ssh - OpenSSH SSH client (remote login program)
SYNOPSIS
ssh [-l login_name? hostname | user@hostname [command? ssh [-afgknqstvxACNPTX1246? [-b bind_address? [-c cipher_spec? [-e escape_char? [-i identity_file? [-l login_name? [-m mac_spec? [-o option? [-p port? [-F configfile? host:hostport? host:hostport? [-D port? hostname | user@hostname [command?
DESCRIPTION
ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel.
ssh connects and logs into the specified hostname. The user must prove his/her identity to the remote machine using one of several methods depending on the protocol version used:
SSH protocol version 1
First, if the machine the user logs in from is listed in /etc/hosts.equiv or /etc/ssh/shosts.equiv on the remote machine, and the user names are the same on both sides, the user is immediately permitted to log in. Second, if .rhosts or .shosts exists in the user's home directory on the remote machine and contains a line containing the name of the client machine and the name of the user on that machine, the user is permitted to log in. This form of authentication alone is normally not allowed by the server because it is not secure.
The second authentication method is the rhosts or hosts.equiv method combined with RSA-based host authentication. It means that if the login would be permitted by $HOME/.rhosts, $HOME/.shosts, /etc/hosts.equiv, or /etc/ssh/shosts.equiv, and if additionally the server can verify the client's host key (see /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts in the FILES section), only then login is permitted. This authentication method closes secu- rity holes due to IP spoofing, DNS spoofing and routing spoofing. /etc/hosts.equiv, $HOME/.rhosts, and the rlogin/rsh protocol in general, are inherently insecure and should be disabled if security is desired.
As a third authentication method, ssh supports RSA based authentication. The scheme is based on public-key cryptog- raphy: there are cryptosystems where encryption and decryption are done using separate keys, and it is not possible to derive the decryption key from the encryption key. RSA is one such system. The idea is that each user creates a pub- lic/private key pair for authentication purposes. The server knows the public key, and only the user knows the private key. The file $HOME/.ssh/authorized_keys lists the public keys that are permitted for logging in. When the user logs in, the ssh program tells the server which key pair it would like to use for authentication. The server checks if this key is permitted, and if so, sends the user (actually the ssh program running on behalf of the user) a challenge, a random number, encrypted by the user's public key. The challenge can only be decrypted using the proper private key. The user's client then decrypts the challenge using the private key, proving that he/she knows the private key but without disclosing it to the server.
ssh implements the RSA authentication protocol automati- cally. The user creates his/her RSA key pair by running ssh-keygen(1). This stores the private key in $HOME/.ssh/identity and the public key in $HOME/.ssh/identity.pub in the user's home directory. The user should then copy the identity.pub to $HOME/.ssh/authorized_keys in his/her home directory on the remote machine (the authorized_keys file corresponds to the conventional $HOME/.rhosts file, and has one key per line, though the lines can be very long). After this, the user can log in without giving the password. RSA authentication is much more secure than rhosts authentication.
The most convenient way to use RSA authentication may be with an authentication agent. See ssh-agent(1) for more information.
If other authentication methods fail, ssh prompts the user for a password. The password is sent to the remote host for checking; however, since all communications are encrypted, the password cannot be seen by someone listening on the net- work.
SSH protocol version 2
When a user connects using the protocol version 2 different authentication methods are available. Using the default values for !PreferredAuthentications?, the client will try to authenticate first using the hostbased method; if this method fails public key authentication is attempted, and finally if this method fails keyboard-interactive and pass- word authentication are tried.
The public key method is similar to RSA authentication described in the previous section and allows the RSA or DSA algorithm to be used: The client uses his private key, $HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa, to sign the session identifier and sends the result to the server. The server checks whether the matching public key is listed in $HOME/.ssh/authorized_keys and grants access if both the key is found and the signature is correct. The session identi- fier is derived from a shared Diffie-Hellman value and is only known to the client and the server.
