xref: /freebsd/crypto/openssh/ssh.1 (revision c7046f76c2c027b00c0e6ba57cfd28f1a78f5e23)
1.\"
2.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4.\"                    All rights reserved
5.\"
6.\" As far as I am concerned, the code I have written for this software
7.\" can be used freely for any purpose.  Any derived versions of this
8.\" software must be clearly marked as such, and if the derived work is
9.\" incompatible with the protocol description in the RFC file, it must be
10.\" called by a name other than "ssh" or "Secure Shell".
11.\"
12.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
13.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
14.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
15.\"
16.\" Redistribution and use in source and binary forms, with or without
17.\" modification, are permitted provided that the following conditions
18.\" are met:
19.\" 1. Redistributions of source code must retain the above copyright
20.\"    notice, this list of conditions and the following disclaimer.
21.\" 2. Redistributions in binary form must reproduce the above copyright
22.\"    notice, this list of conditions and the following disclaimer in the
23.\"    documentation and/or other materials provided with the distribution.
24.\"
25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\"
36.\" $OpenBSD: ssh.1,v 1.430 2022/03/31 17:27:27 naddy Exp $
37.Dd $Mdocdate: March 31 2022 $
38.Dt SSH 1
39.Os
40.Sh NAME
41.Nm ssh
42.Nd OpenSSH remote login client
43.Sh SYNOPSIS
44.Nm ssh
45.Op Fl 46AaCfGgKkMNnqsTtVvXxYy
46.Op Fl B Ar bind_interface
47.Op Fl b Ar bind_address
48.Op Fl c Ar cipher_spec
49.Op Fl D Oo Ar bind_address : Oc Ns Ar port
50.Op Fl E Ar log_file
51.Op Fl e Ar escape_char
52.Op Fl F Ar configfile
53.Op Fl I Ar pkcs11
54.Op Fl i Ar identity_file
55.Op Fl J Ar destination
56.Op Fl L Ar address
57.Op Fl l Ar login_name
58.Op Fl m Ar mac_spec
59.Op Fl O Ar ctl_cmd
60.Op Fl o Ar option
61.Op Fl p Ar port
62.Op Fl Q Ar query_option
63.Op Fl R Ar address
64.Op Fl S Ar ctl_path
65.Op Fl W Ar host : Ns Ar port
66.Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun
67.Ar destination
68.Op Ar command Op Ar argument ...
69.Sh DESCRIPTION
70.Nm
71(SSH client) is a program for logging into a remote machine and for
72executing commands on a remote machine.
73It is intended to provide secure encrypted communications between
74two untrusted hosts over an insecure network.
75X11 connections, arbitrary TCP ports and
76.Ux Ns -domain
77sockets can also be forwarded over the secure channel.
78.Pp
79.Nm
80connects and logs into the specified
81.Ar destination ,
82which may be specified as either
83.Sm off
84.Oo user @ Oc hostname
85.Sm on
86or a URI of the form
87.Sm off
88.No ssh:// Oo user @ Oc hostname Op : port .
89.Sm on
90The user must prove
91their identity to the remote machine using one of several methods
92(see below).
93.Pp
94If a
95.Ar command
96is specified,
97it will be executed on the remote host instead of a login shell.
98A complete command line may be specified as
99.Ar command ,
100or it may have additional arguments.
101If supplied, the arguments will be appended to the command, separated by
102spaces, before it is sent to the server to be executed.
103.Pp
104The options are as follows:
105.Pp
106.Bl -tag -width Ds -compact
107.It Fl 4
108Forces
109.Nm
110to use IPv4 addresses only.
111.Pp
112.It Fl 6
113Forces
114.Nm
115to use IPv6 addresses only.
116.Pp
117.It Fl A
118Enables forwarding of connections from an authentication agent such as
119.Xr ssh-agent 1 .
120This can also be specified on a per-host basis in a configuration file.
121.Pp
122Agent forwarding should be enabled with caution.
123Users with the ability to bypass file permissions on the remote host
124(for the agent's
125.Ux Ns -domain
126socket) can access the local agent through the forwarded connection.
127An attacker cannot obtain key material from the agent,
128however they can perform operations on the keys that enable them to
129authenticate using the identities loaded into the agent.
130A safer alternative may be to use a jump host
131(see
132.Fl J ) .
133.Pp
134.It Fl a
135Disables forwarding of the authentication agent connection.
136.Pp
137.It Fl B Ar bind_interface
138Bind to the address of
139.Ar bind_interface
140before attempting to connect to the destination host.
141This is only useful on systems with more than one address.
142.Pp
143.It Fl b Ar bind_address
144Use
145.Ar bind_address
146on the local machine as the source address
147of the connection.
148Only useful on systems with more than one address.
149.Pp
150.It Fl C
151Requests compression of all data (including stdin, stdout, stderr, and
152data for forwarded X11, TCP and
153.Ux Ns -domain
154connections).
155The compression algorithm is the same used by
156.Xr gzip 1 .
157Compression is desirable on modem lines and other
158slow connections, but will only slow down things on fast networks.
159The default value can be set on a host-by-host basis in the
160configuration files; see the
161.Cm Compression
162option.
163.Pp
164.It Fl c Ar cipher_spec
165Selects the cipher specification for encrypting the session.
166.Ar cipher_spec
167is a comma-separated list of ciphers
168listed in order of preference.
169See the
170.Cm Ciphers
171keyword in
172.Xr ssh_config 5
173for more information.
174.Pp
175.It Fl D Xo
176.Sm off
177.Oo Ar bind_address : Oc
178.Ar port
179.Sm on
180.Xc
181Specifies a local
182.Dq dynamic
183application-level port forwarding.
184This works by allocating a socket to listen to
185.Ar port
186on the local side, optionally bound to the specified
187.Ar bind_address .
188Whenever a connection is made to this port, the
189connection is forwarded over the secure channel, and the application
190protocol is then used to determine where to connect to from the
191remote machine.
192Currently the SOCKS4 and SOCKS5 protocols are supported, and
193.Nm
194will act as a SOCKS server.
195Only root can forward privileged ports.
196Dynamic port forwardings can also be specified in the configuration file.
197.Pp
198IPv6 addresses can be specified by enclosing the address in square brackets.
199Only the superuser can forward privileged ports.
200By default, the local port is bound in accordance with the
201.Cm GatewayPorts
202setting.
203However, an explicit
204.Ar bind_address
205may be used to bind the connection to a specific address.
206The
207.Ar bind_address
208of
209.Dq localhost
210indicates that the listening port be bound for local use only, while an
211empty address or
212.Sq *
213indicates that the port should be available from all interfaces.
214.Pp
215.It Fl E Ar log_file
216Append debug logs to
217.Ar log_file
218instead of standard error.
219.Pp
220.It Fl e Ar escape_char
221Sets the escape character for sessions with a pty (default:
222.Ql ~ ) .
