.\" -*- nroff -*-
.\"
.\" ssh.1.in
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\"
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\" All rights reserved
.\"
.\" Created: Sat Apr 22 21:55:14 1995 ylo
.\"
.\" $Id: ssh.1,v 1.43 2000/03/24 03:04:46 brad Exp $
.\" $FreeBSD: head/crypto/openssh/ssh.1 58585 2000-03-26 07:37:48Z kris $
.\"
.Dd September 25, 1999
.Dt SSH 1
.Os
.Sh NAME
.Nm ssh
.Nd OpenSSH secure shell client (remote login program)
.Sh SYNOPSIS
.\" [26 lines omitted]
.Sm on
.Xc
.Oc
.Op Ar hostname | user@hostname
.Op Ar command
.Sh DESCRIPTION
.Nm
(Secure Shell) is a program for logging into a remote machine and for
executing commands on a remote machine.
It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network.
X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.
.Pp
.Nm
connects and logs into the specified
.Ar hostname .
The user must prove
his/her identity to the remote machine using one of several methods.
.Pp
.\" [5 lines omitted]
the same on both sides, the user is immediately permitted to log in.
Second, if
.Pa \&.rhosts
or
.Pa \&.shosts
exists in the user's home directory on the
remote machine and contains a line containing the name of the client
machine and the name of the user on that machine, the user is
permitted to log in.
This form of authentication alone is normally not
allowed by the server because it is not secure.
.Pp
The second (and primary) authentication method is the
.Pa rhosts
or
.Pa hosts.equiv
method combined with RSA-based host authentication.
It means that if the login would be permitted by
.Pa \&.rhosts ,
.Pa \&.shosts ,
.Pa /etc/hosts.equiv ,
or
.Pa /etc/ssh/shosts.equiv ,
and if additionally the server can verify the client's
host key (see
.Pa /etc/ssh/ssh_known_hosts
and
.Pa $HOME/.ssh/known_hosts
in the
.Sx FILES
section), only then is login permitted.
This authentication method closes security holes due to IP
spoofing, DNS spoofing and routing spoofing.
[Note to the administrator:
.Pa /etc/hosts.equiv ,
.Pa \&.rhosts ,
and the rlogin/rsh protocol in general, are inherently insecure and should be
disabled if security is desired.]
.Pp
As a third authentication method,
.Nm
supports RSA based authentication.
The scheme is based on public-key cryptography: there are cryptosystems
where encryption and decryption are done using separate keys, and it
is not possible to derive the decryption key from the encryption key.
RSA is one such system.
The idea is that each user creates a public/private
key pair for authentication purposes.
The server knows the public key, and only the user knows the private key.
The file
.Pa $HOME/.ssh/authorized_keys
lists the public keys that are permitted for logging
in.
When the user logs in, the
.Nm
program tells the server which key pair it would like to use for
authentication.
The server checks if this key is permitted, and if
so, sends the user (actually the
.Nm
program running on behalf of the user) a challenge, a random number,
encrypted by the user's public key.
The challenge can only be
decrypted using the proper private key.
The user's client then decrypts the
challenge using the private key, proving that he/she knows the private
key but without disclosing it to the server.
.Pp
.Nm
implements the RSA authentication protocol automatically.
The user creates his/her RSA key pair by running
.Xr ssh-keygen 1 .
This stores the private key in
.Pa \&.ssh/identity
and the public key in
.Pa \&.ssh/identity.pub
in the user's home directory.
The user should then copy the
.Pa identity.pub
to
.Pa \&.ssh/authorized_keys
in his/her home directory on the remote machine (the
.Pa authorized_keys
file corresponds to the conventional
.Pa \&.rhosts
file, and has one key
per line, though the lines can be very long).
After this, the user can log in without giving the password.
RSA authentication is much
more secure than rhosts authentication.
.Pp
The most convenient way to use RSA authentication may be with an
authentication agent.
See
.Xr ssh-agent 1
for more information.
.Pp
If other authentication methods fail,
.Nm
prompts the user for a password.
The password is sent to the remote
host for checking; however, since all communications are encrypted,
the password cannot be seen by someone listening on the network.
.Pp
When the user's identity has been accepted by the server, the server
either executes the given command, or logs into the machine and gives
the user a normal shell on the remote machine.
All communication with
the remote command or shell will be automatically encrypted.
.Pp
If a pseudo-terminal has been allocated (normal login session), the
user can disconnect with
.Ic ~. ,
and suspend
.Nm
with
.Ic ~^Z .
All forwarded connections can be listed with
.Ic ~#
and if
the session blocks waiting for forwarded X11 or TCP/IP
connections to terminate, it can be backgrounded with
.Ic ~&
(this should not be used while the user shell is active, as it can cause the
shell to hang).
All available escapes can be listed with
.Ic ~? .
.Pp
A single tilde character can be sent as
.Ic ~~
(or by following the tilde by a character other than those described above).
The escape character must always follow a newline to be interpreted as
special.
The escape character can be changed in configuration files
or on the command line.
.Pp
If no pseudo tty has been allocated, the
session is transparent and can be used to reliably transfer binary
data.
On most systems, setting the escape character to
.Dq none
will also make the session transparent even if a tty is used.
.Pp
The session terminates when the command or shell on the remote
machine exits and all X11 and TCP/IP connections have been closed.
The exit status of the remote program is returned as the exit status
of
.Nm ssh .
.Pp
If the user is using X11 (the
.Ev DISPLAY
environment variable is set), the connection to the X11 display is
automatically forwarded to the remote side in such a way that any X11
programs started from the shell (or command) will go through the
encrypted channel, and the connection to the real X server will be made
from the local machine.
The user should not manually set
.Ev DISPLAY .
Forwarding of X11 connections can be
configured on the command line or in configuration files.
.Pp
The
.Ev DISPLAY
value set by
.Nm
will point to the server machine, but with a display number greater
than zero.
This is normal, and happens because
.Nm
creates a
.Dq proxy
X server on the server machine for forwarding the
connections over the encrypted channel.
.Pp
.Nm
will also automatically set up Xauthority data on the server machine.
For this purpose, it will generate a random authorization cookie,
store it in Xauthority on the server, and verify that any forwarded
connections carry this cookie and replace it by the real cookie when
the connection is opened.
The real authentication cookie is never
sent to the server machine (and no cookies are sent in the clear).
.Pp
If the user is using an authentication agent, the connection to the agent
is automatically forwarded to the remote side unless disabled on the
command line or in a configuration file.
.Pp
Forwarding of arbitrary TCP/IP connections over the secure channel can
be specified either on the command line or in a configuration file.
One possible application of TCP/IP forwarding is a secure connection to an
electronic purse; another is going through firewalls.
.Pp
.Nm
automatically maintains and checks a database containing RSA-based
identifications for all hosts it has ever been used with.
The database is stored in
.Pa \&.ssh/known_hosts
in the user's home directory.
Additionally, the file
.Pa /etc/ssh/ssh_known_hosts
is automatically checked for known hosts.
Any new hosts are automatically added to the user's file.
If a host's identification
ever changes,
.Nm
warns about this and disables password authentication to prevent a
trojan horse from getting the user's password.
Another purpose of
this mechanism is to prevent man-in-the-middle attacks which could
otherwise be used to circumvent the encryption.
The
.Cm StrictHostKeyChecking
option (see below) can be used to prevent logins to machines whose
host key is not known or has changed.
.Sh OPTIONS
.Bl -tag -width Ds
.It Fl a
Disables forwarding of the authentication agent connection.
This may also be specified on a per-host basis in the configuration file.
.It Fl c Ar blowfish|3des
Selects the cipher to use for encrypting the session.
.Ar 3des
is used by default.
It is believed to be secure.
.Ar 3des
(triple-des) is an encrypt-decrypt-encrypt triple with three different keys.
It is presumably more secure than the
.Ar des
cipher which is no longer supported in ssh.
.Ar blowfish
is a fast block cipher; it appears very secure and is much faster than
.Ar 3des .
.It Fl e Ar ch|^ch|none
Sets the escape character for sessions with a pty (default:
.Ql ~ ) .
The escape character is only recognized at the beginning of a line.
The escape character followed by a dot
.Pq Ql \&.
closes the connection, followed
by control-Z suspends the connection, and followed by itself sends the
escape character once.
Setting the character to
.Dq none
disables any escapes and makes the session fully transparent.
.It Fl f
Requests
.Nm
to go to background just before command execution.
This is useful if
.Nm
is going to ask for passwords or passphrases, but the user
wants it in the background.
This implies
.Fl n .
The recommended way to start X11 programs at a remote site is with
something like
.Ic ssh -f host xterm .
.It Fl g
Allows remote hosts to connect to local forwarded ports.
.It Fl i Ar identity_file
Selects the file from which the identity (private key) for
RSA authentication is read.
Default is
.Pa \&.ssh/identity
in the user's home directory.
Identity files may also be specified on
a per-host basis in the configuration file.
It is possible to have multiple
.Fl i
options (and multiple identities specified in
configuration files).
.It Fl k
Disables forwarding of Kerberos tickets and AFS tokens.
This may also be specified on a per-host basis in the configuration file.
.It Fl l Ar login_name
Specifies the user to log in as on the remote machine.
This also may be specified on a per-host basis in the configuration file.
.It Fl n
Redirects stdin from
.Pa /dev/null
(actually, prevents reading from stdin).
This must be used when
.Nm
is run in the background.
A common trick is to use this to run X11 programs on a remote machine.
For example,
.Ic ssh -n shadows.cs.hut.fi emacs &
will start an emacs on shadows.cs.hut.fi, and the X11
connection will be automatically forwarded over an encrypted channel.
The
.Nm
program will be put in the background.
(This does not work if
.Nm
needs to ask for a password or passphrase; see also the
.Fl f
option.)
.It Fl o Ar option
Can be used to give options in the format used in the config file.
This is useful for specifying options for which there is no separate
command-line flag.
The option has the same format as a line in the configuration file.
.It Fl p Ar port
Port to connect to on the remote host.
This can be specified on a
per-host basis in the configuration file.
.It Fl P
Use a non-privileged port for outgoing connections.
This can be used if your firewall does
not permit connections from privileged ports.
Note that this option turns off
.Cm RhostsAuthentication
and
.Cm RhostsRSAAuthentication .
.It Fl q
Quiet mode.
Causes all warning and diagnostic messages to be suppressed.
Only fatal errors are displayed.
.It Fl t
Force pseudo-tty allocation.
This can be used to execute arbitrary
screen-based programs on a remote machine, which can be very useful,
e.g., when implementing menu services.
.It Fl v
Verbose mode.
Causes
.Nm
to print debugging messages about its progress.
This is helpful in
debugging connection, authentication, and configuration problems.
The verbose mode is also used to display
.Xr skey 1
challenges, if the user entered "s/key" as password.
.It Fl x
Disables X11 forwarding.
This can also be specified on a per-host basis in a configuration file.
.It Fl X
Enables X11 forwarding.
.It Fl C
Requests compression of all data (including stdin, stdout, stderr, and
data for forwarded X11 and TCP/IP connections).
The compression algorithm is the same used by
.Xr gzip 1 ,
and the
.Dq level
can be controlled by the
.Cm CompressionLevel
option (see below).
Compression is desirable on modem lines and other
slow connections, but will only slow down things on fast networks.
The default value can be set on a host-by-host basis in the
configuration files; see the
.Cm Compression
option below.
.It Fl L Ar port:host:hostport
Specifies that the given port on the local (client) host is to be
forwarded to the given host and port on the remote side.
This works by allocating a socket to listen to
.Ar port
on the local side, and whenever a connection is made to this port, the
connection is forwarded over the secure channel, and a connection is
made to
.Ar host
port
.Ar hostport
from the remote machine.
Port forwardings can also be specified in the configuration file.
Only root can forward privileged ports.
IPv6 addresses can be specified with an alternative syntax:
.Ar port/host/hostport
.It Fl R Ar port:host:hostport
Specifies that the given port on the remote (server) host is to be
forwarded to the given host and port on the local side.
This works by allocating a socket to listen to
.Ar port
on the remote side, and whenever a connection is made to this port, the
connection is forwarded over the secure channel, and a connection is
made to
.Ar host
port
.Ar hostport
from the local machine.
Port forwardings can also be specified in the configuration file.
Privileged ports can be forwarded only when
logging in as root on the remote machine.
.It Fl 4
Forces
.Nm
to use IPv4 addresses only.
.It Fl 6
Forces
.Nm
to use IPv6 addresses only.
.El
.Sh CONFIGURATION FILES
.Nm
obtains configuration data from the following sources (in this order):
command line options, user's configuration file
.Pq Pa $HOME/.ssh/config ,
and system-wide configuration file
.Pq Pa /etc/ssh/ssh_config .
For each parameter, the first obtained value
will be used.
The configuration files contain sections bracketed by
.Dq Host
specifications, and that section is only applied for hosts that
match one of the patterns given in the specification.
The matched host name is the one given on the command line.
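The lookup rule just described (user file before system-wide file, only matching Host sections apply, first value wins, `*` and `?` as wildcards) is easy to get wrong when reading a real configuration by eye. The following POSIX sh script is an added example, not code from ssh.1 or from OpenSSH: it resolves one keyword for one host exactly by that rule, over two constructed sample files with hypothetical host names. The function name `ssh_config_lookup`, the helper `resolve` and the sample contents are all this example's own.

```shell
#!/bin/sh
# Added example (not part of ssh.1 or OpenSSH): resolve one keyword for one
# host the way the CONFIGURATION FILES section says ssh does it.  Files are
# searched in the order given (user file before system-wide file), only
# "Host" sections whose pattern matches the name typed on the command line
# apply, and the FIRST value found wins.  Host patterns use * and ? as
# wildcards, which is exactly what the shell's "case" globbing provides.

# ssh_config_lookup HOST KEYWORD FILE...
# Prints the first applicable value of KEYWORD; exit status 1 if none.
# The body runs in a subshell so "set -f" (no pathname expansion of the
# pattern words) does not leak into the caller.
ssh_config_lookup() (
    set -f
    host=$1; keyword=$2; shift 2
    for file; do
        [ -r "$file" ] || continue
        active=1                        # lines before any Host apply to all hosts
        while IFS= read -r line || [ -n "$line" ]; do
            line=$(printf '%s' "$line" | tr '\t' ' ')
            line=${line#"${line%%[! ]*}"}               # strip leading whitespace
            case "$line" in ''|'#'*) continue ;; esac   # blank lines and comments
            key=${line%% *}
            val=${line#"$key"}
            val=${val#"${val%%[! ]*}"}
            if [ "$key" = Host ]; then
                active=0
                for pat in $val; do     # a Host line may carry several patterns
                    case "$host" in $pat) active=1; break ;; esac
                done
            elif [ "$active" = 1 ] && [ "$key" = "$keyword" ]; then
                printf '%s\n' "$val"
                exit 0
            fi
        done < "$file"
    done
    exit 1
)

# Constructed sample files with hypothetical host names, standing in for
# $HOME/.ssh/config and /etc/ssh/ssh_config.  Note the ordering the manual
# asks for: most specific Host blocks first, "Host *" defaults last.
cfgdir=${TMPDIR:-/tmp}/ssh_config_demo.$$
mkdir -p "$cfgdir"
trap 'rm -rf "$cfgdir"' EXIT
cat > "$cfgdir/config" <<'EOF'
# per-user file
Host bastion.example.net
    User jump
    StrictHostKeyChecking yes
Host *.example.net
    User alice
Host *
    ForwardAgent no
EOF
cat > "$cfgdir/ssh_config" <<'EOF'
# system-wide defaults, consulted after the user's file
Host *
    ForwardAgent yes
    StrictHostKeyChecking no
    Port 22
EOF

# resolve HOST KEYWORD: user file first, then the system-wide file.
resolve() { ssh_config_lookup "$1" "$2" "$cfgdir/config" "$cfgdir/ssh_config"; }

# Stand-alone run: show what each host ends up with.
for h in bastion.example.net db1.example.net other.org; do
    for k in User StrictHostKeyChecking ForwardAgent Port; do
        printf '%-20s %-22s %s\n' "$h" "$k" "$(resolve "$h" "$k" || echo '(unset)')"
    done
done
```

The run shows why ordering matters: `db1.example.net` gets `ForwardAgent no` from the user's trailing `Host *` block even though the system-wide file says `yes`, and `StrictHostKeyChecking` is `yes` only for the bastion, falling through to the system default `no` for everything else.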
.Pp
Since the first obtained value for each parameter is used, more
host-specific declarations should be given near the beginning of the
file, and general defaults at the end.
.Pp
The configuration file has the following format:
.Pp
Empty lines and lines starting with
.\" [10 lines omitted]
Restricts the following declarations (up to the next
.Cm Host
keyword) to be only for those hosts that match one of the patterns
given after the keyword.
.Ql \&*
and
.Ql ?
can be used as wildcards in the
patterns.
A single
.Ql \&*
as a pattern can be used to provide global
defaults for all hosts.
The host is the
.Ar hostname
argument given on the command line (i.e., the name is not converted to
a canonicalized host name before matching).
.It Cm AFSTokenPassing
Specifies whether to pass AFS tokens to the remote host.
The argument to this keyword must be
.Dq yes
or
.Dq no .
.It Cm BatchMode
If set to
.Dq yes ,
passphrase/password querying will be disabled.
This option is useful in scripts and other batch jobs where you have no
user to supply the password.
The argument must be
.Dq yes
or
.Dq no .
.It Cm CheckHostIP
If this flag is set to
.Dq yes ,
ssh will additionally check the host IP address in the
.Pa known_hosts
file.
This allows ssh to detect if a host key changed due to DNS spoofing.
If the option is set to
.Dq no ,
the check will not be executed.
.It Cm Cipher
Specifies the cipher to use for encrypting the session.
Currently,
.Dq blowfish
and
.Dq 3des
are supported.
The default is
.Dq 3des .
.It Cm Compression
Specifies whether to use compression.
The argument must be
.Dq yes
or
.Dq no .
.It Cm CompressionLevel
Specifies the compression level to use if compression is enabled.
The argument must be an integer from 1 (fast) to 9 (slow, best).
The default level is 6, which is good for most applications.
The meaning of the values is the same as in
.Xr gzip 1 .
.It Cm ConnectionAttempts
Specifies the number of tries (one per second) to make before falling
back to rsh or exiting.
The argument must be an integer.
This may be useful in scripts if the connection sometimes fails.
.It Cm EscapeChar
Sets the escape character (default:
.Ql ~ ) .
The escape character can also
be set on the command line.
The argument should be a single character,
.Ql ^
followed by a letter, or
.Dq none
to disable the escape
character entirely (making the connection transparent for binary
data).
.It Cm FallBackToRsh
Specifies that if connecting via
.Nm
fails due to a connection refused error (there is no
.Xr sshd 8
listening on the remote host),
.Xr rsh 1
should automatically be used instead (after a suitable warning about
the session being unencrypted).
The argument must be
.Dq yes
or
.Dq no .
.It Cm ForwardAgent
Specifies whether the connection to the authentication agent (if any)
will be forwarded to the remote machine.
The argument must be
.Dq yes
or
.Dq no .
.It Cm ForwardX11
Specifies whether X11 connections will be automatically redirected
over the secure channel and
.Ev DISPLAY
set.
The argument must be
.Dq yes
or
.Dq no .
The default is
.Dq no .
.It Cm GatewayPorts
Specifies whether remote hosts are allowed to connect to local
forwarded ports.
The argument must be
.Dq yes
or
.Dq no .
The default is
.Dq no .
.It Cm GlobalKnownHostsFile
Specifies a file to use instead of
.Pa /etc/ssh/ssh_known_hosts .
.It Cm HostName
Specifies the real host name to log into.
This can be used to specify nicknames or abbreviations for hosts.
Default is the name given on the command line.
Numeric IP addresses are also permitted (both on the command line and in
.Cm HostName
specifications).
.It Cm IdentityFile
Specifies the file from which the user's RSA authentication identity
is read (default
.Pa .ssh/identity
in the user's home directory).
Additionally, any identities represented by the authentication agent
will be used for authentication.
The file name may use the tilde
syntax to refer to a user's home directory.
It is possible to have
multiple identity files specified in configuration files; all these
identities will be tried in sequence.
.It Cm KeepAlive
Specifies whether the system should send keepalive messages to the
other side.
If they are sent, death of the connection or crash of one
of the machines will be properly noticed.
However, this means that
connections will die if the route is down temporarily, and some people
find it annoying.
.Pp
The default is
.Dq yes
(to send keepalives), and the client will notice
if the network goes down or the remote host dies.
This is important in scripts, and many users want it too.
.Pp
To disable keepalives, the value should be set to
.Dq no
in both the server and the client configuration files.
.It Cm KerberosAuthentication
Specifies whether Kerberos authentication will be used.
The argument to this keyword must be
.Dq yes
or
.Dq no .
.It Cm KerberosTgtPassing
Specifies whether a Kerberos TGT will be forwarded to the server.
This will only work if the Kerberos server is actually an AFS kaserver.
The argument to this keyword must be
.Dq yes
or
.Dq no .
.It Cm LocalForward
Specifies that a TCP/IP port on the local machine be forwarded over
the secure channel to the given host:port from the remote machine.
The first argument must be a port number, and the second must be
host:port.
Multiple forwardings may be specified, and additional
forwardings can be given on the command line.
Only the superuser can forward privileged ports.
.It Cm LogLevel
Gives the verbosity level that is used when logging messages from
.Nm ssh .
The possible values are:
QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG.
The default is INFO.
.It Cm NumberOfPasswordPrompts
Specifies the number of password prompts before giving up.
The argument to this keyword must be an integer.
Default is 3.
.It Cm PasswordAuthentication
Specifies whether to use password authentication.
The argument to this keyword must be
.Dq yes
or
.Dq no .
.It Cm Port
Specifies the port number to connect on the remote host.
Default is 22.
.It Cm ProxyCommand
Specifies the command to use to connect to the server.
The command
string extends to the end of the line, and is executed with
.Pa /bin/sh .
In the command string,
.Ql %h
will be substituted by the host name to
connect and
.Ql %p
by the port.
The command can be basically anything,
and should read from its standard input and write to its standard output.
It should eventually connect an
.Xr sshd 8
server running on some machine, or execute
.Ic sshd -i
somewhere.
Host key management will be done using the
HostName of the host being connected (defaulting to the name typed by
the user).
Note that
.Cm CheckHostIP
is not available for connects with a proxy command.
.Pp
.It Cm RemoteForward
Specifies that a TCP/IP port on the remote machine be forwarded over
the secure channel to the given host:port from the local machine.
The first argument must be a port number, and the second must be
host:port.
Multiple forwardings may be specified, and additional
forwardings can be given on the command line.
Only the superuser can forward privileged ports.
.It Cm RhostsAuthentication
Specifies whether to try rhosts based authentication.
Note that this
declaration only affects the client side and has no effect whatsoever
on security.
Disabling rhosts authentication may reduce
authentication time on slow connections when rhosts authentication is
not used.
Most servers do not permit RhostsAuthentication because it
is not secure (see RhostsRSAAuthentication).
The argument to this keyword must be
.Dq yes
or
.Dq no .
.It Cm RhostsRSAAuthentication
Specifies whether to try rhosts based authentication with RSA host
authentication.
This is the primary authentication method for most sites.
The argument must be
.Dq yes
or
.Dq no .
.It Cm RSAAuthentication
Specifies whether to try RSA authentication.
The argument to this keyword must be
.Dq yes
or
.Dq no .
RSA authentication will only be
attempted if the identity file exists, or an authentication agent is
running.
.It Cm SkeyAuthentication
Specifies whether to use
.Xr skey 1
authentication.
The argument to this keyword must be
.Dq yes
or
.Dq no .
The default is
.Dq no .
.It Cm StrictHostKeyChecking
If this flag is set to
.Dq yes ,
.Nm
will never automatically add host keys to the
.Pa $HOME/.ssh/known_hosts
file, and refuses to connect to hosts whose host key has changed.
This provides maximum protection against trojan horse attacks.
However, it can be somewhat annoying if you don't have good
.Pa /etc/ssh/ssh_known_hosts
files installed and frequently
connect to new hosts.
Basically this option forces the user to manually
add any new hosts.
Normally this option is disabled, and new hosts
will automatically be added to the known host files.
The host keys of
known hosts will be verified automatically in either case.
The argument must be
.Dq yes
or
.Dq no .
.It Cm UsePrivilegedPort
Specifies whether to use a privileged port for outgoing connections.
The argument must be
.Dq yes
or
.Dq no .
The default is
.Dq yes .
Note that setting this option to
.Dq no
turns off
.Cm RhostsAuthentication
and
.Cm RhostsRSAAuthentication .
.It Cm User
Specifies the user to log in as.
This can be useful if you have a different user name on different machines.
This saves the trouble of
having to remember to give the user name on the command line.
.It Cm UserKnownHostsFile
Specifies a file to use instead of
.Pa $HOME/.ssh/known_hosts .
.It Cm UseRsh
Specifies that rlogin/rsh should be used for this host.
It is possible that the host does not at all support the
.Nm
protocol.
This causes
.Nm
to immediately execute
.Xr rsh 1 .
All other options (except
.Cm HostName )
are ignored if this has been specified.
The argument must be
.Dq yes
or
.Dq no .
.El
.Sh ENVIRONMENT
.Nm
will normally set the following environment variables:
.Bl -tag -width Ds
.It Ev DISPLAY
The
.Ev DISPLAY
variable indicates the location of the X11 server.
It is automatically set by
.Nm
to point to a value of the form
.Dq hostname:n
where hostname indicates
the host where the shell runs, and n is an integer \*(>= 1.
.Nm
uses this special value to forward X11 connections over the secure
channel.
The user should normally not set DISPLAY explicitly, as that
will render the X11 connection insecure (and will require the user to
manually copy any required authorization cookies).
.It Ev HOME
Set to the path of the user's home directory.
.It Ev LOGNAME
Synonym for
.Ev USER ;
set for compatibility with systems that use this variable.
.It Ev MAIL
Set to point to the user's mailbox.
.It Ev PATH
Set to the default
.Ev PATH ,
as specified when compiling
.Nm ssh .
.It Ev SSH_AUTH_SOCK
Indicates the path of a unix-domain socket used to communicate with the
agent.
.It Ev SSH_CLIENT
Identifies the client end of the connection.
The variable contains
three space-separated values: client IP address, client port number,
and server port number.
.It Ev SSH_TTY
This is set to the name of the tty (path to the device) associated
with the current shell or command.
If the current session has no tty,
this variable is not set.
.It Ev TZ
The timezone variable is set to indicate the present timezone if it
was set when the daemon was started (i.e., the daemon passes the value
on to new connections).
.It Ev USER
Set to the name of the user logging in.
.El
.\" [9 lines omitted]
.Bl -tag -width Ds
.It Pa $HOME/.ssh/known_hosts
Records host keys for all hosts the user has logged into (that are not
in
.Pa /etc/ssh/ssh_known_hosts ) .
See
.Xr sshd 8 .
.It Pa $HOME/.ssh/identity
Contains the RSA authentication identity of the user.
This file
contains sensitive data and should be readable by the user but not
accessible by others (read/write/execute).
Note that
.Nm
ignores this file if it is accessible by others.
It is possible to specify a passphrase when
generating the key; the passphrase will be used to encrypt the
sensitive part of this file using 3DES.
.It Pa $HOME/.ssh/identity.pub
Contains the public key for authentication (public part of the
identity file in human-readable form).
The contents of this file should be added to
.Pa $HOME/.ssh/authorized_keys
on all machines
where you wish to log in using RSA authentication.
This file is not
sensitive and can (but need not) be readable by anyone.
This file is
never used automatically and is not necessary; it is only provided for
the convenience of the user.
.It Pa $HOME/.ssh/config
This is the per-user configuration file.
The format of this file is described above.
This file is used by the
.Nm
client.
This file does not usually contain any sensitive information,
but the recommended permissions are read/write for the user, and not
accessible by others.
.It Pa $HOME/.ssh/authorized_keys
Lists the RSA keys that can be used for logging in as this user.
The format of this file is described in the
.Xr sshd 8
manual page.
In the simplest form the format is the same as the .pub
identity files (that is, each line contains the number of bits in
modulus, public exponent, modulus, and comment fields, separated by
spaces).
This file is not highly sensitive, but the recommended
permissions are read/write for the user, and not accessible by others.
.It Pa /etc/ssh/ssh_known_hosts
Systemwide list of known host keys.
This file should be prepared by the
system administrator to contain the public host keys of all machines in the
organization.
This file should be world-readable.
This file contains
public keys, one per line, in the following format (fields separated
by spaces): system name, number of bits in modulus, public exponent,
modulus, and optional comment field.
When different names are used
for the same machine, all such names should be listed, separated by
commas.
The format is described on the
.Xr sshd 8
manual page.
.Pp
The canonical system name (as returned by name servers) is used by
.Xr sshd 8
to verify the client host when logging in; other names are needed because
.Nm
does not convert the user-supplied name to a canonical name before
checking the key, because someone with access to the name servers
would then be able to fool host authentication.
.It Pa /etc/ssh/ssh_config
Systemwide configuration file.
This file provides defaults for those
values that are not specified in the user's configuration file, and
for those users who do not have a configuration file.
This file must be world-readable.
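The known-hosts line format given above (comma-separated names, bit count, exponent, modulus, optional comment) and the three outcomes the DESCRIPTION section attaches to it (a new host is added, a matching host is accepted, a changed key triggers the warning that disables password authentication) are demonstrated by the following POSIX sh script. It is an added example, not code from ssh.1 or OpenSSH; the function names `known_hosts_status` and `check_host`, the host names and the moduli in the two constructed sample files are all made up for the demonstration.

```shell
#!/bin/sh
# Added example (not part of ssh.1 or OpenSSH): check a presented host key
# against known-hosts files in the documented format, one line per host:
#   "name[,name...] bits exponent modulus [comment]"
# It reports the three outcomes the client must act on: "match", "unknown"
# (a host ssh would add to $HOME/.ssh/known_hosts) and "CHANGED" (the case
# where ssh warns and disables password authentication).

# known_hosts_status HOST "BITS EXP MODULUS" FILE...
# Searches every readable FILE, matching HOST against each comma-separated
# name on a line.  Exit status: 0 = match, 1 = unknown, 2 = CHANGED (some
# file holds a different key for this host, which outranks any match).
known_hosts_status() {
    host=$1; presented=$2; shift 2
    status=unknown
    for file; do
        [ -r "$file" ] || continue
        verdict=$(awk -v host="$host" -v key="$presented" '
            /^[ \t]*(#|$)/ { next }            # comments and blank lines
            NF < 4         { next }            # malformed: need name bits exp modulus
            {
                n = split($1, names, ",")
                for (i = 1; i <= n; i++) {
                    if (names[i] == host) {
                        stored = $2 " " $3 " " $4
                        res = (stored == key) ? "match" : "CHANGED"
                        print res
                        exit
                    }
                }
            }' "$file")
        case "$verdict" in
        CHANGED) echo CHANGED; return 2 ;;     # never trust a key that disagrees
        match)   status=match ;;               # keep scanning: another file may disagree
        esac
    done
    echo "$status"
    [ "$status" = match ]
}

# Constructed sample files (hypothetical hosts; the moduli are made-up
# numbers, not real keys), standing in for the system-wide and user files.
khdir=${TMPDIR:-/tmp}/known_hosts_demo.$$
mkdir -p "$khdir"
trap 'rm -rf "$khdir"' EXIT
cat > "$khdir/ssh_known_hosts" <<'EOF'
# system-wide file: every name a machine is known by, separated by commas
mail.example.net,mail,10.0.0.5 1024 35 1311371234567890123456789 admin@example.net
bastion.example.net 1024 37 98765432109876543210987654321
EOF
cat > "$khdir/known_hosts" <<'EOF'
mail.example.net 1024 35 1311371234567890123456789
wiki.example.net 768 35 5555555555555555555555555
EOF

# check_host HOST "BITS EXP MODULUS": system-wide file first, then the user's.
check_host() { known_hosts_status "$1" "$2" "$khdir/ssh_known_hosts" "$khdir/known_hosts"; }

# Stand-alone run: a known host, one of its aliases, a new host, a changed key.
check_host mail.example.net "1024 35 1311371234567890123456789"
check_host mail             "1024 35 1311371234567890123456789"
check_host new.example.net  "512 35 424242424242424242424242"   || true
check_host wiki.example.net "768 35 6666666666666666666666666"  || true
```

The alias handling is the point of the comma-separated name list: `mail` and `10.0.0.5` resolve to the same stored key as `mail.example.net`, so a user who types the short name is still protected. A key that differs in any file is reported as CHANGED even when another file agrees, which is the conservative choice for the warning the manual describes.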
.It Pa $HOME/.rhosts
This file is used in
.Pa \&.rhosts
authentication to list the
host/user pairs that are permitted to log in.
(Note that this file is
also used by rlogin and rsh, which makes using this file insecure.)
Each line of the file contains a host name (in the canonical form
returned by name servers), and then a user name on that host,
separated by a space.
On some machines this file may need to be
world-readable if the user's home directory is on an NFS partition,
because
.Xr sshd 8
reads it as root.
Additionally, this file must be owned by the user,
and must not have write permissions for anyone else.
The recommended
permission for most machines is read/write for the user, and not
accessible by others.
.Pp
Note that by default
.Xr sshd 8
will be installed so that it requires successful RSA host
authentication before permitting
.Pa \&.rhosts
authentication.
If your server machine does not have the client's host key in
.Pa /etc/ssh/ssh_known_hosts ,
you can store it in
.Pa $HOME/.ssh/known_hosts .
The easiest way to do this is to
connect back to the client from the server machine using ssh; this
will automatically add the host key to
.Pa $HOME/.ssh/known_hosts .
.It Pa $HOME/.shosts
.\" [4 lines omitted]
.Nm
without permitting login with
.Xr rlogin 1
or
.Xr rsh 1 .
.It Pa /etc/hosts.equiv
This file is used during
.Pa \&.rhosts
authentication.
It contains
canonical host names, one per line (the full format is described on
the
.Xr sshd 8
manual page).
If the client host is found in this file, login is
automatically permitted provided client and server user names are the
same.
Additionally, successful RSA host authentication is normally
required.
This file should only be writable by root.
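The per-file permission rules scattered through the entries above (identity, config and authorized_keys readable and writable by the user only; .rhosts owned by the user and not writable by anyone else; ssh refusing an identity file that others can access) can be checked mechanically. The POSIX sh script below is an added example, not code from ssh.1 or OpenSSH: it audits a directory laid out like a home directory and reports each file that breaks one of those rules. The function name `ssh_perms_check` and the constructed sample tree are this example's own; it parses the mode string printed by `ls -ld` so that it behaves the same on BSD and GNU systems.

```shell
#!/bin/sh
# Added example (not part of ssh.1 or OpenSSH): audit the permission rules
# the FILES section gives for the per-user files.  identity, config and
# authorized_keys must grant nothing to group or other; .rhosts must be
# owned by the user and not writable by anyone else.

# ssh_perms_check DIR
# DIR plays the role of $HOME.  Prints "ok FILE" or "BAD FILE: reason" for
# each listed file that exists; returns 1 if any file is BAD, 0 otherwise.
ssh_perms_check() {
    dir=$1
    rc=0
    for spec in \
        ".ssh/identity:private" \
        ".ssh/config:private" \
        ".ssh/authorized_keys:private" \
        ".rhosts:owned_nowrite"
    do
        f="$dir/${spec%%:*}"
        rule=${spec##*:}
        [ -e "$f" ] || continue
        set -- $(ls -ld "$f")              # $1 is the mode string, e.g. -rw-------
        mode=$1
        perm=${mode#?}                     # drop the file-type character
        perm=${perm%"${perm#?????????}"}   # keep exactly nine permission characters
        group=${perm#???}; group=${group%???}
        other=${perm#??????}
        reason=
        case $rule in
        private)
            [ "$group$other" = "------" ] || reason="accessible by others ($mode)"
            ;;
        owned_nowrite)
            [ -O "$f" ] || reason="not owned by the current user"
            case "$group$other" in *w*) reason="writable by others ($mode)" ;; esac
            ;;
        esac
        if [ -n "$reason" ]; then
            printf 'BAD %s: %s\n' "$f" "$reason"; rc=1
        else
            printf 'ok  %s\n' "$f"
        fi
    done
    return $rc
}

# Constructed sample tree: two files are deliberately too open so the
# report has something to flag.
home=${TMPDIR:-/tmp}/ssh_perms_demo.$$
mkdir -p "$home/.ssh"
trap 'rm -rf "$home"' EXIT
: > "$home/.ssh/identity";        chmod 600 "$home/.ssh/identity"
: > "$home/.ssh/config";          chmod 600 "$home/.ssh/config"
: > "$home/.ssh/authorized_keys"; chmod 644 "$home/.ssh/authorized_keys"   # readable by others
: > "$home/.rhosts";              chmod 622 "$home/.rhosts"                 # writable by others

# Stand-alone run: print the report.
ssh_perms_check "$home" || echo "one or more files need their permissions fixed"
```

The `private` rule is deliberately stricter than "not writable": the manual says ssh ignores an identity file that is accessible by others at all, so any group or other bit counts as a failure for those three files.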
.It Pa /etc/ssh/shosts.equiv
This file is processed exactly as
.Pa /etc/hosts.equiv .
This file may be useful to permit logins using
.Nm
but not using rsh/rlogin.
.It Pa /etc/ssh/sshrc
Commands in this file are executed by
.Nm
when the user logs in just before the user's shell (or command) is started.
.\" [13 lines omitted]
.Sx ENVIRONMENT
above.
.It Pa libcrypto.so.X.1
A version of this library which includes support for the RSA algorithm
is required for proper operation.
.Sh AUTHOR
OpenSSH
is a derivative of the original (free) ssh 1.2.12 release by Tatu Ylonen,
but with bugs removed and newer features re-added.
Rapidly after the
1.2.12 release, newer versions of the original ssh bore successively
more restrictive licenses, and thus demand for a free version was born.
This version of OpenSSH
.Bl -bullet
.It
has all components of a restrictive nature (i.e., patents, see
.Xr ssl 8 )
directly removed from the source code; any licensed or patented components
.\" [30 lines omitted]