ssh2(1)
NAME
ssh2, ssh - Secure Shell client remote login application
SYNOPSIS
ssh2 [-l login_name] hostname [command]
ssh2 [-l login_name] [-n] [+a] [-a] [+x] [-x] [-i file] [-F file] [-t] [-v]
[-d debug_level] [-V] [-q] [-f [o]] [-e char] [-c cipher] [-m MAC]
[-p port] [-S] [-L[protocol/]port:host:hostport]
[-R[protocol/]port:host:hostport] [+C] [-C] [-o option] [-h]
[login_name@]hostname [port#] [command]
OPTIONS
-l login_name
Specifies the user for login to the remote system.
-n Redirects input from /dev/null; that is, stdin is not read. This
option can also be specified in the configuration file.
+a Enables authentication agent forwarding (default).
-a Disables authentication agent forwarding.
+x Enables X11 connection forwarding (default).
-x Disables X11 connection forwarding.
-i file
Specifies the identity file for public key authentication. This option
can also be specified in the configuration file.
-F file
Specifies an alternative client configuration file. The default client
configuration file is the /etc/ssh2/ssh2_config file. Each user can
also have their own ssh2_config file in their $HOME/.ssh2 directory,
where $HOME is the name of the user's account. The
/etc/ssh2/ssh2_config file is read first, then the user's copy. The
last obtained value for a keyword is used.
-t Forces tty allocation; that is, allocates a tty even if a command is
given. This option can also be specified in the /etc/ssh2/ssh2_config
configuration file.
-v Enables verbose mode. Displays verbose debugging messages. Equal to the
-d 2 option. This option can also be specified in the
/etc/ssh2/ssh2_config configuration file.
-d debug_level
Prints extensive debug information to stderr. The debug_level argument
is either a number from 0 to 99, where 99 displays all debug
information, or a comma-separated list of assignments.
-V Displays the version string.
-q Disables warning messages. This option can also be specified in the
/etc/ssh2/ssh2_config configuration file.
-f [o]
Forks into background after authentication. The ssh2 command stays in
the background waiting indefinitely for connections. It must be killed
for it to stop listening. The o argument specifies one-shot mode, which
means that once all channels are closed, the ssh2 command exits. This
option can also be specified in the /etc/ssh2/ssh2_config configuration
file.
-e char
Sets the escape character. The default escape character is the tilde
(~). Use none to disable the escape character. This option can also be
specified in the /etc/ssh2/ssh2_config configuration file.
-c cipher
Specifies the encryption algorithm to use. See the Ciphers keyword in
the ssh2_config(4) for more information. Multiple -c options are
allowed; a single -c option can specify only one cipher.
-m MAC
Specifies the MAC (Message Authentication Code) algorithm. See the MACs
keyword in the ssh2_config(4) for more information. Multiple -m options
are allowed; a single -m option can have only one MAC.
-p port
Specifies the port to connect to on the remote system. This option can
also be specified in the /etc/ssh2/ssh2_config configuration file.
-S Disables requests for a session channel. This can be used with port-
forwarding requests, if a session channel (and tty) is not needed, or
the server does not give one.
-L [protocol/]port:host:hostport
Specifies that the given port on the local (client) system is to be
forwarded to the specified host and port on the remote system. This
allocates a socket to listen to port on the local system. Whenever a
connection is made to this port, the connection is forwarded over the
secure channel, and a connection is made to the host:hostport argument
from the remote system. Only root can forward privileged ports. The
argument protocol enables the protocol-specific forwarding. The
protocols implemented are tcp (default, no special processing) and ftp.
Temporary forwardings are created for ftp data channels, effectively
securing the whole ftp session. This option can also be specified in
the /etc/ssh2/ssh2_config configuration file.
-R [protocol/]port:host:hostport
Specifies that the given port on the remote (server) system is to be
forwarded to the specified host and port on the local system. This
allocates a socket to listen to port on the remote system. Whenever a
connection is made to this port, the connection is forwarded over the
secure channel, and a connection is made to the host:hostport argument
from the local system. Only root can forward privileged ports on the
remote system. The argument protocol enables the protocol-specific
forwarding. The protocols implemented are tcp (default, no special
processing) and ftp. Temporary forwardings are created for ftp data
channels, effectively securing the whole ftp session. This option can
also be specified in the /etc/ssh2/ssh2_config configuration file.
+C Enables compression.
-C Disables compression (default).
-o option
Specifies an option in the format used in the /etc/ssh2/ssh2_config
configuration file. This is useful for specifying an option for which
there is no command-line option. Comment lines are not accepted with
this option.
-h Displays help on ssh2 command options.
DESCRIPTION
The ssh2 command creates a secure network connection between a Secure Shell
client and server for remote log in and command execution. The ssh2
command is intended as a secure replacement for the rlogin and rsh
commands. X11 connections and arbitrary TCP/IP connections can also be
forwarded over the secure connection. Forwarding of arbitrary TCP/IP
connections over the secure channel can be specified either on the command
line or in the /etc/ssh2/ssh2_config configuration file. TCP/IP forwarding
can be used for secure connections to electronic purses or for going
through firewalls.
When the user enters the ssh2 command, the client establishes a session
with the server and must prove the user's identity to the server by using
an authentication method, which can be password authentication, public key
authentication, or host-based authentication. (See the
AllowedAuthentications keyword in ssh2_config(4) for more information.)
When the user's identity has been accepted by the server, the server
executes the given command or logs in to the system and gives the user a
normal shell on the remote system. All communication with the remote
command or shell will be automatically encrypted. If no pseudoterminal has
been allocated, the session is transparent and can be used to reliably
transfer binary data.
The session terminates when the command or shell on the remote system exits
and all X11 and TCP/IP connections have been closed. The exit status of the
remote program is returned as the exit status of the ssh2 command.
If the user is using X11, the ssh2 command sets the DISPLAY environment
variable to point to the server system, but with a display number greater
than zero. This happens because the ssh2 command creates a proxy X server
on the server system for forwarding the connections over the encrypted
channel. The user should not manually set the DISPLAY environment variable.
Forwarding of X11 connections can be configured on the command line or in
the /etc/ssh2/ssh2_config configuration file and in the
/etc/ssh2/sshd2_config configuration file. The connection to the X11
display is automatically forwarded to the remote system in such a way that
any X11 programs started from the shell (or command) will go through the
encrypted channel, and the connection to the real X server will be made
from the local system.
The ssh2 command will also automatically set up the Xauthority data on the
server system. For this purpose, it will generate a random authentication
cookie, store it in the Xauthority data on the server, and verify that any
forwarded connections carry this cookie and replace it with the real cookie
when the connection is opened. The real authentication cookie is never
sent to the server system (and no cookies are sent in plain text).
The ssh2 command automatically maintains and checks a database containing
the host public keys. When logging on to a host for the first time, the
host's public key is stored in a .ssh2/hostkey_PORTNUMBER_HOSTNAME.pub file
in the user's home directory. If a host's identification changes, the ssh2
command issues a warning and disables the password authentication to
prevent a Trojan horse from getting the user's password. Another purpose
of this mechanism is to prevent man-in-the-middle attacks, which could be
used to circumvent the encryption.
The ssh2 command has built-in support for SOCKS Version 4 for traversing
firewalls. See ENVIRONMENT VARIABLES for more information.
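The host key check described above (first contact stores the key; a changed key produces a warning and disables password authentication; StrictHostKeyChecking yes stops automatic additions), written out as an added example. This is not code from ssh2 itself: a dict stands in for the $HOME/.ssh2/hostkeys and /etc/ssh2/hostkeys directories, and the `strict` parameter and return values are assumptions for illustration.

```python
"""Constructed model of the ssh2 host key database lookup and verdict."""
from dataclasses import dataclass, field


@dataclass
class HostKeyStore:
    # A dict stands in for $HOME/.ssh2/hostkeys (written automatically)
    # and /etc/ssh2/hostkeys (never written automatically).
    user_keys: dict = field(default_factory=dict)
    system_keys: dict = field(default_factory=dict)


def hostkey_filename(port: int, host: str) -> str:
    """File name of the stored key for host:port (xxxx = port, yyyy = host)."""
    return f"key_{port}_{host}.pub"


def check_host_key(store, host, port, presented_key, strict=False):
    """Compare the key the server presented with the stored one.

    Returns (verdict, password_auth_allowed); verdict is one of
    'match', 'new', 'changed' or 'rejected'.  strict=True mirrors
    StrictHostKeyChecking yes: unknown keys are never added automatically.
    """
    name = hostkey_filename(port, host)
    stored = store.user_keys.get(name)          # user's directory first,
    if stored is None:
        stored = store.system_keys.get(name)    # then the system-wide one
    if stored is None:
        if strict:
            return "rejected", False
        store.user_keys[name] = presented_key   # trust on first use
        return "new", True
    if stored == presented_key:
        return "match", True
    # The host's identification changed: warn and refuse to send a
    # password so a spoofed or man-in-the-middle host cannot capture it.
    # The stored key is deliberately left untouched.
    print(f"WARNING: host key for {host}:{port} has changed; password "
          f"authentication disabled. Verify the new key before replacing "
          f"{name} by hand.")
    return "changed", False
```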
CONFIGURATION FILES
The ssh2 command obtains configuration data from the following sources (in
this order). The last obtained value is used.
1. The system default configuration file (/etc/ssh2/ssh2_config) or the
file specified with the -F option.
2. The user's configuration file ($HOME/.ssh2/ssh2_config).
3. Command-line options.
ESCAPE SEQUENCES
The ssh2 command supports the following escape sequences, which give you
some control over the session. For an escape sequence to take effect, you
must enter a newline character (press the Enter key), then the escape
character and the character for the task: for example, a newline, a tilde
(~), and the appropriate character.
~. Terminates the connection.
~Ctrl/Z
Suspends the session. Simultaneously press the Ctrl key and the Z key.
~~ Sends the escape character.
~# Lists forwarded connections.
~- Disables the escape character.
~? Displays escape sequences.
~r Initiates rekeying manually.
~s Displays statistics about the connection, including server and client
version, compression, packets in, packets out, key exchange algorithms,
public key algorithms, and symmetric ciphers.
~V Displays the client version number to stderr (useful for
troubleshooting).
ENVIRONMENT VARIABLES
The ssh2 command will set the following environment variables.
Additionally, the ssh2 command reads the /etc/environment file and the
$HOME/.ssh2/environment file and adds lines of the format VARNAME=value to
the environment.
DISPLAY
Indicates the location of the X11 server. It is automatically set to
point to a value of the form hostname:n, where hostname is the host
where the shell runs, and n is an integer >= 1. The ssh2 command uses
this special value to forward X11 connections over the secure channel.
The user should normally not set the DISPLAY environment variable, as
that will render the X11 connection insecure (and will require the user
to manually copy any required authorization cookies).
HOME
Set to the path of the user's home directory.
LOGNAME
Synonym for USER; set for compatibility with systems that use this
variable.
MAIL
Set to point to the user's mailbox.
PATH
Set to the default PATH, as specified when compiling the ssh2 command or,
on some systems, in /etc/environment or /etc/default/login.
SSH_SOCKS_SERVER
If SOCKS is used, it is configured with this variable. The format of
the variable is:
socks://username@socks_server:port/network/netmask,network/netmask...
For example, setting the environment variable SSH_SOCKS_SERVER to
socks://mylogin@socks.ssh.com:1080/203.123.0.0/16,198.74.23.0/24 uses
host socks.ssh.com port 1080 as the SOCKS server if a connection is
attempted outside of the networks 203.123.0.0 (16 bit domain) and
198.74.23.0 (8 bit domain), which are connected directly.
A default value for the SSH_SOCKS_SERVER variable can be specified at
compile time by specifying --with-socks-server=VALUE on the configure
command line when compiling the ssh2 command. The default value can be
cancelled by setting SSH_SOCKS_SERVER to an empty string and overridden
by setting SSH_SOCKS_SERVER to a new value. If the SSH_SOCKS_SERVER
variable is set, it should contain a local loopback network
(127.0.0.0/8) as the network that is connected directly.
SSH2_AUTH_SOCK
If this exists, it is used to indicate the path of a unix-domain socket
used to communicate with the authentication agent (or its local
representative).
SSH2_CLIENT
Identifies the client of the connection. The variable contains the
following space-separated values: client ip-address, client port
number, host ip-address, and server port number.
SSH2_ORIGINAL_COMMAND
This is the original command given to the ssh2 command when a forced
command is run. For example, it can be used to fetch arguments from the
other system. It does not have to be a real command; it can be the name
of a file, a device, parameters, or anything else.
SSH2_TTY
Set to the name of the tty (path to the device) associated with the
current shell or command. If the current session has no tty, this
variable is not set.
TZ Set to the present time zone if it was set when the daemon was
started. The daemon passes the value to new connections.
USER
Set to the name of the user logging in.
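The SSH_SOCKS_SERVER format from the entry above, parsed and applied as an added example that is not part of the ssh2 sources: it decides whether a destination is connected directly or goes via the SOCKS server, and flags a value that omits the 127.0.0.0/8 loopback network the manual says should be listed. The function names and the returned dict layout are assumptions for illustration; the sample value is the one from the manual.

```python
"""Constructed parser for the ssh2 SSH_SOCKS_SERVER variable."""
import ipaddress
from urllib.parse import urlsplit


def parse_socks_server(value: str):
    """Parse socks://user@server:port/net/mask,net/mask... into a dict.

    An empty string means 'no SOCKS server' (the manual's way of
    cancelling a compiled-in default), so None is returned for it.
    """
    if not value:
        return None
    u = urlsplit(value)
    if u.scheme != "socks" or u.hostname is None or u.port is None:
        raise ValueError(f"malformed SSH_SOCKS_SERVER: {value!r}")
    direct = []
    for item in u.path.lstrip("/").split(","):
        if item:
            # strict=False tolerates host bits set in the network part
            direct.append(ipaddress.ip_network(item, strict=False))
    return {"user": u.username, "host": u.hostname,
            "port": u.port, "direct": direct}


def route_for(cfg, dest_ip: str) -> str:
    """'direct' when dest_ip lies in a directly connected network (or no
    SOCKS server is configured), otherwise 'socks'."""
    if cfg is None:
        return "direct"
    addr = ipaddress.ip_address(dest_ip)
    return "direct" if any(addr in n for n in cfg["direct"]) else "socks"


def missing_loopback(cfg) -> bool:
    """True when the configuration would send loopback traffic through the
    SOCKS server, i.e. 127.0.0.0/8 is not among the direct networks."""
    if cfg is None:
        return False
    lo = ipaddress.ip_address("127.0.0.1")
    return not any(lo in n for n in cfg["direct"])
```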
FILES
$HOME/.ssh2/random_seed
Contains a seed for the random number generator.
$HOME/.ssh2/ssh2_config
Contains user specific configuration information.
$HOME/.ssh2/identification
Contains information on how the user wishes to authenticate himself
when contacting a specific host. The identification file has the same
general syntax as the configuration files. The following keywords can
be used:
IdKey This is followed by the file name of a private key in the
$HOME/.ssh2 directory used for identification when contacting a
host. If there is more than one IdKey, they are tried in the
order that they appear in the identification file.
PgpSecretKeyFile
This is followed by the file name of the user's OpenPGP private
keyring in the $HOME/.ssh2 directory. The OpenPGP keys listed
after this line are expected to be found in this file. Keys
identified with the IdPgpKey* keywords are used in the same way as
those identified with the IdKey keyword.
IdPgpKeyName
This is followed by the OpenPGP key name of the key in the
PgpSecretKeyFile file.
IdPgpKeyFingerprint
This is followed by the OpenPGP key fingerprint of the key in
the PgpSecretKeyFile file.
IdPgpKeyId
This is followed by the OpenPGP key ID of the key in the
PgpSecretKeyFile file.
$HOME/.ssh2/authorization
Contains information on how the server will verify the identity of a
user. The authorization file has the same general syntax as the
configuration files. The following keywords can be used:
Key This is followed by the file name of a public key in the
$HOME/.ssh2 directory used for identification when contacting
the host. More than one key is acceptable for login.
PgpPublicKeyFile
This is followed by the file name of the user's OpenPGP public
keyring in the $HOME/.ssh2 directory. OpenPGP keys listed after
this line are expected to be found in this file. Keys identified
with the PgpKey* keywords are used in the same way as those
identified with the Key keyword.
PgpKeyName
This is followed by the OpenPGP key name.
PgpKeyFingerprint
This is followed by the OpenPGP key fingerprint.
PgpKeyId
This is followed by the OpenPGP key ID.
Command This keyword, if used, must follow the Key or PgpKey* keyword.
This is used to specify a forced command that will be executed
on the server when the user is authenticated. The command
supplied by the user (if any) is put in the environment
variable SSH2_ORIGINAL_COMMAND.
The command is run on a pseudoterminal if the connection
requests a pseudoterminal; otherwise it is run without a
terminal.
This keyword might be useful for restricting certain public
keys to perform a specific operation. For example, a key that
permits remote backups but nothing else.
A client can specify TCP/IP and/or X11 forwardings, unless they
are explicitly prohibited.
$HOME/.ssh2/hostkeys/key_xxxx_yyyy.pub
These files are the public keys of the hosts to which you connect. They
are updated automatically, unless you have set the
StrictHostKeyChecking parameter to yes in the ssh2_config file. If a
host's key changes, you should put the key here only if you are sure
that the new key is valid; for example, that there was no man-in-the-
middle attack. The xxxx is the port on the server where the sshd2
daemon runs, and the yyyy is the host (specified on the command line).
/etc/ssh2/hostkeys/key_xxxx_yyyy.pub
If a host key is not found from the user's $HOME/.ssh2/hostkeys
directory, this is the next location to be checked. These files have to
be updated manually; no files are put here automatically.
$HOME/.rhosts
Contains a list of remote users who are not required to supply a
password when they use the ssh2 command to log in. Before the user can
log in, the sshd2 daemon requires public host key authentication in
addition to validating the host name retrieved from domain name
servers.
The file must be writable only by the user; it should not be accessible
by others. You can use +@group to specify a netgroup. Negated entries
start with a minus sign (-).
This file is also used by the rlogind and rshd daemons.
See .rhosts(4) for more information about the .rhosts file.
$HOME/.shosts
This file is the same as the .rhosts file except that only the sshd2
daemon uses it.
/etc/hosts.equiv
Contains the names of remote hosts and users that are equivalent to the
local host or user. An equivalent host or user is allowed to use the
ssh2 command to log in to such an account without supplying a password.
Additionally, successful host-based authentication is normally
required. This file must be writable only by root and should be
readable by world.
You can use +@group to specify a netgroup. Negated entries start with
a minus sign (-).
Note
The only valid use for user names should be in negated entries.
Specified user names in the hosts.equiv file can log in as anybody
including bin, daemon, adm, and other accounts that own critical
binaries and directories.
This file is also used by the rlogind and rshd daemons.
See hosts.equiv(4) for more information about the hosts.equiv file.
/etc/shosts.equiv
This file is the same as the hosts.equiv file except that only the
sshd2 daemon uses it.
$HOME/.ssh2/knownhosts/xxxxyyyy.pub
Contains the public host keys of hosts that users need to log in to
when using host based authentication.
The xxxx is the fully qualified domain name (FQDN) and yyyy is the
public key algorithm. Public key algorithms are ssh-dss and ssh-rsa.
For example, if the FQDN for a host is server1.foo.fi and it has a key
algorithm of ssh-dss, the host key would be server1.foo.fi.ssh-dss.pub
in the knownhosts directory.
A user must add the host name to a $HOME/.shosts file or an
$HOME/.rhosts file.
/etc/ssh2/knownhosts/xxxxyyyy.pub
Same as the $HOME/.ssh2/knownhosts/xxxxyyyy.pub file, but system-wide.
This file is overridden if the user puts a file with the same name in
the $HOME/.ssh2/knownhosts directory.
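A forced command of the kind the Command keyword above is meant for (a key that "permits remote backups but nothing else"), written as an added example rather than anything shipped with ssh2. It assumes the authorization file names this script after the Key line, for instance `Command /usr/local/bin/backup-only.py` (hypothetical path), and that the allowlist below is what the key holder is entitled to; the request arrives in SSH2_ORIGINAL_COMMAND as the manual describes.

```python
"""Constructed forced-command wrapper: only an allowlisted request is run."""
import os
import shlex
import sys

# Constructed allowlist: the word the client may send -> the exact argv
# that is executed for it.  Nothing the client sends reaches a shell.
ALLOWED = {
    "backup-home": ("tar", "-cf", "-", "/home/backup"),
    "backup-list": ("ls", "-l", "/home/backup"),
}


def resolve_forced_command(original: str):
    """Map SSH2_ORIGINAL_COMMAND to a permitted argv tuple, or None.

    None is returned for an empty request (plain login attempt), for a
    request that is not exactly one allowlisted word, and for input that
    shlex cannot parse (for example an unterminated quote).
    """
    if not original:
        return None
    try:
        words = shlex.split(original)
    except ValueError:
        return None
    if len(words) != 1:          # extra words, separators or options: refuse
        return None
    return ALLOWED.get(words[0])


def main() -> int:
    argv = resolve_forced_command(os.environ.get("SSH2_ORIGINAL_COMMAND", ""))
    if argv is None:
        sys.stderr.write("request not permitted for this key\n")
        return 2
    # execvp replaces this process; the tar/ls exit status becomes the
    # exit status the remote ssh2 client sees.
    os.execvp(argv[0], list(argv))
    return 1   # not reached


if __name__ == "__main__":
    sys.exit(main())
```

The client still may request TCP/IP or X11 forwardings unless they are prohibited, as the manual notes; this wrapper only constrains the command.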
LEGAL NOTICES
SSH is a registered trademark of SSH Communication Security Ltd.
SEE ALSO
Commands: scp2(1), sftp(1), rlogin(1), rsh(1), telnet(1)
Files: ssh2_config(4)