1.\" -*- nroff -*- 2.\" 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5.\" All rights reserved 6.\" 7.\" As far as I am concerned, the code I have written for this software 8.\" can be used freely for any purpose. Any derived versions of this 9.\" software must be clearly marked as such, and if the derived work is 10.\" incompatible with the protocol description in the RFC file, it must be 11.\" called by a name other than "ssh" or "Secure Shell". 12.\" 13.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 14.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 15.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. 16.\" 17.\" Redistribution and use in source and binary forms, with or without 18.\" modification, are permitted provided that the following conditions 19.\" are met: 20.\" 1. Redistributions of source code must retain the above copyright 21.\" notice, this list of conditions and the following disclaimer. 22.\" 2. Redistributions in binary form must reproduce the above copyright 23.\" notice, this list of conditions and the following disclaimer in the 24.\" documentation and/or other materials provided with the distribution. 25.\" 26.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 27.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 28.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" 37.\" $OpenBSD: ssh.1,v 1.138 2001/09/19 19:24:19 stevesk Exp $ 38.Dd September 25, 1999 39.Dt SSH 1 40.Os 41.Sh NAME 42.Nm ssh 43.Nd OpenSSH SSH client (remote login program) 44.Sh SYNOPSIS 45.Nm ssh 46.Op Fl l Ar login_name 47.Ar hostname | user@hostname 48.Op Ar command 49.Pp 50.Nm ssh 51.Op Fl afgknqstvxACNPTX1246 52.Op Fl b Ar bind_address 53.Op Fl c Ar cipher_spec 54.Op Fl e Ar escape_char 55.Op Fl i Ar identity_file 56.Op Fl l Ar login_name 57.Op Fl m Ar mac_spec 58.Op Fl o Ar option 59.Op Fl p Ar port 60.Op Fl F Ar configfile 61.Oo Fl L Xo 62.Sm off 63.Ar port : 64.Ar host : 65.Ar hostport 66.Sm on 67.Xc 68.Oc 69.Oo Fl R Xo 70.Sm off 71.Ar port : 72.Ar host : 73.Ar hostport 74.Sm on 75.Xc 76.Oc 77.Op Fl D Ar port 78.Ar hostname | user@hostname 79.Op Ar command 80.Sh DESCRIPTION 81.Nm 82(SSH client) is a program for logging into a remote machine and for 83executing commands on a remote machine. 84It is intended to replace 85rlogin and rsh, and provide secure encrypted communications between 86two untrusted hosts over an insecure network. 87X11 connections and 88arbitrary TCP/IP ports can also be forwarded over the secure channel. 89.Pp 90.Nm 91connects and logs into the specified 92.Ar hostname . 93The user must prove 94his/her identity to the remote machine using one of several methods 95depending on the protocol version used: 96.Pp 97.Ss SSH protocol version 1 98.Pp 99First, if the machine the user logs in from is listed in 100.Pa /etc/hosts.equiv 101or 102.Pa /etc/shosts.equiv 103on the remote machine, and the user names are 104the same on both sides, the user is immediately permitted to log in. 105Second, if 106.Pa \&.rhosts 107or 108.Pa \&.shosts 109exists in the user's home directory on the 110remote machine and contains a line containing the name of the client 111machine and the name of the user on that machine, the user is 112permitted to log in. 113This form of authentication alone is normally not 114allowed by the server because it is not secure. 115.Pp 116The second authentication method is the 117.Pa rhosts 118or 119.Pa hosts.equiv 120method combined with RSA-based host authentication. 121It means that if the login would be permitted by 122.Pa $HOME/.rhosts , 123.Pa $HOME/.shosts , 124.Pa /etc/hosts.equiv , 125or 126.Pa /etc/shosts.equiv , 127and if additionally the server can verify the client's 128host key (see 129.Pa /etc/ssh_known_hosts 130and 131.Pa $HOME/.ssh/known_hosts 132in the 133.Sx FILES 134section), only then login is permitted. 135This authentication method closes security holes due to IP 136spoofing, DNS spoofing and routing spoofing. 137[Note to the administrator: 138.Pa /etc/hosts.equiv , 139.Pa $HOME/.rhosts , 140and the rlogin/rsh protocol in general, are inherently insecure and should be 141disabled if security is desired.] 142.Pp 143As a third authentication method, 144.Nm 145supports RSA based authentication. 146The scheme is based on public-key cryptography: there are cryptosystems 147where encryption and decryption are done using separate keys, and it 148is not possible to derive the decryption key from the encryption key. 149RSA is one such system. 150The idea is that each user creates a public/private 151key pair for authentication purposes. 152The server knows the public key, and only the user knows the private key. 153The file 154.Pa $HOME/.ssh/authorized_keys 155lists the public keys that are permitted for logging 156in. 157When the user logs in, the 158.Nm 159program tells the server which key pair it would like to use for 160authentication. 161The server checks if this key is permitted, and if 162so, sends the user (actually the 163.Nm 164program running on behalf of the user) a challenge, a random number, 165encrypted by the user's public key. 166The challenge can only be 167decrypted using the proper private key. 168The user's client then decrypts the 169challenge using the private key, proving that he/she knows the private 170key but without disclosing it to the server. 171.Pp 172.Nm 173implements the RSA authentication protocol automatically. 174The user creates his/her RSA key pair by running 175.Xr ssh-keygen 1 . 176This stores the private key in 177.Pa $HOME/.ssh/identity 178and the public key in 179.Pa $HOME/.ssh/identity.pub 180in the user's home directory. 181The user should then copy the 182.Pa identity.pub 183to 184.Pa $HOME/.ssh/authorized_keys 185in his/her home directory on the remote machine (the 186.Pa authorized_keys 187file corresponds to the conventional 188.Pa $HOME/.rhosts 189file, and has one key 190per line, though the lines can be very long). 191After this, the user can log in without giving the password. 192RSA authentication is much 193more secure than rhosts authentication. 194.Pp 195The most convenient way to use RSA authentication may be with an 196authentication agent. 