.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.98 2001/03/08 00:15:48 markus Exp $
+.\" $OpenBSD: ssh.1,v 1.102 2001/04/10 09:13:22 itojun Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
The public key method is similar to RSA authentication described
in the previous section except that the DSA or RSA algorithm is used
instead.
-The client uses his private key
+The client uses his private key,
.Pa $HOME/.ssh/id_dsa
+or
+.Pa $HOME/.ssh/id_rsa ,
to sign the session identifier and sends the result to the server.
The server checks whether the matching public key is listed in
.Pa $HOME/.ssh/authorized_keys2
.Dq yes
or
.Dq no .
+The default is
+.Dq no .
.It Cm CheckHostIP
If this flag is set to
.Dq yes ,
-ssh will additionally check the host ip address in the
+ssh will additionally check the host IP address in the
.Pa known_hosts
file.
This allows ssh to detect if a host key changed due to DNS spoofing.
If the option is set to
.Dq no ,
the check will not be executed.
+The default is
+.Dq yes .
.It Cm Cipher
Specifies the cipher to use for encrypting the session
in protocol version 1.
.Dq yes
or
.Dq no .
+The default is
+.Dq no .
.It Cm CompressionLevel
-Specifies the compression level to use if compression is enable.
+Specifies the compression level to use if compression is enabled.
The argument must be an integer from 1 (fast) to 9 (slow, best).
The default level is 6, which is good for most applications.
The meaning of the values is the same as in
back to rsh or exiting.
The argument must be an integer.
This may be useful in scripts if the connection sometimes fails.
+The default is 4.
.It Cm PubkeyAuthentication
Specifies whether to try public key authentication.
The argument to this keyword must be
.Dq yes
or
.Dq no .
+The default is
+.Dq yes .
Note that this option applies to protocol version 2 only.
.It Cm EscapeChar
Sets the escape character (default:
.Dq yes
or
.Dq no .
+The default is
+.Dq no .
.It Cm ForwardAgent
Specifies whether the connection to the authentication agent (if any)
will be forwarded to the remote machine.
.Dq yes
or
.Dq no .
+The default is
+.Dq yes .
Note that this option applies to both protocol version 1 and 2.
.It Cm Port
Specifies the port number to connect on the remote host.
Default is 22.
+.It Cm PreferredAuthentications
+Specifies the order in which the client should try protocol 2
+authentication methods. This allows a client to prefer one method (e.g.
+.Cm keyboard-interactive )
+over another method (e.g.
+.Cm password )
+The default for this option is:
+.Dq publickey, password, keyboard-interactive
.It Cm Protocol
Specifies the protocol versions
.Nm
.Dq 2 .
Multiple versions must be comma-separated.
The default is
-.Dq 1,2 .
+.Dq 2,1 .
This means that
.Nm
-tries version 1 and falls back to version 2
-if version 1 is not available.
+tries version 2 and falls back to version 1
+if version 2 is not available.
.It Cm ProxyCommand
Specifies the command to use to connect to the server.
The command
.Dq yes
or
.Dq no .
+The default is
+.Dq yes .
.It Cm RhostsRSAAuthentication
Specifies whether to try rhosts based authentication with RSA host
authentication.
-This is the primary authentication method for most sites.
The argument must be
.Dq yes
or
.Dq no .
+The default is
+.Dq yes .
.It Cm RSAAuthentication
Specifies whether to try RSA authentication.
The argument to this keyword must be
RSA authentication will only be
attempted if the identity file exists, or an authentication agent is
running.
+The default is
+.Dq yes .
Note that this option applies to protocol version 1 only.
.It Cm ChallengeResponseAuthentication
Specifies whether to use challenge response authentication.
for protocol version 2).
See
.Xr sshd 8 .
-.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa
-Contains the RSA and the DSA authentication identity of the user.
+.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa
+Contains the authentication identity of the user.
+They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively.
These files
contain sensitive data and should be readable by the user but not
accessible by others (read/write/execute).
It is possible to specify a passphrase when
generating the key; the passphrase will be used to encrypt the
sensitive part of this file using 3DES.
-.It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub
+.It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub
Contains the public key for authentication (public part of the
identity file in human-readable form).
The contents of the
file should be added to
.Pa $HOME/.ssh/authorized_keys
on all machines
-where you wish to log in using RSA authentication.
+where you wish to log in using protocol version 1 RSA authentication.
The contents of the
.Pa $HOME/.ssh/id_dsa.pub
+and
+.Pa $HOME/.ssh/id_rsa.pub
file should be added to
.Pa $HOME/.ssh/authorized_keys2
on all machines
-where you wish to log in using DSA authentication.
+where you wish to log in using protocol version 2 DSA/RSA authentication.
These files are not
sensitive and can (but need not) be readable by anyone.
These files are