xref: /freebsd/crypto/openssh/ssh.1 (revision 78ee8d1c4cdad7a56dbf50f1c8ade75531ce620c)
1.\"
2.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4.\"                    All rights reserved
5.\"
6.\" As far as I am concerned, the code I have written for this software
7.\" can be used freely for any purpose.  Any derived versions of this
8.\" software must be clearly marked as such, and if the derived work is
9.\" incompatible with the protocol description in the RFC file, it must be
10.\" called by a name other than "ssh" or "Secure Shell".
11.\"
12.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
13.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
14.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
15.\"
16.\" Redistribution and use in source and binary forms, with or without
17.\" modification, are permitted provided that the following conditions
18.\" are met:
19.\" 1. Redistributions of source code must retain the above copyright
20.\"    notice, this list of conditions and the following disclaimer.
21.\" 2. Redistributions in binary form must reproduce the above copyright
22.\"    notice, this list of conditions and the following disclaimer in the
23.\"    documentation and/or other materials provided with the distribution.
24.\"
25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\"
36.\" $OpenBSD: ssh.1,v 1.430 2022/03/31 17:27:27 naddy Exp $
37.Dd $Mdocdate: March 31 2022 $
38.Dt SSH 1
39.Os
40.Sh NAME
41.Nm ssh
42.Nd OpenSSH remote login client
43.Sh SYNOPSIS
44.Nm ssh
45.Op Fl 46AaCfGgKkMNnqsTtVvXxYy
46.Op Fl B Ar bind_interface
47.Op Fl b Ar bind_address
48.Op Fl c Ar cipher_spec
49.Op Fl D Oo Ar bind_address : Oc Ns Ar port
50.Op Fl E Ar log_file
51.Op Fl e Ar escape_char
52.Op Fl F Ar configfile
53.Op Fl I Ar pkcs11
54.Op Fl i Ar identity_file
55.Op Fl J Ar destination
56.Op Fl L Ar address
57.Op Fl l Ar login_name
58.Op Fl m Ar mac_spec
59.Op Fl O Ar ctl_cmd
60.Op Fl o Ar option
61.Op Fl p Ar port
62.Op Fl Q Ar query_option
63.Op Fl R Ar address
64.Op Fl S Ar ctl_path
65.Op Fl W Ar host : Ns Ar port
66.Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun
67.Ar destination
68.Op Ar command Op Ar argument ...
69.Sh DESCRIPTION
70.Nm
71(SSH client) is a program for logging into a remote machine and for
72executing commands on a remote machine.
73It is intended to provide secure encrypted communications between
74two untrusted hosts over an insecure network.
75X11 connections, arbitrary TCP ports and
76.Ux Ns -domain
77sockets can also be forwarded over the secure channel.
78.Pp
79.Nm
80connects and logs into the specified
81.Ar destination ,
82which may be specified as either
83.Sm off
84.Oo user @ Oc hostname
85.Sm on
86or a URI of the form
87.Sm off
88.No ssh:// Oo user @ Oc hostname Op : port .
89.Sm on
90The user must prove
91their identity to the remote machine using one of several methods
92(see below).
93.Pp
94If a
95.Ar command
96is specified,
97it will be executed on the remote host instead of a login shell.
98A complete command line may be specified as
99.Ar command ,
100or it may have additional arguments.
101If supplied, the arguments will be appended to the command, separated by
102spaces, before it is sent to the server to be executed.
103.Pp
104The options are as follows:
105.Pp
106.Bl -tag -width Ds -compact
107.It Fl 4
108Forces
109.Nm
110to use IPv4 addresses only.
111.Pp
112.It Fl 6
113Forces
114.Nm
115to use IPv6 addresses only.
116.Pp
117.It Fl A
118Enables forwarding of connections from an authentication agent such as
119.Xr ssh-agent 1 .
120This can also be specified on a per-host basis in a configuration file.
121.Pp
122Agent forwarding should be enabled with caution.
123Users with the ability to bypass file permissions on the remote host
124(for the agent's
125.Ux Ns -domain
126socket) can access the local agent through the forwarded connection.
127An attacker cannot obtain key material from the agent,
128however they can perform operations on the keys that enable them to
129authenticate using the identities loaded into the agent.
130A safer alternative may be to use a jump host
131(see
132.Fl J ) .
133.Pp
134.It Fl a
135Disables forwarding of the authentication agent connection.
136.Pp
137.It Fl B Ar bind_interface
138Bind to the address of
139.Ar bind_interface
140before attempting to connect to the destination host.
141This is only useful on systems with more than one address.
142.Pp
143.It Fl b Ar bind_address
144Use
145.Ar bind_address
146on the local machine as the source address
147of the connection.
148Only useful on systems with more than one address.
149.Pp
150.It Fl C
151Requests compression of all data (including stdin, stdout, stderr, and
152data for forwarded X11, TCP and
153.Ux Ns -domain
154connections).
155The compression algorithm is the same used by
156.Xr gzip 1 .
157Compression is desirable on modem lines and other
158slow connections, but will only slow down things on fast networks.
159The default value can be set on a host-by-host basis in the
160configuration files; see the
161.Cm Compression
162option.
163.Pp
164.It Fl c Ar cipher_spec
165Selects the cipher specification for encrypting the session.
166.Ar cipher_spec
167is a comma-separated list of ciphers
168listed in order of preference.
169See the
170.Cm Ciphers
171keyword in
172.Xr ssh_config 5
173for more information.
174.Pp
175.It Fl D Xo
176.Sm off
177.Oo Ar bind_address : Oc
178.Ar port
179.Sm on
180.Xc
181Specifies a local
182.Dq dynamic
183application-level port forwarding.
184This works by allocating a socket to listen to
185.Ar port
186on the local side, optionally bound to the specified
187.Ar bind_address .
188Whenever a connection is made to this port, the
189connection is forwarded over the secure channel, and the application
190protocol is then used to determine where to connect to from the
191remote machine.
192Currently the SOCKS4 and SOCKS5 protocols are supported, and
193.Nm
194will act as a SOCKS server.
195Only root can forward privileged ports.
196Dynamic port forwardings can also be specified in the configuration file.
197.Pp
198IPv6 addresses can be specified by enclosing the address in square brackets.
199Only the superuser can forward privileged ports.
200By default, the local port is bound in accordance with the
201.Cm GatewayPorts
202setting.
203However, an explicit
204.Ar bind_address
205may be used to bind the connection to a specific address.
206The
207.Ar bind_address
208of
209.Dq localhost
210indicates that the listening port be bound for local use only, while an
211empty address or
212.Sq *
213indicates that the port should be available from all interfaces.
214.Pp
215.It Fl E Ar log_file
216Append debug logs to
217.Ar log_file
218instead of standard error.
219.Pp
220.It Fl e Ar escape_char
221Sets the escape character for sessions with a pty (default:
222.Ql ~ ) .
