Diffstat (limited to 'crypto/openssh/ssh.0')
-rw-r--r-- | crypto/openssh/ssh.0 | 169 |
1 files changed, 88 insertions, 81 deletions
diff --git a/crypto/openssh/ssh.0 b/crypto/openssh/ssh.0 index 70ea377..5e5f3b5 100644 --- a/crypto/openssh/ssh.0 +++ b/crypto/openssh/ssh.0 @@ -1,15 +1,15 @@ SSH(1) General Commands Manual SSH(1) NAME - ssh - OpenSSH SSH client (remote login program) + ssh M-bM-^@M-^S OpenSSH SSH client (remote login program) SYNOPSIS - ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] + ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] - [-Q cipher | cipher-auth | mac | kex | key] + [-Q cipher | cipher-auth | mac | kex | key | protocol-version] [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] [user@]hostname [command] @@ -61,7 +61,7 @@ DESCRIPTION -C Requests compression of all data (including stdin, stdout, stderr, and data for forwarded X11, TCP and UNIX-domain connections). The compression algorithm is the same used by - gzip(1), and the ``level'' can be controlled by the + gzip(1), and the M-bM-^@M-^\levelM-bM-^@M-^] can be controlled by the CompressionLevel option for protocol version 1. Compression is desirable on modem lines and other slow connections, but will only slow down things on fast networks. The default value can be 
@@ -72,13 +72,13 @@ DESCRIPTION Selects the cipher specification for encrypting the session. Protocol version 1 allows specification of a single cipher. The - supported values are ``3des'', ``blowfish'', and ``des''. For - protocol version 2, cipher_spec is a comma-separated list of - ciphers listed in order of preference. See the Ciphers keyword - in ssh_config(5) for more information. + supported values are M-bM-^@M-^\3desM-bM-^@M-^], M-bM-^@M-^\blowfishM-bM-^@M-^], and M-bM-^@M-^\desM-bM-^@M-^]. For protocol + version 2, cipher_spec is a comma-separated list of ciphers + listed in order of preference. See the Ciphers keyword in + ssh_config(5) for more information. -D [bind_address:]port - Specifies a local ``dynamic'' application-level port forwarding. + Specifies a local M-bM-^@M-^\dynamicM-bM-^@M-^] application-level port forwarding. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over 
@@ -94,20 +94,20 @@ DESCRIPTION ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The - bind_address of ``localhost'' indicates that the listening port - be bound for local use only, while an empty address or `*' - indicates that the port should be available from all interfaces. + bind_address of M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the listening port be + bound for local use only, while an empty address or M-bM-^@M-^X*M-bM-^@M-^Y indicates + that the port should be available from all interfaces. -E log_file Append debug logs to log_file instead of standard error. -e escape_char - Sets the escape character for sessions with a pty (default: `~'). + Sets the escape character for sessions with a pty (default: M-bM-^@M-^X~M-bM-^@M-^Y). The escape character is only recognized at the beginning of a - line. The escape character followed by a dot (`.') closes the + line. The escape character followed by a dot (M-bM-^@M-^X.M-bM-^@M-^Y) closes the connection; followed by control-Z suspends the connection; and followed by itself sends the escape character once. Setting the - character to ``none'' disables any escapes and makes the session + character to M-bM-^@M-^\noneM-bM-^@M-^] disables any escapes and makes the session fully transparent. -F configfile 
@@ -122,10 +122,13 @@ DESCRIPTION implies -n. The recommended way to start X11 programs at a remote site is with something like ssh -f host xterm. - If the ExitOnForwardFailure configuration option is set to - ``yes'', then a client started with -f will wait for all remote - port forwards to be successfully established before placing - itself in the background. + If the ExitOnForwardFailure configuration option is set to M-bM-^@M-^\yesM-bM-^@M-^], + then a client started with -f will wait for all remote port + forwards to be successfully established before placing itself in + the background. + + -G Causes ssh to print its configuration after evaluating Host and + Match blocks and exit. -g Allows remote hosts to connect to local forwarded ports. If used on a multiplexed connection, then this option must be specified 
@@ -166,17 +169,17 @@ DESCRIPTION port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of - ``localhost'' indicates that the listening port be bound for - local use only, while an empty address or `*' indicates that the - port should be available from all interfaces. + M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the listening port be bound for local + use only, while an empty address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port + should be available from all interfaces. -l login_name Specifies the user to log in as on the remote machine. This also may be specified on a per-host basis in the configuration file. - -M Places the ssh client into ``master'' mode for connection - sharing. Multiple -M options places ssh into ``master'' mode - with confirmation required before slave connections are accepted. + -M Places the ssh client into M-bM-^@M-^\masterM-bM-^@M-^] mode for connection sharing. + Multiple -M options places ssh into M-bM-^@M-^\masterM-bM-^@M-^] mode with + confirmation required before slave connections are accepted. Refer to the description of ControlMaster in ssh_config(5) for details. 
@@ -201,10 +204,10 @@ DESCRIPTION -O ctl_cmd Control an active connection multiplexing master process. When the -O option is specified, the ctl_cmd argument is interpreted - and passed to the master process. Valid commands are: ``check'' - (check that the master process is running), ``forward'' (request - forwardings without command execution), ``cancel'' (cancel - forwardings), ``exit'' (request the master to exit), and ``stop'' + and passed to the master process. Valid commands are: M-bM-^@M-^\checkM-bM-^@M-^] + (check that the master process is running), M-bM-^@M-^\forwardM-bM-^@M-^] (request + forwardings without command execution), M-bM-^@M-^\cancelM-bM-^@M-^] (cancel + forwardings), M-bM-^@M-^\exitM-bM-^@M-^] (request the master to exit), and M-bM-^@M-^\stopM-bM-^@M-^] (request the master to stop accepting further multiplexing requests). @@ -238,6 +241,7 @@ DESCRIPTION DynamicForward EscapeChar ExitOnForwardFailure + FingerprintHash ForwardAgent ForwardX11 ForwardX11Timeout @@ -249,6 +253,7 @@ DESCRIPTION HashKnownHosts Host HostbasedAuthentication + HostbasedKeyTypes HostKeyAlgorithms HostKeyAlias HostName @@ -288,6 +293,7 @@ DESCRIPTION TCPKeepAlive Tunnel TunnelDevice + UpdateHostKeys UsePrivilegedPort User UserKnownHostsFile 
@@ -299,12 +305,13 @@ DESCRIPTION Port to connect to on the remote host. This can be specified on a per-host basis in the configuration file. - -Q cipher | cipher-auth | mac | kex | key + -Q cipher | cipher-auth | mac | kex | key | protocol-version Queries ssh for the algorithms supported for the specified version 2. The available features are: cipher (supported symmetric ciphers), cipher-auth (supported symmetric ciphers that support authenticated encryption), mac (supported message - integrity codes), kex (key exchange algorithms), key (key types). + integrity codes), kex (key exchange algorithms), key (key types) + and protocol-version (supported SSH protocol versions). -q Quiet mode. Causes most warning and diagnostic messages to be suppressed. @@ -325,19 +332,19 @@ DESCRIPTION By default, the listening socket on the server will be bound to the loopback interface only. This may be overridden by specifying a bind_address. An empty bind_address, or the address - `*', indicates that the remote socket should listen on all + M-bM-^@M-^X*M-bM-^@M-^Y, indicates that the remote socket should listen on all interfaces. Specifying a remote bind_address will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5)). - If the port argument is `0', the listen port will be dynamically + If the port argument is M-bM-^@M-^X0M-bM-^@M-^Y, the listen port will be dynamically allocated on the server and reported to the client at run time. When used together with -O forward the allocated port will be printed to the standard output. -S ctl_path Specifies the location of a control socket for connection - sharing, or the string ``none'' to disable connection sharing. + sharing, or the string M-bM-^@M-^\noneM-bM-^@M-^] to disable connection sharing. Refer to the description of ControlPath and ControlMaster in ssh_config(5) for details. 
@@ -373,11 +380,11 @@ DESCRIPTION (remote_tun). The devices may be specified by numerical ID or the keyword - ``any'', which uses the next available tunnel device. If - remote_tun is not specified, it defaults to ``any''. See also - the Tunnel and TunnelDevice directives in ssh_config(5). If the + M-bM-^@M-^\anyM-bM-^@M-^], which uses the next available tunnel device. If + remote_tun is not specified, it defaults to M-bM-^@M-^\anyM-bM-^@M-^]. See also the + Tunnel and TunnelDevice directives in ssh_config(5). If the Tunnel directive is unset, it is set to the default tunnel mode, - which is ``point-to-point''. + which is M-bM-^@M-^\point-to-pointM-bM-^@M-^]. -X Enables X11 forwarding. This can also be specified on a per-host basis in a configuration file. @@ -444,7 +451,7 @@ AUTHENTICATION creates a public/private key pair for authentication purposes. The server knows the public key, and only the user knows the private key. ssh implements public key authentication protocol automatically, using - one of the DSA, ECDSA, ED25519 or RSA algorithms. Protocol 1 is + one of the DSA, ECDSA, Ed25519 or RSA algorithms. Protocol 1 is restricted to using only RSA keys, but protocol 2 may use any. The HISTORY section of ssl(8) contains a brief discussion of the DSA and RSA algorithms. 
@@ -458,10 +465,10 @@ AUTHENTICATION The user creates his/her key pair by running ssh-keygen(1). This stores the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol 2 DSA), ~/.ssh/id_ecdsa (protocol 2 ECDSA), ~/.ssh/id_ed25519 (protocol 2 - ED25519), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in + Ed25519), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA), ~/.ssh/id_ecdsa.pub (protocol 2 ECDSA), ~/.ssh/id_ed25519.pub (protocol 2 - ED25519), or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home + Ed25519), or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home directory. The user should then copy the public key to ~/.ssh/authorized_keys in his/her home directory on the remote machine. The authorized_keys file corresponds to the conventional ~/.rhosts file, @@ -512,8 +519,8 @@ AUTHENTICATION If no pseudo-tty has been allocated, the session is transparent and can be used to reliably transfer binary data. On most systems, setting the - escape character to ``none'' will also make the session transparent even - if a tty is used. + escape character to M-bM-^@M-^\noneM-bM-^@M-^] will also make the session transparent even if + a tty is used. The session terminates when the command or shell on the remote machine exits and all X11 and TCP connections have been closed. @@ -528,7 +535,7 @@ ESCAPE CHARACTERS character can be changed in configuration files using the EscapeChar configuration directive or on the command line by the -e option. - The supported escapes (assuming the default `~') are: + The supported escapes (assuming the default M-bM-^@M-^X~M-bM-^@M-^Y) are: ~. Disconnect. 
@@ -577,26 +584,26 @@ TCP FORWARDING same local port, and ssh will encrypt and forward the connection. The following example tunnels an IRC session from client machine - ``127.0.0.1'' (localhost) to remote server ``server.example.com'': + M-bM-^@M-^\127.0.0.1M-bM-^@M-^] (localhost) to remote server M-bM-^@M-^\server.example.comM-bM-^@M-^]: $ ssh -f -L 1234:localhost:6667 server.example.com sleep 10 $ irc -c '#users' -p 1234 pinky 127.0.0.1 - This tunnels a connection to IRC server ``server.example.com'', joining - channel ``#users'', nickname ``pinky'', using port 1234. It doesn't - matter which port is used, as long as it's greater than 1023 (remember, - only root can open sockets on privileged ports) and doesn't conflict with - any ports already in use. The connection is forwarded to port 6667 on - the remote server, since that's the standard port for IRC services. + This tunnels a connection to IRC server M-bM-^@M-^\server.example.comM-bM-^@M-^], joining + channel M-bM-^@M-^\#usersM-bM-^@M-^], nickname M-bM-^@M-^\pinkyM-bM-^@M-^], using port 1234. It doesn't matter + which port is used, as long as it's greater than 1023 (remember, only + root can open sockets on privileged ports) and doesn't conflict with any + ports already in use. The connection is forwarded to port 6667 on the + remote server, since that's the standard port for IRC services. - The -f option backgrounds ssh and the remote command ``sleep 10'' is + The -f option backgrounds ssh and the remote command M-bM-^@M-^\sleep 10M-bM-^@M-^] is specified to allow an amount of time (10 seconds, in the example) to start the service which is to be tunnelled. If no connections are made within the time specified, ssh will exit. 
X11 FORWARDING - If the ForwardX11 variable is set to ``yes'' (or see the description of - the -X, -x, and -Y options above) and the user is using X11 (the DISPLAY + If the ForwardX11 variable is set to M-bM-^@M-^\yesM-bM-^@M-^] (or see the description of the + -X, -x, and -Y options above) and the user is using X11 (the DISPLAY environment variable is set), the connection to the X11 display is automatically forwarded to the remote side in such a way that any X11 programs started from the shell (or command) will go through the @@ -607,7 +614,7 @@ X11 FORWARDING The DISPLAY value set by ssh will point to the server machine, but with a display number greater than zero. This is normal, and happens because - ssh creates a ``proxy'' X server on the server machine for forwarding the + ssh creates a M-bM-^@M-^\proxyM-bM-^@M-^] X server on the server machine for forwarding the connections over the encrypted channel. ssh will also automatically set up Xauthority data on the server machine. @@ -617,7 +624,7 @@ X11 FORWARDING is opened. The real authentication cookie is never sent to the server machine (and no cookies are sent in the plain). - If the ForwardAgent variable is set to ``yes'' (or see the description of + If the ForwardAgent variable is set to M-bM-^@M-^\yesM-bM-^@M-^] (or see the description of the -A and -a options above) and the user is using an authentication agent, the connection to the agent is automatically forwarded to the remote side. 
@@ -632,15 +639,15 @@ VERIFYING HOST KEYS If the fingerprint is already known, it can be matched and the key can be accepted or rejected. Because of the difficulty of comparing host keys - just by looking at hex strings, there is also support to compare host - keys visually, using random art. By setting the VisualHostKey option to - ``yes'', a small ASCII graphic gets displayed on every login to a server, - no matter if the session itself is interactive or not. By learning the - pattern a known server produces, a user can easily find out that the host - key has changed when a completely different pattern is displayed. - Because these patterns are not unambiguous however, a pattern that looks - similar to the pattern remembered only gives a good probability that the - host key is the same, not guaranteed proof. + just by looking at fingerprint strings, there is also support to compare + host keys visually, using random art. By setting the VisualHostKey + option to M-bM-^@M-^\yesM-bM-^@M-^], a small ASCII graphic gets displayed on every login to a + server, no matter if the session itself is interactive or not. By + learning the pattern a known server produces, a user can easily find out + that the host key has changed when a completely different pattern is + displayed. Because these patterns are not unambiguous however, a pattern + that looks similar to the pattern remembered only gives a good + probability that the host key is the same, not guaranteed proof. To get a listing of the fingerprints along with their random art for all known hosts, the following command line can be used: 
@@ -653,8 +660,8 @@ VERIFYING HOST KEYS able to match the fingerprint with that of the key presented. In this example, we are connecting a client to a server, - ``host.example.com''. The SSHFP resource records should first be added - to the zonefile for host.example.com: + M-bM-^@M-^\host.example.comM-bM-^@M-^]. The SSHFP resource records should first be added to + the zonefile for host.example.com: $ ssh-keygen -r host.example.com. @@ -697,9 +704,9 @@ SSH-BASED VIRTUAL PRIVATE NETWORKS Client access may be more finely tuned via the /root/.ssh/authorized_keys file (see below) and the PermitRootLogin server option. The following - entry would permit connections on tun(4) device 1 from user ``jane'' and - on tun device 2 from user ``john'', if PermitRootLogin is set to - ``forced-commands-only'': + entry would permit connections on tun(4) device 1 from user M-bM-^@M-^\janeM-bM-^@M-^] and on + tun device 2 from user M-bM-^@M-^\johnM-bM-^@M-^], if PermitRootLogin is set to + M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^]: tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john 
@@ -714,14 +721,14 @@ ENVIRONMENT DISPLAY The DISPLAY variable indicates the location of the X11 server. It is automatically set by ssh to - point to a value of the form ``hostname:n'', where - ``hostname'' indicates the host where the shell - runs, and `n' is an integer >= 1. ssh uses this - special value to forward X11 connections over the - secure channel. The user should normally not set - DISPLAY explicitly, as that will render the X11 - connection insecure (and will require the user to - manually copy any required authorization cookies). + point to a value of the form M-bM-^@M-^\hostname:nM-bM-^@M-^], where + M-bM-^@M-^\hostnameM-bM-^@M-^] indicates the host where the shell runs, + and M-bM-^@M-^XnM-bM-^@M-^Y is an integer M-bM-^IM-% 1. ssh uses this special + value to forward X11 connections over the secure + channel. The user should normally not set DISPLAY + explicitly, as that will render the X11 connection + insecure (and will require the user to manually + copy any required authorization cookies). HOME Set to the path of the user's home directory. @@ -770,7 +777,7 @@ ENVIRONMENT USER Set to the name of the user logging in. Additionally, ssh reads ~/.ssh/environment, and adds lines of the format - ``VARNAME=value'' to the environment if the file exists and users are + M-bM-^@M-^\VARNAME=valueM-bM-^@M-^] to the environment if the file exists and users are allowed to change their environment. For more information, see the PermitUserEnvironment option in sshd_config(5). @@ -797,7 +804,7 @@ FILES for the user, and not accessible by others. ~/.ssh/authorized_keys - Lists the public keys (DSA, ECDSA, ED25519, RSA) that can be used + Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used for logging in as this user. The format of this file is described in the sshd(8) manual page. This file is not highly sensitive, but the recommended permissions are read/write for the 
@@ -941,4 +948,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 5.6 July 24, 2014 OpenBSD 5.6 +OpenBSD 5.7 March 3, 2015 OpenBSD 5.7 |
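Review bot: The regenerated page now carries raw UTF-8 bytes where the previous revision was plain ASCII, starting at the NAME line of the first hunk (`ssh M-bM-^@M-^S OpenSSH SSH client`) and repeating in almost every later hunk as `M-bM-^@M-^\` ... `M-bM-^@M-^]` around quoted words, `M-bM-^@M-^X` ... `M-bM-^@M-^Y` around single characters, and `M-bM-^IM-%` in the DISPLAY entry. These are an en dash, curly quotes and a greater-than-or-equal sign replacing `-`, ``` ``...'' ```, `` `...' `` and `>=`. Most of the 88 insertions and 81 deletions are this re-encoding plus rewrapping, which buries the real changes (-G, protocol-version, FingerprintHash, HostbasedKeyTypes, UpdateHostKeys, the Ed25519 spelling, the date), and a reader searching the page for an ASCII-quoted value such as ``` ``none'' ``` or `>= 1` will no longer find it. Suggest regenerating ssh.0 with ASCII output so the diff shows only the content changes.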
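Review bot: The new -G entry in the `@@ -122,10 +122,13 @@` hunk is underspecified: "print its configuration after evaluating Host and Match blocks and exit" does not say whether a connection to the host is attempted first, or where the output is written. Since this option is what an administrator would use to audit the effective settings for a given host, suggest adding one sentence stating both.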
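Review bot: In the -M entry of the `@@ -166,17 +169,17 @@` hunk, the rewrapped line keeps a subject-verb disagreement: "Multiple -M options places ssh into" should read "Multiple -M options place ssh into". The line is being reflowed in this change anyway, so this is a good moment to fix it in the manual source.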
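Review bot: In the -Q entry of the `@@ -299,12 +305,13 @@` hunk, the unchanged lead sentence "Queries ssh for the algorithms supported for the specified version 2." was already hard to parse and no longer matches the option now that protocol-version is one of the queries, because a protocol version is not an algorithm. Suggest rewording the lead sentence so it covers every listed feature, and putting a comma before "and protocol-version" to match the punctuation of the rest of the list.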