1.\" -*- nroff -*- 2.\" 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5.\" All rights reserved 6.\" 7.\" As far as I am concerned, the code I have written for this software 8.\" can be used freely for any purpose. Any derived versions of this 9.\" software must be clearly marked as such, and if the derived work is 10.\" incompatible with the protocol description in the RFC file, it must be 11.\" called by a name other than "ssh" or "Secure Shell". 12.\" 13.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 14.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 15.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. 16.\" 17.\" Redistribution and use in source and binary forms, with or without 18.\" modification, are permitted provided that the following conditions 19.\" are met: 20.\" 1. Redistributions of source code must retain the above copyright 21.\" notice, this list of conditions and the following disclaimer. 22.\" 2. Redistributions in binary form must reproduce the above copyright 23.\" notice, this list of conditions and the following disclaimer in the 24.\" documentation and/or other materials provided with the distribution. 25.\" 26.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 27.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 28.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" 37.\" $OpenBSD: ssh.1,v 1.142 2001/12/28 22:37:48 stevesk Exp $ 38.Dd September 25, 1999 39.Dt SSH 1 40.Os 41.Sh NAME 42.Nm ssh 43.Nd OpenSSH SSH client (remote login program) 44.Sh SYNOPSIS 45.Nm ssh 46.Op Fl l Ar login_name 47.Ar hostname | user@hostname 48.Op Ar command 49.Pp 50.Nm ssh 51.Op Fl afgknqstvxACNPTX1246 52.Op Fl b Ar bind_address 53.Op Fl c Ar cipher_spec 54.Op Fl e Ar escape_char 55.Op Fl i Ar identity_file 56.Op Fl l Ar login_name 57.Op Fl m Ar mac_spec 58.Op Fl o Ar option 59.Op Fl p Ar port 60.Op Fl F Ar configfile 61.Oo Fl L Xo 62.Sm off 63.Ar port : 64.Ar host : 65.Ar hostport 66.Sm on 67.Xc 68.Oc 69.Oo Fl R Xo 70.Sm off 71.Ar port : 72.Ar host : 73.Ar hostport 74.Sm on 75.Xc 76.Oc 77.Op Fl D Ar port 78.Ar hostname | user@hostname 79.Op Ar command 80.Sh DESCRIPTION 81.Nm 82(SSH client) is a program for logging into a remote machine and for 83executing commands on a remote machine. 84It is intended to replace 85rlogin and rsh, and provide secure encrypted communications between 86two untrusted hosts over an insecure network. 87X11 connections and 88arbitrary TCP/IP ports can also be forwarded over the secure channel. 89.Pp 90.Nm 91connects and logs into the specified 92.Ar hostname . 93The user must prove 94his/her identity to the remote machine using one of several methods 95depending on the protocol version used: 96.Pp 97.Ss SSH protocol version 1 98.Pp 99First, if the machine the user logs in from is listed in 100.Pa /etc/hosts.equiv 101or 102.Pa /etc/shosts.equiv 103on the remote machine, and the user names are 104the same on both sides, the user is immediately permitted to log in. 105Second, if 106.Pa \&.rhosts 107or 108.Pa \&.shosts 109exists in the user's home directory on the 110remote machine and contains a line containing the name of the client 111machine and the name of the user on that machine, the user is 112permitted to log in. 113This form of authentication alone is normally not 114allowed by the server because it is not secure. 115.Pp 116The second authentication method is the 117.Pa rhosts 118or 119.Pa hosts.equiv 120method combined with RSA-based host authentication. 121It means that if the login would be permitted by 122.Pa $HOME/.rhosts , 123.Pa $HOME/.shosts , 124.Pa /etc/hosts.equiv , 125or 126.Pa /etc/shosts.equiv , 127and if additionally the server can verify the client's 128host key (see 129.Pa /etc/ssh_known_hosts 130and 131.Pa $HOME/.ssh/known_hosts 132in the 133.Sx FILES 134section), only then login is permitted. 135This authentication method closes security holes due to IP 136spoofing, DNS spoofing and routing spoofing. 137[Note to the administrator: 138.Pa /etc/hosts.equiv , 139.Pa $HOME/.rhosts , 140and the rlogin/rsh protocol in general, are inherently insecure and should be 141disabled if security is desired.] 142.Pp 143As a third authentication method, 144.Nm 145supports RSA based authentication. 146The scheme is based on public-key cryptography: there are cryptosystems 147where encryption and decryption are done using separate keys, and it 148is not possible to derive the decryption key from the encryption key. 149RSA is one such system. 150The idea is that each user creates a public/private 151key pair for authentication purposes. 152The server knows the public key, and only the user knows the private key. 153The file 154.Pa $HOME/.ssh/authorized_keys 155lists the public keys that are permitted for logging 156in. 157When the user logs in, the 158.Nm 159program tells the server which key pair it would like to use for 160authentication. 161The server checks if this key is permitted, and if 162so, sends the user (actually the 163.Nm 164program running on behalf of the user) a challenge, a random number, 165encrypted by the user's public key. 166The challenge can only be 167decrypted using the proper private key. 168The user's client then decrypts the 169challenge using the private key, proving that he/she knows the private 170key but without disclosing it to the server. 171.Pp 172.Nm 173implements the RSA authentication protocol automatically. 174The user creates his/her RSA key pair by running 175.Xr ssh-keygen 1 . 176This stores the private key in 177.Pa $HOME/.ssh/identity 178and the public key in 179.Pa $HOME/.ssh/identity.pub 180in the user's home directory. 181The user should then copy the 182.Pa identity.pub 183to 184.Pa $HOME/.ssh/authorized_keys 185in his/her home directory on the remote machine (the 186.Pa authorized_keys 187file corresponds to the conventional 188.Pa $HOME/.rhosts 189file, and has one key 190per line, though the lines can be very long). 191After this, the user can log in without giving the password. 192RSA authentication is much 193more secure than rhosts authentication. 194.Pp 195The most convenient way to use RSA authentication may be with an 196authentication agent. 197See 198.Xr ssh-agent 1 199for more information. 200.Pp 201If other authentication methods fail, 202.Nm 203prompts the user for a password. 