summaryrefslogtreecommitdiff
path: root/ssh.1
diff options
context:
space:
mode:
Diffstat (limited to 'ssh.1')
-rw-r--r--ssh.185
1 files changed, 50 insertions, 35 deletions
diff --git a/ssh.1 b/ssh.1
index 22ce67530..e0f237966 100644
--- a/ssh.1
+++ b/ssh.1
@@ -1,4 +1,3 @@
1.\" -*- nroff -*-
2.\" 1.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 2.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -34,8 +33,8 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 35.\"
37.\" $OpenBSD: ssh.1,v 1.308 2010/08/04 05:37:01 djm Exp $ 36.\" $OpenBSD: ssh.1,v 1.316 2010/11/18 15:01:00 jmc Exp $
38.Dd $Mdocdate: August 4 2010 $ 37.Dd $Mdocdate: November 18 2010 $
39.Dt SSH 1 38.Dt SSH 1
40.Os 39.Os
41.Sh NAME 40.Sh NAME
@@ -269,13 +268,14 @@ should use to communicate with a PKCS#11 token providing the user's
269private RSA key. 268private RSA key.
270.It Fl i Ar identity_file 269.It Fl i Ar identity_file
271Selects a file from which the identity (private key) for 270Selects a file from which the identity (private key) for
272RSA or DSA authentication is read. 271public key authentication is read.
273The default is 272The default is
274.Pa ~/.ssh/identity 273.Pa ~/.ssh/identity
275for protocol version 1, and 274for protocol version 1, and
276.Pa ~/.ssh/id_rsa 275.Pa ~/.ssh/id_dsa ,
276.Pa ~/.ssh/id_ecdsa
277and 277and
278.Pa ~/.ssh/id_dsa 278.Pa ~/.ssh/id_rsa
279for protocol version 2. 279for protocol version 2.
280Identity files may also be specified on 280Identity files may also be specified on
281a per-host basis in the configuration file. 281a per-host basis in the configuration file.
@@ -435,7 +435,9 @@ For full details of the options listed below, and their possible values, see
435.It HostName 435.It HostName
436.It IdentityFile 436.It IdentityFile
437.It IdentitiesOnly 437.It IdentitiesOnly
438.It IPQoS
438.It KbdInteractiveDevices 439.It KbdInteractiveDevices
440.It KexAlgorithms
439.It LocalCommand 441.It LocalCommand
440.It LocalForward 442.It LocalForward
441.It LogLevel 443.It LogLevel
@@ -646,10 +648,6 @@ may additionally obtain configuration data from
646a per-user configuration file and a system-wide configuration file. 648a per-user configuration file and a system-wide configuration file.
647The file format and configuration options are described in 649The file format and configuration options are described in
648.Xr ssh_config 5 . 650.Xr ssh_config 5 .
649.Pp
650.Nm
651exits with the exit status of the remote command or with 255
652if an error occurred.
653.Sh AUTHENTICATION 651.Sh AUTHENTICATION
654The OpenSSH SSH client supports SSH protocols 1 and 2. 652The OpenSSH SSH client supports SSH protocols 1 and 2.
655The default is to use protocol 2 only, 653The default is to use protocol 2 only,
@@ -721,9 +719,9 @@ key pair for authentication purposes.
721The server knows the public key, and only the user knows the private key. 719The server knows the public key, and only the user knows the private key.
722.Nm 720.Nm
723implements public key authentication protocol automatically, 721implements public key authentication protocol automatically,
724using either the RSA or DSA algorithms. 722using one of the DSA, ECDSA or RSA algorithms.
725Protocol 1 is restricted to using only RSA keys, 723Protocol 1 is restricted to using only RSA keys,
726but protocol 2 may use either. 724but protocol 2 may use any.
727The 725The
728.Sx HISTORY 726.Sx HISTORY
729section of 727section of
@@ -732,7 +730,7 @@ section of
732.nh 730.nh
733http://www.openbsd.org/cgi\-bin/man.cgi?query=ssl&sektion=8#HISTORY) 731http://www.openbsd.org/cgi\-bin/man.cgi?query=ssl&sektion=8#HISTORY)
734.hy 732.hy
735contains a brief discussion of the two algorithms. 733contains a brief discussion of the DSA and RSA algorithms.
736.Pp 734.Pp
737The file 735The file
738.Pa ~/.ssh/authorized_keys 736.Pa ~/.ssh/authorized_keys
@@ -752,6 +750,8 @@ This stores the private key in
752(protocol 1), 750(protocol 1),
753.Pa ~/.ssh/id_dsa 751.Pa ~/.ssh/id_dsa
754(protocol 2 DSA), 752(protocol 2 DSA),
753.Pa ~/.ssh/id_ecdsa
754(protocol 2 ECDSA),
755or 755or
756.Pa ~/.ssh/id_rsa 756.Pa ~/.ssh/id_rsa
757(protocol 2 RSA) 757(protocol 2 RSA)
@@ -760,6 +760,8 @@ and stores the public key in
760(protocol 1), 760(protocol 1),
761.Pa ~/.ssh/id_dsa.pub 761.Pa ~/.ssh/id_dsa.pub
762(protocol 2 DSA), 762(protocol 2 DSA),
763.Pa ~/.ssh/id_ecdsa.pub
764(protocol 2 ECDSA),
763or 765or
764.Pa ~/.ssh/id_rsa.pub 766.Pa ~/.ssh/id_rsa.pub
765(protocol 2 RSA) 767(protocol 2 RSA)
@@ -1254,7 +1256,7 @@ option in
1254.Xr sshd_config 5 . 1256.Xr sshd_config 5 .
