1.\" -*- nroff -*- 2.\" 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5.\" All rights reserved 6.\" 7.\" As far as I am concerned, the code I have written for this software 8.\" can be used freely for any purpose. Any derived versions of this 9.\" software must be clearly marked as such, and if the derived work is 10.\" incompatible with the protocol description in the RFC file, it must be 11.\" called by a name other than "ssh" or "Secure Shell". 12.\" 13.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 14.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 15.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. 16.\" 17.\" Redistribution and use in source and binary forms, with or without 18.\" modification, are permitted provided that the following conditions 19.\" are met: 20.\" 1. Redistributions of source code must retain the above copyright 21.\" notice, this list of conditions and the following disclaimer. 22.\" 2. Redistributions in binary form must reproduce the above copyright 23.\" notice, this list of conditions and the following disclaimer in the 24.\" documentation and/or other materials provided with the distribution. 25.\" 26.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 27.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 28.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" 37.\" $OpenBSD: ssh.1,v 1.147 2002/02/09 17:37:34 deraadt Exp $ 38.Dd September 25, 1999 39.Dt SSH 1 40.Os 41.Sh NAME 42.Nm ssh 43.Nd OpenSSH SSH client (remote login program) 44.Sh SYNOPSIS 45.Nm ssh 46.Op Fl l Ar login_name 47.Ar hostname | user@hostname 48.Op Ar command 49.Pp 50.Nm ssh 51.Op Fl afgknqstvxACNPTX1246 52.Op Fl b Ar bind_address 53.Op Fl c Ar cipher_spec 54.Op Fl e Ar escape_char 55.Op Fl i Ar identity_file 56.Op Fl l Ar login_name 57.Op Fl m Ar mac_spec 58.Op Fl o Ar option 59.Op Fl p Ar port 60.Op Fl F Ar configfile 61.Oo Fl L Xo 62.Sm off 63.Ar port : 64.Ar host : 65.Ar hostport 66.Sm on 67.Xc 68.Oc 69.Oo Fl R Xo 70.Sm off 71.Ar port : 72.Ar host : 73.Ar hostport 74.Sm on 75.Xc 76.Oc 77.Op Fl D Ar port 78.Ar hostname | user@hostname 79.Op Ar command 80.Sh DESCRIPTION 81.Nm 82(SSH client) is a program for logging into a remote machine and for 83executing commands on a remote machine. 84It is intended to replace 85rlogin and rsh, and provide secure encrypted communications between 86two untrusted hosts over an insecure network. 87X11 connections and 88arbitrary TCP/IP ports can also be forwarded over the secure channel. 89.Pp 90.Nm 91connects and logs into the specified 92.Ar hostname . 93The user must prove 94his/her identity to the remote machine using one of several methods 95depending on the protocol version used: 96.Pp 97.Ss SSH protocol version 1 98.Pp 99First, if the machine the user logs in from is listed in 100.Pa /etc/hosts.equiv 101or 102.Pa /etc/shosts.equiv 103on the remote machine, and the user names are 104the same on both sides, the user is immediately permitted to log in. 105Second, if 106.Pa \&.rhosts 107or 108.Pa \&.shosts 109exists in the user's home directory on the 110remote machine and contains a line containing the name of the client 111machine and the name of the user on that machine, the user is 112permitted to log in. 113This form of authentication alone is normally not 114allowed by the server because it is not secure. 115.Pp 116The second authentication method is the 117.Pa rhosts 118or 119.Pa hosts.equiv 120method combined with RSA-based host authentication. 121It means that if the login would be permitted by 122.Pa $HOME/.rhosts , 123.Pa $HOME/.shosts , 124.Pa /etc/hosts.equiv , 125or 126.Pa /etc/shosts.equiv , 127and if additionally the server can verify the client's 128host key (see 129.Pa /etc/ssh/ssh_known_hosts 130and 131.Pa $HOME/.ssh/known_hosts 132in the 133.Sx FILES 134section), only then login is permitted. 135This authentication method closes security holes due to IP 136spoofing, DNS spoofing and routing spoofing. 137[Note to the administrator: 138.Pa /etc/hosts.equiv , 139.Pa $HOME/.rhosts , 140and the rlogin/rsh protocol in general, are inherently insecure and should be 141disabled if security is desired.] 142.Pp 143As a third authentication method, 144.Nm 145supports RSA based authentication. 146The scheme is based on public-key cryptography: there are cryptosystems 147where encryption and decryption are done using separate keys, and it 148is not possible to derive the decryption key from the encryption key. 149RSA is one such system. 150The idea is that each user creates a public/private 151key pair for authentication purposes. 152The server knows the public key, and only the user knows the private key. 153The file 154.Pa $HOME/.ssh/authorized_keys 155lists the public keys that are permitted for logging 156in. 157When the user logs in, the 158.Nm 159program tells the server which key pair it would like to use for 160authentication. 161The server checks if this key is permitted, and if 162so, sends the user (actually the 163.Nm 164program running on behalf of the user) a challenge, a random number, 165encrypted by the user's public key. 166The challenge can only be 167decrypted using the proper private key. 168The user's client then decrypts the 169challenge using the private key, proving that he/she knows the private 170key but without disclosing it to the server. 171.Pp 172.Nm 173implements the RSA authentication protocol automatically. 174The user creates his/her RSA key pair by running 175.Xr ssh-keygen 1 . 176This stores the private key in 177.Pa $HOME/.ssh/identity 178and the public key in 179.Pa $HOME/.ssh/identity.pub 180in the user's home directory. 181The user should then copy the 182.Pa identity.pub 183to 184.Pa $HOME/.ssh/authorized_keys 185in his/her home directory on the remote machine (the 186.Pa authorized_keys 187file corresponds to the conventional 188.Pa $HOME/.rhosts 189file, and has one key 190per line, though the lines can be very long). 191After this, the user can log in without giving the password. 192RSA authentication is much 193more secure than rhosts authentication. 194.Pp 195The most convenient way to use RSA authentication may be with an 196authentication agent. 197See 198.Xr ssh-agent 1 199for more information. 200.Pp 201If other authentication methods fail, 202.Nm 203prompts the user for a password. 