223The escape character is only recognized at the beginning of a line.
224The escape character followed by a dot
225.Pq Ql \&.
226closes the connection;
227followed by control-Z suspends the connection;
228and followed by itself sends the escape character once.
229Setting the character to
230.Dq none
231disables any escapes and makes the session fully transparent.
232.Pp
233.It Fl F Ar configfile
234Specifies an alternative per-user configuration file.
235If a configuration file is given on the command line,
236the system-wide configuration file
237.Pq Pa /etc/ssh/ssh_config
238will be ignored.
239The default for the per-user configuration file is
240.Pa ~/.ssh/config .
241If set to
242.Dq none ,
243no configuration files will be read.
244.Pp
245.It Fl f
246Requests
247.Nm
248to go to background just before command execution.
249This is useful if
250.Nm
251is going to ask for passwords or passphrases, but the user
252wants it in the background.
253This implies
254.Fl n .
255The recommended way to start X11 programs at a remote site is with
256something like
257.Ic ssh -f host xterm .
258.Pp
259If the
260.Cm ExitOnForwardFailure
261configuration option is set to
262.Dq yes ,
263then a client started with
264.Fl f
265will wait for all remote port forwards to be successfully established
266before placing itself in the background.
267Refer to the description of
268.Cm ForkAfterAuthentication
269in
270.Xr ssh_config 5
271for details.
272.Pp
273.It Fl G
274Causes
275.Nm
276to print its configuration after evaluating
277.Cm Host
278and
279.Cm Match
280blocks and exit.
281.Pp
282.It Fl g
283Allows remote hosts to connect to local forwarded ports.
284If used on a multiplexed connection, then this option must be specified
285on the master process.
286.Pp
287.It Fl I Ar pkcs11
288Specify the PKCS#11 shared library
289.Nm
290should use to communicate with a PKCS#11 token providing keys for user
291authentication.
292.Pp
293.It Fl i Ar identity_file
294Selects a file from which the identity (private key) for
295public key authentication is read.
296You can also specify a public key file to use the corresponding
297private key that is loaded in
298.Xr ssh-agent 1
299when the private key file is not present locally.
300The default is
301.Pa ~/.ssh/id_rsa ,
302.Pa ~/.ssh/id_ecdsa ,
303.Pa ~/.ssh/id_ecdsa_sk ,
304.Pa ~/.ssh/id_ed25519 ,
305.Pa ~/.ssh/id_ed25519_sk
306and
307.Pa ~/.ssh/id_dsa .
308Identity files may also be specified on
309a per-host basis in the configuration file.
310It is possible to have multiple
311.Fl i
312options (and multiple identities specified in
313configuration files).
314If no certificates have been explicitly specified by the
315.Cm CertificateFile
316directive,
317.Nm
318will also try to load certificate information from the filename obtained
319by appending
320.Pa -cert.pub
321to identity filenames.
322.Pp
323.It Fl J Ar destination
324Connect to the target host by first making a
325.Nm
326connection to the jump host described by
327.Ar destination
328and then establishing a TCP forwarding to the ultimate destination from
329there.
330Multiple jump hops may be specified separated by comma characters.
331This is a shortcut to specify a
332.Cm ProxyJump
333configuration directive.
334Note that configuration directives supplied on the command-line generally
335apply to the destination host and not any specified jump hosts.
336Use
337.Pa ~/.ssh/config
338to specify configuration for jump hosts.
339.Pp
340.It Fl K
341Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI
342credentials to the server.
343.Pp
344.It Fl k
345Disables forwarding (delegation) of GSSAPI credentials to the server.
346.Pp
347.It Fl L Xo
348.Sm off
349.Oo Ar bind_address : Oc
350.Ar port : host : hostport
351.Sm on
352.Xc
353.It Fl L Xo
354.Sm off
355.Oo Ar bind_address : Oc
356.Ar port : remote_socket
357.Sm on
358.Xc
359.It Fl L Xo
360.Sm off
361.Ar local_socket : host : hostport
362.Sm on
363.Xc
364.It Fl L Xo
365.Sm off
366.Ar local_socket : remote_socket
367.Sm on
368.Xc
369Specifies that connections to the given TCP port or Unix socket on the local
370(client) host are to be forwarded to the given host and port, or Unix socket,
371on the remote side.
372This works by allocating a socket to listen to either a TCP
373.Ar port
374on the local side, optionally bound to the specified
375.Ar bind_address ,
376or to a Unix socket.
377Whenever a connection is made to the local port or socket, the
378connection is forwarded over the secure channel, and a connection is
379made to either
380.Ar host
381port
382.Ar hostport ,
383or the Unix socket
384.Ar remote_socket ,
385from the remote machine.
386.Pp
387Port forwardings can also be specified in the configuration file.
388Only the superuser can forward privileged ports.
389IPv6 addresses can be specified by enclosing the address in square brackets.
390.Pp
391By default, the local port is bound in accordance with the
392.Cm GatewayPorts
393setting.
394However, an explicit
395.Ar bind_address
396may be used to bind the connection to a specific address.
397The
398.Ar bind_address
399of
400.Dq localhost
401indicates that the listening port be bound for local use only, while an
402empty address or
403.Sq *
404indicates that the port should be available from all interfaces.
405.Pp
406.It Fl l Ar login_name
407Specifies the user to log in as on the remote machine.
408This also may be specified on a per-host basis in the configuration file.
409.Pp
410.It Fl M
411Places the
412.Nm
413client into
414.Dq master
415mode for connection sharing.
416Multiple
417.Fl M
418options places
419.Nm
420into
421.Dq master
422mode but with confirmation required using
423.Xr ssh-askpass 1
424before each operation that changes the multiplexing state
425(e.g. opening a new session).
426Refer to the description of
427.Cm ControlMaster
428in
429.Xr ssh_config 5
430for details.
431.Pp
432.It Fl m Ar mac_spec
433A comma-separated list of MAC (message authentication code) algorithms,
434specified in order of preference.
435See the
436.Cm MACs
437keyword for more information.
438.Pp
439.It Fl N
440Do not execute a remote command.
441This is useful for just forwarding ports.
442Refer to the description of
443.Cm SessionType
444in
445.Xr ssh_config 5
446for details.
447.Pp
448.It Fl n
449Redirects stdin from
450.Pa /dev/null
451(actually, prevents reading from stdin).
452This must be used when
453.Nm
454is run in the background.
455A common trick is to use this to run X11 programs on a remote machine.
456For example,
457.Ic ssh -n shadows.cs.hut.fi emacs &
458will start an emacs on shadows.cs.hut.fi, and the X11
459connection will be automatically forwarded over an encrypted channel.
460The
461.Nm
462program will be put in the background.
463(This does not work if
464.Nm
465needs to ask for a password or passphrase; see also the
466.Fl f
467option.)
