1 | .\" -*- nroff -*- |
---|
2 | .\" |
---|
3 | .\" ssh.1.in |
---|
4 | .\" |
---|
5 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
---|
6 | .\" |
---|
7 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
---|
8 | .\" All rights reserved |
---|
9 | .\" |
---|
10 | .\" Created: Sat Apr 22 21:55:14 1995 ylo |
---|
11 | .\" |
---|
12 | .\" $Id: ssh.1.in,v 1.1.1.4 1999-03-08 17:42:58 danw Exp $ |
---|
13 | .\" $Log: not supported by cvs2svn $ |
---|
14 | .\" Revision 1.18 1998/07/08 00:41:03 kivinen |
---|
15 | .\" Changed to do similar commercial #ifdef processing than other |
---|
16 | .\" files. Fixed privileged typo. |
---|
17 | .\" |
---|
18 | .\" Revision 1.17 1998/06/11 00:10:36 kivinen |
---|
19 | .\" Fixed comment characters. |
---|
20 | .\" |
---|
21 | .\" Revision 1.16 1998/04/30 01:56:20 kivinen |
---|
22 | .\" Added PasswordPromptLogin and PasswordPromptHost option |
---|
23 | .\" documentation. |
---|
24 | .\" |
---|
25 | .\" Revision 1.15 1998/03/27 17:27:07 kivinen |
---|
26 | .\" Removed TSS. |
---|
27 | .\" |
---|
28 | .\" Revision 1.14 1998/03/27 17:01:15 kivinen |
---|
29 | .\" Documented -g option and GatewayPorts config option. |
---|
30 | .\" |
---|
31 | .\" Revision 1.13 1998/01/02 06:22:26 kivinen |
---|
32 | .\" Sorted options. Added XAuthLocation option. Renamed |
---|
33 | .\" SSH_AUTHENTICATION_SOCKET to SSH_AUTH_SOCK. |
---|
34 | .\" |
---|
35 | .\" Revision 1.12 1997/05/08 03:05:39 kivinen |
---|
36 | .\" Added \ before all '-characters (it is troff command if it is |
---|
37 | .\" in the beginning of line). |
---|
38 | .\" |
---|
39 | .\" Revision 1.11 1997/04/27 21:50:30 kivinen |
---|
40 | .\" Added F-SECURE stuff. |
---|
41 | .\" |
---|
42 | .\" Revision 1.10 1997/04/23 00:04:36 kivinen |
---|
43 | .\" Documented ClearAllForwardings and NumberOfPasswordPrompts |
---|
44 | .\" options. Sorted options. |
---|
45 | .\" |
---|
46 | .\" Revision 1.9 1997/04/17 04:17:23 kivinen |
---|
47 | .\" Documented StrictHostKeyChecking=ask. |
---|
48 | .\" |
---|
49 | .\" Revision 1.8 1997/03/27 03:16:23 kivinen |
---|
50 | .\" Added kerberos patches from Glenn Machin. |
---|
51 | .\" Added -V and -k options. |
---|
52 | .\" |
---|
53 | .\" Revision 1.7 1997/03/26 05:35:12 kivinen |
---|
54 | .\" Documented UsePriviledgedPort config file option and -P |
---|
55 | .\" option. |
---|
56 | .\" |
---|
57 | .\" Revision 1.6 1997/03/25 05:42:57 kivinen |
---|
58 | .\" Updated. Changed ylo's email to @ssh.fi. |
---|
59 | .\" |
---|
60 | .\" Revision 1.5 1997/03/19 17:43:26 kivinen |
---|
61 | .\" Documented TISAuthentication stuff. |
---|
62 | .\" |
---|
63 | .\" Revision 1.4 1997/01/10 17:47:25 ttsalo |
---|
64 | .\" Updated the enviroment variable descriptions |
---|
65 | .\" |
---|
66 | .\" Revision 1.3 1996/09/29 01:03:36 ylo |
---|
67 | .\" Documented blowfish. |
---|
68 | .\" |
---|
69 | .\" Revision 1.2 1996/09/27 14:31:34 ttsalo |
---|
70 | .\" Socks5 support from David Kågedal <davidk@lysator.liu.se> |
---|
71 | .\" |
---|
72 | .\" Revision 1.1.1.1 1996/02/18 21:38:13 ylo |
---|
73 | .\" Imported ssh-1.2.13. |
---|
74 | .\" |
---|
75 | .\" Revision 1.9 1995/10/02 01:28:11 ylo |
---|
76 | .\" Make substitutions in configure. |
---|
77 | .\" |
---|
78 | .\" Revision 1.8 1995/09/25 00:00:49 ylo |
---|
79 | .\" Added ConnectionAttempts. |
---|
80 | .\" |
---|
81 | .\" Revision 1.7 1995/08/31 09:23:03 ylo |
---|
82 | .\" Minor cleanup. |
---|
83 | .\" |
---|
84 | .\" Revision 1.6 1995/08/29 22:31:11 ylo |
---|
85 | .\" Improved manual pages from Andrew Macpherson. |
---|
86 | .\" |
---|
87 | .\" Revision 1.5 1995/08/21 23:27:44 ylo |
---|
88 | .\" Added -q. |
---|
89 | .\" |
---|
90 | .\" Revision 1.4 1995/07/27 00:40:24 ylo |
---|
91 | .\" Added GlobalKnownHostsFile and UserKnownHostsFile. |
---|
92 | .\" |
---|
93 | .\" Revision 1.3 1995/07/15 22:24:51 ylo |
---|
94 | .\" Added documentation for -o. |
---|
95 | .\" |
---|
96 | .\" Revision 1.2 1995/07/13 01:36:20 ylo |
---|
97 | .\" Removed "Last modified" header. |
---|
98 | .\" Added cvs log. |
---|
99 | .\" |
---|
100 | .\" $Endlog$ |
---|
101 | .\" |
---|
102 | .\" |
---|
103 | .\" |
---|
104 | .\" |
---|
105 | .\" #ifndef F_SECURE_COMMERCIAL |
---|
106 | .TH SSH 1 "November 8, 1995" "SSH" "SSH" |
---|
107 | .\" #endif F_SECURE_COMMERCIAL |
---|
108 | |
---|
109 | .SH NAME |
---|
110 | ssh \- secure shell client (remote login program) |
---|
111 | |
---|
112 | .SH SYNOPSIS |
---|
113 | .B ssh |
---|
114 | [\c |
---|
115 | .BI \-l \ login_name\fR\c |
---|
116 | ] |
---|
117 | .B hostname |
---|
118 | [\c |
---|
119 | .IR command \c |
---|
120 | ] |
---|
121 | |
---|
122 | .B ssh |
---|
123 | [\c |
---|
124 | .BR \-a \c |
---|
125 | ] |
---|
126 | [\c |
---|
127 | .B \-c |
---|
128 | \fIidea\fR\||\|\fIblowfish\fR\||\|\fIdes\fR\||\|\fI3des\c |
---|
129 | \fR\||\|\fIarcfour\fR\||\|\fInone\fR\c |
---|
130 | ] |
---|
131 | [\c |
---|
132 | .BI \-e \ escape_char\fR\c |
---|
133 | ] |
---|
134 | [\c |
---|
135 | .BI \-i \ identity_file\fR\c |
---|
136 | ] |
---|
137 | [\c |
---|
138 | .BI \-l \ login_name\fR\c |
---|
139 | ] |
---|
140 | [\c |
---|
141 | .BR \-n \c |
---|
142 | ] |
---|
143 | [\c |
---|
144 | .BR \-k \c |
---|
145 | ] |
---|
146 | [\c |
---|
147 | .BR \-V \c |
---|
148 | ] |
---|
149 | [\c |
---|
150 | .BI \-o \ option\fR\c |
---|
151 | ] |
---|
152 | [\c |
---|
153 | .BI \-p \ port\fR\c |
---|
154 | ] |
---|
155 | [\c |
---|
156 | .BR \-q \c |
---|
157 | ] |
---|
158 | [\c |
---|
159 | .BR \-P \c |
---|
160 | ] |
---|
161 | [\c |
---|
162 | .BR \-t \c |
---|
163 | ] |
---|
164 | [\c |
---|
165 | .BR \-v \c |
---|
166 | ] |
---|
167 | [\c |
---|
168 | .BR \-x \c |
---|
169 | ] |
---|
170 | [\c |
---|
171 | .BR \-C \c |
---|
172 | ] |
---|
173 | [\c |
---|
174 | .BR \-g \c |
---|
175 | ] |
---|
176 | [\c |
---|
177 | .BI \-L \ port\fB:\fIhost\fB:\fIhostport\fR\c |
---|
178 | ] |
---|
179 | [\c |
---|
180 | .BI \-R \ port\fB:\fIhost\fB:\fIhostport\fR\c |
---|
181 | ] |
---|
182 | .I hostname |
---|
183 | [\c |
---|
184 | .IR command \c |
---|
185 | ] |
---|
186 | |
---|
187 | .SH DESCRIPTION |
---|
188 | .LP |
---|
189 | .B Ssh |
---|
190 | (Secure Shell) is a program for logging into a remote machine and for |
---|
191 | executing commands in a remote machine. It is intended to replace |
---|
192 | rlogin and rsh, and provide secure encrypted communications between |
---|
193 | two untrusted hosts over an insecure network. X11 connections and |
---|
194 | arbitrary TCP/IP ports can also be forwarded over the secure channel. |
---|
195 | .LP |
---|
196 | .B Ssh |
---|
197 | connects and logs into the specified |
---|
198 | .IR hostname . |
---|
199 | The user must prove |
---|
200 | his/her identity to the remote machine using one of several methods. |
---|
201 | .LP |
---|
202 | First, if the machine the user logs in from is listed in |
---|
203 | .I /etc/hosts.equiv |
---|
204 | or |
---|
205 | .I @ETCDIR@/shosts.equiv |
---|