204The password is sent to the remote 205host for checking; however, since all communications are encrypted, 206the password cannot be seen by someone listening on the network. 207.Pp 208.Ss SSH protocol version 2 209.Pp 210When a user connects using protocol version 2 211similar authentication methods are available. 212Using the default values for 213.Cm PreferredAuthentications , 214the client will try to authenticate first using the hostbased method; 215if this method fails public key authentication is attempted, 216and finally if this method fails keyboard-interactive and 217password authentication are tried. 218.Pp 219The public key method is similar to RSA authentication described 220in the previous section and allows the RSA or DSA algorithm to be used: 221The client uses his private key, 222.Pa $HOME/.ssh/id_dsa 223or 224.Pa $HOME/.ssh/id_rsa , 225to sign the session identifier and sends the result to the server. 226The server checks whether the matching public key is listed in 227.Pa $HOME/.ssh/authorized_keys 228and grants access if both the key is found and the signature is correct. 229The session identifier is derived from a shared Diffie-Hellman value 230and is only known to the client and the server. 231.Pp 232If public key authentication fails or is not available a password 233can be sent encrypted to the remote host for proving the user's identity. 234.Pp 235Additionally, 236.Nm 237supports hostbased or challenge response authentication. 238.Pp 239Protocol 2 provides additional mechanisms for confidentiality 240(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) 241and integrity (hmac-md5, hmac-sha1). 242Note that protocol 1 lacks a strong mechanism for ensuring the 243integrity of the connection. 244.Pp 245.Ss Login session and remote execution 246.Pp 247When the user's identity has been accepted by the server, the server 248either executes the given command, or logs into the machine and gives 249the user a normal shell on the remote machine. 250All communication with 251the remote command or shell will be automatically encrypted. 252.Pp 253If a pseudo-terminal has been allocated (normal login session), the 254user may use the escape characters noted below. 255.Pp 256If no pseudo tty has been allocated, the 257session is transparent and can be used to reliably transfer binary 258data. 259On most systems, setting the escape character to 260.Dq none 261will also make the session transparent even if a tty is used. 262.Pp 263The session terminates when the command or shell on the remote 264machine exits and all X11 and TCP/IP connections have been closed. 265The exit status of the remote program is returned as the exit status 266of 267.Nm ssh . 268.Pp 269.Ss Escape Characters 270.Pp 271When a pseudo terminal has been requested, ssh supports a number of functions 272through the use of an escape character. 273.Pp 274A single tilde character can be sent as 275.Ic ~~ 276or by following the tilde by a character other than those described below. 277The escape character must always follow a newline to be interpreted as 278special. 279The escape character can be changed in configuration files using the 280.Cm EscapeChar 281configuration directive or on the command line by the 282.Fl e 283option. 284.Pp 285The supported escapes (assuming the default 286.Ql ~ ) 287are: 288.Bl -tag -width Ds 289.It Cm ~. 290Disconnect 291.It Cm ~^Z 292Background ssh 293.It Cm ~# 294List forwarded connections 295.It Cm ~& 296Background ssh at logout when waiting for forwarded connection / X11 sessions 297to terminate 298.It Cm ~? 299Display a list of escape characters 300.It Cm ~R 301Request rekeying of the connection (only useful for SSH protocol version 2 302and if the peer supports it) 303.El 304.Pp 305.Ss X11 and TCP forwarding 306.Pp 307If the 308.Cm ForwardX11 309variable is set to 310.Dq yes 311(or, see the description of the 312.Fl X 313and 314.Fl x 315options described later) 316and the user is using X11 (the 317.Ev DISPLAY 318environment variable is set), the connection to the X11 display is 319automatically forwarded to the remote side in such a way that any X11 320programs started from the shell (or command) will go through the 321encrypted channel, and the connection to the real X server will be made 322from the local machine. 323The user should not manually set 324.Ev DISPLAY . 325Forwarding of X11 connections can be 326configured on the command line or in configuration files. 327.Pp 328The 329.Ev DISPLAY 330value set by 331.Nm 332will point to the server machine, but with a display number greater 333than zero. 334This is normal, and happens because 335.Nm 336creates a 337.Dq proxy 338X server on the server machine for forwarding the 339connections over the encrypted channel. 340.Pp 341.Nm 342will also automatically set up Xauthority data on the server machine. 343For this purpose, it will generate a random authorization cookie, 344store it in Xauthority on the server, and verify that any forwarded 345connections carry this cookie and replace it by the real cookie when 346the connection is opened. 347The real authentication cookie is never 348sent to the server machine (and no cookies are sent in the plain). 349.Pp 350If the user is using an authentication agent, the connection to the agent 351is automatically forwarded to the remote side unless disabled on 352the command line or in a configuration file. 353.Pp 354Forwarding of arbitrary TCP/IP connections over the secure channel can 355be specified either on the command line or in a configuration file. 356One possible application of TCP/IP forwarding is a secure connection to an 357electronic purse; another is going through firewalls. 358.Pp 359.Ss Server authentication 360.Pp 361.Nm 362automatically maintains and checks a database containing 363identifications for all hosts it has ever been used with. 364Host keys are stored in 365.Pa $HOME/.ssh/known_hosts 366in the user's home directory. 367Additionally, the file 368.Pa /etc/ssh/ssh_known_hosts 369is automatically checked for known hosts. 370Any new hosts are automatically added to the user's file. 371If a host's identification 372ever changes, 373.Nm 374warns about this and disables password authentication to prevent a 375trojan horse from getting the user's password. 