1
0

ssh 6.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355
  1. .TH SSH 1
  2. .SH NAME
  3. ssh, sshnet, scp, sshserve, ssh_genkey \- secure login and file copy from/to Unix or Plan 9
  4. .SH SYNOPSIS
  5. .B ssh
  6. [
  7. .B -CfiImPpRrw
  8. ]
  9. [
  10. .B -A
  11. .I authlist
  12. ]
  13. [
  14. .B -c
  15. .I cipherlist
  16. ]
  17. [
  18. .B -[lu]
  19. .I user
  20. ]
  21. .RI [ user\fB@ ] host
  22. [
  23. .I cmd
  24. [
  25. .I args
  26. \&... ]]
  27. .PP
  28. .B sshnet
  29. [
  30. .B -A
  31. .I authlist
  32. ]
  33. [
  34. .B -c
  35. .I cipherlist
  36. ]
  37. [
  38. .B -m
  39. .I mtpt
  40. ]
  41. [
  42. .B -s
  43. .I service
  44. ]
  45. .RI [ user\fB@ ] host
  46. .PP
  47. .B scp
  48. [host:]file [host:]file
  49. .br
  50. .B scp
  51. [host:]file ... [host:]dir
  52. .PP
  53. .B aux/sshserve
  54. [
  55. .B -p
  56. ]
  57. .I address
  58. .PP
  59. .B aux/ssh_genkey
  60. [
  61. .I basename
  62. ]
  63. .SH DESCRIPTION
  64. .I Ssh
  65. allows authenticated login over an encrypted channel to hosts that
  66. support the ssh protocol (see the RFC listed below for encryption and
  67. authentication details).
  68. .LP
  69. .I Ssh
  70. takes the host name of the machine to connect to as its mandatory argument.
  71. It may be specified as a domain name or an IP address.
  72. Normally, login is attempted using the user name from /dev/user.
  73. .PP
  74. Command-line options are:
  75. .TP
  76. .B -C
  77. force input to be read in cooked mode:
  78. ``line at a time'' with local echo.
  79. .TP
  80. .B -f
  81. enable agent forwarding.
  82. With this flag,
  83. .I ssh
  84. uses SSH's agent forwarding protocol to allow
  85. programs running on the remote server to
  86. interact with
  87. .IR factotum (4)
  88. to perform RSA authentication.
  89. .TP
  90. .B -i
  91. force interactive mode.
  92. In interactive mode,
  93. .I ssh
  94. prompts for passwords and confirmations of
  95. new host keys when necessary.
  96. (In non-interactive mode, password requests
  97. are rejected and unrecognized host keys are
  98. cause for disconnecting.)
  99. By default,
  100. .I ssh
  101. runs in interactive mode only when its
  102. input file descriptor is
  103. .BR /dev/cons .
  104. .TP
  105. .B -I
  106. force non-interactive mode.
  107. .TP
  108. .B -m
  109. disable the
  110. .RB control- \e
  111. menu, described below.
  112. .TP
  113. .B -p
  114. force pseudoterminal request.
  115. The
  116. .I ssh
  117. protocol, grounded in Unix tradition,
  118. differentiates between connections
  119. that request controlling pseudoterminals
  120. and those that do not.
  121. By default,
  122. .I ssh
  123. requests a pseudoterminal only when no
  124. .I command
  125. is given.
  126. .TP
  127. .B -P
  128. force no pseudoterminal request.
  129. .TP
  130. .B -r
  131. strip carriage returns.
  132. .TP
  133. .B -R
  134. put the allocated pseudoterminal, if any, in raw mode.
  135. .TP
  136. .B -w
  137. notify the remote side whenever the window changes size.
  138. .TP
  139. .BR - [ lu ] "\fI user
  140. specify user name.
  141. This option is deprecated in favor of the
  142. .IB user @ hostname
  143. syntax.
  144. .TP
  145. .B "-A\fI authlist
  146. specify an ordered space-separated list of authentication protocols to try.
  147. The full set of authentication protocols is
  148. .B rsa
  149. (RSA using
  150. .IR factotum (4)
  151. to moderate key usage),
  152. .B password
  153. (use a password gathered from factotum),
  154. and
  155. .B tis
  156. (challenge-response).
  157. The default list is all three in that order.
  158. .TP
  159. .B "-c\fI cipherlist
  160. specify an ordered space-separated list of allowed ciphers to use when encrypting the channel.
  161. The full set of ciphers is
  162. .B des
  163. (standard DES),
  164. .B 3des
  165. (a somewhat doubtful variation on triple DES),
  166. .B blowfish
  167. (Bruce Schneier's Blowfish),
  168. .B rc4
  169. (RC4),
  170. and
  171. .B none
  172. (no encryption).
  173. The default cipher list is
  174. .B blowfish
  175. .B rc4
  176. .BR 3des .
  177. .PD
  178. .PP
  179. The
  180. .RB control\- \e
  181. character is a local escape, as in
  182. .IR con (1).
  183. It prompts with
  184. .BR >>> .
  185. Legitimate responses to the prompt are
  186. .TP
  187. .B q
  188. Exit.
  189. .TP
  190. .B .