206 | on the remote machine, and the user names are |
---|
207 | the same on both sides, the user is immediately permitted to log in. |
---|
208 | Second, if |
---|
209 | .I \&\s+2.\s0rhosts |
---|
210 | or |
---|
211 | .I \&\s+2.\s0shosts |
---|
212 | exists in the user's home directory on the |
---|
213 | remote machine and contains a line containing the name of the client |
---|
214 | machine and the name of the user on that machine, the user is |
---|
215 | permitted to log in. This form of authentication alone is normally not |
---|
216 | allowed by the server because it is not secure. |
---|
217 | .LP |
---|
218 | The second (and primary) authentication method is the |
---|
219 | .B rhosts |
---|
220 | or |
---|
221 | .B hosts.equiv |
---|
222 | method combined with RSA-based host authentication. It |
---|
223 | means that if the login would be permitted by |
---|
224 | .I \&\s+2.\s0rhosts\c |
---|
225 | \|, |
---|
226 | .I \&\s+2.\s0shosts\c |
---|
227 | \|, |
---|
228 | .IR /etc/hosts.equiv\c |
---|
229 | \|, |
---|
230 | or |
---|
231 | .IR @ETCDIR@/shosts.equiv ", |
---|
232 | and additionally it can verify the client's |
---|
233 | host key (see |
---|
234 | .I \&$HOME/\s+2.\s0ssh/known_hosts |
---|
235 | and |
---|
236 | .I @ETCDIR@/ssh_known_hosts |
---|
237 | in the |
---|
238 | .B \s-1FILES\s0 |
---|
239 | section), only then login is |
---|
240 | permitted. This authentication method closes security holes due to IP |
---|
241 | spoofing, DNS spoofing and routing spoofing. [Note to the |
---|
242 | administrator: |
---|
243 | .IR /etc/hosts.equiv ", |
---|
244 | .IR \&\s+2.\s0rhosts ", |
---|
245 | and the rlogin/rsh protocol in general, are inherently insecure and should be |
---|
246 | disabled if security is desired.] |
---|
247 | .LP |
---|
248 | As a third authentication method, |
---|
249 | .B ssh |
---|
250 | supports RSA based authentication. |
---|
251 | The scheme is based on public-key cryptography: there are cryptosystems |
---|
252 | where encryption and decryption are done using separate keys, and it |
---|
253 | is not possible to derive the decryption key from the encryption key. |
---|
254 | RSA is one such system. The idea is that each user creates a public/private |
---|
255 | key pair for authentication purposes. The |
---|
256 | server knows the public key, and only the user knows the private key. |
---|
257 | The file |
---|
258 | .I \&$HOME/\s+2.\s0ssh/authorized_keys |
---|
259 | lists the public keys that are permitted for logging |
---|
260 | in. When the user logs in, the |
---|
261 | .B ssh |
---|
262 | program tells the server which key pair it would like to use for |
---|
263 | authentication. The server checks if this key is permitted, and if |
---|
264 | so, sends the user (actually the |
---|
265 | .B ssh |
---|
266 | program running on behalf of the user) a challenge, a random number, |
---|
267 | encrypted by the user's public key. The challenge can only be |
---|
268 | decrypted using the proper private key. The user's client then decrypts the |
---|
269 | challenge using the private key, proving that he/she knows the private |
---|
270 | key but without disclosing it to the server. |
---|
271 | .LP |
---|
272 | .B Ssh |
---|
273 | implements the RSA authentication protocol automatically. The user |
---|
274 | creates his/her RSA key pair by running |
---|
275 | .BR ssh-keygen (1). |
---|
276 | This stores the private key in |
---|
277 | .I \&\s+2.\s0ssh/identity |
---|
278 | and the public key in |
---|
279 | .I \&\s+2.\s0ssh/identity.pub |
---|
280 | in the user's home directory. The user should then |
---|
281 | copy the |
---|
282 | .I identity.pub |
---|
283 | to |
---|
284 | .I \&\s+2.\s0ssh/authorized_keys |
---|
285 | in his/her home directory on the remote machine (the |
---|
286 | .I authorized_keys |
---|
287 | file corresponds to the conventional |
---|
288 | .I \&\s+2.\s0rhosts |
---|
289 | file, and has one key |
---|
290 | per line, though the lines can be very long). After this, the user |
---|
291 | can log in without giving the password. RSA authentication is much |
---|
292 | more secure than rhosts authentication. |
---|
293 | .LP |
---|
294 | The most convenient way to use RSA authentication may be with an |
---|
295 | authentication agent. See |
---|
296 | .BR ssh-agent (1) |
---|
297 | for more information. |
---|
298 | .LP |
---|
299 | As a fourth authentication method, |
---|
300 | .B ssh |
---|
301 | supports authentication through TIS authentication server. The idea is |
---|
302 | that |
---|
303 | .B ssh |
---|
304 | asks TIS |
---|
305 | .BR authsrv (8) |
---|
306 | to authenticate the user. Sometimes, usernames in the TIS database |
---|
307 | cannot be the same as the local user names. This can be the case if the user |
---|
308 | authenticates itself with a smartcard or a Digipass. In that case, the |
---|
309 | username in the database is usually known as the serial number of the |
---|
310 | authentication device. The file |
---|
311 | .I @ETCDIR@/sshd_tis.map |
---|
312 | contains the mapping between local users and their corresponding name |
---|
313 | in the TIS database. If the file does not |
---|
314 | exist or the user is not found, the corresponding name in the TIS |
---|
315 | database is supposed to be the same. |
---|
316 | .LP |
---|
317 | If other authentication methods fail, |
---|
318 | .B ssh |
---|
319 | prompts the user for a password. The password is sent to the remote |
---|
320 | host for checking; however, since all communications are encrypted, |
---|
321 | the password cannot be seen by someone listening on the network. |
---|
322 | .LP |
---|
323 | When the user's identity has been accepted by the server, the server |
---|
324 | either executes the given command, or logs into the machine and gives |
---|
325 | the user a normal shell on the remote machine. All communication with |
---|
326 | the remote command or shell will be automatically encrypted. |
---|
327 | .LP |
---|
328 | If a pseudo-terminal has been allocated (normal login session), the |
---|
329 | user can disconnect with "~.", and suspend |
---|
330 | .B ssh |
---|
331 | with "~^Z". All forwarded connections can be listed with "~#", and if |
---|
332 | the session blocks waiting for forwarded X11 or TCP/IP |
---|
333 | connections to terminate, it can be backgrounded with "~&" (this |
---|
334 | should not be used while the user shell is active, as it can cause the |
---|
335 | shell to hang). All available escapes can be listed with "~?". |
---|
336 | .LP |
---|
337 | A single tilde character can be sent as "~~" (or by |
---|
338 | following the tilde by a character other than those described above). |
---|
339 | The escape character must always follow a newline to be interpreted as |
---|
340 | special. The escape character can be changed in configuration files |
---|
341 | or on the command line. |
---|
342 | .LP |
---|
343 | If no pseudo tty has been allocated, the |
---|
