.TH SSH 1
.SH NAME
ssh, sshnet, scp, sshserve \- secure login and file copy from/to Unix or Plan 9
.SH SYNOPSIS
.B ssh
[
.B -CfiImPpRrw
]
[
.B -A
.I authlist
]
[
.B -c
.I cipherlist
]
[
.B -[lu]
.I user
]
.RI [ user\fB@ ] host
[
.I cmd
[
.I args
\&... ]]
.PP
.B sshnet
[
.B -A
.I authlist
]
[
.B -c
.I cipherlist
]
[
.B -m
.I mtpt
]
[
.B -s
.I service
]
.RI [ user\fB@ ] host
.PP
.B scp
[host:]file [host:]file
.br
.B scp
[host:]file ... [host:]dir
.PP
.B aux/sshserve
[
.B -p
]
.I address
.SH DESCRIPTION
.I Ssh
allows authenticated login over an encrypted channel to hosts that
support version 1 of the ssh protocol, the version built on RSA host keys
and the ciphers listed under
.B -c
below; the encryption and authentication mechanisms are those of that
protocol and are only summarized here.
.LP
.I Ssh
takes the host name of the machine to connect to as its mandatory argument.
It may be specified as a domain name or an IP address.
Normally, login is attempted using the user name from /dev/user.
.PP
Command-line options are:
.TP
.B -C
force input to be read in cooked mode:
``line at a time'' with local echo.
.TP
.B -f
enable agent forwarding.
With this flag,
.I ssh
uses SSH's agent forwarding protocol to allow
programs running on the remote server to
interact with
.IR factotum (4)
to perform RSA authentication.
Anything on the remote host able to reach the forwarded agent,
its administrator included, can ask
.I factotum
to authenticate with your keys for as long as the session lasts
(subject to whatever confirmation
.I factotum
imposes), so forward the agent only to hosts you trust.
.TP
.B -i
force interactive mode.
In interactive mode,
.I ssh
prompts for passwords and confirmations of
new host keys when necessary.
(In non-interactive mode, password requests
are rejected and unrecognized host keys are
cause for disconnecting.)
By default,
.I ssh
runs in interactive mode only when its
input file descriptor is
.BR /dev/cons .
.TP
.B -I
force non-interactive mode.
.TP
.B -m
disable the
.RB control\- \e
menu, described below.
.TP
.B -p
force pseudoterminal request.
The
.I ssh
protocol, grounded in Unix tradition,
differentiates between connections
that request controlling pseudoterminals
and those that do not.
By default,
.I ssh
requests a pseudoterminal only when no
.I command
is given.
.TP
.B -P
force no pseudoterminal request.
.TP
.B -r
strip carriage returns.
.TP
.B -R
put the allocated pseudoterminal, if any, in raw mode.
.TP
.B -w
notify the remote side whenever the window changes size.
.TP
.BR - [ lu ] "\fI user
specify user name.
This option is deprecated in favor of the
.IB user @ hostname
syntax.
.TP
.B "-A\fI authlist
specify an ordered space-separated list of authentication protocols to try.
The full set of authentication protocols is
.B rsa
(RSA using
.IR factotum (4)
to moderate key usage),
.B password
(use a password gathered from factotum),
and
.B tis
(challenge-response).
The default list is all three in that order.
.TP
.B "-c\fI cipherlist
specify an ordered space-separated list of allowed ciphers to use when encrypting the channel.
The full set of ciphers is
.B des
(standard DES),
.B 3des
(a somewhat doubtful variation on triple DES),
.B blowfish
(Bruce Schneier's Blowfish),
.B rc4
(RC4),
and
.B none
(no encryption).
The default cipher list is
.B blowfish
.B rc4
.BR 3des .
.B Des
and
.B none
are left out of the default deliberately: single DES is within reach of
brute force, and
.B none
sends the session in clear text.
Name them only when testing against a server that offers nothing better.
.PD
.PP
The
.RB control\- \e
character is a local escape, as in
.IR con (1).
It prompts with
.BR >>> .
Legitimate responses to the prompt are
.TP
.B q
Exit.
.TP
.B .
Return from the escape.
.TP
.B !cmd
Run the command with the network connection as its
standard input and standard output.
Standard error will go to the screen.
.TP
.B r
Toggle printing of carriage returns.
.PD
.LP
If no command is specified,
a login session is started on the remote
host.
Otherwise, the command is executed with its arguments.
.LP
.I Ssh
establishes a connection with an ssh daemon on the remote host.
The daemon sends to
.I ssh
its RSA public host key and a short-lived RSA server key.
.I Ssh
chooses a session key, encrypts it under both public keys
and sends it; presumably only the daemon can decipher it.
After this, both sides encrypt their data with the session key,
using the cipher chosen from the list given with
.BR -c .
.LP
When the daemon's host key has been received,
.I ssh
looks it up in
.B $home/lib/keyring
and in
.BR /sys/lib/ssh/keyring .
If the key is found there and matches the received key,
.I ssh
is satisfied.
If not,
.I ssh
reports this and offers to add the key to
.BR $home/lib/keyring .
Accept an offered key only when the host's key has been checked by some
other route (for example against the output of
.I rsa2ssh
on the server, described below):
a key that is on record but differs from the one received may mean the
connection is being intercepted, and the encrypted channel is only as
trustworthy as the host key that set it up.
In non-interactive mode (see
.BR -I )
an unrecognized host key ends the connection instead.
.LP
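The following Python program is an added example, not code from the ssh sources,
of the key ring lookup just described, consulting the personal ring before the
system ring and separating the three outcomes (known and matching, unknown,
known but different); it refuses a differing key outright, which is stricter
than the offer-to-add behaviour above. It assumes that a key ring is a text file
of lines of the form host, bits, exponent, modulus and optional comment; that
layout, the host names and the key values in it are constructed for the example.

```python
"""Host-key lookup in the style of ssh(1)'s key ring check.

Added example; not code from the Plan 9 ssh sources.  Assumptions, not
taken from the manual page: a key ring is a text file whose lines read
    host bits exponent modulus [comment]
and the sample rings and key values below are constructed.
"""
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

Key = Tuple[int, int, int]          # (bits, public exponent, modulus)


class Verdict(Enum):
    MATCH = "match"          # recorded key equals the received key
    UNKNOWN = "unknown"      # no record for this host: trust-on-first-use
    MISMATCH = "mismatch"    # record exists and differs: possible interception


def parse_keyring(text: str) -> Dict[str, Key]:
    """Map host name -> key.  Blank lines and '#' comments are skipped;
    a later line for the same host replaces an earlier one."""
    ring: Dict[str, Key] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed key ring line: %r" % line)
        ring[fields[0]] = (int(fields[1]), int(fields[2]), int(fields[3]))
    return ring


def check_host_key(host: str, received: Key, rings: List[Dict[str, Key]]) -> Verdict:
    """Consult the rings in order (personal ring first, then the system
    ring, as ssh(1) does).  The first ring that knows the host decides;
    only a host absent from every ring is UNKNOWN."""
    for ring in rings:
        if host in ring:
            return Verdict.MATCH if ring[host] == received else Verdict.MISMATCH
    return Verdict.UNKNOWN


def decide(verdict: Verdict, interactive: bool,
           confirm: Optional[Callable[[], bool]] = None) -> bool:
    """True to proceed, False to disconnect.

    MATCH proceeds.  UNKNOWN follows the -i/-I rule: a non-interactive
    session never accepts an unrecognized key, an interactive one asks
    (confirm) before the key would be added.  MISMATCH is refused
    unconditionally here, stricter than 'report and offer to add': a
    changed key must be verified out of band, not accepted at a prompt."""
    if verdict is Verdict.MATCH:
        return True
    if verdict is Verdict.UNKNOWN:
        return bool(interactive and confirm is not None and confirm())
    return False


# Constructed sample rings.  The numbers are placeholders, not real RSA keys.
PERSONAL_RING = """
# $home/lib/keyring
gw.example.org 1024 65537 2357111317192329313741
"""

SYSTEM_RING = """
# /sys/lib/ssh/keyring
gw.example.org 1024 65537 9999999999999999999999
fs.example.org 1024 35 4327
"""


def lookup(host: str, received: Key) -> Verdict:
    """The personal ring shadows the system ring, so a stale or tampered
    entry in $home/lib/keyring decides gw.example.org even though the
    system ring lists that host too."""
    rings = [parse_keyring(PERSONAL_RING), parse_keyring(SYSTEM_RING)]
    return check_host_key(host, received, rings)


if __name__ == "__main__":
    for host, key in [("gw.example.org", (1024, 65537, 2357111317192329313741)),
                      ("gw.example.org", (1024, 65537, 9999999999999999999999)),
                      ("fs.example.org", (1024, 35, 4327)),
                      ("new.example.org", (1024, 65537, 1234567))]:
        v = lookup(host, key)
        print(host, v.value, "proceed" if decide(v, False) else "disconnect (non-interactive)")
```

Note that the second lookup of gw.example.org is reported as a mismatch even though
the system ring holds the key received: the personal ring is consulted first and
wins, which is why a stale or tampered $home/lib/keyring deserves the same care as
the system ring.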
Over the encrypted channel,
.I ssh
attempts to convince the daemon to accept the call
using the listed authentication protocols
(see the
.B -A
option above).
.LP
The preferred way to authenticate is a
.IR netkey -style
challenge/response or via a SecurID token.
Users whose servers run on systems other than Plan 9 should enable
\s-2TIS_A\s0uthentication on those servers.
.LP
When the connection is authenticated, the given command line
(by default, a login shell) is executed on the remote host.
.sp 1
The SSH protocol allows clients to make outgoing TCP calls via the server.
.I Sshnet
establishes an SSH connection and, rather than execute a remote command,
presents the remote server's TCP stack as a network stack
(see the discussion of TCP in
.IR ip (3))
mounted at
.I mtpt
(default
.BR /net ),
optionally posting a 9P service
descriptor for the new file system as
.IB /srv/ service \fR.
The
.B -A
and
.B -c
arguments are as in
.IR ssh .
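.LP
The following rc script is an added example, not part of the Plan 9 sources,
of using the mounted stack: it keeps the local stack by mounting the remote one
on a separate directory, posts the session so another window can attach it,
and then places the remote stack in front of the local one for the programs in
that window. The host names, the mount point /n/gw and the service name gw are
assumptions made up for the example.

```rc
# Added example, not from the Plan 9 sources.  gw.example.org,
# intranet.example.org, /n/gw and the service name gw are made up.

# Log in to the gateway and mount its TCP stack on /n/gw rather than on
# /net, so this namespace keeps its own stack as well; post the session
# as /srv/gw so other windows can reuse it without logging in again.
# The -c list is passed exactly as ssh(1) would take it; 'none' is
# deliberately absent from it.
sshnet -m /n/gw -s gw -c 'blowfish 3des' user@gw.example.org

# A connection opened under /n/gw/tcp originates on the gateway, so
# hosts only the gateway can reach become reachable from here.  Programs
# find their stack through /net, so put the gateway's stack in front of
# the local one for the rest of this window.  Name translation still
# goes through whichever cs is found first under /net.
bind -b /n/gw /net
hget http://intranet.example.org/ >/tmp/page

# In another window, attach the same session instead of logging in again:
mount /srv/gw /n/gw
```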
.sp 1
.I Scp
uses
.I ssh
to copy files from one host to another. A remote file is identified by
a host name, a colon and a file name (no spaces).
.I Scp
can copy files from remote hosts and to remote hosts.
.sp 1
.I Sshserve
is the server that services
.I ssh
calls from remote hosts.
The
.B -A
and
.B -c
options set valid authentication methods and ciphers
as in
.IR ssh ,
except that there is no
.B rsa
authentication method.
Unlike in
.IR ssh ,
the list is not ordered: the server presents a set and the client makes the choice.
Because the choice is the client's, any cipher left in the server's set
can be selected by any client, so do not add
.B des
or
.B none
to it.
The default sets are
.B tis
and
.B blowfish
.B rc4
.BR 3des .
By default, users start with the namespace defined in
.BR /lib/namespace .
Users in group
.B noworld
in
.B /adm/users
start with the namespace defined in
.BR /lib/namespace.noworld .
.I Sshserve
does not provide the TCP forwarding functionality used
by
.IR sshnet ,
because many Unix clients present
this capability in an insecure manner.
.PP
.I Sshserve
requires that
.IR factotum (4)
hold the host key,
identified by having attributes
.B proto=rsa
.BR service=sshserve .
To generate a host key:
.IP
.EX
auth/rsagen -t 'service=sshserve' >/mnt/factotum/ctl
.EE
.LP
To extract the public part of the host key in the form
used by SSH key rings:
.IP
.EX
grep 'service=sshserve' /mnt/factotum/ctl | auth/rsa2ssh
.EE
.SH FILES
.TP
.B /sys/lib/ssh/keyring
System key ring file containing public keys for remote ssh clients and servers.
.TP
.B /usr/\fIuser\fP/lib/keyring
Personal key ring file containing public keys for remote ssh clients and
servers.
.SH SOURCE
.B /sys/src/cmd/ssh
.SH "SEE ALSO"
.IR factotum (4),
.IR authsrv (6),
.IR rsa (8)