ssh.0

OpenSSH 是 SSH （Secure SHell） 协议的免费开源实现。它用安全、加密的网络连接工具代替了 telnet、ftp、 rlogin、rsh 和 rcp 工具。OpenSSH 支持

             tion, and configuration problems.  Multiple -v options increase
             the verbosity.  The maximum is 3.

     -X      Enables X11 forwarding.  This can also be specified on a per-host
             basis in a configuration file.

             X11 forwarding should be enabled with caution.  Users with the
             ability to bypass file permissions on the remote host (for the
             user's X authorization database) can access the local X11 display
             through the forwarded connection.  An attacker may then be able
             to perform activities such as keystroke monitoring.

             For this reason, X11 forwarding is subjected to X11 SECURITY ex-
             tension restrictions by default.  Please refer to the ssh -Y op-
             tion and the ForwardX11Trusted directive in ssh_config(5) for
             more information.

     -x      Disables X11 forwarding.

     -Y      Enables trusted X11 forwarding.  Trusted X11 forwardings are not
             subjected to the X11 SECURITY extension controls.

CONFIGURATION FILES
     ssh may additionally obtain configuration data from a per-user configura-
     tion file and a system-wide configuration file.  The file format and con-
     figuration options are described in ssh_config(5).

ENVIRONMENT
     ssh will normally set the following environment variables:

     DISPLAY  The DISPLAY variable indicates the location of the X11 server.
              It is automatically set by ssh to point to a value of the form
              ``hostname:n'' where hostname indicates the host where the shell
              runs, and n is an integer >= 1.  ssh uses this special value to
              forward X11 connections over the secure channel.  The user
              should normally not set DISPLAY explicitly, as that will render
              the X11 connection insecure (and will require the user to manu-
              ally copy any required authorization cookies).

     HOME     Set to the path of the user's home directory.

     LOGNAME  Synonym for USER; set for compatibility with systems that use
              this variable.

     MAIL     Set to the path of the user's mailbox.

     PATH     Set to the default PATH, as specified when compiling ssh.

     SSH_ASKPASS
              If ssh needs a passphrase, it will read the passphrase from the
              current terminal if it was run from a terminal.  If ssh does not
              have a terminal associated with it but DISPLAY and SSH_ASKPASS
              are set, it will execute the program specified by SSH_ASKPASS
              and open an X11 window to read the passphrase.  This is particu-
              larly useful when calling ssh from a .xsession or related
              script.  (Note that on some machines it may be necessary to
              redirect the input from /dev/null to make this work.)

     SSH_AUTH_SOCK
              Identifies the path of a unix-domain socket used to communicate
              with the agent.

     SSH_CONNECTION
              Identifies the client and server ends of the connection.  The
              variable contains four space-separated values: client ip-ad-
              dress, client port number, server ip-address and server port
              number.

     SSH_ORIGINAL_COMMAND
              The variable contains the original command line if a forced com-
              mand is executed.  It can be used to extract the original argu-
              ments.

     SSH_TTY  This is set to the name of the tty (path to the device) associ-
              ated with the current shell or command.  If the current session
              has no tty, this variable is not set.

     TZ       The timezone variable is set to indicate the present timezone if
              it was set when the daemon was started (i.e., the daemon passes
              the value on to new connections).

     USER     Set to the name of the user logging in.

     Additionally, ssh reads $HOME/.ssh/environment, and adds lines of the
     format ``VARNAME=value'' to the environment if the file exists and if
     users are allowed to change their environment.  For more information, see
     the PermitUserEnvironment option in sshd_config(5).

FILES
     $HOME/.ssh/known_hosts
             Records host keys for all hosts the user has logged into that are
             not in /etc/ssh/ssh_known_hosts.  See sshd(8).

     $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa
             Contains the authentication identity of the user.  They are for
             protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively.
             These files contain sensitive data and should be readable by the
             user but not accessible by others (read/write/execute).  Note
             that ssh ignores a private key file if it is accessible by oth-
             ers.  It is possible to specify a passphrase when generating the
             key; the passphrase will be used to encrypt the sensitive part of
             this file using 3DES.

     $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub
             Contains the public key for authentication (public part of the
             identity file in human-readable form).  The contents of the
             $HOME/.ssh/identity.pub file should be added to the file
             $HOME/.ssh/authorized_keys on all machines where the user wishes
             to log in using protocol version 1 RSA authentication.  The con-
             tents of the $HOME/.ssh/id_dsa.pub and $HOME/.ssh/id_rsa.pub file
             should be added to $HOME/.ssh/authorized_keys on all machines
             where the user wishes to log in using protocol version 2 DSA/RSA
             authentication.  These files are not sensitive and can (but need
             not) be readable by anyone.  These files are never used automati-
             cally and are not necessary; they are only provided for the con-
             venience of the user.