344 | session is transparent and can be used to reliably transfer binary |
---|
345 | data. On most systems, setting the escape character to ``none'' will |
---|
346 | also make the session transparent even if a tty is used. |
---|
347 | .LP |
---|
348 | The session terminates when the command or shell on the remote |
---|
349 | machine exits and all X11 and TCP/IP connections have been closed. |
---|
350 | The exit status of the remote program is returned as the exit status |
---|
351 | of |
---|
352 | .B ssh. |
---|
353 | .LP |
---|
354 | If the user is using X11 (the |
---|
355 | .B \s-1DISPLAY\s0 |
---|
356 | environment variable is set), the connection to the X11 display is |
---|
357 | automatically forwarded to the remote side in such a way that any X11 |
---|
358 | programs started from the shell (or command) will go through the |
---|
359 | encrypted channel, and the connection to the real X server will be made |
---|
360 | from the local machine. The user should not manually set |
---|
361 | .BR \s-1DISPLAY\s0 ". |
---|
362 | Forwarding of X11 connections can be |
---|
363 | configured on the command line or in configuration files. |
---|
364 | .LP |
---|
365 | The DISPLAY value set by |
---|
366 | .B ssh |
---|
367 | will point to the server machine, but with a display number greater |
---|
368 | than zero. This is normal, and happens because |
---|
369 | .B ssh |
---|
370 | creates a "proxy" X server on the server machine for forwarding the |
---|
371 | connections over the encrypted channel. |
---|
372 | .LP |
---|
373 | .B Ssh |
---|
374 | will also automatically set up Xauthority data on the server machine. |
---|
375 | For this purpose, it will generate a random authorization cookie, |
---|
376 | store it in Xauthority on the server, and verify that any forwarded |
---|
377 | connections carry this cookie and replace it by the real cookie when |
---|
378 | the connection is opened. The real authentication cookie is never |
---|
379 | sent to the server machine (and no cookies are sent in the plain). |
---|
380 | .LP |
---|
381 | If the user is using an authentication agent, the connection to the agent |
---|
382 | is automatically forwarded to the remote side unless disabled on |
---|
383 | command line or in a configuration file. |
---|
384 | .LP |
---|
385 | Forwarding of arbitrary TCP/IP connections over the secure channel can |
---|
386 | be specified either on command line or in a configuration file. One |
---|
387 | possible application of TCP/IP forwarding is a secure connection to an |
---|
388 | electronic purse; another is going through firewalls. |
---|
389 | .LP |
---|
390 | .B Ssh |
---|
391 | automatically maintains and checks a database containing RSA-based |
---|
392 | identifications for all hosts it has ever been used with. The |
---|
393 | database is stored in |
---|
394 | .I \&\s+2.\s0ssh/known_hosts |
---|
395 | in the user's home directory. Additionally, the file |
---|
396 | .I @ETCDIR@/ssh_known_hosts |
---|
397 | is automatically checked for known hosts. Any new hosts are |
---|
398 | automatically added to the user's file. If a host's identification |
---|
399 | ever changes, |
---|
400 | .B ssh |
---|
401 | warns about this and disables password authentication to prevent a |
---|
402 | trojan horse from getting the user's password. Another purpose of |
---|
403 | this mechanism is to prevent man-in-the-middle attacks which could |
---|
404 | otherwise be used to circumvent the encryption. The |
---|
405 | .B StrictHostKeyChecking |
---|
406 | option (see below) can be used to prevent logins to machines whose |
---|
407 | host key is not known or has changed. |
---|
408 | |
---|
409 | |
---|
410 | .ne 5 |
---|
411 | .SH OPTIONS |
---|
412 | .TP |
---|
413 | .B \-a |
---|
414 | Disables forwarding of the authentication agent connection. This may |
---|
415 | also be specified on a per-host basis in the configuration file. |
---|
416 | .ne 3 |
---|
417 | .TP |
---|
418 | .BI \-c \ \fIidea\fR\||\|\fIdes\fR\||\|\fI3des\fR\||\|\fIblowfish\fR\||\|\fIarcfour\fR\||\|\fInone\fR |
---|
419 | Selects the cipher to use for encrypting the session. |
---|
420 | .B \s-1idea\s0 |
---|
421 | is used by default. It is believed to be secure. |
---|
422 | .B \s-1des\s0 |
---|
423 | is the data encryption standard, but is breakable by |
---|
424 | governments, large corporations, and major criminal organizations. |
---|
425 | .B \s-13des\s0 |
---|
426 | (triple-des) is encrypt-decrypt-encrypt triple with three different |
---|
427 | keys. It is presumably more secure than |
---|
428 | DES. It is used as the default if IDEA is not supported by both hosts. |
---|
429 | .B \s-1blowfish\s0 |
---|
430 | is an encryption algorithm invented by Bruce Schneier. It uses 128 |
---|
431 | bit keys. |
---|
432 | .B \s-1arcfour\s0 |
---|
433 | is an algorithm published in the Usenet News in 1995. |
---|
434 | This algorithm is believed to be equivalent with the RC4 cipher from |
---|
435 | RSA Data Security (RC4 is a trademark of RSA Data Security). This is |
---|
436 | the fastest algorithm currently supported. |
---|
437 | .B none |
---|
438 | disables encryption entirely; it is only intended for debugging, and |
---|
439 | it renders the connection insecure. |
---|
440 | .ne 3 |
---|
441 | .TP |
---|
442 | .B \-e \fIch\fR\||\|\fI^ch\fR\||\|\fInone\fR |
---|
443 | Sets the escape character for sessions with a pty (default: ~). The |
---|
444 | escape character is only recognized at the beginning of a line. The |
---|
445 | escape character followed by a dot (.) closes the connection, followed |
---|
446 | by control-Z suspends the connection, and followed by itself sends the |
---|
447 | escape character once. Setting the character to \'none\' disables any |
---|
448 | escapes and makes the session fully transparent. |
---|
449 | .ne 3 |
---|
450 | .TP |
---|
451 | .B \-f |
---|
452 | Requests ssh to go to background after authentication is done and |
---|
453 | forwardings have been established. This is useful if ssh is going to |
---|
454 | ask for passwords or passphrases, but the user wants it in the |
---|
455 | background. This may also be useful in scripts. This implies |
---|
456 | .B \-n. |
---|
457 | The recommended way to start X11 programs at a remote site is with |
---|
458 | something like "ssh -f host xterm". |
---|
459 | .ne 3 |
---|
460 | .TP |
---|
461 | .BI \-i \ identity_file |
---|
462 | Selects the file from which the identity (private key) for |
---|
463 | .B \s-1RSA\s0 |
---|
464 | authentication is read. Default is |
---|
465 | .I \&\s+2.\s0ssh/identity |
---|
466 | in the user's home directory. Identity files may also be specified on |
---|
467 | a per-host basis in the configuration file. It is possible to have |
---|
468 | multiple \-i options (and multiple identities specified in |
---|
469 | configuration files). |
---|
470 | .ne 3 |
---|
471 | .TP |
---|
472 | .B \-k |
---|
473 | Disables forwarding of the kerberos tickets. This may |
