Diffstat (limited to 'ssh.1')
-rw-r--r-- ssh.1 67
1 files changed, 33 insertions, 34 deletions
diff --git a/ssh.1 b/ssh.1
index 1bcc8edab..4e298cb56 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: ssh.1,v 1.399 2018/09/20 06:58:48 jmc Exp $ 36.\" $OpenBSD: ssh.1,v 1.402 2019/03/16 19:14:21 jmc Exp $
37.Dd $Mdocdate: September 20 2018 $ 37.Dd $Mdocdate: March 16 2019 $
38.Dt SSH 1 38.Dt SSH 1
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -270,8 +270,8 @@ on the master process.
270.It Fl I Ar pkcs11 270.It Fl I Ar pkcs11
271Specify the PKCS#11 shared library 271Specify the PKCS#11 shared library
272.Nm 272.Nm
273should use to communicate with a PKCS#11 token providing the user's 273should use to communicate with a PKCS#11 token providing keys for user
274private RSA key. 274authentication.
275.Pp 275.Pp
276.It Fl i Ar identity_file 276.It Fl i Ar identity_file
277Selects a file from which the identity (private key) for 277Selects a file from which the identity (private key) for
@@ -308,6 +308,11 @@ Multiple jump hops may be specified separated by comma characters.
308This is a shortcut to specify a 308This is a shortcut to specify a
309.Cm ProxyJump 309.Cm ProxyJump
310configuration directive. 310configuration directive.
311Note that configuration directives supplied on the command-line generally
312apply to the destination host and not any specified jump hosts.
313Use
314.Pa ~/.ssh/config
315to specify configuration for jump hosts.
311.Pp 316.Pp
312.It Fl K 317.It Fl K
313Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI 318Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI
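Review bot: "generally" in the added sentence at new lines 311-312 leaves the reader unable to tell which command-line directives do reach a jump host; either drop the qualifier or name the exceptions. This matters to anyone who passes host key or identity options with -o or -i and assumes they cover every hop. Also, "command-line" is hyphenated here while the TCP FORWARDING section of the same page writes "on the command line"; pick one spelling.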
@@ -492,7 +497,13 @@ For full details of the options listed below, and their possible values, see
492.It GatewayPorts 497.It GatewayPorts
493.It GlobalKnownHostsFile 498.It GlobalKnownHostsFile
494.It GSSAPIAuthentication 499.It GSSAPIAuthentication
500.It GSSAPIKeyExchange
501.It GSSAPIClientIdentity
495.It GSSAPIDelegateCredentials 502.It GSSAPIDelegateCredentials
503.It GSSAPIKexAlgorithms
504.It GSSAPIRenewalForcesRekey
505.It GSSAPIServerIdentity
506.It GSSAPITrustDns
496.It HashKnownHosts 507.It HashKnownHosts
497.It Host 508.It Host
498.It HostbasedAuthentication 509.It HostbasedAuthentication
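Review bot: the new entries break the alphabetical order the rest of this list follows: GSSAPIKeyExchange is placed ahead of GSSAPIClientIdentity and GSSAPIDelegateCredentials, where it would sort after GSSAPIKexAlgorithms. Since the list defers elsewhere "for full details of the options listed below", confirm that each of the six added keywords is documented there in the same change, otherwise the reference dangles.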
@@ -568,6 +579,8 @@ flag),
568(supported message integrity codes), 579(supported message integrity codes),
569.Ar kex 580.Ar kex
570(key exchange algorithms), 581(key exchange algorithms),
582.Ar kex-gss
583(GSSAPI key exchange algorithms),
571.Ar key 584.Ar key
572(key types), 585(key types),
573.Ar key-cert 586.Ar key-cert
@@ -1110,49 +1123,35 @@ Increase the verbosity
1110when errors are being written to stderr. 1123when errors are being written to stderr.
1111.El 1124.El
1112.Sh TCP FORWARDING 1125.Sh TCP FORWARDING
1113Forwarding of arbitrary TCP connections over the secure channel can 1126Forwarding of arbitrary TCP connections over a secure channel
1114be specified either on the command line or in a configuration file. 1127can be specified either on the command line or in a configuration file.
1115One possible application of TCP forwarding is a secure connection to a 1128One possible application of TCP forwarding is a secure connection to a
1116mail server; another is going through firewalls. 1129mail server; another is going through firewalls.
1117.Pp 1130.Pp
1118In the example below, we look at encrypting communication between 1131In the example below, we look at encrypting communication for an IRC client,
1119an IRC client and server, even though the IRC server does not directly 1132even though the IRC server it connects to does not directly
1120support encrypted communications. 1133support encrypted communication.
1121This works as follows: 1134This works as follows:
1122the user connects to the remote host using 1135the user connects to the remote host using
1123.Nm , 1136.Nm ,
1124specifying a port to be used to forward connections 1137specifying the ports to be used to forward the connection.
1125to the remote server. 1138After that it is possible to start the program locally,
1126After that it is possible to start the service which is to be encrypted
1127on the client machine,
1128connecting to the same local port,
1129and 1139and
1130.Nm 1140.Nm
1131will encrypt and forward the connection. 1141will encrypt and forward the connection to the remote server.
1132.Pp 1142.Pp
1133The following example tunnels an IRC session from client machine 1143The following example tunnels an IRC session from the client
1134.Dq 127.0.0.1 1144to an IRC server at
1135(localhost)
1136to remote server
1137.Dq server.example.com :
1138.Bd -literal -offset 4n
1139$ ssh -f -L 1234:localhost:6667 server.example.com sleep 10
1140$ irc -c '#users' -p 1234 pinky 127.0.0.1
1141.Ed
1142.Pp
1143This tunnels a connection to IRC server
1144.Dq server.example.com , 1145.Dq server.example.com ,
1145joining channel 1146joining channel
1146.Dq #users , 1147.Dq #users ,
1147nickname 1148nickname
1148.Dq pinky , 1149.Dq pinky ,
1149using port 1234. 1150using the standard IRC port, 6667:
1150It doesn't matter which port is used, 1151.Bd -literal -offset 4n
1151as long as it's greater than 1023 1152$ ssh -f -L 6667:localhost:6667 server.example.com sleep 10
1152(remember, only root can open sockets on privileged ports) 1153$ irc -c '#users' pinky IRC/127.0.0.1
1153and doesn't conflict with any ports already in use. 1154.Ed
1154The connection is forwarded to port 6667 on the remote server,
1155since that's the standard port for IRC services.
1156.Pp 1155.Pp
1157The 1156The
1158.Fl f 1157.Fl f
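Review bot: in the rewritten example at new line 1152, -L 6667:localhost:6667 uses the same number for the local listening port and the remote port, so the reader can no longer tell which field is which, and the removed paragraph that explained the local port choice (greater than 1023, not already in use) has no replacement. Keep one sentence stating that the first 6667 is the local port and may be any free unprivileged port. The new client line, irc -c '#users' pinky IRC/127.0.0.1, also drops -p without the text explaining the IRC/127.0.0.1 form.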
@@ -1162,7 +1161,7 @@ and the remote command
1162.Dq sleep 10 1161.Dq sleep 10
1163is specified to allow an amount of time 1162is specified to allow an amount of time
1164(10 seconds, in the example) 1163(10 seconds, in the example)
1165to start the service which is to be tunnelled. 1164to start the program which is going to use the tunnel.
1166If no connections are made within the time specified, 1165If no connections are made within the time specified,
1167.Nm 1166.Nm
1168will exit. 1167will exit.