (or command) is started. See the | 636 | just before the user's shell (or command) is started. See the |
583 | sshd(8) manual page for more information. | 637 | sshd(8) manual page for more information. |
584 | 638 | ||
585 | $HOME/.ssh/rc | 639 | $HOME/.ssh/rc |
586 | Commands in this file are executed by ssh when the user logs in | 640 | Commands in this file are executed by ssh when the user logs in |
587 | just before the userM-bM-^@M-^Ys shell (or command) is started. See the | 641 | just before the user's shell (or command) is started. See the |
588 | sshd(8) manual page for more information. | 642 | sshd(8) manual page for more information. |
589 | 643 | ||
590 | $HOME/.ssh/environment | 644 | $HOME/.ssh/environment |
@@ -596,8 +650,9 @@ DIAGNOSTICS | |||
596 | error occurred. | 650 | error occurred. |
597 | 651 | ||
598 | SEE ALSO | 652 | SEE ALSO |
599 | rsh(1), scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), | 653 | gzip(1), rsh(1), scp(1), sftp(1), ssh-add(1), ssh-agent(1), |
600 | telnet(1), ssh_config(5), ssh-keysign(8), sshd(8) | 654 | ssh-keygen(1), telnet(1), hosts.equiv(5), ssh_config(5), ssh-keysign(8), |
655 | sshd(8) | ||
601 | 656 | ||
602 | T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH | 657 | T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH |
603 | Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January | 658 | Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January |
@@ -606,8 +661,8 @@ SEE ALSO | |||
606 | AUTHORS | 661 | AUTHORS |
607 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | 662 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by |
608 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | 663 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo |
609 | de Raadt and Dug Song removed many bugs, re-added newer features and cre- | 664 | de Raadt and Dug Song removed many bugs, re-added newer features and |
610 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | 665 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
611 | versions 1.5 and 2.0. | 666 | versions 1.5 and 2.0. |
612 | 667 | ||
613 | BSD September 25, 1999 BSD | 668 | OpenBSD 3.4 September 25, 1999 11 |