204The password is sent to the remote 205host for checking; however, since all communications are encrypted, 206the password cannot be seen by someone listening on the network. 207.Pp 208.Ss SSH protocol version 2 209.Pp 210When a user connects using the protocol version 2 211different authentication methods are available. 212Using the default values for 213.Cm PreferredAuthentications , 214the client will try to authenticate first using the hostbased method; 215if this method fails public key authentication is attempted, 216and finally if this method fails keyboard-interactive and 217password authentication are tried. 218.Pp 219The public key method is similar to RSA authentication described 220in the previous section and allows the RSA or DSA algorithm to be used: 221The client uses his private key, 222.Pa $HOME/.ssh/id_dsa 223or 224.Pa $HOME/.ssh/id_rsa , 225to sign the session identifier and sends the result to the server. 226The server checks whether the matching public key is listed in 227.Pa $HOME/.ssh/authorized_keys 228and grants access if both the key is found and the signature is correct. 229The session identifier is derived from a shared Diffie-Hellman value 230and is only known to the client and the server. 231.Pp 232If public key authentication fails or is not available a password 233can be sent encrypted to the remote host for proving the user's identity. 234.Pp 235Additionally, 236.Nm 237supports hostbased or challenge response authentication. 238.Pp 239Protocol 2 provides additional mechanisms for confidentiality 240(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) 241and integrity (hmac-md5, hmac-sha1). 242Note that protocol 1 lacks a strong mechanism for ensuring the 243integrity of the connection. 244.Pp 245.Ss Login session and remote execution 246.Pp 247When the user's identity has been accepted by the server, the server 248either executes the given command, or logs into the machine and gives 249the user a normal shell on the remote machine. 250All communication with 251the remote command or shell will be automatically encrypted. 252.Pp 253If a pseudo-terminal has been allocated (normal login session), the 254user may use the escape characters noted below. 255.Pp 256If no pseudo tty has been allocated, the 257session is transparent and can be used to reliably transfer binary 258data. 259On most systems, setting the escape character to 260.Dq none 261will also make the session transparent even if a tty is used. 262.Pp 263The session terminates when the command or shell on the remote 264machine exits and all X11 and TCP/IP connections have been closed. 265The exit status of the remote program is returned as the exit status 266of 267.Nm ssh . 268.Pp 269.Ss Escape Characters 270.Pp 271When a pseudo terminal has been requested, ssh supports a number of functions 272through the use of an escape character. 273.Pp 274A single tilde character can be sent as 275.Ic ~~ 276or by following the tilde by a character other than those described below. 277The escape character must always follow a newline to be interpreted as 278special. 279The escape character can be changed in configuration files using the 280.Cm EscapeChar 281configuration directive or on the command line by the 282.Fl e 283option. 284.Pp 285The supported escapes (assuming the default 286.Ql ~ ) 287are: 288.Bl -tag -width Ds 289.It Cm ~. 290Disconnect 291.It Cm ~^Z 292Background ssh 293.It Cm ~# 294List forwarded connections 295.It Cm ~& 296Background ssh at logout when waiting for forwarded connection / X11 sessions 297to terminate 298.It Cm ~? 299Display a list of escape characters 300.It Cm ~R 301Request rekeying of the connection (only useful for SSH protocol version 2 302and if the peer supports it) 303.El 304.Pp 305.Ss X11 and TCP forwarding 306.Pp 307If the 308.Cm ForwardX11 309variable is set to 310.Dq yes 311(or, see the description of the 312.Fl X 313and 314.Fl x 315options described later) 316and the user is using X11 (the 317.Ev DISPLAY 318environment variable is set), the connection to the X11 display is 319automatically forwarded to the remote side in such a way that any X11 320programs started from the shell (or command) will go through the 321encrypted channel, and the connection to the real X server will be made 322from the local machine. 323The user should not manually set 324.Ev DISPLAY . 325Forwarding of X11 connections can be 326configured on the command line or in configuration files. 327.Pp 328The 329.Ev DISPLAY 330value set by 331.Nm 332will point to the server machine, but with a display number greater 333than zero. 334This is normal, and happens because 335.Nm 336creates a 337.Dq proxy 338X server on the server machine for forwarding the 339connections over the encrypted channel. 340.Pp 341.Nm 342will also automatically set up Xauthority data on the server machine. 343For this purpose, it will generate a random authorization cookie, 344store it in Xauthority on the server, and verify that any forwarded 345connections carry this cookie and replace it by the real cookie when 346the connection is opened. 347The real authentication cookie is never 348sent to the server machine (and no cookies are sent in the plain). 349.Pp 350If the user is using an authentication agent, the connection to the agent 351is automatically forwarded to the remote side unless disabled on 352the command line or in a configuration file. 353.Pp 354Forwarding of arbitrary TCP/IP connections over the secure channel can 355be specified either on the command line or in a configuration file. 356One possible application of TCP/IP forwarding is a secure connection to an 357electronic purse; another is going through firewalls. 358.Pp 359.Ss Server authentication 360.Pp 361.Nm 362automatically maintains and checks a database containing 363identifications for all hosts it has ever been used with. 364Host keys are stored in 365.Pa $HOME/.ssh/known_hosts 366in the user's home directory. 367Additionally, the file 368.Pa /etc/ssh_known_hosts 369is automatically checked for known hosts. 370Any new hosts are automatically added to the user's file. 371If a host's identification 372ever changes, 373.Nm 374warns about this and disables password authentication to prevent a 375trojan horse from getting the user's password. 