ssh will assume your remote username is also henry and requests a connection to that account on server.example.com. If your remote account name differs from the local one, you must tell the SSH client your remote account name. For henry to connect to a remote account called sally, he can use the -l command-line option:# SSH1, SSH2, OpenSSH $ ssh server.example.com
If copying files with scp, the syntax is different for specifying the remote account name, looking more like an email address. [Section 7.5.1, "Full Syntax"] To copy the file myfile to the remote account sally on server.example.com:# SSH1, SSH2, OpenSSH $ ssh -l sally server.example.com
# SSH1, SSH2, OpenSSH
$ scp myfile [email protected]:
If you frequently connect to a remote machine using a different
username, instead of monkeying with command-line options, specify the
remote username in your client configuration file. The
User
keyword serves this purpose, and both ssh and
scp pay attention to it. The following table shows
how to declare that your remote username is sally on a given remote
host:
SSH1, OpenSSH | SSH2 |
---|---|
Host server.example.com User sally |
server.example.com: User sally |
Now, when connecting to server.example.com, you don't have to specify that your remote username is sally:
# The remote username sally will be used automatically $ ssh server.example.com
SSH1, OpenSSH | SSH2 |
---|---|
Host simple HostName server.example.com User sally |
simple: Host server.example.com User sally |
then these long commands:
$ ssh server.example.com -l sally
$ scp myfile [email protected]:
may be reduced to:
This table shows how you can specify separately several different accounts names on different hosts, each in its own section of the configuration file:$ ssh simple $ scp myfile simple:
SSH1, OpenSSH | SSH2 |
---|---|
Host server.example.com User sally ... Host another.example.com User sharon ... |
server.example.com: User sally ... another.example.com: User sharon ... |
This technique is convenient if you have only one account on each remote machine. But suppose you have two accounts on server.example.com, called sally and sally2. Is there some way to specify both in the configuration file? The following attempt doesn't work (we show SSH1 syntax only):
because only the first value (sally) prevails. To get around this limitation, you can use nicknames to create two sections for the same machine in your configuration file, each with a different User:# THIS WILL NOT WORK PROPERLY Host server.example.com User sally User sally2 Compression yes
Now you can access the two accounts easily by nickname:# SSH1, OpenSSH # Section 1: Convenient access to the sally account Host sally-account HostName server.example.com User sally Compression yes # Section 2: Convenient access to the sally2 account Host sally2-account HostName server.example.com User sally2 Compression yes
This works, but it isn't ideal. You've duplicated your settings (HostName and Compression) in each section. Duplication makes a configuration file harder to maintain, since any future changes needs to be applied twice. (In general, duplication isn't good software engineering.) Are you doomed to duplicate? No, there's a better solution. Immediately after the two sections, create a third section with a Host wildcard that matches both sally-account and sally2-account. Suppose you use sally*-account and move all duplicated settings into this new section:$ ssh sally-account $ ssh sally2-account
The end result is shown in this table:# SSH1, OpenSSH Host sally*-account HostName server.example.com Compression yes
SSH1, OpenSSH | SSH2 |
---|---|
Host sally-account User sally Host sally2-account User sally2 Host sally*-account HostName server.example.com Compression yes |
sally-account: User sally sally2-account: User sally2 sally*-account: Host server.example.com Compression yes |
Since sally*-account matches both previous sections, its full name and compression settings apply to both sally-account and sally2-account. Any settings that differ between sally-account and sally2-account (in this case, User) are kept in their respective sections. You've now achieved the same effect as in the previous example -- two accounts with different settings on the same remote machine -- but with no duplication of settings.
or with the configuration keyword:$ ssh1 -i my-key server.example.com $ scp1 -i my-key myfile server.example.com:
The file location is assumed to be relative to the current directory, i.e., in these cases the file is ./my-key. SSH2 also has -i and IdentityFile, but their use is slightly different. Instead of a key file, you supply the name of an identification file:[93]IdentityFile my-key
[93]In SSH2 2.0.13 and earlier, the -i option and IdentityFile require the identity file to be in your SSH2 directory, ~/.ssh2. SSH2 2.1.0 and later accept absolute pathnames; any path that doesn't begin with a slash ( /) is treated as relative to ~/.ssh2.
