 |
Index for
Section 1 |
|
 |
Alphabetical
listing for S |
|
 |
Bottom of
page |
|
ssh2(1)
NAME
ssh2, ssh - Secure Shell client remote login and command execution
application
SYNOPSIS
ssh2 [-l login_name] hostname [command]
ssh2 [-l login_name] [-n] [+a] [-a] [+x] [-x] [-i file] [-F file] [-t] [-v]
[-d debug_level] [-V] [-q] [-f [o]] [-e char] [-c cipher] [-m MAC] [-p
port] [-S] [-L[protocol/]port:host:hostport]
[-R[protocol/]port:host:hostport] [+C] [-C] [-o option] [-h] [login_name@]
hostname [port#] [command]
OPTIONS
-l login_name
Specifies the user for login to the remote system.
-n Redirects input from /dev/null. For example, do not read stdin. This
option can also be specified in the configuration file.
+a Enables authentication agent forwarding (default).
-a Disables authentication agent forwarding.
+x Enables X11 connection forwarding (default).
-x Disables X11 connection forwarding.
-i file
Specifies the identity file for public key authentication. This option
can also be specified in the configuration file.
-F file
Specifies an alternative client configuration file. The default client
configuration file is the /etc/ssh2/ssh2_config file. Each user can
also have their own ssh2_config file in their $HOME/.ssh2 directory,
where $HOME is the name of the user's account. The
/etc/ssh2/ssh2_config file is read first, then the user's copy. The
last obtained value for a keyword is used.
-t For tty allocation. For example, allocate a tty even if a command is
given. This option can also be specified in the /etc/ssh2/ssh2_config
configuration file.
-v Enables verbose mode. Displays verbose debugging messages. Equal to the
-d 2 option. This option can also be specified in the
/etc/ssh2/ssh2_config configuration file.
-d debug_level
Prints extensive debug information to stderr. The debug_level argument
is a number from 0 to 99, where 99 specifies that all debug information
should be displayed or a comma-separated list of assignments.
-V Displays the version string.
-q Disables warning messages. This option can also be specified in the
/etc/ssh2/ssh2_config configuration file.
-f [o]
Forks into background after authentication. The ssh2 command stays in
the background waiting indefinitely for connections. It must be killed
for it to stop listening. The o argument specifies one-shot mode, which
means that once all channels are closed, the ssh2 command exits. This
option can also be specified in the /etc/ssh2/ssh2_config configuration
file.
-e char
Sets the escape character. The default escape character is the tilde
(~). Use none to disable the escape character. This option can also be
specified in the /etc/ssh2/ssh2_config configuration file.
-c cipher
Specifies the encryption algorithm to use. See the Ciphers keyword in
the /etc/ssh2/sshd2_config file and in the /etc/ssh2/ssh2_config file
for more information. Multiple -c options are allowed; a single -c
option can specify only one cipher.
-m MAC
Specifies the MAC (Message Authentication Code) algorithm. See the MACs
keyword in the /etc/ssh2/sshd2_config file and in the
/etc/ssh2/ssh2_config file for more information. Multiple -m options
are allowed; a single -m option can have only one MAC.
-p port #
Specifies the port to connect to on the remote system. This option can
also be specified in the /etc/ssh2/ssh2_config file.
-S Disables requests for a session channel. This can be used with port-
forwarding requests, if a session channel (and tty) is not needed, or
the server does not give one.
-L [protocol/]port:host:hostport
Specifies that the given port on the local (client) system is to be
forwarded to the specified host and port on the remote system. This
allocates a socket to listen to port on the local system. Whenever a
connection is made to this port, the connection is forwarded over the
secure channel, and a connection is made to the host:hostport argument
from the remote system. Only root can forward privileged ports. The
argument protocol enables the protocol-specific forwarding. The
protocols implemented are tcp (default, no special processing) and ftp.
Temporary forwardings are created for ftp data channels, effectively
securing the whole ftp session. This option can also be specified in
the /etc/ssh2/ssh2_config file.
-R [protocol/]port:host:hostport
Specifies that the given port on the remote (server) system is to be
forwarded to the specified host and port on the local system. This
allocates a socket to listen to port on the remote system. Whenever a
connection is made to this port, the connection is forwarded over the
secure channel, and a connection is made to the host:hostport argument
from the local system. Only root can forward privileged ports on the
remote system. The argument protocol enables the protocol-specific
forwarding. The protocols implemented are tcp (default, no special
processing) and ftp. Temporary forwardings are created for ftp data
channels, effectively securing the whole ftp session. This option can
also be specified in the /etc/ssh2/ssh2_config file.
+C Enables compression.
-C Disables compression. (default)
-o option
Specifies an option in the format used in the /etc/ssh2/ssh2_config
file. This is useful for specifying an option for which there is no
command-line option. Comment lines are not accepted with this option.
