Deleted Added
ssh.1 (128460) ssh.1 (137019)
1.\" -*- nroff -*-
2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\" All rights reserved
6.\"
7.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose. Any derived versions of this

--- 20 unchanged lines hidden (view full) ---

29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\"
1.\" -*- nroff -*-
2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\" All rights reserved
6.\"
7.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose. Any derived versions of this

--- 20 unchanged lines hidden (view full) ---

29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\"
37.\" $FreeBSD: head/crypto/openssh/ssh.1 128460 2004-04-20 09:46:41Z des $
38.\" $OpenBSD: ssh.1,v 1.181 2003/12/16 15:49:51 markus Exp $
37.\" $OpenBSD: ssh.1,v 1.194 2004/08/12 21:41:13 jakob Exp $
38.\" $FreeBSD: head/crypto/openssh/ssh.1 137019 2004-10-28 16:11:31Z des $
39.Dd September 25, 1999
40.Dt SSH 1
41.Os
42.Sh NAME
43.Nm ssh
44.Nd OpenSSH SSH client (remote login program)
45.Sh SYNOPSIS
46.Nm ssh
39.Dd September 25, 1999
40.Dt SSH 1
41.Os
42.Sh NAME
43.Nm ssh
44.Nd OpenSSH SSH client (remote login program)
45.Sh SYNOPSIS
46.Nm ssh
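Review bot: the `.Dd September 25, 1999` line (line 39 on both sides) is left untouched although this revision adds new options (-M, -S), a new SSHFP paragraph and a rewritten -c entry; bump the document date so the rendered page reflects when the content changed. The swapped order of the `$OpenBSD` and `$FreeBSD` id lines (37-38) is harmless but shows up as a two-line change unrelated to content, so it is worth a mention in the commit message.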
47.Op Fl 1246AaCfgkNnqsTtVvXxY
47.Op Fl 1246AaCfgkMNnqsTtVvXxY
48.Op Fl b Ar bind_address
49.Op Fl c Ar cipher_spec
48.Op Fl b Ar bind_address
49.Op Fl c Ar cipher_spec
50.Bk -words
50.Op Fl D Ar port
51.Op Fl e Ar escape_char
52.Op Fl F Ar configfile
53.Op Fl i Ar identity_file
51.Op Fl D Ar port
52.Op Fl e Ar escape_char
53.Op Fl F Ar configfile
54.Op Fl i Ar identity_file
54.Bk -words
55.Oo Fl L Xo
56.Sm off
57.Ar port :
58.Ar host :
59.Ar hostport
60.Sm on
61.Xc
62.Oc

--- 7 unchanged lines hidden (view full) ---

70.Oo Fl R Xo
71.Sm off
72.Ar port :
73.Ar host :
74.Ar hostport
75.Sm on
76.Xc
77.Oc
55.Oo Fl L Xo
56.Sm off
57.Ar port :
58.Ar host :
59.Ar hostport
60.Sm on
61.Xc
62.Oc

--- 7 unchanged lines hidden (view full) ---

70.Oo Fl R Xo
71.Sm off
72.Ar port :
73.Ar host :
74.Ar hostport
75.Sm on
76.Xc
77.Oc
78.Op Fl S Ar ctl
78.Oo Ar user Ns @ Oc Ns Ar hostname
79.Op Ar command
80.Sh DESCRIPTION
81.Nm
82(SSH client) is a program for logging into a remote machine and for
83executing commands on a remote machine.
84It is intended to replace rlogin and rsh,
85and provide secure encrypted communications between

--- 151 unchanged lines hidden (view full) ---

237If public key authentication fails or is not available, a password
238can be sent encrypted to the remote host to prove the user's identity.
239.Pp
240Additionally,
241.Nm
242supports hostbased or challenge response authentication.
243.Pp
244Protocol 2 provides additional mechanisms for confidentiality
79.Oo Ar user Ns @ Oc Ns Ar hostname
80.Op Ar command
81.Sh DESCRIPTION
82.Nm
83(SSH client) is a program for logging into a remote machine and for
84executing commands on a remote machine.
85It is intended to replace rlogin and rsh,
86and provide secure encrypted communications between

--- 151 unchanged lines hidden (view full) ---

238If public key authentication fails or is not available, a password
239can be sent encrypted to the remote host to prove the user's identity.
240.Pp
241Additionally,
242.Nm
243supports hostbased or challenge response authentication.
244.Pp
245Protocol 2 provides additional mechanisms for confidentiality
245(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour)
246and integrity (hmac-md5, hmac-sha1).
246(the traffic is encrypted using AES, 3DES, Blowfish, CAST128 or Arcfour)
247and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
247Note that protocol 1 lacks a strong mechanism for ensuring the
248integrity of the connection.
249.Ss Login session and remote execution
250When the user's identity has been accepted by the server, the server
251either executes the given command, or logs into the machine and gives
252the user a normal shell on the remote machine.
253All communication with
254the remote command or shell will be automatically encrypted.

--- 43 unchanged lines hidden (view full) ---

298.Nm
299at logout when waiting for forwarded connection / X11 sessions to terminate.
300.It Cm ~?
301Display a list of escape characters.
302.It Cm ~B
303Send a BREAK to the remote system
304(only useful for SSH protocol version 2 and if the peer supports it).
305.It Cm ~C
248Note that protocol 1 lacks a strong mechanism for ensuring the
249integrity of the connection.
250.Ss Login session and remote execution
251When the user's identity has been accepted by the server, the server
252either executes the given command, or logs into the machine and gives
253the user a normal shell on the remote machine.
254All communication with
255the remote command or shell will be automatically encrypted.

--- 43 unchanged lines hidden (view full) ---

299.Nm
300at logout when waiting for forwarded connection / X11 sessions to terminate.
301.It Cm ~?
302Display a list of escape characters.
303.It Cm ~B
304Send a BREAK to the remote system
305(only useful for SSH protocol version 2 and if the peer supports it).
306.It Cm ~C
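Review bot: the cipher and MAC lists in this DESCRIPTION paragraph (new lines 246-247) now duplicate, in a different order and under different names (AES, 3DES, Blowfish here versus 3des-cbc, aes128-cbc and so on under -c), the per-option list later in the page; rather than maintain two lists that can drift, name the algorithms once under -c and have this paragraph point at -c and the Ciphers and MACs keywords.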
306Open command line (only useful for adding port forwardings using the
307Open command line.
308Currently this allows the addition of port forwardings using the
307.Fl L
308and
309.Fl R
309.Fl L
310and
311.Fl R
310options).
312options (see below).
313It also allows the cancellation of existing remote port-forwardings
314using
315.Fl KR Ar hostport .
316Basic help is available, using the
317.Fl h
318option.
311.It Cm ~R
312Request rekeying of the connection
313(only useful for SSH protocol version 2 and if the peer supports it).
314.El
315.Ss X11 and TCP forwarding
316If the
317.Cm ForwardX11
318variable is set to
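Review bot: "port forwardings" (new line 308) and "port-forwardings" (new line 313) are hyphenated inconsistently within the same entry; pick one. The `-h` on lines 316-318 is the ~C command line's own help option, not an ssh option (there is no `h` in the SYNOPSIS flag string), so say "the command line's -h option" to stop readers hunting for it in the option list. The `-KR hostport` form on line 315 also deserves a word that the forwarding is identified by the port it listens on.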

--- 70 unchanged lines hidden (view full) ---

389trojan horse from getting the user's password.
390Another purpose of this mechanism is to prevent man-in-the-middle attacks
391which could otherwise be used to circumvent the encryption.
392The
393.Cm StrictHostKeyChecking
394option can be used to prevent logins to machines whose
395host key is not known or has changed.
396.Pp
319.It Cm ~R
320Request rekeying of the connection
321(only useful for SSH protocol version 2 and if the peer supports it).
322.El
323.Ss X11 and TCP forwarding
324If the
325.Cm ForwardX11
326variable is set to

--- 70 unchanged lines hidden (view full) ---

397trojan horse from getting the user's password.
398Another purpose of this mechanism is to prevent man-in-the-middle attacks
399which could otherwise be used to circumvent the encryption.
400The
401.Cm StrictHostKeyChecking
402option can be used to prevent logins to machines whose
403host key is not known or has changed.
404.Pp
405.Nm
406can be configured to verify host identification using fingerprint resource
407records (SSHFP) published in DNS.
408The
409.Cm VerifyHostKeyDNS
410option can be used to control how DNS lookups are performed.
411SSHFP resource records can be generated using
412.Xr ssh-keygen 1 .
413.Pp
397The options are as follows:
398.Bl -tag -width Ds
399.It Fl 1
400Forces
401.Nm
402to try protocol version 1 only.
403.It Fl 2
404Forces
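Review bot: the new SSHFP paragraph (lines 405-412) says VerifyHostKeyDNS controls "how DNS lookups are performed", but what the option governs is how the lookup result is used (whether a matching record is trusted, ignored, or still confirmed with the user); say that instead, and state the trust consequence: a fingerprint fetched from DNS is only as trustworthy as the DNS answer, so make clear whether a match is accepted automatically or only used to pre-fill the confirmation step of the known-hosts check described just above (StrictHostKeyChecking, lines 400-403), and that this depends on whether the DNS answer itself is authenticated.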

--- 34 unchanged lines hidden (view full) ---

439.Cm CompressionLevel
440option for protocol version 1.
441Compression is desirable on modem lines and other
442slow connections, but will only slow down things on fast networks.
443The default value can be set on a host-by-host basis in the
444configuration files; see the
445.Cm Compression
446option.
414The options are as follows:
415.Bl -tag -width Ds
416.It Fl 1
417Forces
418.Nm
419to try protocol version 1 only.
420.It Fl 2
421Forces

--- 34 unchanged lines hidden (view full) ---

456.Cm CompressionLevel
457option for protocol version 1.
458Compression is desirable on modem lines and other
459slow connections, but will only slow down things on fast networks.
460The default value can be set on a host-by-host basis in the
461configuration files; see the
462.Cm Compression
463option.
447.It Fl c Ar blowfish | 3des | des
448Selects the cipher to use for encrypting the session.
464.It Fl c Ar cipher_spec
465Selects the cipher specification for encrypting the session.
466.Pp
467Protocol version 1 allows specification of a single cipher.
468The suported values are
469.Dq 3des ,
470.Dq blowfish
471and
472.Dq des .
449.Ar 3des
473.Ar 3des
450is used by default.
451It is believed to be secure.
452.Ar 3des
453(triple-des) is an encrypt-decrypt-encrypt triple with three different keys.
474(triple-des) is an encrypt-decrypt-encrypt triple with three different keys.
475It is believed to be secure.
454.Ar blowfish
455is a fast block cipher; it appears very secure and is much faster than
456.Ar 3des .
457.Ar des
458is only supported in the
459.Nm
460client for interoperability with legacy protocol 1 implementations
461that do not support the
462.Ar 3des
463cipher.
464Its use is strongly discouraged due to cryptographic weaknesses.
476.Ar blowfish
477is a fast block cipher; it appears very secure and is much faster than
478.Ar 3des .
479.Ar des
480is only supported in the
481.Nm
482client for interoperability with legacy protocol 1 implementations
483that do not support the
484.Ar 3des
485cipher.
486Its use is strongly discouraged due to cryptographic weaknesses.
465.It Fl c Ar cipher_spec
466Additionally, for protocol version 2 a comma-separated list of ciphers can
467be specified in order of preference.
468See
469.Cm Ciphers
470for more information.
487The default is
488.Dq 3des .
489.Pp
490For protocol version 2
491.Ar cipher_spec
492is a comma-separated list of ciphers
493listed in order of preference.
494The supported ciphers are
495.Dq 3des-cbc ,
496.Dq aes128-cbc ,
497.Dq aes192-cbc ,
498.Dq aes256-cbc ,
499.Dq aes128-ctr ,
500.Dq aes192-ctr ,
501.Dq aes256-ctr ,
502.Dq arcfour ,
503.Dq blowfish-cbc ,
504and
505.Dq cast128-cbc .
506The default is
507.Bd -literal
508 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
509 aes192-cbc,aes256-cbc''
510.Ed
471.It Fl D Ar port
472Specifies a local
473.Dq dynamic
474application-level port forwarding.
475This works by allocating a socket to listen to
476.Ar port
477on the local side, and whenever a connection is made to this port, the
478connection is forwarded over the secure channel, and the application
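Review bot: typo "suported" at new line 468 ("The suported values are"). Two smaller points in the same entry: for `des` (lines 479-486) the warning "Its use is strongly discouraged due to cryptographic weaknesses" would serve readers better as the first sentence about that cipher rather than the last; and the protocol 2 default in the `.Bd -literal` block (lines 507-510) is quoted with ``...'' and a leading space, which is inconsistent with the `.Dq` used for the protocol 1 default on line 488.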

--- 86 unchanged lines hidden (view full) ---

565.Xo
566.Ar port No / Ar host No /
567.Ar hostport .
568.Xc
569.Sm on
570.It Fl l Ar login_name
571Specifies the user to log in as on the remote machine.
572This also may be specified on a per-host basis in the configuration file.
511.It Fl D Ar port
512Specifies a local
513.Dq dynamic
514application-level port forwarding.
515This works by allocating a socket to listen to
516.Ar port
517on the local side, and whenever a connection is made to this port, the
518connection is forwarded over the secure channel, and the application

--- 86 unchanged lines hidden (view full) ---

605.Xo
606.Ar port No / Ar host No /
607.Ar hostport .
608.Xc
609.Sm on
610.It Fl l Ar login_name
611Specifies the user to log in as on the remote machine.
612This also may be specified on a per-host basis in the configuration file.
613.It Fl M
614Places the
615.Nm
616client into
617.Dq master
618mode for connection sharing.
619Refer to the description of
620.Cm ControlMaster
621in
622.Xr ssh_config 5
623for details.
573.It Fl m Ar mac_spec
574Additionally, for protocol version 2 a comma-separated list of MAC
575(message authentication code) algorithms can
576be specified in order of preference.
577See the
578.Cm MACs
579keyword for more information.
580.It Fl N
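Review bot: the new -M entry (lines 613-623) refers only to ControlMaster; since a master is of no use without a control socket, also point at -S / ControlPath here (the -S entry does the reverse and names both keywords). Placing -M before -m matches the case-insensitive, uppercase-first order of the flag string (M before N before n), good.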

--- 34 unchanged lines hidden (view full) ---

615.It ChallengeResponseAuthentication
616.It CheckHostIP
617.It Cipher
618.It Ciphers
619.It ClearAllForwardings
620.It Compression
621.It CompressionLevel
622.It ConnectionAttempts
624.It Fl m Ar mac_spec
625Additionally, for protocol version 2 a comma-separated list of MAC
626(message authentication code) algorithms can
627be specified in order of preference.
628See the
629.Cm MACs
630keyword for more information.
631.It Fl N

--- 34 unchanged lines hidden (view full) ---

666.It ChallengeResponseAuthentication
667.It CheckHostIP
668.It Cipher
669.It Ciphers
670.It ClearAllForwardings
671.It Compression
672.It CompressionLevel
673.It ConnectionAttempts
623.It ConnectionTimeout
674.It ConnectTimeout
675.It ControlMaster
676.It ControlPath
624.It DynamicForward
625.It EscapeChar
626.It ForwardAgent
627.It ForwardX11
628.It ForwardX11Trusted
629.It GatewayPorts
630.It GlobalKnownHostsFile
631.It GSSAPIAuthentication
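Review bot: the rename from `ConnectionTimeout` (old line 623) to `ConnectTimeout` (new line 674) is a correction, not an addition: `ConnectTimeout` is the keyword name ssh_config(5) documents and the old spelling was a documentation error, so call it out as a fix in the commit message. ControlMaster and ControlPath slot in alphabetically after it, correct.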

--- 14 unchanged lines hidden (view full) ---

646.It Port
647.It PreferredAuthentications
648.It Protocol
649.It ProxyCommand
650.It PubkeyAuthentication
651.It RemoteForward
652.It RhostsRSAAuthentication
653.It RSAAuthentication
677.It DynamicForward
678.It EscapeChar
679.It ForwardAgent
680.It ForwardX11
681.It ForwardX11Trusted
682.It GatewayPorts
683.It GlobalKnownHostsFile
684.It GSSAPIAuthentication

--- 14 unchanged lines hidden (view full) ---

699.It Port
700.It PreferredAuthentications
701.It Protocol
702.It ProxyCommand
703.It PubkeyAuthentication
704.It RemoteForward
705.It RhostsRSAAuthentication
706.It RSAAuthentication
707.It SendEnv
654.It ServerAliveInterval
655.It ServerAliveCountMax
656.It SmartcardDevice
657.It StrictHostKeyChecking
658.It TCPKeepAlive
659.It UsePrivilegedPort
660.It User
661.It UserKnownHostsFile

--- 28 unchanged lines hidden (view full) ---

690logging in as root on the remote machine.
691IPv6 addresses can be specified with an alternative syntax:
692.Sm off
693.Xo
694.Ar port No / Ar host No /
695.Ar hostport .
696.Xc
697.Sm on
708.It ServerAliveInterval
709.It ServerAliveCountMax
710.It SmartcardDevice
711.It StrictHostKeyChecking
712.It TCPKeepAlive
713.It UsePrivilegedPort
714.It User
715.It UserKnownHostsFile

--- 28 unchanged lines hidden (view full) ---

744logging in as root on the remote machine.
745IPv6 addresses can be specified with an alternative syntax:
746.Sm off
747.Xo
748.Ar port No / Ar host No /
749.Ar hostport .
750.Xc
751.Sm on
752.It Fl S Ar ctl
753Specifies the location of a control socket for connection sharing.
754Refer to the description of
755.Cm ControlPath
756and
757.Cm ControlMaster
758in
759.Xr ssh_config 5
760for details.
698.It Fl s
699May be used to request invocation of a subsystem on the remote system.
700Subsystems are a feature of the SSH2 protocol which facilitate the use
701of SSH as a secure transport for other applications (eg.\&
702.Xr sftp 1 ) .
703The subsystem is specified as the remote command.
704.It Fl T
705Disable pseudo-tty allocation.
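Review bot: the -S entry (lines 752-760) should say that the same socket path is used both when creating a master (with -M) and when a later ssh attaches to an existing one, and that attaching reuses the already-authenticated connection, so `ctl` belongs in a directory only the user can write to; at present the entry defers all of that to ssh_config(5). The argument name `ctl` matches `Ar ctl` in the SYNOPSIS (line 78), good.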

--- 176 unchanged lines hidden (view full) ---

882sensitive and can (but need not) be readable by anyone.
883These files are
884never used automatically and are not necessary; they are only provided for
885the convenience of the user.
886.It Pa $HOME/.ssh/config
887This is the per-user configuration file.
888The file format and configuration options are described in
889.Xr ssh_config 5 .
761.It Fl s
762May be used to request invocation of a subsystem on the remote system.
763Subsystems are a feature of the SSH2 protocol which facilitate the use
764of SSH as a secure transport for other applications (eg.\&
765.Xr sftp 1 ) .
766The subsystem is specified as the remote command.
767.It Fl T
768Disable pseudo-tty allocation.

--- 176 unchanged lines hidden (view full) ---

945sensitive and can (but need not) be readable by anyone.
946These files are
947never used automatically and are not necessary; they are only provided for
948the convenience of the user.
949.It Pa $HOME/.ssh/config
950This is the per-user configuration file.
951The file format and configuration options are described in
952.Xr ssh_config 5 .
953Because of the potential for abuse, this file must have strict permissions:
954read/write for the user, and not accessible by others.
890.It Pa $HOME/.ssh/authorized_keys
891Lists the public keys (RSA/DSA) that can be used for logging in as this user.
892The format of this file is described in the
893.Xr sshd 8
894manual page.
895In the simplest form the format is the same as the
896.Pa .pub
897identity files.
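Review bot: "must have strict permissions" (new lines 953-954) does not say whether ssh enforces this by refusing to read the file or merely recommends it; state which. The "potential for abuse" would also be clearer if named: directives such as ProxyCommand (listed in the keyword list above) run commands as the user, so a config file writable by others lets those others run commands in the user's context, and the same care applies to the containing directory since a writable ~/.ssh allows the file to be replaced.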

--- 174 unchanged lines hidden ---
955.It Pa $HOME/.ssh/authorized_keys
956Lists the public keys (RSA/DSA) that can be used for logging in as this user.
957The format of this file is described in the
958.Xr sshd 8
959manual page.
960In the simplest form the format is the same as the
961.Pa .pub
962identity files.

--- 174 unchanged lines hidden ---