SSH manual

ssh is used to log in to a remote host and execute commands on it. It is intended to replace rlogin and rsh, and to provide encrypted, secure communication between two hosts that do not trust each other over an insecure network. X11 connections and arbitrary TCP/IP ports can be forwarded through this secure channel. When the user connects and logs in to the host hostname, the user must prove his/her identity to the remote host, in a way that depends on the protocol version used.

Parameters

-a
Disables forwarding of the authentication agent connection.

-A
Enables forwarding of the authentication agent connection. This parameter can be set individually for each host in the configuration file.
Agent forwarding should be enabled with caution. Users who can bypass file permissions on the remote host (for the agent's UNIX-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain the key material from the agent, but can perform operations on the keys and use the identities loaded into the agent to pass authentication.

-b bind_address
Specifies the interface to send and receive on, for machines with multiple interfaces or address aliases.

-c blowfish|3des|des
Selects the cipher used to encrypt the session. 3des is the default. 3des (triple-DES) is an encrypt-decrypt-encrypt triple using three different keys, and is considered more reliable. blowfish is a fast block cipher, very secure, and much faster than 3des. des is supported only in the client, for interoperability with old protocol version 1 implementations that do not support 3des. Because of weaknesses in its encryption algorithm, avoiding it is strongly recommended.

-c cipher_spec
In addition, for protocol version 2, a comma-separated list of ciphers in order of preference can be given here. See Ciphers for details.

-e ch|^ch|none
Sets the escape character for pty sessions (default: '~'). The escape character is only recognized at the beginning of a line. The escape character followed by a dot ('.') closes the connection, followed by control-Z it suspends the connection, and followed by itself it sends the escape character once. Setting the character to "none" disables escapes and makes the session fully transparent.

-f
Tells ssh to go to the background just before executing the command. This is useful when ssh is going to ask for a password or passphrase, but the user wants it to run in the background. This option implies the -n option. The recommended way to start an X11 program on a remote machine is with something like ssh -f host xterm.

-g
Allows remote hosts to connect to locally forwarded ports.

-i identity_file
Specifies the identity (private key) file used for RSA or DSA authentication. The default is $HOME/.ssh/identity for protocol version 1, and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for protocol version 2. An identity file can also be specified per host in the configuration file. Multiple -i options can be given (and multiple identity files can be specified in the configuration file).

-I smartcard_device
Specifies the smart card device. The argument is the device file used to communicate with the smart card that stores the user's RSA private key.

-k
Disable forwarding of Kerberos tickets and AFS tokens. This parameter can be set individually for each host in the configuration file.

-l login_name
Specifies the user to log in as on the remote host. This parameter can be set individually for each host in the configuration file.

-m mac_spec
In addition, for protocol version 2, a comma-separated list of MAC (message authentication code) algorithms in order of preference can be given here. For details, see the MACs keyword.

-n
Redirects stdin from /dev/null (actually, prevents reading from stdin). This option must be used when ssh runs in the background. A common use is running X11 programs on a remote machine. For example, ssh -n shadows.cs.hut.fi emacs will start emacs on shadows.cs.hut.fi, automatically forwarding the X11 connection over an encrypted channel, with ssh running in the background. (This does not work if ssh needs to ask for a password or passphrase; see the -f option.)

-N
Do not execute a remote command. This is used for port forwarding. (Protocol version 2 only)

-o option
Some options can be given here, in the same format as in the configuration file. It is used to set options that do not have command line switches.

-p port
Specifies the port to connect to on the remote host. This parameter can be set individually for each host in the configuration file.

-q
Quiet mode. Suppresses all warnings and diagnostics.

-s
Requests that the remote system invoke a subsystem. Subsystems are a feature of the SSH2 protocol that lets other applications (such as sftp) use SSH as a secure transport. The subsystem is specified as the remote command.

-t
Forces the allocation of a pseudo-terminal. This is useful for executing any screen-based program on the remote machine, such as menu services. Multiple -t options force terminal allocation even if there is no local terminal.

-T
Disables the allocation of pseudo-terminals.

-v
Verbose mode. Causes ssh to print debugging messages about its progress. This is useful when debugging connection, authentication and configuration problems. Multiple -v options increase verbosity, up to a maximum of three.

-x
Disable X11 forwarding.

-X
Enables X11 forwarding. This parameter can be set individually for each host in the configuration file.
X11 forwarding should be enabled with caution. Users who can bypass file permissions on the remote host (for the user's X authorization database) can access the local X11 display through the forwarded connection. An attacker can then perform activities such as monitoring keyboard input.

-C
Requests compression of all data (including stdin, stdout, stderr, and data for forwarded X11 and TCP/IP connections). The compression algorithm is the same as that used by gzip(1). In protocol version 1, the compression level is controlled by the CompressionLevel option. Compression is useful on modem lines and other slow connections, but may slow things down on high-speed networks. This parameter can be set individually for each host in the configuration file. See also the Compression option.

-F configfile
Specifies a user-level configuration file. If a configuration file is specified on the command line, the system-level configuration file (/etc/ssh/ssh_config) will be ignored. The default user-level configuration file is $HOME/.ssh/config.

-L port:host:hostport
Forwards the given port on the local (client) host to the given host and port on the remote side. Whenever a connection is made to the local port, it is forwarded over the secure channel, and the remote host makes a connection to port hostport on host. Port forwarding can also be specified in the configuration file. Only root can forward privileged ports. IPv6 addresses are specified with an alternative syntax: port/host/hostport

-R port:host:hostport
Forwards the given port on the remote (server) host to the given host and port on the local side. Whenever a connection is made to the remote port, it is forwarded over the secure channel, and the local host makes a connection to port hostport on host. Port forwarding can also be specified in the configuration file. Privileged ports can be forwarded only when logging in as root on the remote host. IPv6 addresses are specified with an alternative syntax: port/host/hostport

-D port
Specifies local "dynamic" application-level port forwarding. This works by allocating a socket that listens on port on the local machine. Whenever a connection is made to this port, it is forwarded over the secure channel, and the application protocol is used to determine where to connect to from the remote host. Currently the SOCKS4 protocol is supported, and ssh acts as a SOCKS4 server. Only root can forward privileged ports. Dynamic port forwarding can also be specified in the configuration file.

-1
Forces ssh to use protocol version 1 only.

-2
Forces ssh to use protocol version 2 only.

-4
Forces ssh to use IPv4 addresses only.

-6
Forces ssh to use IPv6 addresses only.
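
The following is an added example, not part of the original manual: a small auditor that parses an ssh command line using only the option set listed above and reports the switches a reviewer would want to look at (the -A and -X cautions, -g, -1, and the des cipher). The function names, the sample host and the choice to flag -g and -1 are this example's assumptions; ForwardAgent, ForwardX11 and GatewayPorts are ssh_config(5) keywords that do not appear on this page.

```python
import shlex

TAKES_ARG = set("bceiIlmopFLRD")  # options above that consume a value
# -A and -X carry cautions above; -g and -1 are this example's additions.
RISKY = {
    "A": "agent forwarding: loaded keys usable through the forwarded agent socket",
    "X": "X11 forwarding: local display reachable from the remote host",
    "g": "remote hosts may connect to locally forwarded ports",
    "1": "forces the old protocol version 1",
}
# ssh_config(5) keywords equivalent to -A, -X, -g; these names are not on this page.
RISKY_KEYWORDS = {"forwardagent": "A", "forwardx11": "X", "gatewayports": "g"}

def check_value(flag, value):
    """Findings for an option that carries a value (only -c and -o are checked)."""
    if flag == "c" and "des" in value.split(","):
        return [("c", "des cipher: weak, the page says to avoid it")]
    if flag == "o":  # accepts both "Key=yes" and "Key yes"
        key, _, val = value.replace("=", " ", 1).partition(" ")
        alias = RISKY_KEYWORDS.get(key.strip().lower())
        if alias and val.strip().lower() == "yes":
            return [("o", key + "=yes, same as -" + alias + ": " + RISKY[alias])]
    return []

def audit_ssh_command(cmdline):
    """Return [(flag, reason), ...] for one ssh command line."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return []
    findings, i = [], 1
    while i < len(argv):
        tok = argv[i]
        if tok in ("-", "--") or not tok.startswith("-"):
            break  # hostname reached: everything after it is the remote command
        for j, ch in enumerate(tok[1:], start=1):
            if ch in TAKES_ARG:
                value = tok[j + 1:]              # attached form, e.g. -p2222
                if not value and i + 1 < len(argv):
                    i += 1                       # separate form, e.g. -p 2222
                    value = argv[i]
                findings += check_value(ch, value)
                break                            # rest of the token was the value
            if ch in RISKY:
                findings.append((ch, RISKY[ch]))
        i += 1
    return findings

if __name__ == "__main__":  # constructed sample; the host is a placeholder
    print(audit_ssh_command("ssh -AX -c des -oGatewayPorts=yes gw.example.com"))
```

Because parsing stops at the hostname, a flag that belongs to the remote command (for example the -A in ssh host ls -A) is not reported.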

Origin blog.csdn.net/hqq091425/article/details/108569506