diff options
Diffstat (limited to 'ssh.1')
| -rw-r--r-- | ssh.1 | 89 |
1 files changed, 53 insertions, 36 deletions
@@ -9,7 +9,7 @@ .\" .\" Created: Sat Apr 22 21:55:14 1995 ylo .\" -.\" $Id: ssh.1,v 1.20 2000/03/26 03:04:54 damien Exp $ +.\" $Id: ssh.1,v 1.21 2000/04/13 02:26:37 damien Exp $ .\" .Dd September 25, 1999 .Dt SSH 1 @@ -49,7 +49,7 @@ .Oc .Op Ar hostname | user@hostname .Op Ar command -.Sh DESCRIPTION +.Sh DESCRIPTION .Nm (Secure Shell) is a program for logging into a remote machine and for executing commands on a remote machine. @@ -60,7 +60,7 @@ X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. .Pp .Nm -connects and logs into the specified +connects and logs into the specified .Ar hostname . The user must prove his/her identity to the remote machine using one of several methods. @@ -71,7 +71,7 @@ or .Pa /etc/shosts.equiv on the remote machine, and the user names are the same on both sides, the user is immediately permitted to log in. -Second, if +Second, if .Pa \&.rhosts or .Pa \&.shosts @@ -94,7 +94,7 @@ It means that if the login would be permitted by or .Pa /etc/shosts.equiv , and if additionally the server can verify the client's -host key (see +host key (see .Pa /etc/ssh_known_hosts and .Pa $HOME/.ssh/known_hosts @@ -109,17 +109,17 @@ spoofing, DNS spoofing and routing spoofing. and the rlogin/rsh protocol in general, are inherently insecure and should be disabled if security is desired.] .Pp -As a third authentication method, +As a third authentication method, .Nm supports RSA based authentication. The scheme is based on public-key cryptography: there are cryptosystems where encryption and decryption are done using separate keys, and it is not possible to derive the decryption key from the encryption key. RSA is one such system. -The idea is that each user creates a public/private +The idea is that each user creates a public/private key pair for authentication purposes. The server knows the public key, and only the user knows the private key. -The file +The file .Pa $HOME/.ssh/authorized_keys lists the public keys that are permitted for logging in. @@ -142,18 +142,18 @@ key but without disclosing it to the server. implements the RSA authentication protocol automatically. The user creates his/her RSA key pair by running .Xr ssh-keygen 1 . -This stores the private key in +This stores the private key in .Pa \&.ssh/identity and the public key in .Pa \&.ssh/identity.pub in the user's home directory. The user should then copy the .Pa identity.pub -to +to .Pa \&.ssh/authorized_keys -in his/her home directory on the remote machine (the +in his/her home directory on the remote machine (the .Pa authorized_keys -file corresponds to the conventional +file corresponds to the conventional .Pa \&.rhosts file, and has one key per line, though the lines can be very long). @@ -167,7 +167,7 @@ See .Xr ssh-agent 1 for more information. .Pp -If other authentication methods fail, +If other authentication methods fail, .Nm prompts the user for a password. The password is sent to the remote @@ -188,7 +188,7 @@ and suspend with .Ic ~^Z . All forwarded connections can be listed with -.Ic ~# +.Ic ~# and if the session blocks waiting for forwarded X11 or TCP/IP connections to terminate, it can be backgrounded with @@ -232,7 +232,7 @@ Forwarding of X11 connections can be configured on the command line or in configuration files. .Pp The -.Ev DISPLAY +.Ev DISPLAY value set by .Nm will point to the server machine, but with a display number greater @@ -265,10 +265,10 @@ electronic purse; another is going trough firewalls. .Nm automatically maintains and checks a database containing RSA-based identifications for all hosts it has ever been used with. -The database is stored in +The database is stored in .Pa \&.ssh/known_hosts in the user's home directory. -Additionally, the file +Additionally, the file .Pa /etc/ssh_known_hosts is automatically checked for known hosts. Any new hosts are automatically added to the user's file. @@ -290,10 +290,10 @@ host key is not known or has changed. Disables forwarding of the authentication agent connection. This may also be specified on a per-host basis in the configuration file. .It Fl c Ar blowfish|3des -Selects the cipher to use for encrypting the session. +Selects the cipher to use for encrypting the session. .Ar 3des is used by default. -It is believed to be secure. +It is believed to be secure. .Ar 