Man Ssh

1/19/2022

Man-in-the-middle attacks against SSH. Imperfect forward secrecy - How Diffie-Hellman fails in practice. Automate with SSH keys, but manage them. SSH keys can be used to automate access to servers. They are commonly used in scripts, backup systems, configuration. Specifies the protocol versions ssh should support in order of preference. The possible values are 1 and 2.Multiple versions must be comma-separated. The default is 1,2.This means that ssh tries version 1 and falls back to version 2 if version 1 is not available.

scp — OpenSSH secure file copy

scp [-346ABCpqrTv] [-ccipher] [-Fssh_config] [-iidentity_file] [-Jdestination] [-llimit] [-ossh_option] [-Pport] [-Sprogram] source ... target

scp copies files between hosts on a network.

It uses ssh(1) for data transfer, and uses the same authentication and provides the same security as a login session. The scp protocol requires execution of the remote user's shell to perform glob(3) pattern matching.

scp will ask for passwords or passphrases if they are needed for authentication.

The source and target may be specified as a local pathname, a remote host with optional path in the form [[email protected]]host:[path], or a URI in the form scp://[[email protected]]host[:port][/path]. Local file names can be made explicit using absolute or relative pathnames to avoid scp treating file names containing ‘:’ as host specifiers.

When copying between two remote hosts, if the URI format is used, a port may only be specified on the target if the -3 option is used.

The options are as follows:

-3

Copies between two remote hosts are transferred through the local host. Without this option the data is copied directly between the two remote hosts. Note that this option disables the progress meter and selects batch mode for the second host, since scp cannot ask for passwords or passphrases for both hosts.

-4

Forces scp to use IPv4 addresses only.

-6

Forces scp to use IPv6 addresses only.

-A

Allows forwarding of ssh-agent(1) to the remote system. The default is not to forward an authentication agent.

-B

Selects batch mode (prevents asking for passwords or passphrases).

-C

Compression enable. Passes the -C flag to ssh(1) to enable compression.

-ccipher

Selects the cipher to use for encrypting the data transfer. This option is directly passed to ssh(1).

-Fssh_config

Specifies an alternative per-user configuration file for ssh. This option is directly passed to ssh(1).

-iidentity_file

Selects the file from which the identity (private key) for public key authentication is read. This option is directly passed to ssh(1).

-Jdestination

Connect to the target host by first making an scp connection to the jump host described by destination and then establishing a TCP forwarding to the ultimate destination from there. Multiple jump hops may be specified separated by comma characters. This is a shortcut to specify a ProxyJump configuration directive. This option is directly passed to ssh(1).

-llimit

Limits the used bandwidth, specified in Kbit/s.

-ossh_option

Can be used to pass options to ssh in the format used in ssh_config(5). This is useful for specifying options for which there is no separate scp command-line flag. For full details of the options listed below, and their possible values, see ssh_config(5).

AddressFamily
BatchMode
BindAddress
BindInterface
CanonicalDomains
CanonicalizeFallbackLocal
CanonicalizeHostname
CanonicalizeMaxDots
CanonicalizePermittedCNAMEs
CASignatureAlgorithms
CertificateFile
ChallengeResponseAuthentication
CheckHostIP
Ciphers
Compression
ConnectionAttempts
ConnectTimeout
ControlMaster
ControlPath
ControlPersist
GlobalKnownHostsFile
GSSAPIAuthentication
GSSAPIDelegateCredentials
HashKnownHosts
Host
HostbasedAcceptedAlgorithms
HostbasedAuthentication
HostKeyAlgorithms
HostKeyAlias
Hostname
IdentitiesOnly
IdentityAgent
IdentityFile
IPQoS
KbdInteractiveAuthentication
KbdInteractiveDevices
KexAlgorithms
KnownHostsCommand
LogLevel
MACs
NoHostAuthenticationForLocalhost
NumberOfPasswordPrompts
PasswordAuthentication
PKCS11Provider
Port
PreferredAuthentications
ProxyCommand
ProxyJump
PubkeyAcceptedAlgorithms
PubkeyAuthentication
RekeyLimit
SendEnv
ServerAliveInterval
ServerAliveCountMax
SetEnv
StrictHostKeyChecking
TCPKeepAlive
UpdateHostKeys
User
UserKnownHostsFile
VerifyHostKeyDNS

-Pport

Specifies the port to connect to on the remote host. Note that this option is written with a capital ‘P’, because -p is already reserved for preserving the times and modes of the file.

Man Sshd

-p

Preserves modification times, access times, and modes from the original file.

-q

Quiet mode: disables the progress meter as well as warning and diagnostic messages from ssh(1).

-r

Recursively copy entire directories. Note that scp follows symbolic links encountered in the tree traversal.

Man Ssh Command

-Sprogram

Name of program to use for the encrypted connection. The program must understand ssh(1) options.

-T

Disable strict filename checking. By default when copying files from a remote host to a local directory scp checks that the received filenames match those requested on the command-line to prevent the remote end from sending unexpected or unwanted files. Because of differences in how various operating systems and shells interpret filename wildcards, these checks may cause wanted files to be rejected. This option disables these checks at the expense of fully trusting that the server will not send unexpected filenames.

-v

Verbose mode. Causes scp and ssh(1) to print debugging messages about their progress. This is helpful in debugging connection, authentication, and configuration problems.

The scp utility exits 0 on success, and >0 if an error occurs.

sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh_config(5), sshd(8)

scp is based on the rcp program in BSD source code from the Regents of the University of California.

Timo Rinne <[email protected]>
Tatu Ylonen <[email protected]>

The OpenSSH SSH daemon supports SSH protocol 2 only. Each host has a host-specific key, used to identify the host. Whenever a client connects, the daemon responds with its public host key. The client compares the host key against its own database to verify that it has not changed. Forward secrecy is provided through a Diffie-Hellman key agreement. This key agreement results in a shared session key. The rest of the session is encrypted using a symmetric cipher. The client selects the encryption algorithm to use from those offered by the server. Additionally, session integrity is provided through a cryptographic message authentication code (MAC).

Finally, the server and the client enter an authentication dialog. The client tries to authenticate itself using host-based authentication, public key authentication, challenge-response authentication, or password authentication.

If the client successfully authenticates itself, a dialog for preparing the session is entered. At this time the client may request things like allocating a pseudo-tty, forwarding X11 connections, forwarding TCP connections, or forwarding the authentication agent connection over the secure channel.

After this, the client either requests a shell or execution of a command. The sides then enter session mode. In this mode, either side may send data at any time, and such data is forwarded to/from the shell or command on the server side, and the user terminal in the client side.

Openssh Man Page

When the user program terminates and all forwarded X11 and other connections have been closed, the server sends command exit status to the client, and both sides exit.

Comments are closed.