summaryrefslogtreecommitdiff
path: root/ssh.1
diff options
context:
space:
mode:
Diffstat (limited to 'ssh.1')
-rw-r--r--ssh.169
1 files changed, 48 insertions, 21 deletions
diff --git a/ssh.1 b/ssh.1
index d84063487..48c11c733 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,8 +34,8 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: ssh.1,v 1.283 2009/03/19 15:15:09 jmc Exp $ 37.\" $OpenBSD: ssh.1,v 1.302 2010/03/05 10:28:21 djm Exp $
38.Dd $Mdocdate: March 19 2009 $ 38.Dd $Mdocdate: March 5 2010 $
39.Dt SSH 1 39.Dt SSH 1
40.Os 40.Os
41.Sh NAME 41.Sh NAME
@@ -54,6 +54,7 @@
54.Oc 54.Oc
55.Op Fl e Ar escape_char 55.Op Fl e Ar escape_char
56.Op Fl F Ar configfile 56.Op Fl F Ar configfile
57.Op Fl I Ar pkcs11
57.Bk -words 58.Bk -words
58.Op Fl i Ar identity_file 59.Op Fl i Ar identity_file
59.Ek 60.Ek
@@ -77,12 +78,11 @@
77.Sm on 78.Sm on
78.Oc 79.Oc
79.Op Fl S Ar ctl_path 80.Op Fl S Ar ctl_path
80.Bk -words 81.Op Fl W Ar host : Ns Ar port
81.Oo Fl w Ar local_tun Ns 82.Oo Fl w Ar local_tun Ns
82.Op : Ns Ar remote_tun Oc 83.Op : Ns Ar remote_tun Oc
83.Oo Ar user Ns @ Oc Ns Ar hostname 84.Oo Ar user Ns @ Oc Ns Ar hostname
84.Op Ar command 85.Op Ar command
85.Ek
86.Sh DESCRIPTION 86.Sh DESCRIPTION
87.Nm 87.Nm
88(SSH client) is a program for logging into a remote machine and for 88(SSH client) is a program for logging into a remote machine and for
@@ -132,8 +132,9 @@ This can also be specified on a per-host basis in a configuration file.
132.Pp 132.Pp
133Agent forwarding should be enabled with caution. 133Agent forwarding should be enabled with caution.
134Users with the ability to bypass file permissions on the remote host 134Users with the ability to bypass file permissions on the remote host
135(for the agent's Unix-domain socket) 135(for the agent's
136can access the local agent through the forwarded connection. 136.Ux Ns -domain
137socket) can access the local agent through the forwarded connection.
137An attacker cannot obtain key material from the agent, 138An attacker cannot obtain key material from the agent,
138however they can perform operations on the keys that enable them to 139however they can perform operations on the keys that enable them to
139authenticate using the identities loaded into the agent. 140authenticate using the identities loaded into the agent.
@@ -284,13 +285,11 @@ will wait for all remote port forwards to be successfully established
284before placing itself in the background. 285before placing itself in the background.
285.It Fl g 286.It Fl g
286Allows remote hosts to connect to local forwarded ports. 287Allows remote hosts to connect to local forwarded ports.
287.It Fl I Ar smartcard_device 288.It Fl I Ar pkcs11
288Specify the device 289Specify the PKCS#11 shared library
289.Nm 290.Nm
290should use to communicate with a smartcard used for storing the user's 291should use to communicate with a PKCS#11 token providing the user's
291private RSA key. 292private RSA key.
292This option is only available if support for smartcard devices
293is compiled in (default is no support).
294.It Fl i Ar identity_file 293.It Fl i Ar identity_file
295Selects a file from which the identity (private key) for 294Selects a file from which the identity (private key) for
296RSA or DSA authentication is read. 295RSA or DSA authentication is read.
@@ -307,6 +306,11 @@ It is possible to have multiple
307.Fl i 306.Fl i
308options (and multiple identities specified in 307options (and multiple identities specified in
309configuration files). 308configuration files).