376Another purpose of 377this mechanism is to prevent man-in-the-middle attacks which could 378otherwise be used to circumvent the encryption. 379The 380.Cm StrictHostKeyChecking 381option (see below) can be used to prevent logins to machines whose 382host key is not known or has changed. 383.Pp 384The options are as follows: 385.Bl -tag -width Ds 386.It Fl a 387Disables forwarding of the authentication agent connection. 388.It Fl A 389Enables forwarding of the authentication agent connection. 390This can also be specified on a per-host basis in a configuration file. 391.It Fl b Ar bind_address 392Specify the interface to transmit from on machines with multiple 393interfaces or aliased addresses. 394.It Fl c Ar blowfish|3des|des 395Selects the cipher to use for encrypting the session. 396.Ar 3des 397is used by default. 398It is believed to be secure. 399.Ar 3des 400(triple-des) is an encrypt-decrypt-encrypt triple with three different keys. 401.Ar blowfish 402is a fast block cipher, it appears very secure and is much faster than 403.Ar 3des . 404.Ar des 405is only supported in the 406.Nm 407client for interoperability with legacy protocol 1 implementations 408that do not support the 409.Ar 3des 410cipher. Its use is strongly discouraged due to cryptographic 411weaknesses. 412.It Fl c Ar cipher_spec 413Additionally, for protocol version 2 a comma-separated list of ciphers can 414be specified in order of preference. 415See 416.Cm Ciphers 417for more information. 418.It Fl e Ar ch|^ch|none 419Sets the escape character for sessions with a pty (default: 420.Ql ~ ) . 421The escape character is only recognized at the beginning of a line. 422The escape character followed by a dot 423.Pq Ql \&. 424closes the connection, followed 425by control-Z suspends the connection, and followed by itself sends the 426escape character once. 427Setting the character to 428.Dq none 429disables any escapes and makes the session fully transparent. 430.It Fl f 431Requests 432.Nm 433to go to background just before command execution. 434This is useful if 435.Nm 436is going to ask for passwords or passphrases, but the user 437wants it in the background. 438This implies 439.Fl n . 440The recommended way to start X11 programs at a remote site is with 441something like 442.Ic ssh -f host xterm . 443.It Fl g 444Allows remote hosts to connect to local forwarded ports. 445.It Fl i Ar identity_file 446Selects the file from which the identity (private key) for 447RSA or DSA authentication is read. 448Default is 449.Pa $HOME/.ssh/identity 450in the user's home directory. 451Identity files may also be specified on 452a per-host basis in the configuration file. 453It is possible to have multiple 454.Fl i 455options (and multiple identities specified in 456configuration files). 457.It Fl I Ar smartcard_device 458Specifies which smartcard device to use. The argument is 459the device 460.Nm 461should use to communicate with a smartcard used for storing the user's 462private RSA key. 463.It Fl k 464Disables forwarding of Kerberos tickets and AFS tokens. 465This may also be specified on a per-host basis in the configuration file. 466.It Fl l Ar login_name 467Specifies the user to log in as on the remote machine. 468This also may be specified on a per-host basis in the configuration file. 469.It Fl m Ar mac_spec 470Additionally, for protocol version 2 a comma-separated list of MAC 471(message authentication code) algorithms can 472be specified in order of preference. 473See the 474.Cm MACs 475keyword for more information. 476.It Fl n 477Redirects stdin from 478.Pa /dev/null 479(actually, prevents reading from stdin). 480This must be used when 481.Nm 482is run in the background. 483A common trick is to use this to run X11 programs on a remote machine. 484For example, 485.Ic ssh -n shadows.cs.hut.fi emacs & 486will start an emacs on shadows.cs.hut.fi, and the X11 487connection will be automatically forwarded over an encrypted channel. 488The 489.Nm 490program will be put in the background. 491(This does not work if 492.Nm 493needs to ask for a password or passphrase; see also the 494.Fl f 495option.) 496.It Fl N 497Do not execute a remote command. 498This is useful for just forwarding ports 499(protocol version 2 only). 500.It Fl o Ar option 501Can be used to give options in the format used in the configuration file. 502This is useful for specifying options for which there is no separate 503command-line flag. 504.It Fl p Ar port 505Port to connect to on the remote host. 506This can be specified on a 507per-host basis in the configuration file. 508.It Fl P 509Use a non-privileged port for outgoing connections. 510This can be used if a firewall does 511not permit connections from privileged ports. 512Note that this option turns off 513.Cm RhostsAuthentication 514and 515.Cm RhostsRSAAuthentication 516for older servers. 517.It Fl q 518Quiet mode. 519Causes all warning and diagnostic messages to be suppressed. 520Only fatal errors are displayed. 521.It Fl s 522May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use 523of SSH as a secure transport for other applications (eg. sftp). The 524subsystem is specified as the remote command. 525.It Fl t 526Force pseudo-tty allocation. 527This can be used to execute arbitrary 528screen-based programs on a remote machine, which can be very useful, 529e.g., when implementing menu services. 530Multiple 531.Fl t 532options force tty allocation, even if 533.Nm 534has no local tty. 535.It Fl T 536Disable pseudo-tty allocation. 537.It Fl v 538Verbose mode. 539Causes 540.Nm 541to print debugging messages about its progress. 542This is helpful in 543debugging connection, authentication, and configuration problems. 544Multiple 545.Fl v 546options increases the verbosity. 547Maximum is 3. 548.It Fl x 549Disables X11 forwarding. 550.It Fl X 551Enables X11 forwarding. 552This can also be specified on a per-host basis in a configuration file. 553.It Fl C 554Requests compression of all data (including stdin, stdout, stderr, and 555data for forwarded X11 and TCP/IP connections). 556The compression algorithm is the same used by 557.Xr gzip 1 , 558and the 559.Dq level 560can be controlled by the 561.Cm CompressionLevel 562option (see below). 