4
4
ssh - OpenSSH SSH client (remote login program)
7
ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]
7
ssh [-1246AaCfgKkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]
8
8
[-D [bind_address:]port] [-e escape_char] [-F configfile]
9
9
[-i identity_file] [-L [bind_address:]port:host:hostport]
10
10
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
130
130
The recommended way to start X11 programs at a remote site is
131
131
with something like ssh -f host xterm.
133
If the ExitOnForwardFailure configuration option is set to
134
``yes'', then a client started with -f will wait for all remote
135
port forwards to be successfully established before placing it-
136
self in the background.
133
138
-g Allows remote hosts to connect to local forwarded ports.
135
140
-I smartcard_device
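Review bot: The new ExitOnForwardFailure paragraph under -f says the client waits for "all remote port forwards", which leaves it unclear whether local (-L) and dynamic (-D) forwards are also waited on before the client backgrounds itself. State explicitly which forward types are covered, because scripts that treat a returned ssh -f as "the tunnel is up" will otherwise race their first connection.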
147
152
multiple -i options (and multiple identities specified in config-
155
-K Enables GSSAPI-based authentication and forwarding (delegation)
156
of GSSAPI credentials to the server.
150
158
-k Disables forwarding (delegation) of GSSAPI credentials to the
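Review bot: The added -K entry describes delegating GSSAPI credentials to the server but gives no guidance on when that is appropriate, and it sits directly above -k without saying how the two interact. Add a sentence noting that delegated credentials become usable on the remote host, so -K belongs only with servers the user trusts, and state which option wins if both -K and -k are given.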
272
280
UserKnownHostsFile
277
286
Port to connect to on the remote host. This can be specified on
278
287
a per-host basis in the configuration file.
280
-q Quiet mode. Causes all warning and diagnostic messages to be
289
-q Quiet mode. Causes most warning and diagnostic messages to be
283
292
-R [bind_address:]port:host:hostport
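Review bot: In the -q entry, changing "all" to "most" no longer tells the reader which messages survive quiet mode. Name the class of messages that is still printed, so users who pass -q in scripts know what can still reach their error output.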
371
380
protocols support similar authentication methods, but protocol 2 is pre-
372
381
ferred since it provides additional mechanisms for confidentiality (the
373
382
traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and
374
integrity (hmac-md5, hmac-sha1, hmac-ripemd160). Protocol 1 lacks a
375
strong mechanism for ensuring the integrity of the connection.
383
integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160). Protocol 1
384
lacks a strong mechanism for ensuring the integrity of the connection.
377
386
The methods available for authentication are: GSSAPI-based authentica-
378
387
tion, host-based authentication, public key authentication, challenge-re-
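Review bot: The integrity list now reads "hmac-md5, hmac-sha1, umac-64, hmac-ripemd160"; if these entries are meant to be the names a user passes to -m mac_spec, check that "umac-64" is the exact token accepted there. If it is only a short name, mark it as such so the list can be copied into a mac_spec without trial and error.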
569
578
$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
571
If the fingerprint is already known, it can be matched and verified, and
572
the key can be accepted. If the fingerprint is unknown, an alternative
573
method of verification is available: SSH fingerprints verified by DNS.
574
An additional resource record (RR), SSHFP, is added to a zonefile and the
575
connecting client is able to match the fingerprint with that of the key
580
If the fingerprint is already known, it can be matched and the key can be
581
accepted or rejected. Because of the difficulty of comparing host keys
582
just by looking at hex strings, there is also support to compare host
583
keys visually, using random art. By setting the VisualHostKey option to
584
``yes'', a small ASCII graphic gets displayed on every login to a server,
585
no matter if the session itself is interactive or not. By learning the
586
pattern a known server produces, a user can easily find out that the host
587
key has changed when a completely different pattern is displayed. Be-
588
cause these patterns are not unambiguous however, a pattern that looks
589
similar to the pattern remembered only gives a good probability that the
590
host key is the same, not guaranteed proof.
592
To get a listing of the fingerprints along with their random art for all
593
known hosts, the following command line can be used:
595
$ ssh-keygen -lv -f ~/.ssh/known_hosts
597
If the fingerprint is unknown, an alternative method of verification is
598
available: SSH fingerprints verified by DNS. An additional resource
599
record (RR), SSHFP, is added to a zonefile and the connecting client is
600
able to match the fingerprint with that of the key presented.
578
602
In this example, we are connecting a client to a server,
579
603
``host.example.com''. The SSHFP resource records should first be added
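Review bot: The VisualHostKey paragraph ends by conceding that a similar-looking pattern is "not guaranteed proof" but never tells the user what to do in that case. Add that the hex fingerprint from ssh-keygen -l remains the check to fall back on when the random art looks unfamiliar or only roughly similar, and reword "Because these patterns are not unambiguous however" to something plainer such as "Because different keys can produce similar patterns". The clause "no matter if the session itself is interactive or not" also deserves a second look, since nobody is watching the art in a non-interactive run.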
711
735
host-based authentication without permitting login with
739
This directory is the default location for all user-specific con-
740
figuration and authentication information. There is no general
741
requirement to keep the entire contents of this directory secret,
742
but the recommended permissions are read/write/execute for the
743
user, and not accessible by others.
714
745
~/.ssh/authorized_keys
715
746
Lists the public keys (RSA/DSA) that can be used for logging in
716
747
as this user. The format of this file is described in the
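Review bot: In the new ~/.ssh description, "There is no general requirement to keep the entire contents of this directory secret" comes before the recommended permissions and is easy to read as licence to leave the directory open. Lead with the recommendation, give it as a mode as well as in words (read/write/execute for the user only is 0700), and say which files in the directory do have to stay private.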
823
854
The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006.
856
A. Perrig and D. Song, Hash Visualization: a New Technique to improve
857
Real-World Security, 1999, International Workshop on Cryptographic
858
Techniques and E-Commerce (CrypTEC '99).
826
861
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
827
862
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
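Review bot: The added Perrig and Song entry puts the year before the venue ("1999, International Workshop on Cryptographic Techniques and E-Commerce"), while the RFC 4716 entry just above it ends with the year. Move "1999" to the end of the entry so the reference list stays consistent, and capitalize "improve" if the title is meant to be in title case.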