376Another purpose of 377this mechanism is to prevent man-in-the-middle attacks which could 378otherwise be used to circumvent the encryption. 379The 380.Cm StrictHostKeyChecking 381option (see below) can be used to prevent logins to machines whose 382host key is not known or has changed. 383.Pp 384The options are as follows: 385.Bl -tag -width Ds 386.It Fl a 387Disables forwarding of the authentication agent connection. 388.It Fl A 389Enables forwarding of the authentication agent connection. 390This can also be specified on a per-host basis in a configuration file. 391.It Fl b Ar bind_address 392Specify the interface to transmit from on machines with multiple 393interfaces or aliased addresses. 394.It Fl c Ar blowfish|3des|des 395Selects the cipher to use for encrypting the session. 396.Ar 3des 397is used by default. 398It is believed to be secure. 399.Ar 3des 400(triple-des) is an encrypt-decrypt-encrypt triple with three different keys. 401.Ar blowfish 402is a fast block cipher, it appears very secure and is much faster than 403.Ar 3des . 404.Ar des 405is only supported in the 406.Nm 407client for interoperability with legacy protocol 1 implementations 408that do not support the 409.Ar 3des 410cipher. Its use is strongly discouraged due to cryptographic 411weaknesses. 412.It Fl c Ar cipher_spec 413Additionally, for protocol version 2 a comma-separated list of ciphers can 414be specified in order of preference. 415See 416.Cm Ciphers 417for more information. 418.It Fl e Ar ch|^ch|none 419Sets the escape character for sessions with a pty (default: 420.Ql ~ ) . 421The escape character is only recognized at the beginning of a line. 422The escape character followed by a dot 423.Pq Ql \&. 424closes the connection, followed 425by control-Z suspends the connection, and followed by itself sends the 426escape character once. 427Setting the character to 428.Dq none 429disables any escapes and makes the session fully transparent. 430.It Fl f 431Requests 432.Nm 433to go to background just before command execution. 434This is useful if 435.Nm 436is going to ask for passwords or passphrases, but the user 437wants it in the background. 438This implies 439.Fl n . 440The recommended way to start X11 programs at a remote site is with 441something like 442.Ic ssh -f host xterm . 443.It Fl g 444Allows remote hosts to connect to local forwarded ports. 445.It Fl i Ar identity_file 446Selects a file from which the identity (private key) for 447RSA or DSA authentication is read. 448The default is 449.Pa $HOME/.ssh/identity 450for protocol version 1, and 451.Pa $HOME/.ssh/id_rsa 452and 453.Pa $HOME/.ssh/id_dsa 454for protocol version 2. 455Identity files may also be specified on 456a per-host basis in the configuration file. 457It is possible to have multiple 458.Fl i 459options (and multiple identities specified in 460configuration files). 461.It Fl I Ar smartcard_device 462Specifies which smartcard device to use. The argument is 463the device 464.Nm 465should use to communicate with a smartcard used for storing the user's 466private RSA key. 467.It Fl k 468Disables forwarding of Kerberos tickets and AFS tokens. 469This may also be specified on a per-host basis in the configuration file. 470.It Fl l Ar login_name 471Specifies the user to log in as on the remote machine. 472This also may be specified on a per-host basis in the configuration file. 473.It Fl m Ar mac_spec 474Additionally, for protocol version 2 a comma-separated list of MAC 475(message authentication code) algorithms can 476be specified in order of preference. 477See the 478.Cm MACs 479keyword for more information. 480.It Fl n 481Redirects stdin from 482.Pa /dev/null 483(actually, prevents reading from stdin). 484This must be used when 485.Nm 486is run in the background. 487A common trick is to use this to run X11 programs on a remote machine. 488For example, 489.Ic ssh -n shadows.cs.hut.fi emacs & 490will start an emacs on shadows.cs.hut.fi, and the X11 491connection will be automatically forwarded over an encrypted channel. 492The 493.Nm 494program will be put in the background. 495(This does not work if 496.Nm 497needs to ask for a password or passphrase; see also the 498.Fl f 499option.) 500.It Fl N 501Do not execute a remote command. 502This is useful for just forwarding ports 503(protocol version 2 only). 504.It Fl o Ar option 505Can be used to give options in the format used in the configuration file. 506This is useful for specifying options for which there is no separate 507command-line flag. 508.It Fl p Ar port 509Port to connect to on the remote host. 510This can be specified on a 511per-host basis in the configuration file. 512.It Fl P 513Use a non-privileged port for outgoing connections. 514This can be used if a firewall does 515not permit connections from privileged ports. 516Note that this option turns off 517.Cm RhostsAuthentication 518and 519.Cm RhostsRSAAuthentication 520for older servers. 521.It Fl q 522Quiet mode. 523Causes all warning and diagnostic messages to be suppressed. 524Only fatal errors are displayed. 525.It Fl s 526May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use 527of SSH as a secure transport for other applications (eg. sftp). The 528subsystem is specified as the remote command. 529.It Fl t 530Force pseudo-tty allocation. 531This can be used to execute arbitrary 532screen-based programs on a remote machine, which can be very useful, 533e.g., when implementing menu services. 534Multiple 535.Fl t 536options force tty allocation, even if 537.Nm 538has no local tty. 539.It Fl T 540Disable pseudo-tty allocation. 541.It Fl v 542Verbose mode. 543Causes 544.Nm 545to print debugging messages about its progress. 546This is helpful in 547debugging connection, authentication, and configuration problems. 548Multiple 549.Fl v 550options increases the verbosity. 551Maximum is 3. 552.It Fl x 553Disables X11 forwarding. 554.It Fl X 555Enables X11 forwarding. 556This can also be specified on a per-host basis in a configuration file. 557.It Fl C 558Requests compression of all data (including stdin, stdout, stderr, and 559data for forwarded X11 and TCP/IP connections). 560The compression algorithm is the same used by 561.Xr gzip 1 , 562and the 563.Dq level 564can be controlled by the 565.Cm CompressionLevel 566option (see below). 