ssh, sshnet, scp, sshserve \- secure login and file copy from/to Unix or Plan 9
[host:]file [host:]file
[host:]file ... [host:]dir
allows authenticated login over an encrypted channel to hosts that
support the ssh protocol (see the RFCs listed below for encryption and
authentication details).
takes the host name of the machine to connect to as its mandatory argument.
It may be specified as a domain name or an IP address.
Normally, login is attempted using the user name from /dev/user.
Command-line options are:
force input to be read in cooked mode:
``line at a time'' with local echo.
enable agent forwarding.
uses SSH's agent forwarding protocol to allow
programs running on the remote server to
to perform RSA authentication.
force interactive mode.
prompts for passwords and confirmations of
new host keys when necessary.
(In non-interactive mode, password requests
are rejected and unrecognized host keys are
cause for disconnecting.)
runs in interactive mode only when its
input file descriptor is
force non-interactive mode.
menu, described below.
force pseudoterminal request.
protocol, grounded in Unix tradition,
differentiates between connections
that request controlling pseudoterminals
and those that do not.
requests a pseudoterminal only when no
force no pseudoterminal request.
strip carriage returns.
put the allocated pseudoterminal, if any, in raw mode.
notify the remote side whenever the window changes size.
.BR - [ lu ] "\fI user
This option is deprecated in favor of the
specify an ordered space-separated list of authentication protocols to try.
The full set of authentication protocols is
to moderate key usage),
(use a password gathered from factotum),
(challenge-response).
The default list is all three in that order.
specify an ordered space-separated list of allowed ciphers to use when encrypting the channel.
The full set of ciphers is
(a somewhat doubtful variation on triple DES),
(Bruce Schneier's Blowfish),
The default cipher list is
character is a local escape, as in
Legitimate responses to the prompt are
Return from the escape.
Run the command with the network connection as its
standard input and standard output.
Standard error will go to the screen.
Toggle printing of carriage returns.
If no command is specified,
a login session is started on the remote
Otherwise, the command is executed with its arguments.
establishes a connection with an ssh daemon on the remote host.
its RSA public host key and session key.
sends a session key which, presumably, only the
daemon can decipher. After this, both sides start encrypting their
data with this session key.
When the daemon's host key has been received,
.BR /sys/lib/ssh/keyring .
the key is found there, and it matches the received key,
is satisfied. If not,
reports this and offers to add the key to
.BR $home/lib/keyring .
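The host-key decision described above, combined with the interactive and non-interactive behaviour listed under the options, as an added example that is not part of the original manual or the Plan 9 source. The keyring line format (`host bits exponent modulus`), the function names and the "changed"/"unknown" reason strings are assumptions, and the sample keys are constructed.

```python
from enum import Enum

class Verdict(Enum):
    ACCEPT = "accept"          # key found in a keyring and it matches
    PROMPT = "prompt"          # interactive mode: ask before trusting the key
    DISCONNECT = "disconnect"  # non-interactive mode: unrecognized key ends the call

# Constructed sample keyrings (ASSUMED format: host bits exponent modulus).
SYSTEM_KEYRING = "# constructed sample\nfs.example.com 1024 35 1234567891011\n"
PERSONAL_KEYRING = "cpu.example.com 1024 35 998877665544\nbroken line here\n"

def parse_keyring(text):
    """Parse keyring text into {host: set of (bits, exponent, modulus)}."""
    keys = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) != 4:
            continue  # blank, comment or malformed line: never treat as trusted
        host, bits, exp, mod = fields
        try:
            key = (int(bits), int(exp), int(mod))
        except ValueError:
            continue  # non-numeric key material is ignored, not trusted
        keys.setdefault(host.lower(), set()).add(key)
    return keys

def check_host_key(host, received, keyrings, interactive):
    """Decide what to do with the RSA host key a daemon presented.

    keyrings is a list of keyring texts (system first, then personal).
    Returns (Verdict, reason); reason separates a key that differs from a
    stored one ("changed") from a host never seen before ("unknown").
    """
    known = set()
    for text in keyrings:
        known |= parse_keyring(text).get(host.lower(), set())
    if received in known:
        return Verdict.ACCEPT, "match"
    reason = "changed" if known else "unknown"
    if interactive:
        return Verdict.PROMPT, reason      # user confirms before the key is added
    return Verdict.DISCONNECT, reason      # no prompt possible: drop the call
```

A "changed" result deserves more scrutiny than "unknown", since the stored key for that host no longer matches what the daemon presented.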
Over the encrypted channel,
attempts to convince the daemon to accept the call
using the listed authentication protocols
The preferred way to authenticate is a
challenge/response or via a SecurID token.
users on other systems than Plan 9 should enable \s-2TIS_A\s0uthentication.
When the connection is authenticated, the given command line,
(by default, a login shell) is executed on the remote host.
The SSH protocol allows clients to make outgoing TCP calls via the server.
establishes an SSH connection and, rather than execute a remote command,
presents the remote server's TCP stack as a network stack
(see the discussion of TCP in
optionally posting a 9P service
descriptor for the new file system as
.IB /srv/ service \fR.
to copy files from one host to another. A remote file is identified by
a host name, a colon and a file name (no spaces).
can copy files from remote hosts and to remote hosts.
is the server that services
calls from remote hosts.
options set valid authentication methods and ciphers
except that there is no
authentication method.
the list is not ordered: the server presents a set and the client makes the choice.
By default, users start with the namespace defined in
start with the namespace defined in
.BR /lib/namespace.noworld .
does not provide the TCP forwarding functionality used
because many Unix clients present
this capability in an insecure manner.
identified by having attributes
.BR service=sshserve .
To generate a host key:
auth/rsagen -t 'service=sshserve' >/mnt/factotum/ctl
To extract the public part of the host key in the form
used by SSH key rings:
grep 'service=sshserve' /mnt/factotum/ctl | auth/rsa2ssh
.B /sys/lib/ssh/keyring
System key ring file containing public keys for remote ssh clients and servers.
.B /usr/\fIuser\fP/lib/keyring
Personal key ring file containing public keys for remote ssh clients and
.B /lib/rfc/rfc425[0-6]
Only version 1 of the SSH protocol is implemented.