468Refer to the description of
469.Cm StdinNull
470in
471.Xr ssh_config 5
472for details.
473.Pp
474.It Fl O Ar ctl_cmd
475Control an active connection multiplexing master process.
476When the
477.Fl O
478option is specified, the
479.Ar ctl_cmd
480argument is interpreted and passed to the master process.
481Valid commands are:
482.Dq check
483(check that the master process is running),
484.Dq forward
485(request forwardings without command execution),
486.Dq cancel
487(cancel forwardings),
488.Dq exit
489(request the master to exit), and
490.Dq stop
491(request the master to stop accepting further multiplexing requests).
492.Pp
493.It Fl o Ar option
494Can be used to give options in the format used in the configuration file.
495This is useful for specifying options for which there is no separate
496command-line flag.
497For full details of the options listed below, and their possible values, see
498.Xr ssh_config 5 .
499.Pp
500.Bl -tag -width Ds -offset indent -compact
501.It AddKeysToAgent
502.It AddressFamily
503.It BatchMode
504.It BindAddress
505.It CanonicalDomains
506.It CanonicalizeFallbackLocal
507.It CanonicalizeHostname
508.It CanonicalizeMaxDots
509.It CanonicalizePermittedCNAMEs
510.It CASignatureAlgorithms
511.It CertificateFile
512.It CheckHostIP
513.It Ciphers
514.It ClearAllForwardings
515.It Compression
516.It ConnectionAttempts
517.It ConnectTimeout
518.It ControlMaster
519.It ControlPath
520.It ControlPersist
521.It DynamicForward
522.It EscapeChar
523.It ExitOnForwardFailure
524.It FingerprintHash
525.It ForkAfterAuthentication
526.It ForwardAgent
527.It ForwardX11
528.It ForwardX11Timeout
529.It ForwardX11Trusted
530.It GatewayPorts
531.It GlobalKnownHostsFile
532.It GSSAPIAuthentication
533.It GSSAPIDelegateCredentials
534.It HashKnownHosts
535.It Host
536.It HostbasedAcceptedAlgorithms
537.It HostbasedAuthentication
538.It HostKeyAlgorithms
539.It HostKeyAlias
540.It Hostname
541.It IdentitiesOnly
542.It IdentityAgent
543.It IdentityFile
544.It IPQoS
545.It KbdInteractiveAuthentication
546.It KbdInteractiveDevices
547.It KexAlgorithms
548.It KnownHostsCommand
549.It LocalCommand
550.It LocalForward
551.It LogLevel
552.It MACs
553.It Match
554.It NoHostAuthenticationForLocalhost
555.It NumberOfPasswordPrompts
556.It PasswordAuthentication
557.It PermitLocalCommand
558.It PermitRemoteOpen
559.It PKCS11Provider
560.It Port
561.It PreferredAuthentications
562.It ProxyCommand
563.It ProxyJump
564.It ProxyUseFdpass
565.It PubkeyAcceptedAlgorithms
566.It PubkeyAuthentication
567.It RekeyLimit
568.It RemoteCommand
569.It RemoteForward
570.It RequestTTY
571.It SendEnv
572.It ServerAliveInterval
573.It ServerAliveCountMax
574.It SessionType
575.It SetEnv
576.It StdinNull
577.It StreamLocalBindMask
578.It StreamLocalBindUnlink
579.It StrictHostKeyChecking
580.It TCPKeepAlive
581.It Tunnel
582.It TunnelDevice
583.It UpdateHostKeys
584.It User
585.It UserKnownHostsFile
586.It VerifyHostKeyDNS
587.It VersionAddendum
588.It VisualHostKey
589.It XAuthLocation
590.El
591.Pp
592.It Fl p Ar port
593Port to connect to on the remote host.
594This can be specified on a
595per-host basis in the configuration file.
596.Pp
597.It Fl Q Ar query_option
598Queries for the algorithms supported by one of the following features:
599.Ar cipher
600(supported symmetric ciphers),
601.Ar cipher-auth
602(supported symmetric ciphers that support authenticated encryption),
603.Ar help
604(supported query terms for use with the
605.Fl Q
606flag),
607.Ar mac
608(supported message integrity codes),
609.Ar kex
610(key exchange algorithms),
611.Ar key
612(key types),
613.Ar key-cert
614(certificate key types),
615.Ar key-plain
616(non-certificate key types),
617.Ar key-sig
618(all key types and signature algorithms),
619.Ar protocol-version
620(supported SSH protocol versions), and
621.Ar sig
622(supported signature algorithms).
623Alternatively, any keyword from
624.Xr ssh_config 5
625or
626.Xr sshd_config 5
627that takes an algorithm list may be used as an alias for the corresponding
628query_option.
629.Pp
630.It Fl q
631Quiet mode.
632Causes most warning and diagnostic messages to be suppressed.
633.Pp
634.It Fl R Xo
635.Sm off
636.Oo Ar bind_address : Oc
637.Ar port : host : hostport
638.Sm on
639.Xc
640.It Fl R Xo
641.Sm off
642.Oo Ar bind_address : Oc
643.Ar port : local_socket
644.Sm on
645.Xc
646.It Fl R Xo
647.Sm off
648.Ar remote_socket : host : hostport
649.Sm on
650.Xc
651.It Fl R Xo
652.Sm off
653.Ar remote_socket : local_socket
654.Sm on
655.Xc
656.It Fl R Xo
657.Sm off
658.Oo Ar bind_address : Oc
659.Ar port
660.Sm on
661.Xc
662Specifies that connections to the given TCP port or Unix socket on the remote
663(server) host are to be forwarded to the local side.
664.Pp
665This works by allocating a socket to listen to either a TCP
666.Ar port
667or to a Unix socket on the remote side.
668Whenever a connection is made to this port or Unix socket, the
669connection is forwarded over the secure channel, and a connection
670is made from the local machine to either an explicit destination specified by
671.Ar host
672port
673.Ar hostport ,
674or
675.Ar local_socket ,
676or, if no explicit destination was specified,
677.Nm
678will act as a SOCKS 4/5 proxy and forward connections to the destinations
679requested by the remote SOCKS client.
680.Pp
681Port forwardings can also be specified in the configuration file.
682Privileged ports can be forwarded only when
683logging in as root on the remote machine.
684IPv6 addresses can be specified by enclosing the address in square brackets.
685.Pp
686By default, TCP listening sockets on the server will be bound to the loopback
687interface only.
688This may be overridden by specifying a
689.Ar bind_address .
690An empty
691.Ar bind_address ,
692or the address
693.Ql * ,
694indicates that the remote socket should listen on all interfaces.
695Specifying a remote
696.Ar bind_address
697will only succeed if the server's
698.Cm GatewayPorts
699option is enabled (see
700.Xr sshd_config 5 ) .