567Compression is desirable on modem lines and other 568slow connections, but will only slow down things on fast networks. 569The default value can be set on a host-by-host basis in the 570configuration files; see the 571.Cm Compression 572option below. 573.It Fl F Ar configfile 574Specifies an alternative per-user configuration file. 575If a configuration file is given on the command line, 576the system-wide configuration file 577.Pq Pa /etc/ssh/ssh_config 578will be ignored. 579The default for the per-user configuration file is 580.Pa $HOME/.ssh/config . 581.It Fl L Ar port:host:hostport 582Specifies that the given port on the local (client) host is to be 583forwarded to the given host and port on the remote side. 584This works by allocating a socket to listen to 585.Ar port 586on the local side, and whenever a connection is made to this port, the 587connection is forwarded over the secure channel, and a connection is 588made to 589.Ar host 590port 591.Ar hostport 592from the remote machine. 593Port forwardings can also be specified in the configuration file. 594Only root can forward privileged ports. 595IPv6 addresses can be specified with an alternative syntax: 596.Ar port/host/hostport 597.It Fl R Ar port:host:hostport 598Specifies that the given port on the remote (server) host is to be 599forwarded to the given host and port on the local side. 600This works by allocating a socket to listen to 601.Ar port 602on the remote side, and whenever a connection is made to this port, the 603connection is forwarded over the secure channel, and a connection is 604made to 605.Ar host 606port 607.Ar hostport 608from the local machine. 609Port forwardings can also be specified in the configuration file. 610Privileged ports can be forwarded only when 611logging in as root on the remote machine. 612IPv6 addresses can be specified with an alternative syntax: 613.Ar port/host/hostport 614.It Fl D Ar port 615Specifies a local 616.Dq dynamic 617application-level port forwarding. 618This works by allocating a socket to listen to 619.Ar port 620on the local side, and whenever a connection is made to this port, the 621connection is forwarded over the secure channel, and the application 622protocol is then used to determine where to connect to from the 623remote machine. Currently the SOCKS4 protocol is supported, and 624.Nm 625will act as a SOCKS4 server. 626Only root can forward privileged ports. 627Dynamic port forwardings can also be specified in the configuration file. 628.It Fl 1 629Forces 630.Nm 631to try protocol version 1 only. 632.It Fl 2 633Forces 634.Nm 635to try protocol version 2 only. 636.It Fl 4 637Forces 638.Nm 639to use IPv4 addresses only. 640.It Fl 6 641Forces 642.Nm 643to use IPv6 addresses only. 644.El 645.Sh CONFIGURATION FILES 646.Nm 647obtains configuration data from the following sources in 648the following order: 649command line options, user's configuration file 650.Pq Pa $HOME/.ssh/config , 651and system-wide configuration file 652.Pq Pa /etc/ssh/ssh_config . 653For each parameter, the first obtained value 654will be used. 655The configuration files contain sections bracketed by 656.Dq Host 657specifications, and that section is only applied for hosts that 658match one of the patterns given in the specification. 659The matched host name is the one given on the command line. 660.Pp 661Since the first obtained value for each parameter is used, more 662host-specific declarations should be given near the beginning of the 663file, and general defaults at the end. 664.Pp 665The configuration file has the following format: 666.Pp 667Empty lines and lines starting with 668.Ql # 669are comments. 670.Pp 671Otherwise a line is of the format 672.Dq keyword arguments . 673Configuration options may be separated by whitespace or 674optional whitespace and exactly one 675.Ql = ; 676the latter format is useful to avoid the need to quote whitespace 677when specifying configuration options using the 678.Nm ssh , 679.Nm scp 680and 681.Nm sftp 682.Fl o 683option. 684.Pp 685The possible 686keywords and their meanings are as follows (note that 687keywords are case-insensitive and arguments are case-sensitive): 688.Bl -tag -width Ds 689.It Cm Host 690Restricts the following declarations (up to the next 691.Cm Host 692keyword) to be only for those hosts that match one of the patterns 693given after the keyword. 694.Ql \&* 695and 696.Ql ? 697can be used as wildcards in the 698patterns. 699A single 700.Ql \&* 701as a pattern can be used to provide global 702defaults for all hosts. 703The host is the 704.Ar hostname 705argument given on the command line (i.e., the name is not converted to 706a canonicalized host name before matching). 707.It Cm AFSTokenPassing 708Specifies whether to pass AFS tokens to remote host. 709The argument to this keyword must be 710.Dq yes 711or 712.Dq no . 713This option applies to protocol version 1 only. 714.It Cm BatchMode 715If set to 716.Dq yes , 717passphrase/password querying will be disabled. 718This option is useful in scripts and other batch jobs where no user 719is present to supply the password. 720The argument must be 721.Dq yes 722or 723.Dq no . 724The default is 725.Dq no . 726.It Cm BindAddress 727Specify the interface to transmit from on machines with multiple 728interfaces or aliased addresses. 729Note that this option does not work if 730.Cm UsePrivilegedPort 731is set to 732.Dq yes . 733.It Cm CheckHostIP 734If this flag is set to 735.Dq yes , 736ssh will additionally check the host IP address in the 737.Pa known_hosts 738file. 739This allows ssh to detect if a host key changed due to DNS spoofing. 740If the option is set to 741.Dq no , 742the check will not be executed. 743The default is 744.Dq yes . 745.It Cm Cipher 746Specifies the cipher to use for encrypting the session 747in protocol version 1. 748Currently, 749.Dq blowfish , 750.Dq 3des , 751and 752.Dq des 753are supported. 754.Ar des 755is only supported in the 756.Nm 757client for interoperability with legacy protocol 1 implementations 758that do not support the 759.Ar 3des 760cipher. Its use is strongly discouraged due to cryptographic 761weaknesses. 762The default is 763.Dq 3des . 764.It Cm Ciphers 765Specifies the ciphers allowed for protocol version 2 766in order of preference. 767Multiple ciphers must be comma-separated. 