  191. Return from the escape.
  192. .TP
  193. .B !cmd
  194. Run the command with the network connection as its
  195. standard input and standard output.
  196. Standard error will go to the screen.
  197. .TP
  198. .B r
  199. Toggle printing of carriage returns.
  200. .PD
  201. .LP
  202. If no command is specified,
  203. a login session is started on the remote
  204. host.
  205. Otherwise, the command is executed with its arguments.
  206. .LP
  207. .I Ssh
  208. establishes a connection with an ssh daemon on the remote host.
  209. The daemon sends to
  210. .I ssh
  211. its RSA public host key and session key.
  212. Using these,
  213. .I ssh
  214. sends a session key which, presumably, only the
  215. daemon can decipher. After this, both sides start encrypting their
  216. data with this session key.
  217. .LP
  218. When the daemon's host key has been received,
  219. .I ssh
  220. looks it up in
  221. .B $home/lib/keyring
  222. and in
  223. .BR /sys/lib/ssh/keyring .
  224. If
  225. the key is found there, and it matches the received key,
  226. .I ssh
  227. is satisfied. If not,
  228. .I ssh
  229. reports this and offers to add the key to
  230. .BR $home/lib/keyring .
  231. .LP
  232. Over the encrypted channel,
  233. .I ssh
  234. attempts to convince the daemon to accept the call
  235. using the listed authentication protocols
  236. (see the
  237. .B -A
  238. option above).
  239. .LP
  240. The preferred way to authenticate is a
  241. .IR netkey -style
  242. challenge/response or via a SecurID token.
  243. .I Ssh
  244. users on other systems than Plan 9 should enable \s-2TIS_A\s0uthentication.
  245. .LP
  246. When the connection is authenticated, the given command line,
  247. (by default, a login shell) is executed on the remote host.
  248. .sp 1
  249. The SSH protocol allows clients to make outgoing TCP calls via the server.
  250. .I Sshnet
  251. establishes an SSH connection and, rather than execute a remote command,
  252. presents the remote server's TCP stack as a network stack
  253. (see the discussion of TCP in
  254. .IR ip (3))
  255. mounted at
  256. .I mtpt
  257. (default
  258. .BR /net ),
  259. optionally posting a 9P service
  260. descriptor for the new file system as
  261. .IB /srv/ service \fR.
  262. The
  263. .B -A
  264. and
  265. .B -c
  266. arguments are as in
  267. .IR ssh .
  268. .sp 1
  269. .I Scp
  270. uses
  271. .I ssh
  272. to copy files from one host to another. A remote file is identified by
  273. a host name, a colon and a file name (no spaces).
  274. .I Scp
  275. can copy files from remote hosts and to remote hosts.
  276. .sp 1
  277. .I Sshserve
  278. is the server that services
  279. .I ssh
  280. calls from remote hosts.
  281. The
  282. .B -A
  283. and
  284. .B -c
  285. options set valid authentication methods and ciphers
  286. as in
  287. .IR ssh ,
  288. except that there is no
  289. .B rsa
  290. authentication method.
  291. Unlike in
  292. .IR ssh ,
  293. the list is not ordered: the server presents a set and the client makes the choice.
  294. The default sets are
  295. .B tis
  296. and
  297. .B blowfish
  298. .B rc4
  299. .BR 3des .
  300. By default, users start with the namespace defined in
  301. .BR /lib/namespace .
  302. Users in group
  303. .B noworld
  304. in
  305. .B /adm/users
  306. start with the namespace defined in
  307. .BR /lib/namespace.noworld .
  308. .I Sshserve
  309. does not provide the TCP forwarding functionality used
  310. by
  311. .IR sshnet ,
  312. because many Unix clients present
  313. this capability in an insecure manner.
  314. .PP
  315. .I Ssh_genkey
  316. generates an RSA key set, writing the
  317. private key to
  318. .IB basename .secret
  319. and the public key to
  320. .IB basename .public\fR.
  321. .I Ssh_genkey
  322. also writes
  323. a secret key in the style expected by factotum
  324. to
  325. .IB basename .secret.factotum\fR.
  326. The default
  327. .B basename
  328. is
  329. .BR /sys/lib/ssh/hostkey ,
  330. so running it with no arguments
  331. will generate an RSA key set
  332. for the file server in use.
  333. .SH FILES
  334. .TF /sys/lib/ssh/hostkey.public
  335. .TP
  336. .B /sys/lib/ssh/hostkey.public
  337. Public key for the host on which the program runs.
  338. .TP
  339. .B /sys/lib/ssh/hostkey.secret
  340. Secret key for the host on which the program runs. This file must
  341. be owned and be readable by bootes only.
  342. .TP
  343. .B /sys/lib/ssh/keyring
  344. System keyring file containing public keys for remote ssh clients and servers.
  345. .TP
  346. .B /usr/\fIuser\fP/lib/keyring
  347. Personal keyring file containing public keys for remote ssh clients and
  348. servers.
  349. .SH SOURCE
  350. .B /sys/src/cmd/ssh
  351. .SH "SEE ALSO"
  352. .IR /sys/src/cmd/ssh/RFC*
  353. .br
  354. .IR factotum (4),
  355. .IR authsrv (6)