223The escape character is only recognized at the beginning of a line.
224The escape character followed by a dot
225.Pq Ql \&.
226closes the connection;
227followed by control-Z suspends the connection;
228and followed by itself sends the escape character once.
229Setting the character to
230.Dq none
231disables any escapes and makes the session fully transparent.
232.Pp
233.It Fl F Ar configfile
234Specifies an alternative per-user configuration file.
235If a configuration file is given on the command line,
236the system-wide configuration file
237.Pq Pa /etc/ssh/ssh_config
238will be ignored.
239The default for the per-user configuration file is
240.Pa ~/.ssh/config .
241If set to
242.Dq none ,
243no configuration files will be read.
244.Pp
245.It Fl f
246Requests
247.Nm
248to go to background just before command execution.
249This is useful if
250.Nm
251is going to ask for passwords or passphrases, but the user
252wants it in the background.
253This implies
254.Fl n .
255The recommended way to start X11 programs at a remote site is with
256something like
257.Ic ssh -f host xterm .
258.Pp
259If the
260.Cm ExitOnForwardFailure
261configuration option is set to
262.Dq yes ,
263then a client started with
264.Fl f
265will wait for all remote port forwards to be successfully established
266before placing itself in the background.
267Refer to the description of
268.Cm ForkAfterAuthentication
269in
270.Xr ssh_config 5
271for details.
272.Pp
273.It Fl G
274Causes
275.Nm
276to print its configuration after evaluating
277.Cm Host
278and
279.Cm Match
280blocks and exit.
281.Pp
282.It Fl g
283Allows remote hosts to connect to local forwarded ports.
284If used on a multiplexed connection, then this option must be specified
285on the master process.
286.Pp
287.It Fl I Ar pkcs11
288Specify the PKCS#11 shared library
289.Nm
290should use to communicate with a PKCS#11 token providing keys for user
291authentication.
292.Pp
293.It Fl i Ar identity_file
294Selects a file from which the identity (private key) for
295public key authentication is read.
296You can also specify a public key file to use the corresponding
297private key that is loaded in
298.Xr ssh-agent 1
299when the private key file is not present locally.
300The default is
301.Pa ~/.ssh/id_rsa ,
302.Pa ~/.ssh/id_ecdsa ,
303.Pa ~/.ssh/id_ecdsa_sk ,
304.Pa ~/.ssh/id_ed25519 ,
305.Pa ~/.ssh/id_ed25519_sk
306and
307.Pa ~/.ssh/id_dsa .
308Identity files may also be specified on
309a per-host basis in the configuration file.
310It is possible to have multiple
311.Fl i
312options (and multiple identities specified in
313configuration files).
314If no certificates have been explicitly specified by the
315.Cm CertificateFile
316directive,
317.Nm
318will also try to load certificate information from the filename obtained
319by appending
320.Pa -cert.pub
321to identity filenames.
322.Pp
323.It Fl J Ar destination
324Connect to the target host by first making a
325.Nm
326connection to the jump host described by
327.Ar destination
328and then establishing a TCP forwarding to the ultimate destination from
329there.
330Multiple jump hops may be specified separated by comma characters.
331This is a shortcut to specify a
332.Cm ProxyJump
333configuration directive.
334Note that configuration directives supplied on the command-line generally
335apply to the destination host and not any specified jump hosts.
336Use
337.Pa ~/.ssh/config
338to specify configuration for jump hosts.
339.Pp
340.It Fl K
341Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI
342credentials to the server.
343.Pp
344.It Fl k
345Disables forwarding (delegation) of GSSAPI credentials to the server.
346.Pp
347.It Fl L Xo
348.Sm off
349.Oo Ar bind_address : Oc
350.Ar port : host : hostport
351.Sm on
352.Xc
353.It Fl L Xo
354.Sm off
355.Oo Ar bind_address : Oc
356.Ar port : remote_socket
357.Sm on
358.Xc
359.It Fl L Xo
360.Sm off
361.Ar local_socket : host : hostport
362.Sm on
363.Xc
364.It Fl L Xo
365.Sm off
366.Ar local_socket : remote_socket
367.Sm on
368.Xc
369Specifies that connections to the given TCP port or Unix socket on the local
370(client) host are to be forwarded to the given host and port, or Unix socket,
371on the remote side.
372This works by allocating a socket to listen to either a TCP
373.Ar port
374on the local side, optionally bound to the specified
375.Ar bind_address ,
376or to a Unix socket.
377Whenever a connection is made to the local port or socket, the
378connection is forwarded over the secure channel, and a connection is
379made to either
380.Ar host
381port
382.Ar hostport ,
383or the Unix socket
384.Ar remote_socket ,
385from the remote machine.
386.Pp
387Port forwardings can also be specified in the configuration file.
388Only the superuser can forward privileged ports.
389IPv6 addresses can be specified by enclosing the address in square brackets.
390.Pp
391By default, the local port is bound in accordance with the
392.Cm GatewayPorts
393setting.
394However, an explicit
395.Ar bind_address
396may be used to bind the connection to a specific address.
397The
398.Ar bind_address
399of
400.Dq localhost
401indicates that the listening port be bound for local use only, while an
402empty address or
403.Sq *
404indicates that the port should be available from all interfaces.
405.Pp
406.It Fl l Ar login_name
407Specifies the user to log in as on the remote machine.
408This also may be specified on a per-host basis in the configuration file.
409.Pp
410.It Fl M
411Places the
412.Nm
413client into
414.Dq master
415mode for connection sharing.
416Multiple
417.Fl M
418options places
419.Nm
420into
421.Dq master
422mode but with confirmation required using
423.Xr ssh-askpass 1
424before each operation that changes the multiplexing state
425(e.g. opening a new session).
426Refer to the description of
427.Cm ControlMaster
428in
429.Xr ssh_config 5
430for details.
431.Pp
432.It Fl m Ar mac_spec
433A comma-separated list of MAC (message authentication code) algorithms,
434specified in order of preference.
435See the
436.Cm MACs
437keyword for more information.
438.Pp
439.It Fl N
440Do not execute a remote command.
441This is useful for just forwarding ports.
442Refer to the description of
443.Cm SessionType
444in
445.Xr ssh_config 5
446for details.
447.Pp
448.It Fl n
449Redirects stdin from
450.Pa /dev/null
451(actually, prevents reading from stdin).
452This must be used when
453.Nm
454is run in the background.
455A common trick is to use this to run X11 programs on a remote machine.
456For example,
457.Ic ssh -n shadows.cs.hut.fi emacs &
458will start an emacs on shadows.cs.hut.fi, and the X11
459connection will be automatically forwarded over an encrypted channel.
460The
461.Nm
462program will be put in the background.
463(This does not work if
464.Nm
465needs to ask for a password or passphrase; see also the
466.Fl f
467option.)
