Diffstat (limited to 'ssh.1')
-rw-r--r-- ssh.1 103
1 files changed, 84 insertions, 19 deletions
diff --git a/ssh.1 b/ssh.1
index d90951352..d08fb0e01 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: ssh.1,v 1.182 2004/03/05 10:53:58 markus Exp $ 37.\" $OpenBSD: ssh.1,v 1.194 2004/08/12 21:41:13 jakob Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSH 1 39.Dt SSH 1
40.Os 40.Os
@@ -43,14 +43,14 @@
43.Nd OpenSSH SSH client (remote login program) 43.Nd OpenSSH SSH client (remote login program)
44.Sh SYNOPSIS 44.Sh SYNOPSIS
45.Nm ssh 45.Nm ssh
46.Op Fl 1246AaCfgkNnqsTtVvXxY 46.Op Fl 1246AaCfgkMNnqsTtVvXxY
47.Op Fl b Ar bind_address 47.Op Fl b Ar bind_address
48.Op Fl c Ar cipher_spec 48.Op Fl c Ar cipher_spec
49.Bk -words
49.Op Fl D Ar port 50.Op Fl D Ar port
50.Op Fl e Ar escape_char 51.Op Fl e Ar escape_char
51.Op Fl F Ar configfile 52.Op Fl F Ar configfile
52.Op Fl i Ar identity_file 53.Op Fl i Ar identity_file
53.Bk -words
54.Oo Fl L Xo 54.Oo Fl L Xo
55.Sm off 55.Sm off
56.Ar port : 56.Ar port :
@@ -74,6 +74,7 @@
74.Sm on 74.Sm on
75.Xc 75.Xc
76.Oc 76.Oc
77.Op Fl S Ar ctl
77.Oo Ar user Ns @ Oc Ns Ar hostname 78.Oo Ar user Ns @ Oc Ns Ar hostname
78.Op Ar command 79.Op Ar command
79.Sh DESCRIPTION 80.Sh DESCRIPTION
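Review bot: the argument name in the added synopsis line `.Op Fl S Ar ctl` is terse and does not tell the reader that it is a filesystem path, although the option text added later in this patch calls it "the location of a control socket". A more descriptive name (for example ctl_path), used in both the synopsis and the `.It Fl S` entry, would match the style of the neighbouring bind_address, identity_file and configfile arguments.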
@@ -241,8 +242,8 @@ Additionally,
241supports hostbased or challenge response authentication. 242supports hostbased or challenge response authentication.
242.Pp 243.Pp
243Protocol 2 provides additional mechanisms for confidentiality 244Protocol 2 provides additional mechanisms for confidentiality
244(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) 245(the traffic is encrypted using AES, 3DES, Blowfish, CAST128 or Arcfour)
245and integrity (hmac-md5, hmac-sha1). 246and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
246Note that protocol 1 lacks a strong mechanism for ensuring the 247Note that protocol 1 lacks a strong mechanism for ensuring the
247integrity of the connection. 248integrity of the connection.
248.Ss Login session and remote execution 249.Ss Login session and remote execution
@@ -302,11 +303,18 @@ Display a list of escape characters.
302Send a BREAK to the remote system 303Send a BREAK to the remote system
303(only useful for SSH protocol version 2 and if the peer supports it). 304(only useful for SSH protocol version 2 and if the peer supports it).
304.It Cm ~C 305.It Cm ~C
305Open command line (only useful for adding port forwardings using the 306Open command line.
307Currently this allows the addition of port forwardings using the
306.Fl L 308.Fl L
307and 309and
308.Fl R 310.Fl R
309options). 311options (see below).
312It also allows the cancellation of existing remote port-forwardings
313using
314.Fl KR Ar hostport .
315Basic help is available, using the
316.Fl h
317option.
310.It Cm ~R 318.It Cm ~R
311Request rekeying of the connection 319Request rekeying of the connection
312(only useful for SSH protocol version 2 and if the peer supports it). 320(only useful for SSH protocol version 2 and if the peer supports it).
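Review bot: the rewritten ~C entry is inconsistent in wording: new line 307 says "port forwardings" while new line 312 says "port-forwardings"; pick one spelling. "(see below)" at new line 311 does not say which entries are meant, so naming the -L and -R option descriptions would be clearer. Since -KR is documented only for remote forwardings, a short statement on whether local forwardings can be cancelled would save the reader from guessing.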
@@ -392,6 +400,15 @@ The
392option can be used to prevent logins to machines whose 400option can be used to prevent logins to machines whose
393host key is not known or has changed. 401host key is not known or has changed.
394.Pp 402.Pp
403.Nm
404can be configured to verify host identification using fingerprint resource
405records (SSHFP) published in DNS.
406The
407.Cm VerifyHostKeyDNS
408option can be used to control how DNS lookups are performed.
409SSHFP resource records can be generated using
410.Xr ssh-keygen 1 .
411.Pp
395The options are as follows: 412The options are as follows:
396.Bl -tag -width Ds 413.Bl -tag -width Ds
397.It Fl 1 414.It Fl 1
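Review bot: the new SSHFP paragraph (new lines 403 to 410) names VerifyHostKeyDNS without saying where it is documented; the -M and -S entries added in this same patch use "Refer to the description of ... in .Xr ssh_config 5", and the same cross-reference belongs here. "Control how DNS lookups are performed" is also vague for a host authentication feature: the paragraph should say what ssh does when the fingerprint from DNS matches or does not match the presented host key, or state explicitly that this is covered in ssh_config(5).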
@@ -442,13 +459,18 @@ The default value can be set on a host-by-host basis in the
442configuration files; see the 459configuration files; see the
443.Cm Compression 460.Cm Compression
444option. 461option.
445.It Fl c Ar blowfish | 3des | des 462.It Fl c Ar cipher_spec
446Selects the cipher to use for encrypting the session. 463Selects the cipher specification for encrypting the session.
447.Ar 3des 464.Pp
448is used by default. 465Protocol version 1 allows specification of a single cipher.
449It is believed to be secure. 466The suported values are
467.Dq 3des ,
468.Dq blowfish
469and
470.Dq des .
450.Ar 3des 471.Ar 3des
451(triple-des) is an encrypt-decrypt-encrypt triple with three different keys. 472(triple-des) is an encrypt-decrypt-encrypt triple with three different keys.
473It is believed to be secure.
452.Ar blowfish 474.Ar blowfish
453is a fast block cipher; it appears very secure and is much faster than 475is a fast block cipher; it appears very secure and is much faster than
454.Ar 3des . 476.Ar 3des .
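Review bot: new line 466 contains a typo, "The suported values are"; it should read "supported". In the same block, "It is believed to be secure." now follows the 3des description at new line 473, which reads correctly, but the sentence has no subject of its own and relies on the preceding `.Ar 3des` line, so keep the two together if this paragraph is edited again.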
@@ -460,12 +482,30 @@ that do not support the
460.Ar 3des 482.Ar 3des
461cipher. 483cipher.
462Its use is strongly discouraged due to cryptographic weaknesses. 484Its use is strongly discouraged due to cryptographic weaknesses.
463.It Fl c Ar cipher_spec 485The default is
464Additionally, for protocol version 2 a comma-separated list of ciphers can 486.Dq 3des .
465be specified in order of preference. 487.Pp
466See 488For protocol version 2
467.Cm Ciphers 489.Ar cipher_spec
468for more information. 490is a comma-separated list of ciphers
491listed in order of preference.
492The supported ciphers are
493.Dq 3des-cbc ,
494.Dq aes128-cbc ,
495.Dq aes192-cbc ,
496.Dq aes256-cbc ,
497.Dq aes128-ctr ,
498.Dq aes192-ctr ,
499.Dq aes256-ctr ,
500.Dq arcfour ,
501.Dq blowfish-cbc ,
502and
503.Dq cast128-cbc .
504The default is
505.Bd -literal
506 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
507 aes192-cbc,aes256-cbc''
508.Ed
469.It Fl D Ar port 509.It Fl D Ar port
470Specifies a local 510Specifies a local
471.Dq dynamic 511.Dq dynamic
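Review bot: this hunk removes the pointer "See .Cm Ciphers for more information" (old lines 466 to 468) and replaces it with a full copy of the supported and default protocol 2 cipher lists, so the lists now have to be kept in sync by hand with the Ciphers description. Keep the cross-reference alongside the list, or keep only the cross-reference. The supported list at new lines 497 to 499 also includes the aes128-ctr, aes192-ctr and aes256-ctr entries while the default at new lines 506 to 507 omits them; if that is intentional, one sentence saying so would prevent it from looking like an oversight.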
@@ -568,6 +608,17 @@ IPv6 addresses can be specified with an alternative syntax:
568.It Fl l Ar login_name 608.It Fl l Ar login_name
569Specifies the user to log in as on the remote machine. 609Specifies the user to log in as on the remote machine.
570This also may be specified on a per-host basis in the configuration file. 610This also may be specified on a per-host basis in the configuration file.
611.It Fl M
612Places the
613.Nm
614client into
615.Dq master
616mode for connection sharing.
617Refer to the description of
618.Cm ControlMaster
619in
620.Xr ssh_config 5
621for details.
571.It Fl m Ar mac_spec 622.It Fl m Ar mac_spec
572Additionally, for protocol version 2 a comma-separated list of MAC 623Additionally, for protocol version 2 a comma-separated list of MAC
573(message authentication code) algorithms can 624(message authentication code) algorithms can
@@ -618,7 +669,9 @@ For full details of the options listed below, and their possible values, see
618.It Compression 669.It Compression
619.It CompressionLevel 670.It CompressionLevel
620.It ConnectionAttempts 671.It ConnectionAttempts
621.It ConnectionTimeout 672.It ConnectTimeout
673.It ControlMaster
674.It ControlPath
622.It DynamicForward 675.It DynamicForward
623.It EscapeChar 676.It EscapeChar
624.It ForwardAgent 677.It ForwardAgent
@@ -649,6 +702,7 @@ For full details of the options listed below, and their possible values, see
649.It RemoteForward 702.It RemoteForward
650.It RhostsRSAAuthentication 703.It RhostsRSAAuthentication
651.It RSAAuthentication 704.It RSAAuthentication
705.It SendEnv
652.It ServerAliveInterval 706.It ServerAliveInterval
653.It ServerAliveCountMax 707.It ServerAliveCountMax
654.It SmartcardDevice 708.It SmartcardDevice
@@ -697,6 +751,15 @@ IPv6 addresses can be specified with an alternative syntax:
697.Ar hostport . 751.Ar hostport .
698.Xc 752.Xc
699.Sm on 753.Sm on
754.It Fl S Ar ctl
755Specifies the location of a control socket for connection sharing.
756Refer to the description of
757.Cm ControlPath
758and
759.Cm ControlMaster
760in
761.Xr ssh_config 5
762for details.
700.It Fl s 763.It Fl s
701May be used to request invocation of a subsystem on the remote system. 764May be used to request invocation of a subsystem on the remote system.
702Subsystems are a feature of the SSH2 protocol which facilitate the use 765Subsystems are a feature of the SSH2 protocol which facilitate the use
@@ -889,6 +952,8 @@ the convenience of the user.
889This is the per-user configuration file. 952This is the per-user configuration file.
890The file format and configuration options are described in 953The file format and configuration options are described in
891.Xr ssh_config 5 . 954.Xr ssh_config 5 .
955Because of the potential for abuse, this file must have strict permissions:
956read/write for the user, and not accessible by others.
892.It Pa $HOME/.ssh/authorized_keys 957.It Pa $HOME/.ssh/authorized_keys
893Lists the public keys (RSA/DSA) that can be used for logging in as this user. 958Lists the public keys (RSA/DSA) that can be used for logging in as this user.
894The format of this file is described in the 959The format of this file is described in the
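Review bot: "not accessible by others" at new line 956 is ambiguous: it does not say whether read access by group or world is rejected or only write access, and the sentence does not say what ssh does when the check fails. State the exact requirement the client enforces on the per-user configuration file and the resulting behaviour (for example, that the file is refused with an error), so that the man page and the code cannot be read differently.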