If public key authentication fails or is not available a password can be sent encrypted to the remote host for prov- ing the user's identity.
Additionally, ssh supports hostbased or challenge response authentication.
Protocol 2 provides additional mechanisms for confidentiality (the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) and integrity (hmac-md5, hmac-sha1). Note that protocol 1 lacks a strong mechanism for ensuring the integrity of the connection.
Login session and remote execution
When the user's identity has been accepted by the server, the server either executes the given command, or logs into the machine and gives the user a normal shell on the remote machine. All communication with the remote command or shell will be automatically encrypted.
If a pseudo-terminal has been allocated (normal login ses- sion), the user may use the escape characters noted below.
If no pseudo tty has been allocated, the session is trans- parent and can be used to reliably transfer binary data. On most systems, setting the escape character to ``none'' will also make the session transparent even if a tty is used.
The session terminates when the command or shell on the remote machine exits and all X11 and TCP/IP connections have been closed. The exit status of the remote program is returned as the exit status of ssh.
Escape Characters
When a pseudo terminal has been requested, ssh supports a number of functions through the use of an escape character.
A single tilde character can be sent as ~ or by following the tilde by a character other than those described below. The escape character must always follow a newline to be interpreted as special. The escape character can be changed in configuration files using the !EscapeChar? configuration directive or on the command line by the -e option.
The supported escapes (assuming the default ) are:
X11 and TCP forwarding
If the ForwardX11 variable is set to ``yes'' (or, see thedescription of the -X and -x options described later) andthe user is using X11 (the DISPLAY environment variable is set), the connection to the X11 display is automatically forwarded to the remote side in such a way that any X11 pro- grams started from the shell (or command) will go through the encrypted channel, and the connection to the real X server will be made from the local machine. The user should not manually set DISPLAY. Forwarding of X11 connections can be configured on the command line or in configuration files.
The DISPLAY value set by ssh will point to the server machine, but with a display number greater than zero. This is normal, and happens because ssh creates a ``proxy'' X server on the server machine for forwarding the connections over the encrypted channel.
ssh will also automatically set up Xauthority data on the server machine. For this purpose, it will generate a random authorization cookie, store it in Xauthority on the server, and verify that any forwarded connections carry this cookie and replace it by the real cookie when the connection is opened. The real authentication cookie is never sent to the server machine (and no cookies are sent in the plain).
If the user is using an authentication agent, the connection to the agent is automatically forwarded to the remote side unless disabled on the command line or in a configuration file.
Forwarding of arbitrary TCP/IP connections over the secure channel can be specified either on the command line or in a configuration file. One possible application of TCP/IP for- warding is a secure connection to an electronic purse; another is going through firewalls.
Server authentication
ssh automatically maintains and checks a database containing identifications for all hosts it has ever been used with. Host keys are stored in $HOME/.ssh/known_hosts in the user's home directory. Additionally, the file /etc/ssh/ssh_known_hosts is automatically checked for known hosts. Any new hosts are automatically added to the user's file. If a host's identification ever changes, ssh warns about this and disables password authentication to prevent a trojan horse from getting the user's password. Another pur- pose of this mechanism is to prevent man-in-the-middle attacks which could otherwise be used to circumvent the encryption. The !StrictHostKeyChecking? option (see below) can be used to prevent logins to machines whose host key is not known or has changed.
The options are as follows:
CONFIGURATION FILES
ssh obtains configuration data from the following sources in the following order: command line options, user's configuration file ($HOME/.ssh/config), and system-wide configuration file (/etc/ssh/ssh_config). For each parameter, the first obtained value will be used. The configuration files con- tain sections bracketed by ``Host'' specifications, and that section is only applied for hosts that match one of the pat- terns given in the specification. The matched host name is the one given on the command line.
Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end.
The configuration file has the following format:
Empty lines and lines starting with # are comments.