563Compression is desirable on modem lines and other 564slow connections, but will only slow down things on fast networks. 565The default value can be set on a host-by-host basis in the 566configuration files; see the 567.Cm Compression 568option below. 569.It Fl F Ar configfile 570Specifies an alternative per-user configuration file. 571If a configuration file is given on the command line, 572the system-wide configuration file 573.Pq Pa /etc/ssh_config 574will be ignored. 575The default for the per-user configuration file is 576.Pa $HOME/.ssh/config . 577.It Fl L Ar port:host:hostport 578Specifies that the given port on the local (client) host is to be 579forwarded to the given host and port on the remote side. 580This works by allocating a socket to listen to 581.Ar port 582on the local side, and whenever a connection is made to this port, the 583connection is forwarded over the secure channel, and a connection is 584made to 585.Ar host 586port 587.Ar hostport 588from the remote machine. 589Port forwardings can also be specified in the configuration file. 590Only root can forward privileged ports. 591IPv6 addresses can be specified with an alternative syntax: 592.Ar port/host/hostport 593.It Fl R Ar port:host:hostport 594Specifies that the given port on the remote (server) host is to be 595forwarded to the given host and port on the local side. 596This works by allocating a socket to listen to 597.Ar port 598on the remote side, and whenever a connection is made to this port, the 599connection is forwarded over the secure channel, and a connection is 600made to 601.Ar host 602port 603.Ar hostport 604from the local machine. 605Port forwardings can also be specified in the configuration file. 606Privileged ports can be forwarded only when 607logging in as root on the remote machine. 608IPv6 addresses can be specified with an alternative syntax: 609.Ar port/host/hostport 610.It Fl D Ar port 611Specifies a local 612.Dq dynamic 613application-level port forwarding. 614This works by allocating a socket to listen to 615.Ar port 616on the local side, and whenever a connection is made to this port, the 617connection is forwarded over the secure channel, and the application 618protocol is then used to determine where to connect to from the 619remote machine. Currently the SOCKS4 protocol is supported, and 620.Nm 621will act as a SOCKS4 server. 622Only root can forward privileged ports. 623Dynamic port forwardings can also be specified in the configuration file. 624.It Fl 1 625Forces 626.Nm 627to try protocol version 1 only. 628.It Fl 2 629Forces 630.Nm 631to try protocol version 2 only. 632.It Fl 4 633Forces 634.Nm 635to use IPv4 addresses only. 636.It Fl 6 637Forces 638.Nm 639to use IPv6 addresses only. 640.El 641.Sh CONFIGURATION FILES 642.Nm 643obtains configuration data from the following sources in 644the following order: 645command line options, user's configuration file 646.Pq Pa $HOME/.ssh/config , 647and system-wide configuration file 648.Pq Pa /etc/ssh_config . 649For each parameter, the first obtained value 650will be used. 651The configuration files contain sections bracketed by 652.Dq Host 653specifications, and that section is only applied for hosts that 654match one of the patterns given in the specification. 655The matched host name is the one given on the command line. 656.Pp 657Since the first obtained value for each parameter is used, more 658host-specific declarations should be given near the beginning of the 659file, and general defaults at the end. 660.Pp 661The configuration file has the following format: 662.Pp 663Empty lines and lines starting with 664.Ql # 665are comments. 666.Pp 667Otherwise a line is of the format 668.Dq keyword arguments . 669Configuration options may be separated by whitespace or 670optional whitespace and exactly one 671.Ql = ; 672the latter format is useful to avoid the need to quote whitespace 673when specifying configuration options using the 674.Nm ssh , 675.Nm scp 676and 677.Nm sftp 678.Fl o 679option. 680.Pp 681The possible 682keywords and their meanings are as follows (note that 683keywords are case-insensitive and arguments are case-sensitive): 684.Bl -tag -width Ds 685.It Cm Host 686Restricts the following declarations (up to the next 687.Cm Host 688keyword) to be only for those hosts that match one of the patterns 689given after the keyword. 690.Ql \&* 691and 692.Ql ? 693can be used as wildcards in the 694patterns. 695A single 696.Ql \&* 697as a pattern can be used to provide global 698defaults for all hosts. 699The host is the 700.Ar hostname 701argument given on the command line (i.e., the name is not converted to 702a canonicalized host name before matching). 703.It Cm AFSTokenPassing 704Specifies whether to pass AFS tokens to remote host. 705The argument to this keyword must be 706.Dq yes 707or 708.Dq no . 709This option applies to protocol version 1 only. 710.It Cm BatchMode 711If set to 712.Dq yes , 713passphrase/password querying will be disabled. 714This option is useful in scripts and other batch jobs where no user 715is present to supply the password. 716The argument must be 717.Dq yes 718or 719.Dq no . 720The default is 721.Dq no . 722.It Cm BindAddress 723Specify the interface to transmit from on machines with multiple 724interfaces or aliased addresses. 725Note that this option does not work if 726.Cm UsePrivilegedPort 727is set to 728.Dq yes . 729.It Cm CheckHostIP 730If this flag is set to 731.Dq yes , 732ssh will additionally check the host IP address in the 733.Pa known_hosts 734file. 735This allows ssh to detect if a host key changed due to DNS spoofing. 736If the option is set to 737.Dq no , 738the check will not be executed. 739The default is 740.Dq yes . 741.It Cm Cipher 742Specifies the cipher to use for encrypting the session 743in protocol version 1. 744Currently, 745.Dq blowfish , 746.Dq 3des , 747and 748.Dq des 749are supported. 750.Ar des 751is only supported in the 752.Nm 753client for interoperability with legacy protocol 1 implementations 754that do not support the 755.Ar 3des 756cipher. Its use is strongly discouraged due to cryptographic 757weaknesses. 758The default is 759.Dq 3des . 760.It Cm Ciphers 761Specifies the ciphers allowed for protocol version 2 762in order of preference. 