path: root/other/ssharp/ssh.0
Diffstat (limited to 'other/ssharp/ssh.0')
-rw-r--r--other/ssharp/ssh.0885
1 files changed, 885 insertions, 0 deletions
diff --git a/other/ssharp/ssh.0 b/other/ssharp/ssh.0
new file mode 100644
index 0000000..98643f4
--- /dev/null
+++ b/other/ssharp/ssh.0
@@ -0,0 +1,885 @@
1
2SSH(1) System Reference Manual SSH(1)
3
4NAME
5 ssh - OpenSSH SSH client (remote login program)
6
7SYNOPSIS
8 ssh [-l login_name] [hostname | user@hostname] [command]
9
10 ssh [-afgknqstvxACNPTX1246] [-c cipher_spec] [-e escape_char] [-i
11 identity_file] [-l login_name] [-m mac_spec] [-o option] [-p port]
12 [-L port:host:hostport] [-R port:host:hostport] [hostname |
13 user@hostname] [command]
14
15DESCRIPTION
16 ssh (SSH client) is a program for logging into a remote machine and for
17 executing commands on a remote machine. It is intended to replace rlogin
18 and rsh, and provide secure encrypted communications between two untrustM--
19 ed hosts over an insecure network. X11 connections and arbitrary TCP/IP
20 ports can also be forwarded over the secure channel.
21
22 ssh connects and logs into the specified hostname. The user must prove
23 his/her identity to the remote machine using one of several methods deM--
24 pending on the protocol version used:
25
26 SSH protocol version 1
27
28 First, if the machine the user logs in from is listed in /etc/hosts.equiv
29 or /etc/shosts.equiv on the remote machine, and the user names are the
30 same on both sides, the user is immediately permitted to log in. Second,
31 if .rhosts or .shosts exists in the user's home directory on the remote
32 machine and contains a line containing the name of the client machine and
33 the name of the user on that machine, the user is permitted to log in.
34 This form of authentication alone is normally not allowed by the server
35 because it is not secure.
36
37 The second authentication method is the rhosts or hosts.equiv method comM--
38 bined with RSA-based host authentication. It means that if the login
39 would be permitted by $HOME/.rhosts, $HOME/.shosts, /etc/hosts.equiv, or
40 /etc/shosts.equiv, and if additionally the server can verify the client's
41 host key (see /etc/ssh_known_hosts and $HOME/.ssh/known_hosts in the
42 FILES section), only then login is permitted. This authentication method
43 closes security holes due to IP spoofing, DNS spoofing and routing spoofM--
44 ing. [Note to the administrator: /etc/hosts.equiv, $HOME/.rhosts, and
45 the rlogin/rsh protocol in general, are inherently insecure and should be
46 disabled if security is desired.]
47
48 As a third authentication method, ssh supports RSA based authentication.
49 The scheme is based on public-key cryptography: there are cryptosystems
50 where encryption and decryption are done using separate keys, and it is
51 not possible to derive the decryption key from the encryption key. RSA
52 is one such system. The idea is that each user creates a public/private
53 key pair for authentication purposes. The server knows the public key,
54 and only the user knows the private key. The file
55 $HOME/.ssh/authorized_keys lists the public keys that are permitted for
56 logging in. When the user logs in, the ssh program tells the server
57 which key pair it would like to use for authentication. The server
58 checks if this key is permitted, and if so, sends the user (actually the
59 ssh program running on behalf of the user) a challenge, a random number,
60 encrypted by the user's public key. The challenge can only be decrypted
61 using the proper private key. The user's client then decrypts the chalM--
62 lenge using the private key, proving that he/she knows the private key
63 but without disclosing it to the server.
64
65
66 ssh implements the RSA authentication protocol automatically. The user
67 creates his/her RSA key pair by running ssh-keygen(1). This stores the
68 private key in $HOME/.ssh/identity and the public key in
69 $HOME/.ssh/identity.pub in the user's home directory. The user should
70 then copy the identity.pub to $HOME/.ssh/authorized_keys in his/her home
71 directory on the remote machine (the authorized_keys file corresponds to
72 the conventional $HOME/.rhosts file, and has one key per line, though the
73 lines can be very long). After this, the user can log in without giving
74 the password. RSA authentication is much more secure than rhosts authenM--
75 tication.
76
77 The most convenient way to use RSA authentication may be with an authenM--
78 tication agent. See ssh-agent(1) for more information.
79
80 If other authentication methods fail, ssh prompts the user for a passM--
81 word. The password is sent to the remote host for checking; however,
82 since all communications are encrypted, the password cannot be seen by
83 someone listening on the network.
84
85 SSH protocol version 2
86
87 When a user connects using the protocol version 2 different authenticaM--
88 tion methods are available. Using the default values for
89 PreferredAuthentications, the client will try to authenticate first using
90 the public key method; if this method fails password authentication is
91 attempted, and finally if this method fails keyboard-interactive authenM--
92 tication is attempted. If this method fails password authentication is
93 tried.
94
95 The public key method is similar to RSA authentication described in the
96 previous section and allows the RSA or DSA algorithm to be used: The
97 client uses his private key, $HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa, to
98 sign the session identifier and sends the result to the server. The
99 server checks whether the matching public key is listed in
100 $HOME/.ssh/authorized_keys2 and grants access if both the key is found
101 and the signature is correct. The session identifier is derived from a
102 shared Diffie-Hellman value and is only known to the client and the servM--
103 er.
104
105 If public key authentication fails or is not available a password can be
106 sent encrypted to the remote host for proving the user's identity.
107
108 Additionally, ssh supports hostbased or challenge response authenticaM--
109 tion.
110
111 Protocol 2 provides additional mechanisms for confidentiality (the trafM--
112 fic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) and integrity
113 (hmac-md5, hmac-sha1). Note that protocol 1 lacks a strong mechanism for
114 ensuring the integrity of the connection.
115
116 Login session and remote execution
117
118 When the user's identity has been accepted by the server, the server eiM--
119 ther executes the given command, or logs into the machine and gives the
120 user a normal shell on the remote machine. All communication with the
121 remote command or shell will be automatically encrypted.
122
123 If a pseudo-terminal has been allocated (normal login session), the user
124 may use the escape characters noted below.
125
126 If no pseudo tty has been allocated, the session is transparent and can
127 be used to reliably transfer binary data. On most systems, setting the
128 escape character to ``none'' will also make the session transparent even
129 if a tty is used.
130
131
132 The session terminates when the command or shell on the remote machine
133 exits and all X11 and TCP/IP connections have been closed. The exit staM--
134 tus of the remote program is returned as the exit status of ssh.
135
136 Escape Characters
137
138 When a pseudo terminal has been requested, ssh supports a number of funcM--
139 tions through the use of an escape character.
140
141 A single tilde character can be sent as ~~ (or by following the tilde by
142 a character other than those described above). The escape character must
143 always follow a newline to be interpreted as special. The escape characM--
144 ter can be changed in configuration files using the EscapeChar configuraM--
145 tion directive or on the command line by the -e option.
146
147 The supported escapes (assuming the default `~') are:
148
149 ~. Disconnect
150
151 ~^Z Background ssh
152
153 ~# List forwarded connections
154
155 ~& Background ssh at logout when waiting for forwarded connection /
156 X11 sessions to terminate (protocol version 1 only)
157
158 ~? Display a list of escape characters
159
160 ~R Request rekeying of the connection (only useful for SSH protocol
161 version 2 and if the peer supports it)
162
163 X11 and TCP forwarding
164
165 If the user is using X11 (the DISPLAY environment variable is set), the
166 connection to the X11 display is automatically forwarded to the remote
167 side in such a way that any X11 programs started from the shell (or comM--
168 mand) will go through the encrypted channel, and the connection to the
169 real X server will be made from the local machine. The user should not
170 manually set DISPLAY. Forwarding of X11 connections can be configured on
171 the command line or in configuration files.
172
173 The DISPLAY value set by ssh will point to the server machine, but with a
174 display number greater than zero. This is normal, and happens because
175 ssh creates a ``proxy'' X server on the server machine for forwarding the
176 connections over the encrypted channel.
177
178 ssh will also automatically set up Xauthority data on the server machine.
179 For this purpose, it will generate a random authorization cookie, store
180 it in Xauthority on the server, and verify that any forwarded connections
181 carry this cookie and replace it by the real cookie when the connection
182 is opened. The real authentication cookie is never sent to the server
183 machine (and no cookies are sent in the plain).
184
185 If the user is using an authentication agent, the connection to the agent
186 is automatically forwarded to the remote side unless disabled on command
187 line or in a configuration file.
188
189 Forwarding of arbitrary TCP/IP connections over the secure channel can be
190 specified either on command line or in a configuration file. One possiM--
191 ble application of TCP/IP forwarding is a secure connection to an elecM--
192 tronic purse; another is going through firewalls.
193
194 Server authentication
195
196 ssh automatically maintains and checks a database containing identificaM--
197 tions for all hosts it has ever been used with. RSA host keys are stored
198 in $HOME/.ssh/known_hosts and host keys used in the protocol version 2
199 are stored in $HOME/.ssh/known_hosts2 in the user's home directory. AdM--
200 ditionally, the files /etc/ssh_known_hosts and /etc/ssh_known_hosts2 are
201 automatically checked for known hosts. Any new hosts are automatically
202 added to the user's file. If a host's identification ever changes, ssh
203 warns about this and disables password authentication to prevent a trojan
204 horse from getting the user's password. Another purpose of this mechaM--
205 nism is to prevent man-in-the-middle attacks which could otherwise be
206 used to circumvent the encryption. The StrictHostKeyChecking option (see
207 below) can be used to prevent logins to machines whose host key is not
208 known or has changed.
209
210 The options are as follows:
211
212 -a Disables forwarding of the authentication agent connection.
213
214 -A Enables forwarding of the authentication agent connection. This
215 can also be specified on a per-host basis in a configuration
216 file.
217
218 -c blowfish|3des
219 Selects the cipher to use for encrypting the session. 3des is
220 used by default. It is believed to be secure. 3des (triple-des)
221 is an encrypt-decrypt-encrypt triple with three different keys.
222 It is presumably more secure than the des cipher which is no
223 longer fully supported in ssh. blowfish is a fast block cipher,
224 it appears very secure and is much faster than 3des.
225
226 -c cipher_spec
227 Additionally, for protocol version 2 a comma-separated list of
228 ciphers can be specified in order of preference. See Ciphers for
229 more information.
230
231 -e ch|^ch|none
232 Sets the escape character for sessions with a pty (default: `~').
233 The escape character is only recognized at the beginning of a
234 line. The escape character followed by a dot (`.') closes the
235 connection, followed by control-Z suspends the connection, and
236 followed by itself sends the escape character once. Setting the
237 character to ``none'' disables any escapes and makes the session
238 fully transparent.
239
240 -f Requests ssh to go to background just before command execution.
241 This is useful if ssh is going to ask for passwords or passphrasM--
242 es, but the user wants it in the background. This implies -n.
243 The recommended way to start X11 programs at a remote site is
244 with something like ssh -f host xterm.
245
246 -g Allows remote hosts to connect to local forwarded ports.
247
248 -i identity_file
249 Selects the file from which the identity (private key) for RSA or
250 DSA authentication is read. Default is $HOME/.ssh/identity in
251 the user's home directory. Identity files may also be specified
252 on a per-host basis in the configuration file. It is possible to
253 have multiple -i options (and multiple identities specified in
254 configuration files).
255
256 -k Disables forwarding of Kerberos tickets and AFS tokens. This may
257 also be specified on a per-host basis in the configuration file.
258
259 -l login_name
260 Specifies the user to log in as on the remote machine. This also
261 may be specified on a per-host basis in the configuration file.
262
263 -m mac_spec
264 Additionally, for protocol version 2 a comma-separated list of
265 MAC (message authentication code) algorithms can be specified in
266 order of preference. See the MACs keyword for more information.
267
268 -n Redirects stdin from /dev/null (actually, prevents reading from
269 stdin). This must be used when ssh is run in the background. A
270 common trick is to use this to run X11 programs on a remote maM--
271 chine. For example, ssh -n shadows.cs.hut.fi emacs & will start
272 an emacs on shadows.cs.hut.fi, and the X11 connection will be auM--
273 tomatically forwarded over an encrypted channel. The ssh program
274 will be put in the background. (This does not work if ssh needs
275 to ask for a password or passphrase; see also the -f option.)
276
277 -N Do not execute a remote command. This is useful if you just want
278 to forward ports (protocol version 2 only).
279
280 -o option
281 Can be used to give options in the format used in the config
282 file. This is useful for specifying options for which there is
283 no separate command-line flag. The option has the same format as
284 a line in the configuration file.
285
286 -p port
287 Port to connect to on the remote host. This can be specified on
288 a per-host basis in the configuration file.
289
290 -P Use a non-privileged port for outgoing connections. This can be
291 used if your firewall does not permit connections from privileged
292 ports. Note that this option turns off RhostsAuthentication and
293 RhostsRSAAuthentication for older servers.
294
295 -q Quiet mode. Causes all warning and diagnostic messages to be
296 suppressed. Only fatal errors are displayed.
297
298 -s May be used to request invocation of a subsystem on the remote
299 system. Subsystems are a feature of the SSH2 protocol which faM--
300 cilitate the use of SSH as a secure transport for other applicaM--
301 tion (eg. sftp). The subsystem is specified as the remote comM--
302 mand.
303
304 -t Force pseudo-tty allocation. This can be used to execute arbiM--
305 trary screen-based programs on a remote machine, which can be
306 very useful, e.g., when implementing menu services. Multiple -t
307 options force tty allocation, even if ssh has no local tty.
308
309 -T Disable pseudo-tty allocation.
310
311 -v Verbose mode. Causes ssh to print debugging messages about its
312 progress. This is helpful in debugging connection, authenticaM--
313 tion, and configuration problems. Multiple -v options increases
314 the verbosity. Maximum is 3.
315
316 -x Disables X11 forwarding.
317
318 -X Enables X11 forwarding. This can also be specified on a per-host
319 basis in a configuration file.
320
321 -C Requests compression of all data (including stdin, stdout,
322 stderr, and data for forwarded X11 and TCP/IP connections). The
323 compression algorithm is the same used by gzip(1), and the
324 ``level'' can be controlled by the CompressionLevel option (see
325 below). Compression is desirable on modem lines and other slow
326 connections, but will only slow down things on fast networks.
327 The default value can be set on a host-by-host basis in the conM--
328
329
330 figuration files; see the Compress option below.
331
332 -L port:host:hostport
333 Specifies that the given port on the local (client) host is to be
334 forwarded to the given host and port on the remote side. This
335 works by allocating a socket to listen to port on the local side,
336 and whenever a connection is made to this port, the connection is
337 forwarded over the secure channel, and a connection is made to
338 host port hostport from the remote machine. Port forwardings can
339 also be specified in the configuration file. Only root can forM--
340 ward privileged ports. IPv6 addresses can be specified with an
341 alternative syntax: port/host/hostport
342
343 -R port:host:hostport
344 Specifies that the given port on the remote (server) host is to
345 be forwarded to the given host and port on the local side. This
346 works by allocating a socket to listen to port on the remote
347 side, and whenever a connection is made to this port, the connecM--
348 tion is forwarded over the secure channel, and a connection is
349 made to host port hostport from the local machine. Port forwardM--
350 ings can also be specified in the configuration file. Privileged
351 ports can be forwarded only when logging in as root on the remote
352 machine. IPv6 addresses can be specified with an alternative
353 syntax: port/host/hostport
354
355 -1 Forces ssh to try protocol version 1 only.
356
357 -2 Forces ssh to try protocol version 2 only.
358
359 -4 Forces ssh to use IPv4 addresses only.
360
361 -6 Forces ssh to use IPv6 addresses only.
362
363CONFIGURATION FILES
364 ssh obtains configuration data from the following sources (in this orM--
365 der): command line options, user's configuration file
366 ($HOME/.ssh/config), and system-wide configuration file
367 (/etc/ssh_config). For each parameter, the first obtained value will be
368 used. The configuration files contain sections bracketed by ``Host''
369 specifications, and that section is only applied for hosts that match one
370 of the patterns given in the specification. The matched host name is the
371 one given on the command line.
372
373 Since the first obtained value for each parameter is used, more host-speM--
374 cific declarations should be given near the beginning of the file, and
375 general defaults at the end.
376
377 The configuration file has the following format:
378
379 Empty lines and lines starting with `#' are comments.
380
381 Otherwise a line is of the format ``keyword arguments''. The possible
382 keywords and their meanings are as follows (note that the configuration
383 files are case-sensitive):
384
385 Host Restricts the following declarations (up to the next Host keyM--
386 word) to be only for those hosts that match one of the patterns
387 given after the keyword. `*' and `?' can be used as wildcards in
388 the patterns. A single `*' as a pattern can be used to provide
389 global defaults for all hosts. The host is the hostname argument
390 given on the command line (i.e., the name is not converted to a
391 canonicalized host name before matching).
392
393 AFSTokenPassing
394 Specifies whether to pass AFS tokens to remote host. The arguM--
395 ment to this keyword must be ``yes'' or ``no''. This option apM--
396
397 plies to protocol version 1 only.
398
399 BatchMode
400 If set to ``yes'', passphrase/password querying will be disabled.
401 This option is useful in scripts and other batch jobs where you
402 have no user to supply the password. The argument must be
403 ``yes'' or ``no''. The default is ``no''.
404
405 CheckHostIP
406 If this flag is set to ``yes'', ssh will additionally check the
407 host IP address in the known_hosts file. This allows ssh to deM--
408 tect if a host key changed due to DNS spoofing. If the option is
409 set to ``no'', the check will not be executed. The default is
410 ``yes''.
411
412 Cipher Specifies the cipher to use for encrypting the session in protoM--
413 col version 1. Currently, ``blowfish'' and ``3des'' are supportM--
414 ed. The default is ``3des''.
415
416 Ciphers
417 Specifies the ciphers allowed for protocol version 2 in order of
418 preference. Multiple ciphers must be comma-separated. The deM--
419 fault is
420
421 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
422 aes192-cbc,aes256-cbc''
423
424 Compression
425 Specifies whether to use compression. The argument must be
426 ``yes'' or ``no''. The default is ``no''.
427
428 CompressionLevel
429 Specifies the compression level to use if compression is enabled.
430 The argument must be an integer from 1 (fast) to 9 (slow, best).
431 The default level is 6, which is good for most applications. The
432 meaning of the values is the same as in gzip(1). Note that this
433 option applies to protocol version 1 only.
434
435 ConnectionAttempts
436 Specifies the number of tries (one per second) to make before
437 falling back to rsh or exiting. The argument must be an integer.
438 This may be useful in scripts if the connection sometimes fails.
439 The default is 4.
440
441 EscapeChar
442 Sets the escape character (default: `~'). The escape character
443 can also be set on the command line. The argument should be a
444 single character, `^' followed by a letter, or ``none'' to disM--
445 able the escape character entirely (making the connection transM--
446 parent for binary data).
447
448 FallBackToRsh
449 Specifies that if connecting via ssh fails due to a connection
450 refused error (there is no sshd(8) listening on the remote host),
451 rsh(1) should automatically be used instead (after a suitable
452 warning about the session being unencrypted). The argument must
453 be ``yes'' or ``no''. The default is ``no''.
454
455 ForwardAgent
456 Specifies whether the connection to the authentication agent (if
457 any) will be forwarded to the remote machine. The argument must
458 be ``yes'' or ``no''. The default is ``no''.
459
460 ForwardX11
461 Specifies whether X11 connections will be automatically redirectM--
462 ed over the secure channel and DISPLAY set. The argument must be
463 ``yes'' or ``no''. The default is ``no''.
464
465 GatewayPorts
466 Specifies whether remote hosts are allowed to connect to local
467 forwarded ports. The argument must be ``yes'' or ``no''. The deM--
468 fault is ``no''.
469
470 GlobalKnownHostsFile
471 Specifies a file to use for the protocol version 1 global host
472 key database instead of /etc/ssh_known_hosts.
473
474 GlobalKnownHostsFile2
475 Specifies a file to use for the protocol version 2 global host
476 key database instead of /etc/ssh_known_hosts2.
477
478 HostbasedAuthentication
479 Specifies whether to try rhosts based authentication with public
480 key authentication. The argument must be ``yes'' or ``no''. The
481 default is ``yes''. This option applies to protocol version 2 onM--
482 ly and is similar to RhostsRSAAuthentication.
483
484 HostKeyAlgorithms
485 Specfies the protocol version 2 host key algorithms that the
486 client wants to use in order of preference. The default for this
487 option is: ``ssh-rsa,ssh-dss''
488
489 HostKeyAlias
490 Specifies an alias that should be used instead of the real host
491 name when looking up or saving the host key in the host key
492 database files. This option is useful for tunneling ssh connecM--
493 tions or if you have multiple servers running on a single host.
494
495 HostName
496 Specifies the real host name to log into. This can be used to
497 specify nicknames or abbreviations for hosts. Default is the
498 name given on the command line. Numeric IP addresses are also
499 permitted (both on the command line and in HostName specificaM--
500 tions).
501
502 IdentityFile
503 Specifies the file from which the user's RSA or DSA authenticaM--
504 tion identity is read (default $HOME/.ssh/identity in the user's
505 home directory). Additionally, any identities represented by the
506 authentication agent will be used for authentication. The file
507 name may use the tilde syntax to refer to a user's home directoM--
508 ry. It is possible to have multiple identity files specified in
509 configuration files; all these identities will be tried in seM--
510 quence.
511
512 KeepAlive
513 Specifies whether the system should send keepalive messages to
514 the other side. If they are sent, death of the connection or
515 crash of one of the machines will be properly noticed. However,
516 this means that connections will die if the route is down temM--
517 porarily, and some people find it annoying.
518
519 The default is ``yes'' (to send keepalives), and the client will
520 notice if the network goes down or the remote host dies. This is
521 important in scripts, and many users want it too.
522
523 To disable keepalives, the value should be set to ``no'' in both
524 the server and the client configuration files.
525
526 KerberosAuthentication
527 Specifies whether Kerberos authentication will be used. The arM--
528
529 gument to this keyword must be ``yes'' or ``no''.
530
531 KerberosTgtPassing
532 Specifies whether a Kerberos TGT will be forwarded to the server.
533 This will only work if the Kerberos server is actually an AFS
534 kaserver. The argument to this keyword must be ``yes'' or
535 ``no''.
536
537 LocalForward
538 Specifies that a TCP/IP port on the local machine be forwarded
539 over the secure channel to given host:port from the remote maM--
540 chine. The first argument must be a port number, and the second
541 must be host:port. Multiple forwardings may be specified, and
542 additional forwardings can be given on the command line. Only
543 the superuser can forward privileged ports.
544
545 LogLevel
546 Gives the verbosity level that is used when logging messages from
547 ssh. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE
548 and DEBUG. The default is INFO.
549
550 MACs Specifies the MAC (message authentication code) algorithms in orM--
551 der of preference. The MAC algorithm is used in protocol version
552 2 for data integrity protection. Multiple algorithms must be
553 comma-separated. The default is
554
555 ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,
556 hmac-sha1-96,hmac-md5-96''
557
558 NumberOfPasswordPrompts
559 Specifies the number of password prompts before giving up. The
560 argument to this keyword must be an integer. Default is 3.
561
562 PasswordAuthentication
563 Specifies whether to use password authentication. The argument
564 to this keyword must be ``yes'' or ``no''. The default is
565 ``yes''.
566
567 Port Specifies the port number to connect on the remote host. Default
568 is 22.
569
570 PreferredAuthentications
571 Specifies the order in which the client should try protocol 2 auM--
572 thentication methods. This allows a client to prefer one method
573 (e.g. keyboard-interactive) over another method (e.g. password)
574 The default for this option is: ``publickey, password, keyboard-
575 interactive''
576
577 Protocol
578 Specifies the protocol versions ssh should support in order of
579 preference. The possible values are ``1'' and ``2''. Multiple
580 versions must be comma-separated. The default is ``2,1''. This
581 means that ssh tries version 2 and falls back to version 1 if
582 version 2 is not available.
583
584 ProxyCommand
585 Specifies the command to use to connect to the server. The comM--
586 mand string extends to the end of the line, and is executed with
587 /bin/sh. In the command string, `%h' will be substituted by the
588 host name to connect and `%p' by the port. The command can be
589 basically anything, and should read from its standard input and
590 write to its standard output. It should eventually connect an
591 sshd(8) server running on some machine, or execute sshd -i someM--
592 where. Host key management will be done using the HostName of
593 the host being connected (defaulting to the name typed by the usM--
594 er). Note that CheckHostIP is not available for connects with a
595 proxy command.
596
597 PubkeyAuthentication
598 Specifies whether to try public key authentication. The argument
599 to this keyword must be ``yes'' or ``no''. The default is
600 ``yes''. This option applies to protocol version 2 only.
601
602 RemoteForward
603 Specifies that a TCP/IP port on the remote machine be forwarded
604 over the secure channel to given host:port from the local maM--
605 chine. The first argument must be a port number, and the second
606 must be host:port. Multiple forwardings may be specified, and
607 additional forwardings can be given on the command line. Only
608 the superuser can forward privileged ports.
609
610 RhostsAuthentication
611 Specifies whether to try rhosts based authentication. Note that
612 this declaration only affects the client side and has no effect
613 whatsoever on security. Disabling rhosts authentication may reM--
614 duce authentication time on slow connections when rhosts authenM--
615 tication is not used. Most servers do not permit RhostsAuthentiM--
616 cation because it is not secure (see RhostsRSAAuthentication ).
617 The argument to this keyword must be ``yes'' or ``no''. The deM--
618 fault is ``yes''. This option applies to protocol version 1 only.
619
620 RhostsRSAAuthentication
621 Specifies whether to try rhosts based authentication with RSA
622 host authentication. The argument must be ``yes'' or ``no''. The
623 default is ``yes''. This option applies to protocol version 1 onM--
624 ly.
625
626 RSAAuthentication
627 Specifies whether to try RSA authentication. The argument to
628 this keyword must be ``yes'' or ``no''. RSA authentication will
629 only be attempted if the identity file exists, or an authenticaM--
630 tion agent is running. The default is ``yes''. Note that this
631 option applies to protocol version 1 only.
632
633 ChallengeResponseAuthentication
634 Specifies whether to use challenge response authentication. CurM--
635 rently there is only support for skey(1) authentication. The arM--
636 gument to this keyword must be ``yes'' or ``no''. The default is
637 ``no''.
638
639 StrictHostKeyChecking
640 If this flag is set to ``yes'', ssh will never automatically add
641 host keys to the $HOME/.ssh/known_hosts and
642 $HOME/.ssh/known_hosts2 files, and refuses to connect to hosts
643 whose host key has changed. This provides maximum protection
644 against trojan horse attacks. However, it can be somewhat annoyM--
645 ing if you don't have good /etc/ssh_known_hosts and
646 /etc/ssh_known_hosts2 files installed and frequently connect to
647 new hosts. This option forces the user to manually add all new
648 hosts. If this flag is set to ``no'', ssh will automatically add
649 new host keys to the user known hosts files. If this flag is set
650 to ``ask'', new host keys will be added to the user known host
651 files only after the user has confirmed that is what they really
652 want to do, and ssh will refuse to connect to hosts whose host
653 key has changed. The host keys of known hosts will be verified
654 automatically in all cases. The argument must be ``yes'', ``no''
655 or ``ask''. The default is ``ask''.
656
657 UsePrivilegedPort
658 Specifies whether to use a privileged port for outgoing connecM--
659 tions. The argument must be ``yes'' or ``no''. The default is
660 ``no''. Note that you need to set this option to ``yes'' if you
661 want to use RhostsAuthentication and RhostsRSAAuthentication with
662 older servers.
663
664 User Specifies the user to log in as. This can be useful if you have
665 a different user name on different machines. This saves the
666 trouble of having to remember to give the user name on the comM--
667 mand line.
668
669 UserKnownHostsFile
670 Specifies a file to use for the protocol version 1 user host key
671 database instead of $HOME/.ssh/known_hosts.
672
673 UserKnownHostsFile2
674 Specifies a file to use for the protocol version 2 user host key
675 database instead of $HOME/.ssh/known_hosts2.
676
677 UseRsh Specifies that rlogin/rsh should be used for this host. It is
678 possible that the host does not at all support the ssh protocol.
679 This causes ssh to immediately execute rsh(1). All other options
680 (except HostName) are ignored if this has been specified. The
681 argument must be ``yes'' or ``no''.
682
683 XAuthLocation
684 Specifies the location of the xauth(1) program. The default is
685 /usr/X11R6/bin/xauth.
686
687ENVIRONMENT
688 ssh will normally set the following environment variables:
689
690 DISPLAY
691 The DISPLAY variable indicates the location of the X11 server.
692 It is automatically set by ssh to point to a value of the form
693 ``hostname:n'' where hostname indicates the host where the shell
694 runs, and n is an integer >= 1. ssh uses this special value to
695 forward X11 connections over the secure channel. The user should
696 normally not set DISPLAY explicitly, as that will render the X11
697 connection insecure (and will require the user to manually copy
698 any required authorization cookies).
699
700 HOME Set to the path of the user's home directory.
701
702 LOGNAME
703 Synonym for USER; set for compatibility with systems that use
704 this variable.
705
706 MAIL Set to point the user's mailbox.
707
708 PATH Set to the default PATH, as specified when compiling ssh.
709
710 SSH_AUTH_SOCK
711 indicates the path of a unix-domain socket used to communicate
712 with the agent.
713
714 SSH_CLIENT
715 Identifies the client end of the connection. The variable conM--
716 tains three space-separated values: client ip-address, client
717 port number, and server port number.
718
719 SSH_ORIGINAL_COMMAND
720 The variable contains the original command line if a forced comM--
721 mand is executed. It can be used to extract the original arguM--
722 ments.
723
724 SSH_TTY
725 This is set to the name of the tty (path to the device) associatM--
726 ed with the current shell or command. If the current session has
727 no tty, this variable is not set.
728
729 TZ The timezone variable is set to indicate the present timezone if
730 it was set when the daemon was started (i.e., the daemon passes
731 the value on to new connections).
732
733 USER Set to the name of the user logging in.
734
735 Additionally, ssh reads $HOME/.ssh/environment, and adds lines of the
736 format ``VARNAME=value'' to the environment.
737
738FILES
739 $HOME/.ssh/known_hosts, $HOME/.ssh/known_hosts2
740 Records host keys for all hosts the user has logged into (that
741 are not in /etc/ssh_known_hosts for protocol version 1 or
742 /etc/ssh_known_hosts2 for protocol version 2). See sshd(8).
743
744 $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa
745 Contains the authentication identity of the user. They are for
746 protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively.
747 These files contain sensitive data and should be readable by the
748 user but not accessible by others (read/write/execute). Note
749 that ssh ignores a private key file if it is accessible by othM--
750 ers. It is possible to specify a passphrase when generating the
751 key; the passphrase will be used to encrypt the sensitive part of
752 this file using 3DES.
753
754 $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub
755 Contains the public key for authentication (public part of the
756 identity file in human-readable form). The contents of the
757 $HOME/.ssh/identity.pub file should be added to
758 $HOME/.ssh/authorized_keys on all machines where you wish to log
759 in using protocol version 1 RSA authentication. The contents of
760 the $HOME/.ssh/id_dsa.pub and $HOME/.ssh/id_rsa.pub file should
761 be added to $HOME/.ssh/authorized_keys2 on all machines where you
762 wish to log in using protocol version 2 DSA/RSA authentication.
763 These files are not sensitive and can (but need not) be readable
764 by anyone. These files are never used automatically and are not
765 necessary; they are only provided for the convenience of the usM--
766 er.
767
768 $HOME/.ssh/config
769 This is the per-user configuration file. The format of this file
770 is described above. This file is used by the ssh client. This
771 file does not usually contain any sensitive information, but the
772 recommended permissions are read/write for the user, and not acM--
773 cessible by others.
774
775 $HOME/.ssh/authorized_keys
776 Lists the RSA keys that can be used for logging in as this user.
777 The format of this file is described in the sshd(8) manual page.
778 In the simplest form the format is the same as the .pub identity
779 files (that is, each line contains the number of bits in modulus,
780 public exponent, modulus, and comment fields, separated by
781 spaces). This file is not highly sensitive, but the recommended
782 permissions are read/write for the user, and not accessible by
783 others.
784
785 $HOME/.ssh/authorized_keys2
786 Lists the public keys (RSA/DSA) that can be used for logging in
787 as this user. This file is not highly sensitive, but the recomM--
788 mended permissions are read/write for the user, and not accessiM--
789 ble by others.
790
791 /etc/ssh_known_hosts, /etc/ssh_known_hosts2
792 Systemwide list of known host keys. /etc/ssh_known_hosts conM--
793 tains RSA and /etc/ssh_known_hosts2 contains RSA or DSA keys for
794 protocol version 2. These files should be prepared by the system
795 administrator to contain the public host keys of all machines in
796 the organization. This file should be world-readable. This file
797 contains public keys, one per line, in the following format
798 (fields separated by spaces): system name, number of bits in modM--
799 ulus, public exponent, modulus, and optional comment field. When
800 different names are used for the same machine, all such names
801 should be listed, separated by commas. The format is described
802 on the sshd(8) manual page.
803
804 The canonical system name (as returned by name servers) is used
805 by sshd(8) to verify the client host when logging in; other names
806 are needed because ssh does not convert the user-supplied name to
807 a canonical name before checking the key, because someone with
808 access to the name servers would then be able to fool host auM--
809 thentication.
810
811 /etc/ssh_config
812 Systemwide configuration file. This file provides defaults for
813 those values that are not specified in the user's configuration
814 file, and for those users who do not have a configuration file.
815 This file must be world-readable.
816
817 $HOME/.rhosts
818 This file is used in .rhosts authentication to list the host/user
819 pairs that are permitted to log in. (Note that this file is also
820 used by rlogin and rsh, which makes using this file insecure.)
821 Each line of the file contains a host name (in the canonical form
822 returned by name servers), and then a user name on that host,
823 separated by a space. On some machines this file may need to be
824 world-readable if the user's home directory is on a NFS partiM--
825 tion, because sshd(8) reads it as root. Additionally, this file
826 must be owned by the user, and must not have write permissions
827 for anyone else. The recommended permission for most machines is
828 read/write for the user, and not accessible by others.
829
830 Note that by default sshd(8) will be installed so that it reM--
831 quires successful RSA host authentication before permitting
832 .rhosts authentication. If your server machine does not have the
833 client's host key in /etc/ssh_known_hosts, you can store it in
834 $HOME/.ssh/known_hosts. The easiest way to do this is to connect
835 back to the client from the server machine using ssh; this will
836 automatically add the host key to $HOME/.ssh/known_hosts.
837
838 $HOME/.shosts
839 This file is used exactly the same way as .rhosts. The purpose
840 for having this file is to be able to use rhosts authentication
841 with ssh without permitting login with rlogin(1) or rsh(1).
842
843 /etc/hosts.equiv
844 This file is used during .rhosts authentication. It contains
845 canonical hosts names, one per line (the full format is described
846 on the sshd(8) manual page). If the client host is found in this
847 file, login is automatically permitted provided client and server
848 user names are the same. Additionally, successful RSA host auM--
849 thentication is normally required. This file should only be
850 writable by root.
851
852 /etc/shosts.equiv
853 This file is processed exactly as /etc/hosts.equiv. This file may
854 be useful to permit logins using ssh but not using rsh/rlogin.
855
856 /etc/sshrc
857 Commands in this file are executed by ssh when the user logs in
858 just before the user's shell (or command) is started. See the
859 sshd(8) manual page for more information.
860
861 $HOME/.ssh/rc
862 Commands in this file are executed by ssh when the user logs in
863 just before the user's shell (or command) is started. See the
864 sshd(8) manual page for more information.
865
866 $HOME/.ssh/environment
867 Contains additional definitions for environment variables, see
868 section ENVIRONMENT above.
869
870AUTHORS
871 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
872 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
873 de Raadt and Dug Song removed many bugs, re-added newer features and creM--
874 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
875 versions 1.5 and 2.0.
876
877SEE ALSO
878 rlogin(1), rsh(1), scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-
879 keygen(1), telnet(1), sshd(8)
880
881 T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH
882 Protocol Architecture, draft-ietf-secsh-architecture-07.txt, January
883 2001, work in progress material.
884
885BSD Experimental September 25, 1999 14
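Review bot: every line-wrapped word in this preformatted page carries a raw non-ASCII byte where nroff hyphenated it (shown in this view as "M--", e.g. "onM--" / "ly" at the end of the RhostsRSAAuthentication entry and "authenticaM--" / "tion" under RSAAuthentication, and the same pattern through FILES and AUTHORS), so the committed ssh.0 will print garbage in an ASCII or UTF-8 terminal instead of a plain hyphen; regenerate it with nroff's ASCII output device (-Tascii) or with hyphenation disabled, or commit the roff source (ssh.1) and let the build produce the .0 file. Two smaller points in the same hunk: the footer line reads "BSD Experimental September 25, 1999 14" while SEE ALSO cites "draft-ietf-secsh-architecture-07.txt, January 2001", so the page's date stamp is stale relative to its content; and the ENVIRONMENT entry "MAIL Set to point the user's mailbox." should read "Set to point to the user's mailbox."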