⇒ ssh2(1) — Tru64 UNIX 5.1b

ssh2(1)  —  Commands

NAME

ssh2, ssh − Secure Shell client remote login and command execution application

SYNOPSIS

ssh2 [−l login_name] hostname [command]

ssh2 [−l login_name] [−n] [+a] [−a] [+x] [−x] [−i file] [−F file] [−t] [−v] [−d debug_level] [−V] [−q] [−f [o]] [−e char] [−c cipher] [−m MAC] [−p port] [−S] [−L[protocol/]port:host:hostport] [−R[protocol/]port:host:hostport] [+C] [−C] [−o option] [−h] [login_name@] hostname [port#] [command]

OPTIONS

−l login_name
Specifies the user for login to the remote system.

−n
Redirects input from /dev/null; that is, stdin is not read. This option can also be specified in the configuration file. 

+a
Enables authentication agent forwarding (default). Note that a forwarded agent lets the remote server use the keys held by your local agent for as long as the session lasts, so it should be disabled (−a) for hosts you do not fully trust. 

−a
Disables authentication agent forwarding. 

+x
Enables X11 connection forwarding (default). A forwarded X11 connection gives the remote host access to your local X display, so it should likewise be disabled (−x) for hosts you do not fully trust. 

−x
Disables X11 connection forwarding. 

−i file
Specifies the identity file for public key authentication. This option can also be specified in the configuration file.

−F file
Specifies an alternative client configuration file. The default client configuration file is the /etc/ssh2/ssh2_config file.  Each user can also have their own ssh2_config file in their $HOME/.ssh2 directory, where $HOME is the name of the user’s account. The /etc/ssh2/ssh2_config file is read first, then the user’s copy. The last obtained value for a keyword is used. 

−t
Forces tty allocation; that is, allocates a tty even if a command is given. This option can also be specified in the /etc/ssh2/ssh2_config configuration file. 

−v
Enables verbose mode. Displays verbose debugging messages. Equivalent to −d 2. This option can also be specified in the /etc/ssh2/ssh2_config configuration file. 

−d debug_level
Prints extensive debug information to stderr. The debug_level argument is either a number from 0 to 99, where 99 displays all debug information, or a comma-separated list of assignments. 

−V
Displays the version string. 

−q
Disables warning messages. This option can also be specified in the /etc/ssh2/ssh2_config configuration file. 

−f [o]
Forks into background after authentication. The ssh2 command stays in the background waiting indefinitely for connections. It must be killed for it to stop listening. The o argument specifies one-shot mode, which means that once all channels are closed, the ssh2 command exits. This option can also be specified in the /etc/ssh2/ssh2_config configuration file. 

−e char
Sets the escape character. The default escape character is the tilde (~). Use none to disable the escape character. This option can also be specified in the /etc/ssh2/ssh2_config configuration file. 

−c cipher
Specifies the encryption algorithm to use. See the Ciphers keyword in the /etc/ssh2/sshd2_config file and in the /etc/ssh2/ssh2_config file for more information.  Multiple −c options are allowed; a single −c option can specify only one cipher. 

−m MAC
Specifies the MAC (Message Authentication Code) algorithm. See the MACs keyword in the /etc/ssh2/sshd2_config file and in the /etc/ssh2/ssh2_config file for more information. Multiple −m options are allowed; a single −m option can have only one MAC. 

−p port #
Specifies the port to connect to on the remote system. This option can also be specified in the /etc/ssh2/ssh2_config file. 

−S
Disables requests for a session channel. This can be used with port-forwarding requests when a session channel (and tty) is not needed, or when the server does not grant one. 

−L [protocol/]port:host:hostport
Specifies that the given port on the local (client) system is to be forwarded to the specified host and port on the remote side. This allocates a socket listening on port on the local system. Whenever a connection is made to this port, the connection is forwarded over the secure channel and a connection is made to host:hostport from the remote system (so host is resolved by the remote system). Only root can forward privileged ports. The protocol argument enables protocol-specific forwarding. The protocols implemented are tcp (default, no special processing) and ftp; with ftp, temporary forwardings are created for the ftp data channels, effectively securing the whole ftp session. This option can also be specified in the /etc/ssh2/ssh2_config file. 

−R [protocol/]port:host:hostport
Specifies that the given port on the remote (server) system is to be forwarded to the specified host and port on the local side. This allocates a socket listening on port on the remote system. Whenever a connection is made to this port, the connection is forwarded over the secure channel and a connection is made to host:hostport from the local system (so host is resolved by the local system). Only root can forward privileged ports on the remote system. The protocol argument enables protocol-specific forwarding. The protocols implemented are tcp (default, no special processing) and ftp; with ftp, temporary forwardings are created for the ftp data channels, effectively securing the whole ftp session. This option can also be specified in the /etc/ssh2/ssh2_config file. 

+C
Enables compression. 

−C
Disables compression (default). 

−o option
Specifies an option in the format used in the /etc/ssh2/ssh2_config file.  This is useful for specifying an option for which there is no command-line option.  Comment lines are not accepted with this option. 

−h
Displays help on ssh2 command options. 
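As an added example (not part of this man page and not code from the ssh2 product), the following shell functions parse the [protocol/]port:host:hostport argument that −L and −R accept, apply the rules stated above (tcp is the default and only tcp and ftp are implemented; a privileged listening port needs root on the side that listens), and assemble the resulting ssh2 command line. The login name, the host names, the uid values and the use of −S are illustrative assumptions; ssh2 itself is not invoked.

```shell
#!/bin/sh
# Added example, not code from the Tru64 ssh2 man page: validate a
# -L/-R forwarding spec and build the ssh2 command line for it.
# Names such as intranet.example and gw.example are placeholders.

# parse_forward SPEC
# Prints "protocol port host hostport"; returns 1 on a malformed spec.
parse_forward() {
    spec=$1
    case $spec in
        */*) proto=${spec%%/*}; rest=${spec#*/} ;;
        *)   proto=tcp;         rest=$spec ;;      # tcp is the default
    esac
    case $proto in
        tcp|ftp) ;;                                 # the only protocols implemented
        *) echo "unknown protocol: $proto" >&2; return 1 ;;
    esac
    case $rest in                                   # exactly port:host:hostport
        *:*:*:*) echo "malformed forward: $spec" >&2; return 1 ;;
        *:*:*)   ;;
        *)       echo "malformed forward: $spec" >&2; return 1 ;;
    esac
    port=${rest%%:*}
    hp=${rest#*:}
    host=${hp%%:*}
    hostport=${hp#*:}
    [ -n "$host" ] || { echo "empty host in: $spec" >&2; return 1; }
    for p in "$port" "$hostport"; do
        case $p in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done
    echo "$proto $port $host $hostport"
}

# forward_refused PORT UID
# Returns 0 when the listening port is privileged (< 1024) and the
# user on the listening side (local for -L, remote for -R) is not root.
forward_refused() {
    [ "$1" -lt 1024 ] && [ "$2" -ne 0 ]
}

# build_forward_cmd L|R SPEC LOGIN REMOTEHOST UID
# Prints the ssh2 invocation, or returns 1 if the spec is invalid or the
# listening port would be refused. -S is added because the connection
# exists only to carry the forward and needs no session channel.
build_forward_cmd() {
    dir=$1 spec=$2 login=$3 remote=$4 uid=$5
    parsed=$(parse_forward "$spec") || return 1
    set -- $parsed
    if forward_refused "$2" "$uid"; then
        echo "port $2 is privileged; only root may forward it" >&2
        return 1
    fi
    echo "ssh2 -S -$dir $1/$2:$3:$4 -l $login $remote"
}

# Sample run on constructed input: secure an ftp session through gw.example.
build_forward_cmd L ftp/2121:ftp.example:21 alice gw.example 1000
```

The uid passed in is the uid on the side that will listen, which is why the same check serves both −L (local uid) and −R (the remote account's uid).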

DESCRIPTION

The ssh2 command creates a secure connection between a Secure Shell client and server for remote login and command execution. The ssh2 command is intended as a secure replacement for the rlogin and rsh commands. A secure connection provides client and server authentication, user authentication, data encryption, and data integrity. 

After the client’s, server’s, and user’s identities have been proven, the Secure Shell server executes the given command or logs the user in to the system and gives the user a normal shell on the remote system. All communication with the remote command or shell is automatically encrypted and checked for integrity. The session terminates when the command or shell on the remote system exits. 

A Secure Shell client and server use public host keys to authenticate each other. When a client connects to a server for the first time, the user is prompted to accept a copy of the server’s public host key. If the user accepts the key, it is saved in the user’s hostkeys directory on the client, and the client uses it to authenticate the server on subsequent connections. Because that first acceptance is the only point at which an impostor could substitute its own key, compare the key with one obtained through another channel before accepting it. A Secure Shell server authenticates a user by using password authentication, host-based authentication, or public key authentication. 

See Security Administration for more information about Secure Shell clients and servers and Secure Shell authentication. 

ESCAPE SEQUENCES

The ssh2 command supports the following escape sequences, which give you some control over a running session. An escape sequence is recognised only at the start of a line: press Enter, then type the escape character (a tilde, ~, unless changed with −e) followed by the character for the task. 

~.
Terminates the connection. 

~Ctrl/Z
Suspends the session. Simultaneously press the Ctrl key and the Z key.

~~
Sends the escape character itself. 

~#
Lists forwarded connections. 

~-
Disables the escape character. 

~?
Displays escape sequences. 

~r
Initiates rekeying manually. 

~s
Displays statistics about the connection, including server and client version, compression, packets in, packets out, key exchange algorithms, public key algorithms, and symmetric ciphers. 

~V
Displays the client version number to stderr (useful for troubleshooting). 

ENVIRONMENT VARIABLES

The ssh2 command will set the following environment variables. Additionally, the ssh2 command reads the /etc/environment file and the $HOME/.ssh2/environment file and adds lines of the format VARNAME=value to the environment. 

DISPLAY
Indicates the location of the X11 server. It is automatically set to point to a value of the form hostname:n, where hostname is the host where the shell runs, and n is an integer >= 1. The ssh2 command uses this special value to forward X11 connections over the secure channel.  The user should normally not set the DISPLAY environment variable, as that will render the X11 connection insecure (and will require the user to manually copy any required authorization cookies). 

HOME
Set to the path of the user’s home directory.

LOGNAME
Synonym for USER; set for compatibility with systems using this variable.

MAIL
Set to point to the user’s mailbox.

PATH
Set to the default PATH, as specified when compiling the ssh2 command or, on some systems, in /etc/environment or /etc/default/login. 

SSH_SOCKS_SERVER
If SOCKS is used, it is configured with this variable. The format of the variable is:

socks://username@socks_server:port/network/netmask,network/netmask...

For example, setting SSH_SOCKS_SERVER to socks://mylogin@socks.ssh.com:1080/203.123.0.0/16,198.74.23.0/24 uses host socks.ssh.com, port 1080, as the SOCKS server whenever a connection is attempted to an address outside the networks 203.123.0.0/16 and 198.74.23.0/24, which are reached directly. 

A default value for the SSH_SOCKS_SERVER variable can be specified at compile time by specifying --with-socks-server=VALUE on the configure command line when compiling the ssh2 command. The default value can be cancelled by setting SSH_SOCKS_SERVER to an empty string and overridden by setting SSH_SOCKS_SERVER to a new value.  If the SSH_SOCKS_SERVER variable is set, it should contain a local loopback network (127.0.0.0/8) as the network that is connected directly. 
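To make the variable's semantics concrete, here is an added example (not from this man page and not code from the ssh2 software) that splits an SSH_SOCKS_SERVER value into the server address and the list of directly connected networks, decides for a given destination IPv4 address whether the connection goes direct or through the SOCKS server, and implements the loopback check recommended above. The page's own example value and the destination addresses are constructed input; the shell does the netmask arithmetic itself and nothing is connected to.

```shell
#!/bin/sh
# Added example, not code from the Tru64 ssh2 man page: interpret an
# SSH_SOCKS_SERVER value of the form
#   socks://username@socks_server:port/network/netmask,network/netmask...
# and decide whether a destination is reached directly or via SOCKS.

# ip_to_int DOTTED-QUAD -> unsigned 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# socks_server SPEC -> "host:port" of the SOCKS server (username dropped)
socks_server() {
    spec=${1#socks://}
    auth=${spec%%/*}
    echo "${auth#*@}"
}

# socks_direct DEST_IP SPEC
# Returns 0 if DEST_IP falls inside one of the listed network/netmask
# entries (connect directly), 1 otherwise (go through the SOCKS server).
socks_direct() {
    dest=$(ip_to_int "$1")
    spec=${2#socks://}
    case $spec in
        */*) list=${spec#*/} ;;
        *)   return 1 ;;              # no direct networks listed at all
    esac
    while [ -n "$list" ]; do
        case $list in
            *,*) entry=${list%%,*}; list=${list#*,} ;;
            *)   entry=$list;        list= ;;
        esac
        net=${entry%/*}
        bits=${entry#*/}
        # /bits -> mask; a shift by 32 (bits=0) yields 0 in 64-bit shell arithmetic
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
        if [ $(( $(ip_to_int "$net") & mask )) -eq $(( dest & mask )) ]; then
            return 0
        fi
    done
    return 1
}

# socks_spec_ok SPEC
# The page's caveat: a spec must list the loopback network as directly
# connected, otherwise even 127.0.0.1 would be sent to the SOCKS server.
socks_spec_ok() {
    socks_direct 127.0.0.1 "$1"
}

# Constructed sample: the page's example value, first as given, then
# with the loopback network added as the page recommends.
EXAMPLE='socks://mylogin@socks.ssh.com:1080/203.123.0.0/16,198.74.23.0/24'
FIXED="$EXAMPLE,127.0.0.0/8"
```

Run socks_spec_ok against a candidate value before exporting it; the page's example as written fails that check and only passes once 127.0.0.0/8 is appended.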

SSH2_AUTH_SOCK
If set, gives the path of the UNIX-domain socket used to communicate with the authentication agent (or its local representative). 

SSH2_CLIENT
Identifies the client of the connection. The variable contains the following space-separated values: client ip-address, client port number, host ip-address, and server port number.

SSH2_ORIGINAL_COMMAND
This will be the original command given to the ssh2 command if a forced command is run. For example, it can be used to fetch arguments from the other system.  This does not have to be a real command, it can be the name of a file, device, parameters or anything else. 

SSH2_TTY
Set to the name of the tty (path to the device) associated with the current shell or command.  If the current session has no tty, this variable is not set. 

TZ
Set to the present time zone if it was set when the daemon was started. The daemon passes the value to new connections. 

USER
Set to the name of the user logging in.

FILES

/etc/ssh2/ssh2_config
Specifies Secure Shell client configuration information.

/etc/ssh2/sshd2_config
Specifies Secure Shell server configuration information.

$HOME/.ssh2/identification
Contains information on how the user will be authenticated when contacting a specific host.  The identification file has the same general syntax as the configuration files. The following keywords can be used:

IdKey
This is followed by the file name of a private key in the $HOME/.ssh2 directory used for identification when contacting a host. If there is more than one IdKey, they are tried in the order in which they appear in the identification file. 

PgpSecretKeyFile
This is followed by the file name of the user’s OpenPGP private keyring in the $HOME/.ssh2 directory.  The OpenPGP keys listed after this line are expected to be found from this file. The keys identified with IdPgpKey∗-keywords are used like ones identified with IdKey-keyword. 

IdPgpKeyName
This is followed by the OpenPGP key name of the key in the PgpSecretKeyFile file. 

IdPgpKeyFingerprint
This is followed by the OpenPGP key fingerprint of the key in the PgpSecretKeyFile file. 

IdPgpKeyId
This is followed by the OpenPGP key ID of the key in the PgpSecretKeyFile file. 

$HOME/.ssh2/authorization
Contains information on how the server will verify the identity of an user. The authorization file has the same general syntax as the configuration files. The following keywords can be used:

Key
This is followed by the file name of a public key in the $HOME/.ssh2 directory that identifies the user when logging in to this host. More than one Key line may be present; any of the listed keys is acceptable for login. 

PgpPublicKeyFile
This is followed by the file name of the user’s OpenPGP public keyring in the $HOME/.ssh2 directory. OpenPGP keys listed after this line are expected to be found in this file. Keys identified with PgpKey∗ keywords are used like ones identified with the Key keyword. 

PgpKeyName
This is followed by the OpenPGP key name.

PgpKeyFingerprint
This is followed by the OpenPGP key fingerprint.

PgpKeyId
This is followed by the OpenPGP key ID.

Command
This keyword, if used, must follow the Key or PgpKey∗ keyword. This is used to specify a forced command that will be executed on the server when the user is authenticated. The command supplied by the user (if any) is put in the environment variable SSH2_ORIGINAL_COMMAND. 

The command is run on a pseudoterminal if the connection requests a pseudoterminal; otherwise it is run without a terminal. 

This keyword is useful for restricting a particular public key to one specific operation, for example a key that permits remote backups but nothing else. 

A forced command does not by itself restrict forwarding: a client can still request TCP/IP and/or X11 forwardings unless they are explicitly prohibited. 
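The forced command is only as restrictive as the program it names, since that program sees the client's request in SSH2_ORIGINAL_COMMAND and decides what to do with it. The following added example (not from this man page or the ssh2 software) is a gate script for a key that should only run backups: it matches the request against an exact allowlist, refuses anything else including an empty request, and records the peer address from SSH2_CLIENT. The authorization entry layout, the program paths and the use of logger are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the Tru64 ssh2 man page or the SSH product:
# a forced-command gate for a key that may only run backups. The
# authorization entry that would invoke it (layout assumed from the
# keyword descriptions above) is
#
#     Key     backup-host.pub
#     Command /usr/local/libexec/backup-gate
#
# sshd2 then runs this script instead of whatever the client asked for,
# with the client's request in SSH2_ORIGINAL_COMMAND and the peer
# addresses in SSH2_CLIENT.

# gate_decide REQUEST
# Prints the program that may run and returns 0, or returns 1 if the
# request is not one of the exact strings the key is permitted to run.
# Matching is on the whole string, so appended shell metacharacters
# ("backup-dump; rm -rf /") are rejected rather than partially honoured.
gate_decide() {
    case $1 in
        backup-dump)   echo /usr/local/libexec/backup-dump ;;
        backup-verify) echo /usr/local/libexec/backup-verify ;;
        '')            echo "no command given; interactive login is not allowed" >&2; return 1 ;;
        *)             echo "refused: $1" >&2; return 1 ;;
    esac
}

# peer_addr SSH2_CLIENT_VALUE
# SSH2_CLIENT holds "client-ip client-port host-ip server-port";
# extract the client address for the audit line.
peer_addr() {
    set -- $1
    echo "${1:-unknown}"
}

# run_gate: the entry point sshd2's forced command would execute.
# logger(1) is assumed to be available for the audit trail.
run_gate() {
    peer=$(peer_addr "${SSH2_CLIENT:-}")
    if cmd=$(gate_decide "${SSH2_ORIGINAL_COMMAND:-}"); then
        logger -t backup-gate "allow $peer: $cmd"
        exec "$cmd"
    else
        logger -t backup-gate "deny $peer: ${SSH2_ORIGINAL_COMMAND:-<none>}"
        exit 1
    fi
}

# When installed as the forced command, the script ends with:
# run_gate
```

Because the forced command does not stop the client from requesting forwardings, pair a gate like this with the server-side settings that prohibit them for the account in question.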

$HOME/.ssh2/hostkeys/key_xxxx_yyyy.pub
These files are the public keys of the hosts to which you connect. They are updated automatically, unless you have set the StrictHostKeyChecking parameter to yes in the ssh2_config file. If a host’s key changes, you should put the new key here only if you are sure that it is valid, for example because you have confirmed it through another channel and there was no man-in-the-middle attack. The xxxx is the port on the server where the sshd2 daemon listens, and the yyyy is the host as specified on the command line. 

/etc/ssh2/hostkeys/key_xxxx_yyyy.pub
If a host key is not found from the user’s $HOME/.ssh2/hostkeys directory, this is the next location to be checked. These files have to be updated manually; no files are put here automatically. 
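The check a practitioner wants before touching a key_xxxx_yyyy.pub file is whether a key obtained out of band matches what is already stored. The following added example (not from this man page or the ssh2 software) does the lookup in the order the page gives, the user's $HOME/.ssh2/hostkeys first and then /etc/ssh2/hostkeys, and reports new, match or CHANGED. ETC_HOSTKEYS is an assumed override so the script can be exercised against a scratch directory, and a byte-for-byte comparison of the two files stands in for whatever fingerprint comparison you would do by hand.

```shell
#!/bin/sh
# Added example, not code from the Tru64 ssh2 man page: locate the stored
# public host key for a port/host pair using the lookup order the page
# describes (user directory first, then the system directory) and
# compare it with a copy of the key obtained out of band, so a changed
# key is noticed before it is trusted. ETC_HOSTKEYS is an assumed
# override so the check can run without touching the real /etc/ssh2.

ETC_HOSTKEYS=${ETC_HOSTKEYS:-/etc/ssh2/hostkeys}

# hostkey_file PORT HOST: the file name ssh2 uses for this server,
# key_<port>_<host>.pub, with the host exactly as typed on the command line.
hostkey_file() {
    echo "key_$1_$2.pub"
}

# hostkey_path PORT HOST: print the path of the stored key, searching
# the user directory before the system one; return 1 if neither has it.
hostkey_path() {
    f=$(hostkey_file "$1" "$2")
    for dir in "$HOME/.ssh2/hostkeys" "$ETC_HOSTKEYS"; do
        if [ -f "$dir/$f" ]; then
            echo "$dir/$f"
            return 0
        fi
    done
    return 1
}

# hostkey_status PORT HOST CANDIDATE: prints one of
#   new      no key is stored yet; verify CANDIDATE out of band before saving it
#   match    the stored key equals CANDIDATE
#   CHANGED  the stored key differs; do not replace it unless the new key
#            has been confirmed through another channel
hostkey_status() {
    if stored=$(hostkey_path "$1" "$2"); then
        if cmp -s "$stored" "$3"; then
            echo match
        else
            echo CHANGED
        fi
    else
        echo new
    fi
}

# Typical use before first contact with a host, with the candidate key
# copied over from the server's administrator:
#   hostkey_status 22 server1.foo.fi /tmp/server1-key.pub
```

A CHANGED result for a host you connect to regularly is exactly the situation the page warns about; the user's copy wins over the system copy, so a stale or tampered file under $HOME/.ssh2/hostkeys masks whatever the administrator installed under /etc/ssh2/hostkeys.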

$HOME/.rhosts and $HOME/.shosts
Contains a list of remote users who are not required to supply a password when they use Secure Shell host-based authentication with the ssh2 command. 

/etc/hosts.equiv
Contains the names of remote hosts and users that are equivalent to the local host or user. An equivalent host or user is allowed to use the ssh2 command with Secure Shell host-based authentication without supplying a password. 

$HOME/.ssh2/knownhosts/xxxxyyyy.pub
Contains the public host keys of the hosts from which users log in when host-based authentication is used; the server uses these keys to verify the identity of the connecting host.

The xxxx is the fully qualified domain name (FQDN) and yyyy is the public key algorithm. Public key algorithms are ssh-dss and ssh-rsa.  For example, if the FQDN for a host is server1.foo.fi and it has a key algorithm of ssh-dss, the host key would be server1.foo.fi.ssh-dss.pub in the knownhosts directory. 

A user must add the host name to a $HOME/.shosts file or an $HOME/.rhosts file. 

/etc/ssh2/knownhosts/xxxxyyyy.pub
Same as the $HOME/.ssh2/knownhosts/xxxxyyyy.pub file, but system-wide. This file is overridden if the user puts a file with the same name in the $HOME/.ssh2/knownhosts directory. 

LEGAL NOTICES

SSH is a registered trademark of SSH Communication Security Ltd. 

SEE ALSO

Commands: scp2(1), sftp(1), rlogin(1), rsh(1), telnet(1),

Files: hosts.equiv(4), rhosts(4), shosts(4), ssh2_config(4), sshd2_config(4)

Guides: Security Administration

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026