Otherwise a line is of the format ``keyword arguments''. Configuration options may be separated by whitespace or optional whitespace and exactly one =; the latter format is useful to avoid the need to quote whitespace when specifying configuration options using the ssh, scp and sftp -o option.
The possible keywords and their meanings are as follows (note that keywords are case-insensitive and arguments are case-sensitive):
AFSTokenPassingSpecifies whether to pass AFS tokens to remote host.The argument to this keyword must be ``yes or``no. This option applies to protocol version 1only.!BatchModeIf? set to ``yes, passphrase/password querying willbe disabled. In addition, the !ProtocolKeepAlives? andSetupTimeOut options will both be set to 300 secondsby default. This option is useful in scripts andother batch jobs where no user is present to supplythe password, and where it is desirable to detect abroken network swiftly. The argument must be ``yesor ``no. The default is ``no.!BindAddressSpecify? the interface to transmit from on machineswith multiple interfaces or aliased addresses. Notethat this option does not work if !UsePrivilegedPortis? set to ``yes.CheckHostIPIf this flag is set to ``yes, ssh will additionallycheck the host IP address in the known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing. If the option is set to ``no, the check will not be executed. The default is ``yes.
Cipher Specifies the cipher to use for encrypting the ses- sion in protocol version 1. Currently, ``blowfish, ``3des, and ``des are supported. des is only supported in the ssh client for interoperability with legacy protocol 1 implementations that do not support the 3des cipher. Its use is strongly discouraged due to cryptographic weaknesses. The default is ``3des.
Ciphers Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. The default is
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
aes192-cbc,aes256-cbc''
Specifies that all local, remote and dynamic port forwardings specified in the configuration files or on the command line be cleared. This option is pri- marily useful when used from the ssh command line to clear port forwardings set in configuration files, and is automatically set by scp(1) and sftp(1). The argument must be ``yes or ``no. The default is ``no''.
Compression Specifies whether to use compression. The argument must be ``yes or ``no. The default is ``no''.
Specifies the compression level to use if compression is enabled. The argument must be an integer from 1 (fast) to 9 (slow, best). The default level is 6, which is good for most applications. The meaning of the values is the same as in gzip(1). Note that this option applies to protocol version 1 only.
Specifies the number of tries (one per second) to make before falling back to rsh or exiting. The argument must be an integer. This may be useful in scripts if the connection sometimes fails. The default is 1.
Specifies that a TCP/IP port on the local machine be forwarded over the secure channel, and the application protocol is then used to determine where to con- nect to from the remote machine. The argument must be a port number. Currently the SOCKS4 protocol is supported, and ssh will act as a SOCKS4 server. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports.
Sets the escape character (default: ). The escape character can also be set on the command line. The argument should be a single character, ^ followed by a letter, or ``none'' to disable the escape character entirely (making the connection transparent for binary data).
Specifies that if connecting via ssh fails due to a connection refused error (there is no sshd(8) listen- ing on the remote host), rsh(1) should automatically be used instead (after a suitable warning about the session being unencrypted). The argument must be ``yes or ``no. The default is ``no''.
Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. The argument must be ``yes or ``no. The default is ``no''.
ForwardX11 Specifies whether X11 connections will be automati- cally redirected over the secure channel and DISPLAY set. The argument must be ``yes or ``no. The default is ``no''.
Specifies whether remote hosts are allowed to connect to local forwarded ports. By default, ssh binds local port forwardings to the loopback addresss. This prevents other remote hosts from connecting to forwarded ports.
local port forwardings to the wildcard address, thus allowing remote hosts to con- nect to forwarded ports. The argument must be ``yes or ``no. The default is ``no''.
Specifies a file to use for the global host key database instead of /etc/ssh/ssh_known_hosts.
Specifies whether to try rhosts based authentication with public key authentication. The argument must be ``yes or ``no. The default is ``no''. This option applies to protocol version 2 only and is sim- ilar to RhostsRSAAuthentication.
