Diffstat (limited to 'ssh.1')
-rw-r--r-- | ssh.1 | 92 |
1 files changed, 31 insertions, 61 deletions
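--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.376 2016/07/16 06:57:55 jmc Exp $
-.Dd $Mdocdate: July 16 2016 $
+.\" $OpenBSD: ssh.1,v 1.384 2017/09/21 19:16:53 markus Exp $
+.Dd $Mdocdate: September 21 2017 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -43,7 +43,7 @@
 .Sh SYNOPSIS
 .Nm ssh
 .Bk -words
-.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
+.Op Fl 46AaCfGgKkMNnqsTtVvXxYy
 .Op Fl b Ar bind_address
 .Op Fl c Ar cipher_spec
 .Op Fl D Oo Ar bind_address : Oc Ns Ar port
@@ -95,16 +95,6 @@ it is executed on the remote host instead of a login shell.
 The options are as follows:
 .Pp
 .Bl -tag -width Ds -compact
-.It Fl 1
-Forces
-.Nm
-to try protocol version 1 only.
-.Pp
-.It Fl 2
-Forces
-.Nm
-to try protocol version 2 only.
-.Pp
 .It Fl 4
 Forces
 .Nm
@@ -144,12 +134,7 @@ data for forwarded X11, TCP and
 .Ux Ns -domain
 connections).
 The compression algorithm is the same used by
-.Xr gzip 1 ,
-and the
-.Dq level
-can be controlled by the
-.Cm CompressionLevel
-option for protocol version 1.
+.Xr gzip 1 .
 Compression is desirable on modem lines and other
 slow connections, but will only slow down things on fast networks.
 The default value can be set on a host-by-host basis in the
@@ -159,14 +144,6 @@ option.
 .Pp
 .It Fl c Ar cipher_spec
 Selects the cipher specification for encrypting the session.
-.Pp
-Protocol version 1 allows specification of a single cipher.
-The supported values are
-.Dq 3des ,
-.Dq blowfish ,
-and
-.Dq des .
-For protocol version 2,
 .Ar cipher_spec
 is a comma-separated list of ciphers
 listed in order of preference.
@@ -290,14 +267,11 @@ private RSA key.
 Selects a file from which the identity (private key) for
 public key authentication is read.
 The default is
-.Pa ~/.ssh/identity
-for protocol version 1, and
 .Pa ~/.ssh/id_dsa ,
 .Pa ~/.ssh/id_ecdsa ,
 .Pa ~/.ssh/id_ed25519
 and
-.Pa ~/.ssh/id_rsa
-for protocol version 2.
+.Pa ~/.ssh/id_rsa .
 Identity files may also be specified on
 a per-host basis in the configuration file.
 It is possible to have multiple
@@ -491,11 +465,9 @@ For full details of the options listed below, and their possible values, see
 .It CertificateFile
 .It ChallengeResponseAuthentication
 .It CheckHostIP
-.It Cipher
 .It Ciphers
 .It ClearAllForwardings
 .It Compression
-.It CompressionLevel
 .It ConnectionAttempts
 .It ConnectTimeout
 .It ControlMaster
@@ -540,17 +512,15 @@ For full details of the options listed below, and their possible values, see
 .It PKCS11Provider
 .It Port
 .It PreferredAuthentications
-.It Protocol
 .It ProxyCommand
 .It ProxyJump
 .It ProxyUseFdpass
 .It PubkeyAcceptedKeyTypes
 .It PubkeyAuthentication
 .It RekeyLimit
+.It RemoteCommand
 .It RemoteForward
 .It RequestTTY
-.It RhostsRSAAuthentication
-.It RSAAuthentication
 .It SendEnv
 .It ServerAliveInterval
 .It ServerAliveCountMax
@@ -622,21 +592,30 @@ Causes most warning and diagnostic messages to be suppressed.
 .Ar remote_socket : local_socket
 .Sm on
 .Xc
+.It Fl R Xo
+.Sm off
+.Oo Ar bind_address : Oc
+.Ar port
+.Sm on
+.Xc
 Specifies that connections to the given TCP port or Unix socket on the remote
-(server) host are to be forwarded to the given host and port, or Unix socket,
-on the local side.
+(server) host are to be forwarded to the local side.
+.Pp
 This works by allocating a socket to listen to either a TCP
 .Ar port
 or to a Unix socket on the remote side.
 Whenever a connection is made to this port or Unix socket, the
 connection is forwarded over the secure channel, and a connection
-is made to either
+is made from the local machine to either an explicit destination specified by
 .Ar host
 port
 .Ar hostport ,
 or
 .Ar local_socket ,
-from the local machine.
+or, if no explicit destination was specified,
+.Nm
+will act as a SOCKS 4/5 proxy and forward connections to the destinations
+requested by the remote SOCKS client.
 .Pp
 Port forwardings can also be specified in the configuration file.
 Privileged ports can be forwarded only when
@@ -806,21 +785,7 @@ a per-user configuration file and a system-wide configuration file.
 The file format and configuration options are described in
 .Xr ssh_config 5 .
 .Sh AUTHENTICATION
-The OpenSSH SSH client supports SSH protocols 1 and 2.
-The default is to use protocol 2 only,
-though this can be changed via the
-.Cm Protocol
-option in
-.Xr ssh_config 5
-or the
-.Fl 1
-and
-.Fl 2
-options (see above).
-Protocol 1 should not be used
-and is only offered to support legacy devices.
-It suffers from a number of cryptographic weaknesses
-and doesn't support many of the advanced features available for protocol 2.
+The OpenSSH SSH client supports SSH protocol 2.
 .Pp
 The methods available for authentication are:
 GSSAPI-based authentication,
@@ -890,11 +855,20 @@ The client proves that it has access to the private key
 and the server checks that the corresponding public key
 is authorized to accept the account.
 .Pp
+The server may inform the client of errors that prevented public key
+authentication from succeeding after authentication completes using a
+different method.
+These may be viewed by increasing the
+.Cm LogLevel
+to
+.Cm DEBUG
+or higher (e.g. by using the
+.Fl v
+flag).
+.Pp
 The user creates his/her key pair by running
 .Xr ssh-keygen 1 .
 This stores the private key in
-.Pa ~/.ssh/identity
-(protocol 1),
 .Pa ~/.ssh/id_dsa
 (DSA),
 .Pa ~/.ssh/id_ecdsa
@@ -905,8 +879,6 @@ or
 .Pa ~/.ssh/id_rsa
 (RSA)
 and stores the public key in
-.Pa ~/.ssh/identity.pub
-(protocol 1),
 .Pa ~/.ssh/id_dsa.pub
 (DSA),
 .Pa ~/.ssh/id_ecdsa.pub
@@ -1490,7 +1462,6 @@ Contains additional definitions for environment variables; see
 .Sx ENVIRONMENT ,
 above.
 .Pp
-.It Pa ~/.ssh/identity
 .It Pa ~/.ssh/id_dsa
 .It Pa ~/.ssh/id_ecdsa
 .It Pa ~/.ssh/id_ed25519
@@ -1505,7 +1476,6 @@ It is possible to specify a passphrase when
 generating the key which will be used to encrypt the
 sensitive part of this file using 3DES.
 .Pp
-.It Pa ~/.ssh/identity.pub
 .It Pa ~/.ssh/id_dsa.pub
 .It Pa ~/.ssh/id_ecdsa.pub
 .It Pa ~/.ssh/id_ed25519.pub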