468Refer to the description of
469.Cm StdinNull
470in
471.Xr ssh_config 5
472for details.
473.Pp
474.It Fl O Ar ctl_cmd
475Control an active connection multiplexing master process.
476When the
477.Fl O
478option is specified, the
479.Ar ctl_cmd
480argument is interpreted and passed to the master process.
481Valid commands are:
482.Dq check
483(check that the master process is running),
484.Dq forward
485(request forwardings without command execution),
486.Dq cancel
487(cancel forwardings),
488.Dq exit
489(request the master to exit), and
490.Dq stop
491(request the master to stop accepting further multiplexing requests).
492.Pp
493.It Fl o Ar option
494Can be used to give options in the format used in the configuration file.
495This is useful for specifying options for which there is no separate
496command-line flag.
497For full details of the options listed below, and their possible values, see
498.Xr ssh_config 5 .
499.Pp
500.Bl -tag -width Ds -offset indent -compact
501.It AddKeysToAgent
502.It AddressFamily
503.It BatchMode
504.It BindAddress
505.It CanonicalDomains
506.It CanonicalizeFallbackLocal
507.It CanonicalizeHostname
508.It CanonicalizeMaxDots
509.It CanonicalizePermittedCNAMEs
510.It CASignatureAlgorithms
511.It CertificateFile
512.It CheckHostIP
513.It Ciphers
514.It ClearAllForwardings
515.It Compression
516.It ConnectionAttempts
517.It ConnectTimeout
518.It ControlMaster
519.It ControlPath
520.It ControlPersist
521.It DynamicForward
522.It EscapeChar
523.It ExitOnForwardFailure
524.It FingerprintHash
525.It ForkAfterAuthentication
526.It ForwardAgent
527.It ForwardX11
528.It ForwardX11Timeout
529.It ForwardX11Trusted
530.It GatewayPorts
531.It GlobalKnownHostsFile
532.It GSSAPIAuthentication
533.It GSSAPIDelegateCredentials
534.It HashKnownHosts
535.It Host
536.It HostbasedAcceptedAlgorithms
537.It HostbasedAuthentication
538.It HostKeyAlgorithms
539.It HostKeyAlias
540.It Hostname
541.It IdentitiesOnly
542.It IdentityAgent
543.It IdentityFile
544.It IPQoS
545.It KbdInteractiveAuthentication
546.It KbdInteractiveDevices
547.It KexAlgorithms
548.It KnownHostsCommand
549.It LocalCommand
550.It LocalForward
551.It LogLevel
552.It MACs
553.It Match
554.It NoHostAuthenticationForLocalhost
555.It NumberOfPasswordPrompts
556.It PasswordAuthentication
557.It PermitLocalCommand
558.It PermitRemoteOpen
559.It PKCS11Provider
560.It Port
561.It PreferredAuthentications
562.It ProxyCommand
563.It ProxyJump
564.It ProxyUseFdpass
565.It PubkeyAcceptedAlgorithms
566.It PubkeyAuthentication
567.It RekeyLimit
568.It RemoteCommand
569.It RemoteForward
570.It RequestTTY
571.It SendEnv
572.It ServerAliveInterval
573.It ServerAliveCountMax
574.It SessionType
575.It SetEnv
576.It StdinNull
577.It StreamLocalBindMask
578.It StreamLocalBindUnlink
579.It StrictHostKeyChecking
580.It TCPKeepAlive
581.It Tunnel
582.It TunnelDevice
583.It UpdateHostKeys
584.It User
585.It UserKnownHostsFile
586.It VerifyHostKeyDNS
587.It VisualHostKey
588.It XAuthLocation
589.El
590.Pp
591.It Fl p Ar port
592Port to connect to on the remote host.
593This can be specified on a
594per-host basis in the configuration file.
595.Pp
596.It Fl Q Ar query_option
597Queries for the algorithms supported by one of the following features:
598.Ar cipher
599(supported symmetric ciphers),
600.Ar cipher-auth
601(supported symmetric ciphers that support authenticated encryption),
602.Ar help
603(supported query terms for use with the
604.Fl Q
605flag),
606.Ar mac
607(supported message integrity codes),
608.Ar kex
609(key exchange algorithms),
610.Ar key
611(key types),
612.Ar key-cert
613(certificate key types),
614.Ar key-plain
615(non-certificate key types),
616.Ar key-sig
617(all key types and signature algorithms),
618.Ar protocol-version
619(supported SSH protocol versions), and
620.Ar sig
621(supported signature algorithms).
622Alternatively, any keyword from
623.Xr ssh_config 5
624or
625.Xr sshd_config 5
626that takes an algorithm list may be used as an alias for the corresponding
627query_option.
628.Pp
629.It Fl q
630Quiet mode.
631Causes most warning and diagnostic messages to be suppressed.
632.Pp
633.It Fl R Xo
634.Sm off
635.Oo Ar bind_address : Oc
636.Ar port : host : hostport
637.Sm on
638.Xc
639.It Fl R Xo
640.Sm off
641.Oo Ar bind_address : Oc
642.Ar port : local_socket
643.Sm on
644.Xc
645.It Fl R Xo
646.Sm off
647.Ar remote_socket : host : hostport
648.Sm on
649.Xc
650.It Fl R Xo
651.Sm off
652.Ar remote_socket : local_socket
653.Sm on
654.Xc
655.It Fl R Xo
656.Sm off
657.Oo Ar bind_address : Oc
658.Ar port
659.Sm on
660.Xc
661Specifies that connections to the given TCP port or Unix socket on the remote
662(server) host are to be forwarded to the local side.
663.Pp
664This works by allocating a socket to listen to either a TCP
665.Ar port
666or to a Unix socket on the remote side.
667Whenever a connection is made to this port or Unix socket, the
668connection is forwarded over the secure channel, and a connection
669is made from the local machine to either an explicit destination specified by
670.Ar host
671port
672.Ar hostport ,
673or
674.Ar local_socket ,
675or, if no explicit destination was specified,
676.Nm
677will act as a SOCKS 4/5 proxy and forward connections to the destinations
678requested by the remote SOCKS client.
679.Pp
680Port forwardings can also be specified in the configuration file.
681Privileged ports can be forwarded only when
682logging in as root on the remote machine.
683IPv6 addresses can be specified by enclosing the address in square brackets.
684.Pp
685By default, TCP listening sockets on the server will be bound to the loopback
686interface only.
687This may be overridden by specifying a
688.Ar bind_address .
689An empty
690.Ar bind_address ,
691or the address
692.Ql * ,
693indicates that the remote socket should listen on all interfaces.
694Specifying a remote
695.Ar bind_address
696will only succeed if the server's
697.Cm GatewayPorts
698option is enabled (see
699.Xr sshd_config 5 ) .