Take note of this difference between ssh1 and ssh2. If you mistakenly provide a key filename to ssh2, the client attempts to read the key file as if it's an identification file, sending a random result to the SSH2 server. Authentication mysteriously fails, possibly with the log message "No further authentication methods available," or you may be prompted for your login password rather than your public key passphrase. Multiple identities can be quite useful. [Section 6.4, "Multiple Identities"] For example, you can set up your remote account to run specific programs when a second key is used. The ordinary command:$ ssh2 -i my-id-file server.example.com IdentityFile my-id-file
initiates a regular login session, but:$ ssh server.example.com
can run a complex batch process on server.example.com. Using configuration keywords, you can accomplish the same effect by specifying an alternative identity as shown in this table:$ ssh -i other_identity server.example.com
SSH1, OpenSSH | SSH2 |
---|---|
Host SomeComplexAction HostName server.example.com IdentityFile other_identity ... |
SomeComplexAction: Host server.example.com IdentityFile other_identity ... |
You can then invoke:
SSH1 and OpenSSH can specify multiple identities in a single command:[94]$ ssh SomeComplexAction
[94]SSH2 accomplishes the same thing with identification files, which may contain multiple keys.
or:# SSH1, OpenSSH $ ssh -i id1 -i id2 -i id3 server.example.com
Multiple identities are tried in order until one successfully authenticates. However, SSH1 and OpenSSH limit you to 100 identities per command. If you plan to use multiple identities frequently, remember that an SSH agent can eliminate hassle. Simply load each identity's key into the agent using ssh-add, and you won't have to remember multiple passphrases while you work.# SSH1, OpenSSH Host server.example.com IdentityFile id1 IdentityFile id2 IdentityFile id3
[95]OpenSSH additionally keeps SSH-2 known host keys in the file ~/.ssh/known_hosts2.
Table 7-1 summarizes SSH's StrictHostKeyChecking's behavior.# SSH1, SSH2, OpenSSH StrictHostKeyChecking yes
Key Found? | Match? | Strict? | Action |
---|---|---|---|
Yes | Yes | - | Connect |
Yes | No | Yes | Warn and fail |
Yes | No | No | Warn and connect |
Yes | No | Ask | Warn and ask whether to connect |
No | - | Yes | Warn and fail |
No | - | No | Add key and connect |
No | - | Ask | Ask whether to add key and to connect |
OpenSSH has an additional keyword, CheckHostIP, to make a client verify the IP address of an SSH server in the database. Its values may be yes (the default, to verify the address) or no. The value yes provides security against name service spoofing attacks. [Section 3.10.2, "Name Service and IP Spoofing"]
# OpenSSH only CheckHostIP no
Similarly, you can change the location of your per-user part of the database with the keyword UserKnownHostsFile:# SSH1, OpenSSH GlobalKnownHostsFile /users/smith/.ssh/my_global_hosts_file
# SSH1, OpenSSH UserKnownHostsFile /users/smith/.ssh/my_local_hosts_file
Enabling the Nagle Algorithm (TCP_NODELAY)
Requiring IP addresses to be Version 4 or 6
or the -p command-line option followed by the port number:# SSH1, SSH2, OpenSSH Port 2035
You can also specify an alternative port for scp, but the command-line option is -P instead of -p:[96]# SSH1, SSH2, OpenSSH $ ssh -p 2035 server.example.com
[96]scp also has a -p option with the same meaning as for rcp : "preserve file permissions."
In SSH2 2.1.0 and later, you can also provide a port number as part of the user and host specification, preceded by a hash sign. For example, the commands:# SSH1, SSH2, OpenSSH $ scp -P 2035 myfile server.example.com:
each create SSH-2 connections to remote port 2035. (We don't see much use for this alternative syntax, but it's available.) After connecting to the server, ssh sets an environment variable in the remote shell to hold the port information. For SSH1 and OpenSSH, the variable is called SSH_CLIENT, and for SSH2 it is SSH2_CLIENT. The variable contains a string with three values, separated by a space character: the client's IP address, the client's TCP port, and the server's TCP port. For example, if your client originates from port 1016 on IP address 24.128.23.102, connecting to the server's port 22, the value is:# SSH2 only $ ssh2 server.example.com#2035 $ ssh2 [email protected]#2035 $ scp2 [email protected]#2035:myfile localfile
These variables are useful for scripting. In your shell's startup file (e.g., ~/.profile, ~/.login), you can test for the variable, and if it exists, take actions. For example:# SSH1, OpenSSH $ echo $SSH_CLIENT 24.128.23.102 1016 22 # SSH2 only $ echo $SSH2_CLIENT 24.128.23.102 1016 22
#!/bin/sh # Test for an SSH_CLIENT value of nonzero length if [ -n "$SSH_CLIENT" ] then # We logged in via SSH. echo 'Welcome, SSH-1 user!' # Extract the IP address from SSH_CLIENT IP=`echo $SSH_CLIENT | awk '{print $1}'` # Translate it to a hostname. HOSTNAME=`host $IP | grep Name: | awk '{print $2}'` echo "I see you are connecting from $HOSTNAME." else # We logged in not by SSH, but by some other means. echo 'Welcome, O clueless one. Feeling insecure today?' fi
The -P option makes ssh select a local port that is nonprivileged.[97] Let's watch this work by printing the value of SSH_CLIENT on the remote machine, with and without -P. Recall that SSH_CLIENT lists the client IP address, client port, and server port, in order.# SSH1, SSH2, OpenSSH $ ssh -P server.example.com
[97]Yes, it's counterintuitive for -P to mean nonprivileged, but that's life.