197See 198.Xr ssh-agent 1 199for more information. 200.Pp 201If other authentication methods fail, 202.Nm 203prompts the user for a password. 204The password is sent to the remote 205host for checking; however, since all communications are encrypted, 206the password cannot be seen by someone listening on the network. 207.Pp 208.Ss SSH protocol version 2 209.Pp 210When a user connects using the protocol version 2 211different authentication methods are available. 212Using the default values for 213.Cm PreferredAuthentications , 214the client will try to authenticate first using the hostbased method; 215if this method fails public key authentication is attempted, 216and finally if this method fails keyboard-interactive and 217password authentication are tried. 218.Pp 219The public key method is similar to RSA authentication described 220in the previous section and allows the RSA or DSA algorithm to be used: 221The client uses his private key, 222.Pa $HOME/.ssh/id_dsa 223or 224.Pa $HOME/.ssh/id_rsa , 225to sign the session identifier and sends the result to the server. 226The server checks whether the matching public key is listed in 227.Pa $HOME/.ssh/authorized_keys 228and grants access if both the key is found and the signature is correct. 229The session identifier is derived from a shared Diffie-Hellman value 230and is only known to the client and the server. 231.Pp 232If public key authentication fails or is not available a password 233can be sent encrypted to the remote host for proving the user's identity. 234.Pp 235Additionally, 236.Nm 237supports hostbased or challenge response authentication. 238.Pp 239Protocol 2 provides additional mechanisms for confidentiality 240(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) 241and integrity (hmac-md5, hmac-sha1). 242Note that protocol 1 lacks a strong mechanism for ensuring the 243integrity of the connection. 244.Pp 245.Ss Login session and remote execution 246.Pp 247When the user's identity has been accepted by the server, the server 248either executes the given command, or logs into the machine and gives 249the user a normal shell on the remote machine. 250All communication with 251the remote command or shell will be automatically encrypted. 252.Pp 253If a pseudo-terminal has been allocated (normal login session), the 254user may use the escape characters noted below. 255.Pp 256If no pseudo tty has been allocated, the 257session is transparent and can be used to reliably transfer binary 258data. 259On most systems, setting the escape character to 260.Dq none 261will also make the session transparent even if a tty is used. 262.Pp 263The session terminates when the command or shell on the remote 264machine exits and all X11 and TCP/IP connections have been closed. 265The exit status of the remote program is returned as the exit status 266of 267.Nm ssh . 268.Pp 269.Ss Escape Characters 270.Pp 271When a pseudo terminal has been requested, ssh supports a number of functions 272through the use of an escape character. 273.Pp 274A single tilde character can be sent as 275.Ic ~~ 276or by following the tilde by a character other than those described below. 277The escape character must always follow a newline to be interpreted as 278special. 279The escape character can be changed in configuration files using the 280.Cm EscapeChar 281configuration directive or on the command line by the 282.Fl e 283option. 284.Pp 285The supported escapes (assuming the default 286.Ql ~ ) 287are: 288.Bl -tag -width Ds 289.It Cm ~. 290Disconnect 291.It Cm ~^Z 292Background ssh 293.It Cm ~# 294List forwarded connections 295.It Cm ~& 296Background ssh at logout when waiting for forwarded connection / X11 sessions 297to terminate (protocol version 1 only) 298.It Cm ~? 299Display a list of escape characters 300.It Cm ~R 301Request rekeying of the connection (only useful for SSH protocol version 2 302and if the peer supports it) 303.El 304.Pp 305.Ss X11 and TCP forwarding 306.Pp 307If the 308.Cm ForwardX11 309variable is set to 310.Dq yes 311(or, see the description of the 312.Fl X 313and 314.Fl x 315options described later) 316and the user is using X11 (the 317.Ev DISPLAY 318environment variable is set), the connection to the X11 display is 319automatically forwarded to the remote side in such a way that any X11 320programs started from the shell (or command) will go through the 321encrypted channel, and the connection to the real X server will be made 322from the local machine. 323The user should not manually set 324.Ev DISPLAY . 325Forwarding of X11 connections can be 326configured on the command line or in configuration files. 327.Pp 328The 329.Ev DISPLAY 330value set by 331.Nm 332will point to the server machine, but with a display number greater 333than zero. 334This is normal, and happens because 335.Nm 336creates a 337.Dq proxy 338X server on the server machine for forwarding the 339connections over the encrypted channel. 340.Pp 341.Nm 342will also automatically set up Xauthority data on the server machine. 343For this purpose, it will generate a random authorization cookie, 344store it in Xauthority on the server, and verify that any forwarded 345connections carry this cookie and replace it by the real cookie when 346the connection is opened. 347The real authentication cookie is never 348sent to the server machine (and no cookies are sent in the plain). 349.Pp 350If the user is using an authentication agent, the connection to the agent 351is automatically forwarded to the remote side unless disabled on 352the command line or in a configuration file. 353.Pp 354Forwarding of arbitrary TCP/IP connections over the secure channel can 355be specified either on the command line or in a configuration file. 356One possible application of TCP/IP forwarding is a secure connection to an 357electronic purse; another is going through firewalls. 358.Pp 359.Ss Server authentication 360.Pp 361.Nm 362automatically maintains and checks a database containing 363identifications for all hosts it has ever been used with. 364Host keys are stored in 365.Pa $HOME/.ssh/known_hosts 366in the user's home directory. 