Diffstat (limited to 'ssh.1')
-rw-r--r-- | ssh.1 | 85 |
1 files changed, 50 insertions, 35 deletions
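--- a/ssh.1
+++ b/ssh.1
@@ -1,4 +1,3 @@
-.\" -*- nroff -*-
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -34,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.308 2010/08/04 05:37:01 djm Exp $
-.Dd $Mdocdate: August 4 2010 $
+.\" $OpenBSD: ssh.1,v 1.316 2010/11/18 15:01:00 jmc Exp $
+.Dd $Mdocdate: November 18 2010 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -269,13 +268,14 @@ should use to communicate with a PKCS#11 token providing the user's
 private RSA key.
 .It Fl i Ar identity_file
 Selects a file from which the identity (private key) for
-RSA or DSA authentication is read.
+public key authentication is read.
 The default is
 .Pa ~/.ssh/identity
 for protocol version 1, and
-.Pa ~/.ssh/id_rsa
+.Pa ~/.ssh/id_dsa ,
+.Pa ~/.ssh/id_ecdsa
 and
-.Pa ~/.ssh/id_dsa
+.Pa ~/.ssh/id_rsa
 for protocol version 2.
 Identity files may also be specified on
 a per-host basis in the configuration file.
@@ -435,7 +435,9 @@ For full details of the options listed below, and their possible values, see
 .It HostName
 .It IdentityFile
 .It IdentitiesOnly
+.It IPQoS
 .It KbdInteractiveDevices
+.It KexAlgorithms
 .It LocalCommand
 .It LocalForward
 .It LogLevel
@@ -646,10 +648,6 @@ may additionally obtain configuration data from
 a per-user configuration file and a system-wide configuration file.
 The file format and configuration options are described in
 .Xr ssh_config 5 .
-.Pp
-.Nm
-exits with the exit status of the remote command or with 255
-if an error occurred.
 .Sh AUTHENTICATION
 The OpenSSH SSH client supports SSH protocols 1 and 2.
 The default is to use protocol 2 only,
@@ -721,9 +719,9 @@ key pair for authentication purposes.
 The server knows the public key, and only the user knows the private key.
 .Nm
 implements public key authentication protocol automatically,
-using either the RSA or DSA algorithms.
+using one of the DSA, ECDSA or RSA algorithms.
 Protocol 1 is restricted to using only RSA keys,
-but protocol 2 may use either.
+but protocol 2 may use any.
 The
 .Sx HISTORY
 section of
@@ -732,7 +730,7 @@ section of
 .nh
 http://www.openbsd.org/cgi\-bin/man.cgi?query=ssl&sektion=8#HISTORY)
 .hy
-contains a brief discussion of the two algorithms.
+contains a brief discussion of the DSA and RSA algorithms.
 .Pp
 The file
 .Pa ~/.ssh/authorized_keys
@@ -752,6 +750,8 @@ This stores the private key in
 (protocol 1),
 .Pa ~/.ssh/id_dsa
 (protocol 2 DSA),
+.Pa ~/.ssh/id_ecdsa
+(protocol 2 ECDSA),
 or
 .Pa ~/.ssh/id_rsa
 (protocol 2 RSA)
@@ -760,6 +760,8 @@ and stores the public key in
 (protocol 1),
 .Pa ~/.ssh/id_dsa.pub
 (protocol 2 DSA),
+.Pa ~/.ssh/id_ecdsa.pub
+(protocol 2 ECDSA),
 or
 .Pa ~/.ssh/id_rsa.pub
 (protocol 2 RSA)
@@ -1254,7 +1256,7 @@ option in
 .Xr sshd_config 5 .
 .Sh FILES
 .Bl -tag -width Ds -compact
-.It ~/.rhosts
+.It Pa ~/.rhosts
 This file is used for host-based authentication (see above).
 On some machines this file may need to be
 world-readable if the user's home directory is on an NFS partition,
@@ -1267,28 +1269,29 @@ The recommended
 permission for most machines is read/write for the user, and not
 accessible by others.
 .Pp
-.It ~/.shosts
+.It Pa ~/.shosts
 This file is used in exactly the same way as
 .Pa .rhosts ,
 but allows host-based authentication without permitting login with
 rlogin/rsh.
 .Pp
-.It ~/.ssh/
+.It Pa ~/.ssh/
 This directory is the default location for all user-specific configuration
 and authentication information.
 There is no general requirement to keep the entire contents of this directory
 secret, but the recommended permissions are read/write/execute for the user,
 and not accessible by others.
 .Pp
-.It ~/.ssh/authorized_keys
-Lists the public keys (RSA/DSA) that can be used for logging in as this user.
+.It Pa ~/.ssh/authorized_keys
+Lists the public keys (DSA/ECDSA/RSA) that can be used for logging in as
+this user.
 The format of this file is described in the
 .Xr sshd 8
 manual page.
 This file is not highly sensitive, but the recommended
 permissions are read/write for the user, and not accessible by others.
 .Pp
-.It ~/.ssh/config
+.It Pa ~/.ssh/config
 This is the per-user configuration file.
 The file format and configuration options are described in
 .Xr ssh_config 5 .
@@ -1297,14 +1300,15 @@ read/write for the user, and not accessible by others.
 It may be group-writable provided that the group in question contains only
 the user.
 .Pp
-.It ~/.ssh/environment
+.It Pa ~/.ssh/environment
 Contains additional definitions for environment variables; see
 .Sx ENVIRONMENT ,
 above.
 .Pp
-.It ~/.ssh/identity
-.It ~/.ssh/id_dsa
-.It ~/.ssh/id_rsa
+.It Pa ~/.ssh/identity
+.It Pa ~/.ssh/id_dsa
+.It Pa ~/.ssh/id_ecdsa
+.It Pa ~/.ssh/id_rsa
 Contains the private key for authentication.
 These files
 contain sensitive data and should be readable by the user but not
@@ -1315,21 +1319,22 @@ It is possible to specify a passphrase when
 generating the key which will be used to encrypt the
 sensitive part of this file using 3DES.
 .Pp
-.It ~/.ssh/identity.pub
-.It ~/.ssh/id_dsa.pub
-.It ~/.ssh/id_rsa.pub
+.It Pa ~/.ssh/identity.pub
+.It Pa ~/.ssh/id_dsa.pub
+.It Pa ~/.ssh/id_ecdsa.pub
+.It Pa ~/.ssh/id_rsa.pub
 Contains the public key for authentication.
 These files are not
 sensitive and can (but need not) be readable by anyone.
 .Pp
-.It ~/.ssh/known_hosts
+.It Pa ~/.ssh/known_hosts
 Contains a list of host keys for all hosts the user has logged into
 that are not already in the systemwide list of known host keys.
 See
 .Xr sshd 8
 for further details of the format of this file.
 .Pp
-.It ~/.ssh/rc
+.It Pa ~/.ssh/rc
 Commands in this file are executed by
 .Nm
 when the user logs in, just before the user's shell (or command) is
@@ -1338,11 +1343,11 @@ See the
 .Xr sshd 8
 manual page for more information.
 .Pp
-.It /etc/hosts.equiv
+.It Pa /etc/hosts.equiv
 This file is for host-based authentication (see above).
 It should only be writable by root.
 .Pp
-.It /etc/shosts.equiv
+.It Pa /etc/shosts.equiv
 This file is used in exactly the same way as
 .Pa hosts.equiv ,
 but allows host-based authentication without permitting login with
@@ -1353,9 +1358,10 @@ Systemwide configuration file.
 The file format and configuration options are described in
 .Xr ssh_config 5 .
 .Pp
-.It /etc/ssh/ssh_host_key
-.It /etc/ssh/ssh_host_dsa_key
-.It /etc/ssh/ssh_host_rsa_key
+.It Pa /etc/ssh/ssh_host_key
+.It Pa /etc/ssh/ssh_host_dsa_key
+.It Pa /etc/ssh/ssh_host_ecdsa_key
+.It Pa /etc/ssh/ssh_host_rsa_key
 These three files contain the private parts of the host keys
 and are used for host-based authentication.
 If protocol version 1 is used,
@@ -1373,7 +1379,7 @@ By default
 .Nm
 is not setuid root.
 .Pp
-.It /etc/ssh/ssh_known_hosts
+.It Pa /etc/ssh/ssh_known_hosts
 Systemwide list of known host keys.
 This file should be prepared by the
 system administrator to contain the public host keys of all machines in the
@@ -1383,7 +1389,7 @@ See
 .Xr sshd 8
 for further details of the format of this file.
 .Pp
-.It /etc/ssh/sshrc
+.It Pa /etc/ssh/sshrc
 Commands in this file are executed by
 .Nm
 when the user logs in, just before the user's shell (or command) is started.
@@ -1391,6 +1397,10 @@ See the
 .Xr sshd 8
 manual page for more information.
 .El
+.Sh EXIT STATUS
+.Nm
+exits with the exit status of the remote command or with 255
+if an error occurred.
 .Sh SEE ALSO
 .Xr scp 1 ,
 .Xr sftp 1 ,
@@ -1466,6 +1476,11 @@ manual page for more information.
 .%D 2006
 .Re
 .Rs
+.%R RFC 5656
+.%T "Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer"
+.%D 2009
+.Re
+.Rs
 .%T "Hash Visualization: a New Technique to improve Real-World Security"
 .%A A. Perrig
 .%A D. Song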