701.Pp
702If the
703.Ar port
704argument is
705.Ql 0 ,
706the listen port will be dynamically allocated on the server and reported
707to the client at run time.
708When used together with
709.Ic -O forward ,
710the allocated port will be printed to the standard output.
711.Pp
712.It Fl S Ar ctl_path
713Specifies the location of a control socket for connection sharing,
714or the string
715.Dq none
716to disable connection sharing.
717Refer to the description of
718.Cm ControlPath
719and
720.Cm ControlMaster
721in
722.Xr ssh_config 5
723for details.
724.Pp
725.It Fl s
726May be used to request invocation of a subsystem on the remote system.
727Subsystems facilitate the use of SSH
728as a secure transport for other applications (e.g.\&
729.Xr sftp 1 ) .
730The subsystem is specified as the remote command.
731Refer to the description of
732.Cm SessionType
733in
734.Xr ssh_config 5
735for details.
736.Pp
737.It Fl T
738Disable pseudo-terminal allocation.
739.Pp
740.It Fl t
741Force pseudo-terminal allocation.
742This can be used to execute arbitrary
743screen-based programs on a remote machine, which can be very useful,
744e.g. when implementing menu services.
745Multiple
746.Fl t
747options force tty allocation, even if
748.Nm
749has no local tty.
750.Pp
751.It Fl V
752Display the version number and exit.
753.Pp
754.It Fl v
755Verbose mode.
756Causes
757.Nm
758to print debugging messages about its progress.
759This is helpful in
760debugging connection, authentication, and configuration problems.
761Multiple
762.Fl v
763options increase the verbosity.
764The maximum is 3.
765.Pp
766.It Fl W Ar host : Ns Ar port
767Requests that standard input and output on the client be forwarded to
768.Ar host
769on
770.Ar port
771over the secure channel.
772Implies
773.Fl N ,
774.Fl T ,
775.Cm ExitOnForwardFailure
776and
777.Cm ClearAllForwardings ,
778though these can be overridden in the configuration file or using
779.Fl o
780command line options.
781.Pp
782.It Fl w Xo
783.Ar local_tun Ns Op : Ns Ar remote_tun
784.Xc
785Requests
786tunnel
787device forwarding with the specified
788.Xr tun 4
789devices between the client
790.Pq Ar local_tun
791and the server
792.Pq Ar remote_tun .
793.Pp
794The devices may be specified by numerical ID or the keyword
795.Dq any ,
796which uses the next available tunnel device.
797If
798.Ar remote_tun
799is not specified, it defaults to
800.Dq any .
801See also the
802.Cm Tunnel
803and
804.Cm TunnelDevice
805directives in
806.Xr ssh_config 5 .
807.Pp
808If the
809.Cm Tunnel
810directive is unset, it will be set to the default tunnel mode, which is
811.Dq point-to-point .
812If a different
813.Cm Tunnel
814forwarding mode it desired, then it should be specified before
815.Fl w .
816.Pp
817.It Fl X
818Enables X11 forwarding.
819This can also be specified on a per-host basis in a configuration file.
820.Pp
821X11 forwarding should be enabled with caution.
822Users with the ability to bypass file permissions on the remote host
823(for the user's X authorization database)
824can access the local X11 display through the forwarded connection.
825An attacker may then be able to perform activities such as keystroke monitoring.
826.Pp
827For this reason, X11 forwarding is subjected to X11 SECURITY extension
828restrictions by default.
829Refer to the
830.Nm
831.Fl Y
832option and the
833.Cm ForwardX11Trusted
834directive in
835.Xr ssh_config 5
836for more information.
837.Pp
838.It Fl x
839Disables X11 forwarding.
840.Pp
841.It Fl Y
842Enables trusted X11 forwarding.
843Trusted X11 forwardings are not subjected to the X11 SECURITY extension
844controls.
845.Pp
846.It Fl y
847Send log information using the
848.Xr syslog 3
849system module.
850By default this information is sent to stderr.
851.El
852.Pp
853.Nm
854may additionally obtain configuration data from
855a per-user configuration file and a system-wide configuration file.
856The file format and configuration options are described in
857.Xr ssh_config 5 .
858.Sh AUTHENTICATION
859The OpenSSH SSH client supports SSH protocol 2.
860.Pp
861The methods available for authentication are:
862GSSAPI-based authentication,
863host-based authentication,
864public key authentication,
865keyboard-interactive authentication,
866and password authentication.
867Authentication methods are tried in the order specified above,
868though
869.Cm PreferredAuthentications
870can be used to change the default order.
871.Pp
872Host-based authentication works as follows:
873If the machine the user logs in from is listed in
874.Pa /etc/hosts.equiv
875or
876.Pa /etc/shosts.equiv
877on the remote machine, the user is non-root and the user names are
878the same on both sides, or if the files
879.Pa ~/.rhosts
880or
881.Pa ~/.shosts
882exist in the user's home directory on the
883remote machine and contain a line containing the name of the client
884machine and the name of the user on that machine, the user is
885considered for login.
886Additionally, the server
887.Em must
888be able to verify the client's
889host key (see the description of
890.Pa /etc/ssh/ssh_known_hosts
891and
892.Pa ~/.ssh/known_hosts ,
893below)
894for login to be permitted.
895This authentication method closes security holes due to IP
896spoofing, DNS spoofing, and routing spoofing.
897[Note to the administrator:
898.Pa /etc/hosts.equiv ,
899.Pa ~/.rhosts ,
900and the rlogin/rsh protocol in general, are inherently insecure and should be
901disabled if security is desired.]
902.Pp
903Public key authentication works as follows:
904The scheme is based on public-key cryptography,
905using cryptosystems
906where encryption and decryption are done using separate keys,
907and it is unfeasible to derive the decryption key from the encryption key.
908The idea is that each user creates a public/private
909key pair for authentication purposes.
910The server knows the public key, and only the user knows the private key.
911.Nm
912implements public key authentication protocol automatically,
913using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
914The HISTORY section of
915.Xr ssl 8
916contains a brief discussion of the DSA and RSA algorithms.
917.Pp
918The file
919.Pa ~/.ssh/authorized_keys
920lists the public keys that are permitted for logging in.
921When the user logs in, the
922.Nm
923program tells the server which key pair it would like to use for
924authentication.
925The client proves that it has access to the private key
926and the server checks that the corresponding public key
927is authorized to accept the account.
928.Pp
929The server may inform the client of errors that prevented public key
930authentication from succeeding after authentication completes using a
931different method.
932These may be viewed by increasing the
933.Cm LogLevel
934to
935.Cm DEBUG
936or higher (e.g. by using the
937.Fl v
938flag).
939.Pp
940The user creates their key pair by running
941.Xr ssh-keygen 1 .