# Default: bind to privileged port. $ ssh server.example.com 'echo $SSH_CLIENT' 128.119.240.87 1022 22 1022 < 1024
The configuration keyword UsePrivilegedPort (SSH1, OpenSSH) has the same function as -P, with values yes (use a privileged port, the default) and no (use a nonprivileged port):# Bind to non-privileged port. $ ssh -P server.example.com 'echo $SSH_CLIENT' 128.119.240.87 36885 22 36885 >= 1024
scp also permits binding to nonprivileged ports with these configuration keywords. However, the command-line options are different from those of ssh. For scp1, the option -L means to bind to a nonprivileged port, the same as setting UsePrivilegedPort to no:[98]# SSH1, OpenSSH UsePrivilegedPort no
[98]The -P option was already taken for setting the port number. The source code suggests that -L can mean "large local port numbers."
scp2 has no command-line option for this feature. For trusted-host authentication you must use a privileged port. In other words, if you use -P or UsePrivilegedPort no, you disable Rhosts and RhostsRSA authentication. [Section 3.4.2.3, "Trusted-host authentication (Rhosts and RhostsRSA)"]# SSH1 only $ scp1 -L myfile server.example.com:
The value yes (the default) tells the client to transmit and expect periodic keepalive messages. If the client detects a lack of responses to these messages, it shuts down the connection. The value no means not to use keepalive messages. Keepalive messages represent a tradeoff. If they are enabled, a faulty connection is shut down, even if the problem is transient. However, the TCP keepalive timeout on which this feature is based is typically several hours, so this shouldn't be a big problem. If keepalive messages are disabled, an unused faulty connection can persist indefinitely. KeepAlive is generally more useful in the SSH server, since a user sitting on the client side will certainly notice if the connection becomes unresponsive. However, SSH can connect two programs together, with the one running the SSH client waiting for input from the other side. In such a situation, it can be necessary to have a dead connection be eventually detected. KeepAlive isn't intended to deal with the problem of SSH sessions being torn down because of firewall, proxying, NAT, or IP masquerading timeouts. [Section 5.4.3.4, "KeepAlive"]# SSH1, SSH2, OpenSSH KeepAlive yes
Legal values are yes (to disable the algorithm) and no (to enable it; the default).# SSH2 only NoDelay yes
http://www.ipv6.orgTo force IPv4 addressing, use the -4 flag:
or likewise for IPv6, use -6 :# OpenSSH only $ ssh -4 server.example.com
# OpenSSH only $ ssh -6 server.example.com
Whether or not to fall back to an insecure connection, if a secure one can't be established
In this example, ssh1 tries 10 times before admitting defeat, after which it either quits or falls back to an insecure connection. We'll come back to this when we discuss the keyword FallBackToRsh. [Section 7.4.5.8, "RSH issues"] Most people don't have much use for this keyword, but it might be helpful if your network is unreliable. Just for fun, you can force ssh1 to give up immediately by setting ConnectionAttempts equal to zero:# SSH1, OpenSSH ConnectionAttempts 10
# SSH1, OpenSSH $ ssh -o ConnectionAttempts=0 server.example.com Secure connection to server.example.com refused.
[email protected]'s password:
You may tailor the appearance of this prompt. Perhaps for privacy
reasons, you might not want your username or hostname appearing on
the screen. The configuration keyword
PasswordPromptLogin,
with a value of yes (the default) or
no, prints or suppresses the username. For
example:
causes this prompt to appear without the username:# SSH1 only PasswordPromptLogin no
Likewise, PasswordPromptHost prints or suppresses the hostname, again with values of yes (the default) or no. The line:server.example.com password:
makes the prompt appear without the hostname:# SSH1 only PasswordPromptHost no
If both keywords have value no, the prompt is reduced to:smith's password:
Remember, this applies only to password authentication. With public-key authentication, the prompt for a passphrase is completely different and not controlled by these keywords:Password:
You may also control the number of times you are prompted for your password if mistyped. By default, you're prompted only once, and if you mistype the password, the client exits. The keyword NumberOfPasswordPrompts may change this to between one and five prompts:[99]Enter passphrase for RSA key 'Dave Smith's Home PC':
[99]The upper limit of five prompts is enforced by the SSH server.