3des (triple-des) is an encrypt-decrypt-encrypt triple with three different keys. It is presumably more secure than the @@ -322,7 +322,7 @@ This is useful if .Nm is going to ask for passwords or passphrases, but the user wants it in the background. -This implies +This implies .Fl n . The recommended way to start X11 programs at a remote site is with something like @@ -330,9 +330,9 @@ something like .It Fl g Allows remote hosts to connect to local forwarded ports. .It Fl i Ar identity_file -Selects the file from which the identity (private key) for +Selects the file from which the identity (private key) for RSA authentication is read. -Default is +Default is .Pa \&.ssh/identity in the user's home directory. Identity files may also be specified on @@ -548,6 +548,12 @@ and are supported. The default is .Dq 3des . +.It Cm Ciphers +Specifies the ciphers allowed for protocol version 2 +in order of preference. +Multiple ciphers must be comma-separated. +The default is +.Dq blowfish-cbc,3des-cbc,arcfour,cast128-cbc . .It Cm Compression Specifies whether to use compression. The argument must be @@ -577,12 +583,12 @@ followed by a letter, or to disable the escape character entirely (making the connection transparent for binary data). -.It Cm FallBackToRsh +.It Cm FallBackToRsh Specifies that if connecting via .Nm fails due to a connection refused error (there is no .Xr sshd 8 -listening on the remote host), +listening on the remote host), .Xr rsh 1 should automatically be used instead (after a suitable warning about the session being unencrypted). @@ -599,10 +605,10 @@ or .Dq no . .It Cm ForwardX11 Specifies whether X11 connections will be automatically redirected -over the secure channel and +over the secure channel and .Ev DISPLAY set. -The argument must be +The argument must be .Dq yes or .Dq no . @@ -618,7 +624,7 @@ or The default is .Dq no . .It Cm GlobalKnownHostsFile -Specifies a file to use instead of +Specifies a file to use instead of .Pa /etc/ssh_known_hosts . .It Cm HostName Specifies the real host name to log into. @@ -697,6 +703,17 @@ or .It Cm Port Specifies the port number to connect on the remote host. Default is 22. +.It Cm Protocol +Specifies the protocol versions +.Nm +should support in order of preference. +The possible values are +.Dq 1 +and +.Dq 2 . +Multiple versions must be comma-separated. +The default is +.Dq 1 . .It Cm ProxyCommand Specifies the command to use to connect to the server. The command @@ -773,7 +790,7 @@ The default is .Dq no . .It Cm StrictHostKeyChecking If this flag is set to -.Dq yes , +.Dq yes , .Nm ssh will never automatically add host keys to the .Pa $HOME/.ssh/known_hosts @@ -839,7 +856,7 @@ will normally set the following environment variables: The .Ev DISPLAY variable indicates the location of the X11 server. -It is automatically set by +It is automatically set by .Nm to point to a value of the form .Dq hostname:n @@ -885,10 +902,10 @@ on to new connections). Set to the name of the user logging in. .El .Pp -Additionally, +Additionally, .Nm -reads -.Pa $HOME/.ssh/environment , +reads +.Pa $HOME/.ssh/environment , and adds lines of the format .Dq VARNAME=value to the environment. @@ -911,7 +928,7 @@ ignores this file if it is accessible by others. It is possible to specify a passphrase when generating the key; the passphrase will be used to encrypt the sensitive part of this file using 3DES. -.It Pa $HOME/.ssh/identity.pub +.It Pa $HOME/.ssh/identity.pub Contains the public key for authentication (public part of the identity file in human-readable form). The contents of this file should be added to @@ -1031,7 +1048,7 @@ Additionally, successful RSA host authentication is normally required. This file should only be writable by root. .It Pa /etc/shosts.equiv -This file is processed exactly as +This file is processed exactly as .Pa /etc/hosts.equiv . This file may be useful to permit logins using .Nm @@ -1048,7 +1065,7 @@ Commands in this file are executed by .Nm when the user logs in just before the user's shell (or command) is started. -See the +See the .Xr sshd 8 manual page for more information. .It Pa $HOME/.ssh/environment @@ -1077,7 +1094,7 @@ external libraries. has been updated to support ssh protocol 1.5, making it compatible with all other ssh protocol 1 clients and servers. .It -contains added support for +contains added support for .Xr kerberos 8 authentication and ticket passing. .It |