942This stores the private key in
943.Pa ~/.ssh/id_dsa
944(DSA),
945.Pa ~/.ssh/id_ecdsa
946(ECDSA),
947.Pa ~/.ssh/id_ecdsa_sk
948(authenticator-hosted ECDSA),
949.Pa ~/.ssh/id_ed25519
950(Ed25519),
951.Pa ~/.ssh/id_ed25519_sk
952(authenticator-hosted Ed25519),
953or
954.Pa ~/.ssh/id_rsa
955(RSA)
956and stores the public key in
957.Pa ~/.ssh/id_dsa.pub
958(DSA),
959.Pa ~/.ssh/id_ecdsa.pub
960(ECDSA),
961.Pa ~/.ssh/id_ecdsa_sk.pub
962(authenticator-hosted ECDSA),
963.Pa ~/.ssh/id_ed25519.pub
964(Ed25519),
965.Pa ~/.ssh/id_ed25519_sk.pub
966(authenticator-hosted Ed25519),
967or
968.Pa ~/.ssh/id_rsa.pub
969(RSA)
970in the user's home directory.
971The user should then copy the public key
972to
973.Pa ~/.ssh/authorized_keys
974in their home directory on the remote machine.
975The
976.Pa authorized_keys
977file corresponds to the conventional
978.Pa ~/.rhosts
979file, and has one key
980per line, though the lines can be very long.
981After this, the user can log in without giving the password.
982.Pp
983A variation on public key authentication
984is available in the form of certificate authentication:
985instead of a set of public/private keys,
986signed certificates are used.
987This has the advantage that a single trusted certification authority
988can be used in place of many public/private keys.
989See the CERTIFICATES section of
990.Xr ssh-keygen 1
991for more information.
992.Pp
993The most convenient way to use public key or certificate authentication
994may be with an authentication agent.
995See
996.Xr ssh-agent 1
997and (optionally) the
998.Cm AddKeysToAgent
999directive in
1000.Xr ssh_config 5
1001for more information.
1002.Pp
1003Keyboard-interactive authentication works as follows:
1004The server sends an arbitrary
1005.Qq challenge
1006text and prompts for a response, possibly multiple times.
1007Examples of keyboard-interactive authentication include
1008.Bx
1009Authentication (see
1010.Xr login.conf 5 )
1011and PAM (some
1012.Pf non- Ox
1013systems).
1014.Pp
1015Finally, if other authentication methods fail,
1016.Nm
1017prompts the user for a password.
1018The password is sent to the remote
1019host for checking; however, since all communications are encrypted,
1020the password cannot be seen by someone listening on the network.
1021.Pp
1022.Nm
1023automatically maintains and checks a database containing
1024identification for all hosts it has ever been used with.
1025Host keys are stored in
1026.Pa ~/.ssh/known_hosts
1027in the user's home directory.
1028Additionally, the file
1029.Pa /etc/ssh/ssh_known_hosts
1030is automatically checked for known hosts.
1031Any new hosts are automatically added to the user's file.
1032If a host's identification ever changes,
1033.Nm
1034warns about this and disables password authentication to prevent
1035server spoofing or man-in-the-middle attacks,
1036which could otherwise be used to circumvent the encryption.
1037The
1038.Cm StrictHostKeyChecking
1039option can be used to control logins to machines whose
1040host key is not known or has changed.
1041.Pp
1042When the user's identity has been accepted by the server, the server
1043either executes the given command in a non-interactive session or,
1044if no command has been specified, logs into the machine and gives
1045the user a normal shell as an interactive session.
1046All communication with
1047the remote command or shell will be automatically encrypted.
1048.Pp
1049If an interactive session is requested,
1050.Nm
1051by default will only request a pseudo-terminal (pty) for interactive
1052sessions when the client has one.
1053The flags
1054.Fl T
1055and
1056.Fl t
1057can be used to override this behaviour.
1058.Pp
1059If a pseudo-terminal has been allocated, the
1060user may use the escape characters noted below.
1061.Pp
1062If no pseudo-terminal has been allocated,
1063the session is transparent and can be used to reliably transfer binary data.
1064On most systems, setting the escape character to
1065.Dq none
1066will also make the session transparent even if a tty is used.
1067.Pp
1068The session terminates when the command or shell on the remote
1069machine exits and all X11 and TCP connections have been closed.
1070.Sh ESCAPE CHARACTERS
1071When a pseudo-terminal has been requested,
1072.Nm
1073supports a number of functions through the use of an escape character.
1074.Pp
1075A single tilde character can be sent as
1076.Ic ~~
1077or by following the tilde by a character other than those described below.
1078The escape character must always follow a newline to be interpreted as
1079special.
1080The escape character can be changed in configuration files using the
1081.Cm EscapeChar
1082configuration directive or on the command line by the
1083.Fl e
1084option.
1085.Pp
1086The supported escapes (assuming the default
1087.Ql ~ )
1088are:
1089.Bl -tag -width Ds
1090.It Cm ~.
1091Disconnect.
1092.It Cm ~^Z
1093Background
1094.Nm .
1095.It Cm ~#
1096List forwarded connections.
1097.It Cm ~&
1098Background
1099.Nm
1100at logout when waiting for forwarded connection / X11 sessions to terminate.
1101.It Cm ~?
1102Display a list of escape characters.
1103.It Cm ~B
1104Send a BREAK to the remote system
1105(only useful if the peer supports it).
1106.It Cm ~C
1107Open command line.
1108Currently this allows the addition of port forwardings using the
1109.Fl L ,
1110.Fl R
1111and
1112.Fl D
1113options (see above).
1114It also allows the cancellation of existing port-forwardings
1115with
1116.Sm off
1117.Fl KL Oo Ar bind_address : Oc Ar port
1118.Sm on
1119for local,
1120.Sm off
1121.Fl KR Oo Ar bind_address : Oc Ar port
1122.Sm on
1123for remote and
1124.Sm off
1125.Fl KD Oo Ar bind_address : Oc Ar port
1126.Sm on
1127for dynamic port-forwardings.
1128.Ic !\& Ns Ar command
1129allows the user to execute a local command if the
1130.Ic PermitLocalCommand
1131option is enabled in
1132.Xr ssh_config 5 .
1133Basic help is available, using the
1134.Fl h
1135option.
1136.It Cm ~R
1137Request rekeying of the connection
1138(only useful if the peer supports it).
1139.It Cm ~V
1140Decrease the verbosity
1141.Pq Ic LogLevel
1142when errors are being written to stderr.
1143.It Cm ~v
1144Increase the verbosity
1145.Pq Ic LogLevel
1146when errors are being written to stderr.
1147.El
1148.Sh TCP FORWARDING
1149Forwarding of arbitrary TCP connections over a secure channel
1150can be specified either on the command line or in a configuration file.
1151One possible application of TCP forwarding is a secure connection to a
1152mail server; another is going through firewalls.
1153.Pp
1154In the example below, we look at encrypting communication for an IRC client,
1155even though the IRC server it connects to does not directly
1156support encrypted communication.