Now your SSH clients provides three chances to type your password correctly.# SSH1, OpenSSH NumberOfPasswordPrompts 3
You can insert the remote username or hostname with the symbols %U (remote username) or %H (remote hostname). For example, to emulate the SSH1 prompt:# SSH2 only PasswordPrompt Enter your password right now, infidel:
Or you can be fancier:# SSH2 only PasswordPrompt "%U@%H's password:"
# SSH2 only PasswordPrompt "Welcome %U! Please enter your %H password:"
Batch mode may enabled for scp also with the -B option:# SSH1, SSH2, OpenSSH BatchMode yes
Batch mode doesn't replace authentication. If a password or passphrase is required, you can't magically log in without it by suppressing the prompt. If you try, your client exits with an error message such as "permission denied." In order for batch mode to work, you must arrange for authentication to work without a password/passphrase, say, with trusted-host authentication or an SSH agent. [Section 11.1, "Unattended SSH: Batch or cron Jobs"]# SSH1, SSH2, OpenSSH $ scp1 -B myfile server.example.com:
no interactive terminal session is needed, just a quick dump of the output of ls. In fact, by default sshd doesn't allocate a pty for such a command. On the other hand, if you try running an interactive command like the text editor Emacs in this manner, you get an error message:$ ssh remote.server.com /bin/ls
because Emacs is a screen-based program intended for a terminal. In such cases, you can request that SSH allocate a pty using the -t option:$ ssh remote.server.com emacs -nw emacs: standard input is not a tty
SSH2 also has the keyword ForcePTTYAllocation, which does the same thing as -t .[100]# SSH1, SSH2, OpenSSH $ ssh -t server.example.com emacs
[100]In SSH1 and OpenSSH, the no-pty option in authorized_keys can override this request for a tty. [Section 8.2.9, "Disabling TTY Allocation"]If SSH allocates a pty, it also automatically defines an environment variable in the remote shell. The variable is SSH_TTY (for SSH1 and OpenSSH) or SSH2_TTY (for SSH2) and contains name of the character device file connected to the "slave" side of the pty, the side that emulates a real tty. We can see this in action with a few simple commands. Try printing the value of SSH_TTY on a remote machine. If no tty is allocated, the result is blank:
If you force allocation, the result is the name of the tty:$ ssh1 server.example.com 'echo $SSH_TTY' [no output]
Thanks to this variable, you can run shell scripts on the remote machine that use this information. For example, here's a script that runs your default editor only if a terminal is available:$ ssh1 -t server.example.com 'echo $SSH_TTY' /dev/pts/1
Place this script in your remote account, calling it myscript (or whatever), and run:#!/bin/sh if [ -n $SSH_TTY -o -n $SSH2_TTY ]; then echo 'Success!' exec $EDITOR else echo "Sorry, interactive commands require a tty" fi
$ ssh server.example.com myscript Sorry, interactive commands require a tty $ ssh -t server.example.com myscript Success! ...Emacs runs...
This happens because ssh is attempting to read from standard input while in the background, which causes the shell to suspend ssh. To see the resulting output, you must bring ssh into the foreground:$ ssh server.example.com ls & [1] 11910 $ ... time passes ... [1] + Stopped (SIGTTIN) ssh server.example.com ls &
ssh provides the -n command-line option to get around this problem. It redirects standard input to come from /dev/null, which prevents ssh from blocking for input. Now when the remote command finishes, the output is printed immediately:$ fg README myfile myfile2
SSH2 has a keyword DontReadStdin that does the same thing as -n, accepting the values yes or no (the default is no):# SSH1, SSH2, OpenSSH $ ssh -n server.example.com ls & [1] 11912 $ ... time passes ... README myfile myfile2
# SSH2 only DontReadStdin yes
$ ssh -n server.example.com ls & $ Enter passphrase for RSA key 'smith@client':
WARNING: STOP! Don't type your passphrase! Because the command is run in the background with -n, the prompt is also printed in the background. If you respond, you will be typing to the shell, not the ssh prompt, and anything you type will be visible.You need a solution that not only disables input and sends the process into the background, but also permits ssh to prompt you. This is the purpose of the -f command-line option, which instructs ssh to do the following in order:
SSH2 has a keyword GoBackground that does the same thing, accepting the values yes or no (the default):$ ssh -f server.example.com ls Enter passphrase for RSA key 'smith@client': ******** $ ... time passes... README myfile myfile2
GoBackground and -f also set up any port forwardings you may have specified on the command line. [Section 9.2.6, "Port Forwarding Without a Remote Login"] The setup occurs after authentication but before backgrounding.# SSH2 only GoBackground yes
[101]Only if ssh is compiled with support for rsh, using the compile-time flag --with-rsh. [Section 4.1.5.12, "R-commands (rsh) compatibility"] If not, Scenario 2, fail and stop, is the only possibility.