700.Pp
701If the
702.Ar port
703argument is
704.Ql 0 ,
705the listen port will be dynamically allocated on the server and reported
706to the client at run time.
707When used together with
708.Ic -O forward ,
709the allocated port will be printed to the standard output.
710.Pp
711.It Fl S Ar ctl_path
712Specifies the location of a control socket for connection sharing,
713or the string
714.Dq none
715to disable connection sharing.
716Refer to the description of
717.Cm ControlPath
718and
719.Cm ControlMaster
720in
721.Xr ssh_config 5
722for details.
723.Pp
724.It Fl s
725May be used to request invocation of a subsystem on the remote system.
726Subsystems facilitate the use of SSH
727as a secure transport for other applications (e.g.\&
728.Xr sftp 1 ) .
729The subsystem is specified as the remote command.
730Refer to the description of
731.Cm SessionType
732in
733.Xr ssh_config 5
734for details.
735.Pp
736.It Fl T
737Disable pseudo-terminal allocation.
738.Pp
739.It Fl t
740Force pseudo-terminal allocation.
741This can be used to execute arbitrary
742screen-based programs on a remote machine, which can be very useful,
743e.g. when implementing menu services.
744Multiple
745.Fl t
746options force tty allocation, even if
747.Nm
748has no local tty.
749.Pp
750.It Fl V
751Display the version number and exit.
752.Pp
753.It Fl v
754Verbose mode.
755Causes
756.Nm
757to print debugging messages about its progress.
758This is helpful in
759debugging connection, authentication, and configuration problems.
760Multiple
761.Fl v
762options increase the verbosity.
763The maximum is 3.
764.Pp
765.It Fl W Ar host : Ns Ar port
766Requests that standard input and output on the client be forwarded to
767.Ar host
768on
769.Ar port
770over the secure channel.
771Implies
772.Fl N ,
773.Fl T ,
774.Cm ExitOnForwardFailure
775and
776.Cm ClearAllForwardings ,
777though these can be overridden in the configuration file or using
778.Fl o
779command line options.
780.Pp
781.It Fl w Xo
782.Ar local_tun Ns Op : Ns Ar remote_tun
783.Xc
784Requests
785tunnel
786device forwarding with the specified
787.Xr tun 4
788devices between the client
789.Pq Ar local_tun
790and the server
791.Pq Ar remote_tun .
792.Pp
793The devices may be specified by numerical ID or the keyword
794.Dq any ,
795which uses the next available tunnel device.
796If
797.Ar remote_tun
798is not specified, it defaults to
799.Dq any .
800See also the
801.Cm Tunnel
802and
803.Cm TunnelDevice
804directives in
805.Xr ssh_config 5 .
806.Pp
807If the
808.Cm Tunnel
809directive is unset, it will be set to the default tunnel mode, which is
810.Dq point-to-point .
811If a different
812.Cm Tunnel
813forwarding mode it desired, then it should be specified before
814.Fl w .
815.Pp
816.It Fl X
817Enables X11 forwarding.
818This can also be specified on a per-host basis in a configuration file.
819.Pp
820X11 forwarding should be enabled with caution.
821Users with the ability to bypass file permissions on the remote host
822(for the user's X authorization database)
823can access the local X11 display through the forwarded connection.
824An attacker may then be able to perform activities such as keystroke monitoring.
825.Pp
826For this reason, X11 forwarding is subjected to X11 SECURITY extension
827restrictions by default.
828Refer to the
829.Nm
830.Fl Y
831option and the
832.Cm ForwardX11Trusted
833directive in
834.Xr ssh_config 5
835for more information.
836.Pp
837.It Fl x
838Disables X11 forwarding.
839.Pp
840.It Fl Y
841Enables trusted X11 forwarding.
842Trusted X11 forwardings are not subjected to the X11 SECURITY extension
843controls.
844.Pp
845.It Fl y
846Send log information using the
847.Xr syslog 3
848system module.
849By default this information is sent to stderr.
850.El
851.Pp
852.Nm
853may additionally obtain configuration data from
854a per-user configuration file and a system-wide configuration file.
855The file format and configuration options are described in
856.Xr ssh_config 5 .
857.Sh AUTHENTICATION
858The OpenSSH SSH client supports SSH protocol 2.
859.Pp
860The methods available for authentication are:
861GSSAPI-based authentication,
862host-based authentication,
863public key authentication,
864keyboard-interactive authentication,
865and password authentication.
866Authentication methods are tried in the order specified above,
867though
868.Cm PreferredAuthentications
869can be used to change the default order.
870.Pp
871Host-based authentication works as follows:
872If the machine the user logs in from is listed in
873.Pa /etc/hosts.equiv
874or
875.Pa /etc/shosts.equiv
876on the remote machine, the user is non-root and the user names are
877the same on both sides, or if the files
878.Pa ~/.rhosts
879or
880.Pa ~/.shosts
881exist in the user's home directory on the
882remote machine and contain a line containing the name of the client
883machine and the name of the user on that machine, the user is
884considered for login.
885Additionally, the server
886.Em must
887be able to verify the client's
888host key (see the description of
889.Pa /etc/ssh/ssh_known_hosts
890and
891.Pa ~/.ssh/known_hosts ,
892below)
893for login to be permitted.
894This authentication method closes security holes due to IP
895spoofing, DNS spoofing, and routing spoofing.
896[Note to the administrator:
897.Pa /etc/hosts.equiv ,
898.Pa ~/.rhosts ,
899and the rlogin/rsh protocol in general, are inherently insecure and should be
900disabled if security is desired.]
901.Pp
902Public key authentication works as follows:
903The scheme is based on public-key cryptography,
904using cryptosystems
905where encryption and decryption are done using separate keys,
906and it is unfeasible to derive the decryption key from the encryption key.
907The idea is that each user creates a public/private
908key pair for authentication purposes.
909The server knows the public key, and only the user knows the private key.
910.Nm
911implements public key authentication protocol automatically,
912using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
913The HISTORY section of
914.Xr ssl 8
915contains a brief discussion of the DSA and RSA algorithms.
916.Pp
917The file
918.Pa ~/.ssh/authorized_keys
919lists the public keys that are permitted for logging in.
920When the user logs in, the
921.Nm
922program tells the server which key pair it would like to use for
923authentication.
924The client proves that it has access to the private key
925and the server checks that the corresponding public key
926is authorized to accept the account.
927.Pp
928The server may inform the client of errors that prevented public key
929authentication from succeeding after authentication completes using a
930different method.
931These may be viewed by increasing the
932.Cm LogLevel
933to
934.Cm DEBUG
935or higher (e.g. by using the
936.Fl v
937flag).
938.Pp
939The user creates their key pair by running
940.Xr ssh-keygen 1 .