---|
474 | also be specified on a per-host basis in the configuration file. |
---|
475 | .ne 3 |
---|
476 | .TP |
---|
477 | .BI -l \ login_name |
---|
478 | Specifies the user to log in as on the remote machine. This may also |
---|
479 | be specified on a per-host basis in the configuration file. |
---|
480 | .ne 3 |
---|
481 | .TP |
---|
482 | .B \-n |
---|
483 | Redirects stdin from /dev/null (actually, prevents reading from stdin). |
---|
484 | This must be used when |
---|
485 | .B ssh |
---|
486 | is run in the background. A common trick is to use this to run X11 |
---|
487 | programs in a remote machine. For example, "ssh -n shadows.cs.hut.fi |
---|
488 | emacs &" will start an emacs on shadows.cs.hut.fi, and the X11 |
---|
489 | connection will be automatically forwarded over an encrypted channel. |
---|
490 | The |
---|
491 | .B ssh |
---|
492 | program will be put in the background. |
---|
493 | (This does not work if |
---|
494 | .B ssh |
---|
495 | needs to ask for a password or passphrase; see also the -f option.) |
---|
496 | .ne 3 |
---|
497 | .TP |
---|
498 | .BI \-o "\ 'option' |
---|
499 | Can be used to give options in the format used in the config file. |
---|
500 | This is useful for specifying options for which there is no separate |
---|
501 | command-line flag. The option has the same format as a line in the |
---|
502 | configuration file. |
---|
503 | .ne 3 |
---|
504 | .TP |
---|
505 | .BI \-p "\ port |
---|
506 | Port to connect to on the remote host. This can be specified on a |
---|
507 | per-host basis in the configuration file. |
---|
508 | .ne 3 |
---|
509 | .TP |
---|
510 | .B \-q |
---|
511 | Quiet mode. Causes all warning and diagnostic messages to be |
---|
512 | suppressed. Only fatal errors are displayed. |
---|
513 | .ne 3 |
---|
514 | .TP |
---|
515 | .B \-P |
---|
516 | Use a non-privileged port. With this you cannot use rhosts or rsarhosts |
---|
517 | authentication, but it can be used to bypass some firewalls that don't |
---|
518 | allow privileged source ports to pass. |
---|
519 | .ne 3 |
---|
520 | .TP |
---|
521 | .B \-t |
---|
522 | Force pseudo-tty allocation. This can be used to execute arbitrary |
---|
523 | screen-based programs on a remote machine, which can be very useful |
---|
524 | e.g. when implementing menu services. |
---|
525 | .ne 3 |
---|
526 | .TP |
---|
527 | .B \-v |
---|
528 | Verbose mode. Causes |
---|
529 | .B ssh |
---|
530 | to print debugging messages about its progress. This is helpful in |
---|
531 | debugging connection, authentication, and configuration problems. |
---|
532 | .ne 3 |
---|
533 | .TP |
---|
534 | .B \-V |
---|
535 | Print only version number and exit. |
---|
536 | .ne 3 |
---|
537 | .TP |
---|
538 | .B \-g |
---|
539 | Allows remote hosts to connect to local port forwarding ports. The |
---|
540 | default is that only localhost may connect to locally bound ports. |
---|
541 | .ne 3 |
---|
542 | .TP |
---|
543 | .B \-x |
---|
544 | Disables X11 forwarding. This can also be specified on a per-host |
---|
545 | basis in a configuration file. |
---|
546 | .ne 3 |
---|
547 | .TP |
---|
548 | .B \-C |
---|
549 | Requests compression of all data (including stdin, stdout, stderr, and |
---|
550 | data for forwarded X11 and TCP/IP connections). The compression |
---|
551 | algorithm is the same used by gzip, and the "level" can be controlled |
---|
552 | by the |
---|
553 | .B CompressionLevel |
---|
554 | option (see below). Compression is desirable on modem lines and other |
---|
555 | slow connections, but will only slow down things on fast networks. |
---|
556 | The default value can be set on a host-by-host basis in the |
---|
557 | configuration files; see the |
---|
558 | .B Compress |
---|
559 | option below. |
---|
560 | .ne 3 |
---|
561 | .TP |
---|
562 | .BI \-L "\ port:host:hostport |
---|
563 | Specifies that the given port on the local (client) host is to be |
---|
564 | forwarded to the given host and port on the remote side. This works |
---|
565 | by allocating a socket to listen to |
---|
566 | .B port |
---|
567 | on the local side, and whenever a connection is made to this port, the |
---|
568 | connection is forwarded over the secure channel, and a connection is |
---|
569 | made to |
---|
570 | .B host:hostport |
---|
571 | from the remote machine. Port forwardings can also be specified in the |
---|
572 | configuration file. Only root can forward privileged ports. |
---|
573 | .ne 3 |
---|
574 | .TP |
---|
575 | .BI \-R "\ port:host:hostport |
---|
576 | Specifies that the given port on the remote (server) host is to be |
---|
577 | forwarded to the given host and port on the local side. This works |
---|
578 | by allocating a socket to listen to |
---|
579 | .B port |
---|
580 | on the remote side, and whenever a connection is made to this port, the |
---|
581 | connection is forwarded over the secure channel, and a connection is |
---|
582 | made to |
---|
583 | .B host:hostport |
---|
584 | from the local machine. Port forwardings can also be specified in the |
---|
585 | configuration file. Privileged ports can be forwarded only when |
---|
586 | logging in as root on the remote machine. |
---|
587 | |
---|
588 | .SH CONFIGURATION FILES |
---|
589 | .LP |
---|
590 | .B Ssh |
---|
591 | obtains configuration data from the following sources (in this order): |
---|
592 | command line options, user's configuration file |
---|
593 | (\fI\&$HOME/\s+2.\s0ssh/config\fR), and system-wide configuration file |
---|
594 | (\fI@ETCDIR@/ssh_config\fR). For each parameter, the first obtained value |
---|
595 | will be used. The configuration files contain sections bracketed by |
---|
596 | "Host" specifications, and that section is only applied for hosts that |
---|
597 | match one of the patterns given in the specification. The matched |
---|
598 | host name is the one given on the command line. |
---|
599 | .LP |
---|
600 | Since the first obtained value for each parameter is used, more |
---|
601 | host-specific declarations should be given near the beginning of the |
---|
602 | file, and general defaults at the end. |
---|
603 | .LP |
---|
604 | The configuration file has the following format: |
---|
605 | .IP |
---|
606 | Empty lines and lines starting with \'#\' are comments. |
---|
607 | .IP |
---|
608 | Otherwise a line is of the format "keyword arguments" or "keyword = |
---|
609 | arguments". The possible keywords and their meanings are as follows |
---|
610 | (note that the configuration files are case-sensitive, but keywords |
---|
611 | are case-insensitive): |
---|
612 | .ne 3 |
---|
613 | .TP |
---|
614 | .de YN |
---|
615 | "\fByes\fR" or "\fBno\fR". |
---|
616 | .. |
---|
617 | |
---|
618 | .B Host |
---|
619 | Restricts the following declarations (up to the next |
---|
620 | .B Host |
---|
621 | keyword) to be only for those hosts that match one of the patterns |
---|
