Diffstat (limited to 'ssh.1')
-rw-r--r-- ssh.1 85
1 files changed, 50 insertions, 35 deletions
diff --git a/ssh.1 b/ssh.1
index 02d28a00b..e3a42b5ad 100644
--- a/ssh.1
+++ b/ssh.1
@@ -1,4 +1,3 @@
1.\" -*- nroff -*-
2.\" 1.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 2.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -34,8 +33,8 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 35.\"
37.\" $OpenBSD: ssh.1,v 1.308 2010/08/04 05:37:01 djm Exp $ 36.\" $OpenBSD: ssh.1,v 1.316 2010/11/18 15:01:00 jmc Exp $
38.Dd $Mdocdate: August 4 2010 $ 37.Dd $Mdocdate: November 18 2010 $
39.Dt SSH 1 38.Dt SSH 1
40.Os 39.Os
41.Sh NAME 40.Sh NAME
@@ -269,13 +268,14 @@ should use to communicate with a PKCS#11 token providing the user's
269private RSA key. 268private RSA key.
270.It Fl i Ar identity_file 269.It Fl i Ar identity_file
271Selects a file from which the identity (private key) for 270Selects a file from which the identity (private key) for
272RSA or DSA authentication is read. 271public key authentication is read.
273The default is 272The default is
274.Pa ~/.ssh/identity 273.Pa ~/.ssh/identity
275for protocol version 1, and 274for protocol version 1, and
276.Pa ~/.ssh/id_rsa 275.Pa ~/.ssh/id_dsa ,
276.Pa ~/.ssh/id_ecdsa
277and 277and
278.Pa ~/.ssh/id_dsa 278.Pa ~/.ssh/id_rsa
279for protocol version 2. 279for protocol version 2.
280Identity files may also be specified on 280Identity files may also be specified on
281a per-host basis in the configuration file. 281a per-host basis in the configuration file.
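Review bot: In the -i description the default protocol 2 identities are now listed as ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/id_rsa, where the old text gave id_rsa first. A reader can take a listed order as the order in which the keys are tried. If the new order is only alphabetical, word the sentence so that no order is implied, or state explicitly whether the order matters.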
@@ -435,7 +435,9 @@ For full details of the options listed below, and their possible values, see
435.It HostName 435.It HostName
436.It IdentityFile 436.It IdentityFile
437.It IdentitiesOnly 437.It IdentitiesOnly
438.It IPQoS
438.It KbdInteractiveDevices 439.It KbdInteractiveDevices
440.It KexAlgorithms
439.It LocalCommand 441.It LocalCommand
440.It LocalForward 442.It LocalForward
441.It LogLevel 443.It LogLevel
@@ -646,10 +648,6 @@ may additionally obtain configuration data from
646a per-user configuration file and a system-wide configuration file. 648a per-user configuration file and a system-wide configuration file.
647The file format and configuration options are described in 649The file format and configuration options are described in
648.Xr ssh_config 5 . 650.Xr ssh_config 5 .
649.Pp
650.Nm
651exits with the exit status of the remote command or with 255
652if an error occurred.
653.Sh AUTHENTICATION 651.Sh AUTHENTICATION
654The OpenSSH SSH client supports SSH protocols 1 and 2. 652The OpenSSH SSH client supports SSH protocols 1 and 2.
655The default is to use protocol 2 only, 653The default is to use protocol 2 only,
@@ -721,14 +719,14 @@ key pair for authentication purposes.
721The server knows the public key, and only the user knows the private key. 719The server knows the public key, and only the user knows the private key.
722.Nm 720.Nm
723implements public key authentication protocol automatically, 721implements public key authentication protocol automatically,
724using either the RSA or DSA algorithms. 722using one of the DSA, ECDSA or RSA algorithms.
725Protocol 1 is restricted to using only RSA keys, 723Protocol 1 is restricted to using only RSA keys,
726but protocol 2 may use either. 724but protocol 2 may use any.
727The 725The
728.Sx HISTORY 726.Sx HISTORY
729section of 727section of
730.Xr ssl 8 728.Xr ssl 8
731contains a brief discussion of the two algorithms. 729contains a brief discussion of the DSA and RSA algorithms.
732.Pp 730.Pp
733The file 731The file
734.Pa ~/.ssh/authorized_keys 732.Pa ~/.ssh/authorized_keys
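Review bot: The public key paragraph now names DSA, ECDSA and RSA, but the cross-reference to the HISTORY section of ssl(8) is narrowed to "the DSA and RSA algorithms", which leaves ECDSA as the only algorithm with no pointer. Consider referring the reader to the RFC 5656 entry that this patch adds to the reference list. Separately, "protocol 2 may use any" would read better as "any of them".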
@@ -748,6 +746,8 @@ This stores the private key in
748(protocol 1), 746(protocol 1),
749.Pa ~/.ssh/id_dsa 747.Pa ~/.ssh/id_dsa
750(protocol 2 DSA), 748(protocol 2 DSA),
749.Pa ~/.ssh/id_ecdsa
750(protocol 2 ECDSA),
751or 751or
752.Pa ~/.ssh/id_rsa 752.Pa ~/.ssh/id_rsa
753(protocol 2 RSA) 753(protocol 2 RSA)
@@ -756,6 +756,8 @@ and stores the public key in
756(protocol 1), 756(protocol 1),
757.Pa ~/.ssh/id_dsa.pub 757.Pa ~/.ssh/id_dsa.pub
758(protocol 2 DSA), 758(protocol 2 DSA),
759.Pa ~/.ssh/id_ecdsa.pub
760(protocol 2 ECDSA),
759or 761or
760.Pa ~/.ssh/id_rsa.pub 762.Pa ~/.ssh/id_rsa.pub
761(protocol 2 RSA) 763(protocol 2 RSA)
@@ -1250,7 +1252,7 @@ option in
1250.Xr sshd_config 5 . 1252.Xr sshd_config 5 .
1251.Sh FILES 1253.Sh FILES
1252.Bl -tag -width Ds -compact 1254.Bl -tag -width Ds -compact
1253.It ~/.rhosts 1255.It Pa ~/.rhosts
1254This file is used for host-based authentication (see above). 1256This file is used for host-based authentication (see above).
1255On some machines this file may need to be 1257On some machines this file may need to be
1256world-readable if the user's home directory is on an NFS partition, 1258world-readable if the user's home directory is on an NFS partition,
@@ -1263,42 +1265,44 @@ The recommended
1263permission for most machines is read/write for the user, and not 1265permission for most machines is read/write for the user, and not
1264accessible by others. 1266accessible by others.
1265.Pp 1267.Pp
1266.It ~/.shosts 1268.It Pa ~/.shosts
1267This file is used in exactly the same way as 1269This file is used in exactly the same way as
1268.Pa .rhosts , 1270.Pa .rhosts ,
1269but allows host-based authentication without permitting login with 1271but allows host-based authentication without permitting login with
1270rlogin/rsh. 1272rlogin/rsh.
1271.Pp 1273.Pp
1272.It ~/.ssh/ 1274.It Pa ~/.ssh/
1273This directory is the default location for all user-specific configuration 1275This directory is the default location for all user-specific configuration
1274and authentication information. 1276and authentication information.
1275There is no general requirement to keep the entire contents of this directory 1277There is no general requirement to keep the entire contents of this directory
1276secret, but the recommended permissions are read/write/execute for the user, 1278secret, but the recommended permissions are read/write/execute for the user,
1277and not accessible by others. 1279and not accessible by others.
1278.Pp 1280.Pp
1279.It ~/.ssh/authorized_keys 1281.It Pa ~/.ssh/authorized_keys
1280Lists the public keys (RSA/DSA) that can be used for logging in as this user. 1282Lists the public keys (DSA/ECDSA/RSA) that can be used for logging in as
1283this user.
1281The format of this file is described in the 1284The format of this file is described in the
1282.Xr sshd 8 1285.Xr sshd 8
1283manual page. 1286manual page.
1284This file is not highly sensitive, but the recommended 1287This file is not highly sensitive, but the recommended
1285permissions are read/write for the user, and not accessible by others. 1288permissions are read/write for the user, and not accessible by others.
1286.Pp 1289.Pp
1287.It ~/.ssh/config 1290.It Pa ~/.ssh/config
1288This is the per-user configuration file. 1291This is the per-user configuration file.
1289The file format and configuration options are described in 1292The file format and configuration options are described in
1290.Xr ssh_config 5 . 1293.Xr ssh_config 5 .
1291Because of the potential for abuse, this file must have strict permissions: 1294Because of the potential for abuse, this file must have strict permissions:
1292read/write for the user, and not accessible by others. 1295read/write for the user, and not accessible by others.
1293.Pp 1296.Pp
1294.It ~/.ssh/environment 1297.It Pa ~/.ssh/environment
1295Contains additional definitions for environment variables; see 1298Contains additional definitions for environment variables; see
1296.Sx ENVIRONMENT , 1299.Sx ENVIRONMENT ,
1297above. 1300above.
1298.Pp 1301.Pp
1299.It ~/.ssh/identity 1302.It Pa ~/.ssh/identity
1300.It ~/.ssh/id_dsa 1303.It Pa ~/.ssh/id_dsa
1301.It ~/.ssh/id_rsa 1304.It Pa ~/.ssh/id_ecdsa
1305.It Pa ~/.ssh/id_rsa
1302Contains the private key for authentication. 1306Contains the private key for authentication.
1303These files 1307These files
1304contain sensitive data and should be readable by the user but not 1308contain sensitive data and should be readable by the user but not
@@ -1309,21 +1313,22 @@ It is possible to specify a passphrase when
1309generating the key which will be used to encrypt the 1313generating the key which will be used to encrypt the
1310sensitive part of this file using 3DES. 1314sensitive part of this file using 3DES.
1311.Pp 1315.Pp
1312.It ~/.ssh/identity.pub 1316.It Pa ~/.ssh/identity.pub
1313.It ~/.ssh/id_dsa.pub 1317.It Pa ~/.ssh/id_dsa.pub
1314.It ~/.ssh/id_rsa.pub 1318.It Pa ~/.ssh/id_ecdsa.pub
1319.It Pa ~/.ssh/id_rsa.pub
1315Contains the public key for authentication. 1320Contains the public key for authentication.
1316These files are not 1321These files are not
1317sensitive and can (but need not) be readable by anyone. 1322sensitive and can (but need not) be readable by anyone.
1318.Pp 1323.Pp
1319.It ~/.ssh/known_hosts 1324.It Pa ~/.ssh/known_hosts
1320Contains a list of host keys for all hosts the user has logged into 1325Contains a list of host keys for all hosts the user has logged into
1321that are not already in the systemwide list of known host keys. 1326that are not already in the systemwide list of known host keys.
1322See 1327See
1323.Xr sshd 8 1328.Xr sshd 8
1324for further details of the format of this file. 1329for further details of the format of this file.
1325.Pp 1330.Pp
1326.It ~/.ssh/rc 1331.It Pa ~/.ssh/rc
1327Commands in this file are executed by 1332Commands in this file are executed by
1328.Nm 1333.Nm
1329when the user logs in, just before the user's shell (or command) is 1334when the user logs in, just before the user's shell (or command) is
@@ -1332,11 +1337,11 @@ See the
1332.Xr sshd 8 1337.Xr sshd 8
1333manual page for more information. 1338manual page for more information.
1334.Pp 1339.Pp
1335.It /etc/hosts.equiv 1340.It Pa /etc/hosts.equiv
1336This file is for host-based authentication (see above). 1341This file is for host-based authentication (see above).
1337It should only be writable by root. 1342It should only be writable by root.
1338.Pp 1343.Pp
1339.It /etc/shosts.equiv 1344.It Pa /etc/shosts.equiv
1340This file is used in exactly the same way as 1345This file is used in exactly the same way as
1341.Pa hosts.equiv , 1346.Pa hosts.equiv ,
1342but allows host-based authentication without permitting login with 1347but allows host-based authentication without permitting login with
@@ -1347,9 +1352,10 @@ Systemwide configuration file.
1347The file format and configuration options are described in 1352The file format and configuration options are described in
1348.Xr ssh_config 5 . 1353.Xr ssh_config 5 .
1349.Pp 1354.Pp
1350.It /etc/ssh/ssh_host_key 1355.It Pa /etc/ssh/ssh_host_key
1351.It /etc/ssh/ssh_host_dsa_key 1356.It Pa /etc/ssh/ssh_host_dsa_key
1352.It /etc/ssh/ssh_host_rsa_key 1357.It Pa /etc/ssh/ssh_host_ecdsa_key
1358.It Pa /etc/ssh/ssh_host_rsa_key
1353These three files contain the private parts of the host keys 1359These three files contain the private parts of the host keys
1354and are used for host-based authentication. 1360and are used for host-based authentication.
1355If protocol version 1 is used, 1361If protocol version 1 is used,
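Review bot: The host key list gains /etc/ssh/ssh_host_ecdsa_key, which makes four .It entries, but the unchanged description right below still reads "These three files contain the private parts of the host keys". Update the count, or drop it ("These files contain ...") so the sentence does not go stale again when another key type is added.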
@@ -1367,7 +1373,7 @@ By default
1367.Nm 1373.Nm
1368is not setuid root. 1374is not setuid root.
1369.Pp 1375.Pp
1370.It /etc/ssh/ssh_known_hosts 1376.It Pa /etc/ssh/ssh_known_hosts
1371Systemwide list of known host keys. 1377Systemwide list of known host keys.
1372This file should be prepared by the 1378This file should be prepared by the
1373system administrator to contain the public host keys of all machines in the 1379system administrator to contain the public host keys of all machines in the
@@ -1377,7 +1383,7 @@ See
1377.Xr sshd 8 1383.Xr sshd 8
1378for further details of the format of this file. 1384for further details of the format of this file.
1379.Pp 1385.Pp
1380.It /etc/ssh/sshrc 1386.It Pa /etc/ssh/sshrc
1381Commands in this file are executed by 1387Commands in this file are executed by
1382.Nm 1388.Nm
1383when the user logs in, just before the user's shell (or command) is started. 1389when the user logs in, just before the user's shell (or command) is started.
@@ -1385,6 +1391,10 @@ See the
1385.Xr sshd 8 1391.Xr sshd 8
1386manual page for more information. 1392manual page for more information.
1387.El 1393.El
1394.Sh EXIT STATUS
1395.Nm
1396exits with the exit status of the remote command or with 255
1397if an error occurred.
1388.Sh SEE ALSO 1398.Sh SEE ALSO
1389.Xr scp 1 , 1399.Xr scp 1 ,
1390.Xr sftp 1 , 1400.Xr sftp 1 ,
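Review bot: The new EXIT STATUS section carries over the old wording unchanged, so the ambiguity moves with it: "exits with the exit status of the remote command or with 255 if an error occurred" does not tell a script how to distinguish an ssh failure from a remote command that itself exits 255. Since the text now has its own section, a sentence acknowledging that overlap would make it more useful to callers that check the return code.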
@@ -1458,6 +1468,11 @@ manual page for more information.
1458.%D 2006 1468.%D 2006
1459.Re 1469.Re
1460.Rs 1470.Rs
1471.%R RFC 5656
1472.%T "Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer"
1473.%D 2009
1474.Re
1475.Rs
1461.%T "Hash Visualization: a New Technique to improve Real-World Security" 1476.%T "Hash Visualization: a New Technique to improve Real-World Security"
1462.%A A. Perrig 1477.%A A. Perrig
1463.%A D. Song 1478.%A D. Song