.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.162 2002/08/12 17:30:35 stevesk Exp $
+.\" $OpenBSD: ssh.1,v 1.170 2003/05/14 22:24:42 markus Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
.Op Ar command
.Pp
.Nm ssh
-.Op Fl afgknqstvxACNPTX1246
+.Bk -words
+.Op Fl afgknqstvxACNTVX1246
.Op Fl b Ar bind_address
.Op Fl c Ar cipher_spec
.Op Fl e Ar escape_char
.Sm on
.Xc
.Oc
+.Ek
+.Bk -words
.Oo Fl R Xo
.Sm off
.Ar port :
.Op Fl D Ar port
.Ar hostname | user@hostname
.Op Ar command
+.Ek
.Sh DESCRIPTION
.Nm
(SSH client) is a program for logging into a remote machine and for
to terminate
.It Cm ~?
Display a list of escape characters
+.It Cm ~B
+Send a BREAK to the remote system.
.It Cm ~C
Open command line (only useful for adding port forwardings using the
.Fl L
The real authentication cookie is never
sent to the server machine (and no cookies are sent in the plain).
.Pp
-If the user is using an authentication agent, the connection to the agent
-is automatically forwarded to the remote side unless disabled on
-the command line or in a configuration file.
+If the
+.Cm ForwardAgent
+variable is set to
+.Dq yes
+(or, see the description of the
+.Fl A
+and
+.Fl a
+options described later) and
+the user is using an authentication agent, the connection to the agent
+is automatically forwarded to the remote side.
.Pp
Forwarding of arbitrary TCP/IP connections over the secure channel can
be specified either on the command line or in a configuration file.
.It Fl A
Enables forwarding of the authentication agent connection.
This can also be specified on a per-host basis in a configuration file.
+.Pp
+Agent forwarding should be enabled with caution.
+Users with the ability to bypass file permissions on the remote host
+(for the agent's Unix-domain socket)
+can access the local agent through the forwarded connection.
+An attacker cannot obtain key material from the agent,
+however they can perform operations on the keys that enable them to
+authenticate using the identities loaded into the agent.
.It Fl b Ar bind_address
Specify the interface to transmit from on machines with multiple
interfaces or aliased addresses.
client for interoperability with legacy protocol 1 implementations
that do not support the
.Ar 3des
-cipher. Its use is strongly discouraged due to cryptographic
-weaknesses.
+cipher.
+Its use is strongly discouraged due to cryptographic weaknesses.
.It Fl c Ar cipher_spec
Additionally, for protocol version 2 a comma-separated list of ciphers can
be specified in order of preference.
Port to connect to on the remote host.
This can be specified on a
per-host basis in the configuration file.
-.It Fl P
-Use a non-privileged port for outgoing connections.
-This can be used if a firewall does
-not permit connections from privileged ports.
-Note that this option turns off
-.Cm RhostsAuthentication
-and
-.Cm RhostsRSAAuthentication
-for older servers.
.It Fl q
Quiet mode.
Causes all warning and diagnostic messages to be suppressed.
debugging connection, authentication, and configuration problems.
Multiple
.Fl v
-options increases the verbosity.
-Maximum is 3.
+options increase the verbosity.
+The maximum is 3.
+.It Fl V
+Display the version number and exit.
.It Fl x
Disables X11 forwarding.
.It Fl X
Enables X11 forwarding.
This can also be specified on a per-host basis in a configuration file.
+.Pp
+X11 forwarding should be enabled with caution.
+Users with the ability to bypass file permissions on the remote host
+(for the user's X authorization database)
+can access the local X11 display through the forwarded connection.
+An attacker may then be able to perform activities such as keystroke monitoring.
.It Fl C
Requests compression of all data (including stdin, stdout, stderr, and
data for forwarded X11 and TCP/IP connections).
.Dq level
can be controlled by the
.Cm CompressionLevel
-option.
+option for protocol version 1.
Compression is desirable on modem lines and other
slow connections, but will only slow down things on fast networks.
The default value can be set on a host-by-host basis in the
on the local side, and whenever a connection is made to this port, the
connection is forwarded over the secure channel, and the application
protocol is then used to determine where to connect to from the
-remote machine. Currently the SOCKS4 protocol is supported, and
+remote machine.
+Currently the SOCKS4 protocol is supported, and
.Nm
will act as a SOCKS4 server.
Only root can forward privileged ports.
.It Ev SSH_AUTH_SOCK
Identifies the path of a unix-domain socket used to communicate with the
agent.
-.It Ev SSH_CLIENT
-Identifies the client end of the connection.
+.It Ev SSH_CONNECTION
+Identifies the client and server ends of the connection.
The variable contains
-three space-separated values: client ip-address, client port number,
-and server port number.
+four space-separated values: client ip-address, client port number,
+server ip-address and server port number.
.It Ev SSH_ORIGINAL_COMMAND
The variable contains the original command line if a forced command
is executed.
andersk / openssh.git / blobdiff