622 | given after the keyword. \'*\' and \'?\' can be used as wildcards in the |
---|
623 | patterns. A single \'*\' as a pattern can be used to provide global |
---|
624 | defaults for all hosts. The host is the |
---|
625 | .IR hostname |
---|
626 | argument given on the command line (i.e., the name is not converted to |
---|
627 | a canonicalized host name before matching). |
---|
628 | .ne 3 |
---|
629 | |
---|
630 | .TP |
---|
631 | .B BatchMode |
---|
632 | If set to "yes", passphrase/password querying will be disabled. This |
---|
633 | option is useful in scripts and other batch jobs where you have no |
---|
634 | user to supply the password. The argument must be |
---|
635 | .YN |
---|
636 | .ne 3 |
---|
637 | |
---|
638 | .TP |
---|
639 | .B Cipher |
---|
640 | Specifies the cipher to use for encrypting the session. Currently, |
---|
641 | .IR idea ", |
---|
642 | .IR des ", |
---|
643 | .IR 3des ", |
---|
644 | .IR blowfish ", |
---|
645 | .IR arcfour ", |
---|
646 | and |
---|
647 | .I none |
---|
648 | are supported. The default is "idea" (or "3des" if "idea" is not |
---|
649 | supported by both hosts). Using "none" (no encryption) is intended |
---|
650 | only for debugging, and will render the connection insecure. |
---|
651 | .ne 3 |
---|
652 | |
---|
653 | .TP |
---|
654 | .B ClearAllForwardings |
---|
655 | Clears all forwardings after reading all config files and parsing the |
---|
656 | command line. This is useful for disabling forwardings in the config file |
---|
657 | when you want to make a second connection to a host having forwardings in |
---|
658 | the config file. Scp sets this on by default so it will not fail even if |
---|
659 | you have some forwardings set in the config file. |
---|
660 | .ne 3 |
---|
661 | |
---|
662 | .TP |
---|
663 | .B Compression |
---|
664 | Specifies whether to use compression. The argument must be |
---|
665 | .YN |
---|
666 | .ne 3 |
---|
667 | |
---|
668 | .TP |
---|
669 | .B CompressionLevel |
---|
670 | Specifies the compression level to use if compression is enabled. The |
---|
671 | argument must be an integer from 1 (fast) to 9 (slow, best). The |
---|
672 | default level is 6, which is good for most applications. The meaning |
---|
673 | of the values is the same as in GNU GZIP. |
---|
674 | .ne 3 |
---|
675 | |
---|
676 | .TP |
---|
677 | .B ConnectionAttempts |
---|
678 | Specifies the number of tries (one per second) to make before falling |
---|
679 | back to rsh or exiting. The argument must be an integer. This may be |
---|
680 | useful in scripts if the connection sometimes fails. |
---|
681 | .ne 3 |
---|
682 | |
---|
683 | .TP |
---|
684 | .B EscapeChar |
---|
685 | Sets the escape character (default: ~). The escape character can also |
---|
686 | be set on the command line. The argument should be a single |
---|
687 | character, \'^\' followed by a letter, or ``none'' to disable the escape |
---|
688 | character entirely (making the connection transparent for binary |
---|
689 | data). |
---|
690 | .ne 3 |
---|
691 | |
---|
692 | .TP |
---|
693 | .B FallBackToRsh |
---|
694 | Specifies that if connecting via |
---|
695 | .B ssh |
---|
696 | fails due to a connection refused error (there is no |
---|
697 | .B sshd |
---|
698 | listening on the remote host), |
---|
699 | .B rsh |
---|
700 | should automatically be used instead (after a suitable warning about |
---|
701 | the session being unencrypted). The argument must be |
---|
702 | .YN |
---|
703 | .ne 3 |
---|
704 | |
---|
705 | .TP |
---|
706 | .B ForwardAgent |
---|
707 | Specifies whether the connection to the authentication agent (if any) |
---|
708 | will be forwarded to the remote machine. The argument must be |
---|
709 | .YN |
---|
710 | .ne 3 |
---|
711 | |
---|
712 | .TP |
---|
713 | .B ForwardX11 |
---|
714 | Specifies whether X11 connections will be automatically redirected |
---|
715 | over the secure channel and |
---|
716 | .B \s-1DISPLAY\s0 |
---|
717 | set. The argument must be |
---|
718 | .YN |
---|
719 | .ne 3 |
---|
720 | |
---|
721 | .TP |
---|
722 | .B GatewayPorts |
---|
723 | Specifies that remote hosts may also connect to locally forwarded |
---|
724 | ports. The argument must be |
---|
725 | .YN |
---|
726 | .ne 3 |
---|
727 | |
---|
728 | .TP |
---|
729 | .B GlobalKnownHostsFile |
---|
730 | Specifies a file to use instead of |
---|
731 | .IR @ETCDIR@/ssh_known_hosts ". |
---|
732 | .ne 3 |
---|
733 | |
---|
734 | .TP |
---|
735 | .B HostName |
---|
736 | Specifies the real host name to log into. This can be used to specify |
---|
737 | nicknames or abbreviations for hosts. Default is the name given on the |
---|
738 | command line. Numeric IP addresses are also permitted (both on the |
---|
739 | command line and in |
---|
740 | .B HostName |
---|
741 | specifications). |
---|
742 | .ne 3 |
---|
743 | |
---|
744 | .TP |
---|
745 | .B IdentityFile |
---|
746 | Specifies the file from which the user's RSA authentication identity |
---|
747 | is read (default \fI\s+2.\s0ssh/identity\fR in the user's home directory). |
---|
748 | Additionally, any identities represented by the authentication agent |
---|
749 | will be used for authentication. The file name may use the tilde |
---|
750 | syntax to refer to a user's home directory. It is possible to have |
---|
751 | multiple identity files specified in configuration files; all these |
---|
752 | identities will be tried in sequence. |
---|
753 | .ne 3 |
---|
754 | |
---|
755 | .TP |
---|
756 | .B KeepAlive |
---|
757 | Specifies whether the system should send keepalive messages to the |
---|
758 | other side. If they are sent, death of the connection or crash of one |
---|
759 | of the machines will be properly noticed. However, this means that |
---|
760 | connections will die if the route is down temporarily, and some people |
---|
761 | find it annoying. |
---|
762 | |
---|
763 | The default is "yes" (to send keepalives), and the client will notice |
---|
764 | if the network goes down or the remote host dies. This is important |
---|
765 | in scripts, and many users want it too. |
---|
766 | |
---|
767 | To disable keepalives, the value should be set to "no" in both the |
---|
768 | server and the client configuration files. |
---|
769 | .ne 3 |
---|
770 | |
---|
771 | .TP |
---|
772 | .B KerberosAuthentication |
---|
773 | Specifies whether Kerberos V5 authentication will be used. |
---|
774 | |
---|
775 | .TP |
---|
776 | .B KerberosTgtPassing |
---|
777 | Specifies whether a Kerberos V5 TGT will be forwarded to the server. A forwarded TGT lets the server obtain further tickets in the user's name, so this should be enabled only for trusted servers. |
---|
778 | |
---|
779 | .TP |
---|
780 | .B LocalForward |
---|
781 | Specifies that a TCP/IP port on the local machine be forwarded over |
---|
782 | the secure channel to given host:port from the remote machine. The |
---|
783 | first argument must be a port number, and the second must be |
---|