$ ssh no-ssh-server.com Secure connection to no-ssh-server.com on port 22 refused; reverting to insecure method. Using rsh. WARNING: Connection will not be encrypted.
$ ssh no-ssh-server.com Secure connection to no-ssh-server.com on port 22 refused.
[102]Again, only if ssh is compiled with -- with-rsh.
$ ssh no-ssh-server.com Using rsh. WARNING: Connection will not be encrypted.
The keyword UseRsh instructs ssh to use rsh immediately, not even attempting an SSH connection. Permissible values are yes (to use rsh) and no (the default, to use ssh):# SSH1, SSH2, OpenSSH FallBackToRsh no
Therefore, here is how to create these three scenarios:.# SSH1, SSH2, OpenSSH UseRsh yes
# SSH1, SSH2, OpenSSH FallBackToRsh yes UseRsh no
# SSH1, SSH2, OpenSSH FallBackToRsh no UseRsh no
# SSH1, SSH2, OpenSSH UseRsh yes
SSH1, OpenSSH | SSH2 |
---|---|
# Never do this! Security risk!! Host * UseRsh yes |
# Never do this! Security risk!! *: UseRsh yes |
While logged onto host D, you press the Return key, then ~ ^Z (tilde followed by Control-Z) to suspend the connection temporarily. Well, you've got three ssh connections active, so which one gets suspended? The first one does, and this escape sequence brings you back to the host A prompt. Well, what if you want to escape back to host B or C ? There are two methods, one with forethought and one on the spur of the moment. If you prepare in advance, you may change the escape character for each connection with the configuration keyword EscapeChar, followed by a character:A$ ssh B ... B$ ssh C ... C$ ssh D ... D$
or the -e command-line option, followed again by the desired character (quoted if necessary to protect it from expansion by the shell):# SSH1, SSH2, OpenSSH EscapeChar %
So, going back to our example of hosts A through D, you want a different escape character for each segment of this chain of connections. For example,# SSH1, SSH2, OpenSSH $ ssh -e '%' server.example.com
Now, while logged onto host D, a tilde still brings you back to host A, but a dollar sign brings you back to host B, and a percent sign back to host C. The same effect can be achieved with the EscapeChar keyword, but the following table shows that more forethought is required to set up configuration files on three hosts.# SSH1, SSH2, OpenSSH A$ ssh B ... B$ ssh -e '$' C ... C$ ssh -e '%' D ... D$
SSH1, OpenSSH | SSH2 |
---|---|
# Host A configuration file Host B EscapeChar ~ # Host B configuration file Host C EscapeChar ^ # Host C configuration file Host D EscapeChar % |
# Host A configuration file B: EscapeChar ~ # Host B configuration file C: EscapeChar ^ # Host C configuration file D: EscapeChar % |
Even if you don't normally make chains of SSH connections, you might still want to change the escape character. For example, your work might require you to type a lot of tildes for other reasons, and you might accidentally type an escape sequence such as ~. (tilde period) and disconnect your session. Oops!
The second method requires no forethought. Recall that typing the escape character twice sends it literally across the SSH connection. [Section 2.3.2, "The Escape Character"] Therefore, you can suspend the second SSH connection by typing two escapes, the third by typing three escapes, and so on. Remember you must precede your escape characters by pressing the Return key. While logged onto host D, you could escape back to host B, for example, by hitting the Return key, then typing two tildes, and Control-Z.The documentation mentions debugging levels only up to 3, but in fact the code uses higher ones that are sometimes crucial to understanding a problem. Try cranking up the value if you're not getting enough information.#!/bin/csh setenv SOCKS5_DEBUG 3 setenv SOCKS5_LOG_STDERR
Here, gateway is the machine running the SOCKS server, user is the username you supply for identification to SOCKS, and port is the TCP port for the SOCKS server (by default, 1080). The net/mask entries indicate netblocks that are to be considered local; that is, ssh2 uses SOCKS only for connections lying outside the given network ranges. The mask is given as a number of bits, not an explicit mask, i.e., 192.168.10.0/24 instead of 192.168.10.0/255.255.255.0. The parts of the string enclosed in square brackets are optional. So an SSH_SOCKS_SERVER value can be as simple as this:socks://[user]@gateway[:port]/[net1/mask1,net2/mask2,...]
