Diffstat (limited to 'ssh.1')
-rw-r--r-- ssh.1 57
1 files changed, 37 insertions, 20 deletions
diff --git a/ssh.1 b/ssh.1
index 1c407c5bd..d8999da48 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: ssh.1,v 1.160 2002/06/22 11:51:39 naddy Exp $ 37.\" $OpenBSD: ssh.1,v 1.167 2002/09/27 15:46:21 stevesk Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSH 1 39.Dt SSH 1
40.Os 40.Os
@@ -48,7 +48,7 @@
48.Op Ar command 48.Op Ar command
49.Pp 49.Pp
50.Nm ssh 50.Nm ssh
51.Op Fl afgknqstvxACNPTX1246 51.Op Fl afgknqstvxACNTX1246
52.Op Fl b Ar bind_address 52.Op Fl b Ar bind_address
53.Op Fl c Ar cipher_spec 53.Op Fl c Ar cipher_spec
54.Op Fl e Ar escape_char 54.Op Fl e Ar escape_char
@@ -353,9 +353,17 @@ the connection is opened.
353The real authentication cookie is never 353The real authentication cookie is never
354sent to the server machine (and no cookies are sent in the plain). 354sent to the server machine (and no cookies are sent in the plain).
355.Pp 355.Pp
356If the user is using an authentication agent, the connection to the agent 356If the
357is automatically forwarded to the remote side unless disabled on 357.Cm ForwardAgent
358the command line or in a configuration file. 358variable is set to
359.Dq yes
360(or, see the description of the
361.Fl A
362and
363.Fl a
364options described later) and
365the user is using an authentication agent, the connection to the agent
366is automatically forwarded to the remote side.
359.Pp 367.Pp
360Forwarding of arbitrary TCP/IP connections over the secure channel can 368Forwarding of arbitrary TCP/IP connections over the secure channel can
361be specified either on the command line or in a configuration file. 369be specified either on the command line or in a configuration file.
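Review bot: The parenthetical in the new ForwardAgent sentence, "(or, see the description of the -A and -a options described later)", is hard to parse: "or" has nothing to attach to, and "see the description of ... described later" says the same thing twice. Suggest something like: If the ForwardAgent variable is set to "yes" (or forwarding is enabled with -A; see also -a) and the user is using an authentication agent, the connection to the agent is automatically forwarded to the remote side. The rewritten sentence also no longer tells the reader what happens when the variable is not set, so stating the default here would help.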
@@ -394,6 +402,13 @@ Disables forwarding of the authentication agent connection.
394.It Fl A 402.It Fl A
395Enables forwarding of the authentication agent connection. 403Enables forwarding of the authentication agent connection.
396This can also be specified on a per-host basis in a configuration file. 404This can also be specified on a per-host basis in a configuration file.
405.Pp
406Agent forwarding should be enabled with caution. Users with the
407ability to bypass file permissions on the remote host (for the agent's
408Unix-domain socket) can access the local agent through the forwarded
409connection. An attacker cannot obtain key material from the agent,
410however they can perform operations on the keys that enable them to
411authenticate using the identities loaded into the agent.
397.It Fl b Ar bind_address 412.It Fl b Ar bind_address
398Specify the interface to transmit from on machines with multiple 413Specify the interface to transmit from on machines with multiple
399interfaces or aliased addresses. 414interfaces or aliased addresses.
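Review bot: The caution added under -A describes the exposure but stops short of telling the reader what to do about it. Suggest closing the paragraph with a pointer to -a and to the per-host configuration setting mentioned in the line just above it, so that forwarding is enabled only towards hosts whose administrators are trusted. In the last sentence, "however they can" after a comma is a run-on; "but they can" or a semicolon before "however" reads better. Since a user who enables forwarding from the configuration file never reads this entry, a cross-reference to this caution from the ForwardAgent paragraph earlier in the page would also be worthwhile.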
@@ -515,15 +530,6 @@ command-line flag.
515Port to connect to on the remote host. 530Port to connect to on the remote host.
516This can be specified on a 531This can be specified on a
517per-host basis in the configuration file. 532per-host basis in the configuration file.
518.It Fl P
519Use a non-privileged port for outgoing connections.
520This can be used if a firewall does
521not permit connections from privileged ports.
522Note that this option turns off
523.Cm RhostsAuthentication
524and
525.Cm RhostsRSAAuthentication
526for older servers.
527.It Fl q 533.It Fl q
528Quiet mode. 534Quiet mode.
529Causes all warning and diagnostic messages to be suppressed. 535Causes all warning and diagnostic messages to be suppressed.
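Review bot: Removing the -P entry drops the statement that using a non-privileged source port turns off RhostsAuthentication and RhostsRSAAuthentication for older servers, and nothing in the visible text replaces it. If the behaviour is still reachable through a configuration option, the page should say which one; if it is not, a short note that -P is no longer accepted would save users with existing scripts from having to guess.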
@@ -563,6 +569,12 @@ Disables X11 forwarding.
563.It Fl X 569.It Fl X
564Enables X11 forwarding. 570Enables X11 forwarding.
565This can also be specified on a per-host basis in a configuration file. 571This can also be specified on a per-host basis in a configuration file.
572.Pp
573X11 forwarding should be enabled with caution. Users with the ability
574to bypass file permissions on the remote host (for the user's X
575authorization database) can access the local X11 display through the
576forwarded connection. An attacker may then be able to perform
577activities such as keystroke monitoring.
566.It Fl C 578.It Fl C
567Requests compression of all data (including stdin, stdout, stderr, and 579Requests compression of all data (including stdin, stdout, stderr, and
568data for forwarded X11 and TCP/IP connections). 580data for forwarded X11 and TCP/IP connections).
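Review bot: The new paragraph under -X names the risk but gives no guidance on limiting it. Suggest ending it with a pointer to -x and to the per-host configuration setting mentioned in the line above, so that X11 forwarding is turned on only for hosts the user trusts. The opening, "Users with the ability to bypass file permissions on the remote host", mirrors the -A caution; keeping the two paragraphs parallel is fine, but both should then end with the same kind of advice.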
@@ -572,7 +584,7 @@ and the
572.Dq level 584.Dq level
573can be controlled by the 585can be controlled by the
574.Cm CompressionLevel 586.Cm CompressionLevel
575option. 587option for protocol version 1.
576Compression is desirable on modem lines and other 588Compression is desirable on modem lines and other
577slow connections, but will only slow down things on fast networks. 589slow connections, but will only slow down things on fast networks.
578The default value can be set on a host-by-host basis in the 590The default value can be set on a host-by-host basis in the
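Review bot: Appending "for protocol version 1" to the CompressionLevel sentence leaves the page without any statement about the compression level used with protocol version 2; one clause saying whether it is fixed or configurable would close that gap. The qualifier is also attached so loosely that it could be read as applying to the whole sentence; "can be controlled, for protocol version 1 only, by the CompressionLevel option" is less ambiguous.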
@@ -718,11 +730,11 @@ to make this work.)
718.It Ev SSH_AUTH_SOCK 730.It Ev SSH_AUTH_SOCK
719Identifies the path of a unix-domain socket used to communicate with the 731Identifies the path of a unix-domain socket used to communicate with the
720agent. 732agent.
721.It Ev SSH_CLIENT 733.It Ev SSH_CONNECTION
722Identifies the client end of the connection. 734Identifies the client and server ends of the connection.
723The variable contains 735The variable contains
724three space-separated values: client ip-address, client port number, 736four space-separated values: client ip-address, client port number,
725and server port number. 737server ip-address and server port number.
726.It Ev SSH_ORIGINAL_COMMAND 738.It Ev SSH_ORIGINAL_COMMAND
727The variable contains the original command line if a forced command 739The variable contains the original command line if a forced command
728is executed. 740is executed.
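Review bot: The SSH_CLIENT entry is replaced outright by SSH_CONNECTION, and the page no longer says whether SSH_CLIENT is still set in the session environment. Scripts and forced commands that read it need to know; if the variable is kept for compatibility, keep a one-line entry marking it as deprecated in favour of SSH_CONNECTION. Minor: the new value list reads "server ip-address and server port number" without the comma before "and" that the replaced text used.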
@@ -746,7 +758,12 @@ reads
746.Pa $HOME/.ssh/environment , 758.Pa $HOME/.ssh/environment ,
747and adds lines of the format 759and adds lines of the format
748.Dq VARNAME=value 760.Dq VARNAME=value
749to the environment. 761to the environment if the file exists and if users are allowed to
762change their environment.
763See the
764.Cm PermitUserEnvironment
765option in
766.Xr sshd_config 5 .
750.Sh FILES 767.Sh FILES
751.Bl -tag -width Ds 768.Bl -tag -width Ds
752.It Pa $HOME/.ssh/known_hosts 769.It Pa $HOME/.ssh/known_hosts
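Review bot: The added condition "if users are allowed to change their environment" does not say that this is decided on the server side, nor what the default is, so a reader of ssh(1) cannot tell whether $HOME/.ssh/environment will be honoured without opening sshd_config(5). Suggest naming the side and the default inline, for example "if the server's PermitUserEnvironment option allows it", and keeping the cross-reference for the details.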