784 | host:port. Multiple forwardings may be specified, and additional |
---|
785 | forwardings can be given on the command line. Only the root can |
---|
786 | forward privileged ports. |
---|
787 | .ne 3 |
---|
788 | |
---|
789 | .TP |
---|
790 | .B NumberOfPasswordPrompts |
---|
791 | Specifies the number of password prompts before giving up. The argument |
---|
792 | must be an integer. Note that the server also limits the number of attempts |
---|
793 | (currently 5), so setting this larger has no effect. The default |
---|
794 | value is one. |
---|
795 | .ne 3 |
---|
796 | |
---|
797 | .TP |
---|
798 | .B PasswordAuthentication |
---|
799 | Specifies whether to use password authentication. The argument to |
---|
800 | this keyword must be |
---|
801 | .YN |
---|
802 | .ne 3 |
---|
803 | |
---|
804 | .TP |
---|
805 | .B PasswordPromptHost |
---|
806 | Specifies whether to include the remote host name in the password prompt. |
---|
807 | The argument to this keyword must be |
---|
808 | .YN |
---|
809 | .ne 3 |
---|
810 | |
---|
811 | .TP |
---|
812 | .B PasswordPromptLogin |
---|
813 | Specifies whether to include the remote login name in the password prompt. |
---|
814 | The argument to this keyword must be |
---|
815 | .YN |
---|
816 | .ne 3 |
---|
817 | |
---|
818 | .TP |
---|
819 | .B Port |
---|
820 | Specifies the port number to connect on the remote host. Default is |
---|
821 | 22. |
---|
822 | .ne 3 |
---|
823 | |
---|
824 | .TP |
---|
825 | .B ProxyCommand |
---|
826 | Specifies the command to use to connect to the server. The command |
---|
827 | string extends to the end of the line, and is executed with /bin/sh. |
---|
828 | In the command string, %h will be substituted by the host name to |
---|
829 | connect and %p by the port. Since the substituted string is passed to /bin/sh, a host name containing shell metacharacters may be interpreted as shell syntax; do not use this option with host names from untrusted sources. The command can be basically anything, |
---|
830 | and should read from its stdin and write to its stdout. It should |
---|
831 | eventually connect to an |
---|
832 | .B sshd |
---|
833 | server running on some machine, or execute |
---|
834 | "sshd -i" somewhere. Host key management will be done using the |
---|
835 | HostName of the host being connected (defaulting to the name typed by |
---|
836 | the user). |
---|
837 | |
---|
838 | Note that |
---|
839 | .B ssh |
---|
840 | can also be configured to support the SOCKS system using the |
---|
841 | --with-socks4 or --with-socks5 compile-time configuration option. |
---|
842 | .ne 3 |
---|
843 | |
---|
844 | .TP |
---|
845 | .B RemoteForward |
---|
846 | Specifies that a TCP/IP port on the remote machine be forwarded over |
---|
847 | the secure channel to given host:port from the local machine. The |
---|
848 | first argument must be a port number, and the second must be |
---|
849 | host:port. Multiple forwardings may be specified, and additional |
---|
850 | forwardings can be given on the command line. Only the root can |
---|
851 | forward privileged ports. |
---|
852 | .ne 3 |
---|
853 | |
---|
854 | .TP |
---|
855 | .B RhostsAuthentication |
---|
856 | Specifies whether to try rhosts based authentication. Note that this |
---|
857 | setting only affects which methods the client offers; whether rhosts authentication is accepted is decided by the server, so this option has no effect whatsoever |
---|
858 | on security. Disabling rhosts authentication may reduce |
---|
859 | authentication time on slow connections when rhosts authentication is |
---|
860 | not used. Most servers do not permit RhostsAuthentication because it |
---|
861 | is not secure (see RhostsRSAAuthentication). The argument to this |
---|
862 | keyword must be |
---|
863 | .YN |
---|
864 | .ne 3 |
---|
865 | |
---|
866 | .TP |
---|
867 | .B RhostsRSAAuthentication |
---|
868 | Specifies whether to try rhosts based authentication with RSA host |
---|
869 | authentication. This is the primary authentication method for most |
---|
870 | sites. The argument must be |
---|
871 | .YN |
---|
872 | .ne 3 |
---|
873 | |
---|
874 | .TP |
---|
875 | .B RSAAuthentication |
---|
876 | Specifies whether to try RSA authentication. The argument to this |
---|
877 | keyword must be |
---|
878 | .YN |
---|
879 | RSA authentication will only be |
---|
880 | attempted if the identity file exists, or an authentication agent is |
---|
881 | running. |
---|
882 | .ne 3 |
---|
883 | |
---|
884 | .TP |
---|
885 | .B StrictHostKeyChecking |
---|
886 | If this flag is set to "yes", |
---|
887 | .B ssh |
---|
888 | will never automatically add host keys to the |
---|
889 | .I $HOME/.ssh/known_hosts |
---|
890 | file, and refuses to connect to hosts whose host key has changed. This |
---|
891 | provides maximum protection against trojan horse attacks. However, it |
---|
892 | can be somewhat annoying if you don't have good |
---|
893 | .I @ETCDIR@/ssh_known_hosts |
---|
894 | files installed and frequently connect new hosts. Basically this |
---|
895 | option forces the user to manually add any new hosts. Normally this |
---|
896 | option is set to "ask", and new hosts will automatically be added to |
---|
897 | the known host files after you have confirmed you really want to do |
---|
898 | that. If this is set to "no" then new hosts will automatically be added |
---|
899 | to the known host files without confirmation, so an impersonator encountered on the first connection to a host would not be detected; "ask" or "yes" is recommended. The host keys of known hosts will be verified |
---|
900 | automatically in either case. |
---|
901 | |
---|
902 | The argument must be |
---|
903 | "\fByes\fR", "\fBno\fR" or "\fBask\fR". |
---|
904 | .ne 3 |
---|
905 | |
---|
906 | .TP |
---|
907 | .B TISAuthentication |
---|
908 | Specifies whether to try TIS authentication. The argument to this |
---|
909 | keyword must be |
---|
910 | .YN |
---|
911 | .ne 3 |
---|
912 | |
---|
913 | .TP |
---|
914 | .B UsePrivilegedPort |
---|
915 | Specifies whether to use privileged port when connecting to other |
---|
916 | end. The default is yes if rhosts or RhostsRSA authentication is |
---|
917 | enabled. |
---|
918 | .ne 3 |
---|
919 | |
---|
920 | .TP |
---|
921 | .B User |
---|
922 | Specifies the user to log in as. This can be useful if you have a |
---|
923 | different user name on different machines. This saves the trouble of |
---|
924 | having to remember to give the user name on the command line. |
---|
925 | .ne 3 |
---|
926 | |
---|
927 | .TP |
---|
928 | .B UserKnownHostsFile |
---|
929 | Specifies a file to use instead of \fI$HOME/\s+2.\s0ssh/known_hosts\fR. |
---|
930 | .ne 3 |
---|
931 | |
---|
932 | .TP |
---|
933 | .B UseRsh |
---|
934 | Specifies that rlogin/rsh should be used for this host. It is |
---|
935 | possible that the host does not at all support the |
---|
936 | .B ssh |
---|
937 | protocol. This causes |
---|
938 | .B ssh |