Specifies the protocol version 2 host key algorithms that the client wants to use in order of preference. The default for this option is: ``ssh-rsa,ssh-dss''
Specifies an alias that should be used instead of the real host name when looking up or saving the host key in the host key database files. This option is use- ful for tunneling ssh connections or for multiple servers running on a single host.
Specifies the real host name to log into. This can be used to specify nicknames or abbreviations for hosts. Default is the name given on the command line. Numeric IP addresses are also permitted (both on the command line and in !HostName specifications).
Specifies the file from which the user's RSA or DSA authentication identity is read (default $HOME/.ssh/identity in the user's home directory). Additionally, any identities represented by the authentication agent will be used for authentication. The file name may use the tilde syntax to refer to a user's home directory. It is possible to have multi- ple identity files specified in configuration files; all these identities will be tried in sequence.
Specifies whether the system should send keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. This option only uses TCP keepalives (as opposed to using ssh level keepalives), so takes a long time to notice when the connection dies. As such, you probably want the
connections will die if the route is down temporarily, and some people find it annoying.
The default is ``yes'' (to send keepalives), and the client will notice if the network goes down or the remote host dies. This is important in scripts, and many users want it too.
To disable keepalives, the value should be set to ``no'' in both the server and the client configuration files.
Specifies whether Kerberos authentication will be used. The argument to this keyword must be ``yes or ``no.
Specifies whether a Kerberos TGT will be forwarded to the server. This will only work if the Kerberos server is actually an AFS kaserver. The argument to this keyword must be ``yes or ``no.
Specifies that a TCP/IP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. The first argument must be a port number, and the second must be host:port. IPv6 addresses can be specified with an alternative syntax: host/port. Multiple forward- ings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports.
Gives the verbosity level that is used when logging messages from ssh. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG. The default is INFO.
MACs Specifies the MAC (message authentication code) algo- rithms in order of preference. The MAC algorithm is used in protocol version 2 for data integrity protec- tion. Multiple algorithms must be comma-separated. The default is ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96''.
This option can be used if the home directory is shared across machines. In this case localhost will refer to a different machine on each of the machines and the user will get many warnings about changed host keys. However, this option disables host authentication for localhost. The argument to this keyword must be ``yes or ``no. The default is to check the host key for localhost.
Specifies the number of password prompts before giv- ing up. The argument to this keyword must be an integer. Default is 3.
Specifies whether to use password authentication. The argument to this keyword must be ``yes or ``no. The default is ``yes''.
Port Specifies the port number to connect on the remote host. Default is 22.
Specifies the order in which the client should try protocol 2 authentication methods. This allows a client to prefer one method (e.g. keyboard-interactive) over another method (e.g. password) The default for this option is: ``hostbased,publickey,keyboard-interactive,password''
Protocol Specifies the protocol versions ssh should support in order of preference. The possible values are ``1 and ``2. Multiple versions must be comma-separated. The default is ``2,1''. This means that ssh tries version 2 and falls back to version 1 if ver- sion 2 is not available.
Specifies the interval at which IGNORE packets will be sent to the server during dile periods. Use this option in scripts to detect when the network fails. The argument must be an integer. The default is 0 (disabled), or 300 if the
Specifies the command to use to connect to the server. The command string extends to the end of the line, and is executed with /bin/sh. In the command string, %h will be substituted by the host name to connect and %p by the port. The command can be basi- cally anything, and should read from its standard input and write to its standard output. It should eventually connect an sshd(8) server running on some machine, or execute sshd -i somewhere. Host key man- agement will be done using the !HostName of the host being connected (defaulting to the name typed by the user). Note that CheckHostIP is not available for connects with a proxy command.
Specifies whether to try public key authentication. The argument to this keyword must be ``yes or ``no. The default is ``yes''. This option applies to protocol version 2 only.
