
ssh


ssh - OpenSSH SSH client (remote login program)

Related:
ssh, ssh-keygen

SYNOPSIS
ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-e escape_char] [-F configfile] [-i identity_file] [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-R [bind_address:]port:host:hostport] [-S ctl_path] [-w tunnel:tunnel] [user@]hostname [command]


DESCRIPTION
ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP ports can also be forwarded over the secure channel.

ssh connects and logs into the specified hostname (with optional user name). The user must prove his/her identity to the remote machine using one of several methods depending on the protocol version used (see below).

If command is specified, it is executed on the remote host instead of a login shell.

OPTIONS
The options are as follows:
-1
Forces ssh to try protocol version 1 only.

-2
Forces ssh to try protocol version 2 only.

-4
Forces ssh to use IPv4 addresses only.

-6
Forces ssh to use IPv6 addresses only.

-A
Enables forwarding of the authentication agent connection. This can also be specified on a per-host basis in a configuration file.

Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.

-a
Disables forwarding of the authentication agent connection.

-b bind_address
Use bind_address on the local machine as the source address of the connection. Only useful on systems with more than one address.

-C
Requests compression of all data (including stdin, stdout, stderr, and data for forwarded X11 and TCP connections). The compression algorithm is the same used by gzip(1), and the "level" can be controlled by the CompressionLevel option for protocol version 1. Compression is desirable on modem lines and other slow connections, but will only slow down things on fast networks. The default value can be set on a host-by-host basis in the configuration files; see the Compression option.

-c cipher_spec
Selects the cipher specification for encrypting the session.

Protocol version 1 allows specification of a single cipher. The supported values are "3des", "blowfish", and "des". 3des (triple-des) is an encrypt-decrypt-encrypt triple with three different keys. It is believed to be secure. blowfish is a fast block cipher; it appears very secure and is much faster than 3des. des is only supported in the ssh client for interoperability with legacy protocol 1 implementations that do not support the 3des cipher. Its use is strongly discouraged due to cryptographic weaknesses. The default is "3des".

For protocol version 2, cipher_spec is a comma-separated list of ciphers listed in order of preference. The supported ciphers are: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, arcfour128, arcfour256, arcfour, blowfish-cbc, and cast128-cbc. The default is:

aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr

-D [bind_address:]port
Specifies a local "dynamic" application-level port forwarding. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.

IPv6 addresses can be specified with an alternative syntax: [bind_address/]port or by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of "localhost" indicates that the listening port be bound for local use only, while an empty address or '*' indicates that the port should be available from all interfaces.

-e escape_char
Sets the escape character for sessions with a pty (default: '~'). The escape character is only recognized at the beginning of a line. The escape character followed by a dot ('.') closes the connection; followed by control-Z suspends the connection; and followed by itself sends the escape character once. Setting the character to "none" disables any escapes and makes the session fully transparent.

-F configfile
Specifies an alternative per-user configuration file. If a configuration file is given on the command line, the system-wide configuration file (/etc/ssh/ssh_config) will be ignored. The default for the per-user configuration file is ~/.ssh/config.

-f
Requests ssh to go to background just before command execution. This is useful if ssh is going to ask for passwords or passphrases, but the user wants it in the background. This implies -n. The recommended way to start X11 programs at a remote site is with something like ssh -f host xterm.

-g
Allows remote hosts to connect to local forwarded ports.

-I smartcard_device
Specify the device ssh should use to communicate with a smartcard used for storing the user's private RSA key. This option is only available if support for smartcard devices is compiled in (default is no support).

-i identity_file
Selects a file from which the identity (private key) for RSA or DSA authentication is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2. Identity files may also be specified on a per-host basis in the configuration file. It is possible to have multiple -i options (and multiple identities specified in configuration files).

-k
Disables forwarding (delegation) of GSSAPI credentials to the server.

-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. IPv6 addresses can be specified with an alternative syntax: [bind_address/]port/host/hostport or by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of "localhost" indicates that the listening port be bound for local use only, while an empty address or '*' indicates that the port should be available from all interfaces.

-l login_name
Specifies the user to log in as on the remote machine. This also may be specified on a per-host basis in the configuration file.

-M
Places the ssh client into "master" mode for connection sharing. Multiple -M options places ssh into "master" mode with confirmation required before slave connections are accepted. Refer to the description of ControlMaster in ssh_config(5) for details.

-m mac_spec
Additionally, for protocol version 2 a comma-separated list of MAC (message authentication code) algorithms can be specified in order of preference. See the MACs keyword for more information.

-N
Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only).

-n
Redirects stdin from /dev/null (actually, prevents reading from stdin). This must be used when ssh is run in the background. A common trick is to use this to run X11 programs on a remote machine. For example, ssh -n shadows.cs.hut.fi emacs & will start an emacs on shadows.cs.hut.fi, and the X11 connection will be automatically forwarded over an encrypted channel. The ssh program will be put in the background. (This does not work if ssh needs to ask for a password or passphrase; see also the -f option.)

-O ctl_cmd
Control an active connection multiplexing master process. When the -O option is specified, the ctl_cmd argument is interpreted and passed to the master process. Valid commands are: "check" (check that the master process is running) and "exit" (request the master to exit).

-o option
Can be used to give options in the format used in the configuration file. This is useful for specifying options for which there is no separate command-line flag. For full details of the options listed below, and their possible values, see ssh_config(5).

AddressFamily
BatchMode
BindAddress
ChallengeResponseAuthentication
CheckHostIP
Cipher
Ciphers
ClearAllForwardings
Compression
CompressionLevel
ConnectionAttempts
ConnectTimeout
ControlMaster
ControlPath
DynamicForward
EscapeChar
ForwardAgent
ForwardX11
ForwardX11Trusted
GatewayPorts
GlobalKnownHostsFile
GSSAPIAuthentication
GSSAPIDelegateCredentials
HashKnownHosts
Host
HostbasedAuthentication
HostKeyAlgorithms
HostKeyAlias
HostName
IdentityFile
IdentitiesOnly
KbdInteractiveDevices
LocalCommand
LocalForward
LogLevel
MACs
NoHostAuthenticationForLocalhost
NumberOfPasswordPrompts
PasswordAuthentication
PermitLocalCommand
Port
PreferredAuthentications
Protocol
ProxyCommand
PubkeyAuthentication
RekeyLimit
RemoteForward
RhostsRSAAuthentication
RSAAuthentication
SendEnv
ServerAliveInterval
ServerAliveCountMax
SmartcardDevice
StrictHostKeyChecking
TCPKeepAlive
Tunnel
TunnelDevice
UsePrivilegedPort
User
UserKnownHostsFile
VerifyHostKeyDNS
XAuthLocation

-p port
Port to connect to on the remote host. This can be specified on a per-host basis in the configuration file.

-q
Quiet mode. Causes all warning and diagnostic messages to be suppressed.

-R [bind_address:]port:host:hostport
Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side. This works by allocating a socket to listen to port on the remote side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the local machine.

Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in as root on the remote machine. IPv6 addresses can be specified by enclosing the address in square braces or using an alternative syntax: [bind_address/]host/port/hostport.

By default, the listening socket on the server will be bound to the loopback interface only. This may be overridden by specifying a bind_address. An empty bind_address, or the address '*', indicates that the remote socket should listen on all interfaces. Specifying a remote bind_address will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5)).

-S ctl_path
Specifies the location of a control socket for connection sharing. Refer to the description of ControlPath and ControlMaster in ssh_config(5) for details.

-s
May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use of SSH as a secure transport for other applications (e.g. sftp(1)). The subsystem is specified as the remote command.

-T
Disable pseudo-tty allocation.

-t
Force pseudo-tty allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g., when implementing menu services. Multiple -t options force tty allocation, even if ssh has no local tty.

-V
Display the version number and exit.

-v
Verbose mode. Causes ssh to print debugging messages about its progress. This is helpful in debugging connection, authentication, and configuration problems. Multiple -v options increase the verbosity. The maximum is 3.

-w tunnel:tunnel
Requests a tun(4) device on the client (first tunnel arg) and server (second tunnel arg). The devices may be specified by numerical ID or the keyword "any", which uses the next available tunnel device. See also the Tunnel directive in ssh_config(5).

-X
Enables X11 forwarding. This can also be specified on a per-host basis in a configuration file.

X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring.

For this reason, X11 forwarding is subjected to X11 SECURITY extension restrictions by default. Please refer to the ssh -Y option and the ForwardX11Trusted directive in ssh_config(5) for more information.

-x
Disables X11 forwarding.

-Y
Enables trusted X11 forwarding. Trusted X11 forwardings are not subjected to the X11 SECURITY extension controls.

ssh may additionally obtain configuration data from a per-user configuration file and a system-wide configuration file. The file format and configuration options are described in ssh_config(5).

ssh exits with the exit status of the remote command or with 255 if an error occurred.


EXAMPLES
alternative syntax:
ssh host -l user
ssh user@host

In the tunnel examples -f puts ssh in the background once authentication is done and -N runs no remote command, so only the forwarding stays up.

listen on localhost:1080 as a SOCKS proxy; the destination of each connection comes from the SOCKS request and is reached from host
localhost:1080 ===> (ssh tunnel) ===> host ===> ...
ssh -f -N -D 1080 host -l user

listen on localhost:2222 ===> connect to REMOTEHOST:REMOTEPORT (the connection to REMOTEHOST is opened by host)
localhost:2222 ===> (ssh tunnel) ===> host ===> REMOTEHOST:REMOTEPORT
telnet localhost 2222 ===> connect to REMOTEHOST:REMOTEPORT
ssh -f -N -L 2222:REMOTEHOST:REMOTEPORT host -l user

listen on SERVERHOST:SERVERPORT on host (SERVERHOST is an IP address of host) and forward to localhost:2222 on the local machine
localhost:2222 <=== (ssh tunnel) <=== (host)SERVERHOST:SERVERPORT <=== ...
telnet SERVERHOST SERVERPORT (from host or its network) ===> connect to localhost:2222 on the local machine
ssh -f -N -R SERVERHOST:SERVERPORT:localhost:2222 host -l user
With -R the first port in the argument is the one that listens on the remote side; -R 2222:SERVERHOST:SERVERPORT would do the reverse (listen on host:2222 and connect to SERVERHOST:SERVERPORT from the local machine). A bind address other than loopback is only honoured when sshd on host has GatewayPorts enabled (see -R above); without it, omit "SERVERHOST:" and the listener is bound to loopback on host.

pass an environment variable to the remote command; sshd must allow it with AcceptEnv MYVAR in /etc/ssh/sshd_config
ssh -o SendEnv=MYVAR server.example.com mycommand
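The three forwarding examples above differ only in which side listens and which side opens the outgoing connection, and getting the argument order wrong silently builds the opposite tunnel. The following is an added example (not code from the original page or from OpenSSH) that decodes -L, -R and -D specifications using the [bind_address:]port:host:hostport, [bind_address/]port/host/hostport and bracketed-IPv6 syntaxes described in the option text, reports the listening and connecting side, and flags the two caveats the option text gives (privileged ports, GatewayPorts for a remote bind address). REMOTEHOST, SERVERHOST and the example addresses are placeholders, not real hosts.

```python
"""Decode ssh -L, -R and -D forwarding specifications.

Added example, not code from the original page or from OpenSSH. It applies
the [bind_address:]port:host:hostport, [bind_address/]port/host/hostport and
bracketed-IPv6 syntaxes from the -L/-R/-D option text and reports which side
listens, where the outgoing connection is made from, and the caveats the
option text gives (privileged ports, GatewayPorts for a remote bind address).
"""
from dataclasses import dataclass
from typing import List, Optional

LOOPBACK = ("localhost", "127.0.0.1", "::1")


@dataclass
class Forward:
    flag: str                    # "-L", "-R" or "-D"
    bind_address: Optional[str]  # None = default binding for that side
    port: int                    # the port that listens
    host: Optional[str]          # None for -D: taken from each SOCKS request
    hostport: Optional[int]

    @property
    def listen_side(self) -> str:
        return "remote (server)" if self.flag == "-R" else "local (client)"

    @property
    def connect_from(self) -> str:
        return "local (client)" if self.flag == "-R" else "remote (server)"


def split_spec(spec: str) -> List[str]:
    """Split a spec into fields, honouring the '/' form and [ipv6] brackets."""
    if "/" in spec:                      # [bind/]port/host/hostport
        return spec.split("/")
    fields, i = [], 0
    while i < len(spec):
        if spec[i] == "[":               # bracketed IPv6 literal
            j = spec.index("]", i)
            fields.append(spec[i + 1:j])
            i = j + 2                    # skip ']' and the following ':'
        else:
            j = spec.find(":", i)
            if j == -1:
                fields.append(spec[i:])
                break
            fields.append(spec[i:j])
            i = j + 1
    return fields


def parse_forward(flag: str, spec: str) -> Forward:
    f = split_spec(spec)
    if flag == "-D":
        if len(f) == 1:
            bind, port, host, hostport = None, f[0], None, None
        elif len(f) == 2:
            bind, port, host, hostport = f[0], f[1], None, None
        else:
            raise ValueError(f"bad -D spec: {spec!r}")
    elif flag in ("-L", "-R"):
        if len(f) == 3:
            bind, port, host, hostport = None, f[0], f[1], f[2]
        elif len(f) == 4:
            bind, port, host, hostport = f
        else:
            raise ValueError(f"bad {flag} spec: {spec!r}")
        hostport = int(hostport)
    else:
        raise ValueError(f"unknown forwarding flag {flag!r}")
    if bind == "":                       # empty address means all interfaces
        bind = "*"
    return Forward(flag, bind, int(port), host, hostport)


def caveats(fwd: Forward) -> List[str]:
    """Conditions from the option text that make the forwarding fail or open it up."""
    notes = []
    if fwd.port < 1024:
        notes.append(f"port {fwd.port} is privileged: needs root on the {fwd.listen_side} side")
    if fwd.flag == "-R" and fwd.bind_address is not None and fwd.bind_address not in LOOPBACK:
        notes.append("remote bind_address only works if sshd has GatewayPorts enabled")
    if fwd.bind_address == "*":
        notes.append("listener reachable from all interfaces, not just this machine")
    return notes


def describe(fwd: Forward) -> str:
    where = f"{fwd.bind_address or 'default'}:{fwd.port} on the {fwd.listen_side} side"
    if fwd.flag == "-D":
        return (f"{fwd.flag}: SOCKS proxy listening on {where}; destination chosen per "
                f"request, reached from the {fwd.connect_from} side")
    return f"{fwd.flag}: listen on {where}, connect to {fwd.host}:{fwd.hostport} from the {fwd.connect_from} side"


if __name__ == "__main__":
    for flag, spec in [("-D", "1080"), ("-L", "2222:REMOTEHOST:22"),
                       ("-R", "SERVERHOST:8080:localhost:2222"),
                       ("-R", "2222:SERVERHOST:8080"),
                       ("-L", "[::1]:8080:[2001:db8::1]:80")]:
        fwd = parse_forward(flag, spec)
        print(describe(fwd))
        for note in caveats(fwd):
            print("   !", note)
```

Running it prints the two -R variants side by side, which is the quickest way to see that -R SERVERHOST:8080:localhost:2222 listens on the server while -R 2222:SERVERHOST:8080 listens on the server's port 2222 but connects out from the client.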


/etc/ssh/ssh_config
ForwardAgent
Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. The argument must be "yes" or "no". The default is "no".
Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.

ForwardX11
Specifies whether X11 connections will be automatically redirected over the secure channel and DISPLAY set. The argument must be "yes" or "no". The default is "no".
X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled.

StrictHostKeyChecking
If this flag is set to "yes", ssh will never automatically add host keys to the ~/.ssh/known_hosts file, and refuses to connect to hosts whose host key has changed. This provides maximum protection against trojan horse attacks, however, can be annoying when the /etc/ssh/ssh_known_hosts file is poorly maintained, or connections to new hosts are frequently made. This option forces the user to manually add all new hosts. If this flag is set to "no", ssh will automatically add new host keys to the user known hosts files. If this flag is set to "ask", new host keys will be added to the user known host files only after the user has confirmed that is what they really want to do, and ssh will refuse to connect to hosts whose host key has changed. The host keys of known hosts will be verified automatically in all cases. The argument must be "yes", "no" or "ask". The default is "ask".


/etc/ssh/ssh_config
# Host *
#   ForwardAgent no
#   ForwardX11 no
[...]
#   StrictHostKeyChecking ask
[...]
    SendEnv ...

   ForwardAgent no
   ForwardX11 no
   StrictHostKeyChecking ask


$HOME/.ssh/config
This is the per-user configuration file. The file format and configuration options are described in ssh_config(5).
Because of the potential for abuse, this file must have strict permissions: read/write for the user, and not accessible by others.


$HOME/.ssh/config
Host *
#ServerAliveCountMax
#        Sets the number of server alive messages (see below) which may be
#        sent without ssh receiving any messages back from the server.
#        If this threshold is reached while server alive messages are being
#        sent, ssh will disconnect from the server, terminating the
#        session. It is important to note that the use of server alive
#        messages is very different from TCPKeepAlive (below). The
#        server alive messages are sent through the encrypted channel and
#        therefore will not be spoofable. The TCP keepalive option
#        enabled by TCPKeepAlive is spoofable. The server alive mechanism is
#        valuable when the client or server depend on knowing when
#        a connection has become inactive.
#        The default value is 3. If, for example, ServerAliveInterval (see
#        below) is set to 15, and ServerAliveCountMax is left at the
#        default, if the server becomes unresponsive ssh will disconnect after
#        approximately 45 seconds.
#ServerAliveInterval
#        Sets a timeout interval in seconds after which if no data has been
#        received from the server, ssh will send a message through
#        the encrypted channel to request a response from the server. The
#        default is 0, indicating that these messages will not be sent
#        to the server. This option applies to protocol version 2 only.
#TCPKeepAlive
#        Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection
#        or crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down
#        temporarily, and some people find it annoying.
#        The default is "yes" (to send TCP keepalive messages), and the client will notice if the network goes down or the remote host
#        dies. This is important in scripts, and many users want it too.
#        To disable TCP keepalive messages, the value should be set to "no".

ServerAliveCountMax 8
ServerAliveInterval 5
TCPKeepAlive yes

$HOME/.ssh/authorized_keys
Lists the public keys (RSA/DSA) that can be used for logging in as this user. The format of this file is described in the sshd(8) manual page.
This file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others.

AUTHORIZED_KEYS FILE FORMAT
from="pattern-list" - Specifies that in addition to public key authentication,
command="command" - Specifies that the command is executed whenever this key is used for authentication.
environment="NAME=value" - Specifies that the string is to be added to the environment when logging in using this key.
no-port-forwarding - Forbids TCP forwarding when this key is used for authentication.
no-X11-forwarding - Forbids X11 forwarding when this key is used for authentication. Any X11 forward requests by the client will return an error.
no-agent-forwarding - Forbids authentication agent forwarding when this key is used for authentication.
no-pty - Prevents tty allocation (a request to allocate a pty will fail).
permitopen="host:port" - Limit local "ssh -L" port forwarding such that it may only connect to the specified host and port.
tunnel="n" - Force a tun(4) device on the server. Without this option, the next available device will be used if the client requests a tunnel.



Examples
1024 33 12121...312314325 ylo@foo.bar
from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula
command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi
permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323
tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== reyk@openbsd.org
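The option syntax above is easy to parse wrongly: quoted values contain commas (the from= pattern list, command= strings), an option such as permitopen= may repeat, and a from= list mixes positive and negated patterns. The following is an added example (not code from the original page or from OpenSSH) that parses authorized_keys lines of both key forms into options plus key, and evaluates the from= restriction with the documented pattern-list rules ('*' and '?' wildcards, a leading '!' negates, and a matching negated pattern rejects the host even when a positive pattern also matched). The sample lines are the ones from the page; the host names tested against them are made up.

```python
"""Parse authorized_keys lines and evaluate the from= restriction.

Added example, not code from the original page or from OpenSSH. It handles
the option syntax shown in the examples above (comma-separated options whose
quoted values may contain commas, repeated permitopen= entries) and both key
forms (protocol 1 "bits exponent modulus", protocol 2 "keytype base64").
The from= evaluation follows the documented pattern-list rules: '*' and '?'
are wildcards, a leading '!' negates, and a matching negated pattern rejects
the host even if a positive pattern also matched.
"""
import re
from typing import Dict, List, Optional, Tuple

KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")


def _first_token(line: str) -> Tuple[str, str]:
    """Split at the first whitespace that is outside double quotes."""
    in_quote, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote:
            i += 2                      # escaped character inside quotes
            continue
        if c == '"':
            in_quote = not in_quote
        elif c in " \t" and not in_quote:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""


def split_options(text: str) -> List[str]:
    """Split the option field at commas outside quotes; the quotes are removed."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and in_quote and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == "," and not in_quote:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        opts.append("".join(cur))
    return opts


def parse_authorized_key(line: str) -> Optional[dict]:
    """Return {'options': {name: [values]}, 'key': {...}}, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tok, rest = _first_token(line)
    options: Dict[str, list] = {}
    # A line starts either with the key itself (digits for protocol 1, a key
    # type for protocol 2) or with an option list.
    if not (tok.isdigit() or tok.startswith(KEY_TYPE_PREFIXES)):
        for opt in split_options(tok):
            name, has_value, value = opt.partition("=")
            options.setdefault(name, []).append(value if has_value else True)
        line = rest
    fields = line.split(None, 3)
    if len(fields) >= 3 and fields[0].isdigit():       # protocol 1 RSA key
        key = {"type": "rsa1", "bits": int(fields[0]), "exponent": fields[1],
               "modulus": fields[2], "comment": fields[3] if len(fields) > 3 else ""}
    elif len(fields) >= 2:                             # protocol 2 key
        key = {"type": fields[0], "blob": fields[1], "comment": " ".join(fields[2:])}
    else:
        raise ValueError(f"no key found in line: {line!r}")
    return {"options": options, "key": key}


def _match_pattern(pattern: str, s: str) -> bool:
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, s) is not None


def match_pattern_list(patterns: str, s: str) -> bool:
    """A matching negated pattern rejects at once; otherwise true iff a positive pattern matched."""
    got_positive = False
    for pat in patterns.split(","):
        if pat.startswith("!"):
            if _match_pattern(pat[1:], s):
                return False
        elif _match_pattern(pat, s):
            got_positive = True
    return got_positive


def key_permits_host(entry: dict, client_host: str) -> bool:
    """Apply from=: every from= option present must match the client's canonical host name."""
    pats = entry["options"].get("from")
    if not pats:
        return True
    return all(match_pattern_list(p.lower(), client_host.lower()) for p in pats)


if __name__ == "__main__":
    entry = parse_authorized_key('from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula')
    for host in ("alpha.niksula.hut.fi", "pc.niksula.hut.fi", "evil.example.org"):
        print(host, "->", "allowed" if key_permits_host(entry, host) else "denied")
```

The negation check is the part worth reading twice: pc.niksula.hut.fi matches the positive wildcard and is still denied, because the negated pattern wins regardless of order.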


ConnectTimeout
Specifies the timeout (in seconds) used when connecting to the ssh server, instead of using the default system TCP timeout. This value is used only when the target is down or really unreachable, not when it refuses the connection.
ssh -o ConnectTimeout=10 host -l user

HashKnownHosts
Indicates that ssh should hash host names and addresses when they are added to ~/.ssh/known_hosts. These hashed names may be used normally by ssh and sshd, but they do not reveal identifying information should the file's contents be disclosed. The default is "no". Note that hashing of names and addresses will not be retrospectively applied to existing known hosts files, but these may be manually hashed using ssh-keygen(1).
ssh -o HashKnownHosts=yes host -l user
To connect without recording the host key at all, the option is UserKnownHostsFile (HashKnownHosts only takes "yes" or "no"):
ssh -o UserKnownHostsFile=/dev/null host -l user
ssh -o UserKnownHostsFile=/dev/null host -p port -l user
scp -o UserKnownHostsFile=/dev/null /path/to/local/filename user@host:/path/to/remote/filename
With /dev/null every host is new on every connection, so ssh asks about (or, with StrictHostKeyChecking=no, silently accepts) whatever key is presented and a man-in-the-middle is not detected. Use it only where the host key cannot be trusted anyway, e.g. throwaway machines that are rebuilt often, and never for hosts that matter.
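The StrictHostKeyChecking and HashKnownHosts descriptions above both come down to the same file: ssh looks the host up in known_hosts and compares keys, and with hashing on the host field is |1|salt|HMAC rather than a name. The following is an added example (not code from the original page or from OpenSSH) that produces hashed host fields in that format, matches plain and hashed fields against a candidate name the way the lookup works, and rewrites a file the way the page says ssh-keygen can hash an existing one. The known_hosts contents and key blobs are constructed for the example; "[host]:port" is the form used for a non-default port.

```python
"""Hashed known_hosts entries (HashKnownHosts) and host lookup.

Added example, not code from the original page or from OpenSSH. A hashed
host field has the form |1|<base64 salt>|<base64 HMAC-SHA1(salt, name)>:
"1" is the hash version and the salt is 20 random bytes, so the file no
longer lists host names in the clear. A candidate name can still be tested
against an entry, which is what ssh does to verify a known host. Hosts on a
non-default port appear as "[host]:port". The sample file is constructed.
"""
import base64
import binascii
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

HASH_MAGIC = "|1|"
SALT_LEN = 20                          # SHA-1 digest length, as OpenSSH uses


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Produce the hashed host field ssh writes when HashKnownHosts is yes."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_field_matches(field: str, hostname: str) -> bool:
    """Match a known_hosts host field (plain, comma-separated names, or hashed)."""
    if field.startswith(HASH_MAGIC):
        try:
            _, _version, salt_b64, mac_b64 = field.split("|")
            salt = base64.b64decode(salt_b64, validate=True)
            mac = base64.b64decode(mac_b64, validate=True)
        except (ValueError, binascii.Error):
            return False               # malformed entry never matches
        expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, expected)
    return hostname in field.split(",")


def lookup(known_hosts: str, hostname: str) -> List[Tuple[str, str]]:
    """Return (key type, key blob) for every entry whose host field matches hostname."""
    found = []
    for raw in known_hosts.splitlines():
        parts = raw.strip().split(None, 2)
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        if host_field_matches(parts[0], hostname):
            found.append((parts[1], parts[2].split()[0]))   # drop any comment
    return found


def hash_file(known_hosts: str) -> str:
    """Hash every plain host field; a comma-separated field becomes one entry per name."""
    out = []
    for raw in known_hosts.splitlines():
        parts = raw.split(None, 1)
        if len(parts) < 2 or parts[0].startswith(("#", HASH_MAGIC)):
            out.append(raw)
            continue
        for name in parts[0].split(","):
            out.append(hash_hostname(name) + " " + parts[1])
    return "\n".join(out)


# Constructed sample: one plain entry with an alias, one hashed entry for a
# host on port 2222 (fixed salt so the example is reproducible). Key blobs
# are shortened placeholders, not real keys.
FIXED_SALT = bytes(range(SALT_LEN))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "server.example.com,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0 plain-entry",
    hash_hostname("[gw.example.com]:2222", FIXED_SALT) + " ssh-dss AAAAB3NzaC1kc3MAAACBAP0",
])


if __name__ == "__main__":
    print(SAMPLE_KNOWN_HOSTS)
    print(lookup(SAMPLE_KNOWN_HOSTS, "[gw.example.com]:2222"))
    print(lookup(SAMPLE_KNOWN_HOSTS, "gw.example.com"))   # port is part of the name
    print(hash_file(SAMPLE_KNOWN_HOSTS))
```

Two properties fall out of the format. Because the salt is per entry, the same host hashed twice gives two different strings, so an attacker who obtains the file cannot even group entries by host, only test names he already suspects. And because "[gw.example.com]:2222" and "gw.example.com" hash differently, a key learnt for the host on port 2222 does not vouch for the same host on port 22.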


$HOME/.ssh/config
Host *
    # Accept and record any new host key without asking. This removes the
    # only defence against a spoofed or intercepted host on first contact;
    # keep it for throwaway hosts and never combine it with
    # UserKnownHostsFile=/dev/null on anything that matters.
    StrictHostKeyChecking no
    # Declare the server dead after 3 unanswered keepalives sent every 5 s
    # (about 15 s); see the ServerAlive* comments in the previous example.
    ServerAliveCountMax 3
    ServerAliveInterval 5
    TCPKeepAlive yes




Last modified: 2014/05/15 10:01:27, textsize: 26,4 kB, htmlsize: 28,8 kB