367Additionally, the file 368.Pa /etc/ssh_known_hosts 369is automatically checked for known hosts. 370Any new hosts are automatically added to the user's file. 371If a host's identification 372ever changes, 373.Nm 374warns about this and disables password authentication to prevent a 375trojan horse from getting the user's password. 376Another purpose of 377this mechanism is to prevent man-in-the-middle attacks which could 378otherwise be used to circumvent the encryption. 379The 380.Cm StrictHostKeyChecking 381option (see below) can be used to prevent logins to machines whose 382host key is not known or has changed. 383.Pp 384The options are as follows: 385.Bl -tag -width Ds 386.It Fl a 387Disables forwarding of the authentication agent connection. 388.It Fl A 389Enables forwarding of the authentication agent connection. 390This can also be specified on a per-host basis in a configuration file. 391.It Fl b Ar bind_address 392Specify the interface to transmit from on machines with multiple 393interfaces or aliased addresses. 394.It Fl c Ar blowfish|3des|des 395Selects the cipher to use for encrypting the session. 396.Ar 3des 397is used by default. 398It is believed to be secure. 399.Ar 3des 400(triple-des) is an encrypt-decrypt-encrypt triple with three different keys. 401.Ar blowfish 402is a fast block cipher, it appears very secure and is much faster than 403.Ar 3des . 404.Ar des 405is only supported in the 406.Nm 407client for interoperability with legacy protocol 1 implementations 408that do not support the 409.Ar 3des 410cipher. Its use is strongly discouraged due to cryptographic 411weaknesses. 412.It Fl c Ar cipher_spec 413Additionally, for protocol version 2 a comma-separated list of ciphers can 414be specified in order of preference. 415See 416.Cm Ciphers 417for more information. 418.It Fl e Ar ch|^ch|none 419Sets the escape character for sessions with a pty (default: 420.Ql ~ ) . 421The escape character is only recognized at the beginning of a line. 422The escape character followed by a dot 423.Pq Ql \&. 424closes the connection, followed 425by control-Z suspends the connection, and followed by itself sends the 426escape character once. 427Setting the character to 428.Dq none 429disables any escapes and makes the session fully transparent. 430.It Fl f 431Requests 432.Nm 433to go to background just before command execution. 434This is useful if 435.Nm 436is going to ask for passwords or passphrases, but the user 437wants it in the background. 438This implies 439.Fl n . 440The recommended way to start X11 programs at a remote site is with 441something like 442.Ic ssh -f host xterm . 443.It Fl g 444Allows remote hosts to connect to local forwarded ports. 445.It Fl i Ar identity_file 446Selects the file from which the identity (private key) for 447RSA or DSA authentication is read. 448Default is 449.Pa $HOME/.ssh/identity 450in the user's home directory. 451Identity files may also be specified on 452a per-host basis in the configuration file. 453It is possible to have multiple 454.Fl i 455options (and multiple identities specified in 456configuration files). 457.It Fl I Ar smartcard_device 458Specifies which smartcard device to use. The argument is 459the device 460.Nm 461should use to communicate with a smartcard used for storing the user's 462private RSA key. 463.It Fl k 464Disables forwarding of Kerberos tickets and AFS tokens. 465This may also be specified on a per-host basis in the configuration file. 466.It Fl l Ar login_name 467Specifies the user to log in as on the remote machine. 468This also may be specified on a per-host basis in the configuration file. 469.It Fl m Ar mac_spec 470Additionally, for protocol version 2 a comma-separated list of MAC 471(message authentication code) algorithms can 472be specified in order of preference. 473See the 474.Cm MACs 475keyword for more information. 476.It Fl n 477Redirects stdin from 478.Pa /dev/null 479(actually, prevents reading from stdin). 480This must be used when 481.Nm 482is run in the background. 483A common trick is to use this to run X11 programs on a remote machine. 484For example, 485.Ic ssh -n shadows.cs.hut.fi emacs & 486will start an emacs on shadows.cs.hut.fi, and the X11 487connection will be automatically forwarded over an encrypted channel. 488The 489.Nm 490program will be put in the background. 491(This does not work if 492.Nm 493needs to ask for a password or passphrase; see also the 494.Fl f 495option.) 496.It Fl N 497Do not execute a remote command. 498This is useful for just forwarding ports 499(protocol version 2 only). 500.It Fl o Ar option 501Can be used to give options in the format used in the configuration file. 502This is useful for specifying options for which there is no separate 503command-line flag. 504.It Fl p Ar port 505Port to connect to on the remote host. 506This can be specified on a 507per-host basis in the configuration file. 508.It Fl P 509Use a non-privileged port for outgoing connections. 510This can be used if a firewall does 511not permit connections from privileged ports. 512Note that this option turns off 513.Cm RhostsAuthentication 514and 515.Cm RhostsRSAAuthentication 516for older servers. 517.It Fl q 518Quiet mode. 519Causes all warning and diagnostic messages to be suppressed. 520Only fatal errors are displayed. 521.It Fl s 522May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use 523of SSH as a secure transport for other applications (eg. sftp). The 524subsystem is specified as the remote command. 525.It Fl t 526Force pseudo-tty allocation. 527This can be used to execute arbitrary 528screen-based programs on a remote machine, which can be very useful, 529e.g., when implementing menu services. 530Multiple 531.Fl t 532options force tty allocation, even if 533.Nm 534has no local tty. 535.It Fl T 536Disable pseudo-tty allocation. 537.It Fl v 538Verbose mode. 539Causes 540.Nm 541to print debugging messages about its progress. 542This is helpful in 543debugging connection, authentication, and configuration problems. 544Multiple 545.Fl v 546options increases the verbosity. 547Maximum is 3. 548.It Fl x 549Disables X11 forwarding. 550.It Fl X 551Enables X11 forwarding. 