With this value, ssh2 uses SOCKS for all connections. It connects to a SOCKS server running on laces.shoes.net, port 1080, and it doesn't supply a username. You might wonder why there's a username but no password field. Recall that SOCKS4 doesn't support user authentication. The username is advisory only; the SOCKS server has no way of verifying your claimed identity. You'll probably never want to use an SSH_SOCKS_SERVER setting as simple as this one, which uses the SOCKS server for all ssh2 connections, even those connecting back to the same machine or to a machine on the same network. A better setup is to use SOCKS only for hosts on the other side of the gateway from you. Here's a more complete example:socks://laces.shoes.net
socks://[email protected]:4321/127.0.0.0/8,192.168.10.0/24
With this value, ssh2 connects directly to itself
via its loopback address (127.0.0.1), or to hosts on the class C
network 192.168.10.0. It uses SOCKS for all other connections,
supplying the username "dan" and looking for the SOCKS
server on port 4321.
caused OpenSSH to work seamlessly through our SOCKS server. One caveat, though: in order to work, the OpenSSH client must not be setuid. For obvious security reasons, shared-library loaders ignore the shenanigans of runsocks if the executable in question is setuid. And remember that setuid is required for trusted-host authentication. [Section 3.4.2.3, "Trusted-host authentication (Rhosts and RhostsRSA)"] At one time, there was some code in OpenSSH for SOCKS support. However, it was removed and replaced by a recommendation to use the ProxyCommand feature instead. The idea is to have a little program that just takes a hostname and port number on the command line, connects to that socket via SOCKS, then acts as a pipe, passing data back and forth between the TCP connection and its standard input and output. If this program were called ssh-proxy, it can be used with OpenSSH like so:% runsocks ssh ...
This still doesn't work with SSH1 RhostsRSA authentication unless ssh-proxy is setuid root and written to use a privileged source port. It doesn't by itself interfere with SSH2 hostbased authentication, but it has a separate problem. [Section 7.4.6.4, "Other SOCKS issues"] We're sure such a SOCKS proxying widget must be available somewhere, but we haven't turned one up. You can't use the SOCKS-ified telnet that comes with socks5 because it isn't transparent; bytes in the binary SSH protocol stream are interpreted as Telnet escape sequences and are munged. The authors did prove the concept, though, by taking a copy of netcat (http://www.l0pht.com/~weld/netcat/), and SOCKS-ifying it by linking against the socks5 libraries. The netcat executable is named nc; using our altered version, the following worked for us, sending the SSH connection through our SOCKS gateway:% ssh -o 'ProxyCommand ssh-proxy %h %p' ...
Perhaps the OpenSSH folks will see fit to include such a utility at some point.% ssh -o 'ProxyCommand nc %h %p' ...
or the -c command-line option:# SSH1, OpenSSH Cipher blowfish
SSH2 is almost the same, but the keyword is Ciphers (note the final "s") and is followed by one or more encryption algorithms, separated by commas, indicating that any of these algorithms is acceptable:# SSH1, SSH2, OpenSSH $ ssh -c blowfish server.example.com $ scp -c blowfish myfile server.example.com:
SSH2 also supports the -c command-line option as previously, but it may appear multiple times to specify several acceptable ciphers:# SSH2, OpenSSH/2 Ciphers blowfish,3des
OpenSSH/2 permits multiple algorithms to follow a single -c, separated by commas, to achieve the same effect:# SSH2 only $ ssh2 -c blowfish -c 3des -c idea server.example.com $ scp2 -c blowfish -c 3des -c idea myfile server.example.com:
All ciphers acceptable by a server may be specified for the client. [Section 5.4.5, "Encryption Algorithms"] Check the latest SSH documentation for a current list of supported ciphers.# OpenSSH/2 only $ ssh -c 3des-cbc,blowfish-cbc,arcfour server.example.com
You can specify multiple algorithms on the command line, each preceded by a separate -m option:# SSH2 only $ ssh2 -m hmac-sha1 server.example.com
and the SSH2 server selects one to use.# SSH2 only $ ssh2 -m hmac-sha1 -m another-one server.example.com
[103]Note that at press time, you must disable session rekeying in the SSH2 client if you wish to use it with the OpenSSH server, because the latter doesn't yet support session rekeying. The connection dies with an error once the rekeying interval expires. This feature will likely be implemented soon, however.
