Diffstat (limited to 'ssh.1')
-rw-r--r-- | ssh.1 | 66 |
1 files changed, 24 insertions, 42 deletions
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: ssh.1,v 1.368 2016/02/16 07:47:54 jmc Exp $ | 36 | .\" $OpenBSD: ssh.1,v 1.369 2016/02/17 07:38:19 jmc Exp $ |
37 | .Dd $Mdocdate: February 16 2016 $ | 37 | .Dd $Mdocdate: February 17 2016 $ |
38 | .Dt SSH 1 | 38 | .Dt SSH 1 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -402,17 +402,15 @@ in | |||
402 | for details. | 402 | for details. |
403 | .Pp | 403 | .Pp |
404 | .It Fl m Ar mac_spec | 404 | .It Fl m Ar mac_spec |
405 | Additionally, for protocol version 2 a comma-separated list of MAC | 405 | A comma-separated list of MAC (message authentication code) algorithms, |
406 | (message authentication code) algorithms can | 406 | specified in order of preference. |
407 | be specified in order of preference. | ||
408 | See the | 407 | See the |
409 | .Cm MACs | 408 | .Cm MACs |
410 | keyword for more information. | 409 | keyword for more information. |
411 | .Pp | 410 | .Pp |
412 | .It Fl N | 411 | .It Fl N |
413 | Do not execute a remote command. | 412 | Do not execute a remote command. |
414 | This is useful for just forwarding ports | 413 | This is useful for just forwarding ports. |
415 | (protocol version 2 only). | ||
416 | .Pp | 414 | .Pp |
417 | .It Fl n | 415 | .It Fl n |
418 | Redirects stdin from | 416 | Redirects stdin from |
@@ -664,8 +662,8 @@ for details. | |||
664 | .Pp | 662 | .Pp |
665 | .It Fl s | 663 | .It Fl s |
666 | May be used to request invocation of a subsystem on the remote system. | 664 | May be used to request invocation of a subsystem on the remote system. |
667 | Subsystems are a feature of the SSH2 protocol which facilitate the use | 665 | Subsystems facilitate the use of SSH |
668 | of SSH as a secure transport for other applications (eg.\& | 666 | as a secure transport for other applications (e.g.\& |
669 | .Xr sftp 1 ) . | 667 | .Xr sftp 1 ) . |
670 | The subsystem is specified as the remote command. | 668 | The subsystem is specified as the remote command. |
671 | .Pp | 669 | .Pp |
@@ -710,7 +708,6 @@ Implies | |||
710 | .Cm ExitOnForwardFailure | 708 | .Cm ExitOnForwardFailure |
711 | and | 709 | and |
712 | .Cm ClearAllForwardings . | 710 | .Cm ClearAllForwardings . |
713 | Works with Protocol version 2 only. | ||
714 | .Pp | 711 | .Pp |
715 | .It Fl w Xo | 712 | .It Fl w Xo |
716 | .Ar local_tun Ns Op : Ns Ar remote_tun | 713 | .Ar local_tun Ns Op : Ns Ar remote_tun |
@@ -795,8 +792,10 @@ or the | |||
795 | and | 792 | and |
796 | .Fl 2 | 793 | .Fl 2 |
797 | options (see above). | 794 | options (see above). |
798 | Protocol 1 should not be used - it suffers from a number of cryptographic | 795 | Protocol 1 should not be used |
799 | weaknesses and is only offered to support legacy devices. | 796 | and is only offered to support legacy devices. |
797 | It suffers from a number of cryptographic weaknesses | ||
798 | and doesn't support many of the advanced features available for protocol 2. | ||
800 | .Pp | 799 | .Pp |
801 | The methods available for authentication are: | 800 | The methods available for authentication are: |
802 | GSSAPI-based authentication, | 801 | GSSAPI-based authentication, |
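Review bot: the reworded sentence introduces the contraction "doesn't" ("and doesn't support many of the advanced features available for protocol 2") into a page that otherwise uses full forms ("Do not execute a remote command", "Protocol 1 should not be used"); suggest "and does not support many of the advanced features available for protocol 2". The split into two sentences is otherwise an improvement, and the retained reference to the -1 and -2 options keeps the paragraph consistent with protocol 1 still being documented.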
@@ -805,8 +804,9 @@ public key authentication, | |||
805 | challenge-response authentication, | 804 | challenge-response authentication, |
806 | and password authentication. | 805 | and password authentication. |
807 | Authentication methods are tried in the order specified above, | 806 | Authentication methods are tried in the order specified above, |
808 | though protocol 2 has a configuration option to change the default order: | 807 | though |
809 | .Cm PreferredAuthentications . | 808 | .Cm PreferredAuthentications |
809 | can be used to change the default order. | ||
810 | .Pp | 810 | .Pp |
811 | Host-based authentication works as follows: | 811 | Host-based authentication works as follows: |
812 | If the machine the user logs in from is listed in | 812 | If the machine the user logs in from is listed in |
@@ -850,8 +850,6 @@ The server knows the public key, and only the user knows the private key. | |||
850 | .Nm | 850 | .Nm |
851 | implements public key authentication protocol automatically, | 851 | implements public key authentication protocol automatically, |
852 | using one of the DSA, ECDSA, Ed25519 or RSA algorithms. | 852 | using one of the DSA, ECDSA, Ed25519 or RSA algorithms. |
853 | Protocol 1 is restricted to using only RSA keys, | ||
854 | but protocol 2 may use any. | ||
855 | The HISTORY section of | 853 | The HISTORY section of |
856 | .Xr ssl 8 | 854 | .Xr ssl 8 |
857 | contains a brief discussion of the DSA and RSA algorithms. | 855 | contains a brief discussion of the DSA and RSA algorithms. |
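Review bot: dropping "Protocol 1 is restricted to using only RSA keys, but protocol 2 may use any." removes the only statement in this section of which key types protocol 1 accepts, while the page continues to document protocol 1 (the -1 option and the ~/.ssh/identity file). If protocol 1 stays documented, consider keeping a short qualifier after "using one of the DSA, ECDSA, Ed25519 or RSA algorithms.", for example "(protocol 1 supports only RSA keys)", or moving the restriction to the -1 option text so that readers are not left to infer it.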
@@ -873,26 +871,26 @@ This stores the private key in | |||
873 | .Pa ~/.ssh/identity | 871 | .Pa ~/.ssh/identity |
874 | (protocol 1), | 872 | (protocol 1), |
875 | .Pa ~/.ssh/id_dsa | 873 | .Pa ~/.ssh/id_dsa |
876 | (protocol 2 DSA), | 874 | (DSA), |
877 | .Pa ~/.ssh/id_ecdsa | 875 | .Pa ~/.ssh/id_ecdsa |
878 | (protocol 2 ECDSA), | 876 | (ECDSA), |
879 | .Pa ~/.ssh/id_ed25519 | 877 | .Pa ~/.ssh/id_ed25519 |
880 | (protocol 2 Ed25519), | 878 | (Ed25519), |
881 | or | 879 | or |
882 | .Pa ~/.ssh/id_rsa | 880 | .Pa ~/.ssh/id_rsa |
883 | (protocol 2 RSA) | 881 | (RSA) |
884 | and stores the public key in | 882 | and stores the public key in |
885 | .Pa ~/.ssh/identity.pub | 883 | .Pa ~/.ssh/identity.pub |
886 | (protocol 1), | 884 | (protocol 1), |
887 | .Pa ~/.ssh/id_dsa.pub | 885 | .Pa ~/.ssh/id_dsa.pub |
888 | (protocol 2 DSA), | 886 | (DSA), |
889 | .Pa ~/.ssh/id_ecdsa.pub | 887 | .Pa ~/.ssh/id_ecdsa.pub |
890 | (protocol 2 ECDSA), | 888 | (ECDSA), |
891 | .Pa ~/.ssh/id_ed25519.pub | 889 | .Pa ~/.ssh/id_ed25519.pub |
892 | (protocol 2 Ed25519), | 890 | (Ed25519), |
893 | or | 891 | or |
894 | .Pa ~/.ssh/id_rsa.pub | 892 | .Pa ~/.ssh/id_rsa.pub |
895 | (protocol 2 RSA) | 893 | (RSA) |
896 | in the user's home directory. | 894 | in the user's home directory. |
897 | The user should then copy the public key | 895 | The user should then copy the public key |
898 | to | 896 | to |
@@ -930,8 +928,6 @@ Challenge-response authentication works as follows: | |||
930 | The server sends an arbitrary | 928 | The server sends an arbitrary |
931 | .Qq challenge | 929 | .Qq challenge |
932 | text, and prompts for a response. | 930 | text, and prompts for a response. |
933 | Protocol 2 allows multiple challenges and responses; | ||
934 | protocol 1 is restricted to just one challenge/response. | ||
935 | Examples of challenge-response authentication include | 931 | Examples of challenge-response authentication include |
936 | .Bx | 932 | .Bx |
937 | Authentication (see | 933 | Authentication (see |
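Review bot: deleting "Protocol 2 allows multiple challenges and responses;" leaves "The server sends an arbitrary challenge text, and prompts for a response.", which now reads as a single round trip. The multi-round behaviour is a property of the current protocol rather than a protocol 1 versus 2 comparison, so rather than removing the sentence, suggest folding it into the description, e.g. "The server sends one or more arbitrary challenge texts, prompting for a response to each."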
@@ -1030,7 +1026,7 @@ at logout when waiting for forwarded connection / X11 sessions to terminate. | |||
1030 | Display a list of escape characters. | 1026 | Display a list of escape characters. |
1031 | .It Cm ~B | 1027 | .It Cm ~B |
1032 | Send a BREAK to the remote system | 1028 | Send a BREAK to the remote system |
1033 | (only useful for SSH protocol version 2 and if the peer supports it). | 1029 | (only useful if the peer supports it). |
1034 | .It Cm ~C | 1030 | .It Cm ~C |
1035 | Open command line. | 1031 | Open command line. |
1036 | Currently this allows the addition of port forwardings using the | 1032 | Currently this allows the addition of port forwardings using the |
@@ -1063,7 +1059,7 @@ Basic help is available, using the | |||
1063 | option. | 1059 | option. |
1064 | .It Cm ~R | 1060 | .It Cm ~R |
1065 | Request rekeying of the connection | 1061 | Request rekeying of the connection |
1066 | (only useful for SSH protocol version 2 and if the peer supports it). | 1062 | (only useful if the peer supports it). |
1067 | .It Cm ~V | 1063 | .It Cm ~V |
1068 | Decrease the verbosity | 1064 | Decrease the verbosity |
1069 | .Pq Ic LogLevel | 1065 | .Pq Ic LogLevel |
@@ -1531,20 +1527,6 @@ The file format and configuration options are described in | |||
1531 | .It Pa /etc/ssh/ssh_host_rsa_key | 1527 | .It Pa /etc/ssh/ssh_host_rsa_key |
1532 | These files contain the private parts of the host keys | 1528 | These files contain the private parts of the host keys |
1533 | and are used for host-based authentication. | 1529 | and are used for host-based authentication. |
1534 | If protocol version 1 is used, | ||
1535 | .Nm | ||
1536 | must be setuid root, since the host key is readable only by root. | ||
1537 | For protocol version 2, | ||
1538 | .Nm | ||
1539 | uses | ||
1540 | .Xr ssh-keysign 8 | ||
1541 | to access the host keys, | ||
1542 | eliminating the requirement that | ||
1543 | .Nm | ||
1544 | be setuid root when host-based authentication is used. | ||
1545 | By default | ||
1546 | .Nm | ||
1547 | is not setuid root. | ||
1548 | .Pp | 1530 | .Pp |
1549 | .It Pa /etc/ssh/ssh_known_hosts | 1531 | .It Pa /etc/ssh/ssh_known_hosts |
1550 | Systemwide list of known host keys. | 1532 | Systemwide list of known host keys. |
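Review bot: this deletion removes more than the protocol 1 text. The sentences ".Nm uses .Xr ssh-keysign 8 to access the host keys" and "By default .Nm is not setuid root." describe how host-based authentication reads the root-only host key files today and are the only mention of ssh-keysign(8) in this hunk. Suggest dropping only "If protocol version 1 is used, .Nm must be setuid root, since the host key is readable only by root." and keeping the rest, e.g. ".Nm uses .Xr ssh-keysign 8 to access the host keys, so .Nm does not need to be setuid root when host-based authentication is used. By default .Nm is not setuid root." That preserves the cross reference administrators need when auditing which binaries carry the setuid bit.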