X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/98143cfc9a9eb27ec628c971fd19845f1740bedb..68874d2bfe5b0b0c8ffce03302ae6b10ef9cce75:/ssh.1

diff --git a/ssh.1 b/ssh.1
index d93b114c..b6fe0550 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.109 2001/05/04 14:21:55 stevesk Exp $
+.\" $OpenBSD: ssh.1,v 1.126 2001/08/01 22:16:45 markus Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -209,12 +209,10 @@ When a user connects using the protocol version 2
 different authentication methods are available.
 Using the default values for
 .Cm PreferredAuthentications ,
-the client will try to authenticate first using the public key method;
-if this method fails password authentication is attempted,
-and finally if this method fails keyboard-interactive authentication
-is attempted.
-If this method fails password authentication is
-tried.
+the client will try to authenticate first using the hostbased method;
+if this method fails public key authentication is attempted,
+and finally if this method fails keyboard-interactive and
+password authentication are tried.
 .Pp
 The public key method is similar to RSA authentication described
 in the previous section and allows the RSA or DSA algorithm to be used:
@@ -224,7 +222,7 @@ or
 .Pa $HOME/.ssh/id_rsa ,
 to sign the session identifier and sends the result to the server.
 The server checks whether the matching public key is listed in
-.Pa $HOME/.ssh/authorized_keys2
+.Pa $HOME/.ssh/authorized_keys
 and grants access if both the key is found and the signature is correct.
 The session identifier is derived from a shared Diffie-Hellman value
 and is only known to the client and the server.
@@ -269,16 +267,16 @@ of
 .Ss Escape Characters
 .Pp
 When a pseudo terminal has been requested, ssh supports a number of functions
-through the use of an escape character. 
+through the use of an escape character.
 .Pp
 A single tilde character can be sent as
 .Ic ~~
-(or by following the tilde by a character other than those described above).
+or by following the tilde by a character other than those described below.
 The escape character must always follow a newline to be interpreted as
 special.
 The escape character can be changed in configuration files using the
 .Cm EscapeChar
-configuration directive or on the command line by the 
+configuration directive or on the command line by the
 .Fl e
 option.
 .Pp
@@ -304,7 +302,16 @@ and if the peer supports it)
 .Pp
 .Ss X11 and TCP forwarding
 .Pp
-If the user is using X11 (the
+If the
+.Cm ForwardX11
+variable is set to
+.Dq yes
+(or, see the description of the
+.Fl X
+and
+.Fl x
+options described later)
+and the user is using X11 (the
 .Ev DISPLAY
 environment variable is set), the connection to the X11 display is
 automatically forwarded to the remote side in such a way that any X11
@@ -340,10 +347,10 @@ sent to the server machine (and no cookies are sent in the plain).
 .Pp
 If the user is using an authentication agent, the connection to the agent
 is automatically forwarded to the remote side unless disabled on
-command line or in a configuration file.
+the command line or in a configuration file.
 .Pp
 Forwarding of arbitrary TCP/IP connections over the secure channel can
-be specified either on command line or in a configuration file.
+be specified either on the command line or in a configuration file.
 One possible application of TCP/IP forwarding is a secure connection to an
 electronic purse; another is going through firewalls.
 .Pp
@@ -352,17 +359,12 @@ electronic purse; another is going through firewalls.
 .Nm
 automatically maintains and checks a database containing
 identifications for all hosts it has ever been used with.
-RSA host keys are stored in
+Host keys are stored in
 .Pa $HOME/.ssh/known_hosts
-and
-host keys used in the protocol version 2 are stored in
-.Pa $HOME/.ssh/known_hosts2
 in the user's home directory.
-Additionally, the files
+Additionally, the file
 .Pa /etc/ssh_known_hosts
-and
-.Pa /etc/ssh_known_hosts2
-are automatically checked for known hosts.
+is automatically checked for known hosts.
 Any new hosts are automatically added to the user's file.
 If a host's identification
 ever changes,
@@ -446,6 +448,12 @@ It is possible to have multiple
 .Fl i
 options (and multiple identities specified in
 configuration files).
+.It Fl I Ar smartcard_device
+Specifies which smartcard device to use. The argument is
+the device
+.Nm
+should use to communicate with a smartcard used for storing the user's
+private RSA key.
 .It Fl k
 Disables forwarding of Kerberos tickets and AFS tokens.
 This may also be specified on a per-host basis in the configuration file.
@@ -506,8 +514,8 @@ Quiet mode.
 Causes all warning and diagnostic messages to be suppressed.
 Only fatal errors are displayed.
 .It Fl s
-May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use 
-of SSH as a secure transport for other applications (eg. sftp). The 
+May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use
+of SSH as a secure transport for other applications (eg. sftp). The
 subsystem is specified as the remote command.