-h Displays help on ssh2 command options.
DESCRIPTION
The ssh2 command creates a secure connection between a Secure Shell client
and server for remote log in and command execution. The ssh2 command is
intended as a secure replacement for the rlogin and rsh commands. A secure
connection provides client and server authentication, user authentication,
data encryption, data integrity, and nonrepudiation.
After the client's, server's, and user's identity has been proven, the
Secure Shell server executes the given command or logs the user in to the
system and gives the user a normal shell on the remote system. All
communication with the remote command or shell will be automatically
encrypted and checked for integrity. The session terminates when the
command or shell on the remote system exits.
A Secure Shell client and server use public host keys to authenticate each
other. When a client connect to a server for the first time, the user is
prompted to accept a copy of the server's public host key. If the user
accepts the key, a copy of the server's public host key is copied to the
user's hostkeys directory on the client. The client uses this public host
key to authenticate the server on subsequent connects. A Secure Shell
server authenticates a user by using password authentication, host-based
authentication, or public key authentication.
See Security Administration for more information about Secure Shell clients
and servers and Secure Shell authentication.
ESCAPE SEQUENCES
The ssh2 command supports the following escape sequences that enable you to
have some manageability with the session. For any escape sequences to take
effect, you must enter a newline character (press the Enter key), then
enter the characters. For example, a newline, a tilde (~), and the
appropriate character for a task.
~. Terminates the connection.
~Ctrl/Z
Suspends the session. Simultaneously press the Ctrl key and the Z key.
~~ Sends the escape character.
~# Lists forwarded connections.
~- Disables the escape character.
~? Displays escape sequences.
~r Initiates rekeying manually.
~s Displays statistics about the connection, including server and client
version, compression, packets in, packets out, compression, key
exchange algorithms, public key algorithms, and symmetric ciphers.
~V Displays the client version number to stderr (useful for
troubleshooting).
ENVIRONMENT VARIABLES
The ssh2 command will set the following environment variables.
Additionally, the ssh2 command reads the /etc/environment file and the
$HOME/.ssh2/environment file and adds lines of the format VARNAME=value to
the environment.
DISPLAY
Indicates the location of the X11 server. It is automatically set to
point to a value of the form hostname:n, where hostname is the host
where the shell runs, and n is an integer >= 1. The ssh2 command uses
this special value to forward X11 connections over the secure channel.
The user should normally not set the DISPLAY environment variable, as
that will render the X11 connection insecure (and will require the user
to manually copy any required authorization cookies).
HOME
Sets to the path of the user's home directory.
LOGNAME
Synonym for USER; sets for compatibility with systems using this
variable.
MAIL
Sets to point to the user's mailbox.
PATH
Sets the default PATH, as specified when compiling the ssh2 command or,
on some systems, /etc/environment or /etc/default/login.
SSH_SOCKS_SERVER
If SOCKS is used, it is configured with this variable. The format of
the variable is:
socks://username@socks_server:port/network/netmask,network/netmask...
For example, setting the environment variable SSH_SOCKS_SERVER to
socks://mylogin@socks.ssh.com:1080/203.123.0.0/16,198.74.23.0/24 uses
host socks.ssh.com port 1080 as the SOCKS server if connection is
attempted outside of networks 203.123.0.0 (16 bit domain) and
198.74.23.0 (8 bit domain) which are connected directly.
A default value for the SSH_SOCKS_SERVER variable can be specified at
compile time by specifying --with-socks-server=VALUE on the configure
command line when compiling the ssh2 command. The default value can be
cancelled by setting SSH_SOCKS_SERVER to an empty string and overridden
by setting SSH_SOCKS_SERVER to a new value. If the SSH_SOCKS_SERVER
variable is set, it should contain a local loopback network
(127.0.0.0/8) as the network that is connected directly.
SSH2_AUTH_SOCK
If this exists, it is used to indicate the path of a unix-domain socket
used to communicate with the authentication agent (or its local
representative).
SSH2_CLIENT
Identifies the client of the connection. The variable contains the
following space-separated values: client ip-address, client port
number, host ip-address, and server port number.
SSH2_ORIGINAL_COMMAND
This will be the original command given to the ssh2 command if a forced
command is run. For example, it can be used to fetch arguments from the
other system. This does not have to be a real command, it can be the
name of a file, device, parameters or anything else.
SSH2_TTY
Set to the name of the tty (path to the device) associated with the
current shell or command. If the current session has no tty, this
variable is not set.
TZ Sets to the present time zone if it was set when the daemon was
started. The daemon passes the value to new connections.
USER
Sets to the name of the user logging in.
FILES
/etc/ssh2/ssh2_config
Specifies Secure Shell client configuration information.