763Multiple ciphers must be comma-separated. 764The default is 765.Pp 766.Bd -literal 767 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, 768 aes192-cbc,aes256-cbc'' 769.Ed 770.It Cm ClearAllForwardings 771Specifies that all local, remote and dynamic port forwardings 772specified in the configuration files or on the command line be 773cleared. This option is primarily useful when used from the 774.Nm 775command line to clear port forwardings set in 776configuration files, and is automatically set by 777.Xr scp 1 778and 779.Xr sftp 1 . 780The argument must be 781.Dq yes 782or 783.Dq no . 784The default is 785.Dq no . 786.It Cm Compression 787Specifies whether to use compression. 788The argument must be 789.Dq yes 790or 791.Dq no . 792The default is 793.Dq no . 794.It Cm CompressionLevel 795Specifies the compression level to use if compression is enabled. 796The argument must be an integer from 1 (fast) to 9 (slow, best). 797The default level is 6, which is good for most applications. 798The meaning of the values is the same as in 799.Xr gzip 1 . 800Note that this option applies to protocol version 1 only. 801.It Cm ConnectionAttempts 802Specifies the number of tries (one per second) to make before falling 803back to rsh or exiting. 804The argument must be an integer. 805This may be useful in scripts if the connection sometimes fails. 806The default is 1. 807.It Cm DynamicForward 808Specifies that a TCP/IP port on the local machine be forwarded 809over the secure channel, and the application 810protocol is then used to determine where to connect to from the 811remote machine. The argument must be a port number. 812Currently the SOCKS4 protocol is supported, and 813.Nm 814will act as a SOCKS4 server. 815Multiple forwardings may be specified, and 816additional forwardings can be given on the command line. Only 817the superuser can forward privileged ports. 818.It Cm EscapeChar 819Sets the escape character (default: 820.Ql ~ ) . 821The escape character can also 822be set on the command line. 823The argument should be a single character, 824.Ql ^ 825followed by a letter, or 826.Dq none 827to disable the escape 828character entirely (making the connection transparent for binary 829data). 830.It Cm FallBackToRsh 831Specifies that if connecting via 832.Nm 833fails due to a connection refused error (there is no 834.Xr sshd 8 835listening on the remote host), 836.Xr rsh 1 837should automatically be used instead (after a suitable warning about 838the session being unencrypted). 839The argument must be 840.Dq yes 841or 842.Dq no . 843The default is 844.Dq no . 845.It Cm ForwardAgent 846Specifies whether the connection to the authentication agent (if any) 847will be forwarded to the remote machine. 848The argument must be 849.Dq yes 850or 851.Dq no . 852The default is 853.Dq no . 854.It Cm ForwardX11 855Specifies whether X11 connections will be automatically redirected 856over the secure channel and 857.Ev DISPLAY 858set. 859The argument must be 860.Dq yes 861or 862.Dq no . 863The default is 864.Dq no . 865.It Cm GatewayPorts 866Specifies whether remote hosts are allowed to connect to local 867forwarded ports. 868By default, 869.Nm 870binds local port forwardings to the loopback addresss. This 871prevents other remote hosts from connecting to forwarded ports. 872.Cm GatewayPorts 873can be used to specify that 874.Nm 875should bind local port forwardings to the wildcard address, 876thus allowing remote hosts to connect to forwarded ports. 877The argument must be 878.Dq yes 879or 880.Dq no . 881The default is 882.Dq no . 883.It Cm GlobalKnownHostsFile 884Specifies a file to use for the global 885host key database instead of 886.Pa /etc/ssh_known_hosts . 887.It Cm HostbasedAuthentication 888Specifies whether to try rhosts based authentication with public key 889authentication. 890The argument must be 891.Dq yes 892or 893.Dq no . 894The default is 895.Dq no . 896This option applies to protocol version 2 only and 897is similar to 898.Cm RhostsRSAAuthentication . 899.It Cm HostKeyAlgorithms 900Specifies the protocol version 2 host key algorithms 901that the client wants to use in order of preference. 902The default for this option is: 903.Dq ssh-rsa,ssh-dss 904.It Cm HostKeyAlias 905Specifies an alias that should be used instead of the 906real host name when looking up or saving the host key 907in the host key database files. 908This option is useful for tunneling ssh connections 909or for multiple servers running on a single host. 910.It Cm HostName 911Specifies the real host name to log into. 912This can be used to specify nicknames or abbreviations for hosts. 913Default is the name given on the command line. 914Numeric IP addresses are also permitted (both on the command line and in 915.Cm HostName 916specifications). 917.It Cm IdentityFile 918Specifies the file from which the user's RSA or DSA authentication identity 919is read (default 920.Pa $HOME/.ssh/identity 921in the user's home directory). 922Additionally, any identities represented by the authentication agent 923will be used for authentication. 924The file name may use the tilde 925syntax to refer to a user's home directory. 926It is possible to have 927multiple identity files specified in configuration files; all these 928identities will be tried in sequence. 929.It Cm KeepAlive 930Specifies whether the system should send keepalive messages to the 931other side. 932If they are sent, death of the connection or crash of one 933of the machines will be properly noticed. 934However, this means that 935connections will die if the route is down temporarily, and some people 936find it annoying. 937.Pp 938The default is 939.Dq yes 940(to send keepalives), and the client will notice 941if the network goes down or the remote host dies. 942This is important in scripts, and many users want it too. 943.Pp 944To disable keepalives, the value should be set to 945.Dq no 946in both the server and the client configuration files. 947.It Cm KerberosAuthentication 948Specifies whether Kerberos authentication will be used. 949The argument to this keyword must be 950.Dq yes 951or 952.Dq no . 953.It Cm KerberosTgtPassing 954Specifies whether a Kerberos TGT will be forwarded to the server. 955This will only work if the Kerberos server is actually an AFS kaserver. 