552This can also be specified on a per-host basis in a configuration file. 553.It Fl C 554Requests compression of all data (including stdin, stdout, stderr, and 555data for forwarded X11 and TCP/IP connections). 556The compression algorithm is the same used by 557.Xr gzip 1 , 558and the 559.Dq level 560can be controlled by the 561.Cm CompressionLevel 562option (see below). 563Compression is desirable on modem lines and other 564slow connections, but will only slow down things on fast networks. 565The default value can be set on a host-by-host basis in the 566configuration files; see the 567.Cm Compression 568option below. 569.It Fl F Ar configfile 570Specifies an alternative per-user configuration file. 571If a configuration file is given on the command line, 572the system-wide configuration file 573.Pq Pa /etc/ssh_config 574will be ignored. 575The default for the per-user configuration file is 576.Pa $HOME/.ssh/config . 577.It Fl L Ar port:host:hostport 578Specifies that the given port on the local (client) host is to be 579forwarded to the given host and port on the remote side. 580This works by allocating a socket to listen to 581.Ar port 582on the local side, and whenever a connection is made to this port, the 583connection is forwarded over the secure channel, and a connection is 584made to 585.Ar host 586port 587.Ar hostport 588from the remote machine. 589Port forwardings can also be specified in the configuration file. 590Only root can forward privileged ports. 591IPv6 addresses can be specified with an alternative syntax: 592.Ar port/host/hostport 593.It Fl R Ar port:host:hostport 594Specifies that the given port on the remote (server) host is to be 595forwarded to the given host and port on the local side. 596This works by allocating a socket to listen to 597.Ar port 598on the remote side, and whenever a connection is made to this port, the 599connection is forwarded over the secure channel, and a connection is 600made to 601.Ar host 602port 603.Ar hostport 604from the local machine. 605Port forwardings can also be specified in the configuration file. 606Privileged ports can be forwarded only when 607logging in as root on the remote machine. 608IPv6 addresses can be specified with an alternative syntax: 609.Ar port/host/hostport 610.It Fl D Ar port 611Specifies a local 612.Dq dynamic 613application-level port forwarding. 614This works by allocating a socket to listen to 615.Ar port 616on the local side, and whenever a connection is made to this port, the 617connection is forwarded over the secure channel, and the application 618protocol is then used to determine where to connect to from the 619remote machine. Currently the SOCKS4 protocol is supported, and 620.Nm 621will act as a SOCKS4 server. 622Only root can forward privileged ports. 623Dynamic port forwardings can also be specified in the configuration file. 624.It Fl 1 625Forces 626.Nm 627to try protocol version 1 only. 628.It Fl 2 629Forces 630.Nm 631to try protocol version 2 only. 632.It Fl 4 633Forces 634.Nm 635to use IPv4 addresses only. 636.It Fl 6 637Forces 638.Nm 639to use IPv6 addresses only. 640.El 641.Sh CONFIGURATION FILES 642.Nm 643obtains configuration data from the following sources in 644the following order: 645command line options, user's configuration file 646.Pq Pa $HOME/.ssh/config , 647and system-wide configuration file 648.Pq Pa /etc/ssh_config . 649For each parameter, the first obtained value 650will be used. 651The configuration files contain sections bracketed by 652.Dq Host 653specifications, and that section is only applied for hosts that 654match one of the patterns given in the specification. 655The matched host name is the one given on the command line. 656.Pp 657Since the first obtained value for each parameter is used, more 658host-specific declarations should be given near the beginning of the 659file, and general defaults at the end. 660.Pp 661The configuration file has the following format: 662.Pp 663Empty lines and lines starting with 664.Ql # 665are comments. 666.Pp 667Otherwise a line is of the format 668.Dq keyword arguments . 669Configuration options may be separated by whitespace or 670optional whitespace and exactly one 671.Ql = ; 672the latter format is useful to avoid the need to quote whitespace 673when specifying configuration options using the 674.Nm ssh , 675.Nm scp 676and 677.Nm sftp 678.Fl o 679option. 680.Pp 681The possible 682keywords and their meanings are as follows (note that 683keywords are case-insensitive and arguments are case-sensitive): 684.Bl -tag -width Ds 685.It Cm Host 686Restricts the following declarations (up to the next 687.Cm Host 688keyword) to be only for those hosts that match one of the patterns 689given after the keyword. 690.Ql \&* 691and 692.Ql ? 693can be used as wildcards in the 694patterns. 695A single 696.Ql \&* 697as a pattern can be used to provide global 698defaults for all hosts. 699The host is the 700.Ar hostname 701argument given on the command line (i.e., the name is not converted to 702a canonicalized host name before matching). 703.It Cm AFSTokenPassing 704Specifies whether to pass AFS tokens to remote host. 705The argument to this keyword must be 706.Dq yes 707or 708.Dq no . 709This option applies to protocol version 1 only. 710.It Cm BatchMode 711If set to 712.Dq yes , 713passphrase/password querying will be disabled. 714This option is useful in scripts and other batch jobs where no user 715is present to supply the password. 716The argument must be 717.Dq yes 718or 719.Dq no . 720The default is 721.Dq no . 722.It Cm BindAddress 723Specify the interface to transmit from on machines with multiple 724interfaces or aliased addresses. 725Note that this option does not work if 726.Cm UsePrivilegedPort 727is set to 728.Dq yes . 729.It Cm CheckHostIP 730If this flag is set to 731.Dq yes , 732ssh will additionally check the host IP address in the 733.Pa known_hosts 734file. 735This allows ssh to detect if a host key changed due to DNS spoofing. 736If the option is set to 737.Dq no , 738the check will not be executed. 739The default is 740.Dq yes . 741.It Cm Cipher 742Specifies the cipher to use for encrypting the session 743in protocol version 1. 