Deleted Added
ssh.1 (58520) ssh.1 (58585)
1.\" -*- nroff -*-
2.\"
3.\" ssh.1.in
4.\"
5.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
6.\"
7.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8.\" All rights reserved
9.\"
10.\" Created: Sat Apr 22 21:55:14 1995 ylo
11.\"
1.\" -*- nroff -*-
2.\"
3.\" ssh.1.in
4.\"
5.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
6.\"
7.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8.\" All rights reserved
9.\"
10.\" Created: Sat Apr 22 21:55:14 1995 ylo
11.\"
12.\" $Id: ssh.1,v 1.38 2000/02/28 19:51:58 markus Exp $
13.\" $FreeBSD: head/crypto/openssh/ssh.1 58520 2000-03-24 02:26:54Z mpp $
12.\" $Id: ssh.1,v 1.43 2000/03/24 03:04:46 brad Exp $
13.\" $FreeBSD: head/crypto/openssh/ssh.1 58585 2000-03-26 07:37:48Z kris $
14.\"
15.Dd September 25, 1999
16.Dt SSH 1
17.Os
18.Sh NAME
19.Nm ssh
20.Nd OpenSSH secure shell client (remote login program)
21.Sh SYNOPSIS

--- 26 unchanged lines hidden ---

48.Sm on
49.Xc
50.Oc
51.Op Ar hostname | user@hostname
52.Op Ar command
53.Sh DESCRIPTION
54.Nm
55(Secure Shell) is a program for logging into a remote machine and for
14.\"
15.Dd September 25, 1999
16.Dt SSH 1
17.Os
18.Sh NAME
19.Nm ssh
20.Nd OpenSSH secure shell client (remote login program)
21.Sh SYNOPSIS

--- 26 unchanged lines hidden ---

48.Sm on
49.Xc
50.Oc
51.Op Ar hostname | user@hostname
52.Op Ar command
53.Sh DESCRIPTION
54.Nm
55(Secure Shell) is a program for logging into a remote machine and for
56executing commands on a remote machine. It is intended to replace
56executing commands on a remote machine.
57It is intended to replace
57rlogin and rsh, and provide secure encrypted communications between
58rlogin and rsh, and provide secure encrypted communications between
58two untrusted hosts over an insecure network. X11 connections and
59two untrusted hosts over an insecure network.
60X11 connections and
59arbitrary TCP/IP ports can also be forwarded over the secure channel.
60.Pp
61.Nm
62connects and logs into the specified
63.Ar hostname .
64The user must prove
65his/her identity to the remote machine using one of several methods.
66.Pp

--- 5 unchanged lines hidden ---

72the same on both sides, the user is immediately permitted to log in.
73Second, if
74.Pa \&.rhosts
75or
76.Pa \&.shosts
77exists in the user's home directory on the
78remote machine and contains a line containing the name of the client
79machine and the name of the user on that machine, the user is
61arbitrary TCP/IP ports can also be forwarded over the secure channel.
62.Pp
63.Nm
64connects and logs into the specified
65.Ar hostname .
66The user must prove
67his/her identity to the remote machine using one of several methods.
68.Pp

--- 5 unchanged lines hidden ---

74the same on both sides, the user is immediately permitted to log in.
75Second, if
76.Pa \&.rhosts
77or
78.Pa \&.shosts
79exists in the user's home directory on the
80remote machine and contains a line containing the name of the client
81machine and the name of the user on that machine, the user is
80permitted to log in. This form of authentication alone is normally not
82permitted to log in.
83This form of authentication alone is normally not
81allowed by the server because it is not secure.
82.Pp
83The second (and primary) authentication method is the
84.Pa rhosts
85or
86.Pa hosts.equiv
84allowed by the server because it is not secure.
85.Pp
86The second (and primary) authentication method is the
87.Pa rhosts
88or
89.Pa hosts.equiv
87method combined with RSA-based host authentication. It
88means that if the login would be permitted by
90method combined with RSA-based host authentication.
91It means that if the login would be permitted by
89.Pa \&.rhosts ,
90.Pa \&.shosts ,
91.Pa /etc/hosts.equiv ,
92or
93.Pa /etc/ssh/shosts.equiv ,
94and if additionally the server can verify the client's
95host key (see
96.Pa /etc/ssh/ssh_known_hosts
97and
98.Pa $HOME/.ssh/known_hosts
99in the
100.Sx FILES
92.Pa \&.rhosts ,
93.Pa \&.shosts ,
94.Pa /etc/hosts.equiv ,
95or
96.Pa /etc/ssh/shosts.equiv ,
97and if additionally the server can verify the client's
98host key (see
99.Pa /etc/ssh/ssh_known_hosts
100and
101.Pa $HOME/.ssh/known_hosts
102in the
103.Sx FILES
101section), only then login is
102permitted. This authentication method closes security holes due to IP
103spoofing, DNS spoofing and routing spoofing. [Note to the
104administrator:
104section), only then login is permitted.
105This authentication method closes security holes due to IP
106spoofing, DNS spoofing and routing spoofing.
107[Note to the administrator:
105.Pa /etc/hosts.equiv ,
106.Pa \&.rhosts ,
107and the rlogin/rsh protocol in general, are inherently insecure and should be
108disabled if security is desired.]
109.Pp
110As a third authentication method,
111.Nm
112supports RSA based authentication.
113The scheme is based on public-key cryptography: there are cryptosystems
114where encryption and decryption are done using separate keys, and it
115is not possible to derive the decryption key from the encryption key.
108.Pa /etc/hosts.equiv ,
109.Pa \&.rhosts ,
110and the rlogin/rsh protocol in general, are inherently insecure and should be
111disabled if security is desired.]
112.Pp
113As a third authentication method,
114.Nm
115supports RSA based authentication.
116The scheme is based on public-key cryptography: there are cryptosystems
117where encryption and decryption are done using separate keys, and it
118is not possible to derive the decryption key from the encryption key.
116RSA is one such system. The idea is that each user creates a public/private
117key pair for authentication purposes. The
118server knows the public key, and only the user knows the private key.
119The file
119RSA is one such system.
120The idea is that each user creates a public/private
121key pair for authentication purposes.
122The server knows the public key, and only the user knows the private key.
123The file
120.Pa $HOME/.ssh/authorized_keys
121lists the public keys that are permitted for logging
124.Pa $HOME/.ssh/authorized_keys
125lists the public keys that are permitted for logging
122in. When the user logs in, the
126in.
127When the user logs in, the
123.Nm
124program tells the server which key pair it would like to use for
128.Nm
129program tells the server which key pair it would like to use for
125authentication. The server checks if this key is permitted, and if
130authentication.
131The server checks if this key is permitted, and if
126so, sends the user (actually the
127.Nm
128program running on behalf of the user) a challenge, a random number,
132so, sends the user (actually the
133.Nm
134program running on behalf of the user) a challenge, a random number,
129encrypted by the user's public key. The challenge can only be
130decrypted using the proper private key. The user's client then decrypts the
135encrypted by the user's public key.
136The challenge can only be
137decrypted using the proper private key.
138The user's client then decrypts the
131challenge using the private key, proving that he/she knows the private
132key but without disclosing it to the server.
133.Pp
134.Nm
139challenge using the private key, proving that he/she knows the private
140key but without disclosing it to the server.
141.Pp
142.Nm
135implements the RSA authentication protocol automatically. The user
136creates his/her RSA key pair by running
143implements the RSA authentication protocol automatically.
144The user creates his/her RSA key pair by running
137.Xr ssh-keygen 1 .
138This stores the private key in
139.Pa \&.ssh/identity
140and the public key in
141.Pa \&.ssh/identity.pub
145.Xr ssh-keygen 1 .
146This stores the private key in
147.Pa \&.ssh/identity
148and the public key in
149.Pa \&.ssh/identity.pub
142in the user's home directory. The user should then
143copy the
150in the user's home directory.
151The user should then copy the
144.Pa identity.pub
145to
146.Pa \&.ssh/authorized_keys
147in his/her home directory on the remote machine (the
148.Pa authorized_keys
149file corresponds to the conventional
150.Pa \&.rhosts
151file, and has one key
152.Pa identity.pub
153to
154.Pa \&.ssh/authorized_keys
155in his/her home directory on the remote machine (the
156.Pa authorized_keys
157file corresponds to the conventional
158.Pa \&.rhosts
159file, and has one key
152per line, though the lines can be very long). After this, the user
153can log in without giving the password. RSA authentication is much
160per line, though the lines can be very long).
161After this, the user can log in without giving the password.
162RSA authentication is much
154more secure than rhosts authentication.
155.Pp
156The most convenient way to use RSA authentication may be with an
163more secure than rhosts authentication.
164.Pp
165The most convenient way to use RSA authentication may be with an
157authentication agent. See
166authentication agent.
167See
158.Xr ssh-agent 1
159for more information.
160.Pp
161If other authentication methods fail,
162.Nm
168.Xr ssh-agent 1
169for more information.
170.Pp
171If other authentication methods fail,
172.Nm
163prompts the user for a password. The password is sent to the remote
173prompts the user for a password.
174The password is sent to the remote
164host for checking; however, since all communications are encrypted,
165the password cannot be seen by someone listening on the network.
166.Pp
167When the user's identity has been accepted by the server, the server
168either executes the given command, or logs into the machine and gives
175host for checking; however, since all communications are encrypted,
176the password cannot be seen by someone listening on the network.
177.Pp
178When the user's identity has been accepted by the server, the server
179either executes the given command, or logs into the machine and gives
169the user a normal shell on the remote machine. All communication with
180the user a normal shell on the remote machine.
181All communication with
170the remote command or shell will be automatically encrypted.
171.Pp
172If a pseudo-terminal has been allocated (normal login session), the
173user can disconnect with
174.Ic ~. ,
175and suspend
176.Nm
177with
178.Ic ~^Z .
179All forwarded connections can be listed with
180.Ic ~#
181and if
182the session blocks waiting for forwarded X11 or TCP/IP
183connections to terminate, it can be backgrounded with
184.Ic ~&
185(this should not be used while the user shell is active, as it can cause the
182the remote command or shell will be automatically encrypted.
183.Pp
184If a pseudo-terminal has been allocated (normal login session), the
185user can disconnect with
186.Ic ~. ,
187and suspend
188.Nm
189with
190.Ic ~^Z .
191All forwarded connections can be listed with
192.Ic ~#
193and if
194the session blocks waiting for forwarded X11 or TCP/IP
195connections to terminate, it can be backgrounded with
196.Ic ~&
197(this should not be used while the user shell is active, as it can cause the
186shell to hang). All available escapes can be listed with
198shell to hang).
199All available escapes can be listed with
187.Ic ~? .
188.Pp
189A single tilde character can be sent as
190.Ic ~~
191(or by following the tilde by a character other than those described above).
192The escape character must always follow a newline to be interpreted as
200.Ic ~? .
201.Pp
202A single tilde character can be sent as
203.Ic ~~
204(or by following the tilde by a character other than those described above).
205The escape character must always follow a newline to be interpreted as
193special. The escape character can be changed in configuration files
206special.
207The escape character can be changed in configuration files
194or on the command line.
195.Pp
196If no pseudo tty has been allocated, the
197session is transparent and can be used to reliably transfer binary
208or on the command line.
209.Pp
210If no pseudo tty has been allocated, the
211session is transparent and can be used to reliably transfer binary
198data. On most systems, setting the escape character to
212data.
213On most systems, setting the escape character to
199.Dq none
200will also make the session transparent even if a tty is used.
201.Pp
202The session terminates when the command or shell in on the remote
203machine exists and all X11 and TCP/IP connections have been closed.
204The exit status of the remote program is returned as the exit status
205of
206.Nm ssh .
207.Pp
208If the user is using X11 (the
209.Ev DISPLAY
210environment variable is set), the connection to the X11 display is
211automatically forwarded to the remote side in such a way that any X11
212programs started from the shell (or command) will go through the
213encrypted channel, and the connection to the real X server will be made
214.Dq none
215will also make the session transparent even if a tty is used.
216.Pp
217The session terminates when the command or shell in on the remote
218machine exists and all X11 and TCP/IP connections have been closed.
219The exit status of the remote program is returned as the exit status
220of
221.Nm ssh .
222.Pp
223If the user is using X11 (the
224.Ev DISPLAY
225environment variable is set), the connection to the X11 display is
226automatically forwarded to the remote side in such a way that any X11
227programs started from the shell (or command) will go through the
228encrypted channel, and the connection to the real X server will be made
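Review bot: new lines 217-218 still carry the pre-existing error "the command or shell in on the remote machine exists" untouched, although the surrounding paragraphs are being reflowed in this change; it should read "the command or shell on the remote machine exits", since the session terminates when the remote shell exits, not when it exists.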
214from the local machine. The user should not manually set
229from the local machine.
230The user should not manually set
215.Ev DISPLAY .
216Forwarding of X11 connections can be
217configured on the command line or in configuration files.
218.Pp
219The
220.Ev DISPLAY
221value set by
222.Nm
223will point to the server machine, but with a display number greater
231.Ev DISPLAY .
232Forwarding of X11 connections can be
233configured on the command line or in configuration files.
234.Pp
235The
236.Ev DISPLAY
237value set by
238.Nm
239will point to the server machine, but with a display number greater
224than zero. This is normal, and happens because
240than zero.
241This is normal, and happens because
225.Nm
226creates a
227.Dq proxy
228X server on the server machine for forwarding the
229connections over the encrypted channel.
230.Pp
231.Nm
232will also automatically set up Xauthority data on the server machine.
233For this purpose, it will generate a random authorization cookie,
234store it in Xauthority on the server, and verify that any forwarded
235connections carry this cookie and replace it by the real cookie when
242.Nm
243creates a
244.Dq proxy
245X server on the server machine for forwarding the
246connections over the encrypted channel.
247.Pp
248.Nm
249will also automatically set up Xauthority data on the server machine.
250For this purpose, it will generate a random authorization cookie,
251store it in Xauthority on the server, and verify that any forwarded
252connections carry this cookie and replace it by the real cookie when
236the connection is opened. The real authentication cookie is never
253the connection is opened.
254The real authentication cookie is never
237sent to the server machine (and no cookies are sent in the plain).
238.Pp
239If the user is using an authentication agent, the connection to the agent
240is automatically forwarded to the remote side unless disabled on
241command line or in a configuration file.
242.Pp
243Forwarding of arbitrary TCP/IP connections over the secure channel can
255sent to the server machine (and no cookies are sent in the plain).
256.Pp
257If the user is using an authentication agent, the connection to the agent
258is automatically forwarded to the remote side unless disabled on
259command line or in a configuration file.
260.Pp
261Forwarding of arbitrary TCP/IP connections over the secure channel can
244be specified either on command line or in a configuration file. One
245possible application of TCP/IP forwarding is a secure connection to an
246electronic purse; another is going through firewalls.
262be specified either on command line or in a configuration file.
263One possible application of TCP/IP forwarding is a secure connection to an
264electronic purse; another is going trough firewalls.
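Review bot: new line 264 introduces a typo during the reflow: "another is going trough firewalls" should keep the original spelling "going through firewalls" from old line 246.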
247.Pp
248.Nm
249automatically maintains and checks a database containing RSA-based
265.Pp
266.Nm
267automatically maintains and checks a database containing RSA-based
250identifications for all hosts it has ever been used with. The
251database is stored in
268identifications for all hosts it has ever been used with.
269The database is stored in
252.Pa \&.ssh/known_hosts
270.Pa \&.ssh/known_hosts
253in the user's home directory. Additionally, the file
271in the user's home directory.
272Additionally, the file
254.Pa /etc/ssh/ssh_known_hosts
273.Pa /etc/ssh/ssh_known_hosts
255is automatically checked for known hosts. Any new hosts are
256automatically added to the user's file. If a host's identification
274is automatically checked for known hosts.
275Any new hosts are automatically added to the user's file.
276If a host's identification
257ever changes,
258.Nm
259warns about this and disables password authentication to prevent a
277ever changes,
278.Nm
279warns about this and disables password authentication to prevent a
260trojan horse from getting the user's password. Another purpose of
280trojan horse from getting the user's password.
281Another purpose of
261this mechanism is to prevent man-in-the-middle attacks which could
282this mechanism is to prevent man-in-the-middle attacks which could
262otherwise be used to circumvent the encryption. The
283otherwise be used to circumvent the encryption.
284The
263.Cm StrictHostKeyChecking
264option (see below) can be used to prevent logins to machines whose
265host key is not known or has changed.
266.Sh OPTIONS
267.Bl -tag -width Ds
268.It Fl a
285.Cm StrictHostKeyChecking
286option (see below) can be used to prevent logins to machines whose
287host key is not known or has changed.
288.Sh OPTIONS
289.Bl -tag -width Ds
290.It Fl a
269Disables forwarding of the authentication agent connection. This may
270also be specified on a per-host basis in the configuration file.
291Disables forwarding of the authentication agent connection.
292This may also be specified on a per-host basis in the configuration file.
271.It Fl c Ar blowfish|3des
272Selects the cipher to use for encrypting the session.
273.Ar 3des
293.It Fl c Ar blowfish|3des
294Selects the cipher to use for encrypting the session.
295.Ar 3des
274is used by default. It is believed to be secure.
296is used by default.
297It is believed to be secure.
275.Ar 3des
276(triple-des) is an encrypt-decrypt-encrypt triple with three different keys.
277It is presumably more secure than the
278.Ar des
279cipher which is no longer supported in ssh.
280.Ar blowfish
281is a fast block cipher, it appears very secure and is much faster than
282.Ar 3des .
283.It Fl e Ar ch|^ch|none
284Sets the escape character for sessions with a pty (default:
285.Ql ~ ) .
298.Ar 3des
299(triple-des) is an encrypt-decrypt-encrypt triple with three different keys.
300It is presumably more secure than the
301.Ar des
302cipher which is no longer supported in ssh.
303.Ar blowfish
304is a fast block cipher, it appears very secure and is much faster than
305.Ar 3des .
306.It Fl e Ar ch|^ch|none
307Sets the escape character for sessions with a pty (default:
308.Ql ~ ) .
286The escape character is only recognized at the beginning of a line. The
287escape character followed by a dot
309The escape character is only recognized at the beginning of a line.
310The escape character followed by a dot
288.Pq Ql \&.
289closes the connection, followed
290by control-Z suspends the connection, and followed by itself sends the
311.Pq Ql \&.
312closes the connection, followed
313by control-Z suspends the connection, and followed by itself sends the
291escape character once. Setting the character to
314escape character once.
315Setting the character to
292.Dq none
293disables any escapes and makes the session fully transparent.
294.It Fl f
295Requests
296.Nm
316.Dq none
317disables any escapes and makes the session fully transparent.
318.It Fl f
319Requests
320.Nm
297to go to background just before command execution. This is useful
298if
321to go to background just before command execution.
322This is useful if
299.Nm
300is going to ask for passwords or passphrases, but the user
323.Nm
324is going to ask for passwords or passphrases, but the user
301wants it in the background. This implies
325wants it in the background.
326This implies
302.Fl n .
303The recommended way to start X11 programs at a remote site is with
304something like
305.Ic ssh -f host xterm .
306.It Fl g
307Allows remote hosts to connect to local forwarded ports.
308.It Fl i Ar identity_file
327.Fl n .
328The recommended way to start X11 programs at a remote site is with
329something like
330.Ic ssh -f host xterm .
331.It Fl g
332Allows remote hosts to connect to local forwarded ports.
333.It Fl i Ar identity_file
309Selects the file from which the identity (private key) for
310RSA authentication is read. Default is
334Selects the file from which the identity (private key) for
335RSA authentication is read.
336Default is
311.Pa \&.ssh/identity
337.Pa \&.ssh/identity
312in the user's home directory. Identity files may also be specified on
313a per-host basis in the configuration file. It is possible to have
314multiple
338in the user's home directory.
339Identity files may also be specified on
340a per-host basis in the configuration file.
341It is possible to have multiple
315.Fl i
316options (and multiple identities specified in
317configuration files).
318.It Fl k
342.Fl i
343options (and multiple identities specified in
344configuration files).
345.It Fl k
319Disables forwarding of Kerberos tickets and AFS tokens. This may
320also be specified on a per-host basis in the configuration file.
346Disables forwarding of Kerberos tickets and AFS tokens.
347This may also be specified on a per-host basis in the configuration file.
321.It Fl l Ar login_name
348.It Fl l Ar login_name
322Specifies the user to log in as on the remote machine. This may also
323be specified on a per-host basis in the configuration file.
349Specifies the user to log in as on the remote machine.
350This also may be specified on a per-host basis in the configuration file.
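Review bot: new line 350 reorders the sentence to "This also may be specified on a per-host basis", which reads worse than the original "This may also be specified" (old line 323) and is inconsistent with the identical sentence kept as "This may also be specified" at new lines 292 and 347; keep the original word order.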
324.It Fl n
325Redirects stdin from
326.Pa /dev/null
327(actually, prevents reading from stdin).
328This must be used when
329.Nm
351.It Fl n
352Redirects stdin from
353.Pa /dev/null
354(actually, prevents reading from stdin).
355This must be used when
356.Nm
330is run in the background. A common trick is to use this to run X11
331programs in a remote machine. For example,
357is run in the background.
358A common trick is to use this to run X11 programs on a remote machine.
359For example,
332.Ic ssh -n shadows.cs.hut.fi emacs &
333will start an emacs on shadows.cs.hut.fi, and the X11
334connection will be automatically forwarded over an encrypted channel.
335The
336.Nm
337program will be put in the background.
338(This does not work if
339.Nm
340needs to ask for a password or passphrase; see also the
341.Fl f
342option.)
343.It Fl o Ar option
344Can be used to give options in the format used in the config file.
345This is useful for specifying options for which there is no separate
360.Ic ssh -n shadows.cs.hut.fi emacs &
361will start an emacs on shadows.cs.hut.fi, and the X11
362connection will be automatically forwarded over an encrypted channel.
363The
364.Nm
365program will be put in the background.
366(This does not work if
367.Nm
368needs to ask for a password or passphrase; see also the
369.Fl f
370option.)
371.It Fl o Ar option
372Can be used to give options in the format used in the config file.
373This is useful for specifying options for which there is no separate
346command-line flag. The option has the same format as a line in the
347configuration file.
374command-line flag.
375The option has the same format as a line in the configuration file.
348.It Fl p Ar port
376.It Fl p Ar port
349Port to connect to on the remote host. This can be specified on a
377Port to connect to on the remote host.
378This can be specified on a
350per-host basis in the configuration file.
351.It Fl P
352Use a non-privileged port for outgoing connections.
353This can be used if your firewall does
354not permit connections from privileged ports.
355Note that this option turns off
356.Cm RhostsAuthentication
357and
358.Cm RhostsRSAAuthentication .
359.It Fl q
379per-host basis in the configuration file.
380.It Fl P
381Use a non-privileged port for outgoing connections.
382This can be used if your firewall does
383not permit connections from privileged ports.
384Note that this option turns off
385.Cm RhostsAuthentication
386and
387.Cm RhostsRSAAuthentication .
388.It Fl q
360Quiet mode. Causes all warning and diagnostic messages to be
361suppressed. Only fatal errors are displayed.
389Quiet mode.
390Causes all warning and diagnostic messages to be suppressed.
391Only fatal errors are displayed.
362.It Fl t
392.It Fl t
363Force pseudo-tty allocation. This can be used to execute arbitrary
364screen-based programs on a remote machine, which can be very useful
365e.g. when implementing menu services.
393Force pseudo-tty allocation.
394This can be used to execute arbitrary
395screen-based programs on a remote machine, which can be very useful,
396e.g., when implementing menu services.
366.It Fl v
397.It Fl v
367Verbose mode. Causes
398Verbose mode.
399Causes
368.Nm
400.Nm
369to print debugging messages about its progress. This is helpful in
401to print debugging messages about its progress.
402This is helpful in
370debugging connection, authentication, and configuration problems.
371The verbose mode is also used to display
372.Xr skey 1
373challenges, if the user entered "s/key" as password.
374.It Fl x
403debugging connection, authentication, and configuration problems.
404The verbose mode is also used to display
405.Xr skey 1
406challenges, if the user entered "s/key" as password.
407.It Fl x
375Disables X11 forwarding. This can also be specified on a per-host
376basis in a configuration file.
408Disables X11 forwarding.
409This can also be specified on a per-host basis in a configuration file.
377.It Fl X
378Enables X11 forwarding.
379.It Fl C
380Requests compression of all data (including stdin, stdout, stderr, and
410.It Fl X
411Enables X11 forwarding.
412.It Fl C
413Requests compression of all data (including stdin, stdout, stderr, and
381data for forwarded X11 and TCP/IP connections). The compression
382algorithm is the same used by
414data for forwarded X11 and TCP/IP connections).
415The compression algorithm is the same used by
383.Xr gzip 1 ,
384and the
385.Dq level
386can be controlled by the
387.Cm CompressionLevel
416.Xr gzip 1 ,
417and the
418.Dq level
419can be controlled by the
420.Cm CompressionLevel
388option (see below). Compression is desirable on modem lines and other
421option (see below).
422Compression is desirable on modem lines and other
389slow connections, but will only slow down things on fast networks.
390The default value can be set on a host-by-host basis in the
391configuration files; see the
392.Cm Compress
393option below.
394.It Fl L Ar port:host:hostport
395Specifies that the given port on the local (client) host is to be
423slow connections, but will only slow down things on fast networks.
424The default value can be set on a host-by-host basis in the
425configuration files; see the
426.Cm Compress
427option below.
428.It Fl L Ar port:host:hostport
429Specifies that the given port on the local (client) host is to be
396forwarded to the given host and port on the remote side. This works
397by allocating a socket to listen to
430forwarded to the given host and port on the remote side.
431This works by allocating a socket to listen to
398.Ar port
399on the local side, and whenever a connection is made to this port, the
400connection is forwarded over the secure channel, and a connection is
401made to
402.Ar host
403port
404.Ar hostport
432.Ar port
433on the local side, and whenever a connection is made to this port, the
434connection is forwarded over the secure channel, and a connection is
435made to
436.Ar host
437port
438.Ar hostport
405from the remote machine. Port forwardings can also be specified in the
406configuration file. Only root can forward privileged ports.
439from the remote machine.
440Port forwardings can also be specified in the configuration file.
441Only root can forward privileged ports.
407IPv6 addresses can be specified with an alternative syntax:
408.Ar port/host/hostport
409.It Fl R Ar port:host:hostport
410Specifies that the given port on the remote (server) host is to be
442IPv6 addresses can be specified with an alternative syntax:
443.Ar port/host/hostport
444.It Fl R Ar port:host:hostport
445Specifies that the given port on the remote (server) host is to be
411forwarded to the given host and port on the local side. This works
412by allocating a socket to listen to
446forwarded to the given host and port on the local side.
447This works by allocating a socket to listen to
413.Ar port
414on the remote side, and whenever a connection is made to this port, the
415connection is forwarded over the secure channel, and a connection is
416made to
417.Ar host
418port
419.Ar hostport
448.Ar port
449on the remote side, and whenever a connection is made to this port, the
450connection is forwarded over the secure channel, and a connection is
451made to
452.Ar host
453port
454.Ar hostport
420from the local machine. Port forwardings can also be specified in the
421configuration file. Privileged ports can be forwarded only when
455from the local machine.
456Port forwardings can also be specified in the configuration file.
457Privileged ports can be forwarded only when
422logging in as root on the remote machine.
423.It Fl 4
424Forces
425.Nm
426to use IPv4 addresses only.
427.It Fl 6
428Forces
429.Nm
430to use IPv6 addresses only.
431.El
432.Sh CONFIGURATION FILES
433.Nm
434obtains configuration data from the following sources (in this order):
435command line options, user's configuration file
436.Pq Pa $HOME/.ssh/config ,
437and system-wide configuration file
438.Pq Pa /etc/ssh/ssh_config .
439For each parameter, the first obtained value
458logging in as root on the remote machine.
459.It Fl 4
460Forces
461.Nm
462to use IPv4 addresses only.
463.It Fl 6
464Forces
465.Nm
466to use IPv6 addresses only.
467.El
468.Sh CONFIGURATION FILES
469.Nm
470obtains configuration data from the following sources (in this order):
471command line options, user's configuration file
472.Pq Pa $HOME/.ssh/config ,
473and system-wide configuration file
474.Pq Pa /etc/ssh/ssh_config .
475For each parameter, the first obtained value
440will be used. The configuration files contain sections bracketed by
441"Host" specifications, and that section is only applied for hosts that
442match one of the patterns given in the specification. The matched
443host name is the one given on the command line.
476will be used.
477The configuration files contain sections bracketed by
478.Dq Host
479specifications, and that section is only applied for hosts that
480match one of the patterns given in the specification.
481The matched host name is the one given on the command line.
444.Pp
445Since the first obtained value for each parameter is used, more
446host-specific declarations should be given near the beginning of the
447file, and general defaults at the end.
448.Pp
449The configuration file has the following format:
450.Pp
451Empty lines and lines starting with

--- 10 unchanged lines hidden ---

462Restricts the following declarations (up to the next
463.Cm Host
464keyword) to be only for those hosts that match one of the patterns
465given after the keyword.
466.Ql \&*
467and
468.Ql ?
469can be used as wildcards in the
482.Pp
483Since the first obtained value for each parameter is used, more
484host-specific declarations should be given near the beginning of the
485file, and general defaults at the end.
486.Pp
487The configuration file has the following format:
488.Pp
489Empty lines and lines starting with

--- 10 unchanged lines hidden (view full) ---

500Restricts the following declarations (up to the next
501.Cm Host
502keyword) to be only for those hosts that match one of the patterns
503given after the keyword.
504.Ql \&*
505and
506.Ql ?
507can be used as wildcards in the
470patterns. A single
508patterns.
509A single
471.Ql \&*
472as a pattern can be used to provide global
510.Ql \&*
511as a pattern can be used to provide global
473defaults for all hosts. The host is the
512defaults for all hosts.
513The host is the
474.Ar hostname
475argument given on the command line (i.e., the name is not converted to
476a canonicalized host name before matching).
477.It Cm AFSTokenPassing
514.Ar hostname
515argument given on the command line (i.e., the name is not converted to
516a canonicalized host name before matching).
517.It Cm AFSTokenPassing
478Specifies whether to pass AFS tokens to remote host. The argument to
479this keyword must be
518Specifies whether to pass AFS tokens to remote host.
519The argument to this keyword must be
480.Dq yes
481or
482.Dq no .
483.It Cm BatchMode
484If set to
485.Dq yes ,
520.Dq yes
521or
522.Dq no .
523.It Cm BatchMode
524If set to
525.Dq yes ,
486passphrase/password querying will be disabled. This
487option is useful in scripts and other batch jobs where you have no
488user to supply the password. The argument must be
526passphrase/password querying will be disabled.
527This option is useful in scripts and other batch jobs where you have no
528user to supply the password.
529The argument must be
489.Dq yes
490or
491.Dq no .
492.It Cm CheckHostIP
493If this flag is set to
494.Dq yes ,
495ssh will additionally check the host ip address in the
496.Pa known_hosts
530.Dq yes
531or
532.Dq no .
533.It Cm CheckHostIP
534If this flag is set to
535.Dq yes ,
536ssh will additionally check the host ip address in the
537.Pa known_hosts
497file. This allows ssh to detect if a host key changed due to DNS spoofing.
538file.
539This allows ssh to detect if a host key changed due to DNS spoofing.
498If the option is set to
499.Dq no ,
500the check will not be executed.
501.It Cm Cipher
540If the option is set to
541.Dq no ,
542the check will not be executed.
543.It Cm Cipher
502Specifies the cipher to use for encrypting the session. Currently,
544Specifies the cipher to use for encrypting the session.
545Currently,
503.Dq blowfish ,
504and
505.Dq 3des
546.Dq blowfish ,
547and
548.Dq 3des
506are supported. The default is
549are supported.
550The default is
507.Dq 3des .
508.It Cm Compression
551.Dq 3des .
552.It Cm Compression
509Specifies whether to use compression. The argument must be
553Specifies whether to use compression.
554The argument must be
510.Dq yes
511or
512.Dq no .
513.It Cm CompressionLevel
555.Dq yes
556or
557.Dq no .
558.It Cm CompressionLevel
514Specifies the compression level to use if compression is enable. The
515argument must be an integer from 1 (fast) to 9 (slow, best). The
516default level is 6, which is good for most applications. The meaning
517of the values is the same as in
559Specifies the compression level to use if compression is enable.
560The argument must be an integer from 1 (fast) to 9 (slow, best).
561The default level is 6, which is good for most applications.
562The meaning of the values is the same as in
518.Xr gzip 1 .
519.It Cm ConnectionAttempts
520Specifies the number of tries (one per second) to make before falling
563.Xr gzip 1 .
564.It Cm ConnectionAttempts
565Specifies the number of tries (one per second) to make before falling
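Review bot: the reflowed first sentence of the CompressionLevel entry carries over the pre-existing typo "if compression is enable"; make it "if compression is enabled" while this line is being touched.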
521back to rsh or exiting. The argument must be an integer. This may be
522useful in scripts if the connection sometimes fails.
566back to rsh or exiting.
567The argument must be an integer.
568This may be useful in scripts if the connection sometimes fails.
523.It Cm EscapeChar
524Sets the escape character (default:
525.Ql ~ ) .
526The escape character can also
569.It Cm EscapeChar
570Sets the escape character (default:
571.Ql ~ ) .
572The escape character can also
527be set on the command line. The argument should be a single
528character,
573be set on the command line.
574The argument should be a single character,
529.Ql ^
530followed by a letter, or
531.Dq none
532to disable the escape
533character entirely (making the connection transparent for binary
534data).
535.It Cm FallBackToRsh
536Specifies that if connecting via
537.Nm
538fails due to a connection refused error (there is no
539.Xr sshd 8
540listening on the remote host),
541.Xr rsh 1
542should automatically be used instead (after a suitable warning about
575.Ql ^
576followed by a letter, or
577.Dq none
578to disable the escape
579character entirely (making the connection transparent for binary
580data).
581.It Cm FallBackToRsh
582Specifies that if connecting via
583.Nm
584fails due to a connection refused error (there is no
585.Xr sshd 8
586listening on the remote host),
587.Xr rsh 1
588should automatically be used instead (after a suitable warning about
543the session being unencrypted). The argument must be
589the session being unencrypted).
590The argument must be
544.Dq yes
545or
546.Dq no .
547.It Cm ForwardAgent
548Specifies whether the connection to the authentication agent (if any)
591.Dq yes
592or
593.Dq no .
594.It Cm ForwardAgent
595Specifies whether the connection to the authentication agent (if any)
549will be forwarded to the remote machine. The argument must be
596will be forwarded to the remote machine.
597The argument must be
550.Dq yes
551or
552.Dq no .
553.It Cm ForwardX11
554Specifies whether X11 connections will be automatically redirected
555over the secure channel and
556.Ev DISPLAY
598.Dq yes
599or
600.Dq no .
601.It Cm ForwardX11
602Specifies whether X11 connections will be automatically redirected
603over the secure channel and
604.Ev DISPLAY
557set. The argument must be
605set.
606The argument must be
558.Dq yes
559or
560.Dq no .
561The default is
562.Dq no .
563.It Cm GatewayPorts
564Specifies whether remote hosts are allowed to connect to local
565forwarded ports.
566The argument must be
567.Dq yes
568or
569.Dq no .
570The default is
571.Dq no .
572.It Cm GlobalKnownHostsFile
573Specifies a file to use instead of
574.Pa /etc/ssh/ssh_known_hosts .
575.It Cm HostName
607.Dq yes
608or
609.Dq no .
610The default is
611.Dq no .
612.It Cm GatewayPorts
613Specifies whether remote hosts are allowed to connect to local
614forwarded ports.
615The argument must be
616.Dq yes
617or
618.Dq no .
619The default is
620.Dq no .
621.It Cm GlobalKnownHostsFile
622Specifies a file to use instead of
623.Pa /etc/ssh/ssh_known_hosts .
624.It Cm HostName
576Specifies the real host name to log into. This can be used to specify
577nicknames or abbreviations for hosts. Default is the name given on the
578command line. Numeric IP addresses are also permitted (both on the
579command line and in
625Specifies the real host name to log into.
626This can be used to specify nicknames or abbreviations for hosts.
627Default is the name given on the command line.
628Numeric IP addresses are also permitted (both on the command line and in
580.Cm HostName
581specifications).
582.It Cm IdentityFile
583Specifies the file from which the user's RSA authentication identity
584is read (default
585.Pa .ssh/identity
586in the user's home directory).
587Additionally, any identities represented by the authentication agent
629.Cm HostName
630specifications).
631.It Cm IdentityFile
632Specifies the file from which the user's RSA authentication identity
633is read (default
634.Pa .ssh/identity
635in the user's home directory).
636Additionally, any identities represented by the authentication agent
588will be used for authentication. The file name may use the tilde
589syntax to refer to a user's home directory. It is possible to have
637will be used for authentication.
638The file name may use the tilde
639syntax to refer to a user's home directory.
640It is possible to have
590multiple identity files specified in configuration files; all these
591identities will be tried in sequence.
592.It Cm KeepAlive
593Specifies whether the system should send keepalive messages to the
641multiple identity files specified in configuration files; all these
642identities will be tried in sequence.
643.It Cm KeepAlive
644Specifies whether the system should send keepalive messages to the
594other side. If they are sent, death of the connection or crash of one
595of the machines will be properly noticed. However, this means that
645other side.
646If they are sent, death of the connection or crash of one
647of the machines will be properly noticed.
648However, this means that
596connections will die if the route is down temporarily, and some people
597find it annoying.
598.Pp
599The default is
600.Dq yes
601(to send keepalives), and the client will notice
649connections will die if the route is down temporarily, and some people
650find it annoying.
651.Pp
652The default is
653.Dq yes
654(to send keepalives), and the client will notice
602if the network goes down or the remote host dies. This is important
603in scripts, and many users want it too.
655if the network goes down or the remote host dies.
656This is important in scripts, and many users want it too.
604.Pp
605To disable keepalives, the value should be set to
606.Dq no
607in both the server and the client configuration files.
608.It Cm KerberosAuthentication
657.Pp
658To disable keepalives, the value should be set to
659.Dq no
660in both the server and the client configuration files.
661.It Cm KerberosAuthentication
609Specifies whether Kerberos authentication will be used. The argument to
610this keyword must be
662Specifies whether Kerberos authentication will be used.
663The argument to this keyword must be
611.Dq yes
612or
613.Dq no .
614.It Cm KerberosTgtPassing
664.Dq yes
665or
666.Dq no .
667.It Cm KerberosTgtPassing
615Specifies whether a Kerberos TGT will be forwarded to the server. This
616will only work if the Kerberos server is actually an AFS kaserver. The
617argument to this keyword must be
668Specifies whether a Kerberos TGT will be forwarded to the server.
669This will only work if the Kerberos server is actually an AFS kaserver.
670The argument to this keyword must be
618.Dq yes
619or
620.Dq no .
621.It Cm LocalForward
622Specifies that a TCP/IP port on the local machine be forwarded over
671.Dq yes
672or
673.Dq no .
674.It Cm LocalForward
675Specifies that a TCP/IP port on the local machine be forwarded over
623the secure channel to given host:port from the remote machine. The
624first argument must be a port number, and the second must be
625host:port. Multiple forwardings may be specified, and additional
626forwardings can be given on the command line. Only the root can
627forward privileged ports.
676the secure channel to given host:port from the remote machine.
677The first argument must be a port number, and the second must be
678host:port.
679Multiple forwardings may be specified, and additional
680forwardings can be given on the command line.
681Only the superuser can forward privileged ports.
628.It Cm LogLevel
629Gives the verbosity level that is used when logging messages from
630.Nm ssh .
631The possible values are:
682.It Cm LogLevel
683Gives the verbosity level that is used when logging messages from
684.Nm ssh .
685The possible values are:
632QUIET, FATAL, ERROR, INFO, CHAT and DEBUG.
686QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG.
633The default is INFO.
634.It Cm NumberOfPasswordPrompts
687The default is INFO.
688.It Cm NumberOfPasswordPrompts
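Review bot: the LogLevel value list changes CHAT to VERBOSE, but this diff touches only the manual page, so nothing here shows the option parser accepting the new name; confirm that the client accepts "VERBOSE" as a LogLevel value and state whether "CHAT" is still accepted for existing configuration files, because as written a user with "LogLevel CHAT" in ssh_config has no indication of what will happen.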
635Specifies the number of password prompts before giving up. The
636argument to this keyword must be an integer. Default is 3.
689Specifies the number of password prompts before giving up.
690The argument to this keyword must be an integer.
691Default is 3.
637.It Cm PasswordAuthentication
692.It Cm PasswordAuthentication
638Specifies whether to use password authentication. The argument to
639this keyword must be
693Specifies whether to use password authentication.
694The argument to this keyword must be
640.Dq yes
641or
642.Dq no .
643.It Cm Port
695.Dq yes
696or
697.Dq no .
698.It Cm Port
644Specifies the port number to connect on the remote host. Default is
64522.
699Specifies the port number to connect on the remote host.
700Default is 22.
646.It Cm ProxyCommand
701.It Cm ProxyCommand
647Specifies the command to use to connect to the server. The command
702Specifies the command to use to connect to the server.
703The command
648string extends to the end of the line, and is executed with
649.Pa /bin/sh .
650In the command string,
704string extends to the end of the line, and is executed with
705.Pa /bin/sh .
706In the command string,
651.Dq %h
707.Ql %h
652will be substituted by the host name to
653connect and
708will be substituted by the host name to
709connect and
654.Dq %p
655by the port. The command can be basically anything,
656and should read from its stdin and write to its stdout. It should
657eventually connect an
710.Ql %p
711by the port.
712The command can be basically anything,
713and should read from its standard input and write to its standard output.
714It should eventually connect an
658.Xr sshd 8
659server running on some machine, or execute
660.Ic sshd -i
715.Xr sshd 8
716server running on some machine, or execute
717.Ic sshd -i
661somewhere. Host key management will be done using the
718somewhere.
719Host key management will be done using the
662HostName of the host being connected (defaulting to the name typed by
663the user).
664Note that
665.Cm CheckHostIP
666is not available for connects with a proxy command.
667.Pp
668.It Cm RemoteForward
669Specifies that a TCP/IP port on the remote machine be forwarded over
720HostName of the host being connected (defaulting to the name typed by
721the user).
722Note that
723.Cm CheckHostIP
724is not available for connects with a proxy command.
725.Pp
726.It Cm RemoteForward
727Specifies that a TCP/IP port on the remote machine be forwarded over
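Review bot: switching "%h" and "%p" from .Dq to .Ql in the ProxyCommand entry matches the .Ql markup used for the escape character and the wildcard characters elsewhere in this file, so that is the right direction; in the same entry the unchanged "is not available for connects with a proxy command" would read better as "is not available for connections made through a proxy command".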
670the secure channel to given host:port from the local machine. The
671first argument must be a port number, and the second must be
672host:port. Multiple forwardings may be specified, and additional
673forwardings can be given on the command line. Only the root can
674forward privileged ports.
728the secure channel to given host:port from the local machine.
729The first argument must be a port number, and the second must be
730host:port.
731Multiple forwardings may be specified, and additional
732forwardings can be given on the command line.
733Only the superuser can forward privileged ports.
675.It Cm RhostsAuthentication
734.It Cm RhostsAuthentication
676Specifies whether to try rhosts based authentication. Note that this
735Specifies whether to try rhosts based authentication.
736Note that this
677declaration only affects the client side and has no effect whatsoever
737declaration only affects the client side and has no effect whatsoever
678on security. Disabling rhosts authentication may reduce
738on security.
739Disabling rhosts authentication may reduce
679authentication time on slow connections when rhosts authentication is
740authentication time on slow connections when rhosts authentication is
680not used. Most servers do not permit RhostsAuthentication because it
681is not secure (see RhostsRSAAuthentication). The argument to this
682keyword must be
741not used.
742Most servers do not permit RhostsAuthentication because it
743is not secure (see RhostsRSAAuthentication).
744The argument to this keyword must be
683.Dq yes
684or
685.Dq no .
686.It Cm RhostsRSAAuthentication
687Specifies whether to try rhosts based authentication with RSA host
745.Dq yes
746or
747.Dq no .
748.It Cm RhostsRSAAuthentication
749Specifies whether to try rhosts based authentication with RSA host
688authentication. This is the primary authentication method for most
689sites. The argument must be
750authentication.
751This is the primary authentication method for most sites.
752The argument must be
690.Dq yes
691or
692.Dq no .
693.It Cm RSAAuthentication
753.Dq yes
754or
755.Dq no .
756.It Cm RSAAuthentication
694Specifies whether to try RSA authentication. The argument to this
695keyword must be
757Specifies whether to try RSA authentication.
758The argument to this keyword must be
696.Dq yes
697or
698.Dq no .
699RSA authentication will only be
700attempted if the identity file exists, or an authentication agent is
701running.
702.It Cm SkeyAuthentication
703Specifies whether to use
704.Xr skey 1
759.Dq yes
760or
761.Dq no .
762RSA authentication will only be
763attempted if the identity file exists, or an authentication agent is
764running.
765.It Cm SkeyAuthentication
766Specifies whether to use
767.Xr skey 1
705authentication. The argument to
706this keyword must be
768authentication.
769The argument to this keyword must be
707.Dq yes
708or
709.Dq no .
710The default is
711.Dq no .
712.It Cm StrictHostKeyChecking
713If this flag is set to
714.Dq yes ,
715.Nm
716ssh will never automatically add host keys to the
717.Pa $HOME/.ssh/known_hosts
770.Dq yes
771or
772.Dq no .
773The default is
774.Dq no .
775.It Cm StrictHostKeyChecking
776If this flag is set to
777.Dq yes ,
778.Nm
779ssh will never automatically add host keys to the
780.Pa $HOME/.ssh/known_hosts
718file, and refuses to connect hosts whose host key has changed. This
719provides maximum protection against trojan horse attacks. However, it
720can be somewhat annoying if you don't have good
781file, and refuses to connect hosts whose host key has changed.
782This provides maximum protection against trojan horse attacks.
783However, it can be somewhat annoying if you don't have good
721.Pa /etc/ssh/ssh_known_hosts
722files installed and frequently
784.Pa /etc/ssh/ssh_known_hosts
785files installed and frequently
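Review bot: in the StrictHostKeyChecking entry, ".Nm" followed on the next line by a literal "ssh" renders as "ssh ssh will never automatically add host keys"; drop the literal word (the FallBackToRsh entry shows the correct form, a bare ".Nm" on its own line). The reflowed "refuses to connect hosts whose host key has changed" is also missing a word and should read "refuses to connect to hosts".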
723connect new hosts. Basically this option forces the user to manually
724add any new hosts. Normally this option is disabled, and new hosts
725will automatically be added to the known host files. The host keys of
726known hosts will be verified automatically in either case. The
727argument must be
786connect new hosts.
787Basically this option forces the user to manually
788add any new hosts.
789Normally this option is disabled, and new hosts
790will automatically be added to the known host files.
791The host keys of
792known hosts will be verified automatically in either case.
793The argument must be
728.Dq yes
729or
730.Dq no .
731.It Cm UsePrivilegedPort
732Specifies whether to use a privileged port for outgoing connections.
733The argument must be
734.Dq yes
735or
736.Dq no .
737The default is
738.Dq yes .
739Note that setting this option to
740.Dq no
741turns off
742.Cm RhostsAuthentication
743and
744.Cm RhostsRSAAuthentication .
745.It Cm User
794.Dq yes
795or
796.Dq no .
797.It Cm UsePrivilegedPort
798Specifies whether to use a privileged port for outgoing connections.
799The argument must be
800.Dq yes
801or
802.Dq no .
803The default is
804.Dq yes .
805Note that setting this option to
806.Dq no
807turns off
808.Cm RhostsAuthentication
809and
810.Cm RhostsRSAAuthentication .
811.It Cm User
746Specifies the user to log in as. This can be useful if you have a
747different user name in different machines. This saves the trouble of
812Specifies the user to log in as.
813This can be useful if you have a different user name on different machines.
814This saves the trouble of
748having to remember to give the user name on the command line.
749.It Cm UserKnownHostsFile
750Specifies a file to use instead of
751.Pa $HOME/.ssh/known_hosts .
752.It Cm UseRsh
815having to remember to give the user name on the command line.
816.It Cm UserKnownHostsFile
817Specifies a file to use instead of
818.Pa $HOME/.ssh/known_hosts .
819.It Cm UseRsh
753Specifies that rlogin/rsh should be used for this host. It is
754possible that the host does not at all support the
820Specifies that rlogin/rsh should be used for this host.
821It is possible that the host does not at all support the
755.Nm
822.Nm
756protocol. This causes
823protocol.
824This causes
757.Nm
825.Nm
758to immediately exec
826to immediately execute
759.Xr rsh 1 .
760All other options (except
761.Cm HostName )
827.Xr rsh 1 .
828All other options (except
829.Cm HostName )
762are ignored if this has been specified. The argument must be
830are ignored if this has been specified.
831The argument must be
763.Dq yes
764or
765.Dq no .
766.Sh ENVIRONMENT
767.Nm
768will normally set the following environment variables:
769.Bl -tag -width Ds
770.It Ev DISPLAY
771The
772.Ev DISPLAY
832.Dq yes
833or
834.Dq no .
835.Sh ENVIRONMENT
836.Nm
837will normally set the following environment variables:
838.Bl -tag -width Ds
839.It Ev DISPLAY
840The
841.Ev DISPLAY
773variable indicates the location of the X11 server. It is
774automatically set by
842variable indicates the location of the X11 server.
843It is automatically set by
775.Nm
776to point to a value of the form
777.Dq hostname:n
778where hostname indicates
844.Nm
845to point to a value of the form
846.Dq hostname:n
847where hostname indicates
779the host where the shell runs, and n is an integer \*(>= 1. Ssh uses
780this special value to forward X11 connections over the secure
781channel. The user should normally not set DISPLAY explicitly, as that
848the host where the shell runs, and n is an integer \*(>= 1.
849.Nm
850uses this special value to forward X11 connections over the secure
851channel.
852The user should normally not set DISPLAY explicitly, as that
782will render the X11 connection insecure (and will require the user to
783manually copy any required authorization cookies).
784.It Ev HOME
785Set to the path of the user's home directory.
786.It Ev LOGNAME
787Synonym for
788.Ev USER ;
789set for compatibility with systems that use this variable.
790.It Ev MAIL
791Set to point the user's mailbox.
853will render the X11 connection insecure (and will require the user to
854manually copy any required authorization cookies).
855.It Ev HOME
856Set to the path of the user's home directory.
857.It Ev LOGNAME
858Synonym for
859.Ev USER ;
860set for compatibility with systems that use this variable.
861.It Ev MAIL
862Set to point the user's mailbox.
792.It Ev PATH
863.It Ev PATH
793Set to the default
794.Ev PATH ,
795as specified when compiling
796.Nm ssh .
797.It Ev SSH_AUTH_SOCK
798indicates the path of a unix-domain socket used to communicate with the
799agent.
800.It Ev SSH_CLIENT
864Set to the default
865.Ev PATH ,
866as specified when compiling
867.Nm ssh .
868.It Ev SSH_AUTH_SOCK
869indicates the path of a unix-domain socket used to communicate with the
870agent.
871.It Ev SSH_CLIENT
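Review bot: replacing the literal "Ssh uses" with ".Nm" in the DISPLAY entry is the right fix, but the sentence that follows still has a bare "DISPLAY" where the rest of the entry writes ".Ev DISPLAY"; mark it up the same way. In the MAIL entry, "Set to point the user's mailbox" is missing "to" ("Set to point to the user's mailbox").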
801Identifies the client end of the connection. The variable contains
872Identifies the client end of the connection.
873The variable contains
802three space-separated values: client ip-address, client port number,
803and server port number.
804.It Ev SSH_TTY
805This is set to the name of the tty (path to the device) associated
874three space-separated values: client ip-address, client port number,
875and server port number.
876.It Ev SSH_TTY
877This is set to the name of the tty (path to the device) associated
806with the current shell or command. If the current session has no tty,
878with the current shell or command.
879If the current session has no tty,
807this variable is not set.
808.It Ev TZ
809The timezone variable is set to indicate the present timezone if it
810was set when the daemon was started (e.i., the daemon passes the value
811on to new connections).
812.It Ev USER
813Set to the name of the user logging in.
814.El

--- 9 unchanged lines hidden (view full) ---

824.Bl -tag -width Ds
825.It Pa $HOME/.ssh/known_hosts
826Records host keys for all hosts the user has logged into (that are not
827in
828.Pa /etc/ssh/ssh_known_hosts ) .
829See
830.Xr sshd 8 .
831.It Pa $HOME/.ssh/identity
880this variable is not set.
881.It Ev TZ
882The timezone variable is set to indicate the present timezone if it
883was set when the daemon was started (e.i., the daemon passes the value
884on to new connections).
885.It Ev USER
886Set to the name of the user logging in.
887.El

--- 9 unchanged lines hidden (view full) ---

897.Bl -tag -width Ds
898.It Pa $HOME/.ssh/known_hosts
899Records host keys for all hosts the user has logged into (that are not
900in
901.Pa /etc/ssh/ssh_known_hosts ) .
902See
903.Xr sshd 8 .
904.It Pa $HOME/.ssh/identity
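Review bot: the TZ entry's "(e.i., the daemon passes the value on to new connections)" should read "i.e."; it is unchanged context in this hunk, but the ENVIRONMENT list is being reflowed line by line and this typo sits in the middle of it, so fix it in the same commit.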
832Contains the RSA authentication identity of the user. This file
905Contains the RSA authentication identity of the user.
906This file
833contains sensitive data and should be readable by the user but not
834accessible by others (read/write/execute).
835Note that
836.Nm
837ignores this file if it is accessible by others.
838It is possible to specify a passphrase when
839generating the key; the passphrase will be used to encrypt the
840sensitive part of this file using 3DES.
841.It Pa $HOME/.ssh/identity.pub
842Contains the public key for authentication (public part of the
907contains sensitive data and should be readable by the user but not
908accessible by others (read/write/execute).
909Note that
910.Nm
911ignores this file if it is accessible by others.
912It is possible to specify a passphrase when
913generating the key; the passphrase will be used to encrypt the
914sensitive part of this file using 3DES.
915.It Pa $HOME/.ssh/identity.pub
916Contains the public key for authentication (public part of the
843identity file in human-readable form). The contents of this file
844should be added to
917identity file in human-readable form).
918The contents of this file should be added to
845.Pa $HOME/.ssh/authorized_keys
846on all machines
919.Pa $HOME/.ssh/authorized_keys
920on all machines
847where you wish to log in using RSA authentication. This file is not
848sensitive and can (but need not) be readable by anyone. This file is
921where you wish to log in using RSA authentication.
922This file is not
923sensitive and can (but need not) be readable by anyone.
924This file is
849never used automatically and is not necessary; it is only provided for
850the convenience of the user.
851.It Pa $HOME/.ssh/config
925never used automatically and is not necessary; it is only provided for
926the convenience of the user.
927.It Pa $HOME/.ssh/config
852This is the per-user configuration file. The format of this file is
853described above. This file is used by the
928This is the per-user configuration file.
929The format of this file is described above.
930This file is used by the
854.Nm
931.Nm
855client. This file does not usually contain any sensitive information,
932client.
933This file does not usually contain any sensitive information,
856but the recommended permissions are read/write for the user, and not
857accessible by others.
858.It Pa $HOME/.ssh/authorized_keys
934but the recommended permissions are read/write for the user, and not
935accessible by others.
936.It Pa $HOME/.ssh/authorized_keys
859Lists the RSA keys that can be used for logging in as this user. The
860format of this file is described in the
937Lists the RSA keys that can be used for logging in as this user.
938The format of this file is described in the
861.Xr sshd 8
939.Xr sshd 8
862manual page. In the simplest form the format is the same as the .pub
940manual page.
941In the simplest form the format is the same as the .pub
863identity files (that is, each line contains the number of bits in
864modulus, public exponent, modulus, and comment fields, separated by
942identity files (that is, each line contains the number of bits in
943modulus, public exponent, modulus, and comment fields, separated by
865spaces). This file is not highly sensitive, but the recommended
944spaces).
945This file is not highly sensitive, but the recommended
866permissions are read/write for the user, and not accessible by others.
867.It Pa /etc/ssh/ssh_known_hosts
946permissions are read/write for the user, and not accessible by others.
947.It Pa /etc/ssh/ssh_known_hosts
868Systemwide list of known host keys. This file should be prepared by the
948Systemwide list of known host keys.
949This file should be prepared by the
869system administrator to contain the public host keys of all machines in the
950system administrator to contain the public host keys of all machines in the
870organization. This file should be world-readable. This file contains
951organization.
952This file should be world-readable.
953This file contains
871public keys, one per line, in the following format (fields separated
872by spaces): system name, number of bits in modulus, public exponent,
954public keys, one per line, in the following format (fields separated
955by spaces): system name, number of bits in modulus, public exponent,
873modulus, and optional comment field. When different names are used
956modulus, and optional comment field.
957When different names are used
874for the same machine, all such names should be listed, separated by
958for the same machine, all such names should be listed, separated by
875commas. The format is described on the
959commas.
960The format is described on the
876.Xr sshd 8
877manual page.
878.Pp
879The canonical system name (as returned by name servers) is used by
880.Xr sshd 8
881to verify the client host when logging in; other names are needed because
882.Nm
883does not convert the user-supplied name to a canonical name before
884checking the key, because someone with access to the name servers
885would then be able to fool host authentication.
886.It Pa /etc/ssh/ssh_config
961.Xr sshd 8
962manual page.
963.Pp
964The canonical system name (as returned by name servers) is used by
965.Xr sshd 8
966to verify the client host when logging in; other names are needed because
967.Nm
968does not convert the user-supplied name to a canonical name before
969checking the key, because someone with access to the name servers
970would then be able to fool host authentication.
971.It Pa /etc/ssh/ssh_config
887Systemwide configuration file. This file provides defaults for those
972Systemwide configuration file.
973This file provides defaults for those
888values that are not specified in the user's configuration file, and
974values that are not specified in the user's configuration file, and
889for those users who do not have a configuration file. This file must
890be world-readable.
975for those users who do not have a configuration file.
976This file must be world-readable.
891.It Pa $HOME/.rhosts
892This file is used in
893.Pa \&.rhosts
894authentication to list the
977.It Pa $HOME/.rhosts
978This file is used in
979.Pa \&.rhosts
980authentication to list the
895host/user pairs that are permitted to log in. (Note that this file is
981host/user pairs that are permitted to log in.
982(Note that this file is
896also used by rlogin and rsh, which makes using this file insecure.)
897Each line of the file contains a host name (in the canonical form
898returned by name servers), and then a user name on that host,
983also used by rlogin and rsh, which makes using this file insecure.)
984Each line of the file contains a host name (in the canonical form
985returned by name servers), and then a user name on that host,
899separated by a space. One some machines this file may need to be
986separated by a space.
987One some machines this file may need to be
900world-readable if the user's home directory is on a NFS partition,
901because
902.Xr sshd 8
988world-readable if the user's home directory is on a NFS partition,
989because
990.Xr sshd 8
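Review bot: the reflowed $HOME/.rhosts entry carries over "One some machines this file may need to be world-readable", which should be "On some machines"; on the following unchanged line, "a NFS partition" should be "an NFS partition".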
903reads it as root. Additionally, this file must be owned by the user,
904and must not have write permissions for anyone else. The recommended
991reads it as root.
992Additionally, this file must be owned by the user,
993and must not have write permissions for anyone else.
994The recommended
905permission for most machines is read/write for the user, and not
906accessible by others.
907.Pp
908Note that by default
909.Xr sshd 8
910will be installed so that it requires successful RSA host
995permission for most machines is read/write for the user, and not
996accessible by others.
997.Pp
998Note that by default
999.Xr sshd 8
1000will be installed so that it requires successful RSA host
911authentication before permitting \s+2.\s0rhosts authentication. If your
912server machine does not have the client's host key in
1001authentication before permitting \s+2.\s0rhosts authentication.
1002If your server machine does not have the client's host key in
913.Pa /etc/ssh/ssh_known_hosts ,
914you can store it in
915.Pa $HOME/.ssh/known_hosts .
916The easiest way to do this is to
917connect back to the client from the server machine using ssh; this
918will automatically add the host key inxi
919.Pa $HOME/.ssh/known_hosts .
920.It Pa $HOME/.shosts

--- 4 unchanged lines hidden (view full) ---

925.Nm
926without permitting login with
927.Xr rlogin 1
928or
929.Xr rsh 1 .
930.It Pa /etc/hosts.equiv
931This file is used during
932.Pa \&.rhosts
1003.Pa /etc/ssh/ssh_known_hosts ,
1004you can store it in
1005.Pa $HOME/.ssh/known_hosts .
1006The easiest way to do this is to
1007connect back to the client from the server machine using ssh; this
1008will automatically add the host key inxi
1009.Pa $HOME/.ssh/known_hosts .
1010.It Pa $HOME/.shosts

--- 4 unchanged lines hidden (view full) ---

1015.Nm
1016without permitting login with
1017.Xr rlogin 1
1018or
1019.Xr rsh 1 .
1020.It Pa /etc/hosts.equiv
1021This file is used during
1022.Pa \&.rhosts
933authentication. It contains
1023authentication.
1024It contains
934canonical hosts names, one per line (the full format is described on
935the
936.Xr sshd 8
1025canonical hosts names, one per line (the full format is described on
1026the
1027.Xr sshd 8
937manual page). If the client host is found in this file, login is
1028manual page).
1029If the client host is found in this file, login is
938automatically permitted provided client and server user names are the
1030automatically permitted provided client and server user names are the
939same. Additionally, successful RSA host authentication is normally
940required. This file should only be writable by root.
1031same.
1032Additionally, successful RSA host authentication is normally
1033required.
1034This file should only be writable by root.
941.It Pa /etc/ssh/shosts.equiv
1035.It Pa /etc/ssh/shosts.equiv
942This file is processed exactly as
1036This file is processed exactly as
943.Pa /etc/hosts.equiv .
944This file may be useful to permit logins using
945.Nm
946but not using rsh/rlogin.
947.It Pa /etc/ssh/sshrc
948Commands in this file are executed by
949.Nm
950when the user logs in just before the user's shell (or command) is started.

--- 13 unchanged lines hidden (view full) ---

964.Sx ENVIRONMENT
965above.
966.It Pa libcrypto.so.X.1
967A version of this library which includes support for the RSA algorithm
968is required for proper operation.
969.Sh AUTHOR
970OpenSSH
971is a derivative of the original (free) ssh 1.2.12 release by Tatu Ylonen,
1037.Pa /etc/hosts.equiv .
1038This file may be useful to permit logins using
1039.Nm
1040but not using rsh/rlogin.
1041.It Pa /etc/ssh/sshrc
1042Commands in this file are executed by
1043.Nm
1044when the user logs in just before the user's shell (or command) is started.
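Review bot: "canonical hosts names, one per line (the full format is described on" carries over a grammatical error from the original; it should read "canonical host names, one per line". Since the commit is already reflowing these sentences onto separate lines, this is the natural place to correct it.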

--- 13 unchanged lines hidden (view full) ---

1058.Sx ENVIRONMENT
1059above.
1060.It Pa libcrypto.so.X.1
1061A version of this library which includes support for the RSA algorithm
1062is required for proper operation.
1063.Sh AUTHOR
1064OpenSSH
1065is a derivative of the original (free) ssh 1.2.12 release by Tatu Ylonen,
972but with bugs removed and newer features re-added. Rapidly after the
1066but with bugs removed and newer features re-added.
1067Rapidly after the
9731.2.12 release, newer versions of the original ssh bore successively
974more restrictive licenses, and thus demand for a free version was born.
975This version of OpenSSH
976.Bl -bullet
977.It
978has all components of a restrictive nature (i.e., patents, see
979.Xr ssl 8 )
980directly removed from the source code; any licensed or patented components

--- 30 unchanged lines hidden ---
10681.2.12 release, newer versions of the original ssh bore successively
1069more restrictive licenses, and thus demand for a free version was born.
1070This version of OpenSSH
1071.Bl -bullet
1072.It
1073has all components of a restrictive nature (i.e., patents, see
1074.Xr ssl 8 )
1075directly removed from the source code; any licensed or patented components
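Review bot: minor wording nit in "has all components of a restrictive nature (i.e., patents, see": patents are one example of a restrictive component rather than the definition of the category, so "e.g., patents" reads more accurately than "i.e., patents"; the rest of the reflow in this region is fine.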

--- 30 unchanged lines hidden ---