ssh [-1246AaCfgkNnqsTtVvXxY] [-b bind_address] [-c
cipher_spec] [-D port] [-e escape_char] [-F configfile] [-i
identity_file] [-L port:host:hostport] [-l login_name] [-m
mac_spec] [-o option] [-p port] [-R port:host:hostport]
[user@]hostname [command]
| -1 |
Forces ssh to try protocol
version 1 only. |
| -2 |
Forces ssh to try protocol
version 2 only. |
| -4 |
Forces ssh to use IPv4 addresses
only. |
| -6 |
Forces ssh to use IPv6 addresses
only. |
| -A |
Enables forwarding of the
authentication agent connection. This can also be specified
on a per-host basis in a configuration file. Agent
forwarding should be enabled with caution. Users with the
ability to bypass file permissions on the remote host (for
the agent's Unix-domain socket) can access the local agent
through the forwarded connection. An attacker cannot obtain
key material from the agent; however, they can perform
operations on the keys that enable them to authenticate
using the identities loaded into the agent. |
| -a |
Disables forwarding of the
authentication agent connection. |
| -b bind_address |
Specify the interface to
transmit from on machines with multiple interfaces or
aliased addresses. |
| -C |
Requests compression of all data
(including stdin, stdout, stderr, and data for forwarded X11
and TCP/IP connections). The compression algorithm is the
same used by gzip, and the "level"
can be controlled by the CompressionLevel option for
protocol version 1. Compression is desirable on modem lines
and other slow connections, but will only slow down things
on fast networks. The default value can be set on a
host-by-host basis in the configuration files; see the
Compression option. |
| -c blowfish | 3des | des |
Selects the cipher to use for
encrypting the session. 3des is used by default. It is
believed to be secure. 3des (triple-des) is an
encrypt-decrypt-encrypt triple with three different keys.
blowfish is a fast block cipher; it appears very secure and
is much faster than 3des. des is only supported in the ssh
client for interoperability with legacy protocol 1
implementations that do not support the 3des cipher. Its use
is strongly discouraged due to cryptographic weaknesses. |
| -c cipher_spec |
Additionally, for protocol
version 2 a comma-separated list of ciphers can be specified
in order of preference. |
| -D port |
Specifies a local "dynamic"
application-level port forwarding. This works by allocating
a socket to listen to port on the local side, and whenever a
connection is made to this port, the connection is forwarded
over the secure channel, and the application protocol is
then used to determine where to connect to from the remote
machine. Currently the SOCKS4 and SOCKS5 protocols are
supported, and ssh will act as a SOCKS server. Only root can
forward privileged ports. Dynamic port forwardings can also
be specified in the configuration file. |
| -e ch | ^ch | none |
Sets the escape character for
sessions with a pty (default: '~'). The escape character is
only recognized at the beginning of a line. The escape
character followed by a dot ('.') closes the connection;
followed by control-Z suspends the connection; and followed
by itself sends the escape character once. Setting the
character to "none" disables any escapes and makes the
session fully transparent. |
| -F configfile |
Specifies an alternative
per-user configuration file. If a configuration file is
given on the command line, the system-wide configuration
file (/etc/ssh/ssh_config) will be ignored. The default for
the per-user configuration file is $HOME/.ssh/config. |
| -f |
Requests ssh to go to background
just before command execution. This is useful if ssh is
going to ask for passwords or passphrases, but the user
wants it in the background. This implies -n. The recommended
way to start X11 programs at a remote site is with something
like ssh -f host xterm. |
| -g |
Allows remote hosts to connect
to local forwarded ports. |
| -I smartcard_device |
Specifies which smartcard device
to use. The argument is the device ssh should use to
communicate with a smartcard used for storing the user's
private RSA key. |
| -i identity_file |
Selects a file from which the
identity (private key) for RSA or DSA authentication is
read. The default is $HOME/.ssh/identity for protocol
version 1, and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for
protocol version 2. Identity files may also be specified on
a per-host basis in the configuration file. It is possible
to have multiple -i options (and multiple identities
specified in configuration files). |
| -k |
Disables forwarding (delegation)
of GSSAPI credentials to the server. |
| -L port:host:hostport |
Specifies that the given port on
the local (client) host is to be forwarded to the given host
and port on the remote side. This works by allocating a
socket to listen to port on the local side, and whenever a
connection is
made to this port, the connection is forwarded over the
secure channel, and a connection is made to host port
hostport from the remote machine. Port forwardings can also
be specified in the configuration file. Only root can
forward privileged ports. IPv6 addresses can be specified
with an alternative syntax: port/host/hostport. |
| -l login_name |
Specifies the user to log in as
on the remote machine. This also may be specified on a
per-host basis in the configuration file. |
| -m mac_spec |
Additionally, for protocol
version 2 a comma-separated list of MAC (message
authentication code) algorithms can be specified in order of
preference. See the MACs keyword for more information. |
| -N |
Do not execute a remote command.
This is useful for just forwarding ports (protocol version 2
only). |
| -n |
Redirects stdin from /dev/null
(actually, prevents reading from stdin). This must be used
when ssh is run in the
background. A common trick is to use this to run X11
programs on a remote machine. For example, ssh -n
shadows.cs.hut.fi emacs & will start an emacs on
shadows.cs.hut.fi, and the X11 connection will be
automatically forwarded over an encrypted channel. The ssh
program will be put in the background. (This does not work
if ssh needs to ask for a password or passphrase; see also
the -f option.) |
| -o option |
Can be used to give options in
the format used in the configuration file. This is useful
for specifying options for which there is no separate
command-line flag. For full details of the options listed
below, and their possible values, see ssh_config(5).
AddressFamily
BatchMode
BindAddress
ChallengeResponseAuthentication
CheckHostIP
Cipher
Ciphers
ClearAllForwardings
Compression
CompressionLevel
ConnectionAttempts
ConnectionTimeout
DynamicForward
EscapeChar
ForwardAgent
ForwardX11
ForwardX11Trusted
GatewayPorts
GlobalKnownHostsFile
GSSAPIAuthentication
GSSAPIDelegateCredentials
Host
HostbasedAuthentication
HostKeyAlgorithms
HostKeyAlias
HostName
IdentityFile
IdentitiesOnly
LocalForward
LogLevel
MACs
NoHostAuthenticationForLocalhost
NumberOfPasswordPrompts
PasswordAuthentication
Port
PreferredAuthentications
Protocol
ProxyCommand
PubkeyAuthentication
RemoteForward
RhostsRSAAuthentication
RSAAuthentication
ServerAliveInterval
ServerAliveCountMax
SmartcardDevice
StrictHostKeyChecking
TCPKeepAlive
UsePrivilegedPort
User
UserKnownHostsFile
VerifyHostKeyDNS
XAuthLocation |
| -p port |
Port to connect to on the remote
host. This can be specified on a per-host basis in the
configuration file. |
| -q |
Quiet mode. Causes all warning
and diagnostic messages to be suppressed. Only fatal errors
are displayed. If a second -q is given then even fatal
errors are suppressed. |
| -R port:host:hostport |
Specifies that the given port on
the remote (server) host is to be forwarded to the given
host and port on the
local side. This works by allocating a socket to listen to
port on the remote side, and whenever a connection is
made to this port, the connection is forwarded over the
secure channel, and a connection is made to host port
hostport from the local machine. Port forwardings can also
be specified in the configuration file. Privileged ports can
be forwarded only when logging in as root on the remote
machine. IPv6 addresses can be specified with an alternative
syntax: port/host/hostport. |
| -s |
May be used to request
invocation of a subsystem on the remote system. Subsystems
are a feature of the SSH2 protocol which facilitate the use
of SSH as a secure transport for other applications (e.g.,
sftp). The subsystem is specified as
the remote command. |
| -T |
Disable pseudo-tty allocation. |
| -t |
Force pseudo-tty allocation.
This can be used to execute arbitrary screen-based programs
on a remote machine, which can be very useful, e.g., when
implementing menu services. Multiple -t options force tty
allocation, even if ssh has no local tty. |
| -V |
Display the version number and
exit. |
| -v |
Verbose mode. Causes ssh to
print debugging messages about its progress. This is helpful
in debugging connection, authentication, and configuration
problems. Multiple -v options increase the verbosity. The
maximum is 3. |
| -X |
Enables X11 forwarding. This can
also be specified on a per-host basis in a configuration
file.
X11 forwarding should be enabled with caution. Users with
the ability to bypass file permissions on the remote
host (for the user's X authorization database) can access
the local X11 display through the forwarded connection. An
attacker may then be able to perform activities such as
keystroke monitoring. |
| -x |
Disables X11 forwarding. |
| -Y |
Enables trusted X11 forwarding. |
The above example would do a secure login to the
shell.computerhope.com computer. Below is an example of what would
be seen during a slogin.
As can be seen in the above example, the server
provides you with a DSA key fingerprint; once you confirm that you
wish to connect by typing "yes", the host is added to the known hosts. After
providing the correct password, you will be successfully logged in.
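
The -A, -X, -g and -c des entries above can all be switched on per host in a configuration file, where they are easy to overlook. The following is an added example, not part of the original page or of OpenSSH: a small auditor that resolves which of those settings are in effect for a given host. The sample configuration, the hostnames and the function names are constructed for illustration, and Host matching through Python's fnmatch is an approximation of ssh's own pattern matching.

```python
import fnmatch
import re

# Constructed sample config (not from the page); hostnames are placeholders.
SAMPLE = """\
Host bastion.example.org
    ForwardAgent yes
    Cipher=des
Host *.example.org
    ForwardAgent no
    ForwardX11 yes
Host *
    ForwardAgent no
    GatewayPorts no
"""

# Config keywords behind the page's -A, -X, -g and "-c des" entries, the value
# that turns the behaviour on, and the reason the page gives.
RISKY = {
    "forwardagent": ("yes", "-A: agent usable by anyone who can reach its remote socket"),
    "forwardx11": ("yes", "-X: local X11 display reachable from the remote host"),
    "gatewayports": ("yes", "-g: remote hosts may connect to local forwarded ports"),
    "cipher": ("des", "-c des: use strongly discouraged, cryptographic weaknesses"),
}

def parse(text):
    """Yield (host_patterns, keyword, value, lineno) for every setting."""
    patterns = ["*"]  # settings before the first Host line apply to all hosts
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Accept both "Keyword value" and "Keyword=value"; comments never match.
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)$", raw.strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "host":
            patterns = value.split()
        else:
            yield patterns, key, value, lineno

def matches(host, patterns):
    """A Host line applies if a pattern matches and no '!pattern' does."""
    neg = [p[1:] for p in patterns if p.startswith("!")]
    pos = [p for p in patterns if not p.startswith("!")]
    hit = lambda pats: any(fnmatch.fnmatchcase(host, p) for p in pats)
    return hit(pos) and not hit(neg)

def audit(text, host):
    """Return sorted (lineno, keyword, value, reason) for risky effective settings."""
    effective = {}
    for patterns, key, value, lineno in parse(text):
        if matches(host, patterns):
            effective.setdefault(key, (value, lineno))  # first obtained value wins
    return sorted((ln, k, v, RISKY[k][1]) for k, (v, ln) in effective.items()
                  if k in RISKY and v.lower() == RISKY[k][0])
```

Options given on the command line, such as -A or -o, take precedence over the file, so this covers only what the configuration itself enables.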