744Currently, 745.Dq blowfish , 746.Dq 3des , 747and 748.Dq des 749are supported. 750.Ar des 751is only supported in the 752.Nm 753client for interoperability with legacy protocol 1 implementations 754that do not support the 755.Ar 3des 756cipher. Its use is strongly discouraged due to cryptographic 757weaknesses. 758The default is 759.Dq 3des . 760.It Cm Ciphers 761Specifies the ciphers allowed for protocol version 2 762in order of preference. 763Multiple ciphers must be comma-separated. 764The default is 765.Pp 766.Bd -literal 767 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, 768 aes192-cbc,aes256-cbc'' 769.Ed 770.It Cm ClearAllForwardings 771Specifies that all local, remote and dynamic port forwardings 772specified in the configuration files or on the command line be 773cleared. This option is primarily useful when used from the 774.Nm 775command line to clear port forwardings set in 776configuration files, and is automatically set by 777.Xr scp 1 778and 779.Xr sftp 1 . 780The argument must be 781.Dq yes 782or 783.Dq no . 784The default is 785.Dq no . 786.It Cm Compression 787Specifies whether to use compression. 788The argument must be 789.Dq yes 790or 791.Dq no . 792The default is 793.Dq no . 794.It Cm CompressionLevel 795Specifies the compression level to use if compression is enabled. 796The argument must be an integer from 1 (fast) to 9 (slow, best). 797The default level is 6, which is good for most applications. 798The meaning of the values is the same as in 799.Xr gzip 1 . 800Note that this option applies to protocol version 1 only. 801.It Cm ConnectionAttempts 802Specifies the number of tries (one per second) to make before falling 803back to rsh or exiting. 804The argument must be an integer. 805This may be useful in scripts if the connection sometimes fails. 806The default is 1. 807.It Cm DynamicForward 808Specifies that a TCP/IP port on the local machine be forwarded 809over the secure channel, and the application 810protocol is then used to determine where to connect to from the 811remote machine. The argument must be a port number. 812Currently the SOCKS4 protocol is supported, and 813.Nm 814will act as a SOCKS4 server. 815Multiple forwardings may be specified, and 816additional forwardings can be given on the command line. Only 817the superuser can forward privileged ports. 818.It Cm EscapeChar 819Sets the escape character (default: 820.Ql ~ ) . 821The escape character can also 822be set on the command line. 823The argument should be a single character, 824.Ql ^ 825followed by a letter, or 826.Dq none 827to disable the escape 828character entirely (making the connection transparent for binary 829data). 830.It Cm FallBackToRsh 831Specifies that if connecting via 832.Nm 833fails due to a connection refused error (there is no 834.Xr sshd 8 835listening on the remote host), 836.Xr rsh 1 837should automatically be used instead (after a suitable warning about 838the session being unencrypted). 839The argument must be 840.Dq yes 841or 842.Dq no . 843The default is 844.Dq no . 845.It Cm ForwardAgent 846Specifies whether the connection to the authentication agent (if any) 847will be forwarded to the remote machine. 848The argument must be 849.Dq yes 850or 851.Dq no . 852The default is 853.Dq no . 854.It Cm ForwardX11 855Specifies whether X11 connections will be automatically redirected 856over the secure channel and 857.Ev DISPLAY 858set. 859The argument must be 860.Dq yes 861or 862.Dq no . 863The default is 864.Dq no . 865.It Cm GatewayPorts 866Specifies whether remote hosts are allowed to connect to local 867forwarded ports. 868By default, 869.Nm 870binds local port forwardings to the loopback addresss. This 871prevents other remote hosts from connecting to forwarded ports. 872.Cm GatewayPorts 873can be used to specify that 874.Nm 875should bind local port forwardings to the wildcard address, 876thus allowing remote hosts to connect to forwarded ports. 877The argument must be 878.Dq yes 879or 880.Dq no . 881The default is 882.Dq no . 883.It Cm GlobalKnownHostsFile 884Specifies a file to use for the global 885host key database instead of 886.Pa /etc/ssh_known_hosts . 887.It Cm HostbasedAuthentication 888Specifies whether to try rhosts based authentication with public key 889authentication. 890The argument must be 891.Dq yes 892or 893.Dq no . 894The default is 895.Dq no . 896This option applies to protocol version 2 only and 897is similar to 898.Cm RhostsRSAAuthentication . 899.It Cm HostKeyAlgorithms 900Specifies the protocol version 2 host key algorithms 901that the client wants to use in order of preference. 902The default for this option is: 903.Dq ssh-rsa,ssh-dss 904.It Cm HostKeyAlias 905Specifies an alias that should be used instead of the 906real host name when looking up or saving the host key 907in the host key database files. 908This option is useful for tunneling ssh connections 909or for multiple servers running on a single host. 910.It Cm HostName 911Specifies the real host name to log into. 912This can be used to specify nicknames or abbreviations for hosts. 913Default is the name given on the command line. 914Numeric IP addresses are also permitted (both on the command line and in 915.Cm HostName 916specifications). 917.It Cm IdentityFile 918Specifies the file from which the user's RSA or DSA authentication identity 919is read (default 920.Pa $HOME/.ssh/identity 921in the user's home directory). 922Additionally, any identities represented by the authentication agent 923will be used for authentication. 924The file name may use the tilde 925syntax to refer to a user's home directory. 926It is possible to have 927multiple identity files specified in configuration files; all these 928identities will be tried in sequence. 929.It Cm KeepAlive 930Specifies whether the system should send keepalive messages to the 931other side. 932If they are sent, death of the connection or crash of one 933of the machines will be properly noticed. 934However, this means that 935connections will die if the route is down temporarily, and some people 936find it annoying. 