768The default is 769.Pp 770.Bd -literal 771 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, 772 aes192-cbc,aes256-cbc'' 773.Ed 774.It Cm ClearAllForwardings 775Specifies that all local, remote and dynamic port forwardings 776specified in the configuration files or on the command line be 777cleared. This option is primarily useful when used from the 778.Nm 779command line to clear port forwardings set in 780configuration files, and is automatically set by 781.Xr scp 1 782and 783.Xr sftp 1 . 784The argument must be 785.Dq yes 786or 787.Dq no . 788The default is 789.Dq no . 790.It Cm Compression 791Specifies whether to use compression. 792The argument must be 793.Dq yes 794or 795.Dq no . 796The default is 797.Dq no . 798.It Cm CompressionLevel 799Specifies the compression level to use if compression is enabled. 800The argument must be an integer from 1 (fast) to 9 (slow, best). 801The default level is 6, which is good for most applications. 802The meaning of the values is the same as in 803.Xr gzip 1 . 804Note that this option applies to protocol version 1 only. 805.It Cm ConnectionAttempts 806Specifies the number of tries (one per second) to make before falling 807back to rsh or exiting. 808The argument must be an integer. 809This may be useful in scripts if the connection sometimes fails. 810The default is 1. 811.It Cm DynamicForward 812Specifies that a TCP/IP port on the local machine be forwarded 813over the secure channel, and the application 814protocol is then used to determine where to connect to from the 815remote machine. The argument must be a port number. 816Currently the SOCKS4 protocol is supported, and 817.Nm 818will act as a SOCKS4 server. 819Multiple forwardings may be specified, and 820additional forwardings can be given on the command line. Only 821the superuser can forward privileged ports. 822.It Cm EscapeChar 823Sets the escape character (default: 824.Ql ~ ) . 825The escape character can also 826be set on the command line. 827The argument should be a single character, 828.Ql ^ 829followed by a letter, or 830.Dq none 831to disable the escape 832character entirely (making the connection transparent for binary 833data). 834.It Cm FallBackToRsh 835Specifies that if connecting via 836.Nm 837fails due to a connection refused error (there is no 838.Xr sshd 8 839listening on the remote host), 840.Xr rsh 1 841should automatically be used instead (after a suitable warning about 842the session being unencrypted). 843The argument must be 844.Dq yes 845or 846.Dq no . 847The default is 848.Dq no . 849.It Cm ForwardAgent 850Specifies whether the connection to the authentication agent (if any) 851will be forwarded to the remote machine. 852The argument must be 853.Dq yes 854or 855.Dq no . 856The default is 857.Dq no . 858.It Cm ForwardX11 859Specifies whether X11 connections will be automatically redirected 860over the secure channel and 861.Ev DISPLAY 862set. 863The argument must be 864.Dq yes 865or 866.Dq no . 867The default is 868.Dq no . 869.It Cm GatewayPorts 870Specifies whether remote hosts are allowed to connect to local 871forwarded ports. 872By default, 873.Nm 874binds local port forwardings to the loopback addresss. This 875prevents other remote hosts from connecting to forwarded ports. 876.Cm GatewayPorts 877can be used to specify that 878.Nm 879should bind local port forwardings to the wildcard address, 880thus allowing remote hosts to connect to forwarded ports. 881The argument must be 882.Dq yes 883or 884.Dq no . 885The default is 886.Dq no . 887.It Cm GlobalKnownHostsFile 888Specifies a file to use for the global 889host key database instead of 890.Pa /etc/ssh/ssh_known_hosts . 891.It Cm HostbasedAuthentication 892Specifies whether to try rhosts based authentication with public key 893authentication. 894The argument must be 895.Dq yes 896or 897.Dq no . 898The default is 899.Dq no . 900This option applies to protocol version 2 only and 901is similar to 902.Cm RhostsRSAAuthentication . 903.It Cm HostKeyAlgorithms 904Specifies the protocol version 2 host key algorithms 905that the client wants to use in order of preference. 906The default for this option is: 907.Dq ssh-rsa,ssh-dss . 908.It Cm HostKeyAlias 909Specifies an alias that should be used instead of the 910real host name when looking up or saving the host key 911in the host key database files. 912This option is useful for tunneling ssh connections 913or for multiple servers running on a single host. 914.It Cm HostName 915Specifies the real host name to log into. 916This can be used to specify nicknames or abbreviations for hosts. 917Default is the name given on the command line. 918Numeric IP addresses are also permitted (both on the command line and in 919.Cm HostName 920specifications). 921.It Cm IdentityFile 922Specifies a file from which the user's RSA or DSA authentication identity 923is read. The default is 924.Pa $HOME/.ssh/identity 925for protocol version 1, and 926.Pa $HOME/.ssh/id_rsa 927and 928.Pa $HOME/.ssh/id_dsa 929for protocol version 2. 930Additionally, any identities represented by the authentication agent 931will be used for authentication. 932The file name may use the tilde 933syntax to refer to a user's home directory. 934It is possible to have 935multiple identity files specified in configuration files; all these 936identities will be tried in sequence. 937.It Cm KeepAlive 938Specifies whether the system should send TCP keepalive messages to the 939other side. 940If they are sent, death of the connection or crash of one 941of the machines will be properly noticed. 942However, this means that 943connections will die if the route is down temporarily, and some people 944find it annoying. 945.Pp 946The default is 947.Dq yes 948(to send keepalives), and the client will notice 949if the network goes down or the remote host dies. 950This is important in scripts, and many users want it too. 951.Pp 952To disable keepalives, the value should be set to 953.Dq no . 954.It Cm KerberosAuthentication 955Specifies whether Kerberos authentication will be used. 956The argument to this keyword must be 957.Dq yes 958or 959.Dq no . 960.It Cm KerberosTgtPassing 961Specifies whether a Kerberos TGT will be forwarded to the server. 962This will only work if the Kerberos server is actually an AFS kaserver. 