     $HOME/.ssh/config
             This is the per-user configuration file.  The file format and
             configuration options are described in ssh_config(5).  Because of
             the potential for abuse, this file must have strict permissions:
             read/write for the user, and not accessible by others.

     $HOME/.ssh/authorized_keys
             Lists the public keys (RSA/DSA) that can be used for logging in
             as this user.  The format of this file is described in the
             sshd(8) manual page.  In the simplest form the format is the same
             as the .pub identity files.  This file is not highly sensitive,
             but the recommended permissions are read/write for the user, and
             not accessible by others.

     /etc/ssh/ssh_known_hosts
             Systemwide list of known host keys.  This file should be prepared
             by the system administrator to contain the public host keys of
             all machines in the organization.  This file should be world-
             readable.  This file contains public keys, one per line, in the
             following format (fields separated by spaces): system name, pub-
             lic key and optional comment field.  When different names are
             used for the same machine, all such names should be listed, sepa-
             rated by commas.  The format is described in the sshd(8) manual
             page.

             The canonical system name (as returned by name servers) is used
             by sshd(8) to verify the client host when logging in; other names
             are needed because ssh does not convert the user-supplied name to
             a canonical name before checking the key, because someone with
             access to the name servers would then be able to fool host au-
             thentication.

     /etc/ssh/ssh_config
             Systemwide configuration file.  The file format and configuration
             options are described in ssh_config(5).

     /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key,
             /etc/ssh/ssh_host_rsa_key
             These three files contain the private parts of the host keys and
             are used for RhostsRSAAuthentication and HostbasedAuthentication.
             If the protocol version 1 RhostsRSAAuthentication method is used,
             ssh must be setuid root, since the host key is readable only by
             root.  For protocol version 2, ssh uses ssh-keysign(8) to access
             the host keys for HostbasedAuthentication.  This eliminates the
             requirement that ssh be setuid root when that authentication
             method is used.  By default ssh is not setuid root.

     $HOME/.rhosts
             This file is used in RhostsRSAAuthentication and
             HostbasedAuthentication authentication to list the host/user
             pairs that are permitted to log in.  (Note that this file is also
             used by rlogin and rsh, which makes using this file insecure.)
             Each line of the file contains a host name (in the canonical form
             returned by name servers), and then a user name on that host,
             separated by a space.  On some machines this file may need to be
             world-readable if the user's home directory is on a NFS parti-
             tion, because sshd(8) reads it as root.  Additionally, this file
             must be owned by the user, and must not have write permissions
             for anyone else.  The recommended permission for most machines is
             read/write for the user, and not accessible by others.

             Note that sshd(8) allows authentication only in combination with
             client host key authentication before permitting log in.  If the
             server machine does not have the client's host key in
             /etc/ssh/ssh_known_hosts, it can be stored in
             $HOME/.ssh/known_hosts.  The easiest way to do this is to connect
             back to the client from the server machine using ssh; this will
             automatically add the host key to $HOME/.ssh/known_hosts.

     $HOME/.shosts
             This file is used exactly the same way as .rhosts.  The purpose
             for having this file is to be able to use RhostsRSAAuthentication
             and HostbasedAuthentication authentication without permitting lo-
             gin with rlogin or rsh(1).

     /etc/hosts.equiv
             This file is used during RhostsRSAAuthentication and
             HostbasedAuthentication authentication.  It contains canonical
             hosts names, one per line (the full format is described in the
             sshd(8) manual page).  If the client host is found in this file,
             login is automatically permitted provided client and server user
             names are the same.  Additionally, successful client host key au-
             thentication is required.  This file should only be writable by
             root.

     /etc/shosts.equiv
             This file is processed exactly as /etc/hosts.equiv.  This file
             may be useful to permit logins using ssh but not using
             rsh/rlogin.

     /etc/ssh/sshrc
             Commands in this file are executed by ssh when the user logs in
             just before the user's shell (or command) is started.  See the
             sshd(8) manual page for more information.

     $HOME/.ssh/rc
             Commands in this file are executed by ssh when the user logs in
             just before the user's shell (or command) is started.  See the
             sshd(8) manual page for more information.

     $HOME/.ssh/environment
             Contains additional definitions for environment variables, see
             section ENVIRONMENT above.

DIAGNOSTICS
     ssh exits with the exit status of the remote command or with 255 if an
     error occurred.

SEE ALSO
     gzip(1), rsh(1), scp(1), sftp(1), ssh-add(1), ssh-agent(1),
     ssh-keygen(1), telnet(1), hosts.equiv(5), ssh_config(5), ssh-keysign(8),
     sshd(8)

     T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH
     Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January
     2002, work in progress material.

AUTHORS
     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
     Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
     de Raadt and Dug Song removed many bugs, re-added newer features and
     created OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.

OpenBSD 3.6                   September 25, 1999                            11