34
34
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35
35
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37
.\" $OpenBSD: ssh.1,v 1.266 2006/12/11 21:25:46 markus Exp $
38
.Dd September 25, 1999
37
.\" $OpenBSD: ssh.1,v 1.277 2008/07/02 13:47:39 djm Exp $
38
.Dd $Mdocdate: July 2 2008 $
290
290
The recommended way to start X11 programs at a remote site is with
292
292
.Ic ssh -f host xterm .
295
.Cm ExitOnForwardFailure
296
configuration option is set to
298
then a client started with
300
will wait for all remote port forwards to be successfully established
301
before placing itself in the background.
294
303
Allows remote hosts to connect to local forwarded ports.
295
304
.It Fl I Ar smartcard_device
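Review bot: The added text at new lines 295-301 promises a wait only for "all remote port forwards", so a reader who combines backgrounding with local forwards cannot tell whether those are waited for as well. State explicitly that the guarantee is limited to remote forwards, or list the forward types it covers, since scripts will rely on this sentence to decide when a backgrounded tunnel is ready to use.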
316
325
options (and multiple identities specified in
317
326
configuration files).
319
Enables forwarding (delegation) of GSSAPI credentials to the server.
328
Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI
329
credentials to the server.
321
331
Disables forwarding (delegation) of GSSAPI credentials to the server.
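Review bot: After the change at new lines 328-329 the enabling option covers both "GSSAPI-based authentication and forwarding (delegation)", while the disabling option at 321/331 still speaks only of forwarding, so the two descriptions are no longer opposites. Say whether the disabling option leaves GSSAPI-based authentication in effect, so a user who wants to authenticate without delegating credentials to the server knows which option gives that.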
558
569
option is enabled (see
559
570
.Xr sshd_config 5 ) .
560
571
.It Fl S Ar ctl_path
561
Specifies the location of a control socket for connection sharing.
572
Specifies the location of a control socket for connection sharing,
575
to disable connection sharing.
562
576
Refer to the description of
681
695
but protocol 2 is preferred since
682
696
it provides additional mechanisms for confidentiality
683
697
(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
684
and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
698
and integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160).
685
699
Protocol 1 lacks a strong mechanism for ensuring the
686
700
integrity of the connection.
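Review bot: Style point on new line 698: umac-64 is inserted between hmac-sha1 and hmac-ripemd160, which splits the hmac-* names. Appending it, as in "hmac-md5, hmac-sha1, hmac-ripemd160, umac-64", keeps the existing order intact and makes the addition easier to spot in the rendered page.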
1032
1046
.Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
1034
If the fingerprint is already known,
1035
it can be matched and verified,
1036
and the key can be accepted.
1048
If the fingerprint is already known, it can be matched
1049
and the key can be accepted or rejected.
1050
Because of the difficulty of comparing host keys
1051
just by looking at hex strings,
1052
there is also support to compare host keys visually,
1059
a small ASCII graphic gets displayed on every login to a server, no matter
1060
if the session itself is interactive or not.
1061
By learning the pattern a known server produces, a user can easily
1062
find out that the host key has changed when a completely different pattern
1064
Because these patterns are not unambiguous however, a pattern that looks
1065
similar to the pattern remembered only gives a good probability that the
1066
host key is the same, not guaranteed proof.
1068
To get a listing of the fingerprints along with their random art for
1069
all known hosts, the following command line can be used:
1071
.Dl $ ssh-keygen -lv -f ~/.ssh/known_hosts
1037
1073
If the fingerprint is unknown,
1038
1074
an alternative method of verification is available:
1039
1075
SSH fingerprints verified by DNS.
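Review bot: The sentence at new lines 1064-1066, "Because these patterns are not unambiguous however", carries the key security caveat of this hunk in a double negative. Wording such as "Because different keys can produce similar-looking patterns, a similar pattern only makes it probable that the host key is unchanged" states it directly. At 1048-1049, "the key can be accepted or rejected" also leaves the decision rule implicit; "accepted if it matches, rejected otherwise" would remove the ambiguity that the old "matched and verified" wording at least hinted at.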
1249
1285
but allows host-based authentication without permitting login with
1289
This directory is the default location for all user-specific configuration
1290
and authentication information.
1291
There is no general requirement to keep the entire contents of this directory
1292
secret, but the recommended permissions are read/write/execute for the user,
1293
and not accessible by others.
1252
1295
.It ~/.ssh/authorized_keys
1253
1296
Lists the public keys (RSA/DSA) that can be used for logging in as this user.
1254
1297
The format of this file is described in the
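Review bot: "There is no general requirement to keep the entire contents of this directory secret" at new lines 1291-1292 can be misread as applying to every file in the directory. Add a clause that individual files listed under it may carry stricter requirements of their own, and consider giving the recommended mode in octal (0700) next to "read/write/execute for the user, and not accessible by others" so it can be checked against ls output.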
1433
1477
.%T "The Secure Shell (SSH) Public Key File Format"
1481
.%T "Hash Visualization: a New Technique to improve Real-World Security"
1485
.%O "International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)"
1437
1488
OpenSSH is a derivative of the original and free
1438
1489
ssh 1.2.12 release by Tatu Ylonen.