963The argument to this keyword must be 964.Dq yes 965or 966.Dq no . 967.It Cm LocalForward 968Specifies that a TCP/IP port on the local machine be forwarded over 969the secure channel to the specified host and port from the remote machine. 970The first argument must be a port number, and the second must be 971.Ar host:port . 972IPv6 addresses can be specified with an alternative syntax: 973.Ar host/port . 974Multiple forwardings may be specified, and additional 975forwardings can be given on the command line. 976Only the superuser can forward privileged ports. 977.It Cm LogLevel 978Gives the verbosity level that is used when logging messages from 979.Nm ssh . 980The possible values are: 981QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. 982The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 983and DEBUG3 each specify higher levels of verbose output. 984.It Cm MACs 985Specifies the MAC (message authentication code) algorithms 986in order of preference. 987The MAC algorithm is used in protocol version 2 988for data integrity protection. 989Multiple algorithms must be comma-separated. 990The default is 991.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . 992.It Cm NoHostAuthenticationForLocalhost 993This option can be used if the home directory is shared across machines. 994In this case localhost will refer to a different machine on each of 995the machines and the user will get many warnings about changed host keys. 996However, this option disables host authentication for localhost. 997The argument to this keyword must be 998.Dq yes 999or 1000.Dq no . 1001The default is to check the host key for localhost. 1002.It Cm NumberOfPasswordPrompts 1003Specifies the number of password prompts before giving up. 1004The argument to this keyword must be an integer. 1005Default is 3. 1006.It Cm PasswordAuthentication 1007Specifies whether to use password authentication. 1008The argument to this keyword must be 1009.Dq yes 1010or 1011.Dq no . 1012The default is 1013.Dq yes . 1014.It Cm Port 1015Specifies the port number to connect on the remote host. 1016Default is 22. 1017.It Cm PreferredAuthentications 1018Specifies the order in which the client should try protocol 2 1019authentication methods. This allows a client to prefer one method (e.g. 1020.Cm keyboard-interactive ) 1021over another method (e.g. 1022.Cm password ) 1023The default for this option is: 1024.Dq hostbased,publickey,keyboard-interactive,password . 1025.It Cm Protocol 1026Specifies the protocol versions 1027.Nm 1028should support in order of preference. 1029The possible values are 1030.Dq 1 1031and 1032.Dq 2 . 1033Multiple versions must be comma-separated. 1034The default is 1035.Dq 2,1 . 1036This means that 1037.Nm 1038tries version 2 and falls back to version 1 1039if version 2 is not available. 1040.It Cm ProxyCommand 1041Specifies the command to use to connect to the server. 1042The command 1043string extends to the end of the line, and is executed with 1044.Pa /bin/sh . 1045In the command string, 1046.Ql %h 1047will be substituted by the host name to 1048connect and 1049.Ql %p 1050by the port. 1051The command can be basically anything, 1052and should read from its standard input and write to its standard output. 1053It should eventually connect an 1054.Xr sshd 8 1055server running on some machine, or execute 1056.Ic sshd -i 1057somewhere. 1058Host key management will be done using the 1059HostName of the host being connected (defaulting to the name typed by 1060the user). 1061Note that 1062.Cm CheckHostIP 1063is not available for connects with a proxy command. 1064.Pp 1065.It Cm PubkeyAuthentication 1066Specifies whether to try public key authentication. 1067The argument to this keyword must be 1068.Dq yes 1069or 1070.Dq no . 1071The default is 1072.Dq yes . 1073This option applies to protocol version 2 only. 1074.It Cm RemoteForward 1075Specifies that a TCP/IP port on the remote machine be forwarded over 1076the secure channel to the specified host and port from the local machine. 1077The first argument must be a port number, and the second must be 1078.Ar host:port . 1079IPv6 addresses can be specified with an alternative syntax: 1080.Ar host/port . 1081Multiple forwardings may be specified, and additional 1082forwardings can be given on the command line. 1083Only the superuser can forward privileged ports. 1084.It Cm RhostsAuthentication 1085Specifies whether to try rhosts based authentication. 1086Note that this 1087declaration only affects the client side and has no effect whatsoever 1088on security. 1089Disabling rhosts authentication may reduce 1090authentication time on slow connections when rhosts authentication is 1091not used. 1092Most servers do not permit RhostsAuthentication because it 1093is not secure (see 1094.Cm RhostsRSAAuthentication ) . 1095The argument to this keyword must be 1096.Dq yes 1097or 1098.Dq no . 1099The default is 1100.Dq yes . 1101This option applies to protocol version 1 only. 1102.It Cm RhostsRSAAuthentication 1103Specifies whether to try rhosts based authentication with RSA host 1104authentication. 1105The argument must be 1106.Dq yes 1107or 1108.Dq no . 1109The default is 1110.Dq yes . 1111This option applies to protocol version 1 only. 1112.It Cm RSAAuthentication 1113Specifies whether to try RSA authentication. 1114The argument to this keyword must be 1115.Dq yes 1116or 1117.Dq no . 1118RSA authentication will only be 1119attempted if the identity file exists, or an authentication agent is 1120running. 1121The default is 1122.Dq yes . 1123Note that this option applies to protocol version 1 only. 1124.It Cm ChallengeResponseAuthentication 1125Specifies whether to use challenge response authentication. 1126The argument to this keyword must be 1127.Dq yes 1128or 1129.Dq no . 1130The default is 1131.Dq yes . 1132.It Cm SmartcardDevice 1133Specifies which smartcard device to use. The argument to this keyword is 1134the device 1135.Nm 1136should use to communicate with a smartcard used for storing the user's 1137private RSA key. By default, no device is specified and smartcard support 1138is not activated. 1139.It Cm StrictHostKeyChecking 1140If this flag is set to 1141.Dq yes , 1142.Nm 1143will never automatically add host keys to the 1144.Pa $HOME/.ssh/known_hosts 1145file, and refuses to connect to hosts whose host key has changed. 