Diffstat (limited to 'ssh.1')
-rw-r--r-- | ssh.1 | 57 |
1 files changed, 37 insertions, 20 deletions
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh.1,v 1.160 2002/06/22 11:51:39 naddy Exp $ | 37 | .\" $OpenBSD: ssh.1,v 1.167 2002/09/27 15:46:21 stevesk Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH 1 | 39 | .Dt SSH 1 |
40 | .Os | 40 | .Os |
@@ -48,7 +48,7 @@ | |||
48 | .Op Ar command | 48 | .Op Ar command |
49 | .Pp | 49 | .Pp |
50 | .Nm ssh | 50 | .Nm ssh |
51 | .Op Fl afgknqstvxACNPTX1246 | 51 | .Op Fl afgknqstvxACNTX1246 |
52 | .Op Fl b Ar bind_address | 52 | .Op Fl b Ar bind_address |
53 | .Op Fl c Ar cipher_spec | 53 | .Op Fl c Ar cipher_spec |
54 | .Op Fl e Ar escape_char | 54 | .Op Fl e Ar escape_char |
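Review bot: dropping P from the option letters at line 51 is only correct if the matching .It Fl P entry leaves the OPTIONS list in the same change; the later hunk at 518-526 does that, so the two hunks should land together rather than be split.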
@@ -353,9 +353,17 @@ the connection is opened. | |||
353 | The real authentication cookie is never | 353 | The real authentication cookie is never |
354 | sent to the server machine (and no cookies are sent in the plain). | 354 | sent to the server machine (and no cookies are sent in the plain). |
355 | .Pp | 355 | .Pp |
356 | If the user is using an authentication agent, the connection to the agent | 356 | If the |
357 | is automatically forwarded to the remote side unless disabled on | 357 | .Cm ForwardAgent |
358 | the command line or in a configuration file. | 358 | variable is set to |
359 | .Dq yes | ||
360 | (or, see the description of the | ||
361 | .Fl A | ||
362 | and | ||
363 | .Fl a | ||
364 | options described later) and | ||
365 | the user is using an authentication agent, the connection to the agent | ||
366 | is automatically forwarded to the remote side. | ||
359 | .Pp | 367 | .Pp |
360 | Forwarding of arbitrary TCP/IP connections over the secure channel can | 368 | Forwarding of arbitrary TCP/IP connections over the secure channel can |
361 | be specified either on the command line or in a configuration file. | 369 | be specified either on the command line or in a configuration file. |
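Review bot: the parenthetical at lines 360-364, "(or, see the description of the .Fl A and .Fl a options described later)", is redundant ("see the description ... described later") and reads as if both flags turn forwarding on, while .Fl a disables it (see the header of the next hunk). Suggest "(or the .Fl A option is given; .Fl a disables it) and the user is using an authentication agent, ...". The rewrite also drops the old clause at 357-358 that the command line or a configuration file can disable forwarding; a short sentence stating that command-line options override the configured value would keep that information.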
@@ -394,6 +402,13 @@ Disables forwarding of the authentication agent connection. | |||
394 | .It Fl A | 402 | .It Fl A |
395 | Enables forwarding of the authentication agent connection. | 403 | Enables forwarding of the authentication agent connection. |
396 | This can also be specified on a per-host basis in a configuration file. | 404 | This can also be specified on a per-host basis in a configuration file. |
405 | .Pp | ||
406 | Agent forwarding should be enabled with caution. Users with the | ||
407 | ability to bypass file permissions on the remote host (for the agent's | ||
408 | Unix-domain socket) can access the local agent through the forwarded | ||
409 | connection. An attacker cannot obtain key material from the agent, | ||
410 | however they can perform operations on the keys that enable them to | ||
411 | authenticate using the identities loaded into the agent. | ||
397 | .It Fl b Ar bind_address | 412 | .It Fl b Ar bind_address |
398 | Specify the interface to transmit from on machines with multiple | 413 | Specify the interface to transmit from on machines with multiple |
399 | interfaces or aliased addresses. | 414 | interfaces or aliased addresses. |
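Review bot: line 406 runs two sentences on one line; the rest of this file starts each sentence on its own line (compare 534-535), and mdoc sentence spacing depends on that, so break after "caution.". Lines 409-410, "...from the agent, however they can...", are a comma splice; suggest "...from the agent, but they can perform operations...". The substance is right and worth keeping: the forwarded socket gives signing access, not key export, and "users with the ability to bypass file permissions" is in practice root on the remote host, so consider naming the superuser explicitly.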
@@ -515,15 +530,6 @@ command-line flag. | |||
515 | Port to connect to on the remote host. | 530 | Port to connect to on the remote host. |
516 | This can be specified on a | 531 | This can be specified on a |
517 | per-host basis in the configuration file. | 532 | per-host basis in the configuration file. |
518 | .It Fl P | ||
519 | Use a non-privileged port for outgoing connections. | ||
520 | This can be used if a firewall does | ||
521 | not permit connections from privileged ports. | ||
522 | Note that this option turns off | ||
523 | .Cm RhostsAuthentication | ||
524 | and | ||
525 | .Cm RhostsRSAAuthentication | ||
526 | for older servers. | ||
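Review bot: removing the -P entry also removes the only place this page tells the reader that a non-privileged source port turns off RhostsAuthentication and RhostsRSAAuthentication for older servers (lines 522-526). If that behaviour is now controlled from the configuration file, add a pointer to the corresponding ssh_config(5) option (UsePrivilegedPort) so the firewall note and the authentication side effect are not lost, and confirm nothing else in ssh.1 still refers to -P.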
527 | .It Fl q | 533 | .It Fl q |
528 | Quiet mode. | 534 | Quiet mode. |
529 | Causes all warning and diagnostic messages to be suppressed. | 535 | Causes all warning and diagnostic messages to be suppressed. |
@@ -563,6 +569,12 @@ Disables X11 forwarding. | |||
563 | .It Fl X | 569 | .It Fl X |
564 | Enables X11 forwarding. | 570 | Enables X11 forwarding. |
565 | This can also be specified on a per-host basis in a configuration file. | 571 | This can also be specified on a per-host basis in a configuration file. |
572 | .Pp | ||
573 | X11 forwarding should be enabled with caution. Users with the ability | ||
574 | to bypass file permissions on the remote host (for the user's X | ||
575 | authorization database) can access the local X11 display through the | ||
576 | forwarded connection. An attacker may then be able to perform | ||
577 | activities such as keystroke monitoring. | ||
566 | .It Fl C | 578 | .It Fl C |
567 | Requests compression of all data (including stdin, stdout, stderr, and | 579 | Requests compression of all data (including stdin, stdout, stderr, and |
568 | data for forwarded X11 and TCP/IP connections). | 580 | data for forwarded X11 and TCP/IP connections). |
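Review bot: line 573 has the same two-sentences-on-one-line problem as the new -A paragraph; break after "caution." to match the file's convention. Since line 571 says X11 forwarding can also be enabled per host in a configuration file, the caveat applies to that path too and could say so (the same holds for ForwardAgent in the -A text). Naming the xauth(1) file behind "the user's X authorization database" would help readers who want to know which file the permission check protects.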
@@ -572,7 +584,7 @@ and the | |||
572 | .Dq level | 584 | .Dq level |
573 | can be controlled by the | 585 | can be controlled by the |
574 | .Cm CompressionLevel | 586 | .Cm CompressionLevel |
575 | option. | 587 | option for protocol version 1. |
576 | Compression is desirable on modem lines and other | 588 | Compression is desirable on modem lines and other |
577 | slow connections, but will only slow down things on fast networks. | 589 | slow connections, but will only slow down things on fast networks. |
578 | The default value can be set on a host-by-host basis in the | 590 | The default value can be set on a host-by-host basis in the |
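Review bot: line 587 now limits CompressionLevel to protocol version 1 but leaves the reader with no statement of how, or whether, the level can be set for protocol version 2; add one sentence covering protocol 2 so the -C description is complete for both protocols.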
@@ -718,11 +730,11 @@ to make this work.) | |||
718 | .It Ev SSH_AUTH_SOCK | 730 | .It Ev SSH_AUTH_SOCK |
719 | Identifies the path of a unix-domain socket used to communicate with the | 731 | Identifies the path of a unix-domain socket used to communicate with the |
720 | agent. | 732 | agent. |
721 | .It Ev SSH_CLIENT | 733 | .It Ev SSH_CONNECTION |
722 | Identifies the client end of the connection. | 734 | Identifies the client and server ends of the connection. |
723 | The variable contains | 735 | The variable contains |
724 | three space-separated values: client ip-address, client port number, | 736 | four space-separated values: client ip-address, client port number, |
725 | and server port number. | 737 | server ip-address and server port number. |
726 | .It Ev SSH_ORIGINAL_COMMAND | 738 | .It Ev SSH_ORIGINAL_COMMAND |
727 | The variable contains the original command line if a forced command | 739 | The variable contains the original command line if a forced command |
728 | is executed. | 740 | is executed. |
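Review bot: lines 733-737 replace the SSH_CLIENT entry with SSH_CONNECTION instead of documenting the new variable beside the old one. If sshd still exports SSH_CLIENT with its three values for compatibility, it must stay documented here; if it no longer does, that removal deserves its own mention. Also verify the value order given for SSH_CONNECTION ("client ip-address, client port number, server ip-address and server port number") against what the server actually sets.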
@@ -746,7 +758,12 @@ reads | |||
746 | .Pa $HOME/.ssh/environment , | 758 | .Pa $HOME/.ssh/environment , |
747 | and adds lines of the format | 759 | and adds lines of the format |
748 | .Dq VARNAME=value | 760 | .Dq VARNAME=value |
749 | to the environment. | 761 | to the environment if the file exists and if users are allowed to |
762 | change their environment. | ||
763 | See the | ||
764 | .Cm PermitUserEnvironment | ||
765 | option in | ||
766 | .Xr sshd_config 5 . | ||
750 | .Sh FILES | 767 | .Sh FILES |
751 | .Bl -tag -width Ds | 768 | .Bl -tag -width Ds |
752 | .It Pa $HOME/.ssh/known_hosts | 769 | .It Pa $HOME/.ssh/known_hosts |
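Review bot: lines 761-766 correctly condition processing of $HOME/.ssh/environment on PermitUserEnvironment, but nothing in the ssh(1) context tells the reader that this is a server-side setting chosen by the administrator of the remote host, not something the user can turn on; wording such as "if the server's administrator allows users to change their environment" would make that clear, and stating the default would help. It would also be worth saying what happens when it is disallowed, i.e. whether the file is silently ignored.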