- (djm) Clean up. Strip some unnecessary differences with OpenBSD's code,

[openssh.git] / ssh.1

diff --git a/ssh.1 b/ssh.1
index 662e4082ed76d740a7f6d104928a4b12d066a7aa..5786782204e4e77dd00e2f3ca200e9d6fc1686e1 100644 (file)
--- a/ssh.1
+++ b/ssh.1
@@ -1,15 +1,38 @@
 .\"  -*- nroff -*-
 .\"
 .\"  -*- nroff -*-
 .\"

-.\" ssh.1.in
-.\"

 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>

-.\"

 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 .\"                    All rights reserved
 .\"
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 .\"                    All rights reserved
 .\"

-.\" Created: Sat Apr 22 21:55:14 1995 ylo
+.\" As far as I am concerned, the code I have written for this software
+.\" can be used freely for any purpose.  Any derived versions of this
+.\" software must be clearly marked as such, and if the derived work is
+.\" incompatible with the protocol description in the RFC file, it must be
+.\" called by a name other than "ssh" or "Secure Shell".
+.\"
+.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
+.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
+.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.

 .\"
 .\"

-.\" $Id$
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

 .\"
 .Dd September 25, 1999
 .Dt SSH 1
 .\"
 .Dd September 25, 1999
 .Dt SSH 1


@@ -24,8 +47,8 @@
 .Op Ar command
 .Pp
 .Nm ssh
 .Op Ar command
 .Pp
 .Nm ssh

-.Op Fl afgknqtvxCPX246
-.Op Fl c Ar blowfish | 3des
+.Op Fl afgknqtvxACNPTX246
+.Op Fl c Ar cipher_spec

 .Op Fl e Ar escape_char
 .Op Fl i Ar identity_file
 .Op Fl l Ar login_name
 .Op Fl e Ar escape_char
 .Op Fl i Ar identity_file
 .Op Fl l Ar login_name


@@ -202,7 +225,7 @@ This protocol 2 implementation does not yet support Kerberos or
 S/Key authentication.
 .Pp
 Protocol 2 provides additional mechanisms for confidentiality
 S/Key authentication.
 .Pp
 Protocol 2 provides additional mechanisms for confidentiality

-(the traffic is encrypted using 3DES, blowfish, cast128 or arcfour)
+(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour)

 and integrity (hmac-sha1, hmac-md5).
 Note that protocol 1 lacks a strong mechanism for ensuring the
 integrity of the connection.
 and integrity (hmac-sha1, hmac-md5).
 Note that protocol 1 lacks a strong mechanism for ensuring the
 integrity of the connection.


@@ -332,7 +355,9 @@ host key is not known or has changed.
 .Bl -tag -width Ds
 .It Fl a
 Disables forwarding of the authentication agent connection.
 .Bl -tag -width Ds
 .It Fl a
 Disables forwarding of the authentication agent connection.

-This may also be specified on a per-host basis in the configuration file.
+.It Fl A
+Enables forwarding of the authentication agent connection.
+This can also be specified on a per-host basis in a configuration file.

 .It Fl c Ar blowfish|3des
 Selects the cipher to use for encrypting the session.
 .Ar 3des
 .It Fl c Ar blowfish|3des
 Selects the cipher to use for encrypting the session.
 .Ar 3des


@@ -342,10 +367,15 @@ It is believed to be secure.
 (triple-des) is an encrypt-decrypt-encrypt triple with three different keys.
 It is presumably more secure than the
 .Ar des
 (triple-des) is an encrypt-decrypt-encrypt triple with three different keys.
 It is presumably more secure than the
 .Ar des

-cipher which is no longer supported in ssh.
+cipher which is no longer supported in
+.Nm ssh .

 .Ar blowfish
 is a fast block cipher, it appears very secure and is much faster than
 .Ar 3des .
 .Ar blowfish
 is a fast block cipher, it appears very secure and is much faster than
 .Ar 3des .

+.It Fl c Ar "3des-cbc,blowfish-cbc,arcfour,cast128-cbc"
+Additionally, for protocol version 2 a comma-separated list of ciphers can
+be specified in order of preference. Protocol version 2 supports
+3DES, Blowfish and CAST128 in CBC mode and Arcfour.

 .It Fl e Ar ch|^ch|none
 Sets the escape character for sessions with a pty (default:
 .Ql ~ ) .
 .It Fl e Ar ch|^ch|none
 Sets the escape character for sessions with a pty (default:
 .Ql ~ ) .


@@ -411,6 +441,10 @@ program will be put in the background.
 needs to ask for a password or passphrase; see also the
 .Fl f
 option.)
 needs to ask for a password or passphrase; see also the
 .Fl f
 option.)

+.It Fl N
+Do not execute a remote command.
+This is usefull if you just want to forward ports
+(protocol version 2 only).

 .It Fl o Ar option
 Can be used to give options in the format used in the config file.
 This is useful for specifying options for which there is no separate
 .It Fl o Ar option
 Can be used to give options in the format used in the config file.
 This is useful for specifying options for which there is no separate


@@ -437,6 +471,8 @@ Force pseudo-tty allocation.
 This can be used to execute arbitrary
 screen-based programs on a remote machine, which can be very useful,
 e.g., when implementing menu services.
 This can be used to execute arbitrary
 screen-based programs on a remote machine, which can be very useful,
 e.g., when implementing menu services.