941This stores the private key in
942.Pa ~/.ssh/id_dsa
943(DSA),
944.Pa ~/.ssh/id_ecdsa
945(ECDSA),
946.Pa ~/.ssh/id_ecdsa_sk
947(authenticator-hosted ECDSA),
948.Pa ~/.ssh/id_ed25519
949(Ed25519),
950.Pa ~/.ssh/id_ed25519_sk
951(authenticator-hosted Ed25519),
952or
953.Pa ~/.ssh/id_rsa
954(RSA)
955and stores the public key in
956.Pa ~/.ssh/id_dsa.pub
957(DSA),
958.Pa ~/.ssh/id_ecdsa.pub
959(ECDSA),
960.Pa ~/.ssh/id_ecdsa_sk.pub
961(authenticator-hosted ECDSA),
962.Pa ~/.ssh/id_ed25519.pub
963(Ed25519),
964.Pa ~/.ssh/id_ed25519_sk.pub
965(authenticator-hosted Ed25519),
966or
967.Pa ~/.ssh/id_rsa.pub
968(RSA)
969in the user's home directory.
970The user should then copy the public key
971to
972.Pa ~/.ssh/authorized_keys
973in their home directory on the remote machine.
974The
975.Pa authorized_keys
976file corresponds to the conventional
977.Pa ~/.rhosts
978file, and has one key
979per line, though the lines can be very long.
980After this, the user can log in without giving the password.
981.Pp
982A variation on public key authentication
983is available in the form of certificate authentication:
984instead of a set of public/private keys,
985signed certificates are used.
986This has the advantage that a single trusted certification authority
987can be used in place of many public/private keys.
988See the CERTIFICATES section of
989.Xr ssh-keygen 1
990for more information.
991.Pp
992The most convenient way to use public key or certificate authentication
993may be with an authentication agent.
994See
995.Xr ssh-agent 1
996and (optionally) the
997.Cm AddKeysToAgent
998directive in
999.Xr ssh_config 5
1000for more information.
1001.Pp
1002Keyboard-interactive authentication works as follows:
1003The server sends an arbitrary
1004.Qq challenge
1005text and prompts for a response, possibly multiple times.
1006Examples of keyboard-interactive authentication include
1007.Bx
1008Authentication (see
1009.Xr login.conf 5 )
1010and PAM (some
1011.Pf non- Ox
1012systems).
1013.Pp
1014Finally, if other authentication methods fail,
1015.Nm
1016prompts the user for a password.
1017The password is sent to the remote
1018host for checking; however, since all communications are encrypted,
1019the password cannot be seen by someone listening on the network.
1020.Pp
1021.Nm
1022automatically maintains and checks a database containing
1023identification for all hosts it has ever been used with.
1024Host keys are stored in
1025.Pa ~/.ssh/known_hosts
1026in the user's home directory.
1027Additionally, the file
1028.Pa /etc/ssh/ssh_known_hosts
1029is automatically checked for known hosts.
1030Any new hosts are automatically added to the user's file.
1031If a host's identification ever changes,
1032.Nm
1033warns about this and disables password authentication to prevent
1034server spoofing or man-in-the-middle attacks,
1035which could otherwise be used to circumvent the encryption.
1036The
1037.Cm StrictHostKeyChecking
1038option can be used to control logins to machines whose
1039host key is not known or has changed.
1040.Pp
1041When the user's identity has been accepted by the server, the server
1042either executes the given command in a non-interactive session or,
1043if no command has been specified, logs into the machine and gives
1044the user a normal shell as an interactive session.
1045All communication with
1046the remote command or shell will be automatically encrypted.
1047.Pp
1048If an interactive session is requested,
1049.Nm
1050by default will only request a pseudo-terminal (pty) for interactive
1051sessions when the client has one.
1052The flags
1053.Fl T
1054and
1055.Fl t
1056can be used to override this behaviour.
1057.Pp
1058If a pseudo-terminal has been allocated, the
1059user may use the escape characters noted below.
1060.Pp
1061If no pseudo-terminal has been allocated,
1062the session is transparent and can be used to reliably transfer binary data.
1063On most systems, setting the escape character to
1064.Dq none
1065will also make the session transparent even if a tty is used.
1066.Pp
1067The session terminates when the command or shell on the remote
1068machine exits and all X11 and TCP connections have been closed.
1069.Sh ESCAPE CHARACTERS
1070When a pseudo-terminal has been requested,
1071.Nm
1072supports a number of functions through the use of an escape character.
1073.Pp
1074A single tilde character can be sent as
1075.Ic ~~
1076or by following the tilde by a character other than those described below.
1077The escape character must always follow a newline to be interpreted as
1078special.
1079The escape character can be changed in configuration files using the
1080.Cm EscapeChar
1081configuration directive or on the command line by the
1082.Fl e
1083option.
1084.Pp
1085The supported escapes (assuming the default
1086.Ql ~ )
1087are:
1088.Bl -tag -width Ds
1089.It Cm ~.
1090Disconnect.
1091.It Cm ~^Z
1092Background
1093.Nm .
1094.It Cm ~#
1095List forwarded connections.
1096.It Cm ~&
1097Background
1098.Nm
1099at logout when waiting for forwarded connection / X11 sessions to terminate.
1100.It Cm ~?
1101Display a list of escape characters.
1102.It Cm ~B
1103Send a BREAK to the remote system
1104(only useful if the peer supports it).
1105.It Cm ~C
1106Open command line.
1107Currently this allows the addition of port forwardings using the
1108.Fl L ,
1109.Fl R
1110and
1111.Fl D
1112options (see above).
1113It also allows the cancellation of existing port-forwardings
1114with
1115.Sm off
1116.Fl KL Oo Ar bind_address : Oc Ar port
1117.Sm on
1118for local,
1119.Sm off
1120.Fl KR Oo Ar bind_address : Oc Ar port
1121.Sm on
1122for remote and
1123.Sm off
1124.Fl KD Oo Ar bind_address : Oc Ar port
1125.Sm on
1126for dynamic port-forwardings.
1127.Ic !\& Ns Ar command
1128allows the user to execute a local command if the
1129.Ic PermitLocalCommand
1130option is enabled in
1131.Xr ssh_config 5 .
1132Basic help is available, using the
1133.Fl h
1134option.
1135.It Cm ~R
1136Request rekeying of the connection
1137(only useful if the peer supports it).
1138.It Cm ~V
1139Decrease the verbosity
1140.Pq Ic LogLevel
1141when errors are being written to stderr.
1142.It Cm ~v
1143Increase the verbosity
1144.Pq Ic LogLevel
1145when errors are being written to stderr.
1146.El
1147.Sh TCP FORWARDING
1148Forwarding of arbitrary TCP connections over a secure channel
1149can be specified either on the command line or in a configuration file.
1150One possible application of TCP forwarding is a secure connection to a
1151mail server; another is going through firewalls.
1152.Pp
1153In the example below, we look at encrypting communication for an IRC client,
1154even though the IRC server it connects to does not directly
1155support encrypted communication.