1255.Sh FILES 1257.Sh FILES
1256.Bl -tag -width Ds -compact 1258.Bl -tag -width Ds -compact
1257.It ~/.rhosts 1259.It Pa ~/.rhosts
1258This file is used for host-based authentication (see above). 1260This file is used for host-based authentication (see above).
1259On some machines this file may need to be 1261On some machines this file may need to be
1260world-readable if the user's home directory is on an NFS partition, 1262world-readable if the user's home directory is on an NFS partition,
@@ -1267,28 +1269,29 @@ The recommended
1267permission for most machines is read/write for the user, and not 1269permission for most machines is read/write for the user, and not
1268accessible by others. 1270accessible by others.
1269.Pp 1271.Pp
1270.It ~/.shosts 1272.It Pa ~/.shosts
1271This file is used in exactly the same way as 1273This file is used in exactly the same way as
1272.Pa .rhosts , 1274.Pa .rhosts ,
1273but allows host-based authentication without permitting login with 1275but allows host-based authentication without permitting login with
1274rlogin/rsh. 1276rlogin/rsh.
1275.Pp 1277.Pp
1276.It ~/.ssh/ 1278.It Pa ~/.ssh/
1277This directory is the default location for all user-specific configuration 1279This directory is the default location for all user-specific configuration
1278and authentication information. 1280and authentication information.
1279There is no general requirement to keep the entire contents of this directory 1281There is no general requirement to keep the entire contents of this directory
1280secret, but the recommended permissions are read/write/execute for the user, 1282secret, but the recommended permissions are read/write/execute for the user,
1281and not accessible by others. 1283and not accessible by others.
1282.Pp 1284.Pp
1283.It ~/.ssh/authorized_keys 1285.It Pa ~/.ssh/authorized_keys
1284Lists the public keys (RSA/DSA) that can be used for logging in as this user. 1286Lists the public keys (DSA/ECDSA/RSA) that can be used for logging in as
1287this user.
1285The format of this file is described in the 1288The format of this file is described in the
1286.Xr sshd 8 1289.Xr sshd 8
1287manual page. 1290manual page.
1288This file is not highly sensitive, but the recommended 1291This file is not highly sensitive, but the recommended
1289permissions are read/write for the user, and not accessible by others. 1292permissions are read/write for the user, and not accessible by others.
1290.Pp 1293.Pp
1291.It ~/.ssh/config 1294.It Pa ~/.ssh/config
1292This is the per-user configuration file. 1295This is the per-user configuration file.
1293The file format and configuration options are described in 1296The file format and configuration options are described in
1294.Xr ssh_config 5 . 1297.Xr ssh_config 5 .
@@ -1297,14 +1300,15 @@ read/write for the user, and not accessible by others.
1297It may be group-writable provided that the group in question contains only 1300It may be group-writable provided that the group in question contains only
1298the user. 1301the user.
1299.Pp 1302.Pp
1300.It ~/.ssh/environment 1303.It Pa ~/.ssh/environment
1301Contains additional definitions for environment variables; see 1304Contains additional definitions for environment variables; see
1302.Sx ENVIRONMENT , 1305.Sx ENVIRONMENT ,
1303above. 1306above.
1304.Pp 1307.Pp
1305.It ~/.ssh/identity 1308.It Pa ~/.ssh/identity
1306.It ~/.ssh/id_dsa 1309.It Pa ~/.ssh/id_dsa
1307.It ~/.ssh/id_rsa 1310.It Pa ~/.ssh/id_ecdsa
1311.It Pa ~/.ssh/id_rsa
1308Contains the private key for authentication. 1312Contains the private key for authentication.
1309These files 1313These files
1310contain sensitive data and should be readable by the user but not 1314contain sensitive data and should be readable by the user but not
@@ -1315,21 +1319,22 @@ It is possible to specify a passphrase when
1315generating the key which will be used to encrypt the 1319generating the key which will be used to encrypt the
1316sensitive part of this file using 3DES. 1320sensitive part of this file using 3DES.
1317.Pp 1321.Pp
1318.It ~/.ssh/identity.pub 1322.It Pa ~/.ssh/identity.pub
1319.It ~/.ssh/id_dsa.pub 1323.It Pa ~/.ssh/id_dsa.pub
1320.It ~/.ssh/id_rsa.pub 1324.It Pa ~/.ssh/id_ecdsa.pub
1325.It Pa ~/.ssh/id_rsa.pub
1321Contains the public key for authentication. 1326Contains the public key for authentication.
