.TH SSH 1
.SH NAME
ssh, sshnet, scp, sshserve, ssh_genkey \- secure login and file copy from/to Unix or Plan 9
.SH SYNOPSIS
.B ssh
[
.B -CiImPprvw
]
[
.B -A
.I authlist
]
[
.B -c
.I cipherlist
]
[
.B -[lu]
.I user
]
.RI [ user\fB@ ] host
[
.I cmd
[
.I args
\&... ]]
.PP
.B sshnet
[
.B -A
.I authlist
]
[
.B -c
.I cipherlist
]
[
.B -m
.I mtpt
]
.RI [ user\fB@ ] host
.PP
.B scp
[host:]file [host:]file
.br
.B scp
[host:]file ... [host:]dir
.PP
.B aux/sshserve
[
.B -p
]
.I address
.PP
.B aux/ssh_genkey
[
.I basename
]
.SH DESCRIPTION
.I Ssh
allows authenticated login over an encrypted channel to hosts that
support the ssh protocol (see the RFC listed below for encryption and
authentication details).
.LP
.I Ssh
takes the host name of the machine to connect to as its mandatory argument.
It may be specified as a domain name or an IP address.
Normally, login is attempted using the user name from /dev/user.
.PP
Command-line options are:
.TP
.B -C
force input to be read in cooked mode:
``line at a time'' with local echo.
.TP
.B -i
force interactive mode.
In interactive mode,
.I ssh
prompts for passwords and confirmations of
new host keys when necessary.
(In non-interactive mode, password requests
are rejected and unrecognized host keys are
cause for disconnecting.)
By default,
.I ssh
runs in interactive mode only when its
input file descriptor is
.BR /dev/cons .
.TP
.B -I
force non-interactive mode.
.TP
.B -m
disable the
.RB control- \e
menu, described below.
.TP
.B -p
force pseudoterminal request.
The
.I ssh
protocol, grounded in Unix tradition,
differentiates between connections
that request controlling pseudoterminals
and those that do not.
By default,
.I ssh
requests a pseudoterminal only when no
.I command
is given.
.TP
.B -P
force no pseudoterminal request.
.TP
.B -r
strip carriage returns.
.TP
.B -v
enable verbose feedback during the connection and authentication process.
.TP
.B -w
notify the remote side whenever the window changes size.
.TP
.BR - [ lu ] "\fI user
specify user name.
This option is deprecated in favor of the
.IB user @ hostname
syntax.
.TP
.B "-A\fI authlist
specify an ordered space-separated list of authentication protocols to try.
The full set of authentication protocols is
.B rsa
(RSA using
.IR factotum (4)
to moderate key usage),
.B password
(use a password gathered from factotum),
and
.B tis
(challenge-response).
The default list is all three in that order.
.TP
.B "-c\fI cipherlist
specify an ordered space-separated list of allowed ciphers to use when encrypting the channel.
The full set of ciphers is
.B des
(standard DES),
.B 3des
(a somewhat doubtful variation on triple DES),
.B blowfish
(Bruce Schneier's Blowfish),
.B rc4
(RC4),
and
.B none
(no encryption).
The default cipher list is
.B blowfish
.B rc4
.BR 3des .
.PD
.PP
The
.RB control\- \e
character is a local escape, as in
.IR con (1).
It prompts with
.BR >>> .
Legitimate responses to the prompt are
.TP
.B q
Exit.
.TP
.B .
Return from the escape.
.TP
.B !cmd
Run the command with the network connection as its
standard input and standard output.
Standard error will go to the screen.
.TP
.B r
Toggle printing of carriage returns.
.PD
.LP
If no command is specified,
a login session is started on the remote
host.
Otherwise, the command is executed with its arguments.
.LP
.I Ssh
establishes a connection with an ssh daemon on the remote host.
The daemon sends to
.I ssh
its RSA public host key and session key.
Using these,
.I ssh
sends a session key which, presumably, only the
daemon can decipher.  After this, both sides start encrypting their
data with this session key.
.LP
When the daemon's host key has been received,
.I ssh
looks it up in
.B $home/lib/keyring
and in
.BR /sys/lib/ssh/keyring .
If
the key is found there, and it matches the received key,
.I ssh
is satisfied.  If not,
.I ssh
reports this and offers to add the key to
.BR $home/lib/keyring .
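The keyring lookup just described, together with the interactive/non-interactive rule of the -i and -I options, is modelled below. This is an added example and not code from /sys/src/cmd/ssh: the keyring layout it parses (one "host key" pair per line) is an assumption, since the page does not describe the real file format, and it differs from the page's ssh in one deliberate way, which is that a host already on file with a different key is refused rather than offered for addition, because a changed host key is the case a defender most wants to see fail closed.

```python
"""Host-key verification modelled on the keyring lookup described in ssh(1).

Added example, not code from Plan 9's /sys/src/cmd/ssh.  Assumed keyring
format: one "host key" pair per line, '#' comments and blank lines skipped.
Keys are compared as opaque strings.
"""
from enum import Enum
from typing import Callable, Dict, List, Optional


class Verdict(Enum):
    KNOWN = "known"          # key found in a keyring and it matches
    ADDED = "added"          # unknown host, user confirmed, key recorded
    MISMATCH = "mismatch"    # host is on file with a different key
    REJECTED = "rejected"    # unknown host and no confirmation (or -I mode)


def parse_keyring(text: str) -> Dict[str, str]:
    """Parse the assumed 'host key' line format."""
    ring: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, key = line.split(None, 1)
        ring[host] = key.strip()
    return ring


def lookup(host: str, rings: List[Dict[str, str]]) -> Optional[str]:
    """Return the first recorded key for host, searching the rings in order
    ($home/lib/keyring before /sys/lib/ssh/keyring, as ssh(1) does)."""
    for ring in rings:
        if host in ring:
            return ring[host]
    return None


def check_host_key(
    host: str,
    received: str,
    personal: Dict[str, str],
    system: Dict[str, str],
    interactive: bool,
    confirm: Callable[[str, str], bool],
) -> Verdict:
    """Decide whether the connection may continue.

    interactive=False is the -I behaviour: an unrecognized host key is cause
    for disconnecting and nothing is prompted for.  interactive=True is the
    -i behaviour: confirm() stands in for the prompt that offers to add an
    unknown key to the personal keyring.
    """
    recorded = lookup(host, [personal, system])
    if recorded is not None:
        return Verdict.KNOWN if recorded == received else Verdict.MISMATCH
    if not interactive:
        return Verdict.REJECTED
    if confirm(host, received):
        personal[host] = received   # the "add the key to $home/lib/keyring" step
        return Verdict.ADDED
    return Verdict.REJECTED


if __name__ == "__main__":
    # Constructed keyrings; the key strings are placeholders, not real keys.
    personal = parse_keyring("# constructed personal keyring\nalpha HOSTKEY-ALPHA\n")
    system = parse_keyring("# constructed system keyring\nbeta HOSTKEY-BETA\n")
    accept = lambda h, k: True   # stands in for a user answering "yes"
    print(check_host_key("beta", "HOSTKEY-BETA", personal, system, True, accept))
    print(check_host_key("beta", "HOSTKEY-OTHER", personal, system, True, accept))
    print(check_host_key("gamma", "HOSTKEY-GAMMA", personal, system, False, accept))
```

The personal ring is searched before the system ring, so a personal entry shadows a system one for the same host; that is the order in which the page lists the two files.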
.LP
Over the encrypted channel,
.I ssh
attempts to convince the daemon to accept the call
using the listed authentication protocols
(see the
.B -A
option above).
.LP
The preferred way to authenticate is
.IR netkey -style
challenge/response or a SecurID token.
.I Ssh
users on other systems than Plan 9 should enable \s-2TIS_A\s0uthentication.
.LP
When the connection is authenticated, the given command line
(by default, a login shell) is executed on the remote host.
.sp 1
The SSH protocol allows clients to make outgoing TCP calls via the server.
.I Sshnet
establishes an SSH connection and, rather than execute a remote command,
presents the remote server's TCP stack as a network stack
(see the discussion of TCP in
.IR ip (3))
mounted at
.I mtpt
(default
.BR /net ).
The
.B -A
and
.B -c
arguments are as in
.IR ssh .
.sp 1
.I Scp
uses
.I ssh
to copy files from one host to another.  A remote file is identified by
a host name, a colon and a file name (no spaces).
.I Scp
can copy files from remote hosts and to remote hosts.
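The two argument forms in the synopsis and the "host, a colon and a file name (no spaces)" rule above are enough to write the argument parser. The following is an added example, not the scp from /sys/src/cmd/ssh; the direction labels and the decision that an argument with an empty host before the colon is treated as a local file are this example's own choices.

```python
"""Parse scp(1)-style [host:]file arguments and plan the copies.

Added example, not Plan 9's scp.  Page-derived rules: a remote file is
"host:file" with no spaces; two arguments copy one file to one file; more
than two copy every source under the final directory.
"""
from typing import List, NamedTuple, Optional, Tuple


class Target(NamedTuple):
    host: Optional[str]   # None means a local file
    path: str


def parse_target(arg: str) -> Target:
    """Split '[host:]file'.  Spaces are rejected, as the page requires."""
    if " " in arg:
        raise ValueError("spaces are not allowed in scp arguments: %r" % arg)
    host, sep, path = arg.partition(":")
    if sep and host:
        if not path:
            raise ValueError("remote argument has no file name: %r" % arg)
        return Target(host, path)
    return Target(None, arg)   # no colon, or an empty host: local file (example's choice)


def direction(src: Target, dst: Target) -> str:
    """Label the copy by which side(s) ssh has to reach."""
    if src.host is None and dst.host is None:
        return "local->local"
    if src.host is None:
        return "local->remote"
    if dst.host is None:
        return "remote->local"
    return "remote->remote"


def plan_copies(args: List[str]) -> List[Tuple[Target, Target, str]]:
    """Map an scp argument list onto (source, destination, direction) triples.

    Two arguments:      scp [host:]file [host:]file
    More than two:      scp [host:]file ... [host:]dir
    In the second form each source keeps its base name under the directory.
    """
    if len(args) < 2:
        raise ValueError("scp needs a source and a destination")
    targets = [parse_target(a) for a in args]
    sources, dest = targets[:-1], targets[-1]
    if len(sources) == 1:
        return [(sources[0], dest, direction(sources[0], dest))]
    plan: List[Tuple[Target, Target, str]] = []
    for src in sources:
        base = src.path.rstrip("/").rsplit("/", 1)[-1]
        into = Target(dest.host, dest.path.rstrip("/") + "/" + base)
        plan.append((src, into, direction(src, into)))
    return plan


if __name__ == "__main__":
    # Constructed argument lists; "alpha" and "beta" are placeholder host names.
    for argv in (["alpha:/tmp/notes", "notes"], ["a", "b", "beta:/incoming/"]):
        for src, dst, how in plan_copies(argv):
            print("%-14s %s -> %s" % (how, src, dst))
```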
.sp 1
.I Sshserve
is the server that services
.I ssh
calls from remote hosts.
The
.B -A
and
.B -c
options set valid authentication methods and ciphers
as in
.IR ssh ,
except that there is no
.B rsa
authentication method.
Unlike in
.IR ssh ,
the list is not ordered: the server presents a set and the client makes the choice.
The default sets are
.B tis
and
.B blowfish
.B rc4
.BR 3des .
By default, users start with the namespace defined in
.BR /lib/namespace .
Users in group
.B noworld
in
.B /adm/users
start with the namespace defined in
.BR /lib/namespace.noworld .
.I Sshserve
does not provide the TCP forwarding functionality used
by
.IR sshnet ,
because many Unix clients present
this capability in an insecure manner.
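The negotiation rule stated above (ordered client list, unordered server set, client picks) applies to both the -A and -c options, and the same model shows why the server-side set deserves an audit: the page lists none (no encryption) among the legal ciphers, so a server whose -c set includes it will hand a plaintext channel to any client that lists none first. The following is an added example, not sshserve's code; the name sets and defaults come from the page, while the helper names and the audit rule are this example's own.

```python
"""Model the -A/-c negotiation between ssh(1) and sshserve as the page describes it.

Added example, not code from /sys/src/cmd/ssh.  The client list is ordered
by preference; the server's is a set; the client takes the first entry of
its list that the server presents.
"""
from typing import List, Optional, Set

# Name sets and defaults quoted from the page.
ALL_CIPHERS: Set[str] = {"des", "3des", "blowfish", "rc4", "none"}
ALL_AUTH: Set[str] = {"rsa", "password", "tis"}
CLIENT_CIPHERS: List[str] = ["blowfish", "rc4", "3des"]   # ssh -c default, ordered
CLIENT_AUTH: List[str] = ["rsa", "password", "tis"]       # ssh -A default, ordered
SERVER_CIPHERS: Set[str] = {"blowfish", "rc4", "3des"}    # sshserve -c default, a set
SERVER_AUTH: Set[str] = {"tis"}                           # sshserve -A default, a set


def parse_list(spec: str, universe: Set[str]) -> List[str]:
    """Split a space-separated -A/-c argument, rejecting names the page does not define."""
    names = spec.split()
    unknown = [n for n in names if n not in universe]
    if unknown:
        raise ValueError("unknown entries: %s" % " ".join(unknown))
    return names


def server_set(spec: str, universe: Set[str]) -> Set[str]:
    """sshserve ignores order: the same -A/-c string becomes a set."""
    return set(parse_list(spec, universe))


def choose_cipher(client_order: List[str], offered: Set[str]) -> Optional[str]:
    """First client preference the server offers, or None if they share nothing."""
    for name in client_order:
        if name in offered:
            return name
    return None


def auth_attempts(client_order: List[str], offered: Set[str]) -> List[str]:
    """Methods ssh will actually try, in its -A order, given the server's set.
    sshserve never offers rsa, so with the defaults only tis remains."""
    return [name for name in client_order if name in offered]


def audit_server_ciphers(offered: Set[str]) -> List[str]:
    """Defender's check on a server -c set (this example's rule, not the page's).
    Flags 'none' (no encryption at all) and single 'des'."""
    findings: List[str] = []
    if "none" in offered:
        findings.append("none: a client that lists it first gets a plaintext channel")
    if "des" in offered:
        findings.append("des: single 56-bit DES")
    return findings


if __name__ == "__main__":
    print("default cipher:", choose_cipher(CLIENT_CIPHERS, SERVER_CIPHERS))
    print("default auth order:", auth_attempts(CLIENT_AUTH, SERVER_AUTH))
    # A permissive server set constructed for the demonstration.
    loose = server_set("blowfish none", ALL_CIPHERS)
    print("client preferring none gets:", choose_cipher(["none", "blowfish"], loose))
    print("audit:", audit_server_ciphers(loose))
```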
.PP
.I Ssh_genkey
generates an RSA key set, writing the
private key to
.IB basename .secret
and the public key to
.IB basename .public\fR.
.I Ssh_genkey
also writes
a secret key in the style expected by factotum
to
.IB basename .secret.factotum\fR.
The default
.B basename
is
.BR /sys/lib/ssh/hostkey ,
so running it with no arguments
will generate an RSA key set
for the file server in use.
.SH FILES
.TF /sys/lib/ssh/hostkey.public
.TP
.B /sys/lib/ssh/hostkey.public
Public key for the host on which the program runs.
.TP
.B /sys/lib/ssh/hostkey.secret
Secret key for the host on which the program runs.  This file must
be owned and be readable by bootes only.
.TP
.B /sys/lib/ssh/keyring
System keyring file containing public keys for remote ssh clients and servers.
.TP
.B /usr/\fIuser\fP/lib/keyring
Personal keyring file containing public keys for remote ssh clients and
servers.
.SH SOURCE
.B /sys/src/cmd/ssh
.SH "SEE ALSO"
.IR /sys/src/cmd/ssh/RFC*
.br
.IR factotum (4),
.IR authsrv (6)