937.Pp 938The default is 939.Dq yes 940(to send keepalives), and the client will notice 941if the network goes down or the remote host dies. 942This is important in scripts, and many users want it too. 943.Pp 944To disable keepalives, the value should be set to 945.Dq no 946in both the server and the client configuration files. 947.It Cm KerberosAuthentication 948Specifies whether Kerberos authentication will be used. 949The argument to this keyword must be 950.Dq yes 951or 952.Dq no . 953.It Cm KerberosTgtPassing 954Specifies whether a Kerberos TGT will be forwarded to the server. 955This will only work if the Kerberos server is actually an AFS kaserver. 956The argument to this keyword must be 957.Dq yes 958or 959.Dq no . 960.It Cm LocalForward 961Specifies that a TCP/IP port on the local machine be forwarded over 962the secure channel to the specified host and port from the remote machine. 963The first argument must be a port number, and the second must be 964.Ar host:port . 965IPv6 addresses can be specified with an alternative syntax: 966.Ar host/port . 967Multiple forwardings may be specified, and additional 968forwardings can be given on the command line. 969Only the superuser can forward privileged ports. 970.It Cm LogLevel 971Gives the verbosity level that is used when logging messages from 972.Nm ssh . 973The possible values are: 974QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG. 975The default is INFO. 976.It Cm MACs 977Specifies the MAC (message authentication code) algorithms 978in order of preference. 979The MAC algorithm is used in protocol version 2 980for data integrity protection. 981Multiple algorithms must be comma-separated. 982The default is 983.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . 984.It Cm NumberOfPasswordPrompts 985Specifies the number of password prompts before giving up. 986The argument to this keyword must be an integer. 987Default is 3. 988.It Cm PasswordAuthentication 989Specifies whether to use password authentication. 990The argument to this keyword must be 991.Dq yes 992or 993.Dq no . 994The default is 995.Dq yes . 996.It Cm Port 997Specifies the port number to connect on the remote host. 998Default is 22. 999.It Cm PreferredAuthentications 1000Specifies the order in which the client should try protocol 2 1001authentication methods. This allows a client to prefer one method (e.g. 1002.Cm keyboard-interactive ) 1003over another method (e.g. 1004.Cm password ) 1005The default for this option is: 1006.Dq hostbased,publickey,keyboard-interactive,password 1007.It Cm Protocol 1008Specifies the protocol versions 1009.Nm 1010should support in order of preference. 1011The possible values are 1012.Dq 1 1013and 1014.Dq 2 . 1015Multiple versions must be comma-separated. 1016The default is 1017.Dq 2,1 . 1018This means that 1019.Nm 1020tries version 2 and falls back to version 1 1021if version 2 is not available. 1022.It Cm ProxyCommand 1023Specifies the command to use to connect to the server. 1024The command 1025string extends to the end of the line, and is executed with 1026.Pa /bin/sh . 1027In the command string, 1028.Ql %h 1029will be substituted by the host name to 1030connect and 1031.Ql %p 1032by the port. 1033The command can be basically anything, 1034and should read from its standard input and write to its standard output. 1035It should eventually connect an 1036.Xr sshd 8 1037server running on some machine, or execute 1038.Ic sshd -i 1039somewhere. 1040Host key management will be done using the 1041HostName of the host being connected (defaulting to the name typed by 1042the user). 1043Note that 1044.Cm CheckHostIP 1045is not available for connects with a proxy command. 1046.Pp 1047.It Cm PubkeyAuthentication 1048Specifies whether to try public key authentication. 1049The argument to this keyword must be 1050.Dq yes 1051or 1052.Dq no . 1053The default is 1054.Dq yes . 1055This option applies to protocol version 2 only. 1056.It Cm RemoteForward 1057Specifies that a TCP/IP port on the remote machine be forwarded over 1058the secure channel to the specified host and port from the local machine. 1059The first argument must be a port number, and the second must be 1060.Ar host:port . 1061IPv6 addresses can be specified with an alternative syntax: 1062.Ar host/port . 1063Multiple forwardings may be specified, and additional 1064forwardings can be given on the command line. 1065Only the superuser can forward privileged ports. 1066.It Cm RhostsAuthentication 1067Specifies whether to try rhosts based authentication. 1068Note that this 1069declaration only affects the client side and has no effect whatsoever 1070on security. 1071Disabling rhosts authentication may reduce 1072authentication time on slow connections when rhosts authentication is 1073not used. 1074Most servers do not permit RhostsAuthentication because it 1075is not secure (see 1076.Cm RhostsRSAAuthentication ) . 1077The argument to this keyword must be 1078.Dq yes 1079or 1080.Dq no . 1081The default is 1082.Dq yes . 1083This option applies to protocol version 1 only. 1084.It Cm RhostsRSAAuthentication 1085Specifies whether to try rhosts based authentication with RSA host 1086authentication. 1087The argument must be 1088.Dq yes 1089or 1090.Dq no . 1091The default is 1092.Dq yes . 1093This option applies to protocol version 1 only. 1094.It Cm RSAAuthentication 1095Specifies whether to try RSA authentication. 1096The argument to this keyword must be 1097.Dq yes 1098or 1099.Dq no . 1100RSA authentication will only be 1101attempted if the identity file exists, or an authentication agent is 1102running. 1103The default is 1104.Dq yes . 1105Note that this option applies to protocol version 1 only. 1106.It Cm ChallengeResponseAuthentication 1107Specifies whether to use challenge response authentication. 1108The argument to this keyword must be 1109.Dq yes 1110or 1111.Dq no . 1112The default is 1113.Dq yes . 1114.It Cm SmartcardDevice 1115Specifies which smartcard device to use. The argument to this keyword is 1116the device 1117.Nm 1118should use to communicate with a smartcard used for storing the user's 1119private RSA key. By default, no device is specified and smartcard support 1120is not activated. 