 .It Fl t
 Force pseudo-tty allocation.
@@ -551,7 +559,7 @@ Compression is desirable on modem lines and other
 slow connections, but will only slow down things on fast networks.
 The default value can be set on a host-by-host basis in the
 configuration files; see the
-.Cm Compress
+.Cm Compression
 option below.
 .It Fl L Ar port:host:hostport
 Specifies that the given port on the local (client) host is to be
@@ -694,7 +702,7 @@ The default is
 Specifies the cipher to use for encrypting the session
 in protocol version 1.
 Currently,
-.Dq blowfish 
+.Dq blowfish
 and
 .Dq 3des
 are supported.
@@ -730,7 +738,7 @@ Specifies the number of tries (one per second) to make before falling
 back to rsh or exiting.
 The argument must be an integer.
 This may be useful in scripts if the connection sometimes fails.
-The default is 4.
+The default is 1.
 .It Cm EscapeChar
 Sets the escape character (default:
 .Ql ~ ) .
@@ -788,13 +796,9 @@ or
 The default is
 .Dq no .
 .It Cm GlobalKnownHostsFile
-Specifies a file to use for the protocol version 1 global
+Specifies a file to use for the global
 host key database instead of
 .Pa /etc/ssh_known_hosts .
-.It Cm GlobalKnownHostsFile2
-Specifies a file to use for the protocol version 2 global
-host key database instead of
-.Pa /etc/ssh_known_hosts2 .
 .It Cm HostbasedAuthentication
 Specifies whether to try rhosts based authentication with public key
 authentication.
@@ -803,7 +807,7 @@ The argument must be
 or
 .Dq no .
 The default is
-.Dq yes .
+.Dq no .
 This option applies to protocol version 2 only and
 is similar to
 .Cm RhostsRSAAuthentication .
@@ -883,17 +887,13 @@ The possible values are:
 QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG.
 The default is INFO.
 .It Cm MACs
-Specifies the MAC (message authentication code) algorithms 
+Specifies the MAC (message authentication code) algorithms
 in order of preference.
 The MAC algorithm is used in protocol version 2
 for data integrity protection.
 Multiple algorithms must be comma-separated.
 The default is
-.Pp
-.Bd -literal
-  ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,
-    hmac-sha1-96,hmac-md5-96''
-.Ed
+.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
 .It Cm NumberOfPasswordPrompts
 Specifies the number of password prompts before giving up.
 The argument to this keyword must be an integer.
@@ -910,13 +910,13 @@ The default is
 Specifies the port number to connect on the remote host.
 Default is 22.
 .It Cm PreferredAuthentications
-Specifies the order in which the client should try protocol 2 
-authentication methods. This allows a client to prefer one method (e.g. 
+Specifies the order in which the client should try protocol 2
+authentication methods. This allows a client to prefer one method (e.g.
 .Cm keyboard-interactive )
 over another method (e.g.
 .Cm password )
 The default for this option is:
-.Dq publickey, password, keyboard-interactive
+.Dq hostbased,publickey,keyboard-interactive,password
 .It Cm Protocol
 Specifies the protocol versions
 .Nm
@@ -983,8 +983,8 @@ Disabling rhosts authentication may reduce
 authentication time on slow connections when rhosts authentication is
 not used.
 Most servers do not permit RhostsAuthentication because it
-is not secure (see 
-.Cm RhostsRSAAuthentication ).
+is not secure (see
+.Cm RhostsRSAAuthentication ) .
 The argument to this keyword must be
 .Dq yes
 or
@@ -1016,29 +1016,29 @@ The default is
 Note that this option applies to protocol version 1 only.
 .It Cm ChallengeResponseAuthentication
 Specifies whether to use challenge response authentication.
-Currently there is only support for
-.Xr skey 1
-authentication.
 The argument to this keyword must be
 .Dq yes
 or
 .Dq no .
 The default is
-.Dq no .
+.Dq yes .
+.It Cm SmartcardDevice
+Specifies which smartcard device to use. The argument to this keyword is
+the device
+.Nm
+should use to communicate with a smartcard used for storing the user's
+private RSA key. By default, no device is specified and smartcard support
+is not activated.
 .It Cm StrictHostKeyChecking
 If this flag is set to
 .Dq yes ,
 .Nm
 will never automatically add host keys to the
 .Pa $HOME/.ssh/known_hosts
-and
-.Pa $HOME/.ssh/known_hosts2
-files, and refuses to connect to hosts whose host key has changed.
+file, and refuses to connect to hosts whose host key has changed.
 This provides maximum protection against trojan horse attacks.
