ssh.0

OpenSSL Source code for SFTP, SSH, and many others

     identification ever changes, ssh warns about this and disables password
     authentication to prevent a trojan horse from getting the user's passM--
     word.  Another purpose of this mechanism is to prevent man-in-the-middle
     attacks which could otherwise be used to circumvent the encryption.  The
     StrictHostKeyChecking option can be used to prevent logins to machines
     whose host key is not known or has changed.

     The options are as follows:

     -a      Disables forwarding of the authentication agent connection.

     -A      Enables forwarding of the authentication agent connection.  This
             can also be specified on a per-host basis in a configuration
             file.

     -b bind_address
             Specify the interface to transmit from on machines with multiple
             interfaces or aliased addresses.

     -c blowfish|3des|des
             Selects the cipher to use for encrypting the session.  3des is
             used by default.  It is believed to be secure.  3des (triple-des)
             is an encrypt-decrypt-encrypt triple with three different keys.
             blowfish is a fast block cipher, it appears very secure and is
             much faster than 3des.  des is only supported in the ssh client
             for interoperability with legacy protocol 1 implementations that
             do not support the 3des cipher.  Its use is strongly discouraged
             due to cryptographic weaknesses.

     -c cipher_spec
             Additionally, for protocol version 2 a comma-separated list of
             ciphers can be specified in order of preference.  See Ciphers for
             more information.

     -e ch|^ch|none
             Sets the escape character for sessions with a pty (default: `~').
             The escape character is only recognized at the beginning of a
             line.  The escape character followed by a dot (`.') closes the
             connection, followed by control-Z suspends the connection, and
             followed by itself sends the escape character once.  Setting the
             character to ``none'' disables any escapes and makes the session
             fully transparent.

     -f      Requests ssh to go to background just before command execution.
             This is useful if ssh is going to ask for passwords or
             passphrases, but the user wants it in the background.  This
             implies -n.  The recommended way to start X11 programs at a
             remote site is with something like ssh -f host xterm.

     -g      Allows remote hosts to connect to local forwarded ports.

     -i identity_file
             Selects a file from which the identity (private key) for RSA or
             DSA authentication is read.  The default is $HOME/.ssh/identity
             for protocol version 1, and $HOME/.ssh/id_rsa and
             $HOME/.ssh/id_dsa for protocol version 2.  Identity files may
             also be specified on a per-host basis in the configuration file.
             It is possible to have multiple -i options (and multiple identiM--
             ties specified in configuration files).

     -I smartcard_device
             Specifies which smartcard device to use. The argument is the
             device ssh should use to communicate with a smartcard used for
             storing the user's private RSA key.

     -k      Disables forwarding of Kerberos tickets and AFS tokens.  This may
             also be specified on a per-host basis in the configuration file.

     -l login_name
             Specifies the user to log in as on the remote machine.  This also
             may be specified on a per-host basis in the configuration file.

     -m mac_spec
             Additionally, for protocol version 2 a comma-separated list of
             MAC (message authentication code) algorithms can be specified in
             order of preference.  See the MACs keyword for more information.

     -n      Redirects stdin from /dev/null (actually, prevents reading from
             stdin).  This must be used when ssh is run in the background.  A
             common trick is to use this to run X11 programs on a remote
             machine.  For example, ssh -n shadows.cs.hut.fi emacs & will
             start an emacs on shadows.cs.hut.fi, and the X11 connection will
             be automatically forwarded over an encrypted channel.  The ssh
             program will be put in the background.  (This does not work if
             ssh needs to ask for a password or passphrase; see also the -f
             option.)

     -N      Do not execute a remote command.  This is useful for just forM--
             warding ports (protocol version 2 only).

     -o option
             Can be used to give options in the format used in the configuraM--
             tion file.  This is useful for specifying options for which there
             is no separate command-line flag.

     -p port
             Port to connect to on the remote host.  This can be specified on
             a per-host basis in the configuration file.

     -P      Use a non-privileged port for outgoing connections.  This can be
             used if a firewall does not permit connections from privileged
             ports.  Note that this option turns off RhostsAuthentication and
             RhostsRSAAuthentication for older servers.