956The argument to this keyword must be 957.Dq yes 958or 959.Dq no . 960.It Cm LocalForward 961Specifies that a TCP/IP port on the local machine be forwarded over 962the secure channel to the specified host and port from the remote machine. 963The first argument must be a port number, and the second must be 964.Ar host:port . 965IPv6 addresses can be specified with an alternative syntax: 966.Ar host/port . 967Multiple forwardings may be specified, and additional 968forwardings can be given on the command line. 969Only the superuser can forward privileged ports. 970.It Cm LogLevel 971Gives the verbosity level that is used when logging messages from 972.Nm ssh . 973The possible values are: 974QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. 975The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 976and DEBUG3 each specify higher levels of verbose output. 977.It Cm MACs 978Specifies the MAC (message authentication code) algorithms 979in order of preference. 980The MAC algorithm is used in protocol version 2 981for data integrity protection. 982Multiple algorithms must be comma-separated. 983The default is 984.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . 985.It Cm NoHostAuthenticationForLocalhost 986This option can be used if the home directory is shared across machines. 987In this case localhost will refer to a different machine on each of 988the machines and the user will get many warnings about changed host keys. 989However, this option disables host authentication for localhost. 990The argument to this keyword must be 991.Dq yes 992or 993.Dq no . 994The default is to check the host key for localhost. 995.It Cm NumberOfPasswordPrompts 996Specifies the number of password prompts before giving up. 997The argument to this keyword must be an integer. 998Default is 3. 999.It Cm PasswordAuthentication 1000Specifies whether to use password authentication. 1001The argument to this keyword must be 1002.Dq yes 1003or 1004.Dq no . 1005The default is 1006.Dq yes . 1007.It Cm Port 1008Specifies the port number to connect on the remote host. 1009Default is 22. 1010.It Cm PreferredAuthentications 1011Specifies the order in which the client should try protocol 2 1012authentication methods. This allows a client to prefer one method (e.g. 1013.Cm keyboard-interactive ) 1014over another method (e.g. 1015.Cm password ) 1016The default for this option is: 1017.Dq hostbased,publickey,keyboard-interactive,password 1018.It Cm Protocol 1019Specifies the protocol versions 1020.Nm 1021should support in order of preference. 1022The possible values are 1023.Dq 1 1024and 1025.Dq 2 . 1026Multiple versions must be comma-separated. 1027The default is 1028.Dq 2,1 . 1029This means that 1030.Nm 1031tries version 2 and falls back to version 1 1032if version 2 is not available. 1033.It Cm ProxyCommand 1034Specifies the command to use to connect to the server. 1035The command 1036string extends to the end of the line, and is executed with 1037.Pa /bin/sh . 1038In the command string, 1039.Ql %h 1040will be substituted by the host name to 1041connect and 1042.Ql %p 1043by the port. 1044The command can be basically anything, 1045and should read from its standard input and write to its standard output. 1046It should eventually connect an 1047.Xr sshd 8 1048server running on some machine, or execute 1049.Ic sshd -i 1050somewhere. 1051Host key management will be done using the 1052HostName of the host being connected (defaulting to the name typed by 1053the user). 1054Note that 1055.Cm CheckHostIP 1056is not available for connects with a proxy command. 1057.Pp 1058.It Cm PubkeyAuthentication 1059Specifies whether to try public key authentication. 1060The argument to this keyword must be 1061.Dq yes 1062or 1063.Dq no . 1064The default is 1065.Dq yes . 1066This option applies to protocol version 2 only. 1067.It Cm RemoteForward 1068Specifies that a TCP/IP port on the remote machine be forwarded over 1069the secure channel to the specified host and port from the local machine. 1070The first argument must be a port number, and the second must be 1071.Ar host:port . 1072IPv6 addresses can be specified with an alternative syntax: 1073.Ar host/port . 1074Multiple forwardings may be specified, and additional 1075forwardings can be given on the command line. 1076Only the superuser can forward privileged ports. 1077.It Cm RhostsAuthentication 1078Specifies whether to try rhosts based authentication. 1079Note that this 1080declaration only affects the client side and has no effect whatsoever 1081on security. 1082Disabling rhosts authentication may reduce 1083authentication time on slow connections when rhosts authentication is 1084not used. 1085Most servers do not permit RhostsAuthentication because it 1086is not secure (see 1087.Cm RhostsRSAAuthentication ) . 1088The argument to this keyword must be 1089.Dq yes 1090or 1091.Dq no . 1092The default is 1093.Dq yes . 1094This option applies to protocol version 1 only. 1095.It Cm RhostsRSAAuthentication 1096Specifies whether to try rhosts based authentication with RSA host 1097authentication. 1098The argument must be 1099.Dq yes 1100or 1101.Dq no . 1102The default is 1103.Dq yes . 1104This option applies to protocol version 1 only. 1105.It Cm RSAAuthentication 1106Specifies whether to try RSA authentication. 1107The argument to this keyword must be 1108.Dq yes 1109or 1110.Dq no . 1111RSA authentication will only be 1112attempted if the identity file exists, or an authentication agent is 1113running. 1114The default is 1115.Dq yes . 1116Note that this option applies to protocol version 1 only. 1117.It Cm ChallengeResponseAuthentication 1118Specifies whether to use challenge response authentication. 1119The argument to this keyword must be 1120.Dq yes 1121or 1122.Dq no . 1123The default is 1124.Dq yes . 1125.It Cm SmartcardDevice 1126Specifies which smartcard device to use. The argument to this keyword is 1127the device 1128.Nm 1129should use to communicate with a smartcard used for storing the user's 1130private RSA key. By default, no device is specified and smartcard support 1131is not activated. 1132.It Cm StrictHostKeyChecking 1133If this flag is set to 1134.Dq yes , 1135.Nm 1136will never automatically add host keys to the 1137.Pa $HOME/.ssh/known_hosts 1138file, and refuses to connect to hosts whose host key has changed. 