 However, it can be somewhat annoying if you don't have good
 .Pa /etc/ssh_known_hosts
-and
-.Pa /etc/ssh_known_hosts2
 files installed and frequently
 connect to new hosts.
 This option forces the user to manually
@@ -1085,13 +1085,9 @@ This can be useful if you have a different user name on different machines.
 This saves the trouble of
 having to remember to give the user name on the command line.
 .It Cm UserKnownHostsFile
-Specifies a file to use for the protocol version 1 user
+Specifies a file to use for the user
 host key database instead of
 .Pa $HOME/.ssh/known_hosts .
-.It Cm UserKnownHostsFile2
-Specifies a file to use for the protocol version 2 user
-host key database instead of
-.Pa $HOME/.ssh/known_hosts2 .
 .It Cm UseRsh
 Specifies that rlogin/rsh should be used for this host.
 It is possible that the host does not at all support the
@@ -1150,6 +1146,29 @@ Set to the default
 .Ev PATH ,
 as specified when compiling
 .Nm ssh .
+.It Ev SSH_ASKPASS
+If
+.Nm
+needs a passphrase, it will read the passphrase from the current
+terminal if it was run from a terminal.
+If
+.Nm
+does not have a terminal associated with it but
+.Ev DISPLAY
+and
+.Ev SSH_ASKPASS
+are set, it will execute the program specified by
+.Ev SSH_ASKPASS
+and open an X11 window to read the passphrase.
+This is particularly useful when calling
+.Nm
+from a
+.Pa .Xsession
+or related script.
+(Note that on some machines it
+may be necessary to redirect the input from
+.Pa /dev/null
+to make this work.)
 .It Ev SSH_AUTH_SOCK
 indicates the path of a unix-domain socket used to communicate with the
 agent.
@@ -1184,13 +1203,10 @@ and adds lines of the format
 to the environment.
 .Sh FILES
 .Bl -tag -width Ds
-.It Pa $HOME/.ssh/known_hosts, $HOME/.ssh/known_hosts2
+.It Pa $HOME/.ssh/known_hosts
 Records host keys for all hosts the user has logged into (that are not
 in
-.Pa /etc/ssh_known_hosts
-for protocol version 1 or
-.Pa /etc/ssh_known_hosts2
-for protocol version 2).
+.Pa /etc/ssh_known_hosts .
 See
 .Xr sshd 8 .
 .It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa
@@ -1219,7 +1235,7 @@ The contents of the
 and
 .Pa $HOME/.ssh/id_rsa.pub
 file should be added to
-.Pa $HOME/.ssh/authorized_keys2
+.Pa $HOME/.ssh/authorized_keys
 on all machines
 where you wish to log in using protocol version 2 DSA/RSA authentication.
 These files are not
@@ -1237,34 +1253,23 @@ This file does not usually contain any sensitive information,
 but the recommended permissions are read/write for the user, and not
 accessible by others.
 .It Pa $HOME/.ssh/authorized_keys
-Lists the RSA keys that can be used for logging in as this user.
+Lists the public keys (RSA/DSA) that can be used for logging in as this user.
 The format of this file is described in the
 .Xr sshd 8
 manual page.
 In the simplest form the format is the same as the .pub
-identity files (that is, each line contains the number of bits in
-modulus, public exponent, modulus, and comment fields, separated by
-spaces).
+identity files.
 This file is not highly sensitive, but the recommended
 permissions are read/write for the user, and not accessible by others.
-.It Pa $HOME/.ssh/authorized_keys2
-Lists the public keys (RSA/DSA) that can be used for logging in as this user.
-This file is not highly sensitive, but the recommended
-permissions are read/write for the user, and not accessible by others.
-.It Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2
+.It Pa /etc/ssh_known_hosts
 Systemwide list of known host keys.
-.Pa /etc/ssh_known_hosts
-contains RSA and
-.Pa /etc/ssh_known_hosts2
-contains RSA or DSA keys for protocol version 2.
-These files should be prepared by the
+This file should be prepared by the
 system administrator to contain the public host keys of all machines in the
 organization.
 This file should be world-readable.
 This file contains
 public keys, one per line, in the following format (fields separated
-by spaces): system name, number of bits in modulus, public exponent,
-modulus, and optional comment field.
+by spaces): system name, public key and optional comment field.
 When different names are used
 for the same machine, all such names should be listed, separated by
 commas.
@@ -1394,7 +1399,7 @@ protocol versions 1.5 and 2.0.
 .%A T. Rinne
 .%A S. Lehtinen
 .%T "SSH Protocol Architecture"
-.%N draft-ietf-secsh-architecture-07.txt
-.%D January 2001
+.%N draft-ietf-secsh-architecture-09.txt
+.%D July 2001
 .%O work in progress material
 .Re