1157This works as follows:
1158the user connects to the remote host using
1159.Nm ,
1160specifying the ports to be used to forward the connection.
1161After that it is possible to start the program locally,
1162and
1163.Nm
1164will encrypt and forward the connection to the remote server.
1165.Pp
1166The following example tunnels an IRC session from the client
1167to an IRC server at
1168.Dq server.example.com ,
1169joining channel
1170.Dq #users ,
1171nickname
1172.Dq pinky ,
1173using the standard IRC port, 6667:
1174.Bd -literal -offset 4n
1175$ ssh -f -L 6667:localhost:6667 server.example.com sleep 10
1176$ irc -c '#users' pinky IRC/127.0.0.1
1177.Ed
1178.Pp
1179The
1180.Fl f
1181option backgrounds
1182.Nm
1183and the remote command
1184.Dq sleep 10
1185is specified to allow an amount of time
1186(10 seconds, in the example)
1187to start the program which is going to use the tunnel.
1188If no connections are made within the time specified,
1189.Nm
1190will exit.
1191.Sh X11 FORWARDING
1192If the
1193.Cm ForwardX11
1194variable is set to
1195.Dq yes
1196(or see the description of the
1197.Fl X ,
1198.Fl x ,
1199and
1200.Fl Y
1201options above)
1202and the user is using X11 (the
1203.Ev DISPLAY
1204environment variable is set), the connection to the X11 display is
1205automatically forwarded to the remote side in such a way that any X11
1206programs started from the shell (or command) will go through the
1207encrypted channel, and the connection to the real X server will be made
1208from the local machine.
1209The user should not manually set
1210.Ev DISPLAY .
1211Forwarding of X11 connections can be
1212configured on the command line or in configuration files.
1213.Pp
1214The
1215.Ev DISPLAY
1216value set by
1217.Nm
1218will point to the server machine, but with a display number greater than zero.
1219This is normal, and happens because
1220.Nm
1221creates a
1222.Dq proxy
1223X server on the server machine for forwarding the
1224connections over the encrypted channel.
1225.Pp
1226.Nm
1227will also automatically set up Xauthority data on the server machine.
1228For this purpose, it will generate a random authorization cookie,
1229store it in Xauthority on the server, and verify that any forwarded
1230connections carry this cookie and replace it by the real cookie when
1231the connection is opened.
1232The real authentication cookie is never
1233sent to the server machine (and no cookies are sent in the plain).
1234.Pp
1235If the
1236.Cm ForwardAgent
1237variable is set to
1238.Dq yes
1239(or see the description of the
1240.Fl A
1241and
1242.Fl a
1243options above) and
1244the user is using an authentication agent, the connection to the agent
1245is automatically forwarded to the remote side.
1246.Sh VERIFYING HOST KEYS
1247When connecting to a server for the first time,
1248a fingerprint of the server's public key is presented to the user
1249(unless the option
1250.Cm StrictHostKeyChecking
1251has been disabled).
1252Fingerprints can be determined using
1253.Xr ssh-keygen 1 :
1254.Pp
1255.Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
1256.Pp
1257If the fingerprint is already known, it can be matched
1258and the key can be accepted or rejected.
1259If only legacy (MD5) fingerprints for the server are available, the
1260.Xr ssh-keygen 1
1261.Fl E
1262option may be used to downgrade the fingerprint algorithm to match.
1263.Pp
1264Because of the difficulty of comparing host keys
1265just by looking at fingerprint strings,
1266there is also support to compare host keys visually,
1267using
1268.Em random art .
1269By setting the
1270.Cm VisualHostKey
1271option to
1272.Dq yes ,
1273a small ASCII graphic gets displayed on every login to a server, no matter
1274if the session itself is interactive or not.
1275By learning the pattern a known server produces, a user can easily
1276find out that the host key has changed when a completely different pattern
1277is displayed.
1278Because these patterns are not unambiguous however, a pattern that looks
1279similar to the pattern remembered only gives a good probability that the
1280host key is the same, not guaranteed proof.
1281.Pp
1282To get a listing of the fingerprints along with their random art for
1283all known hosts, the following command line can be used:
1284.Pp
1285.Dl $ ssh-keygen -lv -f ~/.ssh/known_hosts
1286.Pp
1287If the fingerprint is unknown,
1288an alternative method of verification is available:
1289SSH fingerprints verified by DNS.
1290An additional resource record (RR),
1291SSHFP,
1292is added to a zonefile
1293and the connecting client is able to match the fingerprint
1294with that of the key presented.
1295.Pp
1296In this example, we are connecting a client to a server,
1297.Dq host.example.com .
1298The SSHFP resource records should first be added to the zonefile for
1299host.example.com:
1300.Bd -literal -offset indent
1301$ ssh-keygen -r host.example.com.
1302.Ed
1303.Pp
1304The output lines will have to be added to the zonefile.
1305To check that the zone is answering fingerprint queries:
1306.Pp
1307.Dl $ dig -t SSHFP host.example.com
1308.Pp
1309Finally the client connects:
1310.Bd -literal -offset indent
1311$ ssh -o "VerifyHostKeyDNS ask" host.example.com
1312[...]
1313Matching host key fingerprint found in DNS.
1314Are you sure you want to continue connecting (yes/no)?
1315.Ed
1316.Pp
1317See the
1318.Cm VerifyHostKeyDNS
1319option in
1320.Xr ssh_config 5
1321for more information.
1322.Sh SSH-BASED VIRTUAL PRIVATE NETWORKS
1323.Nm
1324contains support for Virtual Private Network (VPN) tunnelling
1325using the
1326.Xr tun 4
1327network pseudo-device,
1328allowing two networks to be joined securely.
1329The
1330.Xr sshd_config 5
1331configuration option
1332.Cm PermitTunnel
1333controls whether the server supports this,
1334and at what level (layer 2 or 3 traffic).
1335.Pp
1336The following example would connect client network 10.0.50.0/24
1337with remote network 10.0.99.0/24 using a point-to-point connection
1338from 10.1.1.1 to 10.1.1.2,
1339provided that the SSH server running on the gateway to the remote network,
1340at 192.168.1.15, allows it.
1341.Pp
1342On the client:
1343.Bd -literal -offset indent
1344# ssh -f -w 0:1 192.168.1.15 true
1345# ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
1346# route add 10.0.99.0/24 10.1.1.2
1347.Ed
1348.Pp
1349On the server:
1350.Bd -literal -offset indent
1351# ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252
1352# route add 10.0.50.0/24 10.1.1.1
1353.Ed
1354.Pp
1355Client access may be more finely tuned via the
1356.Pa /root/.ssh/authorized_keys
1357file (see below) and the
1358.Cm PermitRootLogin
1359server option.