1139This provides maximum protection against trojan horse attacks, 1140however, can be annoying when the 1141.Pa /etc/ssh_known_hosts 1142file is poorly maintained, or connections to new hosts are 1143frequently made. 1144This option forces the user to manually 1145add all new hosts. 1146If this flag is set to 1147.Dq no , 1148.Nm 1149will automatically add new host keys to the 1150user known hosts files. 1151If this flag is set to 1152.Dq ask , 1153new host keys 1154will be added to the user known host files only after the user 1155has confirmed that is what they really want to do, and 1156.Nm 1157will refuse to connect to hosts whose host key has changed. 1158The host keys of 1159known hosts will be verified automatically in all cases. 1160The argument must be 1161.Dq yes , 1162.Dq no 1163or 1164.Dq ask . 1165The default is 1166.Dq ask . 1167.It Cm UsePrivilegedPort 1168Specifies whether to use a privileged port for outgoing connections. 1169The argument must be 1170.Dq yes 1171or 1172.Dq no . 1173The default is 1174.Dq no . 1175Note that this option must be set to 1176.Dq yes 1177if 1178.Cm RhostsAuthentication 1179and 1180.Cm RhostsRSAAuthentication 1181authentications are needed with older servers. 1182.It Cm User 1183Specifies the user to log in as. 1184This can be useful when a different user name is used on different machines. 1185This saves the trouble of 1186having to remember to give the user name on the command line. 1187.It Cm UserKnownHostsFile 1188Specifies a file to use for the user 1189host key database instead of 1190.Pa $HOME/.ssh/known_hosts . 1191.It Cm UseRsh 1192Specifies that rlogin/rsh should be used for this host. 1193It is possible that the host does not at all support the 1194.Nm 1195protocol. 1196This causes 1197.Nm 1198to immediately execute 1199.Xr rsh 1 . 1200All other options (except 1201.Cm HostName ) 1202are ignored if this has been specified. 1203The argument must be 1204.Dq yes 1205or 1206.Dq no . 1207.It Cm XAuthLocation 1208Specifies the location of the 1209.Xr xauth 1 1210program. 1211The default is 1212.Pa /usr/X11R6/bin/xauth . 1213.El 1214.Sh ENVIRONMENT 1215.Nm 1216will normally set the following environment variables: 1217.Bl -tag -width Ds 1218.It Ev DISPLAY 1219The 1220.Ev DISPLAY 1221variable indicates the location of the X11 server. 1222It is automatically set by 1223.Nm 1224to point to a value of the form 1225.Dq hostname:n 1226where hostname indicates 1227the host where the shell runs, and n is an integer >= 1. 1228.Nm 1229uses this special value to forward X11 connections over the secure 1230channel. 1231The user should normally not set 1232.Ev DISPLAY 1233explicitly, as that 1234will render the X11 connection insecure (and will require the user to 1235manually copy any required authorization cookies). 1236.It Ev HOME 1237Set to the path of the user's home directory. 1238.It Ev LOGNAME 1239Synonym for 1240.Ev USER ; 1241set for compatibility with systems that use this variable. 1242.It Ev MAIL 1243Set to the path of the user's mailbox. 1244.It Ev PATH 1245Set to the default 1246.Ev PATH , 1247as specified when compiling 1248.Nm ssh . 1249.It Ev SSH_ASKPASS 1250If 1251.Nm 1252needs a passphrase, it will read the passphrase from the current 1253terminal if it was run from a terminal. 1254If 1255.Nm 1256does not have a terminal associated with it but 1257.Ev DISPLAY 1258and 1259.Ev SSH_ASKPASS 1260are set, it will execute the program specified by 1261.Ev SSH_ASKPASS 1262and open an X11 window to read the passphrase. 1263This is particularly useful when calling 1264.Nm 1265from a 1266.Pa .Xsession 1267or related script. 1268(Note that on some machines it 1269may be necessary to redirect the input from 1270.Pa /dev/null 1271to make this work.) 1272.It Ev SSH_AUTH_SOCK 1273Identifies the path of a unix-domain socket used to communicate with the 1274agent. 1275.It Ev SSH_CLIENT 1276Identifies the client end of the connection. 1277The variable contains 1278three space-separated values: client ip-address, client port number, 1279and server port number. 1280.It Ev SSH_ORIGINAL_COMMAND 1281The variable contains the original command line if a forced command 1282is executed. 1283It can be used to extract the original arguments. 1284.It Ev SSH_TTY 1285This is set to the name of the tty (path to the device) associated 1286with the current shell or command. 1287If the current session has no tty, 1288this variable is not set. 1289.It Ev TZ 1290The timezone variable is set to indicate the present timezone if it 1291was set when the daemon was started (i.e., the daemon passes the value 1292on to new connections). 1293.It Ev USER 1294Set to the name of the user logging in. 1295.El 1296.Pp 1297Additionally, 1298.Nm 1299reads 1300.Pa $HOME/.ssh/environment , 1301and adds lines of the format 1302.Dq VARNAME=value 1303to the environment. 1304.Sh FILES 1305.Bl -tag -width Ds 1306.It Pa $HOME/.ssh/known_hosts 1307Records host keys for all hosts the user has logged into that are not 1308in 1309.Pa /etc/ssh_known_hosts . 1310See 1311.Xr sshd 8 . 1312.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa 1313Contains the authentication identity of the user. 1314They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. 1315These files 1316contain sensitive data and should be readable by the user but not 1317accessible by others (read/write/execute). 1318Note that 1319.Nm 1320ignores a private key file if it is accessible by others. 1321It is possible to specify a passphrase when 1322generating the key; the passphrase will be used to encrypt the 1323sensitive part of this file using 3DES. 1324.It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub 1325Contains the public key for authentication (public part of the 1326identity file in human-readable form). 1327The contents of the 1328.Pa $HOME/.ssh/identity.pub 1329file should be added to 1330.Pa $HOME/.ssh/authorized_keys 1331on all machines 1332where the user wishes to log in using protocol version 1 RSA authentication. 1333The contents of the 1334.Pa $HOME/.ssh/id_dsa.pub 1335and 1336.Pa $HOME/.ssh/id_rsa.pub 1337file should be added to 1338.Pa $HOME/.ssh/authorized_keys 1339on all machines 1340where the user wishes to log in using protocol version 2 DSA/RSA authentication. 