1322These files are not 1327These files are not
1323sensitive and can (but need not) be readable by anyone. 1328sensitive and can (but need not) be readable by anyone.
1324.Pp 1329.Pp
1325.It ~/.ssh/known_hosts 1330.It Pa ~/.ssh/known_hosts
1326Contains a list of host keys for all hosts the user has logged into 1331Contains a list of host keys for all hosts the user has logged into
1327that are not already in the systemwide list of known host keys. 1332that are not already in the systemwide list of known host keys.
1328See 1333See
1329.Xr sshd 8 1334.Xr sshd 8
1330for further details of the format of this file. 1335for further details of the format of this file.
1331.Pp 1336.Pp
1332.It ~/.ssh/rc 1337.It Pa ~/.ssh/rc
1333Commands in this file are executed by 1338Commands in this file are executed by
1334.Nm 1339.Nm
1335when the user logs in, just before the user's shell (or command) is 1340when the user logs in, just before the user's shell (or command) is
@@ -1338,11 +1343,11 @@ See the
1338.Xr sshd 8 1343.Xr sshd 8
1339manual page for more information. 1344manual page for more information.
1340.Pp 1345.Pp
1341.It /etc/hosts.equiv 1346.It Pa /etc/hosts.equiv
1342This file is for host-based authentication (see above). 1347This file is for host-based authentication (see above).
1343It should only be writable by root. 1348It should only be writable by root.
1344.Pp 1349.Pp
1345.It /etc/shosts.equiv 1350.It Pa /etc/shosts.equiv
1346This file is used in exactly the same way as 1351This file is used in exactly the same way as
1347.Pa hosts.equiv , 1352.Pa hosts.equiv ,
1348but allows host-based authentication without permitting login with 1353but allows host-based authentication without permitting login with
@@ -1353,9 +1358,10 @@ Systemwide configuration file.
1353The file format and configuration options are described in 1358The file format and configuration options are described in
1354.Xr ssh_config 5 . 1359.Xr ssh_config 5 .
1355.Pp 1360.Pp
1356.It /etc/ssh/ssh_host_key 1361.It Pa /etc/ssh/ssh_host_key
1357.It /etc/ssh/ssh_host_dsa_key 1362.It Pa /etc/ssh/ssh_host_dsa_key
1358.It /etc/ssh/ssh_host_rsa_key 1363.It Pa /etc/ssh/ssh_host_ecdsa_key
1364.It Pa /etc/ssh/ssh_host_rsa_key
1359These three files contain the private parts of the host keys 1365These three files contain the private parts of the host keys
1360and are used for host-based authentication. 1366and are used for host-based authentication.
1361If protocol version 1 is used, 1367If protocol version 1 is used,
@@ -1373,7 +1379,7 @@ By default
1373.Nm 1379.Nm
1374is not setuid root. 1380is not setuid root.
1375.Pp 1381.Pp
1376.It /etc/ssh/ssh_known_hosts 1382.It Pa /etc/ssh/ssh_known_hosts
1377Systemwide list of known host keys. 1383Systemwide list of known host keys.
1378This file should be prepared by the 1384This file should be prepared by the
1379system administrator to contain the public host keys of all machines in the 1385system administrator to contain the public host keys of all machines in the
@@ -1383,7 +1389,7 @@ See
1383.Xr sshd 8 1389.Xr sshd 8
1384for further details of the format of this file. 1390for further details of the format of this file.
1385.Pp 1391.Pp
1386.It /etc/ssh/sshrc 1392.It Pa /etc/ssh/sshrc
1387Commands in this file are executed by 1393Commands in this file are executed by
1388.Nm 1394.Nm
1389when the user logs in, just before the user's shell (or command) is started. 1395when the user logs in, just before the user's shell (or command) is started.
@@ -1391,6 +1397,10 @@ See the
1391.Xr sshd 8 1397.Xr sshd 8
1392manual page for more information. 1398manual page for more information.
1393.El 1399.El
1400.Sh EXIT STATUS
1401.Nm
1402exits with the exit status of the remote command or with 255
1403if an error occurred.
1394.Sh SEE ALSO 1404.Sh SEE ALSO
1395.Xr scp 1 , 1405.Xr scp 1 ,
1396.Xr sftp 1 , 1406.Xr sftp 1 ,
@@ -1466,6 +1476,11 @@ manual page for more information.
1466.%D 2006 1476.%D 2006
1467.Re 1477.Re
1468.Rs 1478.Rs
1479.%R RFC 5656
1480.%T "Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer"
1481.%D 2009
1482.Re
1483.Rs
1469.%T "Hash Visualization: a New Technique to improve Real-World Security" 1484.%T "Hash Visualization: a New Technique to improve Real-World Security"
1470.%A A. Perrig 1485.%A A. Perrig
1471.%A D. Song 1486.%A D. Song