1360The following entry would permit connections on
1361.Xr tun 4
1362device 1 from user
1363.Dq jane
1364and on tun device 2 from user
1365.Dq john ,
1366if
1367.Cm PermitRootLogin
1368is set to
1369.Dq forced-commands-only :
1370.Bd -literal -offset 2n
1371tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
1372tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john
1373.Ed
1374.Pp
1375Since an SSH-based setup entails a fair amount of overhead,
1376it may be more suited to temporary setups,
1377such as for wireless VPNs.
1378More permanent VPNs are better provided by tools such as
1379.Xr ipsecctl 8
1380and
1381.Xr isakmpd 8 .
1382.Sh ENVIRONMENT
1383.Nm
1384will normally set the following environment variables:
1385.Bl -tag -width "SSH_ORIGINAL_COMMAND"
1386.It Ev DISPLAY
1387The
1388.Ev DISPLAY
1389variable indicates the location of the X11 server.
1390It is automatically set by
1391.Nm
1392to point to a value of the form
1393.Dq hostname:n ,
1394where
1395.Dq hostname
1396indicates the host where the shell runs, and
1397.Sq n
1398is an integer \*(Ge 1.
1399.Nm
1400uses this special value to forward X11 connections over the secure
1401channel.
1402The user should normally not set
1403.Ev DISPLAY
1404explicitly, as that
1405will render the X11 connection insecure (and will require the user to
1406manually copy any required authorization cookies).
1407.It Ev HOME
1408Set to the path of the user's home directory.
1409.It Ev LOGNAME
1410Synonym for
1411.Ev USER ;
1412set for compatibility with systems that use this variable.
1413.It Ev MAIL
1414Set to the path of the user's mailbox.
1415.It Ev PATH
1416Set to the default
1417.Ev PATH ,
1418as specified when compiling
1419.Nm .
1420.It Ev SSH_ASKPASS
1421If
1422.Nm
1423needs a passphrase, it will read the passphrase from the current
1424terminal if it was run from a terminal.
1425If
1426.Nm
1427does not have a terminal associated with it but
1428.Ev DISPLAY
1429and
1430.Ev SSH_ASKPASS
1431are set, it will execute the program specified by
1432.Ev SSH_ASKPASS
1433and open an X11 window to read the passphrase.
1434This is particularly useful when calling
1435.Nm
1436from a
1437.Pa .xsession
1438or related script.
1439(Note that on some machines it
1440may be necessary to redirect the input from
1441.Pa /dev/null
1442to make this work.)
1443.It Ev SSH_ASKPASS_REQUIRE
1444Allows further control over the use of an askpass program.
1445If this variable is set to
1446.Dq never
1447then
1448.Nm
1449will never attempt to use one.
1450If it is set to
1451.Dq prefer ,
1452then
1453.Nm
1454will prefer to use the askpass program instead of the TTY when requesting
1455passwords.
1456Finally, if the variable is set to
1457.Dq force ,
1458then the askpass program will be used for all passphrase input regardless
1459of whether
1460.Ev DISPLAY
1461is set.
1462.It Ev SSH_AUTH_SOCK
1463Identifies the path of a
1464.Ux Ns -domain
1465socket used to communicate with the agent.
1466.It Ev SSH_CONNECTION
1467Identifies the client and server ends of the connection.
1468The variable contains
1469four space-separated values: client IP address, client port number,
1470server IP address, and server port number.
1471.It Ev SSH_ORIGINAL_COMMAND
1472This variable contains the original command line if a forced command
1473is executed.
1474It can be used to extract the original arguments.
1475.It Ev SSH_TTY
1476This is set to the name of the tty (path to the device) associated
1477with the current shell or command.
1478If the current session has no tty,
1479this variable is not set.
1480.It Ev SSH_TUNNEL
1481Optionally set by
1482.Xr sshd 8
1483to contain the interface names assigned if tunnel forwarding was
1484requested by the client.
1485.It Ev SSH_USER_AUTH
1486Optionally set by
1487.Xr sshd 8 ,
1488this variable may contain a pathname to a file that lists the authentication
1489methods successfully used when the session was established, including any
1490public keys that were used.
1491.It Ev TZ
1492This variable is set to indicate the present time zone if it
1493was set when the daemon was started (i.e. the daemon passes the value
1494on to new connections).
1495.It Ev USER
1496Set to the name of the user logging in.
1497.El
1498.Pp
1499Additionally,
1500.Nm
1501reads
1502.Pa ~/.ssh/environment ,
1503and adds lines of the format
1504.Dq VARNAME=value
1505to the environment if the file exists and users are allowed to
1506change their environment.
1507For more information, see the
1508.Cm PermitUserEnvironment
1509option in
1510.Xr sshd_config 5 .
1511.Sh FILES
1512.Bl -tag -width Ds -compact
1513.It Pa ~/.rhosts
1514This file is used for host-based authentication (see above).
1515On some machines this file may need to be
1516world-readable if the user's home directory is on an NFS partition,
1517because
1518.Xr sshd 8
1519reads it as root.
1520Additionally, this file must be owned by the user,
1521and must not have write permissions for anyone else.
1522The recommended
1523permission for most machines is read/write for the user, and not
1524accessible by others.
1525.Pp
1526.It Pa ~/.shosts
1527This file is used in exactly the same way as
1528.Pa .rhosts ,
1529but allows host-based authentication without permitting login with
1530rlogin/rsh.
1531.Pp
1532.It Pa ~/.ssh/
1533This directory is the default location for all user-specific configuration
1534and authentication information.
1535There is no general requirement to keep the entire contents of this directory
1536secret, but the recommended permissions are read/write/execute for the user,
1537and not accessible by others.
1538.Pp
1539.It Pa ~/.ssh/authorized_keys
1540Lists the public keys (DSA, ECDSA, Ed25519, RSA)
1541that can be used for logging in as this user.
1542The format of this file is described in the
1543.Xr sshd 8
1544manual page.
1545This file is not highly sensitive, but the recommended
1546permissions are read/write for the user, and not accessible by others.
1547.Pp
1548.It Pa ~/.ssh/config
1549This is the per-user configuration file.
1550The file format and configuration options are described in
1551.Xr ssh_config 5 .
1552Because of the potential for abuse, this file must have strict permissions:
1553read/write for the user, and not writable by others.
1554.Pp
1555.It Pa ~/.ssh/environment
1556Contains additional definitions for environment variables; see
1557.Sx ENVIRONMENT ,
1558above.
1559.Pp
1560.It Pa ~/.ssh/id_dsa
1561.It Pa ~/.ssh/id_ecdsa
1562.It Pa ~/.ssh/id_ecdsa_sk
1563.It Pa ~/.ssh/id_ed25519
1564.It Pa ~/.ssh/id_ed25519_sk
1565.It Pa ~/.ssh/id_rsa
1566Contains the private key for authentication.
