.TH SSH 1
.SH NAME
ssh, sshnet, scp, sshserve, ssh_genkey \- secure login and file copy from/to Unix or Plan 9
.SH SYNOPSIS
.B ssh
[
.B -CiImPpRrvw
]
[
.B -A
.I authlist
]
[
.B -c
.I cipherlist
]
[
.B -[lu]
.I user
]
.RI [ user\fB@ ] host
[
.I cmd
[
.I args
\&... ]]
.PP
.B sshnet
[
.B -A
.I authlist
]
[
.B -c
.I cipherlist
]
[
.B -m
.I mtpt
]
.RI [ user\fB@ ] host
.PP
.B scp
[host:]file [host:]file
.br
.B scp
[host:]file ... [host:]dir
.PP
.B aux/sshserve
[
.B -p
]
.I address
.PP
.B aux/ssh_genkey
[
.I basename
]
.SH DESCRIPTION
.I Ssh
allows authenticated login over an encrypted channel to hosts that
support the ssh protocol (see the RFC listed below for encryption and
authentication details).
.LP
.I Ssh
takes the host name of the machine to connect to as its mandatory argument.
It may be specified as a domain name or an IP address.
Normally, login is attempted using the user name from /dev/user.
.PP
Command-line options are:
.TP
.B -C
force input to be read in cooked mode:
``line at a time'' with local echo.
.TP
.B -i
force interactive mode.
In interactive mode,
.I ssh
prompts for passwords and confirmations of
new host keys when necessary.
(In non-interactive mode, password requests
are rejected and unrecognized host keys are
cause for disconnecting.)
By default,
.I ssh
runs in interactive mode only when its
input file descriptor is
.BR /dev/cons .
.TP
.B -I
force non-interactive mode.
.TP
.B -m
disable the
.RB control- \e
menu, described below.
.TP
.B -p
force pseudoterminal request.
The
.I ssh
protocol, grounded in Unix tradition,
differentiates between connections
that request controlling pseudoterminals
and those that do not.
By default,
.I ssh
requests a pseudoterminal only when no
.I command
is given.
.TP
.B -P
force no pseudoterminal request.
.TP
.B -r
strip carriage returns.
.TP
.B -R
put the allocated pseudoterminal, if any, in raw mode.
.TP
.B -v
enable verbose feedback during the connection and authentication process.
.TP
.B -w
notify the remote side whenever the window changes size.
.TP
.BR - [ lu ] "\fI user
specify user name.
This option is deprecated in favor of the
.IB user @ hostname
syntax.
.TP
.B "-A\fI authlist
specify an ordered space-separated list of authentication protocols to try.
The full set of authentication protocols is
.B rsa
(RSA using
.IR factotum (4)
to moderate key usage),
.B password
(use a password gathered from factotum),
and
.B tis
(challenge-response).
The default list is all three in that order.
.TP
.B "-c\fI cipherlist
specify an ordered space-separated list of allowed ciphers to use when encrypting the channel.
The full set of ciphers is
.B des
(standard DES),
.B 3des
(a somewhat doubtful variation on triple DES),
.B blowfish
(Bruce Schneier's Blowfish),
.B rc4
(RC4),
and
.B none
(no encryption).
The default cipher list is
.B blowfish
.B rc4
.BR 3des .
.PD
.PP
The
.RB control\- \e
character is a local escape, as in
.IR con (1).
It prompts with
.BR >>> .
Legitimate responses to the prompt are
.TP
.B q
Exit.
.TP
.B .
Return from the escape.
.TP
.B !cmd
Run the command with the network connection as its
standard input and standard output.
Standard error will go to the screen.
.TP
.B r
Toggle printing of carriage returns.
.PD
.LP
If no command is specified,
a login session is started on the remote
host.
Otherwise, the command is executed with its arguments.
.LP
.I Ssh
establishes a connection with an ssh daemon on the remote host.
The daemon sends to
.I ssh
its RSA public host key and session key.
Using these,
.I ssh
sends a session key which, presumably, only the
daemon can decipher. After this, both sides start encrypting their
data with this session key.
.LP
When the daemon's host key has been received,
.I ssh
looks it up in
.B $home/lib/keyring
and in
.BR /sys/lib/ssh/keyring .
If
the key is found there, and it matches the received key,
.I ssh
is satisfied. If not,
.I ssh
reports this and offers to add the key to
.BR $home/lib/keyring .
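.LP
The host-key check just described, written out as an added Python example (it is not code from the Plan 9 ssh sources). It combines the keyring lookup with the interactive/non-interactive rule given under the -i option. The keyring file layout ("host key" per line), the confirm callback, the distinction between a changed key and an unknown host, and disconnecting when the user declines to add a key are all assumptions made for the example:

```python
# Added example (not code from the Plan 9 ssh sources): a model of the
# host-key acceptance policy described in ssh(1).
# ASSUMPTION: the keyring format used here ("host key" per line, '#'
# comments) is invented for the example; the page does not describe it.
from enum import Enum


class Verdict(Enum):
    MATCH = "match"        # a keyring entry for the host equals the received key
    MISMATCH = "mismatch"  # entries exist for the host, but none equals it
    UNKNOWN = "unknown"    # neither keyring knows the host


def parse_keyring(text):
    """Parse the assumed keyring format into {host: [keys]}."""
    ring = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"keyring line {lineno}: expected 'host key'")
        host, key = fields
        ring.setdefault(host, []).append(key)
    return ring


def check_host_key(host, received, user_ring, system_ring):
    """Look the host up in $home/lib/keyring and /sys/lib/ssh/keyring.

    ssh is satisfied only when an entry is found and matches.  Telling
    MISMATCH (a changed key) apart from UNKNOWN (a new host) is an
    addition so a caller can log the two cases differently.
    """
    known = user_ring.get(host, []) + system_ring.get(host, [])
    if received in known:
        return Verdict.MATCH
    return Verdict.MISMATCH if known else Verdict.UNKNOWN


def decide(host, received, user_ring, system_ring, interactive, confirm):
    """Apply the -i/-I rule: non-interactive mode disconnects on an
    unrecognized key; interactive mode offers to add it to $home/lib/keyring.

    `confirm(host, key, verdict)` is a hypothetical prompt callback that
    returns True to accept.  ASSUMPTION: declining disconnects; the page
    does not say what happens after a refusal.
    Returns "continue" or "disconnect".
    """
    verdict = check_host_key(host, received, user_ring, system_ring)
    if verdict is Verdict.MATCH:
        return "continue"
    if not interactive:
        return "disconnect"
    if confirm(host, received, verdict):
        user_ring.setdefault(host, []).append(received)  # i.e. appended to $home/lib/keyring
        return "continue"
    return "disconnect"


# Constructed sample keyrings; the key strings are placeholders, not RSA keys.
USER_RING = parse_keyring("""
# $home/lib/keyring (constructed)
plan9.example  KEY-A-old   # stale personal entry; the system ring has the current key
""")
SYSTEM_RING = parse_keyring("""
# /sys/lib/ssh/keyring (constructed)
plan9.example  KEY-A
unix.example   KEY-B
""")


def demo():
    """Run the policy over a few constructed connections; returns the outcomes."""
    accept_all = lambda host, key, verdict: True
    refuse_all = lambda host, key, verdict: False
    ring = {h: list(k) for h, k in USER_RING.items()}  # private copy, so demo() is repeatable
    return {
        "known-match": decide("unix.example", "KEY-B", ring, SYSTEM_RING, False, refuse_all),
        "changed-key-batch": decide("unix.example", "KEY-X", ring, SYSTEM_RING, False, accept_all),
        "new-host-batch": decide("new.example", "KEY-C", ring, SYSTEM_RING, False, accept_all),
        "new-host-accepted": decide("new.example", "KEY-C", ring, SYSTEM_RING, True, accept_all),
        "new-host-now-known": check_host_key("new.example", "KEY-C", ring, SYSTEM_RING),
        "new-host-refused": decide("other.example", "KEY-D", ring, SYSTEM_RING, True, refuse_all),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two batch cases show why -I matters for scripts: with no console to confirm on, both a changed key and an unknown host end the connection instead of silently trusting whatever the daemon sent.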
.LP
Over the encrypted channel,
.I ssh
attempts to convince the daemon to accept the call
using the listed authentication protocols
(see the
.B -A
option above).
.LP
The preferred way to authenticate is a
.IR netkey -style
challenge/response or via a SecurID token.
.I Ssh
users on other systems than Plan 9 should enable \s-2TIS_A\s0uthentication.
.LP
When the connection is authenticated, the given command line
(by default, a login shell) is executed on the remote host.
.sp 1
The SSH protocol allows clients to make outgoing TCP calls via the server.
.I Sshnet
establishes an SSH connection and, rather than execute a remote command,
presents the remote server's TCP stack as a network stack
(see the discussion of TCP in
.IR ip (3))
mounted at
.I mtpt
(default
.BR /net ).
The
.B -A
and
.B -c
arguments are as in
.IR ssh .
.sp 1
.I Scp
uses
.I ssh
to copy files from one host to another. A remote file is identified by
a host name, a colon and a file name (no spaces).
.I Scp
can copy files from remote hosts and to remote hosts.
.sp 1
.I Sshserve
is the server that services
.I ssh
calls from remote hosts.
The
.B -A
and
.B -c
options set valid authentication methods and ciphers
as in
.IR ssh ,
except that there is no
.B rsa
authentication method.
Unlike in
.IR ssh ,
the list is not ordered: the server presents a set and the client makes the choice.
The default sets are
.B tis
and
.B blowfish
.B rc4
.BR 3des .
By default, users start with the namespace defined in
.BR /lib/namespace .
Users in group
.B noworld
in
.B /adm/users
start with the namespace defined in
.BR /lib/namespace.noworld .
.I Sshserve
does not provide the TCP forwarding functionality used
by
.IR sshnet ,
because many Unix clients present
this capability in an insecure manner.
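.LP
How the client's ordered -A and -c lists meet the server's unordered sets, as an added Python example (not code from the Plan 9 ssh sources). The method and cipher names and the default lists are taken from the text above; the function names, the validation of option values, and the decision to fail outright when no cipher is common are assumptions:

```python
# Added example (not from the Plan 9 ssh sources): ssh's ordered -A/-c
# lists versus sshserve's unordered -A/-c sets, as described in ssh(1).
# Names and defaults are from the page; the functions are hypothetical.

KNOWN_AUTH = {"rsa", "password", "tis"}
KNOWN_CIPHERS = {"des", "3des", "blowfish", "rc4", "none"}

CLIENT_AUTH_DEFAULT = "rsa password tis"     # ssh -A default, tried in this order
CLIENT_CIPHER_DEFAULT = "blowfish rc4 3des"  # ssh -c default, most preferred first
SERVER_AUTH_DEFAULT = "tis"                  # sshserve -A default set
SERVER_CIPHER_DEFAULT = "blowfish rc4 3des"  # sshserve -c default set


def parse_list(value, known, side):
    """Split a space-separated option value, rejecting names the page does not list."""
    names = value.split()
    if not names:
        raise ValueError(f"{side}: empty list")
    unknown = [n for n in names if n not in known]
    if unknown:
        raise ValueError(f"{side}: unknown name(s) {unknown}")
    return names


def server_offers(auth=SERVER_AUTH_DEFAULT, ciphers=SERVER_CIPHER_DEFAULT):
    """sshserve's view: unordered sets, and rsa is never a server-side method."""
    auth_set = set(parse_list(auth, KNOWN_AUTH - {"rsa"}, "sshserve -A"))
    cipher_set = set(parse_list(ciphers, KNOWN_CIPHERS, "sshserve -c"))
    return auth_set, cipher_set


def negotiate(client_auth, client_ciphers, server_auth, server_ciphers):
    """ssh's view: keep what the server offers, in the client's own order.

    Returns (auth methods to try, in order; chosen cipher).  An empty auth
    list means no method will ever be attempted.  ASSUMPTION: with no
    common cipher the call is abandoned here, since no channel can be set up.
    """
    auth_pref = parse_list(client_auth, KNOWN_AUTH, "ssh -A")
    cipher_pref = parse_list(client_ciphers, KNOWN_CIPHERS, "ssh -c")
    auth_order = [a for a in auth_pref if a in server_auth]
    cipher = next((c for c in cipher_pref if c in server_ciphers), None)
    if cipher is None:
        raise ValueError(f"no common cipher: client {cipher_pref}, "
                         f"server {sorted(server_ciphers)}")
    return auth_order, cipher


def defaults():
    """A default ssh client against a default sshserve."""
    auth_set, cipher_set = server_offers()
    return negotiate(CLIENT_AUTH_DEFAULT, CLIENT_CIPHER_DEFAULT, auth_set, cipher_set)


if __name__ == "__main__":
    print(defaults())  # (['tis'], 'blowfish')
```

Two things fall out of the defaults: rsa and password are skipped without being tried because the default server set contains only tis, and a client that lists only "none" never gets an unencrypted channel unless the server operator put "none" in its own -c set.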
.PP
.I Ssh_genkey
generates an RSA key set, writing the
private key to
.IB basename .secret
and the public key to
.IB basename .public\fR.
.I Ssh_genkey
also writes
a secret key in the style expected by factotum
to
.IB basename .secret.factotum\fR.
The default
.B basename
is
.BR /sys/lib/ssh/hostkey ,
so running it with no arguments
will generate an RSA key set
for the file server in use.
.SH FILES
.TF /sys/lib/ssh/hostkey.public
.TP
.B /sys/lib/ssh/hostkey.public
Public key for the host on which the program runs.
.TP
.B /sys/lib/ssh/hostkey.secret
Secret key for the host on which the program runs. This file must
be owned and be readable by bootes only.
.TP
.B /sys/lib/ssh/keyring
System keyring file containing public keys for remote ssh clients and servers.
.TP
.B /usr/\fIuser\fP/lib/keyring
Personal keyring file containing public keys for remote ssh clients and
servers.
.SH SOURCE
.B /sys/src/cmd/ssh
.SH "SEE ALSO"
.IR /sys/src/cmd/ssh/RFC*
.br
.IR factotum (4),
.IR authsrv (6)