glenda.party
term% ls -F
term% pwd
$home/manuals/9front/1/ssh
term% cat index.txt
SSH(1)                      General Commands Manual                     SSH(1)



NAME
       ssh, sshnet, scp, sshserve - secure login and file copy from/to Unix or
       Plan 9

SYNOPSIS
       ssh [ -CfiImPpRrw ] [ -A authlist ] [ -c cipherlist ] [  -[lu]  user  ]
       [user@]host [ cmd [ args ... ]]

       sshnet  [  -A  authlist  ] [ -c cipherlist ] [ -m mtpt ] [ -s service ]
       [user@]host

       scp [host:]file [host:]file
       scp [host:]file ... [host:]dir

       aux/sshserve [ -p ] address

DESCRIPTION
       Ssh allows authenticated login over an encrypted channel to hosts  that
       support  the ssh protocol (see the RFCs listed below for encryption and
       authentication details).

       Ssh takes the host name of the machine to connect to as  its  mandatory
       argument.  It may be specified as a domain name or an IP address.  Nor‐
       mally, login is attempted using the user name from /dev/user.

       Command-line options are:

       -C     force input to be read in cooked mode: ``line at a  time''  with
              local echo.

       -f     enable  agent  forwarding.  With this flag, ssh uses SSH's agent
              forwarding protocol to allow  programs  running  on  the  remote
              server  to  interact with factotum(4) to perform RSA authentica‐
              tion.

       -i     force interactive mode.  In interactive mode,  ssh  prompts  for
              passwords  and  confirmations  of  new host keys when necessary.
              (In non-interactive mode, password requests are rejected and un‐
              recognized  host keys are cause for disconnecting.)  By default,
              ssh runs in interactive mode only when its input file descriptor
              is /dev/cons.

       -I     force non-interactive mode.

       -m     disable the control-\ menu, described below.

       -p     force  pseudoterminal  request.   The  ssh protocol, grounded in
              Unix tradition, differentiates between connections that  request
              controlling  pseudoterminals and those that do not.  By default,
              ssh requests a pseudoterminal only when no command is given.

       -P     force no pseudoterminal request.

       -r     strip carriage returns.

       -R     put the allocated pseudoterminal, if any, in raw mode.

       -w     notify the remote side whenever the window changes size.

       -[lu] user
              specify user name.  This option is deprecated in  favor  of  the
              user@hostname syntax.

       -A authlist
              specify an ordered space-separated list of authentication proto‐
              cols to try.  The full set of authentication  protocols  is  rsa
              (RSA  using  factotum(4) to moderate key usage), password (use a
              password gathered from factotum), and tis  (challenge-response).
              The default list is all three in that order.

       -c cipherlist
              specify  an  ordered  space-separated list of allowed ciphers to
              use when encrypting the channel.  The full set of ciphers is des
              (standard  DES),  3des  (a somewhat doubtful variation on triple
              DES), blowfish (Bruce Schneier's Blowfish), rc4 (RC4), and  none
              (no encryption).  The default cipher list is blowfish rc4 3des.

       The  control-\  character  is a local escape, as in con(1).  It prompts
       with >>>.  Legitimate responses to the prompt are

       q      Exit.

       .      Return from the escape.

       !cmd   Run the command with the network connection as its standard  in‐
              put and standard output.  Standard error will go to the screen.

       r      Toggle printing of carriage returns.

       If  no  command  is specified, a login session is started on the remote
       host.  Otherwise, the command is executed with its arguments.

       Ssh establishes a connection with an ssh daemon  on  the  remote  host.
       The daemon sends to ssh its RSA public host key and session key.  Using
       these, ssh sends a session key which, presumably, only the  daemon  can
       decipher.  After this, both sides start encrypting their data with this
       session key.

       When the daemon's host key has  been  received,  ssh  looks  it  up  in
       $home/lib/keyring  and  in  /sys/lib/ssh/keyring.   If the key is found
       there, and it matches the received key, ssh is satisfied.  If not,  ssh
       reports this and offers to add the key to $home/lib/keyring.

       Over  the encrypted channel, ssh attempts to convince the daemon to ac‐
       cept the call using the listed authentication protocols (see the -A op‐
       tion above).

       The  preferred way to authenticate is a netkey-style challenge/response
       or via a SecurID token.  Ssh users on other systems than Plan 9  should
       enable TIS_Authentication.

       When  the  connection is authenticated, the given command line, (by de‐
       fault, a login shell) is executed on the remote host.

       The SSH protocol allows clients to make  outgoing  TCP  calls  via  the
       server.   Sshnet establishes an SSH connection and, rather than execute
       a remote command, presents the remote server's TCP stack as  a  network
       stack  (see  the  discussion  of TCP in ip(3)) mounted at mtpt (default
       /net), optionally posting a 9P service descriptor for the new file sys‐
       tem as /srv/service.  The -A and -c arguments are as in ssh.

       Scp  uses ssh to copy files from one host to another.  A remote file is
       identified by a host name, a colon and a file name  (no  spaces).   Scp
       can copy files from remote hosts and to remote hosts.

       Sshserve  is the server that services ssh calls from remote hosts.  The
       -A and -c options set valid authentication methods and  ciphers  as  in
       ssh, except that there is no rsa authentication method.  Unlike in ssh,
       the list is not ordered: the server presents a set and the client makes
       the  choice.   The  default sets are tis and blowfish rc4 3des.  By de‐
       fault, users start with the namespace defined in /lib/namespace.  Users
       in  group  noworld  in  /adm/users  start with the namespace defined in
       /lib/namespace.noworld.  Sshserve does not provide the  TCP  forwarding
       functionality  used  by  sshnet, because many Unix clients present this
       capability in an insecure manner.

       Sshserve requires that factotum(4) hold the  host  key,  identified  by
       having attributes proto=rsa service=sshserve.  To generate a host key:

              auth/rsagen -t 'service=sshserve' >/mnt/factotum/ctl

       To  extract the public part of the host key in the form used by SSH key
       rings:

              grep 'service=sshserve' /mnt/factotum/ctl | auth/rsa2ssh

FILES
       /sys/lib/ssh/keyring
              System key ring file  containing  public  keys  for  remote  ssh
              clients and servers.

       /usr/user/lib/keyring
              Personal  key  ring  file  containing public keys for remote ssh
              clients and servers.

SOURCE
       /sys/src/cmd/ssh

SEE ALSO
       /lib/rfc/rfc425[0-6]
       factotum(4), authsrv(6), rsa(8)

BUGS
       Only version 1 of the SSH protocol is implemented.



                                                                        SSH(1)