1121.It Cm StrictHostKeyChecking 1122If this flag is set to 1123.Dq yes , 1124.Nm 1125will never automatically add host keys to the 1126.Pa $HOME/.ssh/known_hosts 1127file, and refuses to connect to hosts whose host key has changed. 1128This provides maximum protection against trojan horse attacks, 1129however, can be annoying when the 1130.Pa /etc/ssh_known_hosts 1131file is poorly maintained, or connections to new hosts are 1132frequently made. 1133This option forces the user to manually 1134add all new hosts. 1135If this flag is set to 1136.Dq no , 1137.Nm 1138will automatically add new host keys to the 1139user known hosts files. 1140If this flag is set to 1141.Dq ask , 1142new host keys 1143will be added to the user known host files only after the user 1144has confirmed that is what they really want to do, and 1145.Nm 1146will refuse to connect to hosts whose host key has changed. 1147The host keys of 1148known hosts will be verified automatically in all cases. 1149The argument must be 1150.Dq yes , 1151.Dq no 1152or 1153.Dq ask . 1154The default is 1155.Dq ask . 1156.It Cm UsePrivilegedPort 1157Specifies whether to use a privileged port for outgoing connections. 1158The argument must be 1159.Dq yes 1160or 1161.Dq no . 1162The default is 1163.Dq no . 1164Note that this option must be set to 1165.Dq yes 1166if 1167.Cm RhostsAuthentication 1168and 1169.Cm RhostsRSAAuthentication 1170authentications are needed with older servers. 1171.It Cm User 1172Specifies the user to log in as. 1173This can be useful when a different user name is used on different machines. 1174This saves the trouble of 1175having to remember to give the user name on the command line. 1176.It Cm UserKnownHostsFile 1177Specifies a file to use for the user 1178host key database instead of 1179.Pa $HOME/.ssh/known_hosts . 1180.It Cm UseRsh 1181Specifies that rlogin/rsh should be used for this host. 1182It is possible that the host does not at all support the 1183.Nm 1184protocol. 1185This causes 1186.Nm 1187to immediately execute 1188.Xr rsh 1 . 1189All other options (except 1190.Cm HostName ) 1191are ignored if this has been specified. 1192The argument must be 1193.Dq yes 1194or 1195.Dq no . 1196.It Cm XAuthLocation 1197Specifies the location of the 1198.Xr xauth 1 1199program. 1200The default is 1201.Pa /usr/X11R6/bin/xauth . 1202.El 1203.Sh ENVIRONMENT 1204.Nm 1205will normally set the following environment variables: 1206.Bl -tag -width Ds 1207.It Ev DISPLAY 1208The 1209.Ev DISPLAY 1210variable indicates the location of the X11 server. 1211It is automatically set by 1212.Nm 1213to point to a value of the form 1214.Dq hostname:n 1215where hostname indicates 1216the host where the shell runs, and n is an integer >= 1. 1217.Nm 1218uses this special value to forward X11 connections over the secure 1219channel. 1220The user should normally not set 1221.Ev DISPLAY 1222explicitly, as that 1223will render the X11 connection insecure (and will require the user to 1224manually copy any required authorization cookies). 1225.It Ev HOME 1226Set to the path of the user's home directory. 1227.It Ev LOGNAME 1228Synonym for 1229.Ev USER ; 1230set for compatibility with systems that use this variable. 1231.It Ev MAIL 1232Set to the path of the user's mailbox. 1233.It Ev PATH 1234Set to the default 1235.Ev PATH , 1236as specified when compiling 1237.Nm ssh . 1238.It Ev SSH_ASKPASS 1239If 1240.Nm 1241needs a passphrase, it will read the passphrase from the current 1242terminal if it was run from a terminal. 1243If 1244.Nm 1245does not have a terminal associated with it but 1246.Ev DISPLAY 1247and 1248.Ev SSH_ASKPASS 1249are set, it will execute the program specified by 1250.Ev SSH_ASKPASS 1251and open an X11 window to read the passphrase. 1252This is particularly useful when calling 1253.Nm 1254from a 1255.Pa .Xsession 1256or related script. 1257(Note that on some machines it 1258may be necessary to redirect the input from 1259.Pa /dev/null 1260to make this work.) 1261.It Ev SSH_AUTH_SOCK 1262Identifies the path of a unix-domain socket used to communicate with the 1263agent. 1264.It Ev SSH_CLIENT 1265Identifies the client end of the connection. 1266The variable contains 1267three space-separated values: client ip-address, client port number, 1268and server port number. 1269.It Ev SSH_ORIGINAL_COMMAND 1270The variable contains the original command line if a forced command 1271is executed. 1272It can be used to extract the original arguments. 1273.It Ev SSH_TTY 1274This is set to the name of the tty (path to the device) associated 1275with the current shell or command. 1276If the current session has no tty, 1277this variable is not set. 1278.It Ev TZ 1279The timezone variable is set to indicate the present timezone if it 1280was set when the daemon was started (i.e., the daemon passes the value 1281on to new connections). 1282.It Ev USER 1283Set to the name of the user logging in. 1284.El 1285.Pp 1286Additionally, 1287.Nm 1288reads 1289.Pa $HOME/.ssh/environment , 1290and adds lines of the format 1291.Dq VARNAME=value 1292to the environment. 1293.Sh FILES 1294.Bl -tag -width Ds 1295.It Pa $HOME/.ssh/known_hosts 1296Records host keys for all hosts the user has logged into that are not 1297in 1298.Pa /etc/ssh_known_hosts . 1299See 1300.Xr sshd 8 . 1301.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa 1302Contains the authentication identity of the user. 1303They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. 1304These files 1305contain sensitive data and should be readable by the user but not 1306accessible by others (read/write/execute). 1307Note that 1308.Nm 1309ignores a private key file if it is accessible by others. 1310It is possible to specify a passphrase when 1311generating the key; the passphrase will be used to encrypt the 1312sensitive part of this file using 3DES. 1313.It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub 1314Contains the public key for authentication (public part of the 1315identity file in human-readable form). 1316The contents of the 1317.Pa $HOME/.ssh/identity.pub 1318file should be added to 1319.Pa $HOME/.ssh/authorized_keys 1320on all machines 1321where the user wishes to log in using protocol version 1 RSA authentication. 