.\" incompatible with the protocol description in the RFC file, it must be
.\" called by a name other than "ssh" or "Secure Shell".
.\"
-.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
-.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
-.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
+.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
+.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
+.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.79 2001/01/28 20:36:16 stevesk Exp $
+.\" $OpenBSD: ssh.1,v 1.94 2001/03/05 15:56:16 deraadt Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
.Op Ar command
.Pp
.Nm ssh
-.Op Fl afgknqtvxACNPTX246
+.Op Fl afgknqstvxACNPTX1246
.Op Fl c Ar cipher_spec
.Op Fl e Ar escape_char
.Op Fl i Ar identity_file
.Op Fl l Ar login_name
+.Op Fl m Ar mac_spec
.Op Fl o Ar option
.Op Fl p Ar port
.Oo Fl L Xo
.Pp
Protocol 2 provides additional mechanisms for confidentiality
(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour)
-and integrity (hmac-sha1, hmac-md5).
+and integrity (hmac-md5, hmac-sha1).
Note that protocol 1 lacks a strong mechanism for ensuring the
integrity of the connection.
.Pp
will also make the session transparent even if a tty is used.
.Pp
The session terminates when the command or shell on the remote
-machine exists and all X11 and TCP/IP connections have been closed.
+machine exits and all X11 and TCP/IP connections have been closed.
The exit status of the remote program is returned as the exit status
of
.Nm ssh .
Forwarding of arbitrary TCP/IP connections over the secure channel can
be specified either on command line or in a configuration file.
One possible application of TCP/IP forwarding is a secure connection to an
-electronic purse; another is going trough firewalls.
+electronic purse; another is going through firewalls.
.Pp
.Ss Server authentication
.Pp
.Ar blowfish
is a fast block cipher, it appears very secure and is much faster than
.Ar 3des .
-.It Fl c Ar "3des-cbc,blowfish-cbc,arcfour,cast128-cbc"
+.It Fl c Ar cipher_spec
Additionally, for protocol version 2 a comma-separated list of ciphers can
be specified in order of preference.
-Protocol version 2 supports 3DES, Blowfish, and CAST128 in CBC mode
-and Arcfour.
+See
+.Cm Ciphers
+for more information.
.It Fl e Ar ch|^ch|none
Sets the escape character for sessions with a pty (default:
.Ql ~ ) .
.It Fl l Ar login_name
Specifies the user to log in as on the remote machine.
This also may be specified on a per-host basis in the configuration file.
+.It Fl m Ar mac_spec
+Additionally, for protocol version 2 a comma-separated list of MAC
+(message authentication code) algorithms can
+be specified in order of preference.
+See the
+.Cm MACs
+keyword for more information.
.It Fl n
Redirects stdin from
.Pa /dev/null
Quiet mode.
Causes all warning and diagnostic messages to be suppressed.
Only fatal errors are displayed.
+.It Fl s
+May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use
+of SSH as a secure transport for other application (eg. sftp). The
+subsystem is specified as the remote command.
.It Fl t
Force pseudo-tty allocation.
This can be used to execute arbitrary
Port forwardings can also be specified in the configuration file.
Privileged ports can be forwarded only when
logging in as root on the remote machine.
+.It Fl 1
+Forces
+.Nm
+to try protocol version 1 only.
.It Fl 2
Forces
.Nm
.Nm
to use IPv6 addresses only.
.El
-.Pp
-If
-.Nm
-is not invoked with one of the standard program names
-.Pf ( Dq ssh ,
-.Dq slogin ,
-.Dq rsh ,
-.Dq rlogin ,
-or
-.Dq remsh ) ,
-it uses this name as its
-.Ar hostname
-argument.
-This is consistent with traditional
-.Xr rsh 1
-behavior.
.Sh CONFIGURATION FILES
.Nm
obtains configuration data from the following sources (in this order):
in order of preference.
Multiple ciphers must be comma-separated.
The default is
-.Dq 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc .
+.Pp
+.Bd -literal
+ ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
+ aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,
+ rijndael256-cbc,rijndael-cbc@lysator.liu.se''
+.Ed
.It Cm Compression
Specifies whether to use compression.
The argument must be
.It Cm HostKeyAlias
Specifies an alias that should be used instead of the
real host name when looking up or saving the host key
-the kown_hosts files.
-This option is useful for tunneling ssh connection
+in the known_hosts files.
+This option is useful for tunneling ssh connections
or if you have multiple servers running on a single host.
.It Cm HostName
Specifies the real host name to log into.
The possible values are:
QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG.
The default is INFO.
+.It Cm MACs
+Specifies the MAC (message authentication code) algorithms
+in order of preference.
+The MAC algorithm is used in protocol version 2
+for data integrity protection.
+Multiple algorithms must be comma-separated.
+The default is
+.Pp
+.Bd -literal
+ ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,
+ hmac-sha1-96,hmac-md5-96''
+.Ed
.It Cm NumberOfPasswordPrompts
Specifies the number of password prompts before giving up.
The argument to this keyword must be an integer.
attempted if the identity file exists, or an authentication agent is
running.
Note that this option applies to protocol version 1 only.
-.It Cm SkeyAuthentication
-Specifies whether to use
+.It Cm ChallengeResponseAuthentication
+Specifies whether to use challenge response authentication.
+Currently there is only support for
.Xr skey 1
authentication.
The argument to this keyword must be
These files are not
sensitive and can (but need not) be readable by anyone.
These files are
-never used automatically and are not necessary; they is only provided for
+never used automatically and are not necessary; they are only provided for
the convenience of the user.
.It Pa $HOME/.ssh/config
This is the per-user configuration file.
Each line of the file contains a host name (in the canonical form
returned by name servers), and then a user name on that host,
separated by a space.
-One some machines this file may need to be
+On some machines this file may need to be
world-readable if the user's home directory is on a NFS partition,
because
.Xr sshd 8
.Xr rlogin 1 ,
.Xr rsh 1 ,
.Xr scp 1 ,
+.Xr sftp 1 ,
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
.Xr ssh-keygen 1 ,
.Xr telnet 1 ,
-.Xr sshd 8 ,
-.Xr ssl 8
+.Xr sshd 8