/etc/ssh2/sshd2_config
Specifies Secure Shell server configuration information.
$HOME/.ssh2/identification
Contains information on how the user will be authenticated when
contacting a specific host. The identification file has the same
general syntax as the configuration files. The following keywords can
be used:
IdKey This is followed by the file name of a private key in the
$HOME/.ssh2 directory used for identification when contacting a
host. If there is more than one IdKey, they are tried in the
order that they appear in the identification file.
PgpSecretKeyFile
This is followed by the file name of the user's OpenPGP private
keyring in the $HOME/.ssh2 directory. The OpenPGP keys listed
after this line are expected to be found from this file. The
keys identified with IdPgpKey*-keywords are used like ones
identified with IdKey-keyword.
IdPgpKeyName
This is followed by the OpenPGP key name of the key in the
PgpSecretKeyFile file.
IdPgpKeyFingerprint
This is followed by the OpenPGP key fingerprint of the key in
the PgpSecretKeyFile file.
IdPgpKeyId
This is followed by the OpenPGP key ID of the key in the
PgpSecretKeyFile file.
$HOME/.ssh2/authorization
Contains information on how the server will verify the identity of an
user. The authorization file has the same general syntax as the
configuration files. The following keywords can be used:
Key This is followed by the file name of a public key in the
$HOME/.ssh2 directory used for identification when contacting
the host. More than one key is acceptable for login.
PgpPublicKeyFile
This is followed by the file name of the user's OpenPGP public
keyring in the $HOME/.ssh2directory. OpenPGP keys listed after
this line are expected to be found from this file. Keys
identified with PgpKey*-keywords are used like ones identified
with Key-keyword.
PgpKeyName
This is followed by the OpenPGP key name.
PgpKeyFingerprint
This is followed by the OpenPGP key fingerprint.
PgpKeyId
This is followed by the OpenPGP key ID.
Command This keyword, if used, must follow the Key or PgpKey* keyword.
This is used to specify a forced command that will be executed
on the server when the user is authenticated. The command
supplied by the user (if any) is put in the environment
variable SSH2_ORIGINAL_COMMAND.
The command is run on a pseudoterminal if the connection
requests a pseudoterminal; otherwise it is run without a
terminal.
This keyword might be useful for restricting certain public
keys to perform a specific operation. For example, a key that
permits remote backups but nothing else.
A client can specify TCP/IP and/or X11 forwardings, unless they
are explicitly prohibited.
$HOME/.ssh2/hostkeys/key_xxxx_yyyy.pub
They files are the public keys of the hosts to which you connect. These
are updated automatically, unless you have set the
StrictHostKeyChecking parameter to yes in the ssh2_config file. If a
host's key changes, you should put the key here only if you are sure
that the new key is valid; for example that there was no man-in-the-
middle attack. The xxxx is the port on the server, where the sshd2
deamon runs, and the yyyy is the host (specified on the command line).
/etc/ssh2/hostkeys/key_xxxx_yyyy.pub
If a host key is not found from the user's $HOME/.ssh2/hostkeys
directory, this is the next location to be checked. These files have to
be updated manually; no files are put here automatically.
$HOME/.rhosts and $HOME/.shosts
Contains a list of remote users who are not required to supply a
password when they use Secure Shell host-based authentication with the
ssh2 command.
/etc/hosts.equiv
Contains the names of remote hosts and users that are equivalent to the
local host or user. An equivalent host or user is allowed to use the
ssh2 command with Secure Shell host-based authentication without
supplying a password.
$HOME/.ssh2/knownhosts/xxxxyyyy.pub
Contains the public host keys of hosts that users need to log in to
when using host based authentication.
The xxxx is the fully qualified domain name (FQDN) and yyyy is the
public key algorithm. Public key algorithms are ssh-dss and ssh-rsa.
For example, if the FQDN for a host is server1.foo.fi and it has a key
algorithm of ssh-dss, the host key would be server1.foo.fi.ssh-dss.pub
in the knownhosts directory.
A user must add the host name to a $HOME/.shosts file or an
$HOME/.rhosts file.
/etc/ssh2/knownhosts/xxxxyyyy.pub
Same as the $HOME/.ssh2/knownhosts/xxxxyyyy.pub file, but system-wide.
This file is overridden if the user puts a file with the same name in
the $HOME/.ssh2/knownhosts directory.
LEGAL NOTICES
SSH is a registered trademark of SSH Communication Security Ltd.
SEE ALSO
Commands: scp2(1), sftp(1), rlogin(1), rsh(1), telnet(1),
Files: hosts.equiv(4), rhosts(4), shosts(4), ssh2_config(4),
sshd2_config(4)
Guides: Security Administration
|
Index for
Section 1 |
|
|
Alphabetical
listing for S |
|
 |
Top of
page |
|