Specifies that a TCP/IP port on the remote machine be forwarded over the secure channel to the specified host and port from the local machine. The first argument must be a port number, and the second must be host:port. IPv6 addresses can be specified with an alternative syntax: host/port. Multiple forward- ings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports.
Specifies whether to try rhosts based authentication. Note that this declaration only affects the client side and has no effect whatsoever on security. Dis- abling rhosts authentication may reduce authentication time on slow connections when rhosts authentication is not used. Most servers do not permit Rhost- sAuthentication because it is not secure (see RhostsRSAAuthentication). The argument to this key- word must be ``yes or ``no. The default is ``yes''. This option applies to protocol version 1 only.
RhostsRSAAuthentication Specifies whether to try rhosts based authentication with RSA host authentication. The argument must be ``yes or ``no. The default is ``yes''. This option applies to protocol version 1 only.
RSAAuthentication Specifies whether to try RSA authentication. The argument to this keyword must be ``yes or ``no. RSA authentication will only be attempted if the identity file exists, or an authentication agent is running. The default is ``yes''. Note that this option applies to protocol version 1 only.
Specifies whether to use challenge response authenti- cation. The argument to this keyword must be ``yes or ``no. The default is ``yes''.
Normally, ssh blocks indefinitly whilst waiting to receive the ssh banner and other setup protocol from the server, during the session setup. This can cause ssh to hang under certain circumstances. If this option is set, ssh will give up if no data from the server is received for the specified number of sec- onds. The argument must be an integer. The default is 0 (disabled), or 300 if !BatchMode? is set.
Specifies which smartcard device to use. The argument to this keyword is the device ssh should use to com- municate with a smartcard used for storing the user's private RSA key. By default, no device is specified and smartcard support is not activated.
If this flag is set to ``yes, ssh will never auto- matically add host keys to the $HOME/.ssh/known_hosts file, and refuses to connect to hosts whose host key has changed. This provides maximum protection against trojan horse attacks, however, can be annoy- ing when the /etc/ssh/ssh_known_hosts file is poorly maintained, or connections to new hosts are fre- quently made. This option forces the user to manu- ally add all new hosts. If this flag is set to ``no, ssh will automatically add new host keys to the user known hosts files. If this flag is set to ``ask, new host keys will be added to the user known host files only after the user has confirmed that is what they really want to do, and ssh will refuse to connect to hosts whose host key has changed. The host keys of known hosts will be veri- fied automatically in all cases. The argument must be ``yes, ``no or ``ask. The default is ``ask''.
Specifies whether to use a privileged port for outgo- ing connections. The argument must be ``yes or ``no. The default is ``no. Note that this option must be set to ``yes if !RhostsAuthentication? and RhostsRSAAuthentication authentications are needed with older servers.
User Specifies the user to log in as. This can be useful when a different user name is used on different machines. This saves the trouble of having to remem- ber to give the user name on the command line.
Specifies a file to use for the user host key database instead of $HOME/.ssh/known_hosts.
Specifies that rlogin/rsh should be used for this host. It is possible that the host does not at all support the ssh protocol. This causes ssh to immedi- ately execute rsh(1). All other options (except !HostName) are ignored if this has been specified. The argument must be ``yes or ``no.
XAuthLocation Specifies the location of the xauth(1) program. The default is /usr/bin/X11/xauth.
ENVIRONMENT
ssh will normally set the following environment variables:
Additionally, ssh reads $HOME/.ssh/environment, and adds lines of the format ``VARNAME=value'' to the environment.
FILES
AUTHORS
OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt and Dug Song removed many bugs, re-added newer features and created OpenSSH. Markus Friedl contributed the support for SSH protocol ver- sions 1.5 and 2.0.
SEE ALSO
rlogin(1), rsh(1), scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), telnet(1), sshd(8)
27 pages link to ssh(1):
Notice: ' /etc/hosts.equiv, $HOME/.rhosts, and the rlogin/rsh protocol in general, are inherently insecure and should be disabled if security is desired.': Bad page name: too long