1567These files
1568contain sensitive data and should be readable by the user but not
1569accessible by others (read/write/execute).
1570.Nm
1571will simply ignore a private key file if it is accessible by others.
1572It is possible to specify a passphrase when
1573generating the key which will be used to encrypt the
1574sensitive part of this file using AES-128.
1575.Pp
1576.It Pa ~/.ssh/id_dsa.pub
1577.It Pa ~/.ssh/id_ecdsa.pub
1578.It Pa ~/.ssh/id_ecdsa_sk.pub
1579.It Pa ~/.ssh/id_ed25519.pub
1580.It Pa ~/.ssh/id_ed25519_sk.pub
1581.It Pa ~/.ssh/id_rsa.pub
1582Contains the public key for authentication.
1583These files are not
1584sensitive and can (but need not) be readable by anyone.
1585.Pp
1586.It Pa ~/.ssh/known_hosts
1587Contains a list of host keys for all hosts the user has logged into
1588that are not already in the systemwide list of known host keys.
1589See
1590.Xr sshd 8
1591for further details of the format of this file.
1592.Pp
1593.It Pa ~/.ssh/rc
1594Commands in this file are executed by
1595.Nm
1596when the user logs in, just before the user's shell (or command) is
1597started.
1598See the
1599.Xr sshd 8
1600manual page for more information.
1601.Pp
1602.It Pa /etc/hosts.equiv
1603This file is for host-based authentication (see above).
1604It should only be writable by root.
1605.Pp
1606.It Pa /etc/shosts.equiv
1607This file is used in exactly the same way as
1608.Pa hosts.equiv ,
1609but allows host-based authentication without permitting login with
1610rlogin/rsh.
1611.Pp
1612.It Pa /etc/ssh/ssh_config
1613Systemwide configuration file.
1614The file format and configuration options are described in
1615.Xr ssh_config 5 .
1616.Pp
1617.It Pa /etc/ssh/ssh_host_key
1618.It Pa /etc/ssh/ssh_host_dsa_key
1619.It Pa /etc/ssh/ssh_host_ecdsa_key
1620.It Pa /etc/ssh/ssh_host_ed25519_key
1621.It Pa /etc/ssh/ssh_host_rsa_key
1622These files contain the private parts of the host keys
1623and are used for host-based authentication.
1624.Pp
1625.It Pa /etc/ssh/ssh_known_hosts
1626Systemwide list of known host keys.
1627This file should be prepared by the
1628system administrator to contain the public host keys of all machines in the
1629organization.
1630It should be world-readable.
1631See
1632.Xr sshd 8
1633for further details of the format of this file.
1634.Pp
1635.It Pa /etc/ssh/sshrc
1636Commands in this file are executed by
1637.Nm
1638when the user logs in, just before the user's shell (or command) is started.
1639See the
1640.Xr sshd 8
1641manual page for more information.
1642.El
1643.Sh EXIT STATUS
1644.Nm
1645exits with the exit status of the remote command or with 255
1646if an error occurred.
1647.Sh SEE ALSO
1648.Xr scp 1 ,
1649.Xr sftp 1 ,
1650.Xr ssh-add 1 ,
1651.Xr ssh-agent 1 ,
1652.Xr ssh-keygen 1 ,
1653.Xr ssh-keyscan 1 ,
1654.Xr tun 4 ,
1655.Xr ssh_config 5 ,
1656.Xr ssh-keysign 8 ,
1657.Xr sshd 8
1658.Sh STANDARDS
1659.Rs
1660.%A S. Lehtinen
1661.%A C. Lonvick
1662.%D January 2006
1663.%R RFC 4250
1664.%T The Secure Shell (SSH) Protocol Assigned Numbers
1665.Re
1666.Pp
1667.Rs
1668.%A T. Ylonen
1669.%A C. Lonvick
1670.%D January 2006
1671.%R RFC 4251
1672.%T The Secure Shell (SSH) Protocol Architecture
1673.Re
1674.Pp
1675.Rs
1676.%A T. Ylonen
1677.%A C. Lonvick
1678.%D January 2006
1679.%R RFC 4252
1680.%T The Secure Shell (SSH) Authentication Protocol
1681.Re
1682.Pp
1683.Rs
1684.%A T. Ylonen
1685.%A C. Lonvick
1686.%D January 2006
1687.%R RFC 4253
1688.%T The Secure Shell (SSH) Transport Layer Protocol
1689.Re
1690.Pp
1691.Rs
1692.%A T. Ylonen
1693.%A C. Lonvick
1694.%D January 2006
1695.%R RFC 4254
1696.%T The Secure Shell (SSH) Connection Protocol
1697.Re
1698.Pp
1699.Rs
1700.%A J. Schlyter
1701.%A W. Griffin
1702.%D January 2006
1703.%R RFC 4255
1704.%T Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
1705.Re
1706.Pp
1707.Rs
1708.%A F. Cusack
1709.%A M. Forssen
1710.%D January 2006
1711.%R RFC 4256
1712.%T Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)
1713.Re
1714.Pp
1715.Rs
1716.%A J. Galbraith
1717.%A P. Remaker
1718.%D January 2006
1719.%R RFC 4335
1720.%T The Secure Shell (SSH) Session Channel Break Extension
1721.Re
1722.Pp
1723.Rs
1724.%A M. Bellare
1725.%A T. Kohno
1726.%A C. Namprempre
1727.%D January 2006
1728.%R RFC 4344
1729.%T The Secure Shell (SSH) Transport Layer Encryption Modes
1730.Re
1731.Pp
1732.Rs
1733.%A B. Harris
1734.%D January 2006
1735.%R RFC 4345
1736.%T Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol
1737.Re
1738.Pp
1739.Rs
1740.%A M. Friedl
1741.%A N. Provos
1742.%A W. Simpson
1743.%D March 2006
1744.%R RFC 4419
1745.%T Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol
1746.Re
1747.Pp
1748.Rs
1749.%A J. Galbraith
1750.%A R. Thayer
1751.%D November 2006
1752.%R RFC 4716
1753.%T The Secure Shell (SSH) Public Key File Format
1754.Re
1755.Pp
1756.Rs
1757.%A D. Stebila
1758.%A J. Green
1759.%D December 2009
1760.%R RFC 5656
1761.%T Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer
1762.Re
1763.Pp
1764.Rs
1765.%A A. Perrig
1766.%A D. Song
1767.%D 1999
1768.%O International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)
1769.%T Hash Visualization: a New Technique to improve Real-World Security
1770.Re
1771.Sh AUTHORS
1772OpenSSH is a derivative of the original and free
1773ssh 1.2.12 release by Tatu Ylonen.
1774Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
1775Theo de Raadt and Dug Song
1776removed many bugs, re-added newer features and
1777created OpenSSH.
1778Markus Friedl contributed the support for SSH
1779protocol versions 1.5 and 2.0.
1780