1341These files are not 1342sensitive and can (but need not) be readable by anyone. 1343These files are 1344never used automatically and are not necessary; they are only provided for 1345the convenience of the user. 1346.It Pa $HOME/.ssh/config 1347This is the per-user configuration file. 1348The format of this file is described above. 1349This file is used by the 1350.Nm 1351client. 1352This file does not usually contain any sensitive information, 1353but the recommended permissions are read/write for the user, and not 1354accessible by others. 1355.It Pa $HOME/.ssh/authorized_keys 1356Lists the public keys (RSA/DSA) that can be used for logging in as this user. 1357The format of this file is described in the 1358.Xr sshd 8 1359manual page. 1360In the simplest form the format is the same as the .pub 1361identity files. 1362This file is not highly sensitive, but the recommended 1363permissions are read/write for the user, and not accessible by others. 1364.It Pa /etc/ssh_known_hosts 1365Systemwide list of known host keys. 1366This file should be prepared by the 1367system administrator to contain the public host keys of all machines in the 1368organization. 1369This file should be world-readable. 1370This file contains 1371public keys, one per line, in the following format (fields separated 1372by spaces): system name, public key and optional comment field. 1373When different names are used 1374for the same machine, all such names should be listed, separated by 1375commas. 1376The format is described on the 1377.Xr sshd 8 1378manual page. 1379.Pp 1380The canonical system name (as returned by name servers) is used by 1381.Xr sshd 8 1382to verify the client host when logging in; other names are needed because 1383.Nm 1384does not convert the user-supplied name to a canonical name before 1385checking the key, because someone with access to the name servers 1386would then be able to fool host authentication. 1387.It Pa /etc/ssh_config 1388Systemwide configuration file. 1389This file provides defaults for those 1390values that are not specified in the user's configuration file, and 1391for those users who do not have a configuration file. 1392This file must be world-readable. 1393.It Pa /etc/ssh_host_key, /etc/ssh_host_dsa_key, /etc/ssh_host_rsa_key 1394These three files contain the private parts of the host keys 1395and are used for 1396.Cm RhostsRSAAuthentication 1397and 1398.Cm HostbasedAuthentication . 1399Since they are readable only by root 1400.Nm 1401must be setuid root if these authentication methods are desired. 1402.It Pa $HOME/.rhosts 1403This file is used in 1404.Pa \&.rhosts 1405authentication to list the 1406host/user pairs that are permitted to log in. 1407(Note that this file is 1408also used by rlogin and rsh, which makes using this file insecure.) 1409Each line of the file contains a host name (in the canonical form 1410returned by name servers), and then a user name on that host, 1411separated by a space. 1412On some machines this file may need to be 1413world-readable if the user's home directory is on a NFS partition, 1414because 1415.Xr sshd 8 1416reads it as root. 1417Additionally, this file must be owned by the user, 1418and must not have write permissions for anyone else. 1419The recommended 1420permission for most machines is read/write for the user, and not 1421accessible by others. 1422.Pp 1423Note that by default 1424.Xr sshd 8 1425will be installed so that it requires successful RSA host 1426authentication before permitting \s+2.\s0rhosts authentication. 1427If the server machine does not have the client's host key in 1428.Pa /etc/ssh_known_hosts , 1429it can be stored in 1430.Pa $HOME/.ssh/known_hosts . 1431The easiest way to do this is to 1432connect back to the client from the server machine using ssh; this 1433will automatically add the host key to 1434.Pa $HOME/.ssh/known_hosts . 1435.It Pa $HOME/.shosts 1436This file is used exactly the same way as 1437.Pa \&.rhosts . 1438The purpose for 1439having this file is to be able to use rhosts authentication with 1440.Nm 1441without permitting login with 1442.Xr rlogin 1 1443or 1444.Xr rsh 1 . 1445.It Pa /etc/hosts.equiv 1446This file is used during 1447.Pa \&.rhosts authentication. 1448It contains 1449canonical hosts names, one per line (the full format is described on 1450the 1451.Xr sshd 8 1452manual page). 1453If the client host is found in this file, login is 1454automatically permitted provided client and server user names are the 1455same. 1456Additionally, successful RSA host authentication is normally 1457required. 1458This file should only be writable by root. 1459.It Pa /etc/shosts.equiv 1460This file is processed exactly as 1461.Pa /etc/hosts.equiv . 1462This file may be useful to permit logins using 1463.Nm 1464but not using rsh/rlogin. 1465.It Pa /etc/sshrc 1466Commands in this file are executed by 1467.Nm 1468when the user logs in just before the user's shell (or command) is started. 1469See the 1470.Xr sshd 8 1471manual page for more information. 1472.It Pa $HOME/.ssh/rc 1473Commands in this file are executed by 1474.Nm 1475when the user logs in just before the user's shell (or command) is 1476started. 1477See the 1478.Xr sshd 8 1479manual page for more information. 1480.It Pa $HOME/.ssh/environment 1481Contains additional definitions for environment variables, see section 1482.Sx ENVIRONMENT 1483above. 1484.El 1485.Sh AUTHORS 1486OpenSSH is a derivative of the original and free 1487ssh 1.2.12 release by Tatu Ylonen. 1488Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 1489Theo de Raadt and Dug Song 1490removed many bugs, re-added newer features and 1491created OpenSSH. 1492Markus Friedl contributed the support for SSH 1493protocol versions 1.5 and 2.0. 1494.Sh SEE ALSO 1495.Xr rlogin 1 , 1496.Xr rsh 1 , 1497.Xr scp 1 , 1498.Xr sftp 1 , 1499.Xr ssh-add 1 , 1500.Xr ssh-agent 1 , 1501.Xr ssh-keygen 1 , 1502.Xr telnet 1 , 1503.Xr sshd 8 1504.Rs 1505.%A T. Ylonen 1506.%A T. Kivinen 1507.%A M. Saarinen 1508.%A T. Rinne 1509.%A S. Lehtinen 1510.%T "SSH Protocol Architecture" 1511.%N draft-ietf-secsh-architecture-09.txt 1512.%D July 2001 1513.%O work in progress material 1514.Re 1515