# SSH2 only RekeyIntervalSeconds 7200
PasswordAuthentication RhostsAuthentication RhostsRSAAuthentication RSAAuthentication TISAuthentication KerberosAuthentication(The latter two keywords require TIS or Kerberos support compiled in, respectively.) Any or all of these keywords may appear with the value yes or no. For SSH2, the AllowedAuthentications keyword selects one or more authentication techniques. Again, the keyword has the same use here as for the SSH2 server. [Section 5.5.1, "Authentication"] OpenSSH accepts the same keywords as SSH1 except for TISAuthentication, and it adds SkeyAuthentication for one-time passwords. [Section 5.5.1.10, "S/Key authentication"]
informs the SSH server that you, the client, agree to participate in password authentication. It doesn't guarantee that you will authenticate by password, just that you are willing to do it if the server agrees. The server makes the decision and might still authenticate you by another method. If a client wants to require an authentication technique, it must tell the server that one, and only one, technique is acceptable. To do this, the client must deselect every other authentication technique. For example, to force password authentication in SSH1 or OpenSSH:PasswordAuthentication yes
If the server doesn't support password authentication, however, this connection attempt will fail. SSH2 has a better system: the AllowedAuthentications keyword, which has the same syntax and meaning as the server keyword of the same name: [Section 5.5.1, "Authentication"]# SSH1, OpenSSH # This guarantees password authentication, if the server supports it. PasswordAuthentication yes RSAAuthentication no RhostsRSAAuthentication no RhostsAuthentication no KerberosAuthentication no # ... Add any other authentication methods, with value "no"
# SSH2 only AllowedAuthentications password
AuthenticationNotify, an undocumented keyword, causes ssh2 to print a different message, this time on standard output. If the authentication is successful, the message is "AUTHENTICATED YES", otherwise it's "AUTHENTICATED NO". Values may be yes (print the message) or no (the default):$ ssh2 server.example.com Authentication successful. Last login: Sat Jun 24 2000 14:53:28 -0400 ... $ ssh2 -p221 -o 'AuthenticationSuccessMsg no' server.example.com Last login: Sat Jun 24 2000 14:53:28 -0400 ...
The behavior of these two keywords differs in the following ways:$ ssh2 -q -o 'AuthenticationNotify yes' server.example.com AUTHENTICATED YES Last login: Sat Jun 24 2000 14:53:35 -0400 ...
In fact, AuthenticationNotify is used precisely in this manner by scp2 and sftp, then these programs run ssh2 in the background to connect to the remote host for file transfers. They wait for the appearance of the "AUTHENTICATED YES" message to know that the connection was successful, and they can now start speaking to the sftp-server.#!/bin/csh # Get the AUTHENTICATION line set line = `ssh2 -q -o 'AuthenticationNotify yes' server.example.com exit` # Capture the second word set result = `echo $line | awk '{print $2}'` if ( $result == "YES" ) then ...
You then see, to your surprise, a second passphrase prompt:$ ssh2 server.example.com Passphrase for key "mykey": ********
You might conclude that you mistyped your passphrase the first time and type it again. But what if the second prompt came not from your ssh2 client, but from the server, which has been hacked by a evil intruder? Your passphrase has just been stolen! To counteract this potential threat, ssh2 prints "Authentication successful" after authentication, so the previous session actually looks like this:Passphrase for key "mykey":
The second passphrase prompt is now revealed as a fraud.$ ssh2 server.example.com Passphrase for key "mykey": ******** Authentication successful. Passphrase for key "mykey":
For SSH2, however, -C means the opposite, turning compression off:# SSH1, OpenSSH: turn compression ON $ ssh1 -C server.example.com $ scp1 -C myfile server.example.com:
and +C turns it on:# SSH2 only: turn compression OFF $ ssh2 -C server.example.com
(There is no compression option for scp2.) To enable or disable compression for all sessions, use the Compression keyword, given a value of yes or no (the default):# SSH2 only: turn compression ON $ ssh2 +C server.example.com
SSH1 and OpenSSH may also set an integer compression level to indicate how much the data should be compressed. Higher levels mean better compression but slower performance. Levels may be from to 9 inclusive, and the default level is 6.[104] The CompressionLevel keyword modifies the level:# SSH1, SSH2, OpenSSH Compression yes
[104]SSH's compression functionality comes from GNU Zip, a.k.a., gzip, a compression utility popular in the Unix world. The nine CompressionLevel values correspond to the nine methods supported by gzip.