1156This works as follows:
1157the user connects to the remote host using
1158.Nm ,
1159specifying the ports to be used to forward the connection.
1160After that it is possible to start the program locally,
1161and
1162.Nm
1163will encrypt and forward the connection to the remote server.
1164.Pp
1165The following example tunnels an IRC session from the client
1166to an IRC server at
1167.Dq server.example.com ,
1168joining channel
1169.Dq #users ,
1170nickname
1171.Dq pinky ,
1172using the standard IRC port, 6667:
1173.Bd -literal -offset 4n
1174$ ssh -f -L 6667:localhost:6667 server.example.com sleep 10
1175$ irc -c '#users' pinky IRC/127.0.0.1
1176.Ed
1177.Pp
1178The
1179.Fl f
1180option backgrounds
1181.Nm
1182and the remote command
1183.Dq sleep 10
1184is specified to allow an amount of time
1185(10 seconds, in the example)
1186to start the program which is going to use the tunnel.
1187If no connections are made within the time specified,
1188.Nm
1189will exit.
1190.Sh X11 FORWARDING
1191If the
1192.Cm ForwardX11
1193variable is set to
1194.Dq yes
1195(or see the description of the
1196.Fl X ,
1197.Fl x ,
1198and
1199.Fl Y
1200options above)
1201and the user is using X11 (the
1202.Ev DISPLAY
1203environment variable is set), the connection to the X11 display is
1204automatically forwarded to the remote side in such a way that any X11
1205programs started from the shell (or command) will go through the
1206encrypted channel, and the connection to the real X server will be made
1207from the local machine.
1208The user should not manually set
1209.Ev DISPLAY .
1210Forwarding of X11 connections can be
1211configured on the command line or in configuration files.
1212.Pp
1213The
1214.Ev DISPLAY
1215value set by
1216.Nm
1217will point to the server machine, but with a display number greater than zero.
1218This is normal, and happens because
1219.Nm
1220creates a
1221.Dq proxy
1222X server on the server machine for forwarding the
1223connections over the encrypted channel.
1224.Pp
1225.Nm
1226will also automatically set up Xauthority data on the server machine.
1227For this purpose, it will generate a random authorization cookie,
1228store it in Xauthority on the server, and verify that any forwarded
1229connections carry this cookie and replace it by the real cookie when
1230the connection is opened.
1231The real authentication cookie is never
1232sent to the server machine (and no cookies are sent in the plain).
1233.Pp
1234If the
1235.Cm ForwardAgent
1236variable is set to
1237.Dq yes
1238(or see the description of the
1239.Fl A
1240and
1241.Fl a
1242options above) and
1243the user is using an authentication agent, the connection to the agent
1244is automatically forwarded to the remote side.
1245.Sh VERIFYING HOST KEYS
1246When connecting to a server for the first time,
1247a fingerprint of the server's public key is presented to the user
1248(unless the option
1249.Cm StrictHostKeyChecking
1250has been disabled).
1251Fingerprints can be determined using
1252.Xr ssh-keygen 1 :
1253.Pp
1254.Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
1255.Pp
1256If the fingerprint is already known, it can be matched
1257and the key can be accepted or rejected.
1258If only legacy (MD5) fingerprints for the server are available, the
1259.Xr ssh-keygen 1
1260.Fl E
1261option may be used to downgrade the fingerprint algorithm to match.
1262.Pp
1263Because of the difficulty of comparing host keys
1264just by looking at fingerprint strings,
1265there is also support to compare host keys visually,
1266using
1267.Em random art .
1268By setting the
1269.Cm VisualHostKey
1270option to
1271.Dq yes ,
1272a small ASCII graphic gets displayed on every login to a server, no matter
1273if the session itself is interactive or not.
1274By learning the pattern a known server produces, a user can easily
1275find out that the host key has changed when a completely different pattern
1276is displayed.
1277Because these patterns are not unambiguous however, a pattern that looks
1278similar to the pattern remembered only gives a good probability that the
1279host key is the same, not guaranteed proof.
1280.Pp
1281To get a listing of the fingerprints along with their random art for
1282all known hosts, the following command line can be used:
1283.Pp
1284.Dl $ ssh-keygen -lv -f ~/.ssh/known_hosts
1285.Pp
1286If the fingerprint is unknown,
1287an alternative method of verification is available:
1288SSH fingerprints verified by DNS.
1289An additional resource record (RR),
1290SSHFP,
1291is added to a zonefile
1292and the connecting client is able to match the fingerprint
1293with that of the key presented.
1294.Pp
1295In this example, we are connecting a client to a server,
1296.Dq host.example.com .
1297The SSHFP resource records should first be added to the zonefile for
1298host.example.com:
1299.Bd -literal -offset indent
1300$ ssh-keygen -r host.example.com.
1301.Ed
1302.Pp
1303The output lines will have to be added to the zonefile.
1304To check that the zone is answering fingerprint queries:
1305.Pp
1306.Dl $ dig -t SSHFP host.example.com
1307.Pp
1308Finally the client connects:
1309.Bd -literal -offset indent
1310$ ssh -o "VerifyHostKeyDNS ask" host.example.com
1311[...]
1312Matching host key fingerprint found in DNS.
1313Are you sure you want to continue connecting (yes/no)?
1314.Ed
1315.Pp
1316See the
1317.Cm VerifyHostKeyDNS
1318option in
1319.Xr ssh_config 5
1320for more information.
1321.Sh SSH-BASED VIRTUAL PRIVATE NETWORKS
1322.Nm
1323contains support for Virtual Private Network (VPN) tunnelling
1324using the
1325.Xr tun 4
1326network pseudo-device,
1327allowing two networks to be joined securely.
1328The
1329.Xr sshd_config 5
1330configuration option
1331.Cm PermitTunnel
1332controls whether the server supports this,
1333and at what level (layer 2 or 3 traffic).
1334.Pp
1335The following example would connect client network 10.0.50.0/24
1336with remote network 10.0.99.0/24 using a point-to-point connection
1337from 10.1.1.1 to 10.1.1.2,
1338provided that the SSH server running on the gateway to the remote network,
1339at 192.168.1.15, allows it.
1340.Pp
1341On the client:
1342.Bd -literal -offset indent
1343# ssh -f -w 0:1 192.168.1.15 true
1344# ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
1345# route add 10.0.99.0/24 10.1.1.2
1346.Ed
1347.Pp
1348On the server:
1349.Bd -literal -offset indent
1350# ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252
1351# route add 10.0.50.0/24 10.1.1.1
1352.Ed
1353.Pp
1354Client access may be more finely tuned via the
1355.Pa /root/.ssh/authorized_keys
1356file (see below) and the
1357.Cm PermitRootLogin
1358server option.