---|
939 | to immediately exec |
---|
940 | .B rsh. |
---|
941 | All other options (except |
---|
942 | .BR HostName ) |
---|
943 | are ignored if this has been specified. Note that the resulting rsh session is not encrypted. The argument must be |
---|
944 | .YN |
---|
945 | .ne 3 |
---|
946 | |
---|
947 | .TP |
---|
948 | .B XAuthLocation |
---|
949 | Specifies the path to xauth program. |
---|
950 | .ne 3 |
---|
951 | |
---|
952 | .SH ENVIRONMENT |
---|
953 | .LP |
---|
954 | .B Ssh |
---|
955 | will normally set the following environment variables: |
---|
956 | .TP |
---|
957 | .B DISPLAY |
---|
958 | The DISPLAY variable indicates the location of the X11 server. It is |
---|
959 | automatically set by |
---|
960 | .B ssh |
---|
961 | to point to a value of the form "hostname:n" where hostname indicates |
---|
962 | the host where the shell runs, and n is an integer >= 1. Ssh uses |
---|
963 | this special value to forward X11 connections over the secure |
---|
964 | channel. The user should normally not set DISPLAY explicitly, as that |
---|
965 | will render the X11 connection insecure (and will require the user to |
---|
966 | manually copy any required authorization cookies). |
---|
967 | .ne 3 |
---|
968 | .TP |
---|
969 | .B HOME |
---|
970 | Set to the path of the user's home directory. |
---|
971 | .ne 3 |
---|
972 | .TP |
---|
973 | .B LOGNAME |
---|
974 | Synonym for USER; set for compatibility with systems that use |
---|
975 | this variable. |
---|
976 | .ne 3 |
---|
977 | .TP |
---|
978 | .B MAIL |
---|
979 | Set to point the user's mailbox. |
---|
980 | .ne 3 |
---|
981 | .TP |
---|
982 | .B PATH |
---|
983 | Set to the default PATH, as specified when compiling |
---|
984 | .B ssh |
---|
985 | or, on some systems, |
---|
986 | .I /etc/environment |
---|
987 | or |
---|
988 | .IR /etc/default/login ". |
---|
989 | .ne 3 |
---|
990 | .TP |
---|
991 | .B SSH_AUTH_SOCK |
---|
992 | If set, indicates the path of a unix-domain socket used |
---|
993 | to communicate with the authentication agent (or its local |
---|
994 | representative). Anyone able to connect to this socket can presumably authenticate with the agent's identities, so the socket must not be accessible to other users. |
---|
995 | .ne 3 |
---|
996 | .TP |
---|
997 | .B SSH_CLIENT |
---|
998 | Identifies the client end of the connection. The variable contains |
---|
999 | three space-separated values: client ip-address, client port number, |
---|
1000 | and server port number. |
---|
1001 | .ne 3 |
---|
1002 | .TP |
---|
1003 | .B SSH_ORIGINAL_COMMAND |
---|
1004 | Set to the original command line supplied by the client when a forced |
---|
1005 | command is run. It can be used to fetch arguments etc. from the other |
---|
1006 | end. Note that its contents are chosen by the client and must be treated as untrusted input by the forced command. |
---|
1007 | .ne 3 |
---|
1008 | .TP |
---|
1009 | .B SSH_TTY |
---|
1010 | This is set to the name of the tty (path to the device) associated |
---|
1011 | with the current shell or command. If the current session has no tty, |
---|
1012 | this variable is not set. |
---|
1013 | .ne 3 |
---|
1014 | .TP |
---|
1015 | .B TZ |
---|
1016 | The timezone variable is set to indicate the present timezone if it |
---|
1017 | was set when the daemon was started (i.e., the daemon passes the value |
---|
1018 | on to new connections). |
---|
1019 | .ne 3 |
---|
1020 | .TP |
---|
1021 | .B USER |
---|
1022 | Set to the name of the user logging in. |
---|
1023 | .LP |
---|
1024 | .RT |
---|
1025 | Additionally, |
---|
1026 | .B ssh |
---|
1027 | reads |
---|
1028 | .I /etc/environment |
---|
1029 | and |
---|
1030 | .IR $HOME/.ssh/environment ", |
---|
1031 | and adds lines of |
---|
1032 | the format |
---|
1033 | .I VARNAME=value |
---|
1034 | to the environment. Some systems may have |
---|
1035 | still additional mechanisms for setting up the environment, such as |
---|
1036 | .I /etc/default/login |
---|
1037 | on Solaris. |
---|
1038 | |
---|
1039 | .ne 3 |
---|
1040 | .SH FILES |
---|
1041 | .TP |
---|
1042 | .I \&$HOME/\s+2.\s0ssh/known_hosts |
---|
1043 | Records host keys for all hosts the user has logged into (that are not |
---|
1044 | in \fI@ETCDIR@/ssh_known_hosts\fR). See |
---|
1045 | .B sshd |
---|
1046 | manual page. |
---|
1047 | .ne 3 |
---|
1048 | .TP |
---|
1049 | .I \&$HOME/\s+2.\s0ssh/random_seed |
---|
1050 | Used for seeding the random number generator. This file contains |
---|
1051 | sensitive data and should be readable and writable only by the user and not accessible |
---|
1052 | to others. This file is created the first time the program is run |
---|
1053 | and updated automatically. The user should never need to read or |
---|
1054 | modify this file. |
---|
1055 | .ne 5 |
---|
1056 | .TP |
---|
1057 | .I \&$HOME/\s+2.\s0ssh/identity |
---|
1058 | Contains the RSA authentication identity of the user. This file |
---|
1059 | contains sensitive data and should be readable by the user but not |
---|
1060 | accessible by others. It is possible to specify a passphrase when |
---|
1061 | generating the key; without one, the private key is stored in cleartext and anyone who obtains the file can authenticate as the user. If given, the passphrase will be used to encrypt the |
---|
1062 | sensitive part of this file using |
---|
1063 | .BR \s-1IDEA\s0 ". |
---|
1064 | .ne 3 |
---|
1065 | .TP |
---|
1066 | .I \&$HOME/\s+2.\s0ssh/identity.pub |
---|
1067 | Contains the public key for authentication (public part of the |
---|
1068 | identity file in human-readable form). The contents of this file |
---|
1069 | should be added to \fI$HOME/\s+2.\s0ssh/authorized_keys\fR on all machines |
---|
1070 | where you wish to log in using RSA authentication. This file is not |
---|
1071 | sensitive and can (but need not) be readable by anyone. This file is |
---|
1072 | never used automatically and is not necessary; it is only provided for |
---|
1073 | the convenience of the user. |
---|
1074 | .ne 3 |
---|
1075 | .TP |
---|
1076 | .I \&$HOME/\s+2.\s0ssh/config |
---|
1077 | This is the per-user configuration file. The format of this file is |
---|
1078 | described above. This file is used by the |
---|
1079 | .B ssh |
---|
1080 | client. This file does not usually contain any sensitive information, |
---|
1081 | but since it can specify commands to be executed (see ProxyCommand), it must not be writable by others; the recommended permissions are read/write for the user, and not |
---|
1082 | accessible by others. |
---|
1083 | .ne 3 |
---|
1084 | .TP |
---|
1085 | .I \&$HOME/\s+2.\s0ssh/authorized_keys |
---|
1086 | Lists the RSA keys that can be used for logging in as this user. The |
---|
1087 | format of this file is described in the |
---|
1088 | .B sshd |
---|
1089 | manual page. In the simplest form the format is the same as the .pub |
---|
1090 | identity files (that is, each line contains the number of bits in |
