Diffstat (limited to 'ssh.1')
-rw-r--r-- | ssh.1 | 34 |
1 files changed, 20 insertions, 14 deletions
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh.1,v 1.167 2002/09/27 15:46:21 stevesk Exp $ | 37 | .\" $OpenBSD: ssh.1,v 1.168 2003/03/28 10:11:43 jmc Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH 1 | 39 | .Dt SSH 1 |
40 | .Os | 40 | .Os |
@@ -48,6 +48,7 @@ | |||
48 | .Op Ar command | 48 | .Op Ar command |
49 | .Pp | 49 | .Pp |
50 | .Nm ssh | 50 | .Nm ssh |
51 | .Bk -words | ||
51 | .Op Fl afgknqstvxACNTX1246 | 52 | .Op Fl afgknqstvxACNTX1246 |
52 | .Op Fl b Ar bind_address | 53 | .Op Fl b Ar bind_address |
53 | .Op Fl c Ar cipher_spec | 54 | .Op Fl c Ar cipher_spec |
@@ -66,6 +67,8 @@ | |||
66 | .Sm on | 67 | .Sm on |
67 | .Xc | 68 | .Xc |
68 | .Oc | 69 | .Oc |
70 | .Ek | ||
71 | .Bk -words | ||
69 | .Oo Fl R Xo | 72 | .Oo Fl R Xo |
70 | .Sm off | 73 | .Sm off |
71 | .Ar port : | 74 | .Ar port : |
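Review bot: the `.Ek` at new line 70 is immediately followed by a fresh `.Bk -words` at new line 71, and nothing explains why the synopsis is split into two keep blocks instead of one running from new line 51 to the final `.Ek`. If the split is deliberate (for example to allow a line break before the `-R` argument), a short `.\"` comment above new line 70 would stop a later cleanup from merging the two blocks and changing how the synopsis wraps.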
@@ -77,6 +80,7 @@ | |||
77 | .Op Fl D Ar port | 80 | .Op Fl D Ar port |
78 | .Ar hostname | user@hostname | 81 | .Ar hostname | user@hostname |
79 | .Op Ar command | 82 | .Op Ar command |
83 | .Ek | ||
80 | .Sh DESCRIPTION | 84 | .Sh DESCRIPTION |
81 | .Nm | 85 | .Nm |
82 | (SSH client) is a program for logging into a remote machine and for | 86 | (SSH client) is a program for logging into a remote machine and for |
@@ -361,7 +365,7 @@ variable is set to | |||
361 | .Fl A | 365 | .Fl A |
362 | and | 366 | and |
363 | .Fl a | 367 | .Fl a |
364 | options described later) and | 368 | options described later) and |
365 | the user is using an authentication agent, the connection to the agent | 369 | the user is using an authentication agent, the connection to the agent |
366 | is automatically forwarded to the remote side. | 370 | is automatically forwarded to the remote side. |
367 | .Pp | 371 | .Pp |
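Review bot: both sides of this hunk read identically as rendered, so whatever changed between old lines 361-367 and new lines 365-371 is not visible to a reader of the diff (most likely whitespace). The commit log should say that the change here is whitespace-only, because this paragraph describes when the agent connection is forwarded automatically and reviewers will otherwise look for a wording change in security-relevant text.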
@@ -403,10 +407,11 @@ Disables forwarding of the authentication agent connection. | |||
403 | Enables forwarding of the authentication agent connection. | 407 | Enables forwarding of the authentication agent connection. |
404 | This can also be specified on a per-host basis in a configuration file. | 408 | This can also be specified on a per-host basis in a configuration file. |
405 | .Pp | 409 | .Pp |
406 | Agent forwarding should be enabled with caution. Users with the | 410 | Agent forwarding should be enabled with caution. |
407 | ability to bypass file permissions on the remote host (for the agent's | 411 | Users with the ability to bypass file permissions on the remote host |
408 | Unix-domain socket) can access the local agent through the forwarded | 412 | (for the agent's Unix-domain socket) |
409 | connection. An attacker cannot obtain key material from the agent, | 413 | can access the local agent through the forwarded connection. |
414 | An attacker cannot obtain key material from the agent, | ||
410 | however they can perform operations on the keys that enable them to | 415 | however they can perform operations on the keys that enable them to |
411 | authenticate using the identities loaded into the agent. | 416 | authenticate using the identities loaded into the agent. |
412 | .It Fl b Ar bind_address | 417 | .It Fl b Ar bind_address |
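Review bot: new lines 414-415 keep the comma splice "An attacker cannot obtain key material from the agent, however they can perform operations on the keys". Since the paragraph is already being reflowed to one sentence per line, this is the place to fix it, for example "from the agent; however, they can perform operations on the keys", so that the limit of the protection (no key extraction, but full use of the loaded identities) is stated unambiguously.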
@@ -428,8 +433,8 @@ is only supported in the | |||
428 | client for interoperability with legacy protocol 1 implementations | 433 | client for interoperability with legacy protocol 1 implementations |
429 | that do not support the | 434 | that do not support the |
430 | .Ar 3des | 435 | .Ar 3des |
431 | cipher. Its use is strongly discouraged due to cryptographic | 436 | cipher. |
432 | weaknesses. | 437 | Its use is strongly discouraged due to cryptographic weaknesses. |
433 | .It Fl c Ar cipher_spec | 438 | .It Fl c Ar cipher_spec |
434 | Additionally, for protocol version 2 a comma-separated list of ciphers can | 439 | Additionally, for protocol version 2 a comma-separated list of ciphers can |
435 | be specified in order of preference. | 440 | be specified in order of preference. |
@@ -570,11 +575,11 @@ Disables X11 forwarding. | |||
570 | Enables X11 forwarding. | 575 | Enables X11 forwarding. |
571 | This can also be specified on a per-host basis in a configuration file. | 576 | This can also be specified on a per-host basis in a configuration file. |
572 | .Pp | 577 | .Pp |
573 | X11 forwarding should be enabled with caution. Users with the ability | 578 | X11 forwarding should be enabled with caution. |
574 | to bypass file permissions on the remote host (for the user's X | 579 | Users with the ability to bypass file permissions on the remote host |
575 | authorization database) can access the local X11 display through the | 580 | (for the user's X authorization database) |
576 | forwarded connection. An attacker may then be able to perform | 581 | can access the local X11 display through the forwarded connection. |
577 | activities such as keystroke monitoring. | 582 | An attacker may then be able to perform activities such as keystroke monitoring. |
578 | .It Fl C | 583 | .It Fl C |
579 | Requests compression of all data (including stdin, stdout, stderr, and | 584 | Requests compression of all data (including stdin, stdout, stderr, and |
580 | data for forwarded X11 and TCP/IP connections). | 585 | data for forwarded X11 and TCP/IP connections). |
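Review bot: new line 582, "An attacker may then be able to perform activities such as keystroke monitoring.", runs to 80 characters, while every other source line in this hunk is wrapped well short of that. Break it after "perform" so the line stays under 80 columns like the rest of the paragraph; the rendered output is unchanged.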
@@ -641,7 +646,8 @@ This works by allocating a socket to listen to | |||
641 | on the local side, and whenever a connection is made to this port, the | 646 | on the local side, and whenever a connection is made to this port, the |
642 | connection is forwarded over the secure channel, and the application | 647 | connection is forwarded over the secure channel, and the application |
643 | protocol is then used to determine where to connect to from the | 648 | protocol is then used to determine where to connect to from the |
644 | remote machine. Currently the SOCKS4 protocol is supported, and | 649 | remote machine. |
650 | Currently the SOCKS4 protocol is supported, and | ||
645 | .Nm | 651 | .Nm |
646 | will act as a SOCKS4 server. | 652 | will act as a SOCKS4 server. |
647 | Only root can forward privileged ports. | 653 | Only root can forward privileged ports. |