1322The contents of the 1323.Pa $HOME/.ssh/id_dsa.pub 1324and 1325.Pa $HOME/.ssh/id_rsa.pub 1326file should be added to 1327.Pa $HOME/.ssh/authorized_keys 1328on all machines 1329where the user wishes to log in using protocol version 2 DSA/RSA authentication. 1330These files are not 1331sensitive and can (but need not) be readable by anyone. 1332These files are 1333never used automatically and are not necessary; they are only provided for 1334the convenience of the user. 1335.It Pa $HOME/.ssh/config 1336This is the per-user configuration file. 1337The format of this file is described above. 1338This file is used by the 1339.Nm 1340client. 1341This file does not usually contain any sensitive information, 1342but the recommended permissions are read/write for the user, and not 1343accessible by others. 1344.It Pa $HOME/.ssh/authorized_keys 1345Lists the public keys (RSA/DSA) that can be used for logging in as this user. 1346The format of this file is described in the 1347.Xr sshd 8 1348manual page. 1349In the simplest form the format is the same as the .pub 1350identity files. 1351This file is not highly sensitive, but the recommended 1352permissions are read/write for the user, and not accessible by others. 1353.It Pa /etc/ssh_known_hosts 1354Systemwide list of known host keys. 1355This file should be prepared by the 1356system administrator to contain the public host keys of all machines in the 1357organization. 1358This file should be world-readable. 1359This file contains 1360public keys, one per line, in the following format (fields separated 1361by spaces): system name, public key and optional comment field. 1362When different names are used 1363for the same machine, all such names should be listed, separated by 1364commas. 1365The format is described on the 1366.Xr sshd 8 1367manual page. 1368.Pp 1369The canonical system name (as returned by name servers) is used by 1370.Xr sshd 8 1371to verify the client host when logging in; other names are needed because 1372.Nm 1373does not convert the user-supplied name to a canonical name before 1374checking the key, because someone with access to the name servers 1375would then be able to fool host authentication. 1376.It Pa /etc/ssh_config 1377Systemwide configuration file. 1378This file provides defaults for those 1379values that are not specified in the user's configuration file, and 1380for those users who do not have a configuration file. 1381This file must be world-readable. 1382.It Pa $HOME/.rhosts 1383This file is used in 1384.Pa \&.rhosts 1385authentication to list the 1386host/user pairs that are permitted to log in. 1387(Note that this file is 1388also used by rlogin and rsh, which makes using this file insecure.) 1389Each line of the file contains a host name (in the canonical form 1390returned by name servers), and then a user name on that host, 1391separated by a space. 1392On some machines this file may need to be 1393world-readable if the user's home directory is on a NFS partition, 1394because 1395.Xr sshd 8 1396reads it as root. 1397Additionally, this file must be owned by the user, 1398and must not have write permissions for anyone else. 1399The recommended 1400permission for most machines is read/write for the user, and not 1401accessible by others. 1402.Pp 1403Note that by default 1404.Xr sshd 8 1405will be installed so that it requires successful RSA host 1406authentication before permitting \s+2.\s0rhosts authentication. 1407If the server machine does not have the client's host key in 1408.Pa /etc/ssh_known_hosts , 1409it can be stored in 1410.Pa $HOME/.ssh/known_hosts . 1411The easiest way to do this is to 1412connect back to the client from the server machine using ssh; this 1413will automatically add the host key to 1414.Pa $HOME/.ssh/known_hosts . 1415.It Pa $HOME/.shosts 1416This file is used exactly the same way as 1417.Pa \&.rhosts . 1418The purpose for 1419having this file is to be able to use rhosts authentication with 1420.Nm 1421without permitting login with 1422.Xr rlogin 1 1423or 1424.Xr rsh 1 . 1425.It Pa /etc/hosts.equiv 1426This file is used during 1427.Pa \&.rhosts authentication. 1428It contains 1429canonical hosts names, one per line (the full format is described on 1430the 1431.Xr sshd 8 1432manual page). 1433If the client host is found in this file, login is 1434automatically permitted provided client and server user names are the 1435same. 1436Additionally, successful RSA host authentication is normally 1437required. 1438This file should only be writable by root. 1439.It Pa /etc/shosts.equiv 1440This file is processed exactly as 1441.Pa /etc/hosts.equiv . 1442This file may be useful to permit logins using 1443.Nm 1444but not using rsh/rlogin. 1445.It Pa /etc/sshrc 1446Commands in this file are executed by 1447.Nm 1448when the user logs in just before the user's shell (or command) is started. 1449See the 1450.Xr sshd 8 1451manual page for more information. 1452.It Pa $HOME/.ssh/rc 1453Commands in this file are executed by 1454.Nm 1455when the user logs in just before the user's shell (or command) is 1456started. 1457See the 1458.Xr sshd 8 1459manual page for more information. 1460.It Pa $HOME/.ssh/environment 1461Contains additional definitions for environment variables, see section 1462.Sx ENVIRONMENT 1463above. 1464.El 1465.Sh AUTHORS 1466OpenSSH is a derivative of the original and free 1467ssh 1.2.12 release by Tatu Ylonen. 1468Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 1469Theo de Raadt and Dug Song 1470removed many bugs, re-added newer features and 1471created OpenSSH. 1472Markus Friedl contributed the support for SSH 1473protocol versions 1.5 and 2.0. 1474.Sh SEE ALSO 1475.Xr rlogin 1 , 1476.Xr rsh 1 , 1477.Xr scp 1 , 1478.Xr sftp 1 , 1479.Xr ssh-add 1 , 1480.Xr ssh-agent 1 , 1481.Xr ssh-keygen 1 , 1482.Xr telnet 1 , 1483.Xr sshd 8 1484.Rs 1485.%A T. Ylonen 1486.%A T. Kivinen 1487.%A M. Saarinen 1488.%A T. Rinne 1489.%A S. Lehtinen 1490.%T "SSH Protocol Architecture" 1491.%N draft-ietf-secsh-architecture-09.txt 1492.%D July 2001 1493.%O work in progress material 1494.Re 1495