1.\" -*- nroff -*-
2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\" All rights reserved
6.\"
7.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose. Any derived versions of this

--- 20 unchanged lines hidden (view full) ---

29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\"
37.\" $FreeBSD: head/crypto/openssh/ssh.1 128460 2004-04-20 09:46:41Z des $
38.\" $OpenBSD: ssh.1,v 1.181 2003/12/16 15:49:51 markus Exp $
39.Dd September 25, 1999
40.Dt SSH 1
41.Os
42.Sh NAME
43.Nm ssh
44.Nd OpenSSH SSH client (remote login program)
45.Sh SYNOPSIS
46.Nm ssh
47.Op Fl 1246AaCfgkNnqsTtVvXxY
48.Op Fl b Ar bind_address
49.Op Fl c Ar cipher_spec
50.Op Fl D Ar port
51.Op Fl e Ar escape_char
52.Op Fl F Ar configfile
53.Op Fl i Ar identity_file
54.Bk -words
55.Oo Fl L Xo
56.Sm off
57.Ar port :
58.Ar host :
59.Ar hostport
60.Sm on
61.Xc
62.Oc

--- 7 unchanged lines hidden (view full) ---

70.Oo Fl R Xo
71.Sm off
72.Ar port :
73.Ar host :
74.Ar hostport
75.Sm on
76.Xc
77.Oc
78.Oo Ar user Ns @ Oc Ns Ar hostname
79.Op Ar command
80.Sh DESCRIPTION
81.Nm
82(SSH client) is a program for logging into a remote machine and for
83executing commands on a remote machine.
84It is intended to replace rlogin and rsh,
85and provide secure encrypted communications between

--- 151 unchanged lines hidden (view full) ---

237If public key authentication fails or is not available, a password
238can be sent encrypted to the remote host to prove the user's identity.
239.Pp
240Additionally,
241.Nm
242supports hostbased or challenge response authentication.
243.Pp
244Protocol 2 provides additional mechanisms for confidentiality
245(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour)
246and integrity (hmac-md5, hmac-sha1).
247Note that protocol 1 lacks a strong mechanism for ensuring the
248integrity of the connection.
249.Ss Login session and remote execution
250When the user's identity has been accepted by the server, the server
251either executes the given command, or logs into the machine and gives
252the user a normal shell on the remote machine.
253All communication with
254the remote command or shell will be automatically encrypted.

--- 43 unchanged lines hidden (view full) ---

298.Nm
299at logout when waiting for forwarded connection / X11 sessions to terminate.
300.It Cm ~?
301Display a list of escape characters.
302.It Cm ~B
303Send a BREAK to the remote system
304(only useful for SSH protocol version 2 and if the peer supports it).
305.It Cm ~C
306Open command line (only useful for adding port forwardings using the
307.Fl L
308and
309.Fl R
310options).
311.It Cm ~R
312Request rekeying of the connection
313(only useful for SSH protocol version 2 and if the peer supports it).
314.El
315.Ss X11 and TCP forwarding
316If the
317.Cm ForwardX11
318variable is set to

--- 70 unchanged lines hidden (view full) ---

389trojan horse from getting the user's password.
390Another purpose of this mechanism is to prevent man-in-the-middle attacks
391which could otherwise be used to circumvent the encryption.
392The
393.Cm StrictHostKeyChecking
394option can be used to prevent logins to machines whose
395host key is not known or has changed.
396.Pp
397The options are as follows:
398.Bl -tag -width Ds
399.It Fl 1
400Forces
401.Nm
402to try protocol version 1 only.
403.It Fl 2
404Forces

--- 34 unchanged lines hidden (view full) ---

439.Cm CompressionLevel
440option for protocol version 1.
441Compression is desirable on modem lines and other
442slow connections, but will only slow down things on fast networks.
443The default value can be set on a host-by-host basis in the
444configuration files; see the
445.Cm Compression
446option.
447.It Fl c Ar blowfish | 3des | des
448Selects the cipher to use for encrypting the session.
449.Ar 3des
450is used by default.
451It is believed to be secure.
452.Ar 3des
453(triple-des) is an encrypt-decrypt-encrypt triple with three different keys.
454.Ar blowfish
455is a fast block cipher; it appears very secure and is much faster than
456.Ar 3des .
457.Ar des
458is only supported in the
459.Nm
460client for interoperability with legacy protocol 1 implementations
461that do not support the
462.Ar 3des
463cipher.
464Its use is strongly discouraged due to cryptographic weaknesses.
465.It Fl c Ar cipher_spec
466Additionally, for protocol version 2 a comma-separated list of ciphers can
467be specified in order of preference.
468See
469.Cm Ciphers
470for more information.
471.It Fl D Ar port
472Specifies a local
473.Dq dynamic
474application-level port forwarding.
475This works by allocating a socket to listen to
476.Ar port
477on the local side, and whenever a connection is made to this port, the
478connection is forwarded over the secure channel, and the application
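
Review bot: The first -c item (447-464) never states which protocol version its single-cipher form applies to. The reader has to infer it from the des paragraph at 460 ("legacy protocol 1 implementations") and from "Additionally, for protocol version 2" at 466. Suggest naming the protocol version in the opening sentence at 448, so that the two -c items read as a protocol 1 form followed by a protocol 2 form.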

--- 86 unchanged lines hidden (view full) ---

565.Xo
566.Ar port No / Ar host No /
567.Ar hostport .
568.Xc
569.Sm on
570.It Fl l Ar login_name
571Specifies the user to log in as on the remote machine.
572This also may be specified on a per-host basis in the configuration file.
573.It Fl m Ar mac_spec
574Additionally, for protocol version 2 a comma-separated list of MAC
575(message authentication code) algorithms can
576be specified in order of preference.
577See the
578.Cm MACs
579keyword for more information.
580.It Fl N
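
Review bot: "Additionally" at 574 has nothing to attach to. Under -c the same sentence follows an earlier -c item, but the -m item comes straight after -l (570-572), so the word reads as a leftover from copying the -c text. Suggest starting the sentence at "For protocol version 2, a comma-separated list of MAC (message authentication code) algorithms can be specified in order of preference."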

--- 34 unchanged lines hidden (view full) ---

615.It ChallengeResponseAuthentication
616.It CheckHostIP
617.It Cipher
618.It Ciphers
619.It ClearAllForwardings
620.It Compression
621.It CompressionLevel
622.It ConnectionAttempts
623.It ConnectionTimeout
624.It DynamicForward
625.It EscapeChar
626.It ForwardAgent
627.It ForwardX11
628.It ForwardX11Trusted
629.It GatewayPorts
630.It GlobalKnownHostsFile
631.It GSSAPIAuthentication
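
Review bot: ConnectionTimeout at 623 does not match the keyword documented in ssh_config(5), which is spelled ConnectTimeout, so a user who copies the name from this list into an -o argument will have it rejected. Suggest changing the entry to ".It ConnectTimeout"; its place in the alphabetical list after ConnectionAttempts stays the same.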

--- 14 unchanged lines hidden (view full) ---

646.It Port
647.It PreferredAuthentications
648.It Protocol
649.It ProxyCommand
650.It PubkeyAuthentication
651.It RemoteForward
652.It RhostsRSAAuthentication
653.It RSAAuthentication
654.It ServerAliveInterval
655.It ServerAliveCountMax
656.It SmartcardDevice
657.It StrictHostKeyChecking
658.It TCPKeepAlive
659.It UsePrivilegedPort
660.It User
661.It UserKnownHostsFile

--- 28 unchanged lines hidden (view full) ---

690logging in as root on the remote machine.
691IPv6 addresses can be specified with an alternative syntax:
692.Sm off
693.Xo
694.Ar port No / Ar host No /
695.Ar hostport .
696.Xc
697.Sm on
698.It Fl s
699May be used to request invocation of a subsystem on the remote system.
700Subsystems are a feature of the SSH2 protocol which facilitate the use
701of SSH as a secure transport for other applications (eg.\&
702.Xr sftp 1 ) .
703The subsystem is specified as the remote command.
704.It Fl T
705Disable pseudo-tty allocation.

--- 176 unchanged lines hidden (view full) ---

882sensitive and can (but need not) be readable by anyone.
883These files are
884never used automatically and are not necessary; they are only provided for
885the convenience of the user.
886.It Pa $HOME/.ssh/config
887This is the per-user configuration file.
888The file format and configuration options are described in
889.Xr ssh_config 5 .
890.It Pa $HOME/.ssh/authorized_keys
891Lists the public keys (RSA/DSA) that can be used for logging in as this user.
892The format of this file is described in the
893.Xr sshd 8
894manual page.
895In the simplest form the format is the same as the
896.Pa .pub
897identity files.

--- 174 unchanged lines hidden ---