1359The following entry would permit connections on
1360.Xr tun 4
1361device 1 from user
1362.Dq jane
1363and on tun device 2 from user
1364.Dq john ,
1365if
1366.Cm PermitRootLogin
1367is set to
1368.Dq forced-commands-only :
1369.Bd -literal -offset 2n
1370tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
1371tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john
1372.Ed
1373.Pp
1374Since an SSH-based setup entails a fair amount of overhead,
1375it may be more suited to temporary setups,
1376such as for wireless VPNs.
1377More permanent VPNs are better provided by tools such as
1378.Xr ipsecctl 8
1379and
1380.Xr isakmpd 8 .
1381.Sh ENVIRONMENT
1382.Nm
1383will normally set the following environment variables:
1384.Bl -tag -width "SSH_ORIGINAL_COMMAND"
1385.It Ev DISPLAY
1386The
1387.Ev DISPLAY
1388variable indicates the location of the X11 server.
1389It is automatically set by
1390.Nm
1391to point to a value of the form
1392.Dq hostname:n ,
1393where
1394.Dq hostname
1395indicates the host where the shell runs, and
1396.Sq n
1397is an integer \*(Ge 1.
1398.Nm
1399uses this special value to forward X11 connections over the secure
1400channel.
1401The user should normally not set
1402.Ev DISPLAY
1403explicitly, as that
1404will render the X11 connection insecure (and will require the user to
1405manually copy any required authorization cookies).
1406.It Ev HOME
1407Set to the path of the user's home directory.
1408.It Ev LOGNAME
1409Synonym for
1410.Ev USER ;
1411set for compatibility with systems that use this variable.
1412.It Ev MAIL
1413Set to the path of the user's mailbox.
1414.It Ev PATH
1415Set to the default
1416.Ev PATH ,
1417as specified when compiling
1418.Nm .
1419.It Ev SSH_ASKPASS
1420If
1421.Nm
1422needs a passphrase, it will read the passphrase from the current
1423terminal if it was run from a terminal.
1424If
1425.Nm
1426does not have a terminal associated with it but
1427.Ev DISPLAY
1428and
1429.Ev SSH_ASKPASS
1430are set, it will execute the program specified by
1431.Ev SSH_ASKPASS
1432and open an X11 window to read the passphrase.
1433This is particularly useful when calling
1434.Nm
1435from a
1436.Pa .xsession
1437or related script.
1438(Note that on some machines it
1439may be necessary to redirect the input from
1440.Pa /dev/null
1441to make this work.)
1442.It Ev SSH_ASKPASS_REQUIRE
1443Allows further control over the use of an askpass program.
1444If this variable is set to
1445.Dq never
1446then
1447.Nm
1448will never attempt to use one.
1449If it is set to
1450.Dq prefer ,
1451then
1452.Nm
1453will prefer to use the askpass program instead of the TTY when requesting
1454passwords.
1455Finally, if the variable is set to
1456.Dq force ,
1457then the askpass program will be used for all passphrase input regardless
1458of whether
1459.Ev DISPLAY
1460is set.
1461.It Ev SSH_AUTH_SOCK
1462Identifies the path of a
1463.Ux Ns -domain
1464socket used to communicate with the agent.
1465.It Ev SSH_CONNECTION
1466Identifies the client and server ends of the connection.
1467The variable contains
1468four space-separated values: client IP address, client port number,
1469server IP address, and server port number.
1470.It Ev SSH_ORIGINAL_COMMAND
1471This variable contains the original command line if a forced command
1472is executed.
1473It can be used to extract the original arguments.
1474.It Ev SSH_TTY
1475This is set to the name of the tty (path to the device) associated
1476with the current shell or command.
1477If the current session has no tty,
1478this variable is not set.
1479.It Ev SSH_TUNNEL
1480Optionally set by
1481.Xr sshd 8
1482to contain the interface names assigned if tunnel forwarding was
1483requested by the client.
1484.It Ev SSH_USER_AUTH
1485Optionally set by
1486.Xr sshd 8 ,
1487this variable may contain a pathname to a file that lists the authentication
1488methods successfully used when the session was established, including any
1489public keys that were used.
1490.It Ev TZ
1491This variable is set to indicate the present time zone if it
1492was set when the daemon was started (i.e. the daemon passes the value
1493on to new connections).
1494.It Ev USER
1495Set to the name of the user logging in.
1496.El
1497.Pp
1498Additionally,
1499.Nm
1500reads
1501.Pa ~/.ssh/environment ,
1502and adds lines of the format
1503.Dq VARNAME=value
1504to the environment if the file exists and users are allowed to
1505change their environment.
1506For more information, see the
1507.Cm PermitUserEnvironment
1508option in
1509.Xr sshd_config 5 .
1510.Sh FILES
1511.Bl -tag -width Ds -compact
1512.It Pa ~/.rhosts
1513This file is used for host-based authentication (see above).
1514On some machines this file may need to be
1515world-readable if the user's home directory is on an NFS partition,
1516because
1517.Xr sshd 8
1518reads it as root.
1519Additionally, this file must be owned by the user,
1520and must not have write permissions for anyone else.
1521The recommended
1522permission for most machines is read/write for the user, and not
1523accessible by others.
1524.Pp
1525.It Pa ~/.shosts
1526This file is used in exactly the same way as
1527.Pa .rhosts ,
1528but allows host-based authentication without permitting login with
1529rlogin/rsh.
1530.Pp
1531.It Pa ~/.ssh/
1532This directory is the default location for all user-specific configuration
1533and authentication information.
1534There is no general requirement to keep the entire contents of this directory
1535secret, but the recommended permissions are read/write/execute for the user,
1536and not accessible by others.
1537.Pp
1538.It Pa ~/.ssh/authorized_keys
1539Lists the public keys (DSA, ECDSA, Ed25519, RSA)
1540that can be used for logging in as this user.
1541The format of this file is described in the
1542.Xr sshd 8
1543manual page.
1544This file is not highly sensitive, but the recommended
1545permissions are read/write for the user, and not accessible by others.
1546.Pp
1547.It Pa ~/.ssh/config
1548This is the per-user configuration file.
1549The file format and configuration options are described in
1550.Xr ssh_config 5 .
1551Because of the potential for abuse, this file must have strict permissions:
1552read/write for the user, and not writable by others.
1553.Pp
1554.It Pa ~/.ssh/environment
1555Contains additional definitions for environment variables; see
1556.Sx ENVIRONMENT ,
1557above.
1558.Pp
1559.It Pa ~/.ssh/id_dsa
1560.It Pa ~/.ssh/id_ecdsa
1561.It Pa ~/.ssh/id_ecdsa_sk
1562.It Pa ~/.ssh/id_ed25519
1563.It Pa ~/.ssh/id_ed25519_sk
1564.It Pa ~/.ssh/id_rsa
1565Contains the private key for authentication.
