1.\" -*- nroff -*-
2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\" All rights reserved
6.\"
7.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose. Any derived versions of this

--- 20 unchanged lines hidden (view full) ---

29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\"
37.\" $FreeBSD: head/crypto/openssh/ssh.1 128460 2004-04-20 09:46:41Z des $
38.\" $OpenBSD: ssh.1,v 1.181 2003/12/16 15:49:51 markus Exp $
37.\" $OpenBSD: ssh.1,v 1.194 2004/08/12 21:41:13 jakob Exp $
38.\" $FreeBSD: head/crypto/openssh/ssh.1 137019 2004-10-28 16:11:31Z des $
39.Dd September 25, 1999
40.Dt SSH 1
41.Os
42.Sh NAME
43.Nm ssh
44.Nd OpenSSH SSH client (remote login program)
45.Sh SYNOPSIS
46.Nm ssh
47.Op Fl 1246AaCfgkNnqsTtVvXxY
47.Op Fl 1246AaCfgkMNnqsTtVvXxY
48.Op Fl b Ar bind_address
49.Op Fl c Ar cipher_spec
50.Bk -words
51.Op Fl D Ar port
52.Op Fl e Ar escape_char
53.Op Fl F Ar configfile
54.Op Fl i Ar identity_file
54.Bk -words
55.Oo Fl L Xo
56.Sm off
57.Ar port :
58.Ar host :
59.Ar hostport
60.Sm on
61.Xc
62.Oc
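
Review bot: `.Dd September 25, 1999` on line 39 is left untouched although the `$OpenBSD$` id on line 37 moves from 2003/12/16 to 2004/08/12 and the synopsis flag cluster on line 47 gains `M`; if this tree bumps the document date on content changes, update it here. Also confirm that the `.Bk -words` now sitting on line 54 still has a matching `.Ek`, which falls outside the visible lines.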

--- 7 unchanged lines hidden (view full) ---

70.Oo Fl R Xo
71.Sm off
72.Ar port :
73.Ar host :
74.Ar hostport
75.Sm on
76.Xc
77.Oc
78.Op Fl S Ar ctl
79.Oo Ar user Ns @ Oc Ns Ar hostname
80.Op Ar command
81.Sh DESCRIPTION
82.Nm
83(SSH client) is a program for logging into a remote machine and for
84executing commands on a remote machine.
85It is intended to replace rlogin and rsh,
86and provide secure encrypted communications between

--- 151 unchanged lines hidden (view full) ---

238If public key authentication fails or is not available, a password
239can be sent encrypted to the remote host to prove the user's identity.
240.Pp
241Additionally,
242.Nm
243supports hostbased or challenge response authentication.
244.Pp
245Protocol 2 provides additional mechanisms for confidentiality
245(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour)
246and integrity (hmac-md5, hmac-sha1).
246(the traffic is encrypted using AES, 3DES, Blowfish, CAST128 or Arcfour)
247and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
248Note that protocol 1 lacks a strong mechanism for ensuring the
249integrity of the connection.
250.Ss Login session and remote execution
251When the user's identity has been accepted by the server, the server
252either executes the given command, or logs into the machine and gives
253the user a normal shell on the remote machine.
254All communication with
255the remote command or shell will be automatically encrypted.
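
Review bot: The algorithm enumeration on lines 246-247 duplicates the list that is now spelled out under `-c` (lines 494-505), and it had already gone stale once, since AES and hmac-ripemd160 are only being added here. Consider replacing the parenthesised lists with a pointer to `Ciphers` and `MACs` in ssh_config(5) so there is a single place to update.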

--- 43 unchanged lines hidden (view full) ---

299.Nm
300at logout when waiting for forwarded connection / X11 sessions to terminate.
301.It Cm ~?
302Display a list of escape characters.
303.It Cm ~B
304Send a BREAK to the remote system
305(only useful for SSH protocol version 2 and if the peer supports it).
306.It Cm ~C
306Open command line (only useful for adding port forwardings using the
307Open command line.
308Currently this allows the addition of port forwardings using the
309.Fl L
310and
311.Fl R
310options).
312options (see below).
313It also allows the cancellation of existing remote port-forwardings
314using
315.Fl KR Ar hostport .
316Basic help is available, using the
317.Fl h
318option.
319.It Cm ~R
320Request rekeying of the connection
321(only useful for SSH protocol version 2 and if the peer supports it).
322.El
323.Ss X11 and TCP forwarding
324If the
325.Cm ForwardX11
326variable is set to

--- 70 unchanged lines hidden (view full) ---

397trojan horse from getting the user's password.
398Another purpose of this mechanism is to prevent man-in-the-middle attacks
399which could otherwise be used to circumvent the encryption.
400The
401.Cm StrictHostKeyChecking
402option can be used to prevent logins to machines whose
403host key is not known or has changed.
404.Pp
405.Nm
406can be configured to verify host identification using fingerprint resource
407records (SSHFP) published in DNS.
408The
409.Cm VerifyHostKeyDNS
410option can be used to control how DNS lookups are performed.
411SSHFP resource records can be generated using
412.Xr ssh-keygen 1 .
413.Pp
414The options are as follows:
415.Bl -tag -width Ds
416.It Fl 1
417Forces
418.Nm
419to try protocol version 1 only.
420.It Fl 2
421Forces
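
Review bot: The SSHFP paragraph on lines 405-412 does not say how far a fingerprint obtained from DNS is trusted or how it interacts with `StrictHostKeyChecking`, described just above it, and "control how DNS lookups are performed" is vague for an option named `VerifyHostKeyDNS`. Add a sentence on the trust decision, or at least an `.Xr ssh_config 5` reference as the `-M` and `-S` entries have.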

--- 34 unchanged lines hidden (view full) ---

456.Cm CompressionLevel
457option for protocol version 1.
458Compression is desirable on modem lines and other
459slow connections, but will only slow down things on fast networks.
460The default value can be set on a host-by-host basis in the
461configuration files; see the
462.Cm Compression
463option.
447.It Fl c Ar blowfish | 3des | des
448Selects the cipher to use for encrypting the session.
464.It Fl c Ar cipher_spec
465Selects the cipher specification for encrypting the session.
466.Pp
467Protocol version 1 allows specification of a single cipher.
468The suported values are
469.Dq 3des ,
470.Dq blowfish
471and
472.Dq des .
473.Ar 3des
450is used by default.
451It is believed to be secure.
452.Ar 3des
474(triple-des) is an encrypt-decrypt-encrypt triple with three different keys.
475It is believed to be secure.
476.Ar blowfish
477is a fast block cipher; it appears very secure and is much faster than
478.Ar 3des .
479.Ar des
480is only supported in the
481.Nm
482client for interoperability with legacy protocol 1 implementations
483that do not support the
484.Ar 3des
485cipher.
486Its use is strongly discouraged due to cryptographic weaknesses.
465.It Fl c Ar cipher_spec
466Additionally, for protocol version 2 a comma-separated list of ciphers can
467be specified in order of preference.
468See
469.Cm Ciphers
470for more information.
487The default is
488.Dq 3des .
489.Pp
490For protocol version 2
491.Ar cipher_spec
492is a comma-separated list of ciphers
493listed in order of preference.
494The supported ciphers are
495.Dq 3des-cbc ,
496.Dq aes128-cbc ,
497.Dq aes192-cbc ,
498.Dq aes256-cbc ,
499.Dq aes128-ctr ,
500.Dq aes192-ctr ,
501.Dq aes256-ctr ,
502.Dq arcfour ,
503.Dq blowfish-cbc ,
504and
505.Dq cast128-cbc .
506The default is
507.Bd -literal
508 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
509 aes192-cbc,aes256-cbc''
510.Ed
511.It Fl D Ar port
512Specifies a local
513.Dq dynamic
514application-level port forwarding.
515This works by allocating a socket to listen to
516.Ar port
517on the local side, and whenever a connection is made to this port, the
518connection is forwarded over the secure channel, and the application
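
Review bot: "suported" on line 468 should be "supported". In the same protocol 1 paragraph the cipher names are marked up with `.Dq` on lines 469-472 but with `.Ar` on lines 473-484, although they are literal values rather than arguments; use one macro throughout, as the protocol 2 list on lines 495-505 does.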

--- 86 unchanged lines hidden (view full) ---

605.Xo
606.Ar port No / Ar host No /
607.Ar hostport .
608.Xc
609.Sm on
610.It Fl l Ar login_name
611Specifies the user to log in as on the remote machine.
612This also may be specified on a per-host basis in the configuration file.
613.It Fl M
614Places the
615.Nm
616client into
617.Dq master
618mode for connection sharing.
619Refer to the description of
620.Cm ControlMaster
621in
622.Xr ssh_config 5
623for details.
624.It Fl m Ar mac_spec
625Additionally, for protocol version 2 a comma-separated list of MAC
626(message authentication code) algorithms can
627be specified in order of preference.
628See the
629.Cm MACs
630keyword for more information.
631.It Fl N
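
Review bot: The `-M` entry on lines 613-623 refers only to `ControlMaster`, while the `-S` entry refers to both `ControlPath` and `ControlMaster`. Master mode needs a control socket to share the connection over, so mention `-S` and `ControlPath` here as well.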

--- 34 unchanged lines hidden (view full) ---

666.It ChallengeResponseAuthentication
667.It CheckHostIP
668.It Cipher
669.It Ciphers
670.It ClearAllForwardings
671.It Compression
672.It CompressionLevel
673.It ConnectionAttempts
623.It ConnectionTimeout
674.It ConnectTimeout
675.It ControlMaster
676.It ControlPath
677.It DynamicForward
678.It EscapeChar
679.It ForwardAgent
680.It ForwardX11
681.It ForwardX11Trusted
682.It GatewayPorts
683.It GlobalKnownHostsFile
684.It GSSAPIAuthentication

--- 14 unchanged lines hidden (view full) ---

699.It Port
700.It PreferredAuthentications
701.It Protocol
702.It ProxyCommand
703.It PubkeyAuthentication
704.It RemoteForward
705.It RhostsRSAAuthentication
706.It RSAAuthentication
707.It SendEnv
708.It ServerAliveInterval
709.It ServerAliveCountMax
710.It SmartcardDevice
711.It StrictHostKeyChecking
712.It TCPKeepAlive
713.It UsePrivilegedPort
714.It User
715.It UserKnownHostsFile
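
Review bot: `ServerAliveInterval` on line 708 is listed before `ServerAliveCountMax` on line 709, which breaks the alphabetical order the rest of this list follows; swap the two.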

--- 28 unchanged lines hidden (view full) ---

744logging in as root on the remote machine.
745IPv6 addresses can be specified with an alternative syntax:
746.Sm off
747.Xo
748.Ar port No / Ar host No /
749.Ar hostport .
750.Xc
751.Sm on
752.It Fl S Ar ctl
753Specifies the location of a control socket for connection sharing.
754Refer to the description of
755.Cm ControlPath
756and
757.Cm ControlMaster
758in
759.Xr ssh_config 5
760for details.
761.It Fl s
762May be used to request invocation of a subsystem on the remote system.
763Subsystems are a feature of the SSH2 protocol which facilitate the use
764of SSH as a secure transport for other applications (eg.\&
765.Xr sftp 1 ) .
766The subsystem is specified as the remote command.
767.It Fl T
768Disable pseudo-tty allocation.
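
Review bot: The argument name `ctl` in `.It Fl S Ar ctl` on line 752 (and in the synopsis on line 78) does not tell the reader that a filesystem path is expected, although the description calls it "the location of a control socket". A name such as `ctl_path` would be self-explanatory.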

--- 176 unchanged lines hidden (view full) ---

945sensitive and can (but need not) be readable by anyone.
946These files are
947never used automatically and are not necessary; they are only provided for
948the convenience of the user.
949.It Pa $HOME/.ssh/config
950This is the per-user configuration file.
951The file format and configuration options are described in
952.Xr ssh_config 5 .
953Because of the potential for abuse, this file must have strict permissions:
954read/write for the user, and not accessible by others.
955.It Pa $HOME/.ssh/authorized_keys
956Lists the public keys (RSA/DSA) that can be used for logging in as this user.
957The format of this file is described in the
958.Xr sshd 8
959manual page.
960In the simplest form the format is the same as the
961.Pa .pub
962identity files.
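
Review bot: "must have strict permissions" on lines 953-954 does not say what ssh does when the file fails the check, and "not accessible by others" leaves open whether group or world read access is rejected or only write access. State the exact requirement and the failure behaviour, matching what the code enforces.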

--- 174 unchanged lines hidden ---