---|
1091 | modulus, public exponent, modulus, and comment fields, separated by |
---|
1092 | spaces). This file is not highly sensitive to disclosure, but anyone who can write to it can add a key and log in as this user, so the recommended |
---|
1093 | permissions are read/write for the user, and not accessible by others. |
---|
1094 | .ne 3 |
---|
1095 | .TP |
---|
1096 | .I @ETCDIR@/ssh_known_hosts |
---|
1097 | Systemwide list of known host keys. This file should be prepared by the |
---|
1098 | system administrator to contain the public host keys of all machines in the |
---|
1099 | organization. This file should be world-readable, but writable only by root, since anyone who can modify it can substitute host keys and defeat host authentication. This file contains |
---|
1100 | public keys, one per line, in the following format (fields separated |
---|
1101 | by spaces): system name, number of bits in modulus, public exponent, |
---|
1102 | modulus, and optional comment field. When different names are used |
---|
1103 | for the same machine, all such names should be listed, separated by |
---|
1104 | commas. The format is described on the |
---|
1105 | .B sshd |
---|
1106 | manual page. |
---|
1107 | .IP |
---|
1108 | The canonical system name (as returned by name servers) is used by |
---|
1109 | .B sshd |
---|
1110 | to verify the client host when logging in; other names are needed because |
---|
1111 | .B ssh |
---|
1112 | does not convert the user-supplied name to a canonical name before |
---|
1113 | checking the key, because someone with access to the name servers |
---|
1114 | would then be able to fool host authentication. |
---|
1115 | .ne 3 |
---|
1116 | .TP |
---|
1117 | .I @ETCDIR@/ssh_config |
---|
1118 | Systemwide configuration file. This file provides defaults for those |
---|
1119 | values that are not specified in the user's configuration file, and |
---|
1120 | for those users who do not have a configuration file. This file must |
---|
1121 | be world-readable, and should be writable only by root, since it can set options such as ProxyCommand for all users. |
---|
1122 | .ne 3 |
---|
1123 | .TP |
---|
1124 | .I $HOME/\s+2.\s0rhosts |
---|
1125 | This file is used in \s+2.\s0rhosts authentication to list the |
---|
1126 | host/user pairs that are permitted to log in. (Note that this file is |
---|
1127 | also used by rlogin and rsh, which makes using this file insecure.) |
---|
1128 | Each line of the file contains a host name (in the canonical form |
---|
1129 | returned by name servers), and then a user name on that host, |
---|
1130 | separated by a space. This file must be owned by the user, |
---|
1131 | and must not have write permissions for anyone else. The recommended |
---|
1132 | permission is read/write for the user, and not accessible by others. |
---|
1133 | .IP |
---|
1134 | Note that by default |
---|
1135 | .B sshd |
---|
1136 | will be installed so that it requires successful RSA host |
---|
1137 | authentication before permitting \s+2.\s0rhosts authentication. If your |
---|
1138 | server machine does not have the client's host key in |
---|
1139 | \fI@ETCDIR@/ssh_known_hosts\fR, you can store it in |
---|
1140 | \fI$HOME/\s+2.\s0ssh/known_hosts\fR. The easiest way to do this is to |
---|
1141 | connect back to the client from the server machine using ssh; this |
---|
1142 | will automatically add the host key in \fI$HOME/\s+2.\s0ssh/known_hosts\fR. |
---|
1143 | .ne 3 |
---|
1144 | .TP |
---|
1145 | .I $HOME/\s+2.\s0shosts |
---|
1146 | This file is used exactly the same way as \s+2.\s0rhosts. The purpose for |
---|
1147 | having this file is to be able to use rhosts authentication with |
---|
1148 | .B ssh |
---|
1149 | without permitting login with rlogin or rsh. |
---|
1150 | .ne 3 |
---|
1151 | .TP |
---|
1152 | .I /etc/hosts.equiv |
---|
1153 | This file is used during \s+2.\s0rhosts authentication. It contains |
---|
1154 | canonical hosts names, one per line (the full format is described on |
---|
1155 | the |
---|
1156 | .B sshd |
---|
1157 | manual page). If the client host is found in this file, login is |
---|
1158 | automatically permitted provided client and server user names are the |
---|
1159 | same. Additionally, successful RSA host authentication is normally |
---|
1160 | required. This file should only be writable by root. |
---|
1161 | .TP |
---|
1162 | .I @ETCDIR@/shosts.equiv |
---|
1163 | This file is processed exactly as |
---|
1164 | .IR /etc/hosts.equiv ". |
---|
1165 | This file may be useful to permit logins using |
---|
1166 | .B ssh |
---|
1167 | but not using rsh/rlogin. |
---|
1168 | .ne 3 |
---|
1169 | .TP |
---|
1170 | .I @ETCDIR@/sshrc |
---|
1171 | Commands in this file are executed by |
---|
1172 | .B ssh |
---|
1173 | when the user logs in just before the user's shell (or command) is started. |
---|
1174 | See the |
---|
1175 | .B sshd |
---|
1176 | manual page for more information. |
---|
1177 | .ne 3 |
---|
1178 | .TP |
---|
1179 | .I $HOME/.ssh/rc |
---|
1180 | Commands in this file are executed by |
---|
1181 | .B ssh |
---|
1182 | when the user logs in just before the user's shell (or command) is |
---|
1183 | started. |
---|
1184 | See the |
---|
1185 | .B sshd |
---|
1186 | manual page for more information. |
---|
1187 | |
---|
1188 | .SH INSTALLATION |
---|
1189 | .LP |
---|
1190 | .B Ssh |
---|
1191 | is normally installed as suid root. It needs root privileges only for |
---|
1192 | rhosts authentication (rhosts authentication requires that the |
---|
1193 | connection must come from a privileged port, and allocating such a |
---|
1194 | port requires root privileges). It also needs to be able to read |
---|
1195 | \fI@ETCDIR@/ssh_host_key\fR to perform |
---|
1196 | .B \s-1RSA\s0 |
---|
1197 | host authentication. It is possible to use |
---|
1198 | .B ssh |
---|
1199 | without root privileges, but rhosts authentication will then be |
---|
1200 | disabled. |
---|
1201 | .B Ssh |
---|
1202 | drops any extra privileges immediately after the connection to the |
---|
1203 | remote host has been made. |
---|
1204 | .LP |
---|
1205 | Considerable work has been put into making |
---|
1206 | .B ssh |
---|
1207 | secure. However, if you find a security problem, please report it |
---|
1208 | immediately to <ssh-bugs@cs.hut.fi>. |
---|
1209 | |
---|
1210 | |
---|
1211 | .SH AUTHOR |
---|
1212 | .LP |
---|
1213 | Tatu Ylonen <ylo@ssh.fi> |
---|
1214 | .LP |
---|
1215 | Information about new releases, mailing lists, and other related |
---|
1216 | issues can be found from the ssh WWW home page at |
---|
1217 | http://www.cs.hut.fi/ssh. |
---|
1218 | |
---|
1219 | .SH SEE ALSO |
---|
1220 | .BR sshd (8), |
---|
1221 | .BR ssh-keygen (1), |
---|
1222 | .BR ssh-agent (1), |
---|
1223 | .BR ssh-add (1), |
---|
1224 | .BR scp (1), |
---|
1225 | .BR make-ssh-known-hosts (1), |
---|
1226 | .BR rlogin (1), |
---|
1227 | .BR rsh (1), |
---|
1228 | .BR telnet (1) |
---|