1566These files
1567contain sensitive data and should be readable by the user but not
1568accessible by others (read/write/execute).
1569.Nm
1570will simply ignore a private key file if it is accessible by others.
1571It is possible to specify a passphrase when
1572generating the key which will be used to encrypt the
1573sensitive part of this file using AES-128.
1574.Pp
1575.It Pa ~/.ssh/id_dsa.pub
1576.It Pa ~/.ssh/id_ecdsa.pub
1577.It Pa ~/.ssh/id_ecdsa_sk.pub
1578.It Pa ~/.ssh/id_ed25519.pub
1579.It Pa ~/.ssh/id_ed25519_sk.pub
1580.It Pa ~/.ssh/id_rsa.pub
1581Contains the public key for authentication.
1582These files are not
1583sensitive and can (but need not) be readable by anyone.
1584.Pp
1585.It Pa ~/.ssh/known_hosts
1586Contains a list of host keys for all hosts the user has logged into
1587that are not already in the systemwide list of known host keys.
1588See
1589.Xr sshd 8
1590for further details of the format of this file.
1591.Pp
1592.It Pa ~/.ssh/rc
1593Commands in this file are executed by
1594.Nm
1595when the user logs in, just before the user's shell (or command) is
1596started.
1597See the
1598.Xr sshd 8
1599manual page for more information.
1600.Pp
1601.It Pa /etc/hosts.equiv
1602This file is for host-based authentication (see above).
1603It should only be writable by root.
1604.Pp
1605.It Pa /etc/shosts.equiv
1606This file is used in exactly the same way as
1607.Pa hosts.equiv ,
1608but allows host-based authentication without permitting login with
1609rlogin/rsh.
1610.Pp
1611.It Pa /etc/ssh/ssh_config
1612Systemwide configuration file.
1613The file format and configuration options are described in
1614.Xr ssh_config 5 .
1615.Pp
1616.It Pa /etc/ssh/ssh_host_key
1617.It Pa /etc/ssh/ssh_host_dsa_key
1618.It Pa /etc/ssh/ssh_host_ecdsa_key
1619.It Pa /etc/ssh/ssh_host_ed25519_key
1620.It Pa /etc/ssh/ssh_host_rsa_key
1621These files contain the private parts of the host keys
1622and are used for host-based authentication.
1623.Pp
1624.It Pa /etc/ssh/ssh_known_hosts
1625Systemwide list of known host keys.
1626This file should be prepared by the
1627system administrator to contain the public host keys of all machines in the
1628organization.
1629It should be world-readable.
1630See
1631.Xr sshd 8
1632for further details of the format of this file.
1633.Pp
1634.It Pa /etc/ssh/sshrc
1635Commands in this file are executed by
1636.Nm
1637when the user logs in, just before the user's shell (or command) is started.
1638See the
1639.Xr sshd 8
1640manual page for more information.
1641.El
1642.Sh EXIT STATUS
1643.Nm
1644exits with the exit status of the remote command or with 255
1645if an error occurred.
1646.Sh SEE ALSO
1647.Xr scp 1 ,
1648.Xr sftp 1 ,
1649.Xr ssh-add 1 ,
1650.Xr ssh-agent 1 ,
1651.Xr ssh-keygen 1 ,
1652.Xr ssh-keyscan 1 ,
1653.Xr tun 4 ,
1654.Xr ssh_config 5 ,
1655.Xr ssh-keysign 8 ,
1656.Xr sshd 8
1657.Sh STANDARDS
1658.Rs
1659.%A S. Lehtinen
1660.%A C. Lonvick
1661.%D January 2006
1662.%R RFC 4250
1663.%T The Secure Shell (SSH) Protocol Assigned Numbers
1664.Re
1665.Pp
1666.Rs
1667.%A T. Ylonen
1668.%A C. Lonvick
1669.%D January 2006
1670.%R RFC 4251
1671.%T The Secure Shell (SSH) Protocol Architecture
1672.Re
1673.Pp
1674.Rs
1675.%A T. Ylonen
1676.%A C. Lonvick
1677.%D January 2006
1678.%R RFC 4252
1679.%T The Secure Shell (SSH) Authentication Protocol
1680.Re
1681.Pp
1682.Rs
1683.%A T. Ylonen
1684.%A C. Lonvick
1685.%D January 2006
1686.%R RFC 4253
1687.%T The Secure Shell (SSH) Transport Layer Protocol
1688.Re
1689.Pp
1690.Rs
1691.%A T. Ylonen
1692.%A C. Lonvick
1693.%D January 2006
1694.%R RFC 4254
1695.%T The Secure Shell (SSH) Connection Protocol
1696.Re
1697.Pp
1698.Rs
1699.%A J. Schlyter
1700.%A W. Griffin
1701.%D January 2006
1702.%R RFC 4255
1703.%T Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
1704.Re
1705.Pp
1706.Rs
1707.%A F. Cusack
1708.%A M. Forssen
1709.%D January 2006
1710.%R RFC 4256
1711.%T Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)
1712.Re
1713.Pp
1714.Rs
1715.%A J. Galbraith
1716.%A P. Remaker
1717.%D January 2006
1718.%R RFC 4335
1719.%T The Secure Shell (SSH) Session Channel Break Extension
1720.Re
1721.Pp
1722.Rs
1723.%A M. Bellare
1724.%A T. Kohno
1725.%A C. Namprempre
1726.%D January 2006
1727.%R RFC 4344
1728.%T The Secure Shell (SSH) Transport Layer Encryption Modes
1729.Re
1730.Pp
1731.Rs
1732.%A B. Harris
1733.%D January 2006
1734.%R RFC 4345
1735.%T Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol
1736.Re
1737.Pp
1738.Rs
1739.%A M. Friedl
1740.%A N. Provos
1741.%A W. Simpson
1742.%D March 2006
1743.%R RFC 4419
1744.%T Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol
1745.Re
1746.Pp
1747.Rs
1748.%A J. Galbraith
1749.%A R. Thayer
1750.%D November 2006
1751.%R RFC 4716
1752.%T The Secure Shell (SSH) Public Key File Format
1753.Re
1754.Pp
1755.Rs
1756.%A D. Stebila
1757.%A J. Green
1758.%D December 2009
1759.%R RFC 5656
1760.%T Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer
1761.Re
1762.Pp
1763.Rs
1764.%A A. Perrig
1765.%A D. Song
1766.%D 1999
1767.%O International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)
1768.%T Hash Visualization: a New Technique to improve Real-World Security
1769.Re
1770.Sh AUTHORS
1771OpenSSH is a derivative of the original and free
1772ssh 1.2.12 release by Tatu Ylonen.
1773Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
1774Theo de Raadt and Dug Song
1775removed many bugs, re-added newer features and
1776created OpenSSH.
1777Markus Friedl contributed the support for SSH
1778protocol versions 1.5 and 2.0.
1779