1146This provides maximum protection against trojan horse attacks, 1147however, can be annoying when the 1148.Pa /etc/ssh/ssh_known_hosts 1149file is poorly maintained, or connections to new hosts are 1150frequently made. 1151This option forces the user to manually 1152add all new hosts. 1153If this flag is set to 1154.Dq no , 1155.Nm 1156will automatically add new host keys to the 1157user known hosts files. 1158If this flag is set to 1159.Dq ask , 1160new host keys 1161will be added to the user known host files only after the user 1162has confirmed that is what they really want to do, and 1163.Nm 1164will refuse to connect to hosts whose host key has changed. 1165The host keys of 1166known hosts will be verified automatically in all cases. 1167The argument must be 1168.Dq yes , 1169.Dq no 1170or 1171.Dq ask . 1172The default is 1173.Dq ask . 1174.It Cm UsePrivilegedPort 1175Specifies whether to use a privileged port for outgoing connections. 1176The argument must be 1177.Dq yes 1178or 1179.Dq no . 1180The default is 1181.Dq no . 1182Note that this option must be set to 1183.Dq yes 1184if 1185.Cm RhostsAuthentication 1186and 1187.Cm RhostsRSAAuthentication 1188authentications are needed with older servers. 1189.It Cm User 1190Specifies the user to log in as. 1191This can be useful when a different user name is used on different machines. 1192This saves the trouble of 1193having to remember to give the user name on the command line. 1194.It Cm UserKnownHostsFile 1195Specifies a file to use for the user 1196host key database instead of 1197.Pa $HOME/.ssh/known_hosts . 1198.It Cm UseRsh 1199Specifies that rlogin/rsh should be used for this host. 1200It is possible that the host does not at all support the 1201.Nm 1202protocol. 1203This causes 1204.Nm 1205to immediately execute 1206.Xr rsh 1 . 1207All other options (except 1208.Cm HostName ) 1209are ignored if this has been specified. 1210The argument must be 1211.Dq yes 1212or 1213.Dq no . 1214.It Cm XAuthLocation 1215Specifies the location of the 1216.Xr xauth 1 1217program. 1218The default is 1219.Pa /usr/X11R6/bin/xauth . 1220.El 1221.Sh ENVIRONMENT 1222.Nm 1223will normally set the following environment variables: 1224.Bl -tag -width Ds 1225.It Ev DISPLAY 1226The 1227.Ev DISPLAY 1228variable indicates the location of the X11 server. 1229It is automatically set by 1230.Nm 1231to point to a value of the form 1232.Dq hostname:n 1233where hostname indicates 1234the host where the shell runs, and n is an integer >= 1. 1235.Nm 1236uses this special value to forward X11 connections over the secure 1237channel. 1238The user should normally not set 1239.Ev DISPLAY 1240explicitly, as that 1241will render the X11 connection insecure (and will require the user to 1242manually copy any required authorization cookies). 1243.It Ev HOME 1244Set to the path of the user's home directory. 1245.It Ev LOGNAME 1246Synonym for 1247.Ev USER ; 1248set for compatibility with systems that use this variable. 1249.It Ev MAIL 1250Set to the path of the user's mailbox. 1251.It Ev PATH 1252Set to the default 1253.Ev PATH , 1254as specified when compiling 1255.Nm ssh . 1256.It Ev SSH_ASKPASS 1257If 1258.Nm 1259needs a passphrase, it will read the passphrase from the current 1260terminal if it was run from a terminal. 1261If 1262.Nm 1263does not have a terminal associated with it but 1264.Ev DISPLAY 1265and 1266.Ev SSH_ASKPASS 1267are set, it will execute the program specified by 1268.Ev SSH_ASKPASS 1269and open an X11 window to read the passphrase. 1270This is particularly useful when calling 1271.Nm 1272from a 1273.Pa .Xsession 1274or related script. 1275(Note that on some machines it 1276may be necessary to redirect the input from 1277.Pa /dev/null 1278to make this work.) 1279.It Ev SSH_AUTH_SOCK 1280Identifies the path of a unix-domain socket used to communicate with the 1281agent. 1282.It Ev SSH_CLIENT 1283Identifies the client end of the connection. 1284The variable contains 1285three space-separated values: client ip-address, client port number, 1286and server port number. 1287.It Ev SSH_ORIGINAL_COMMAND 1288The variable contains the original command line if a forced command 1289is executed. 1290It can be used to extract the original arguments. 1291.It Ev SSH_TTY 1292This is set to the name of the tty (path to the device) associated 1293with the current shell or command. 1294If the current session has no tty, 1295this variable is not set. 1296.It Ev TZ 1297The timezone variable is set to indicate the present timezone if it 1298was set when the daemon was started (i.e., the daemon passes the value 1299on to new connections). 1300.It Ev USER 1301Set to the name of the user logging in. 1302.El 1303.Pp 1304Additionally, 1305.Nm 1306reads 1307.Pa $HOME/.ssh/environment , 1308and adds lines of the format 1309.Dq VARNAME=value 1310to the environment. 1311.Sh FILES 1312.Bl -tag -width Ds 1313.It Pa $HOME/.ssh/known_hosts 1314Records host keys for all hosts the user has logged into that are not 1315in 1316.Pa /etc/ssh/ssh_known_hosts . 1317See 1318.Xr sshd 8 . 1319.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa 1320Contains the authentication identity of the user. 1321They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. 1322These files 1323contain sensitive data and should be readable by the user but not 1324accessible by others (read/write/execute). 1325Note that 1326.Nm 1327ignores a private key file if it is accessible by others. 1328It is possible to specify a passphrase when 1329generating the key; the passphrase will be used to encrypt the 1330sensitive part of this file using 3DES. 1331.It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub 1332Contains the public key for authentication (public part of the 1333identity file in human-readable form). 1334The contents of the 1335.Pa $HOME/.ssh/identity.pub 1336file should be added to 1337.Pa $HOME/.ssh/authorized_keys 1338on all machines 1339where the user wishes to log in using protocol version 1 RSA authentication. 1340The contents of the 1341.Pa $HOME/.ssh/id_dsa.pub 1342and 1343.Pa $HOME/.ssh/id_rsa.pub 1344file should be added to 1345.Pa $HOME/.ssh/authorized_keys 1346on all machines 1347where the user wishes to log in using protocol version 2 DSA/RSA authentication. 