ssh.0 (214979) ssh.0 (218767)
1SSH(1) OpenBSD Reference Manual SSH(1)
2
3NAME
4 ssh - OpenSSH SSH client (remote login program)
5
6SYNOPSIS
7 ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
8 [-D [bind_address:]port] [-e escape_char] [-F configfile] [-I pkcs11]

--- 121 unchanged lines hidden (view full) ---

130
131 -g Allows remote hosts to connect to local forwarded ports.
132
133 -I pkcs11
134 Specify the PKCS#11 shared library ssh should use to communicate
135 with a PKCS#11 token providing the user's private RSA key.
136
137 -i identity_file
1SSH(1) OpenBSD Reference Manual SSH(1)
2
3NAME
4 ssh - OpenSSH SSH client (remote login program)
5
6SYNOPSIS
7 ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
8 [-D [bind_address:]port] [-e escape_char] [-F configfile] [-I pkcs11]

--- 121 unchanged lines hidden (view full) ---

130
131 -g Allows remote hosts to connect to local forwarded ports.
132
133 -I pkcs11
134 Specify the PKCS#11 shared library ssh should use to communicate
135 with a PKCS#11 token providing the user's private RSA key.
136
137 -i identity_file
138 Selects a file from which the identity (private key) for RSA or
139 DSA authentication is read. The default is ~/.ssh/identity for
140 protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for
141 protocol version 2. Identity files may also be specified on a
142 per-host basis in the configuration file. It is possible to have
143 multiple -i options (and multiple identities specified in
144 configuration files). ssh will also try to load certificate
145 information from the filename obtained by appending -cert.pub to
146 identity filenames.
138 Selects a file from which the identity (private key) for public
139 key authentication is read. The default is ~/.ssh/identity for
140 protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and
141 ~/.ssh/id_rsa for protocol version 2. Identity files may also be
142 specified on a per-host basis in the configuration file. It is
143 possible to have multiple -i options (and multiple identities
144 specified in configuration files). ssh will also try to load
145 certificate information from the filename obtained by appending
146 -cert.pub to identity filenames.
147
148 -K Enables GSSAPI-based authentication and forwarding (delegation)
149 of GSSAPI credentials to the server.
150
151 -k Disables forwarding (delegation) of GSSAPI credentials to the
152 server.
153
154 -L [bind_address:]port:host:hostport

--- 84 unchanged lines hidden (view full) ---

239 HashKnownHosts
240 Host
241 HostbasedAuthentication
242 HostKeyAlgorithms
243 HostKeyAlias
244 HostName
245 IdentityFile
246 IdentitiesOnly
147
148 -K Enables GSSAPI-based authentication and forwarding (delegation)
149 of GSSAPI credentials to the server.
150
151 -k Disables forwarding (delegation) of GSSAPI credentials to the
152 server.
153
154 -L [bind_address:]port:host:hostport
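Review bot: the -i identity_file text (new lines 138-146) now lists the protocol 2 defaults as ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/id_rsa, where the old text had id_rsa before id_dsa; if this list is meant to reflect the order in which ssh tries the default files, confirm the alphabetical order matches the client's actual try order, otherwise it is a harmless style change. Replacing "RSA or DSA authentication" with "public key authentication" is the right generalisation now that a third key type is documented.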

--- 84 unchanged lines hidden (view full) ---

239 HashKnownHosts
240 Host
241 HostbasedAuthentication
242 HostKeyAlgorithms
243 HostKeyAlias
244 HostName
245 IdentityFile
246 IdentitiesOnly
247 IPQoS
247 KbdInteractiveDevices
248 KbdInteractiveDevices
249 KexAlgorithms
248 LocalCommand
249 LocalForward
250 LogLevel
251 MACs
252 NoHostAuthenticationForLocalhost
253 NumberOfPasswordPrompts
254 PasswordAuthentication
255 PermitLocalCommand

--- 119 unchanged lines hidden (view full) ---

375
376 -y Send log information using the syslog(3) system module. By
377 default this information is sent to stderr.
378
379 ssh may additionally obtain configuration data from a per-user
380 configuration file and a system-wide configuration file. The file format
381 and configuration options are described in ssh_config(5).
382
250 LocalCommand
251 LocalForward
252 LogLevel
253 MACs
254 NoHostAuthenticationForLocalhost
255 NumberOfPasswordPrompts
256 PasswordAuthentication
257 PermitLocalCommand
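Review bot: IPQoS and KexAlgorithms join the list of keywords that may be given with -o, so ssh_config(5) must gain matching entries in the same change or the cross-reference "described in ssh_config(5)" becomes dangling. Separately, the AUTHENTICATION text on this page still lists only ciphers and MACs as the protocol 2 mechanisms; now that key exchange is user-selectable, one sentence there pointing at KexAlgorithms would keep the two sections in step.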

--- 119 unchanged lines hidden (view full) ---

377
378 -y Send log information using the syslog(3) system module. By
379 default this information is sent to stderr.
380
381 ssh may additionally obtain configuration data from a per-user
382 configuration file and a system-wide configuration file. The file format
383 and configuration options are described in ssh_config(5).
384
383 ssh exits with the exit status of the remote command or with 255 if an
384 error occurred.
385
386AUTHENTICATION
387 The OpenSSH SSH client supports SSH protocols 1 and 2. The default is to
388 use protocol 2 only, though this can be changed via the Protocol option
389 in ssh_config(5) or the -1 and -2 options (see above). Both protocols
390 support similar authentication methods, but protocol 2 is the default
391 since it provides additional mechanisms for confidentiality (the traffic
392 is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and
393 integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160). Protocol 1

--- 22 unchanged lines hidden (view full) ---

416
417 Public key authentication works as follows: The scheme is based on
418 public-key cryptography, using cryptosystems where encryption and
419 decryption are done using separate keys, and it is unfeasible to derive
420 the decryption key from the encryption key. The idea is that each user
421 creates a public/private key pair for authentication purposes. The
422 server knows the public key, and only the user knows the private key.
423 ssh implements public key authentication protocol automatically, using
385AUTHENTICATION
386 The OpenSSH SSH client supports SSH protocols 1 and 2. The default is to
387 use protocol 2 only, though this can be changed via the Protocol option
388 in ssh_config(5) or the -1 and -2 options (see above). Both protocols
389 support similar authentication methods, but protocol 2 is the default
390 since it provides additional mechanisms for confidentiality (the traffic
391 is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and
392 integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160). Protocol 1
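Review bot: the two-line exit status paragraph removed here (old lines 383-384) reappears verbatim as the new EXIT STATUS section later in this diff (new lines 848-850), placed between FILES and SEE ALSO, which is where mdoc(7) puts that section; this is a pure move with no wording change, so nothing further is needed here.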

--- 22 unchanged lines hidden (view full) ---

415
416 Public key authentication works as follows: The scheme is based on
417 public-key cryptography, using cryptosystems where encryption and
418 decryption are done using separate keys, and it is unfeasible to derive
419 the decryption key from the encryption key. The idea is that each user
420 creates a public/private key pair for authentication purposes. The
421 server knows the public key, and only the user knows the private key.
422 ssh implements public key authentication protocol automatically, using
424 either the RSA or DSA algorithms. Protocol 1 is restricted to using only
425 RSA keys, but protocol 2 may use either. The HISTORY section of ssl(8)
426 contains a brief discussion of the two algorithms.
423 one of the DSA, ECDSA or RSA algorithms. Protocol 1 is restricted to
424 using only RSA keys, but protocol 2 may use any. The HISTORY section of
425 ssl(8) contains a brief discussion of the DSA and RSA algorithms.
427
428 The file ~/.ssh/authorized_keys lists the public keys that are permitted
429 for logging in. When the user logs in, the ssh program tells the server
430 which key pair it would like to use for authentication. The client
431 proves that it has access to the private key and the server checks that
432 the corresponding public key is authorized to accept the account.
433
434 The user creates his/her key pair by running ssh-keygen(1). This stores
435 the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol
426
427 The file ~/.ssh/authorized_keys lists the public keys that are permitted
428 for logging in. When the user logs in, the ssh program tells the server
429 which key pair it would like to use for authentication. The client
430 proves that it has access to the private key and the server checks that
431 the corresponding public key is authorized to accept the account.
432
433 The user creates his/her key pair by running ssh-keygen(1). This stores
434 the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol
436 2 DSA), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in
437 ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA), or
438 ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home directory. The
439 user should then copy the public key to ~/.ssh/authorized_keys in his/her
440 home directory on the remote machine. The authorized_keys file
441 corresponds to the conventional ~/.rhosts file, and has one key per line,
442 though the lines can be very long. After this, the user can log in
443 without giving the password.
435 2 DSA), ~/.ssh/id_ecdsa (protocol 2 ECDSA), or ~/.ssh/id_rsa (protocol 2
436 RSA) and stores the public key in ~/.ssh/identity.pub (protocol 1),
437 ~/.ssh/id_dsa.pub (protocol 2 DSA), ~/.ssh/id_ecdsa.pub (protocol 2
438 ECDSA), or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home
439 directory. The user should then copy the public key to
440 ~/.ssh/authorized_keys in his/her home directory on the remote machine.
441 The authorized_keys file corresponds to the conventional ~/.rhosts file,
442 and has one key per line, though the lines can be very long. After this,
443 the user can log in without giving the password.
444
445 A variation on public key authentication is available in the form of
446 certificate authentication: instead of a set of public/private keys,
447 signed certificates are used. This has the advantage that a single
448 trusted certification authority can be used in place of many
449 public/private keys. See the CERTIFICATES section of ssh-keygen(1) for
450 more information.
451

--- 306 unchanged lines hidden (view full) ---

758 ~/.ssh/
759 This directory is the default location for all user-specific
760 configuration and authentication information. There is no
761 general requirement to keep the entire contents of this directory
762 secret, but the recommended permissions are read/write/execute
763 for the user, and not accessible by others.
764
765 ~/.ssh/authorized_keys
444
445 A variation on public key authentication is available in the form of
446 certificate authentication: instead of a set of public/private keys,
447 signed certificates are used. This has the advantage that a single
448 trusted certification authority can be used in place of many
449 public/private keys. See the CERTIFICATES section of ssh-keygen(1) for
450 more information.
451
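Review bot: new line 423 adds ECDSA to the list of public key algorithms, but the sentence that follows still sends the reader to the HISTORY section of ssl(8) for "the DSA and RSA algorithms" only, so the new algorithm is left without a background reference; since this same change adds RFC 5656 to SEE ALSO, suggest extending the sentence along the lines of "...discussion of the DSA and RSA algorithms; see RFC 5656 for ECDSA." The key file enumeration at new lines 433-439 (id_dsa, id_ecdsa, id_rsa and their .pub files) is consistent with the -i description and with the FILES section.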

--- 306 unchanged lines hidden (view full) ---

758 ~/.ssh/
759 This directory is the default location for all user-specific
760 configuration and authentication information. There is no
761 general requirement to keep the entire contents of this directory
762 secret, but the recommended permissions are read/write/execute
763 for the user, and not accessible by others.
764
765 ~/.ssh/authorized_keys
766 Lists the public keys (RSA/DSA) that can be used for logging in
767 as this user. The format of this file is described in the
768 sshd(8) manual page. This file is not highly sensitive, but the
769 recommended permissions are read/write for the user, and not
766 Lists the public keys (DSA/ECDSA/RSA) that can be used for
767 logging in as this user. The format of this file is described in
768 the sshd(8) manual page. This file is not highly sensitive, but
769 the recommended permissions are read/write for the user, and not
770 accessible by others.
771
772 ~/.ssh/config
773 This is the per-user configuration file. The file format and
774 configuration options are described in ssh_config(5). Because of
775 the potential for abuse, this file must have strict permissions:
776 read/write for the user, and not accessible by others.
777
778 ~/.ssh/environment
779 Contains additional definitions for environment variables; see
780 ENVIRONMENT, above.
781
782 ~/.ssh/identity
783 ~/.ssh/id_dsa
770 accessible by others.
771
772 ~/.ssh/config
773 This is the per-user configuration file. The file format and
774 configuration options are described in ssh_config(5). Because of
775 the potential for abuse, this file must have strict permissions:
776 read/write for the user, and not accessible by others.
777
778 ~/.ssh/environment
779 Contains additional definitions for environment variables; see
780 ENVIRONMENT, above.
781
782 ~/.ssh/identity
783 ~/.ssh/id_dsa
784 ~/.ssh/id_ecdsa
784 ~/.ssh/id_rsa
785 Contains the private key for authentication. These files contain
786 sensitive data and should be readable by the user but not
787 accessible by others (read/write/execute). ssh will simply
788 ignore a private key file if it is accessible by others. It is
789 possible to specify a passphrase when generating the key which
790 will be used to encrypt the sensitive part of this file using
791 3DES.
792
793 ~/.ssh/identity.pub
794 ~/.ssh/id_dsa.pub
785 ~/.ssh/id_rsa
786 Contains the private key for authentication. These files contain
787 sensitive data and should be readable by the user but not
788 accessible by others (read/write/execute). ssh will simply
789 ignore a private key file if it is accessible by others. It is
790 possible to specify a passphrase when generating the key which
791 will be used to encrypt the sensitive part of this file using
792 3DES.
793
794 ~/.ssh/identity.pub
795 ~/.ssh/id_dsa.pub
796 ~/.ssh/id_ecdsa.pub
795 ~/.ssh/id_rsa.pub
796 Contains the public key for authentication. These files are not
797 sensitive and can (but need not) be readable by anyone.
798
799 ~/.ssh/known_hosts
800 Contains a list of host keys for all hosts the user has logged
801 into that are not already in the systemwide list of known host
802 keys. See sshd(8) for further details of the format of this

--- 14 unchanged lines hidden (view full) ---

817 rlogin/rsh.
818
819 /etc/ssh/ssh_config
820 Systemwide configuration file. The file format and configuration
821 options are described in ssh_config(5).
822
823 /etc/ssh/ssh_host_key
824 /etc/ssh/ssh_host_dsa_key
797 ~/.ssh/id_rsa.pub
798 Contains the public key for authentication. These files are not
799 sensitive and can (but need not) be readable by anyone.
800
801 ~/.ssh/known_hosts
802 Contains a list of host keys for all hosts the user has logged
803 into that are not already in the systemwide list of known host
804 keys. See sshd(8) for further details of the format of this
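Review bot: the authorized_keys entry now reads "(DSA/ECDSA/RSA)" and still defers the file format to sshd(8), so that page must document the ECDSA key type in its authorized_keys format section for the cross-reference to stay complete; check it in the same change. The private key entry (new lines 782-792) now covers four files under one description, so the statements that ssh ignores a private key file readable by others and that the passphrase encrypts the sensitive part using 3DES should be confirmed for the new id_ecdsa file as written by ssh-keygen(1).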

--- 14 unchanged lines hidden (view full) ---

819 rlogin/rsh.
820
821 /etc/ssh/ssh_config
822 Systemwide configuration file. The file format and configuration
823 options are described in ssh_config(5).
824
825 /etc/ssh/ssh_host_key
826 /etc/ssh/ssh_host_dsa_key
827 /etc/ssh/ssh_host_ecdsa_key
825 /etc/ssh/ssh_host_rsa_key
826 These three files contain the private parts of the host keys and
827 are used for host-based authentication. If protocol version 1 is
828 used, ssh must be setuid root, since the host key is readable
829 only by root. For protocol version 2, ssh uses ssh-keysign(8) to
830 access the host keys, eliminating the requirement that ssh be
831 setuid root when host-based authentication is used. By default
832 ssh is not setuid root.

--- 4 unchanged lines hidden (view full) ---

837 all machines in the organization. It should be world-readable.
838 See sshd(8) for further details of the format of this file.
839
840 /etc/ssh/sshrc
841 Commands in this file are executed by ssh when the user logs in,
842 just before the user's shell (or command) is started. See the
843 sshd(8) manual page for more information.
844
828 /etc/ssh/ssh_host_rsa_key
829 These three files contain the private parts of the host keys and
830 are used for host-based authentication. If protocol version 1 is
831 used, ssh must be setuid root, since the host key is readable
832 only by root. For protocol version 2, ssh uses ssh-keysign(8) to
833 access the host keys, eliminating the requirement that ssh be
834 setuid root when host-based authentication is used. By default
835 ssh is not setuid root.
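Review bot: with /etc/ssh/ssh_host_ecdsa_key inserted at new line 827, the description directly below (new line 829) still opens "These three files contain the private parts of the host keys", but four files are now listed; change it to "These files contain..." so the count does not have to be maintained the next time a key type is added.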

--- 4 unchanged lines hidden (view full) ---

840 all machines in the organization. It should be world-readable.
841 See sshd(8) for further details of the format of this file.
842
843 /etc/ssh/sshrc
844 Commands in this file are executed by ssh when the user logs in,
845 just before the user's shell (or command) is started. See the
846 sshd(8) manual page for more information.
847
848EXIT STATUS
849 ssh exits with the exit status of the remote command or with 255 if an
850 error occurred.
851
845SEE ALSO
846 scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh-keyscan(1),
847 tun(4), hosts.equiv(5), ssh_config(5), ssh-keysign(8), sshd(8)
848
849 The Secure Shell (SSH) Protocol Assigned Numbers, RFC 4250, 2006.
850
851 The Secure Shell (SSH) Protocol Architecture, RFC 4251, 2006.
852

--- 16 unchanged lines hidden (view full) ---

869 Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer
870 Protocol, RFC 4345, 2006.
871
872 Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer
873 Protocol, RFC 4419, 2006.
874
875 The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006.
876
852SEE ALSO
853 scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh-keyscan(1),
854 tun(4), hosts.equiv(5), ssh_config(5), ssh-keysign(8), sshd(8)
855
856 The Secure Shell (SSH) Protocol Assigned Numbers, RFC 4250, 2006.
857
858 The Secure Shell (SSH) Protocol Architecture, RFC 4251, 2006.
859
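Review bot: the new EXIT STATUS section states that ssh exits with the remote command's status or with 255 on error, which leaves a caller unable to tell a local or transport failure apart from a remote command that itself exited 255; a short clause saying that the two cases are indistinguishable would stop scripts from relying on 255 as a reliable connection-failure signal.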

--- 16 unchanged lines hidden (view full) ---

876 Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer
877 Protocol, RFC 4345, 2006.
878
879 Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer
880 Protocol, RFC 4419, 2006.
881
882 The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006.
883
877 A. Perrig, D. Song, Hash Visualization: a New Technique to improve
884 Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer,
885 RFC 5656, 2009.
886
887 A. Perrig and D. Song, Hash Visualization: a New Technique to improve
878 Real-World Security, 1999, International Workshop on Cryptographic
879 Techniques and E-Commerce (CrypTEC '99).
880
881AUTHORS
882 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
883 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
884 de Raadt and Dug Song removed many bugs, re-added newer features and
885 created OpenSSH. Markus Friedl contributed the support for SSH protocol
886 versions 1.5 and 2.0.
887
888 Real-World Security, 1999, International Workshop on Cryptographic
889 Techniques and E-Commerce (CrypTEC '99).
890
891AUTHORS
892 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
893 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
894 de Raadt and Dug Song removed many bugs, re-added newer features and
895 created OpenSSH. Markus Friedl contributed the support for SSH protocol
896 versions 1.5 and 2.0.
897
888OpenBSD 4.8 August 4, 2010 OpenBSD 4.8
898OpenBSD 4.8 November 18, 2010 OpenBSD 4.8