author: Richard Lowe <richlowe@richlowe.net> 2016-08-09 13:52:53 -0400
committer: Richard Lowe <richlowe@richlowe.net> 2016-08-22 10:51:23 -0400
commit: 0343317a7b3df0798d9facd6eb5a0e83abd23d83 (patch)
tree: fa4c21e47758ad53e9e82c4709593e9731baffb4 /usr/src/man/man1/ssh.sunssh.1
parent: 09c0accb630678e1a150310a8852806c5052b2ac (diff)
7293 Sun Secure Shell is neither
Reviewed by: Albert Lee <trisk@omniti.com>
Reviewed by: Alex Wilson <alex.wilson@joyent.com>
Reviewed by: Alexander Pyhalov <alp@rsu.ru>
Reviewed by: Dan McDonald <danmcd@omniti.com>
Reviewed by: Garrett D'Amore <garrett@damore.org>
Reviewed by: Peter Tribble <peter.tribble@gmail.com>
Diffstat (limited to 'usr/src/man/man1/ssh.sunssh.1')
-rw-r--r-- usr/src/man/man1/ssh.sunssh.1 979
1 files changed, 0 insertions, 979 deletions
diff --git a/usr/src/man/man1/ssh.sunssh.1 b/usr/src/man/man1/ssh.sunssh.1
deleted file mode 100644
index 88d8c56fdc..0000000000
--- a/usr/src/man/man1/ssh.sunssh.1
+++ /dev/null
@@ -1,979 +0,0 @@
-'\" te
-.\" To view license terms, attribution, and copyright for OpenSSH, the default path is /var/sadm/pkg/SUNWsshdr/install/copyright. If the Solaris operating environment has been installed anywhere other than the default, modify the specified path to access the file at
-.\" the installed location.
-.\" Portions Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
-.TH SSH 1 "May 20, 2009"
-.SH NAME
-ssh \- secure shell client (remote login program)
-.SH SYNOPSIS
-.LP
-.nf
-\fBssh\fR [\fB-l\fR \fIlogin_name\fR] \fIhostname\fR | \fIuser@hostname\fR [ \fIcommand\fR]
-.fi
-
-.LP
-.nf
-\fBssh\fR [\fB-afgknqstvxACNTX1246\fR] [\fB-b\fR \fIbind_address\fR] [\fB-m\fR \fImac_spec\fR]
- [\fB-c\fR \fIcipher_spec\fR] [\fB-e\fR \fIescape_char\fR] [\fB-i\fR \fIidentity_file\fR]
- [\fB-l\fR \fIlogin_name\fR] [\fB-F\fR \fIconfigfile\fR] [\fB-o\fR \fIoption\fR] [\fB-p\fR \fIport\fR]
- [\fB-L\fR [\fIbind_address\fR\fB:\fR]\fIport\fR\fB:\fR\fIhost\fR\fB:\fR\fIhostport\fR]
- [\fB-R\fR [\fIbind_address\fR\fB:\fR]\fIport\fR\fB:\fR\fIhost\fR\fB:\fR\fIhostport\fR]
- [\fB-D\fR [\fIbind_address\fR\fB:\fR]\fIport\fR] \fIhostname\fR | \fIuser\fR\fB@\fR\fIhostname\fR [\fIcommand\fR]
-.fi
-
-.SH DESCRIPTION
-.LP
-\fBssh\fR (Secure Shell) is a program for logging into a remote machine and for
-executing commands on a remote machine. It is intended to replace \fBrlogin\fR
-and \fBrsh\fR, and to provide secure encrypted communications between two
-untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP
-ports can also be forwarded over the secure channel.
-.sp
-.LP
-\fBssh\fR connects and logs into the specified hostname. The user must prove
-his or her identity to the remote machine using one of several methods
-depending on the protocol version used:
-.SS "SSH Protocol Version 1"
-.LP
-First, if the machine the user logs in from is listed in \fB/etc/hosts.equiv\fR
-or \fB/etc/shosts.equiv\fR on the remote machine, and the user names are the
-same on both sides, the user is immediately permitted to log in. Second,
-if .\fBrhosts\fR or \fB\&.shosts\fR exists in the user's home directory on the
-remote machine and contains a line containing the name of the client machine
-and the name of the user on that machine, the user is permitted to log in. This
-form of authentication alone is normally not allowed by the server because it
-is not secure.
-.sp
-.LP
-The second (and primary) authentication method is the \fBrhosts\fR or
-\fBhosts.equiv\fR method combined with RSA-based host authentication. It means
-that if the login would be permitted by \fB$HOME/.rhosts\fR,
-\fB$HOME/.shosts\fR, \fB/etc/hosts.equiv\fR, or \fB/etc/shosts.equiv\fR, and if
-additionally the server can verify the client's host key (see
-\fB/etc/ssh_known_hosts\fR in the FILES section), only then is login permitted.
-This authentication method closes security holes due to \fBIP\fR spoofing,
-\fBDNS\fR spoofing, and routing spoofing.
-.sp
-.LP
-\fBNote to the administrator:\fR \fB/etc/hosts.equiv\fR, \fB$HOME/.rhosts\fR,
-and the rlogin/rsh protocol in general, are inherently insecure and should be
-disabled if security is desired.
-.sp
-.LP
-As a third authentication method, \fBssh\fR supports \fBRSA\fR-based
-authentication. The scheme is based on public-key cryptography. There are
-cryptosystems where encryption and decryption are done using separate keys, and
-it is not possible to derive the decryption key from the encryption key.
-\fBRSA\fR is one such system. The idea is that each user creates a
-public/private key pair for authentication purposes. The server knows the
-public key, and only the user knows the private key. The file
-\fB$HOME/.ssh/authorized_keys\fR lists the public keys that are permitted for
-logging in. When the user logs in, the \fBssh\fR program tells the server which
-key pair it would like to use for authentication. The server checks if this key
-is permitted, and if so, sends the user (actually the \fBssh\fR program running
-on behalf of the user) a challenge in the form of a random number, encrypted by
-the user's public key. The challenge can only be decrypted using the proper
-private key. The user's client then decrypts the challenge using the private
-key, proving that he or she knows the private key but without disclosing it to
-the server.
-.sp
-.LP
-\fBssh\fR implements the \fBRSA\fR authentication protocol automatically. The
-user creates his or her \fBRSA\fR key pair by running \fBssh-keygen\fR(1). This
-stores the private key in \fB$HOME/.ssh/identity\fR and the public key in
-\fB$HOME/.ssh/identity.pub\fR in the user's home directory. The user should
-then copy the \fBidentity.pub\fR to \fB$HOME/.ssh/authorized_keys\fR in his or
-her home directory on the remote machine (the \fBauthorized_keys\fR file
-corresponds to the conventional \fB$HOME/.rhosts\fR file, and has one key per
-line, though the lines can be very long). After this, the user can log in
-without giving the password. \fBRSA\fR authentication is much more secure than
-\fBrhosts\fR authentication.
-.sp
-.LP
-The most convenient way to use \fBRSA\fR authentication can be with an
-authentication agent. See \fBssh-agent\fR(1) for more information.
-.sp
-.LP
-If other authentication methods fail, \fBssh\fR prompts the user for a
-password. The password is sent to the remote host for checking. However, since
-all communications are encrypted, the password cannot be seen by someone
-listening on the network.
-.SS "SSH Protocol Version 2"
-.LP
-The SSH version 2 protocol supports multiple user authentication methods, some
-of which are similar to those available with the SSH protocol version 1. These
-authentication mechanisms are negotiated by the client and server, with the
-client trying methods in the order specified in the
-\fBPreferredAuthentications\fR client configuration option. The server decides
-when enough authentication methods have passed successfully so as to complete
-the authentication phase of the protocol.
-.sp
-.LP
-When a user connects by using protocol version 2, similar authentication
-methods are available. Using the default values for
-\fBPreferredAuthentications\fR, the client tries to authenticate first by using
-the hostbased method. If this method fails, public key authentication is
-attempted. Finally, if this method fails, keyboard-interactive and password
-authentication are tried.
-.sp
-.LP
-The public key method is similar to \fBRSA\fR authentication described in the
-previous section and allows the \fBRSA\fR or \fBDSA\fR algorithm to be used:
-The client uses his or her private key, \fB$HOME/.ssh/id_dsa\fR or
-\fB$HOME/.ssh/id_rsa\fR, to sign the session identifier and sends the result to
-the server. The server checks whether the matching public key is listed in
-\fB$HOME/.ssh/authorized_keys\fR and grants access if both the key is found and
-the signature is correct. The session identifier is derived from a shared
-Diffie-Hellman value and is only known to the client and the server.
-.sp
-.LP
-If public key authentication fails or is not available, a password can be sent
-encrypted to the remote host for proving the user's identity, or an extended
-prompt/reply protocol can be engaged.
-.sp
-.LP
-Additionally, \fBssh\fR supports hostbased or challenge response
-authentication.
-.sp
-.LP
-Protocol 2 provides additional mechanisms for confidentiality (the traffic is
-encrypted using 3DES, Blowfish, CAST128 or Arcfour) and integrity
-(\fBhmac-sha1\fR, \fBhmac-md5\fR). Protocol 1 lacks a strong mechanism for
-ensuring the integrity of the connection.
-.SS "Login Session and Remote Execution"
-.LP
-When the user's identity has been accepted by the server, the server either
-executes the specified command, or logs into the machine and gives the user a
-normal shell on the remote machine. All communication with the remote command
-or shell is automatically encrypted.
-.sp
-.LP
-If a pseudo-terminal has been allocated (normal login session), the user can
-use the escape characters noted below. If a pseudo-terminal has been allocated
-(normal login session), the user can disconnect with \fB~.\fR, and suspend
-\fBssh\fR with \fB~^Z\fR. All forwarded connections can be listed with
-\fB~#\fR. If the session blocks waiting for forwarded X11 or TCP/IP connections
-to terminate, \fBssh\fR can be backgrounded with \fB~&\fR, although this should
-not be used while the user shell is active, as it can cause the shell to hang.
-All available escapes can be listed with \fB~?\fR.
-.sp
-.LP
-A single tilde character can be sent as \fB~~\fR, or by following the tilde
-with a character other than those described above. The escape character must
-always follow a newline to be interpreted as special. The escape character can
-be changed in configuration files or on the command line.
-.sp
-.LP
-If no pseudo tty has been allocated, the session is transparent and can be used
-to reliably transfer binary data. On most systems, setting the escape character
-to "\fBnone\fR" also makes the session transparent even if a tty is used.
-.sp
-.LP
-The session terminates when the command or shell on the remote machine exits
-and all X11 and TCP/IP connections have been closed. The exit status of the
-remote program is returned as the exit status of \fBssh\fR.
-.SS "Escape Characters"
-.LP
-When a pseudo-terminal has been requested, \fBssh\fR supports a number of
-functions through the use of an escape character.
-.sp
-.LP
-A single tilde character can be sent as \fB~~\fR or by following the tilde with
-a character other than those described below. The escape character must always
-follow a newline to be interpreted as special. The escape character can be
-changed in configuration files using the \fBEscapeChar\fR configuration
-directive or on the command line by the \fB-e\fR option.
-.sp
-.LP
-The supported escapes, assuming the default \fB~\fR, are:
-.sp
-.ne 2
-.na
-\fB\fB~.\fR\fR
-.ad
-.RS 7n
-Disconnect.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB~^Z\fR\fR
-.ad
-.RS 7n
-Background \fBssh\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB~#\fR\fR
-.ad
-.RS 7n
-List forwarded connections.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB~&\fR\fR
-.ad
-.RS 7n
-Background \fBssh\fR at logout when waiting for forwarded connection / X11
-sessions to terminate.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB~?\fR\fR
-.ad
-.RS 7n
-Display a list of escape characters.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB~B\fR\fR
-.ad
-.RS 7n
-Send a break to the remote system. Only useful for SSH protocol version 2 and
-if the peer supports it.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB~C\fR\fR
-.ad
-.RS 7n
-Open command line. Only useful for adding port forwardings using the \fB-L\fR
-and \fB-R\fR options).
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB~R\fR\fR
-.ad
-.RS 7n
-Request rekeying of the connection. Only useful for SSH protocol version 2 and
-if the peer supports it.
-.RE
-
-.SS "X11 and TCP Forwarding"
-.LP
-If the \fBForwardX11\fR variable is set to ``\fByes\fR'' (or, see the
-description of the \fB-X\fR and \fB-x\fR options described later) and the user
-is using X11 (the \fBDISPLAY\fR environment variable is set), the connection to
-the X11 display is automatically forwarded to the remote side in such a way
-that any X11 programs started from the shell (or command) goes through the
-encrypted channel, and the connection to the real X server is made from the
-local machine. The user should not manually set \fBDISPLAY\fR. Forwarding of
-X11 connections can be configured on the command line or in configuration
-files.
-.sp
-.LP
-The \fBDISPLAY\fR value set by \fBssh\fR points to the server machine, but with
-a display number greater than zero. This is normal behavior, because \fBssh\fR
-creates a "proxy" X11 server on the server machine for forwarding the
-connections over the encrypted channel.
-.sp
-.LP
-\fBssh\fR also automatically sets up \fBXauthority\fR data on the server
-machine. For this purpose, it generates a random authorization cookie, store it
-in \fBXauthority\fR on the server, and verify that any forwarded connections
-carry this cookie and replace it by the real cookie when the connection is
-opened. The real authentication cookie is never sent to the server machine (and
-no cookies are sent in the plain).
-.sp
-.LP
-If the \fBForwardAgent\fR variable is set to "\fByes\fR" (or, see the
-description of the \fB-A\fR and \fB-a\fR options described later) and the user
-is using an authentication agent, the connection to the agent is automatically
-forwarded to the remote side.
-.sp
-.LP
-Forwarding of arbitrary TCP/IP connections over the secure channel can be
-specified either on the command line or in a configuration file. One possible
-application of TCP/IP forwarding is a secure connection to an electronic purse.
-Another possible application is firewall traversal.
-.SS "Server Authentication"
-.LP
-\fBssh\fR automatically maintains and checks a database containing
-identifications for all hosts it has ever been used with. Host keys are stored
-in \fB$HOME/.ssh/known_hosts\fR in the user's home directory. Additionally, the
-file \fB/etc/ssh_known_hosts\fR is automatically checked for known hosts. The
-behavior of \fBssh\fR with respect to unknown host keys is controlled by the
-\fBStrictHostKeyChecking\fR parameter. If a host's identification ever changes,
-\fBssh\fR warns about this and disables password authentication to prevent a
-trojan horse from getting the user's password. Another purpose of this
-mechanism is to prevent attacks by intermediaries which could otherwise be used
-to circumvent the encryption. The \fBStrictHostKeyChecking\fR option can be
-used to prevent logins to machines whose host key is not known or has changed.
-.sp
-.LP
-However, when using key exchange protected by GSS-API, the server can advertise
-a host key. The client automatically adds this host key to its known hosts
-file, \fB$HOME/.ssh/known_hosts\fR, regardless of the setting of the
-\fBStrictHostKeyChecking\fR option, unless the advertised host key collides
-with an existing known hosts entry.
-.sp
-.LP
-When the user's GSS-API credentials expire, the client continues to be able to
-rekey the session using the server's public host key to protect the key
-exchanges.
-.SS "GSS-API User and Server Authentication"
-.LP
-\fBssh\fR uses the user's GSS-API credentials to authenticate the client to the
-server wherever possible, if \fBGssKeyEx\fR and/or \fBGssAuthentication\fR are
-set.
-.sp
-.LP
-With \fBGssKeyEx\fR, one can have an SSHv2 server that has no host public keys,
-so that only \fBGssKeyEx\fR can be used. With such servers, rekeying fails if
-the client's credentials are expired.
-.sp
-.LP
-GSS-API user authentication has the disadvantage that it does not obviate the
-need for SSH host keys, but its failure does not impact rekeying. \fBssh\fR can
-try other authentication methods (such as public key, password, and so on) if
-GSS-API authentication fails.
-.sp
-.LP
-Delegation of GSS-API credentials can be quite useful, but is not without
-danger. As with passwords, users should not delegate GSS credentials to
-untrusted servers, since a compromised server can use a user's delegated GSS
-credentials to impersonate the user.
-.sp
-.LP
-GSS-API user authorization is covered in \fBgss_auth_rules\fR(5).
-.sp
-.LP
-Rekeying can be used to redelegate credentials when \fBGssKeyEx\fR is
-"\fByes\fR". (See \fB~R\fR under \fBEscape Characters\fR above.)
-.SH OPTIONS
-.LP
-The following options are supported:
-.sp
-.ne 2
-.na
-\fB\fB-1\fR\fR
-.ad
-.sp .6
-.RS 4n
-Forces \fBssh\fR to try protocol version 1 only.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-2\fR\fR
-.ad
-.sp .6
-.RS 4n
-Forces \fBssh\fR to try protocol version 2 only.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-4\fR\fR
-.ad
-.sp .6
-.RS 4n
-Forces \fBssh\fR to use IPv4 addresses only.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-6\fR\fR
-.ad
-.sp .6
-.RS 4n
-Forces \fBssh\fR to use IPv6 addresses only.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-a\fR\fR
-.ad
-.sp .6
-.RS 4n
-Disables forwarding of the authentication agent connection.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-A\fR\fR
-.ad
-.sp .6
-.RS 4n
-Enables forwarding of the authentication agent connection. This can also be
-specified on a per-host basis in a configuration file.
-.sp
-Agent forwarding should be enabled with caution. Users with the ability to
-bypass file permissions on the remote host (for the agent's UNIX-domain socket)
-can access the local agent through the forwarded connection. An attacker cannot
-obtain key material from the agent. However, the attacker can perform
-operations on the keys that enable the attacker to authenticate using the
-identities loaded into the agent.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-b\fR \fIbind_address\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the interface to transmit from on machines with multiple interfaces
-or aliased addresses.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-c\fR \fIcipher_spec\fR\fR
-.ad
-.sp .6
-.RS 4n
-Selects the cipher specification for encrypting the session.
-.sp
-For protocol version 1, \fIcipher_spec\fR is a single cipher. See the
-\fBCipher\fR option in \fBssh_config\fR(4) for more information.
-.sp
-For protocol version 2, \fIcipher_spec\fR is a comma-separated list of ciphers
-listed in order of preference. See the \fICiphers\fR option in
-\fBssh_config\fR(4) for more information.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-C\fR\fR
-.ad
-.sp .6
-.RS 4n
-Requests compression of all data (including stdin, stdout, stderr, and data for
-forwarded X11 and TCP/IP connections). The compression algorithm is the same
-used by \fBgzip\fR(1). The \fBgzip\fR man page is available in the
-\fBSUNWsfman\fR package. The "level" can be controlled by the
-\fBCompressionLevel\fR option (see \fBssh_config\fR(4)). Compression is
-desirable on modem lines and other slow connections, but only slows down things
-on fast networks. The default value can be set on a host-by-host basis in the
-configuration files. See the \fBCompression\fR option in \fBssh_config\fR(4).
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-D\fR [\fIbind_address\fR\fB:\fR]\fIport\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies a local \fBdynamic\fR application-level port forwarding. This works
-by allocating a socket to listen to port on the local side, optionally bound to
-the specified \fIbind_address\fR. Whenever a connection is made to this port,
-the connection is forwarded over the secure channel. The application protocol
-is then used to determine where to connect to from the remote machine.
-Currently, the \fBSOCKS4\fR and \fBSOCKS5\fR protocols are supported and
-\fBssh\fR acts as a SOCKS server. Only a user with enough privileges can
-forward privileged ports. Dynamic port forwardings can also be specified in the
-configuration file.
-.sp
-IPv6 addresses can be specified with an alternative syntax:
-\fB[\fR\fIbind_address\fR\fB/]\fR\fIport\fR or by enclosing the address in
-square brackets. By default, the local port is bound in accordance with the
-\fBGatewayPorts\fR setting. However, an explicit \fIbind_address\fR can be used
-to bind the connection to a specific address. The \fIbind_address\fR of
-\fBlocalhost\fR indicates that the listening port be bound for local use only,
-while an empty address or \fB*\fR indicates that the port should be available
-from all interfaces.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-e\fR \fIch\fR | ^\fIch\fR | none\fR
-.ad
-.sp .6
-.RS 4n
-Sets the escape character for sessions with a pty (default: `\fB~\fR'). The
-escape character is only recognized at the beginning of a line. The escape
-character followed by a dot (\fB\&.\fR) closes the connection. If followed by
-CTRL-z, the escape character suspends the connection. If followed by itself,
-the escape character sends itself once. Setting the character to \fBnone\fR
-disables any escapes and makes the session fully transparent.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-f\fR\fR
-.ad
-.sp .6
-.RS 4n
-Requests \fBssh\fR to go to background just before command execution. This is
-useful if \fBssh\fR is going to ask for passwords or passphrases, but the user
-wants it in the background. This implies the \fB-n\fR option. The recommended
-way to start X11 programs at a remote site is with something like \fBssh\fR
-\fB-f\fR \fIhost\fR \fIxterm\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-F\fR \fIconfigfile\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies an alternative per-user configuration file. If a configuration file
-is specified on the command line, the system-wide configuration file,
-\fB/etc/ssh_config\fR, is ignored. The default for the per-user configuration
-file is \fB$HOME/.ssh/config\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-g\fR\fR
-.ad
-.sp .6
-.RS 4n
-Allows remote hosts to connect to local forwarded ports.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-i\fR \fIidentity_file\fR\fR
-.ad
-.sp .6
-.RS 4n
-Selects a file from which the identity (private key) for \fBRSA\fR or \fBDSA\fR
-authentication is read. The default is \fB$HOME/.ssh/identity\fR for protocol
-version 1, and \fB$HOME/.ssh/id_rsa\fR and \fB$HOME/.ssh/id_dsa\fR for protocol
-version 2. Identity files can also be specified on a per-host basis in the
-configuration file. It is possible to have multiple \fB-i\fR options (and
-multiple identities specified in configuration files).
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-l\fR \fIlogin_name\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the user to log in as on the remote machine. This also can be
-specified on a per-host basis in the configuration file.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-L\fR [\fIbind_address:\fR]\fIport\fR:\fIhost\fR:\fIhostport\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies that the specified port on the local (client) host is to be forwarded
-to the specified host and port on the remote side. This works by allocating a
-socket to listen to the port on the local side, optionally bound to the
-specified \fIbind_address\fR. Then, whenever a connection is made to this port,
-the connection is forwarded over the secure channel and a connection is made to
-host port \fIhostport\fR from the remote machine. Port forwardings can also be
-specified in the configuration file. Only a user with enough privileges can
-forward privileged ports. IPv6 addresses can be specified with an alternative
-syntax: \fB[\fR\fIbind_address\fR\fB/]\fR\fIport\fR\fB/\fR\fIhost\fR\fB/\fR\fIh
-ostport\fR or by enclosing the address in square brackets.
-.sp
-By default, the local port is bound in accordance with the \fBGatewayPorts\fR
-setting. However, an explicit \fIbind_address\fR can be used to bind the
-connection to a specific address. The \fIbind_address\fR of \fBlocalhost\fR
-indicates that the listening port be bound for local use only, while an empty
-address or \fB*\fR indicates that the port should be available from all
-interfaces.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-m\fR \fImac_spec\fR\fR
-.ad
-.sp .6
-.RS 4n
-Additionally, for protocol version 2 a comma-separated list of \fBMAC\fR
-(message authentication code) algorithms can be specified in order of
-preference. See the MACs keyword for more information.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-n\fR\fR
-.ad
-.sp .6
-.RS 4n
-Redirects \fBstdin\fR from \fB/dev/null\fR (actually, prevents reading from
-\fBstdin\fR). This must be used when \fBssh\fR is run in the background. A
-common trick is to use this to run X11 programs on a remote machine. For
-example,
-.sp
-.in +2
-.nf
-ssh -n shadows.cs.hut.fi emacs &
-.fi
-.in -2
-.sp
-
-starts an \fBemacs\fR on \fBshadows.cs.hut.fi\fR, and the X11 connection is
-automatically forwarded over an encrypted channel. The \fBssh\fR program is put
-in the background. This does not work if \fBssh\fR needs to ask for a password
-or passphrase. See also the \fB-f\fR option.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-N\fR\fR
-.ad
-.sp .6
-.RS 4n
-Does not execute a remote command. This is useful if you just want to forward
-ports (protocol version 2 only).
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-o\fR \fIoption\fR\fR
-.ad
-.sp .6
-.RS 4n
-Can be used to give options in the format used in the configuration file. This
-is useful for specifying options for which there is no separate command-line
-flag. The option has the same format as a line in the configuration file.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-p\fR \fIport\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the port to connect to on the remote host. This can be specified on a
-per-host basis in the configuration file.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-P\fR\fR
-.ad
-.sp .6
-.RS 4n
-Obsoleted option. SSHv1 connections from privileged ports are not supported.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-q\fR\fR
-.ad
-.sp .6
-.RS 4n
-Quiet mode. Causes all warning and diagnostic messages to be suppressed. Only
-fatal errors are displayed.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-R\fR [\fIbind_address\fR:]\fIport\fR:\fIhost\fR:\fIhostport\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies that the specified port on the remote (server) host is to be
-forwarded to the specified host and port on the local side. This works by
-allocating a socket to listen to the port on the remote side. Then, whenever a
-connection is made to this port, the connection is forwarded over the secure
-channel and a connection is made to host port \fIhostport\fR from the local
-machine. Port forwardings can also be specified in the configuration file.
-Privileged ports can be forwarded only when logging in on the remote machine as
-a user with enough privileges.
-.sp
-IPv6 addresses can be specified by enclosing the address in square braces or
-using an alternative syntax: \fB[\fR\fIbind_address\fR\fB/]\fR\fIhost\fR\fB/\fR
-\fIport\fR\fB/\fR\fIhostport\fR.
-.sp
-By default, the listening socket on the server is bound to the loopback
-interface only. This can be overridden by specifying a \fIbind_address\fR. An
-empty \fIbind_address\fR, or the address \fB*\fR, indicates that the remote
-socket should listen on all interfaces. Specifying a remote \fIbind_address\fR
-only succeeds if the server's \fBGatewayPorts\fR option is enabled. See
-\fBsshd_config\fR(4).
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-s\fR\fR
-.ad
-.sp .6
-.RS 4n
-Can be used to request invocation of a subsystem on the remote system.
-Subsystems are a feature of the SSH2 protocol which facilitate the use of SSH
-as a secure transport for other applications, for example, \fBsftp\fR. The
-subsystem is specified as the remote command.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-t\fR\fR
-.ad
-.sp .6
-.RS 4n
-Forces pseudo-tty allocation. This can be used to execute arbitrary
-screen-based programs on a remote machine, which can be very useful, for
-example, when implementing menu services. Multiple \fB-t\fR options force
-allocation, even if \fBssh\fR has no local \fBtty\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-T\fR\fR
-.ad
-.sp .6
-.RS 4n
-Disables pseudo-tty allocation (protocol version 2 only).
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-v\fR\fR
-.ad
-.sp .6
-.RS 4n
-Verbose mode. Causes \fBssh\fR to print debugging messages about its progress.
-This is helpful in debugging connection, authentication, and configuration
-problems. Multiple \fB-v\fR options increase the verbosity. Maximum is 3.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-x\fR\fR
-.ad
-.sp .6
-.RS 4n
-Disables X11 forwarding.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-X\fR\fR
-.ad
-.sp .6
-.RS 4n
-Enables X11 forwarding. This can also be specified on a per-host basis in a
-configuration file.
-.sp
-X11 forwarding should be enabled with caution. Users with the ability to bypass
-file permissions on the remote host (for the user's X authorization database)
-can access the local X11 display through the forwarded connection. An attacker
-can then be able to perform activities such as keystroke monitoring.
-.sp
-For this reason, X11 forwarding might be subjected to X11 SECURITY extension
-restrictions. Refer to the \fBForwardX11Trusted\fR directive in
-\fBssh_config\fR(4) for more information.
-.sp
-If X11 forwarding is enabled, remote X11 clients is trusted by default. This
-means that they have full access to the original X11 display.
-.RE
-
-.SH ENVIRONMENT VARIABLES
-.LP
-\fBssh\fR normally sets the following environment variables:
-.sp
-.ne 2
-.na
-\fB\fBDISPLAY\fR\fR
-.ad
-.sp .6
-.RS 4n
-The \fBDISPLAY\fR variable must be set for X11 display forwarding to work.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBSSH_ASKPASS\fR\fR
-.ad
-.sp .6
-.RS 4n
-If \fBssh\fR needs a passphrase, it reads the passphrase from the current
-terminal if it was run from a terminal. If \fBssh\fR does not have a terminal
-associated with it but \fBDISPLAY\fR and \fBSSH_ASKPASS\fR are set, it executes
-the program specified by \fBSSH_ASKPASS\fR and opens an X11 window to read the
-passphrase. This is particularly useful when calling \fBssh\fR from a .Xsession
-or related script. On some machines it might be necessary to redirect the input
-from \fB/dev/null\fR to make this work. The system is shipped with
-\fB/usr/lib/ssh/ssh-askpass\fR which is the default value for \fBSSH_ASKPASS\fR
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBSSH_AUTH_SOCK\fR\fR
-.ad
-.sp .6
-.RS 4n
-Indicates the path of a unix-domain socket used to communicate with the agent.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBSSH_LANGS\fR\fR
-.ad
-.sp .6
-.RS 4n
-A comma-separated list of IETF language tags (see RFC3066) indicating the
-languages that the user can read and write. Used for negotiation of the locale
-on the server.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBLANG\fR, \fBLC_ALL\fR, \fBLC_COLLATE\fR, \fBLC_CTYPE\fR,\fR
-.ad
-.br
-.na
-\fB\fBLC_MESSAGES\fR, \fBLC_MONETARY\fR, \fBLC_NUMERIC\fR, \fBLC_TIME\fR\fR
-.ad
-.sp .6
-.RS 4n
-The values of these environment variables can be set in remote sessions
-according to the locale settings on the client side and availability of support
-for those locales on the server side. Environment Variable Passing (see \fIRFC
-4254\fR) is used for passing them over to the server side.
-.RE
-
-.sp
-.LP
-See the \fBENVIRONMENT VARIABLES\fR section in the \fBsshd\fR(1M) man page for
-more information on how locale setting can be further changed depending on
-server side configuration.
-.SH EXIT STATUS
-.LP
-The status of the remote program is returned as the exit status of \fBssh\fR.
-\fB255\fR is returned if an error occurred at anytime during the \fBssh\fR
-connection, including the initial key exchange.
-.SH FILES
-.ne 2
-.na
-\fB\fB$HOME/.ssh/known_hosts\fR\fR
-.ad
-.RS 26n
-Records host keys for all hosts the user has logged into that are not in
-\fB/etc/ssh/ssh_known_hosts\fR. See \fBsshd\fR(1M).
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB$HOME/.ssh/identity\fR\fR
-.ad
-.br
-.na
-\fB\fB$HOME/.ssh/id_dsa\fR\fR
-.ad
-.br
-.na
-\fB\fB$HOME/.ssh/id_ssa\fR\fR
-.ad
-.RS 26n
-Contains the authentication identity of the user. These files are for protocol
-1 \fBRSA\fR, protocol 2 \fBDSA\fR, and protocol 2 \fBRSA\fR, respectively.
-These files contain sensitive data and should be readable by the user but not
-accessible by others (read/write/execute). \fBssh\fR ignores a private key file
-if it is accessible by others. It is possible to specify a passphrase when
-generating the key. The passphrase is used to encrypt the sensitive part of
-this file using \fB3DES\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB/etc/ssh/sshrc\fR\fR
-.ad
-.RS 26n
-Commands in this file are executed by \fBssh\fR when the user logs in just
-before the user's shell or command is started. See \fBsshd\fR(1M) for more
-information.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB$HOME/.ssh/rc\fR\fR
-.ad
-.RS 26n
-Commands in this file are executed by \fBssh\fR when the user logs in just
-before the user's shell or command is started. See \fBsshd\fR(1M) for more
-information.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB$HOME/.ssh/environment\fR\fR
-.ad
-.RS 26n
-Contains additional definitions for environment variables. See ENVIRONMENT
-VARIABLES.
-.RE
-
-.SH ATTRIBUTES
-.LP
-See \fBattributes\fR(5) for descriptions of the following attributes:
-.sp
-
-.sp
-.TS
-box;
-c | c
-l | l .
-ATTRIBUTE TYPE ATTRIBUTE VALUE
-_
-Interface Stability See below.
-.TE
-
-.sp
-.LP
-The command line syntax is Committed. The remote locale selection through
-passing \fBLC_*\fR environment variables is Uncommitted.
-.SH SEE ALSO
-.LP
-\fBrlogin\fR(1), \fBrsh\fR(1), \fBscp\fR(1), \fBssh-add\fR(1),
-\fBssh-agent\fR(1), \fBssh-keygen\fR(1), \fBssh-http-proxy-connect\fR(1),
-\fBssh-socks5-proxy-connect\fR(1), \fBtelnet\fR(1), \fBsshd\fR(1M),
-\fBssh_config\fR(4), \fBsshd_config\fR(4), \fBattributes\fR(5),
-\fBgss_auth_rules\fR(5), \fBkerberos\fR(5), \fBprivileges\fR(5)
-.sp
-.LP
-\fIRFC 1928\fR
-.sp
-.LP
-\fIRFC 4254\fR
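Review bot: the commit message does not say what replaces this page, and the removed "Server Authentication", "GSS-API User and Server Authentication" and ENVIRONMENT VARIABLES sections describe behaviour a user could still be relying on: GssKeyEx and GssAuthentication, the client adding a GSS-API-advertised host key to $HOME/.ssh/known_hosts regardless of StrictHostKeyChecking, and SSH_LANGS locale negotiation. Please state in the message which ssh(1) page now applies and whether those behaviours go away with it. The diffstat shown is limited to this one file, so it is also worth confirming that nothing left in the tree still cross-references ssh.sunssh.1, and that the SEE ALSO targets ssh-http-proxy-connect(1) and ssh-socks5-proxy-connect(1) are handled in the same change. The inconsistencies in the deleted text (/etc/ssh_known_hosts in DESCRIPTION versus /etc/ssh/ssh_known_hosts in FILES, and $HOME/.ssh/id_ssa in FILES where the -i option text says id_rsa) need no fix since the file is going away.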