1348These files are not 1349sensitive and can (but need not) be readable by anyone. 1350These files are 1351never used automatically and are not necessary; they are only provided for 1352the convenience of the user. 1353.It Pa $HOME/.ssh/config 1354This is the per-user configuration file. 1355The format of this file is described above. 1356This file is used by the 1357.Nm 1358client. 1359This file does not usually contain any sensitive information, 1360but the recommended permissions are read/write for the user, and not 1361accessible by others. 1362.It Pa $HOME/.ssh/authorized_keys 1363Lists the public keys (RSA/DSA) that can be used for logging in as this user. 1364The format of this file is described in the 1365.Xr sshd 8 1366manual page. 1367In the simplest form the format is the same as the .pub 1368identity files. 1369This file is not highly sensitive, but the recommended 1370permissions are read/write for the user, and not accessible by others. 1371.It Pa /etc/ssh/ssh_known_hosts 1372Systemwide list of known host keys. 1373This file should be prepared by the 1374system administrator to contain the public host keys of all machines in the 1375organization. 1376This file should be world-readable. 1377This file contains 1378public keys, one per line, in the following format (fields separated 1379by spaces): system name, public key and optional comment field. 1380When different names are used 1381for the same machine, all such names should be listed, separated by 1382commas. 1383The format is described on the 1384.Xr sshd 8 1385manual page. 1386.Pp 1387The canonical system name (as returned by name servers) is used by 1388.Xr sshd 8 1389to verify the client host when logging in; other names are needed because 1390.Nm 1391does not convert the user-supplied name to a canonical name before 1392checking the key, because someone with access to the name servers 1393would then be able to fool host authentication. 1394.It Pa /etc/ssh/ssh_config 1395Systemwide configuration file. 1396This file provides defaults for those 1397values that are not specified in the user's configuration file, and 1398for those users who do not have a configuration file. 1399This file must be world-readable. 1400.It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key 1401These three files contain the private parts of the host keys 1402and are used for 1403.Cm RhostsRSAAuthentication 1404and 1405.Cm HostbasedAuthentication . 1406Since they are readable only by root 1407.Nm 1408must be setuid root if these authentication methods are desired. 1409.It Pa $HOME/.rhosts 1410This file is used in 1411.Pa \&.rhosts 1412authentication to list the 1413host/user pairs that are permitted to log in. 1414(Note that this file is 1415also used by rlogin and rsh, which makes using this file insecure.) 1416Each line of the file contains a host name (in the canonical form 1417returned by name servers), and then a user name on that host, 1418separated by a space. 1419On some machines this file may need to be 1420world-readable if the user's home directory is on a NFS partition, 1421because 1422.Xr sshd 8 1423reads it as root. 1424Additionally, this file must be owned by the user, 1425and must not have write permissions for anyone else. 1426The recommended 1427permission for most machines is read/write for the user, and not 1428accessible by others. 1429.Pp 1430Note that by default 1431.Xr sshd 8 1432will be installed so that it requires successful RSA host 1433authentication before permitting \s+2.\s0rhosts authentication. 1434If the server machine does not have the client's host key in 1435.Pa /etc/ssh/ssh_known_hosts , 1436it can be stored in 1437.Pa $HOME/.ssh/known_hosts . 1438The easiest way to do this is to 1439connect back to the client from the server machine using ssh; this 1440will automatically add the host key to 1441.Pa $HOME/.ssh/known_hosts . 1442.It Pa $HOME/.shosts 1443This file is used exactly the same way as 1444.Pa \&.rhosts . 1445The purpose for 1446having this file is to be able to use rhosts authentication with 1447.Nm 1448without permitting login with 1449.Xr rlogin 1 1450or 1451.Xr rsh 1 . 1452.It Pa /etc/hosts.equiv 1453This file is used during 1454.Pa \&.rhosts authentication. 1455It contains 1456canonical hosts names, one per line (the full format is described on 1457the 1458.Xr sshd 8 1459manual page). 1460If the client host is found in this file, login is 1461automatically permitted provided client and server user names are the 1462same. 1463Additionally, successful RSA host authentication is normally 1464required. 1465This file should only be writable by root. 1466.It Pa /etc/shosts.equiv 1467This file is processed exactly as 1468.Pa /etc/hosts.equiv . 1469This file may be useful to permit logins using 1470.Nm 1471but not using rsh/rlogin. 1472.It Pa /etc/ssh/sshrc 1473Commands in this file are executed by 1474.Nm 1475when the user logs in just before the user's shell (or command) is started. 1476See the 1477.Xr sshd 8 1478manual page for more information. 1479.It Pa $HOME/.ssh/rc 1480Commands in this file are executed by 1481.Nm 1482when the user logs in just before the user's shell (or command) is 1483started. 1484See the 1485.Xr sshd 8 1486manual page for more information. 1487.It Pa $HOME/.ssh/environment 1488Contains additional definitions for environment variables, see section 1489.Sx ENVIRONMENT 1490above. 1491.El 1492.Sh DIAGNOSTICS 1493.Nm 1494exits with the exit status of the remote command or with 255 1495if an error occurred. 1496.Sh AUTHORS 1497OpenSSH is a derivative of the original and free 1498ssh 1.2.12 release by Tatu Ylonen. 1499Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 1500Theo de Raadt and Dug Song 1501removed many bugs, re-added newer features and 1502created OpenSSH. 1503Markus Friedl contributed the support for SSH 1504protocol versions 1.5 and 2.0. 1505.Sh SEE ALSO 1506.Xr rlogin 1 , 1507.Xr rsh 1 , 1508.Xr scp 1 , 1509.Xr sftp 1 , 1510.Xr ssh-add 1 , 1511.Xr ssh-agent 1 , 1512.Xr ssh-keygen 1 , 1513.Xr telnet 1 , 1514.Xr sshd 8 1515.Rs 1516.%A T. Ylonen 1517.%A T. Kivinen 1518.%A M. Saarinen 1519.%A T. Rinne 1520.%A S. Lehtinen 1521.%T "SSH Protocol Architecture" 1522.%N draft-ietf-secsh-architecture-09.txt 1523.%D July 2001 1524.%O work in progress material 1525.Re 1526