ssh.1 (5c51cd6437f7c153e2508091f3e7a988ed32be0d) | ssh.1 (a8f6863aa612ce6941e7bad9cf809a8d0608a7ca) |
---|---|
1.\" -*- nroff -*- 2.\" 3.\" ssh.1.in 4.\" 5.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 6.\" 7.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 8.\" All rights reserved 9.\" 10.\" Created: Sat Apr 22 21:55:14 1995 ylo 11.\" | 1.\" -*- nroff -*- 2.\" 3.\" ssh.1.in 4.\" 5.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 6.\" 7.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 8.\" All rights reserved 9.\" 10.\" Created: Sat Apr 22 21:55:14 1995 ylo 11.\" |
12.\" $Id: ssh.1,v 1.38 2000/02/28 19:51:58 markus Exp $ 13.\" $FreeBSD$ | 12.\" $Id: ssh.1,v 1.43 2000/03/24 03:04:46 brad Exp $ |
14.\" 15.Dd September 25, 1999 16.Dt SSH 1 17.Os 18.Sh NAME 19.Nm ssh 20.Nd OpenSSH secure shell client (remote login program) 21.Sh SYNOPSIS --- 23 unchanged lines hidden (view full) --- 45.Ar port : 46.Ar host : 47.Ar hostport 48.Sm on 49.Xc 50.Oc 51.Op Ar hostname | user@hostname 52.Op Ar command | 13.\" 14.Dd September 25, 1999 15.Dt SSH 1 16.Os 17.Sh NAME 18.Nm ssh 19.Nd OpenSSH secure shell client (remote login program) 20.Sh SYNOPSIS --- 23 unchanged lines hidden (view full) --- 44.Ar port : 45.Ar host : 46.Ar hostport 47.Sm on 48.Xc 49.Oc 50.Op Ar hostname | user@hostname 51.Op Ar command |
53.Sh DESCRIPTION | 52.Sh DESCRIPTION |
54.Nm 55(Secure Shell) is a program for logging into a remote machine and for | 53.Nm 54(Secure Shell) is a program for logging into a remote machine and for |
56executing commands on a remote machine. It is intended to replace | 55executing commands on a remote machine. 56It is intended to replace |
57rlogin and rsh, and provide secure encrypted communications between | 57rlogin and rsh, and provide secure encrypted communications between |
58two untrusted hosts over an insecure network. X11 connections and | 58two untrusted hosts over an insecure network. 59X11 connections and |
59arbitrary TCP/IP ports can also be forwarded over the secure channel. 60.Pp 61.Nm | 60arbitrary TCP/IP ports can also be forwarded over the secure channel. 61.Pp 62.Nm |
62connects and logs into the specified | 63connects and logs into the specified |
63.Ar hostname . 64The user must prove 65his/her identity to the remote machine using one of several methods. 66.Pp 67First, if the machine the user logs in from is listed in 68.Pa /etc/hosts.equiv 69or | 64.Ar hostname . 65The user must prove 66his/her identity to the remote machine using one of several methods. 67.Pp 68First, if the machine the user logs in from is listed in 69.Pa /etc/hosts.equiv 70or |
70.Pa /etc/ssh/shosts.equiv | 71.Pa /etc/shosts.equiv |
71on the remote machine, and the user names are 72the same on both sides, the user is immediately permitted to log in. | 72on the remote machine, and the user names are 73the same on both sides, the user is immediately permitted to log in. |
73Second, if | 74Second, if |
74.Pa \&.rhosts 75or 76.Pa \&.shosts 77exists in the user's home directory on the 78remote machine and contains a line containing the name of the client 79machine and the name of the user on that machine, the user is | 75.Pa \&.rhosts 76or 77.Pa \&.shosts 78exists in the user's home directory on the 79remote machine and contains a line containing the name of the client 80machine and the name of the user on that machine, the user is |
80permitted to log in. This form of authentication alone is normally not | 81permitted to log in. 82This form of authentication alone is normally not |
81allowed by the server because it is not secure. 82.Pp 83The second (and primary) authentication method is the 84.Pa rhosts 85or 86.Pa hosts.equiv | 83allowed by the server because it is not secure. 84.Pp 85The second (and primary) authentication method is the 86.Pa rhosts 87or 88.Pa hosts.equiv |
87method combined with RSA-based host authentication. It 88means that if the login would be permitted by | 89method combined with RSA-based host authentication. 90It means that if the login would be permitted by |
89.Pa \&.rhosts , 90.Pa \&.shosts , 91.Pa /etc/hosts.equiv , 92or | 91.Pa \&.rhosts , 92.Pa \&.shosts , 93.Pa /etc/hosts.equiv , 94or |
93.Pa /etc/ssh/shosts.equiv , | 95.Pa /etc/shosts.equiv , |
94and if additionally the server can verify the client's | 96and if additionally the server can verify the client's |
95host key (see 96.Pa /etc/ssh/ssh_known_hosts | 97host key (see 98.Pa /etc/ssh_known_hosts |
97and 98.Pa $HOME/.ssh/known_hosts 99in the 100.Sx FILES | 99and 100.Pa $HOME/.ssh/known_hosts 101in the 102.Sx FILES |
101section), only then login is 102permitted. This authentication method closes security holes due to IP 103spoofing, DNS spoofing and routing spoofing. [Note to the 104administrator: | 103section), only then login is permitted. 104This authentication method closes security holes due to IP 105spoofing, DNS spoofing and routing spoofing. 106[Note to the administrator: |
105.Pa /etc/hosts.equiv , 106.Pa \&.rhosts , 107and the rlogin/rsh protocol in general, are inherently insecure and should be 108disabled if security is desired.] 109.Pp | 107.Pa /etc/hosts.equiv , 108.Pa \&.rhosts , 109and the rlogin/rsh protocol in general, are inherently insecure and should be 110disabled if security is desired.] 111.Pp |
110As a third authentication method, | 112As a third authentication method, |
111.Nm 112supports RSA based authentication. 113The scheme is based on public-key cryptography: there are cryptosystems 114where encryption and decryption are done using separate keys, and it 115is not possible to derive the decryption key from the encryption key. | 113.Nm 114supports RSA based authentication. 115The scheme is based on public-key cryptography: there are cryptosystems 116where encryption and decryption are done using separate keys, and it 117is not possible to derive the decryption key from the encryption key. |
116RSA is one such system. The idea is that each user creates a public/private 117key pair for authentication purposes. The 118server knows the public key, and only the user knows the private key. 119The file | 118RSA is one such system. 119The idea is that each user creates a public/private 120key pair for authentication purposes. 121The server knows the public key, and only the user knows the private key. 122The file |
120.Pa $HOME/.ssh/authorized_keys 121lists the public keys that are permitted for logging | 123.Pa $HOME/.ssh/authorized_keys 124lists the public keys that are permitted for logging |
122in. When the user logs in, the | 125in. 126When the user logs in, the |
123.Nm 124program tells the server which key pair it would like to use for | 127.Nm 128program tells the server which key pair it would like to use for |
125authentication. The server checks if this key is permitted, and if | 129authentication. 130The server checks if this key is permitted, and if |
126so, sends the user (actually the 127.Nm 128program running on behalf of the user) a challenge, a random number, | 131so, sends the user (actually the 132.Nm 133program running on behalf of the user) a challenge, a random number, |
129encrypted by the user's public key. The challenge can only be 130decrypted using the proper private key. The user's client then decrypts the | 134encrypted by the user's public key. 135The challenge can only be 136decrypted using the proper private key. 137The user's client then decrypts the |
131challenge using the private key, proving that he/she knows the private 132key but without disclosing it to the server. 133.Pp 134.Nm | 138challenge using the private key, proving that he/she knows the private 139key but without disclosing it to the server. 140.Pp 141.Nm |
135implements the RSA authentication protocol automatically. The user 136creates his/her RSA key pair by running | 142implements the RSA authentication protocol automatically. 143The user creates his/her RSA key pair by running |
137.Xr ssh-keygen 1 . | 144.Xr ssh-keygen 1 . |
138This stores the private key in | 145This stores the private key in |
139.Pa \&.ssh/identity 140and the public key in 141.Pa \&.ssh/identity.pub | 146.Pa \&.ssh/identity 147and the public key in 148.Pa \&.ssh/identity.pub |
142in the user's home directory. The user should then 143copy the | 149in the user's home directory. 150The user should then copy the |
144.Pa identity.pub | 151.Pa identity.pub |
145to | 152to |
146.Pa \&.ssh/authorized_keys | 153.Pa \&.ssh/authorized_keys |
147in his/her home directory on the remote machine (the | 154in his/her home directory on the remote machine (the |
148.Pa authorized_keys | 155.Pa authorized_keys |
149file corresponds to the conventional | 156file corresponds to the conventional |
150.Pa \&.rhosts 151file, and has one key | 157.Pa \&.rhosts 158file, and has one key |
152per line, though the lines can be very long). After this, the user 153can log in without giving the password. RSA authentication is much | 159per line, though the lines can be very long). 160After this, the user can log in without giving the password. 161RSA authentication is much |
154more secure than rhosts authentication. 155.Pp 156The most convenient way to use RSA authentication may be with an | 162more secure than rhosts authentication. 163.Pp 164The most convenient way to use RSA authentication may be with an |
157authentication agent. See | 165authentication agent. 166See |
158.Xr ssh-agent 1 159for more information. 160.Pp | 167.Xr ssh-agent 1 168for more information. 169.Pp |
161If other authentication methods fail, | 170If other authentication methods fail, |
162.Nm | 171.Nm |
163prompts the user for a password. The password is sent to the remote | 172prompts the user for a password. 173The password is sent to the remote |
164host for checking; however, since all communications are encrypted, 165the password cannot be seen by someone listening on the network. 166.Pp 167When the user's identity has been accepted by the server, the server 168either executes the given command, or logs into the machine and gives | 174host for checking; however, since all communications are encrypted, 175the password cannot be seen by someone listening on the network. 176.Pp 177When the user's identity has been accepted by the server, the server 178either executes the given command, or logs into the machine and gives |
169the user a normal shell on the remote machine. All communication with | 179the user a normal shell on the remote machine. 180All communication with |
170the remote command or shell will be automatically encrypted. 171.Pp 172If a pseudo-terminal has been allocated (normal login session), the 173user can disconnect with 174.Ic ~. , 175and suspend 176.Nm 177with 178.Ic ~^Z . 179All forwarded connections can be listed with | 181the remote command or shell will be automatically encrypted. 182.Pp 183If a pseudo-terminal has been allocated (normal login session), the 184user can disconnect with 185.Ic ~. , 186and suspend 187.Nm 188with 189.Ic ~^Z . 190All forwarded connections can be listed with |
180.Ic ~# | 191.Ic ~# |
181and if 182the session blocks waiting for forwarded X11 or TCP/IP 183connections to terminate, it can be backgrounded with 184.Ic ~& 185(this should not be used while the user shell is active, as it can cause the | 192and if 193the session blocks waiting for forwarded X11 or TCP/IP 194connections to terminate, it can be backgrounded with 195.Ic ~& 196(this should not be used while the user shell is active, as it can cause the |
186shell to hang). All available escapes can be listed with | 197shell to hang). 198All available escapes can be listed with |
187.Ic ~? . 188.Pp 189A single tilde character can be sent as 190.Ic ~~ 191(or by following the tilde by a character other than those described above). 192The escape character must always follow a newline to be interpreted as | 199.Ic ~? . 200.Pp 201A single tilde character can be sent as 202.Ic ~~ 203(or by following the tilde by a character other than those described above). 204The escape character must always follow a newline to be interpreted as |
193special. The escape character can be changed in configuration files | 205special. 206The escape character can be changed in configuration files |
194or on the command line. 195.Pp 196If no pseudo tty has been allocated, the 197session is transparent and can be used to reliably transfer binary | 207or on the command line. 208.Pp 209If no pseudo tty has been allocated, the 210session is transparent and can be used to reliably transfer binary |
198data. On most systems, setting the escape character to | 211data. 212On most systems, setting the escape character to |
199.Dq none 200will also make the session transparent even if a tty is used. 201.Pp 202The session terminates when the command or shell in on the remote 203machine exists and all X11 and TCP/IP connections have been closed. 204The exit status of the remote program is returned as the exit status 205of 206.Nm ssh . 207.Pp 208If the user is using X11 (the 209.Ev DISPLAY 210environment variable is set), the connection to the X11 display is 211automatically forwarded to the remote side in such a way that any X11 212programs started from the shell (or command) will go through the 213encrypted channel, and the connection to the real X server will be made | 213.Dq none 214will also make the session transparent even if a tty is used. 215.Pp 216The session terminates when the command or shell in on the remote 217machine exists and all X11 and TCP/IP connections have been closed. 218The exit status of the remote program is returned as the exit status 219of 220.Nm ssh . 221.Pp 222If the user is using X11 (the 223.Ev DISPLAY 224environment variable is set), the connection to the X11 display is 225automatically forwarded to the remote side in such a way that any X11 226programs started from the shell (or command) will go through the 227encrypted channel, and the connection to the real X server will be made |
214from the local machine. The user should not manually set | 228from the local machine. 229The user should not manually set |
215.Ev DISPLAY . 216Forwarding of X11 connections can be 217configured on the command line or in configuration files. 218.Pp 219The | 230.Ev DISPLAY . 231Forwarding of X11 connections can be 232configured on the command line or in configuration files. 233.Pp 234The |
220.Ev DISPLAY | 235.Ev DISPLAY |
221value set by 222.Nm 223will point to the server machine, but with a display number greater | 236value set by 237.Nm 238will point to the server machine, but with a display number greater |
224than zero. This is normal, and happens because | 239than zero. 240This is normal, and happens because |
225.Nm 226creates a 227.Dq proxy 228X server on the server machine for forwarding the 229connections over the encrypted channel. 230.Pp 231.Nm 232will also automatically set up Xauthority data on the server machine. 233For this purpose, it will generate a random authorization cookie, 234store it in Xauthority on the server, and verify that any forwarded 235connections carry this cookie and replace it by the real cookie when | 241.Nm 242creates a 243.Dq proxy 244X server on the server machine for forwarding the 245connections over the encrypted channel. 246.Pp 247.Nm 248will also automatically set up Xauthority data on the server machine. 249For this purpose, it will generate a random authorization cookie, 250store it in Xauthority on the server, and verify that any forwarded 251connections carry this cookie and replace it by the real cookie when |
236the connection is opened. The real authentication cookie is never | 252the connection is opened. 253The real authentication cookie is never |
237sent to the server machine (and no cookies are sent in the plain). 238.Pp 239If the user is using an authentication agent, the connection to the agent 240is automatically forwarded to the remote side unless disabled on 241command line or in a configuration file. 242.Pp 243Forwarding of arbitrary TCP/IP connections over the secure channel can | 254sent to the server machine (and no cookies are sent in the plain). 255.Pp 256If the user is using an authentication agent, the connection to the agent 257is automatically forwarded to the remote side unless disabled on 258command line or in a configuration file. 259.Pp 260Forwarding of arbitrary TCP/IP connections over the secure channel can |
244be specified either on command line or in a configuration file. One 245possible application of TCP/IP forwarding is a secure connection to an 246electronic purse; another is going through firewalls. | 261be specified either on command line or in a configuration file. 262One possible application of TCP/IP forwarding is a secure connection to an 263electronic purse; another is going trough firewalls. |
247.Pp 248.Nm 249automatically maintains and checks a database containing RSA-based | 264.Pp 265.Nm 266automatically maintains and checks a database containing RSA-based |
250identifications for all hosts it has ever been used with. The 251database is stored in | 267identifications for all hosts it has ever been used with. 268The database is stored in |
252.Pa \&.ssh/known_hosts | 269.Pa \&.ssh/known_hosts |
253in the user's home directory. Additionally, the file 254.Pa /etc/ssh/ssh_known_hosts 255is automatically checked for known hosts. Any new hosts are 256automatically added to the user's file. If a host's identification | 270in the user's home directory. 271Additionally, the file 272.Pa /etc/ssh_known_hosts 273is automatically checked for known hosts. 274Any new hosts are automatically added to the user's file. 275If a host's identification |
257ever changes, 258.Nm 259warns about this and disables password authentication to prevent a | 276ever changes, 277.Nm 278warns about this and disables password authentication to prevent a |
260trojan horse from getting the user's password. Another purpose of | 279trojan horse from getting the user's password. 280Another purpose of |
261this mechanism is to prevent man-in-the-middle attacks which could | 281this mechanism is to prevent man-in-the-middle attacks which could |
262otherwise be used to circumvent the encryption. The | 282otherwise be used to circumvent the encryption. 283The |
263.Cm StrictHostKeyChecking 264option (see below) can be used to prevent logins to machines whose 265host key is not known or has changed. 266.Sh OPTIONS 267.Bl -tag -width Ds 268.It Fl a | 284.Cm StrictHostKeyChecking 285option (see below) can be used to prevent logins to machines whose 286host key is not known or has changed. 287.Sh OPTIONS 288.Bl -tag -width Ds 289.It Fl a |
269Disables forwarding of the authentication agent connection. This may 270also be specified on a per-host basis in the configuration file. | 290Disables forwarding of the authentication agent connection. 291This may also be specified on a per-host basis in the configuration file. |
271.It Fl c Ar blowfish|3des | 292.It Fl c Ar blowfish|3des |
272Selects the cipher to use for encrypting the session. | 293Selects the cipher to use for encrypting the session. |
273.Ar 3des | 294.Ar 3des |
274is used by default. It is believed to be secure. | 295is used by default. 296It is believed to be secure. |
275.Ar 3des 276(triple-des) is an encrypt-decrypt-encrypt triple with three different keys. 277It is presumably more secure than the 278.Ar des 279cipher which is no longer supported in ssh. 280.Ar blowfish 281is a fast block cipher, it appears very secure and is much faster than 282.Ar 3des . 283.It Fl e Ar ch|^ch|none 284Sets the escape character for sessions with a pty (default: 285.Ql ~ ) . | 297.Ar 3des 298(triple-des) is an encrypt-decrypt-encrypt triple with three different keys. 299It is presumably more secure than the 300.Ar des 301cipher which is no longer supported in ssh. 302.Ar blowfish 303is a fast block cipher, it appears very secure and is much faster than 304.Ar 3des . 305.It Fl e Ar ch|^ch|none 306Sets the escape character for sessions with a pty (default: 307.Ql ~ ) . |
286The escape character is only recognized at the beginning of a line. The 287escape character followed by a dot | 308The escape character is only recognized at the beginning of a line. 309The escape character followed by a dot |
288.Pq Ql \&. 289closes the connection, followed 290by control-Z suspends the connection, and followed by itself sends the | 310.Pq Ql \&. 311closes the connection, followed 312by control-Z suspends the connection, and followed by itself sends the |
291escape character once. Setting the character to | 313escape character once. 314Setting the character to |
292.Dq none 293disables any escapes and makes the session fully transparent. 294.It Fl f 295Requests 296.Nm | 315.Dq none 316disables any escapes and makes the session fully transparent. 317.It Fl f 318Requests 319.Nm |
297to go to background just before command execution. This is useful 298if | 320to go to background just before command execution. 321This is useful if |
299.Nm 300is going to ask for passwords or passphrases, but the user | 322.Nm 323is going to ask for passwords or passphrases, but the user |
301wants it in the background. This implies | 324wants it in the background. 325This implies |
302.Fl n . 303The recommended way to start X11 programs at a remote site is with 304something like 305.Ic ssh -f host xterm . 306.It Fl g 307Allows remote hosts to connect to local forwarded ports. 308.It Fl i Ar identity_file | 326.Fl n . 327The recommended way to start X11 programs at a remote site is with 328something like 329.Ic ssh -f host xterm . 330.It Fl g 331Allows remote hosts to connect to local forwarded ports. 332.It Fl i Ar identity_file |
309Selects the file from which the identity (private key) for 310RSA authentication is read. Default is | 333Selects the file from which the identity (private key) for 334RSA authentication is read. 335Default is |
311.Pa \&.ssh/identity | 336.Pa \&.ssh/identity |
312in the user's home directory. Identity files may also be specified on 313a per-host basis in the configuration file. It is possible to have 314multiple | 337in the user's home directory. 338Identity files may also be specified on 339a per-host basis in the configuration file. 340It is possible to have multiple |
315.Fl i 316options (and multiple identities specified in 317configuration files). 318.It Fl k | 341.Fl i 342options (and multiple identities specified in 343configuration files). 344.It Fl k |
319Disables forwarding of Kerberos tickets and AFS tokens. This may 320also be specified on a per-host basis in the configuration file. | 345Disables forwarding of Kerberos tickets and AFS tokens. 346This may also be specified on a per-host basis in the configuration file. |
321.It Fl l Ar login_name | 347.It Fl l Ar login_name |
322Specifies the user to log in as on the remote machine. This may also 323be specified on a per-host basis in the configuration file. | 348Specifies the user to log in as on the remote machine. 349This also may be specified on a per-host basis in the configuration file. |
324.It Fl n 325Redirects stdin from 326.Pa /dev/null 327(actually, prevents reading from stdin). 328This must be used when 329.Nm | 350.It Fl n 351Redirects stdin from 352.Pa /dev/null 353(actually, prevents reading from stdin). 354This must be used when 355.Nm |
330is run in the background. A common trick is to use this to run X11 331programs in a remote machine. For example, | 356is run in the background. 357A common trick is to use this to run X11 programs on a remote machine. 358For example, |
332.Ic ssh -n shadows.cs.hut.fi emacs & 333will start an emacs on shadows.cs.hut.fi, and the X11 334connection will be automatically forwarded over an encrypted channel. 335The 336.Nm 337program will be put in the background. 338(This does not work if 339.Nm 340needs to ask for a password or passphrase; see also the 341.Fl f 342option.) 343.It Fl o Ar option 344Can be used to give options in the format used in the config file. 345This is useful for specifying options for which there is no separate | 359.Ic ssh -n shadows.cs.hut.fi emacs & 360will start an emacs on shadows.cs.hut.fi, and the X11 361connection will be automatically forwarded over an encrypted channel. 362The 363.Nm 364program will be put in the background. 365(This does not work if 366.Nm 367needs to ask for a password or passphrase; see also the 368.Fl f 369option.) 370.It Fl o Ar option 371Can be used to give options in the format used in the config file. 372This is useful for specifying options for which there is no separate |
346command-line flag. The option has the same format as a line in the 347configuration file. | 373command-line flag. 374The option has the same format as a line in the configuration file. |
348.It Fl p Ar port | 375.It Fl p Ar port |
349Port to connect to on the remote host. This can be specified on a | 376Port to connect to on the remote host. 377This can be specified on a |
350per-host basis in the configuration file. 351.It Fl P 352Use a non-privileged port for outgoing connections. 353This can be used if your firewall does 354not permit connections from privileged ports. 355Note that this option turns off 356.Cm RhostsAuthentication 357and 358.Cm RhostsRSAAuthentication . 359.It Fl q | 378per-host basis in the configuration file. 379.It Fl P 380Use a non-privileged port for outgoing connections. 381This can be used if your firewall does 382not permit connections from privileged ports. 383Note that this option turns off 384.Cm RhostsAuthentication 385and 386.Cm RhostsRSAAuthentication . 387.It Fl q |
360Quiet mode. Causes all warning and diagnostic messages to be 361suppressed. Only fatal errors are displayed. | 388Quiet mode. 389Causes all warning and diagnostic messages to be suppressed. 390Only fatal errors are displayed. |
362.It Fl t | 391.It Fl t |
363Force pseudo-tty allocation. This can be used to execute arbitrary 364screen-based programs on a remote machine, which can be very useful 365e.g. when implementing menu services. | 392Force pseudo-tty allocation. 393This can be used to execute arbitrary 394screen-based programs on a remote machine, which can be very useful, 395e.g., when implementing menu services. |
366.It Fl v | 396.It Fl v |
367Verbose mode. Causes | 397Verbose mode. 398Causes |
368.Nm | 399.Nm |
369to print debugging messages about its progress. This is helpful in | 400to print debugging messages about its progress. 401This is helpful in |
370debugging connection, authentication, and configuration problems. 371The verbose mode is also used to display 372.Xr skey 1 373challenges, if the user entered "s/key" as password. 374.It Fl x | 402debugging connection, authentication, and configuration problems. 403The verbose mode is also used to display 404.Xr skey 1 405challenges, if the user entered "s/key" as password. 406.It Fl x |
375Disables X11 forwarding. This can also be specified on a per-host 376basis in a configuration file. | 407Disables X11 forwarding. 408This can also be specified on a per-host basis in a configuration file. |
377.It Fl X 378Enables X11 forwarding. 379.It Fl C 380Requests compression of all data (including stdin, stdout, stderr, and | 409.It Fl X 410Enables X11 forwarding. 411.It Fl C 412Requests compression of all data (including stdin, stdout, stderr, and |
381data for forwarded X11 and TCP/IP connections). The compression 382algorithm is the same used by | 413data for forwarded X11 and TCP/IP connections). 414The compression algorithm is the same used by |
383.Xr gzip 1 , 384and the 385.Dq level 386can be controlled by the 387.Cm CompressionLevel | 415.Xr gzip 1 , 416and the 417.Dq level 418can be controlled by the 419.Cm CompressionLevel |
388option (see below). Compression is desirable on modem lines and other | 420option (see below). 421Compression is desirable on modem lines and other |
389slow connections, but will only slow down things on fast networks. 390The default value can be set on a host-by-host basis in the 391configuration files; see the 392.Cm Compress 393option below. 394.It Fl L Ar port:host:hostport 395Specifies that the given port on the local (client) host is to be | 422slow connections, but will only slow down things on fast networks. 423The default value can be set on a host-by-host basis in the 424configuration files; see the 425.Cm Compress 426option below. 427.It Fl L Ar port:host:hostport 428Specifies that the given port on the local (client) host is to be |
396forwarded to the given host and port on the remote side. This works 397by allocating a socket to listen to | 429forwarded to the given host and port on the remote side. 430This works by allocating a socket to listen to |
398.Ar port 399on the local side, and whenever a connection is made to this port, the 400connection is forwarded over the secure channel, and a connection is 401made to 402.Ar host 403port 404.Ar hostport | 431.Ar port 432on the local side, and whenever a connection is made to this port, the 433connection is forwarded over the secure channel, and a connection is 434made to 435.Ar host 436port 437.Ar hostport |
405from the remote machine. Port forwardings can also be specified in the 406configuration file. Only root can forward privileged ports. | 438from the remote machine. 439Port forwardings can also be specified in the configuration file. 440Only root can forward privileged ports. |
407IPv6 addresses can be specified with an alternative syntax: 408.Ar port/host/hostport 409.It Fl R Ar port:host:hostport 410Specifies that the given port on the remote (server) host is to be | 441IPv6 addresses can be specified with an alternative syntax: 442.Ar port/host/hostport 443.It Fl R Ar port:host:hostport 444Specifies that the given port on the remote (server) host is to be |
411forwarded to the given host and port on the local side. This works 412by allocating a socket to listen to | 445forwarded to the given host and port on the local side. 446This works by allocating a socket to listen to |
413.Ar port 414on the remote side, and whenever a connection is made to this port, the 415connection is forwarded over the secure channel, and a connection is 416made to 417.Ar host 418port 419.Ar hostport | 447.Ar port 448on the remote side, and whenever a connection is made to this port, the 449connection is forwarded over the secure channel, and a connection is 450made to 451.Ar host 452port 453.Ar hostport |
420from the local machine. Port forwardings can also be specified in the 421configuration file. Privileged ports can be forwarded only when | 454from the local machine. 455Port forwardings can also be specified in the configuration file. 456Privileged ports can be forwarded only when |
422logging in as root on the remote machine. 423.It Fl 4 424Forces 425.Nm 426to use IPv4 addresses only. 427.It Fl 6 428Forces 429.Nm 430to use IPv6 addresses only. 431.El 432.Sh CONFIGURATION FILES 433.Nm 434obtains configuration data from the following sources (in this order): 435command line options, user's configuration file 436.Pq Pa $HOME/.ssh/config , 437and system-wide configuration file | 457logging in as root on the remote machine. 458.It Fl 4 459Forces 460.Nm 461to use IPv4 addresses only. 462.It Fl 6 463Forces 464.Nm 465to use IPv6 addresses only. 466.El 467.Sh CONFIGURATION FILES 468.Nm 469obtains configuration data from the following sources (in this order): 470command line options, user's configuration file 471.Pq Pa $HOME/.ssh/config , 472and system-wide configuration file |
438.Pq Pa /etc/ssh/ssh_config . | 473.Pq Pa /etc/ssh_config . |
439For each parameter, the first obtained value | 474For each parameter, the first obtained value |
440will be used. The configuration files contain sections bracketed by 441"Host" specifications, and that section is only applied for hosts that 442match one of the patterns given in the specification. The matched 443host name is the one given on the command line. | 475will be used. 476The configuration files contain sections bracketed by 477.Dq Host 478specifications, and that section is only applied for hosts that 479match one of the patterns given in the specification. 480The matched host name is the one given on the command line. |
444.Pp 445Since the first obtained value for each parameter is used, more 446host-specific declarations should be given near the beginning of the 447file, and general defaults at the end. 448.Pp 449The configuration file has the following format: 450.Pp 451Empty lines and lines starting with --- 10 unchanged lines hidden (view full) --- 462Restricts the following declarations (up to the next 463.Cm Host 464keyword) to be only for those hosts that match one of the patterns 465given after the keyword. 466.Ql \&* 467and 468.Ql ? 469can be used as wildcards in the | 481.Pp 482Since the first obtained value for each parameter is used, more 483host-specific declarations should be given near the beginning of the 484file, and general defaults at the end. 485.Pp 486The configuration file has the following format: 487.Pp 488Empty lines and lines starting with --- 10 unchanged lines hidden (view full) --- 499Restricts the following declarations (up to the next 500.Cm Host 501keyword) to be only for those hosts that match one of the patterns 502given after the keyword. 503.Ql \&* 504and 505.Ql ? 506can be used as wildcards in the |
470patterns. A single | 507patterns. 508A single |
471.Ql \&* 472as a pattern can be used to provide global | 509.Ql \&* 510as a pattern can be used to provide global |
473defaults for all hosts. The host is the | 511defaults for all hosts. 512The host is the |
474.Ar hostname 475argument given on the command line (i.e., the name is not converted to 476a canonicalized host name before matching). 477.It Cm AFSTokenPassing | 513.Ar hostname 514argument given on the command line (i.e., the name is not converted to 515a canonicalized host name before matching). 516.It Cm AFSTokenPassing |
478Specifies whether to pass AFS tokens to remote host. The argument to 479this keyword must be | 517Specifies whether to pass AFS tokens to remote host. 518The argument to this keyword must be |
480.Dq yes 481or 482.Dq no . 483.It Cm BatchMode 484If set to 485.Dq yes , | 519.Dq yes 520or 521.Dq no . 522.It Cm BatchMode 523If set to 524.Dq yes , |
486passphrase/password querying will be disabled. This 487option is useful in scripts and other batch jobs where you have no 488user to supply the password. The argument must be | 525passphrase/password querying will be disabled. 526This option is useful in scripts and other batch jobs where you have no 527user to supply the password. 528The argument must be |
489.Dq yes 490or 491.Dq no . 492.It Cm CheckHostIP 493If this flag is set to 494.Dq yes , 495ssh will additionally check the host ip address in the 496.Pa known_hosts | 529.Dq yes 530or 531.Dq no . 532.It Cm CheckHostIP 533If this flag is set to 534.Dq yes , 535ssh will additionally check the host ip address in the 536.Pa known_hosts |
497file. This allows ssh to detect if a host key changed due to DNS spoofing. | 537file. 538This allows ssh to detect if a host key changed due to DNS spoofing. |
498If the option is set to 499.Dq no , 500the check will not be executed. 501.It Cm Cipher | 539If the option is set to 540.Dq no , 541the check will not be executed. 542.It Cm Cipher |
502Specifies the cipher to use for encrypting the session. Currently, | 543Specifies the cipher to use for encrypting the session. 544Currently, |
503.Dq blowfish , 504and 505.Dq 3des | 545.Dq blowfish , 546and 547.Dq 3des |
506are supported. The default is | 548are supported. 549The default is |
507.Dq 3des . 508.It Cm Compression | 550.Dq 3des . 551.It Cm Compression |
509Specifies whether to use compression. The argument must be | 552Specifies whether to use compression. 553The argument must be |
510.Dq yes 511or 512.Dq no . 513.It Cm CompressionLevel | 554.Dq yes 555or 556.Dq no . 557.It Cm CompressionLevel |
514Specifies the compression level to use if compression is enable. The 515argument must be an integer from 1 (fast) to 9 (slow, best). The 516default level is 6, which is good for most applications. The meaning 517of the values is the same as in | 558Specifies the compression level to use if compression is enable. 559The argument must be an integer from 1 (fast) to 9 (slow, best). 560The default level is 6, which is good for most applications. 561The meaning of the values is the same as in |
518.Xr gzip 1 . 519.It Cm ConnectionAttempts 520Specifies the number of tries (one per second) to make before falling | 562.Xr gzip 1 . 563.It Cm ConnectionAttempts 564Specifies the number of tries (one per second) to make before falling |
521back to rsh or exiting. The argument must be an integer. This may be 522useful in scripts if the connection sometimes fails. | 565back to rsh or exiting. 566The argument must be an integer. 567This may be useful in scripts if the connection sometimes fails. |
523.It Cm EscapeChar 524Sets the escape character (default: 525.Ql ~ ) . 526The escape character can also | 568.It Cm EscapeChar 569Sets the escape character (default: 570.Ql ~ ) . 571The escape character can also |
527be set on the command line. The argument should be a single 528character, | 572be set on the command line. 573The argument should be a single character, |
529.Ql ^ 530followed by a letter, or 531.Dq none 532to disable the escape 533character entirely (making the connection transparent for binary 534data). | 574.Ql ^ 575followed by a letter, or 576.Dq none 577to disable the escape 578character entirely (making the connection transparent for binary 579data). |
535.It Cm FallBackToRsh | 580.It Cm FallBackToRsh |
536Specifies that if connecting via 537.Nm 538fails due to a connection refused error (there is no 539.Xr sshd 8 | 581Specifies that if connecting via 582.Nm 583fails due to a connection refused error (there is no 584.Xr sshd 8 |
540listening on the remote host), | 585listening on the remote host), |
541.Xr rsh 1 542should automatically be used instead (after a suitable warning about | 586.Xr rsh 1 587should automatically be used instead (after a suitable warning about |
543the session being unencrypted). The argument must be | 588the session being unencrypted). 589The argument must be |
544.Dq yes 545or 546.Dq no . 547.It Cm ForwardAgent 548Specifies whether the connection to the authentication agent (if any) | 590.Dq yes 591or 592.Dq no . 593.It Cm ForwardAgent 594Specifies whether the connection to the authentication agent (if any) |
549will be forwarded to the remote machine. The argument must be | 595will be forwarded to the remote machine. 596The argument must be |
550.Dq yes 551or 552.Dq no . 553.It Cm ForwardX11 554Specifies whether X11 connections will be automatically redirected | 597.Dq yes 598or 599.Dq no . 600.It Cm ForwardX11 601Specifies whether X11 connections will be automatically redirected |
555over the secure channel and | 602over the secure channel and |
556.Ev DISPLAY | 603.Ev DISPLAY |
557set. The argument must be | 604set. 605The argument must be |
558.Dq yes 559or 560.Dq no . 561The default is 562.Dq no . 563.It Cm GatewayPorts 564Specifies whether remote hosts are allowed to connect to local 565forwarded ports. 566The argument must be 567.Dq yes 568or 569.Dq no . 570The default is 571.Dq no . 572.It Cm GlobalKnownHostsFile | 606.Dq yes 607or 608.Dq no . 609The default is 610.Dq no . 611.It Cm GatewayPorts 612Specifies whether remote hosts are allowed to connect to local 613forwarded ports. 614The argument must be 615.Dq yes 616or 617.Dq no . 618The default is 619.Dq no . 620.It Cm GlobalKnownHostsFile |
573Specifies a file to use instead of 574.Pa /etc/ssh/ssh_known_hosts . | 621Specifies a file to use instead of 622.Pa /etc/ssh_known_hosts . |
575.It Cm HostName | 623.It Cm HostName |
576Specifies the real host name to log into. This can be used to specify 577nicknames or abbreviations for hosts. Default is the name given on the 578command line. Numeric IP addresses are also permitted (both on the 579command line and in | 624Specifies the real host name to log into. 625This can be used to specify nicknames or abbreviations for hosts. 626Default is the name given on the command line. 627Numeric IP addresses are also permitted (both on the command line and in |
580.Cm HostName 581specifications). 582.It Cm IdentityFile 583Specifies the file from which the user's RSA authentication identity 584is read (default 585.Pa .ssh/identity 586in the user's home directory). 587Additionally, any identities represented by the authentication agent | 628.Cm HostName 629specifications). 630.It Cm IdentityFile 631Specifies the file from which the user's RSA authentication identity 632is read (default 633.Pa .ssh/identity 634in the user's home directory). 635Additionally, any identities represented by the authentication agent |
588will be used for authentication. The file name may use the tilde 589syntax to refer to a user's home directory. It is possible to have | 636will be used for authentication. 637The file name may use the tilde 638syntax to refer to a user's home directory. 639It is possible to have |
590multiple identity files specified in configuration files; all these 591identities will be tried in sequence. 592.It Cm KeepAlive 593Specifies whether the system should send keepalive messages to the | 640multiple identity files specified in configuration files; all these 641identities will be tried in sequence. 642.It Cm KeepAlive 643Specifies whether the system should send keepalive messages to the |
594other side. If they are sent, death of the connection or crash of one 595of the machines will be properly noticed. However, this means that | 644other side. 645If they are sent, death of the connection or crash of one 646of the machines will be properly noticed. 647However, this means that |
596connections will die if the route is down temporarily, and some people 597find it annoying. 598.Pp 599The default is 600.Dq yes 601(to send keepalives), and the client will notice | 648connections will die if the route is down temporarily, and some people 649find it annoying. 650.Pp 651The default is 652.Dq yes 653(to send keepalives), and the client will notice |
602if the network goes down or the remote host dies. This is important 603in scripts, and many users want it too. | 654if the network goes down or the remote host dies. 655This is important in scripts, and many users want it too. |
604.Pp 605To disable keepalives, the value should be set to 606.Dq no 607in both the server and the client configuration files. 608.It Cm KerberosAuthentication | 656.Pp 657To disable keepalives, the value should be set to 658.Dq no 659in both the server and the client configuration files. 660.It Cm KerberosAuthentication |
609Specifies whether Kerberos authentication will be used. The argument to 610this keyword must be | 661Specifies whether Kerberos authentication will be used. 662The argument to this keyword must be |
611.Dq yes 612or 613.Dq no . 614.It Cm KerberosTgtPassing | 663.Dq yes 664or 665.Dq no . 666.It Cm KerberosTgtPassing |
615Specifies whether a Kerberos TGT will be forwarded to the server. This 616will only work if the Kerberos server is actually an AFS kaserver. The 617argument to this keyword must be | 667Specifies whether a Kerberos TGT will be forwarded to the server. 668This will only work if the Kerberos server is actually an AFS kaserver. 669The argument to this keyword must be |
618.Dq yes 619or 620.Dq no . 621.It Cm LocalForward 622Specifies that a TCP/IP port on the local machine be forwarded over | 670.Dq yes 671or 672.Dq no . 673.It Cm LocalForward 674Specifies that a TCP/IP port on the local machine be forwarded over |
623the secure channel to given host:port from the remote machine. The 624first argument must be a port number, and the second must be 625host:port. Multiple forwardings may be specified, and additional 626forwardings can be given on the command line. Only the root can 627forward privileged ports. | 675the secure channel to given host:port from the remote machine. 676The first argument must be a port number, and the second must be 677host:port. 678Multiple forwardings may be specified, and additional 679forwardings can be given on the command line. 680Only the superuser can forward privileged ports. |
628.It Cm LogLevel 629Gives the verbosity level that is used when logging messages from 630.Nm ssh . 631The possible values are: | 681.It Cm LogLevel 682Gives the verbosity level that is used when logging messages from 683.Nm ssh . 684The possible values are: |
632QUIET, FATAL, ERROR, INFO, CHAT and DEBUG. | 685QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG. |
633The default is INFO. 634.It Cm NumberOfPasswordPrompts | 686The default is INFO. 687.It Cm NumberOfPasswordPrompts |
635Specifies the number of password prompts before giving up. The 636argument to this keyword must be an integer. Default is 3. | 688Specifies the number of password prompts before giving up. 689The argument to this keyword must be an integer. 690Default is 3. |
637.It Cm PasswordAuthentication | 691.It Cm PasswordAuthentication |
638Specifies whether to use password authentication. The argument to 639this keyword must be | 692Specifies whether to use password authentication. 693The argument to this keyword must be |
640.Dq yes 641or 642.Dq no . 643.It Cm Port | 694.Dq yes 695or 696.Dq no . 697.It Cm Port |
644Specifies the port number to connect on the remote host. Default is 64522. | 698Specifies the port number to connect on the remote host. 699Default is 22. |
646.It Cm ProxyCommand | 700.It Cm ProxyCommand |
647Specifies the command to use to connect to the server. The command | 701Specifies the command to use to connect to the server. 702The command |
648string extends to the end of the line, and is executed with 649.Pa /bin/sh . 650In the command string, | 703string extends to the end of the line, and is executed with 704.Pa /bin/sh . 705In the command string, |
651.Dq %h | 706.Ql %h |
652will be substituted by the host name to 653connect and | 707will be substituted by the host name to 708connect and |
654.Dq %p 655by the port. The command can be basically anything, 656and should read from its stdin and write to its stdout. It should 657eventually connect an | 709.Ql %p 710by the port. 711The command can be basically anything, 712and should read from its standard input and write to its standard output. 713It should eventually connect an |
658.Xr sshd 8 659server running on some machine, or execute 660.Ic sshd -i | 714.Xr sshd 8 715server running on some machine, or execute 716.Ic sshd -i |
661somewhere. Host key management will be done using the | 717somewhere. 718Host key management will be done using the |
662HostName of the host being connected (defaulting to the name typed by 663the user). 664Note that 665.Cm CheckHostIP 666is not available for connects with a proxy command. 667.Pp 668.It Cm RemoteForward 669Specifies that a TCP/IP port on the remote machine be forwarded over | 719HostName of the host being connected (defaulting to the name typed by 720the user). 721Note that 722.Cm CheckHostIP 723is not available for connects with a proxy command. 724.Pp 725.It Cm RemoteForward 726Specifies that a TCP/IP port on the remote machine be forwarded over |
670the secure channel to given host:port from the local machine. The 671first argument must be a port number, and the second must be 672host:port. Multiple forwardings may be specified, and additional 673forwardings can be given on the command line. Only the root can 674forward privileged ports. | 727the secure channel to given host:port from the local machine. 728The first argument must be a port number, and the second must be 729host:port. 730Multiple forwardings may be specified, and additional 731forwardings can be given on the command line. 732Only the superuser can forward privileged ports. |
675.It Cm RhostsAuthentication | 733.It Cm RhostsAuthentication |
676Specifies whether to try rhosts based authentication. Note that this | 734Specifies whether to try rhosts based authentication. 735Note that this |
677declaration only affects the client side and has no effect whatsoever | 736declaration only affects the client side and has no effect whatsoever |
678on security. Disabling rhosts authentication may reduce | 737on security. 738Disabling rhosts authentication may reduce |
679authentication time on slow connections when rhosts authentication is | 739authentication time on slow connections when rhosts authentication is |
680not used. Most servers do not permit RhostsAuthentication because it 681is not secure (see RhostsRSAAuthentication). The argument to this 682keyword must be | 740not used. 741Most servers do not permit RhostsAuthentication because it 742is not secure (see RhostsRSAAuthentication). 743The argument to this keyword must be |
683.Dq yes 684or 685.Dq no . 686.It Cm RhostsRSAAuthentication 687Specifies whether to try rhosts based authentication with RSA host | 744.Dq yes 745or 746.Dq no . 747.It Cm RhostsRSAAuthentication 748Specifies whether to try rhosts based authentication with RSA host |
688authentication. This is the primary authentication method for most 689sites. The argument must be | 749authentication. 750This is the primary authentication method for most sites. 751The argument must be |
690.Dq yes 691or 692.Dq no . 693.It Cm RSAAuthentication | 752.Dq yes 753or 754.Dq no . 755.It Cm RSAAuthentication |
694Specifies whether to try RSA authentication. The argument to this 695keyword must be | 756Specifies whether to try RSA authentication. 757The argument to this keyword must be |
696.Dq yes 697or 698.Dq no . 699RSA authentication will only be 700attempted if the identity file exists, or an authentication agent is 701running. 702.It Cm SkeyAuthentication 703Specifies whether to use 704.Xr skey 1 | 758.Dq yes 759or 760.Dq no . 761RSA authentication will only be 762attempted if the identity file exists, or an authentication agent is 763running. 764.It Cm SkeyAuthentication 765Specifies whether to use 766.Xr skey 1 |
705authentication. The argument to 706this keyword must be | 767authentication. 768The argument to this keyword must be |
707.Dq yes 708or 709.Dq no . 710The default is 711.Dq no . 712.It Cm StrictHostKeyChecking 713If this flag is set to | 769.Dq yes 770or 771.Dq no . 772The default is 773.Dq no . 774.It Cm StrictHostKeyChecking 775If this flag is set to |
714.Dq yes , | 776.Dq yes , |
715.Nm 716ssh will never automatically add host keys to the 717.Pa $HOME/.ssh/known_hosts | 777.Nm 778ssh will never automatically add host keys to the 779.Pa $HOME/.ssh/known_hosts |
718file, and refuses to connect hosts whose host key has changed. This 719provides maximum protection against trojan horse attacks. However, it 720can be somewhat annoying if you don't have good 721.Pa /etc/ssh/ssh_known_hosts | 780file, and refuses to connect hosts whose host key has changed. 781This provides maximum protection against trojan horse attacks. 782However, it can be somewhat annoying if you don't have good 783.Pa /etc/ssh_known_hosts |
722files installed and frequently | 784files installed and frequently |
723connect new hosts. Basically this option forces the user to manually 724add any new hosts. Normally this option is disabled, and new hosts 725will automatically be added to the known host files. The host keys of 726known hosts will be verified automatically in either case. The 727argument must be | 785connect new hosts. 786Basically this option forces the user to manually 787add any new hosts. 788Normally this option is disabled, and new hosts 789will automatically be added to the known host files. 790The host keys of 791known hosts will be verified automatically in either case. 792The argument must be |
728.Dq yes 729or 730.Dq no . 731.It Cm UsePrivilegedPort 732Specifies whether to use a privileged port for outgoing connections. 733The argument must be 734.Dq yes 735or 736.Dq no . 737The default is 738.Dq yes . 739Note that setting this option to 740.Dq no 741turns off 742.Cm RhostsAuthentication 743and 744.Cm RhostsRSAAuthentication . 745.It Cm User | 793.Dq yes 794or 795.Dq no . 796.It Cm UsePrivilegedPort 797Specifies whether to use a privileged port for outgoing connections. 798The argument must be 799.Dq yes 800or 801.Dq no . 802The default is 803.Dq yes . 804Note that setting this option to 805.Dq no 806turns off 807.Cm RhostsAuthentication 808and 809.Cm RhostsRSAAuthentication . 810.It Cm User |
746Specifies the user to log in as. This can be useful if you have a 747different user name in different machines. This saves the trouble of | 811Specifies the user to log in as. 812This can be useful if you have a different user name on different machines. 813This saves the trouble of |
748having to remember to give the user name on the command line. 749.It Cm UserKnownHostsFile 750Specifies a file to use instead of 751.Pa $HOME/.ssh/known_hosts . 752.It Cm UseRsh | 814having to remember to give the user name on the command line. 815.It Cm UserKnownHostsFile 816Specifies a file to use instead of 817.Pa $HOME/.ssh/known_hosts . 818.It Cm UseRsh |
753Specifies that rlogin/rsh should be used for this host. It is 754possible that the host does not at all support the | 819Specifies that rlogin/rsh should be used for this host. 820It is possible that the host does not at all support the |
755.Nm | 821.Nm |
756protocol. This causes | 822protocol. 823This causes |
757.Nm | 824.Nm |
758to immediately exec | 825to immediately execute |
759.Xr rsh 1 . 760All other options (except 761.Cm HostName ) | 826.Xr rsh 1 . 827All other options (except 828.Cm HostName ) |
762are ignored if this has been specified. The argument must be | 829are ignored if this has been specified. 830The argument must be |
763.Dq yes 764or 765.Dq no . 766.Sh ENVIRONMENT 767.Nm 768will normally set the following environment variables: 769.Bl -tag -width Ds 770.It Ev DISPLAY 771The 772.Ev DISPLAY | 831.Dq yes 832or 833.Dq no . 834.Sh ENVIRONMENT 835.Nm 836will normally set the following environment variables: 837.Bl -tag -width Ds 838.It Ev DISPLAY 839The 840.Ev DISPLAY |
773variable indicates the location of the X11 server. It is 774automatically set by | 841variable indicates the location of the X11 server. 842It is automatically set by |
775.Nm 776to point to a value of the form 777.Dq hostname:n 778where hostname indicates | 843.Nm 844to point to a value of the form 845.Dq hostname:n 846where hostname indicates |
779the host where the shell runs, and n is an integer \*(>= 1. Ssh uses 780this special value to forward X11 connections over the secure 781channel. The user should normally not set DISPLAY explicitly, as that | 847the host where the shell runs, and n is an integer >= 1. 848.Nm 849uses this special value to forward X11 connections over the secure 850channel. 851The user should normally not set DISPLAY explicitly, as that |
782will render the X11 connection insecure (and will require the user to 783manually copy any required authorization cookies). 784.It Ev HOME 785Set to the path of the user's home directory. 786.It Ev LOGNAME 787Synonym for 788.Ev USER ; 789set for compatibility with systems that use this variable. 790.It Ev MAIL 791Set to point the user's mailbox. | 852will render the X11 connection insecure (and will require the user to 853manually copy any required authorization cookies). 854.It Ev HOME 855Set to the path of the user's home directory. 856.It Ev LOGNAME 857Synonym for 858.Ev USER ; 859set for compatibility with systems that use this variable. 860.It Ev MAIL 861Set to point the user's mailbox. |
792.It Ev PATH | 862.It Ev PATH |
793Set to the default 794.Ev PATH , 795as specified when compiling 796.Nm ssh . 797.It Ev SSH_AUTH_SOCK 798indicates the path of a unix-domain socket used to communicate with the 799agent. 800.It Ev SSH_CLIENT | 863Set to the default 864.Ev PATH , 865as specified when compiling 866.Nm ssh . 867.It Ev SSH_AUTH_SOCK 868indicates the path of a unix-domain socket used to communicate with the 869agent. 870.It Ev SSH_CLIENT |
801Identifies the client end of the connection. The variable contains | 871Identifies the client end of the connection. 872The variable contains |
802three space-separated values: client ip-address, client port number, 803and server port number. 804.It Ev SSH_TTY 805This is set to the name of the tty (path to the device) associated | 873three space-separated values: client ip-address, client port number, 874and server port number. 875.It Ev SSH_TTY 876This is set to the name of the tty (path to the device) associated |
806with the current shell or command. If the current session has no tty, | 877with the current shell or command. 878If the current session has no tty, |
807this variable is not set. 808.It Ev TZ 809The timezone variable is set to indicate the present timezone if it 810was set when the daemon was started (e.i., the daemon passes the value 811on to new connections). 812.It Ev USER 813Set to the name of the user logging in. 814.El 815.Pp | 879this variable is not set. 880.It Ev TZ 881The timezone variable is set to indicate the present timezone if it 882was set when the daemon was started (e.i., the daemon passes the value 883on to new connections). 884.It Ev USER 885Set to the name of the user logging in. 886.El 887.Pp |
816Additionally, | 888Additionally, |
817.Nm | 889.Nm |
818reads 819.Pa $HOME/.ssh/environment , | 890reads 891.Pa $HOME/.ssh/environment , |
820and adds lines of the format 821.Dq VARNAME=value 822to the environment. 823.Sh FILES 824.Bl -tag -width Ds 825.It Pa $HOME/.ssh/known_hosts 826Records host keys for all hosts the user has logged into (that are not 827in | 892and adds lines of the format 893.Dq VARNAME=value 894to the environment. 895.Sh FILES 896.Bl -tag -width Ds 897.It Pa $HOME/.ssh/known_hosts 898Records host keys for all hosts the user has logged into (that are not 899in |
828.Pa /etc/ssh/ssh_known_hosts ) . | 900.Pa /etc/ssh_known_hosts ) . |
829See 830.Xr sshd 8 . 831.It Pa $HOME/.ssh/identity | 901See 902.Xr sshd 8 . 903.It Pa $HOME/.ssh/identity |
832Contains the RSA authentication identity of the user. This file | 904Contains the RSA authentication identity of the user. 905This file |
833contains sensitive data and should be readable by the user but not 834accessible by others (read/write/execute). 835Note that 836.Nm 837ignores this file if it is accessible by others. 838It is possible to specify a passphrase when 839generating the key; the passphrase will be used to encrypt the 840sensitive part of this file using 3DES. | 906contains sensitive data and should be readable by the user but not 907accessible by others (read/write/execute). 908Note that 909.Nm 910ignores this file if it is accessible by others. 911It is possible to specify a passphrase when 912generating the key; the passphrase will be used to encrypt the 913sensitive part of this file using 3DES. |
841.It Pa $HOME/.ssh/identity.pub | 914.It Pa $HOME/.ssh/identity.pub |
842Contains the public key for authentication (public part of the | 915Contains the public key for authentication (public part of the |
843identity file in human-readable form). The contents of this file 844should be added to | 916identity file in human-readable form). 917The contents of this file should be added to |
845.Pa $HOME/.ssh/authorized_keys 846on all machines | 918.Pa $HOME/.ssh/authorized_keys 919on all machines |
847where you wish to log in using RSA authentication. This file is not 848sensitive and can (but need not) be readable by anyone. This file is | 920where you wish to log in using RSA authentication. 921This file is not 922sensitive and can (but need not) be readable by anyone. 923This file is |
849never used automatically and is not necessary; it is only provided for 850the convenience of the user. 851.It Pa $HOME/.ssh/config | 924never used automatically and is not necessary; it is only provided for 925the convenience of the user. 926.It Pa $HOME/.ssh/config |
852This is the per-user configuration file. The format of this file is 853described above. This file is used by the | 927This is the per-user configuration file. 928The format of this file is described above. 929This file is used by the |
854.Nm | 930.Nm |
855client. This file does not usually contain any sensitive information, | 931client. 932This file does not usually contain any sensitive information, |
856but the recommended permissions are read/write for the user, and not 857accessible by others. 858.It Pa $HOME/.ssh/authorized_keys | 933but the recommended permissions are read/write for the user, and not 934accessible by others. 935.It Pa $HOME/.ssh/authorized_keys |
859Lists the RSA keys that can be used for logging in as this user. The 860format of this file is described in the | 936Lists the RSA keys that can be used for logging in as this user. 937The format of this file is described in the |
861.Xr sshd 8 | 938.Xr sshd 8 |
862manual page. In the simplest form the format is the same as the .pub | 939manual page. 940In the simplest form the format is the same as the .pub |
863identity files (that is, each line contains the number of bits in 864modulus, public exponent, modulus, and comment fields, separated by | 941identity files (that is, each line contains the number of bits in 942modulus, public exponent, modulus, and comment fields, separated by |
865spaces). This file is not highly sensitive, but the recommended | 943spaces). 944This file is not highly sensitive, but the recommended |
866permissions are read/write for the user, and not accessible by others. | 945permissions are read/write for the user, and not accessible by others. |
867.It Pa /etc/ssh/ssh_known_hosts 868Systemwide list of known host keys. This file should be prepared by the | 946.It Pa /etc/ssh_known_hosts 947Systemwide list of known host keys. 948This file should be prepared by the |
869system administrator to contain the public host keys of all machines in the | 949system administrator to contain the public host keys of all machines in the |
870organization. This file should be world-readable. This file contains | 950organization. 951This file should be world-readable. 952This file contains |
871public keys, one per line, in the following format (fields separated 872by spaces): system name, number of bits in modulus, public exponent, | 953public keys, one per line, in the following format (fields separated 954by spaces): system name, number of bits in modulus, public exponent, |
873modulus, and optional comment field. When different names are used | 955modulus, and optional comment field. 956When different names are used |
874for the same machine, all such names should be listed, separated by | 957for the same machine, all such names should be listed, separated by |
875commas. The format is described on the | 958commas. 959The format is described on the |
876.Xr sshd 8 877manual page. 878.Pp 879The canonical system name (as returned by name servers) is used by 880.Xr sshd 8 881to verify the client host when logging in; other names are needed because 882.Nm 883does not convert the user-supplied name to a canonical name before 884checking the key, because someone with access to the name servers 885would then be able to fool host authentication. | 960.Xr sshd 8 961manual page. 962.Pp 963The canonical system name (as returned by name servers) is used by 964.Xr sshd 8 965to verify the client host when logging in; other names are needed because 966.Nm 967does not convert the user-supplied name to a canonical name before 968checking the key, because someone with access to the name servers 969would then be able to fool host authentication. |
886.It Pa /etc/ssh/ssh_config 887Systemwide configuration file. This file provides defaults for those | 970.It Pa /etc/ssh_config 971Systemwide configuration file. 972This file provides defaults for those |
888values that are not specified in the user's configuration file, and | 973values that are not specified in the user's configuration file, and |
889for those users who do not have a configuration file. This file must 890be world-readable. | 974for those users who do not have a configuration file. 975This file must be world-readable. |
891.It Pa $HOME/.rhosts 892This file is used in 893.Pa \&.rhosts 894authentication to list the | 976.It Pa $HOME/.rhosts 977This file is used in 978.Pa \&.rhosts 979authentication to list the |
895host/user pairs that are permitted to log in. (Note that this file is | 980host/user pairs that are permitted to log in. 981(Note that this file is |
896also used by rlogin and rsh, which makes using this file insecure.) 897Each line of the file contains a host name (in the canonical form 898returned by name servers), and then a user name on that host, | 982also used by rlogin and rsh, which makes using this file insecure.) 983Each line of the file contains a host name (in the canonical form 984returned by name servers), and then a user name on that host, |
899separated by a space. One some machines this file may need to be | 985separated by a space. 986One some machines this file may need to be |
900world-readable if the user's home directory is on a NFS partition, 901because 902.Xr sshd 8 | 987world-readable if the user's home directory is on a NFS partition, 988because 989.Xr sshd 8 |
903reads it as root. Additionally, this file must be owned by the user, 904and must not have write permissions for anyone else. The recommended | 990reads it as root. 991Additionally, this file must be owned by the user, 992and must not have write permissions for anyone else. 993The recommended |
905permission for most machines is read/write for the user, and not 906accessible by others. 907.Pp 908Note that by default 909.Xr sshd 8 910will be installed so that it requires successful RSA host | 994permission for most machines is read/write for the user, and not 995accessible by others. 996.Pp 997Note that by default 998.Xr sshd 8 999will be installed so that it requires successful RSA host |
911authentication before permitting \s+2.\s0rhosts authentication. If your 912server machine does not have the client's host key in 913.Pa /etc/ssh/ssh_known_hosts , | 1000authentication before permitting \s+2.\s0rhosts authentication. 1001If your server machine does not have the client's host key in 1002.Pa /etc/ssh_known_hosts , |
914you can store it in 915.Pa $HOME/.ssh/known_hosts . 916The easiest way to do this is to 917connect back to the client from the server machine using ssh; this 918will automatically add the host key inxi 919.Pa $HOME/.ssh/known_hosts . 920.It Pa $HOME/.shosts 921This file is used exactly the same way as 922.Pa \&.rhosts . 923The purpose for 924having this file is to be able to use rhosts authentication with 925.Nm 926without permitting login with 927.Xr rlogin 1 928or 929.Xr rsh 1 . 930.It Pa /etc/hosts.equiv 931This file is used during | 1003you can store it in 1004.Pa $HOME/.ssh/known_hosts . 1005The easiest way to do this is to 1006connect back to the client from the server machine using ssh; this 1007will automatically add the host key inxi 1008.Pa $HOME/.ssh/known_hosts . 1009.It Pa $HOME/.shosts 1010This file is used exactly the same way as 1011.Pa \&.rhosts . 1012The purpose for 1013having this file is to be able to use rhosts authentication with 1014.Nm 1015without permitting login with 1016.Xr rlogin 1 1017or 1018.Xr rsh 1 . 1019.It Pa /etc/hosts.equiv 1020This file is used during |
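Review bot: two typos survive unchanged on both sides of the .rhosts entry and should be fixed in the same change: "One some machines this file may need to be world-readable" should read "On some machines", and "will automatically add the host key inxi $HOME/.ssh/known_hosts" should read "into". While here, the sentence "requires successful RSA host authentication before permitting \s+2.\s0rhosts authentication" writes the file name with a point-size escape that nothing else on the page uses; every other entry writes it as `.Pa \&.rhosts`, so use that form for consistency and so the rendered text matches the file name in the .It heading.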
932.Pa \&.rhosts 933authentication. It contains | 1021.Pa \&.rhosts authentication. 1022It contains |
934canonical hosts names, one per line (the full format is described on 935the 936.Xr sshd 8 | 1023canonical hosts names, one per line (the full format is described on 1024the 1025.Xr sshd 8 |
937manual page). If the client host is found in this file, login is | 1026manual page). 1027If the client host is found in this file, login is |
938automatically permitted provided client and server user names are the | 1028automatically permitted provided client and server user names are the |
939same. Additionally, successful RSA host authentication is normally 940required. This file should only be writable by root. 941.It Pa /etc/ssh/shosts.equiv 942This file is processed exactly as | 1029same. 1030Additionally, successful RSA host authentication is normally 1031required. 1032This file should only be writable by root. 1033.It Pa /etc/shosts.equiv 1034This file is processed exactly as |
943.Pa /etc/hosts.equiv . 944This file may be useful to permit logins using 945.Nm 946but not using rsh/rlogin. | 1035.Pa /etc/hosts.equiv . 1036This file may be useful to permit logins using 1037.Nm 1038but not using rsh/rlogin. |
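Review bot: the right column's `.Pa \&.rhosts authentication.` hands "authentication." to .Pa as a second argument, so it will be rendered in the pathname font as if it were part of the file name; keep the left column's layout, with `.Pa \&.rhosts` on its own line and "authentication." beginning the next text line, which also keeps the one-sentence-per-line convention the rest of the right column adopts. Also, "canonical hosts names, one per line" should read "canonical host names" on both sides.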
947.It Pa /etc/ssh/sshrc | 1039.It Pa /etc/sshrc |
948Commands in this file are executed by 949.Nm 950when the user logs in just before the user's shell (or command) is started. 951See the 952.Xr sshd 8 953manual page for more information. 954.It Pa $HOME/.ssh/rc 955Commands in this file are executed by 956.Nm 957when the user logs in just before the user's shell (or command) is 958started. | 1040Commands in this file are executed by 1041.Nm 1042when the user logs in just before the user's shell (or command) is started. 1043See the 1044.Xr sshd 8 1045manual page for more information. 1046.It Pa $HOME/.ssh/rc 1047Commands in this file are executed by 1048.Nm 1049when the user logs in just before the user's shell (or command) is 1050started. |
959See the | 1051See the |
960.Xr sshd 8 961manual page for more information. 962.It Pa $HOME/.ssh/environment 963Contains additional definitions for environment variables, see section 964.Sx ENVIRONMENT 965above. 966.It Pa libcrypto.so.X.1 967A version of this library which includes support for the RSA algorithm 968is required for proper operation. 969.Sh AUTHOR 970OpenSSH 971is a derivative of the original (free) ssh 1.2.12 release by Tatu Ylonen, | 1052.Xr sshd 8 1053manual page for more information. 1054.It Pa $HOME/.ssh/environment 1055Contains additional definitions for environment variables, see section 1056.Sx ENVIRONMENT 1057above. 1058.It Pa libcrypto.so.X.1 1059A version of this library which includes support for the RSA algorithm 1060is required for proper operation. 1061.Sh AUTHOR 1062OpenSSH 1063is a derivative of the original (free) ssh 1.2.12 release by Tatu Ylonen, |
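Review bot: the right column moves four paths out of /etc/ssh/ (ssh_config, ssh_known_hosts, shosts.equiv, sshrc) to /etc/ while the left column keeps /etc/ssh/ for all of them; whichever directory is correct has to match the one the binaries are built with and the paths given in sshd(8), because a reader who follows this page and places the client's host key in a ssh_known_hosts file under the wrong directory gets no RSA host authentication from it and the .rhosts/hosts.equiv fallbacks described above silently stop working. Check that ssh_config(5) and sshd(8) in the same tree name the same directory before committing either column.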
972but with bugs removed and newer features re-added. Rapidly after the | 1064but with bugs removed and newer features re-added. 1065Rapidly after the |
9731.2.12 release, newer versions of the original ssh bore successively 974more restrictive licenses, and thus demand for a free version was born. 975This version of OpenSSH 976.Bl -bullet 977.It 978has all components of a restrictive nature (i.e., patents, see 979.Xr ssl 8 ) 980directly removed from the source code; any licensed or patented components 981are chosen from 982external libraries. 983.It 984has been updated to support ssh protocol 1.5, making it compatible with 985all other ssh protocol 1 clients and servers. 986.It | 10661.2.12 release, newer versions of the original ssh bore successively 1067more restrictive licenses, and thus demand for a free version was born. 1068This version of OpenSSH 1069.Bl -bullet 1070.It 1071has all components of a restrictive nature (i.e., patents, see 1072.Xr ssl 8 ) 1073directly removed from the source code; any licensed or patented components 1074are chosen from 1075external libraries. 1076.It 1077has been updated to support ssh protocol 1.5, making it compatible with 1078all other ssh protocol 1 clients and servers. 1079.It |
987contains added support for | 1080contains added support for |
988.Xr kerberos 8 989authentication and ticket passing. 990.It 991supports one-time password authentication with 992.Xr skey 1 . 993.El 994.Pp 995The libraries described in --- 15 unchanged lines hidden --- | 1081.Xr kerberos 8 1082authentication and ticket passing. 1083.It 1084supports one-time password authentication with 1085.Xr skey 1 . 1086.El 1087.Pp 1088The libraries described in --- 15 unchanged lines hidden --- |
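Review bot: the only change in the AUTHOR region is splitting "Rapidly after the" onto its own line to follow the one-sentence-per-line convention; that is fine, but "Rapidly after the 1.2.12 release" reads oddly in English and "Soon after the 1.2.12 release" is the natural wording, so fix it on both sides while the line is being touched.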