309.Nm
310will also try to load certificate information from the filename obtained
311by appending
312.Pa -cert.pub
313to identity filenames.
310.It Fl K 314.It Fl K
311Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI 315Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI
312credentials to the server. 316credentials to the server.
@@ -469,6 +473,7 @@ For full details of the options listed below, and their possible values, see
469.It NumberOfPasswordPrompts 473.It NumberOfPasswordPrompts
470.It PasswordAuthentication 474.It PasswordAuthentication
471.It PermitLocalCommand 475.It PermitLocalCommand
476.It PKCS11Provider
472.It Port 477.It Port
473.It PreferredAuthentications 478.It PreferredAuthentications
474.It Protocol 479.It Protocol
@@ -481,7 +486,6 @@ For full details of the options listed below, and their possible values, see
481.It SendEnv 486.It SendEnv
482.It ServerAliveInterval 487.It ServerAliveInterval
483.It ServerAliveCountMax 488.It ServerAliveCountMax
484.It SmartcardDevice
485.It StrictHostKeyChecking 489.It StrictHostKeyChecking
486.It TCPKeepAlive 490.It TCPKeepAlive
487.It Tunnel 491.It Tunnel
@@ -601,6 +605,19 @@ Multiple
601.Fl v 605.Fl v
602options increase the verbosity. 606options increase the verbosity.
603The maximum is 3. 607The maximum is 3.
608.It Fl W Ar host : Ns Ar port
609Requests that standard input and output on the client be forwarded to
610.Ar host
611on
612.Ar port
613over the secure channel.
614Implies
615.Fl N ,
616.Fl T ,
617.Cm ExitOnForwardFailure
618and
619.Cm ClearAllForwardings
620and works with Protocol version 2 only.
604.It Fl w Xo 621.It Fl w Xo
605.Ar local_tun Ns Op : Ns Ar remote_tun 622.Ar local_tun Ns Op : Ns Ar remote_tun
606.Xc 623.Xc
@@ -674,20 +691,18 @@ exits with the exit status of the remote command or with 255
674if an error occurred. 691if an error occurred.
675.Sh AUTHENTICATION 692.Sh AUTHENTICATION
676The OpenSSH SSH client supports SSH protocols 1 and 2. 693The OpenSSH SSH client supports SSH protocols 1 and 2.
677Protocol 2 is the default, with 694The default is to use protocol 2 only,
678.Nm 695though this can be changed via the
679falling back to protocol 1 if it detects protocol 2 is unsupported.
680These settings may be altered using the
681.Cm Protocol 696.Cm Protocol
682option in 697option in
683.Xr ssh_config 5 , 698.Xr ssh_config 5
684or enforced using the 699or the
685.Fl 1 700.Fl 1
686and 701and
687.Fl 2 702.Fl 2
688options (see above). 703options (see above).
689Both protocols support similar authentication methods, 704Both protocols support similar authentication methods,
690but protocol 2 is preferred since 705but protocol 2 is the default since
691it provides additional mechanisms for confidentiality 706it provides additional mechanisms for confidentiality
692(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) 707(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
693and integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160). 708and integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160).
@@ -800,8 +815,20 @@ file, and has one key
800per line, though the lines can be very long. 815per line, though the lines can be very long.
801After this, the user can log in without giving the password. 816After this, the user can log in without giving the password.
802.Pp 817.Pp
803The most convenient way to use public key authentication may be with an 818A variation on public key authentication
804authentication agent. 819is available in the form of certificate authentication:
820instead of a set of public/private keys,
821signed certificates are used.
822This has the advantage that a single trusted certification authority
823can be used in place of many public/private keys.
824See the
825.Sx CERTIFICATES
826section of
827.Xr ssh-keygen 1
828for more information.
829.Pp
830The most convenient way to use public key or certificate authentication
831may be with an authentication agent.
805See 832See
806.Xr ssh-agent 1 833.Xr ssh-agent 1
807for more information. 834for more information.