.TH SSH1 1
.SH NAME
ssh1, sshnet, scp, sshserve \- encrypted login and file copy with foreign systems via SSHv1
.SH SYNOPSIS
.B ssh1
[
.B -CfiImPpRrw
]
[
.B -A
.I authlist
]
[
.B -c
.I cipherlist
]
[
.B -[lu]
.I user
]
.RI [ user\fB@ ] host
[
.I cmd
[
.I args
\&... ]]
.PP
.B sshnet
[
.B -A
.I authlist
]
[
.B -c
.I cipherlist
]
[
.B -m
.I mtpt
]
[
.B -s
.I service
]
.RI [ user\fB@ ] host
.PP
.B scp
.RI [ host :] file
.RI [ host2 :] file2
.br
.B scp
.RI [ host :] file
\&...
.RI [ host2 :] dir
.PP
.B aux/sshserve
[
.B -A
.I authlist
]
[
.B -c
.I cipherlist
]
[
.B -i
.I id-string
]
.I address
.SH DESCRIPTION
.I Ssh1
performs authenticated login over an encrypted channel to hosts that
support the SSH v1 protocol (see the RFCs listed below for encryption and
authentication details).
.I Ssh1
takes the host name of the machine to connect to as its mandatory argument.
It may be specified as a domain name or an IP address.
Normally, login is attempted using the user name from
.BR /dev/user .
.PP
Command-line options are:
.TF "C
.PD
.TP
.B -C
force input to be read in cooked mode:
``line at a time'' with local echo.
.TP
.B -f
enable agent forwarding.
With this flag,
.I ssh1
uses SSH's agent forwarding protocol to allow
programs running on the remote server to
interact with
.IR factotum (4)
to perform RSA authentication.
.TP
.B -i
force interactive mode.
In interactive mode,
.I ssh1
prompts for passwords and confirmations of
new host keys when necessary.
(In non-interactive mode, password requests
are rejected and unrecognized host keys are
cause for disconnecting.)
By default,
.I ssh1
runs in interactive mode only when its
input file descriptor is
.BR /dev/cons .
.TP
.B -I
force non-interactive mode.
.TP
.B -m
disable the
.RB control- \e
menu, described below.
.TP
.B -p
force pseudoterminal request.
The SSH protocol, grounded in Unix tradition,
differentiates between connections
that request controlling pseudoterminals
and those that do not.
By default,
.I ssh1
requests a pseudoterminal only when no
.I command
is given.
.TP
.B -P
force no pseudoterminal request.
.TP
.B -r
strip carriage returns.
.TP
.B -R
put the allocated pseudoterminal, if any, in raw mode.
.TP
.B -w
notify the remote side whenever the window changes size.
.TP
.BR - [ lu ] "\fI user
specify user name.
This option is deprecated in favor of the
.IB user @ hostname
syntax.
.TP
.B "-A\fI authlist
specify an ordered space-separated list of authentication protocols to try.
The full set of authentication protocols is
.B rsa
(RSA using
.IR factotum (4)
to moderate key usage),
.B password
(use a password gathered from factotum),
and
.B tis
(challenge-response).
The default list is all three in that order.
.TP
.B "-c\fI cipherlist
specify an ordered space-separated list of allowed ciphers to use when encrypting the channel.
The full set of ciphers is
.B des
(standard DES),
.B 3des
(a somewhat doubtful variation on triple DES),
.B blowfish
(Bruce Schneier's Blowfish),
.B rc4
(RC4),
and
.B none
(no encryption).
The default cipher list is
.B blowfish
.B rc4
.BR 3des .
.PD
.PP
The
.RB control\- \e
character is a local escape, as in
.IR con (1).
It prompts with
.BR >>> .
Legitimate responses to the prompt are
.TP
.B q
Exit.
.TP
.B .
Return from the escape.
.TP
.B !cmd
Run the command with the network connection as its
standard input and standard output.
Standard error will go to the screen.
.TP
.B r
Toggle printing of carriage returns.
.PD
.LP
If no command is specified,
a login session is started on the remote
host.
Otherwise, the command is executed with its arguments.
.LP
.I Ssh1
establishes a connection with an SSH daemon on the remote host.
The daemon sends to
.I ssh1
its RSA public host key and session key.
Using these,
.I ssh1
sends a session key which, presumably, only the
daemon can decipher. After this, both sides start encrypting their
data with this session key.
.LP
When the daemon's host key has been received,
.I ssh1
looks it up in
.B $home/lib/keyring
and in
.BR /sys/lib/ssh/keyring .
If
the key is found there, and it matches the received key,
.I ssh1
is satisfied. If not,
.I ssh1
reports this and offers to add the key to
.BR $home/lib/keyring .
.LP
Over the encrypted channel,
.I ssh1
attempts to convince the daemon to accept the call
using the listed authentication protocols
(see the
.B -A
option above).
.LP
The preferred way to authenticate is a
.IR netkey -style
challenge/response or via a SecurID token.
SSH users on systems other than Plan 9 should enable \s-2TIS_A\s0uthentication.
.LP
When the connection is authenticated, the given command line
(by default, a login shell) is executed on the remote host.
.sp 1
The SSH protocol allows clients to make outgoing TCP calls via the server.
.I Sshnet
establishes an SSH connection and, rather than execute a remote command,
presents the remote server's TCP stack as a network stack
(see the discussion of TCP in
.IR ip (3))
mounted at
.I mtpt
(default
.BR /net ),
optionally posting a 9P service
descriptor for the new file system as
.BI /srv/ service \fR.
The
.B -A
and
.B -c
arguments are as for
.IR ssh1 .
.sp 1
.I Scp
uses
.I ssh
to copy files from one host to another.
A remote file is identified by
a host name, a colon and a file name (no spaces).
.I Scp
can copy files from remote hosts and to remote hosts.
.SS "Server and Keys
.I Sshserve
is the server that services
SSH
calls from remote hosts.
The
.B -A
and
.B -c
options set valid authentication methods and ciphers
as for
.IR ssh1 ,
except that there is no
.B rsa
authentication method.
Unlike in
.IR ssh1 ,
the list is not ordered: the server presents a set and the client makes the choice.
The default sets are
.B tis
and
.B blowfish
.B rc4
.BR 3des .
The
.B -i
option prevents reading the client's ID-string line and assumes
its ID string to be
.IR id-string .
By default, users start with the namespace defined in
.BR /lib/namespace .
Users in group
.B noworld
in
.B /adm/users
start with the namespace defined in
.BR /lib/namespace.noworld .
.I Sshserve
does not provide the TCP forwarding functionality used
by
.IR sshnet ,
because many Unix clients present
this capability in an insecure manner.
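The way the client's ordered -A and -c lists meet the server's unordered sets, as an added example (not code from ssh1 or sshserve). It is a simplified model that assumes the client settles on the first entry of its list that the server offers; the FLAGGED policy, the host name and the dial string in the comments are constructed for illustration.

```python
# Names and defaults are the ones listed in this man page.
KNOWN = {"-A": {"rsa", "password", "tis"},
         "-c": {"des", "3des", "blowfish", "rc4", "none"}}
SSH1 = {"-A": ["rsa", "password", "tis"], "-c": ["blowfish", "rc4", "3des"]}
SSHSERVE = {"-A": ["tis"], "-c": ["blowfish", "rc4", "3des"]}
# Reviewer policy assumed by this example; not part of ssh1.
FLAGGED = {"none": "channel is not encrypted",
           "des": "56-bit key",
           "rc4": "known keystream biases"}


def parse_lists(argv, defaults, value_flags, server=False):
    """Return the effective -A/-c lists for an argv (program name first)."""
    lists = {flag: list(names) for flag, names in defaults.items()}
    i = 1
    while i < len(argv) and argv[i].startswith("-"):
        flag = argv[i]
        if flag not in value_flags:       # boolean flags such as -Cf
            i += 1
            continue
        if i + 1 >= len(argv):
            raise ValueError(f"{flag} needs an argument")
        if flag in KNOWN:
            names = argv[i + 1].split()
            bad = [n for n in names if n not in KNOWN[flag]]
            if server and flag == "-A" and "rsa" in names:
                bad.append("rsa")         # sshserve has no rsa method
            if bad or not names:
                raise ValueError(f"bad {flag} list: {argv[i + 1]!r}")
            lists[flag] = names
        i += 2                            # skip the flag and its value
    return lists


def negotiate(client_argv, server_argv):
    """Model: first entry of each client list that the server's set offers.

    Returns (auth, cipher, warning); None means no overlap or no warning.
    e.g. negotiate(["ssh1", "example.net"], ["aux/sshserve", "tcp!*!22"])
    """
    client = parse_lists(client_argv, SSH1, {"-A", "-c", "-l", "-u"})
    server = parse_lists(server_argv, SSHSERVE, {"-A", "-c", "-i"}, server=True)
    auth = next((n for n in client["-A"] if n in server["-A"]), None)
    cipher = next((n for n in client["-c"] if n in server["-c"]), None)
    return auth, cipher, FLAGGED.get(cipher)
```

With both sides on their defaults the model yields tis and blowfish; a weak cipher is only reached when both the client list and the server set admit it.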
.PP
.I Sshserve
requires that
.IR factotum (4)
hold the host key,
identified by having attributes
.B proto=rsa
.BR service=sshserve .
To generate a host key:
.IP
.EX
auth/rsagen -t 'service=sshserve' >/mnt/factotum/ctl
.EE
.LP
To extract the public part of the host key in the form
used by SSH key rings:
.IP
.EX
grep 'service=sshserve' /mnt/factotum/ctl | auth/rsa2ssh
.EE
.SH FILES
.TP
.B /sys/lib/ssh/keyring
System key ring file containing public keys for remote SSH clients and servers.
.TP
.B /usr/\fIuser\fP/lib/keyring
Personal key ring file containing public keys for remote SSH clients and
servers.
.SH SOURCE
.B /sys/src/cmd/ssh1
.SH "SEE ALSO"
.B /lib/rfc/rfc425[0-6]
.br
.IR con (1),
.IR cpu (1),
.IR ssh2 (1),
.IR factotum (4),
.IR authsrv (6),
.IR rsa (8)