Changing the CompressionLevel can have a drastic effect on performance. Our earlier 12-MB test was run with the default compression level, 6, and took 42 seconds. With compression at various levels, the time ranged from 25 seconds to nearly two minutes (see Table 7-2). With fast processors and network connections, CompressionLevel 1 seems an obvious win. Experiment with CompressionLevel to see which value yields the best performance for your setup.# SSH1, OpenSSH CompressionLevel 2
Level | Bytes Sent | Time Spent (sec.) | Size Reduced (%) | Time Reduced (%) |
---|---|---|---|---|
None | 12112880 | 55 | 0 | 0 |
1 | 2116435 | 25 | 82.5 | 55 |
2 | 2091292 | 25 | 82.5 | 55 |
3 | 2079467 | 27 | 82.8 | 51 |
4 | 1881366 | 33 | 84.4 | 40 |
5 | 1833850 | 36 | 84.8 | 35 |
6 | 1824180 | 42 | 84.9 | 24 |
7 | 1785725 | 48 | 85.2 | 13 |
8 | 1756048 | 102 | 85.5 | -46 |
9 | 1755636 | 118 | 85.5 | -53 |
If you use this keyword, be sure to set it to the fully qualified path of the program. If you use a relative path, hostbased authentication works only for users who have ssh-signer2 in their search path, and cron jobs fail without ssh-signer2 in their path.# SSH2 only SshSignerPath /usr/alternative/bin/ssh-signer2
[105]Or examine the server machine's configuration file /etc/ssh2/sshd2_config yourself for lines beginning with subsystem-.The -s option of ssh2, undocumented at press time, invokes a subsystem on a remote machine. For example, if the SSH2 server running on server.example.com has a "backups" subsystem defined, you run it as:
$ ssh2 -s backups server.example.com
The keyword Ssh1Path locates the executable for ssh1, which by default is set during compile-time configuration:# SSH2 only Ssh1Compatibility yes
If you want SSH2 agents to store and retrieve SSH1 keys, turn on agent compatibility with the keyword Ssh1AgentCompatibility: [Section 6.3.2.4, "SSH-1 and SSH-2 agent compatibility"]# SSH2 only Ssh1Path /usr/local/bin/ssh1
Finally, scp2 invokes scp1 if the -1 command-line option is present:# SSH2 only Ssh1AgentCompatibility yes
In this case, scp2 -1 simply invokes scp1, passing along all its arguments (except for the -1 of course). We don't see much point to this option: if scp1 is available, why not invoke it directly? But the option is there if you need it.# SSH2 only scp2 -1 myfile server.example.com:
Verbose mode can also be turned on for SSH2 with the (surprise!) VerboseMode keyword:# SSH1, OpenSSH $ ssh -v server.example.com SSH Version 1.2.27 [sparc-sun-solaris2.5.1], protocol version 1.5. client: Connecting to server.example.com [128.9.176.249] port 22. client: Connection established. ...
If you ever encounter problems or strange behavior from SSH, your first instinct should be to turn on verbose mode. SSH2 has multiple levels of debug messages; verbose mode corresponds to level 2. You can specify greater or less debugging with the -d command-line option, followed by an integer from to 99:# SSH2 only VerboseMode yes
The analogous feature in OpenSSH is the LogLevel directive, which takes one of six levels as an argument: QUIET, FATAL, ERROR, INFO, VERBOSE, and DEBUG (in order of increasing verbosity). So for example:$ ssh2 -d0 No debugging messages $ ssh2 -d1 Just a little debugging $ ssh2 -d2 Same as-v $ ssh2 -d3 A little more detailed $ ssh2 -d# And so on...
is equivalent to ssh -v. The -d option may also use the same module-based syntax as for server debugging: [Section 5.8.2.2, "SSH2 Debug mode (module-based)"]# OpenSSH $ ssh -o LogLevel=DEBUG
scp2 also supports this level of debugging, but the option is -D instead of -d since scp -d is already used to mean something else:$ ssh2 -d Ssh2AuthPasswdServer=2 server.example.com
To disable all debug messages, use -q:$ scp2 -D Ssh2AuthPasswdServer=2 myfile server.example.com
or the QuietMode keyword:# SSH1, SSH2, OpenSSH $ ssh -q server.example.com # SSH2 only $ scp2 -q myfile server.example.com:
Finally, to print the program version number, use -V:# SSH2 only QuietMode yes
# SSH1, SSH2, OpenSSH $ ssh -V # SSH2 only $ scp2 -V
# SSH2 only RandomSeedFile /u/smith/.ssh2/new_seed
7.3. Introduction to Verbose Mode | 7.5. Secure Copy with scp |
Copyright © 2002 O'Reilly & Associates. All rights reserved.