     -q      Quiet mode.  Causes all warning and diagnostic messages to be
             suppressed.

     -s      May be used to request invocation of a subsystem on the remote
             system. Subsystems are a feature of the SSH2 protocol which
             facilitate the use of SSH as a secure transport for other appliM--
             cations (eg. sftp). The subsystem is specified as the remote comM--
             mand.

     -t      Force pseudo-tty allocation.  This can be used to execute arbiM--
             trary screen-based programs on a remote machine, which can be
             very useful, e.g., when implementing menu services.  Multiple -t
             options force tty allocation, even if ssh has no local tty.

     -T      Disable pseudo-tty allocation.

     -v      Verbose mode.  Causes ssh to print debugging messages about its
             progress.  This is helpful in debugging connection, authenticaM--
             tion, and configuration problems.  Multiple -v options increases
             the verbosity.  Maximum is 3.

     -x      Disables X11 forwarding.

     -X      Enables X11 forwarding.  This can also be specified on a per-host
             basis in a configuration file.

     -C      Requests compression of all data (including stdin, stdout,
             stderr, and data for forwarded X11 and TCP/IP connections).  The
             compression algorithm is the same used by gzip(1), and the
             ``level'' can be controlled by the CompressionLevel option.  ComM--
             pression is desirable on modem lines and other slow connections,
             but will only slow down things on fast networks.  The default
             value can be set on a host-by-host basis in the configuration
             files; see the Compression option.

     -F configfile
             Specifies an alternative per-user configuration file.  If a conM--
             figuration file is given on the command line, the system-wide
             configuration file (/etc/ssh/ssh_config) will be ignored.  The
             default for the per-user configuration file is $HOME/.ssh/config.

     -L port:host:hostport
             Specifies that the given port on the local (client) host is to be
             forwarded to the given host and port on the remote side.  This
             works by allocating a socket to listen to port on the local side,
             and whenever a connection is made to this port, the connection is
             forwarded over the secure channel, and a connection is made to
             host port hostport from the remote machine.  Port forwardings can
             also be specified in the configuration file.  Only root can forM--
             ward privileged ports.  IPv6 addresses can be specified with an
             alternative syntax: port/host/hostport

     -R port:host:hostport
             Specifies that the given port on the remote (server) host is to
             be forwarded to the given host and port on the local side.  This
             works by allocating a socket to listen to port on the remote
             side, and whenever a connection is made to this port, the connecM--
             tion is forwarded over the secure channel, and a connection is
             made to host port hostport from the local machine.  Port forwardM--
             ings can also be specified in the configuration file.  Privileged
             ports can be forwarded only when logging in as root on the remote
             machine.  IPv6 addresses can be specified with an alternative
             syntax: port/host/hostport

     -D port
             Specifies a local ``dynamic'' application-level port forwarding.
             This works by allocating a socket to listen to port on the local
             side, and whenever a connection is made to this port, the connecM--
             tion is forwarded over the secure channel, and the application
             protocol is then used to determine where to connect to from the
             remote machine.  Currently the SOCKS4 protocol is supported, and
             ssh will act as a SOCKS4 server.  Only root can forward priviM--
             leged ports.  Dynamic port forwardings can also be specified in
             the configuration file.

     -1      Forces ssh to try protocol version 1 only.

     -2      Forces ssh to try protocol version 2 only.

     -4      Forces ssh to use IPv4 addresses only.

     -6      Forces ssh to use IPv6 addresses only.

CONFIGURATION FILES
     ssh may additionally obtain configuration data from a per-user configuraM--
     tion file and a system-wide configuration file.  The file format and conM--
     figuration options are described in ssh_config(5).

ENVIRONMENT
     ssh will normally set the following environment variables:

     DISPLAY
             The DISPLAY variable indicates the location of the X11 server.
             It is automatically set by ssh to point to a value of the form
             ``hostname:n'' where hostname indicates the host where the shell
             runs, and n is an integer >= 1.  ssh uses this special value to
             forward X11 connections over the secure channel.  The user should