+.It Fl T
+Disable pseudo-tty allocation (protocol version 2 only).

 .It Fl v
 Verbose mode.
 Causes
 .It Fl v
 Verbose mode.
 Causes


@@ -447,11 +483,12 @@ debugging connection, authentication, and configuration problems.
 The verbose mode is also used to display
 .Xr skey 1
 challenges, if the user entered "s/key" as password.
 The verbose mode is also used to display
 .Xr skey 1
 challenges, if the user entered "s/key" as password.

+Multiple -v options increases the verbosity. Maximum is 3.

 .It Fl x
 Disables X11 forwarding.
 .It Fl x
 Disables X11 forwarding.

-This can also be specified on a per-host basis in a configuration file.

 .It Fl X
 Enables X11 forwarding.
 .It Fl X
 Enables X11 forwarding.

+This can also be specified on a per-host basis in a configuration file.

 .It Fl C
 Requests compression of all data (including stdin, stdout, stderr, and
 data for forwarded X11 and TCP/IP connections).
 .It Fl C
 Requests compression of all data (including stdin, stdout, stderr, and
 data for forwarded X11 and TCP/IP connections).


@@ -601,7 +638,7 @@ Specifies the ciphers allowed for protocol version 2
 in order of preference.
 Multiple ciphers must be comma-separated.
 The default is
 in order of preference.
 Multiple ciphers must be comma-separated.
 The default is

-.Dq blowfish-cbc,3des-cbc,arcfour,cast128-cbc .
+.Dq 3des-cbc,blowfish-cbc,arcfour,cast128-cbc .

 .It Cm Compression
 Specifies whether to use compression.
 The argument must be
 .It Cm Compression
 Specifies whether to use compression.
 The argument must be


@@ -660,6 +697,8 @@ The argument must be
 .Dq yes
 or
 .Dq no .
 .Dq yes
 or
 .Dq no .

+The default is
+.Dq no .

 .It Cm ForwardX11
 Specifies whether X11 connections will be automatically redirected
 over the secure channel and
 .It Cm ForwardX11
 Specifies whether X11 connections will be automatically redirected
 over the secure channel and


@@ -785,7 +824,7 @@ The default is
 This means that
 .Nm
 tries version 1 and falls back to version 2
 This means that
 .Nm
 tries version 1 and falls back to version 2

-if version 1 is no available.
+if version 1 is not available.

 .It Cm ProxyCommand
 Specifies the command to use to connect to the server.
 The command
 .It Cm ProxyCommand
 Specifies the command to use to connect to the server.
 The command


@@ -925,6 +964,13 @@ The argument must be
 .Dq yes
 or
 .Dq no .
 .Dq yes
 or
 .Dq no .

+.It Cm XAuthLocation
+Specifies the location of the
+.Xr xauth 1
+program.
+The default is
+.Pa /usr/X11R6/bin/xauth .
+.El

 .Sh ENVIRONMENT
 .Nm
 will normally set the following environment variables:
 .Sh ENVIRONMENT
 .Nm
 will normally set the following environment variables:


@@ -973,7 +1019,7 @@ If the current session has no tty,
 this variable is not set.
 .It Ev TZ
 The timezone variable is set to indicate the present timezone if it
 this variable is not set.
 .It Ev TZ
 The timezone variable is set to indicate the present timezone if it

-was set when the daemon was started (e.i., the daemon passes the value
+was set when the daemon was started (i.e., the daemon passes the value

 on to new connections).
 .It Ev USER
 Set to the name of the user logging in.
 on to new connections).
 .It Ev USER
 Set to the name of the user logging in.


@@ -1168,6 +1214,7 @@ above.
 .It Pa libcrypto.so.X.1
 A version of this library which includes support for the RSA algorithm
 is required for proper operation.
 .It Pa libcrypto.so.X.1
 A version of this library which includes support for the RSA algorithm
 is required for proper operation.

+.El

 .Sh AUTHOR
 OpenSSH
 is a derivative of the original (free) ssh 1.2.12 release by Tatu Ylonen,
 .Sh AUTHOR
 OpenSSH
 is a derivative of the original (free) ssh 1.2.12 release by Tatu Ylonen,


@@ -1179,7 +1226,8 @@ more restrictive licenses, and thus demand for a free version was born.
 This version of OpenSSH
 .Bl -bullet
 .It
 This version of OpenSSH
 .Bl -bullet
 .It

-has all components of a restrictive nature (i.e., patents)
+has all components of a restrictive nature (i.e., patents, see
+.Xr crypto 3 )

 directly removed from the source code; any licensed or patented components
 are chosen from
 external libraries.
 directly removed from the source code; any licensed or patented components
 are chosen from
 external libraries.


@@ -1208,3 +1256,4 @@ The support for SSH protocol 2 was written by Markus Friedl.
 .Xr ssh-keygen 1 ,
 .Xr telnet 1 ,
 .Xr sshd 8 ,
 .Xr ssh-keygen 1 ,
 .Xr telnet 1 ,
 .Xr sshd 8 ,

+.Xr crypto 3