
gtlssh(1) General Commands Manual gtlssh(1)


gtlssh - Shell connection over TLS


gtlssh [options] <host> [<program>]


The gtlssh program connects to a remote server, authenticates the remote server using SSL, then authenticates itself with the server.

gtlsshd will attempt an SCTP connection first, and fall back to TCP if that doesn't work.


-p|--port port
Use the given port instead of the default port.
-i|--keyfile file
Use the given file for the key instead of the default. If you specify this, the certfile will be the same name ending in .crt, unless you specify it explicitly.
--certfile file
Set the certificate to use.
-e|--escchar char
Specify a character to use for the escape character. Setting it to -1 disables the escape character. This can be either a decimal or hexadecimal number, or ^x to set a control character. By default it is ^\ if io1 is the default and stdin is a tty, or disabled otherwise. See ESCAPES below for more details on the escape character. Only handled on io1.
Do telnet processing with RFC2217 handling.
Disable SCTP support. It is disabled by default.
Enable SCTP support.
Disable TCP support.
--transport <connecter>
Instead of using SCTP or TCP, use the given gensio connecter for transport. In this case, the host is required but the hostname part is ignored. This is so the username can be set, if required.
Look up the name using mDNS. This will fetch the IP address (IPv4 or IPv6), the port number, and whether telnet is required, and make the connection.
Set the type used for the lookup. See the gmdns(1) man page under 'STRING VALUES FOR QUERIES' for detail on how to do regex, glob, etc.
Don't use a mux gensio. This may cause issues with gtlsshd, but is useful in some cases for talking with ser2net with no mux support.
-L <accept addr>:<connect addr>
Listen at the <accept addr> on the local machine, and if a connection comes in forward it to the <connect addr> from the remote machine on the gtlssh connection. A local address is in the form [<bind addr>:][sctp|tcp,]port or <unix socket path>. Remote addresses are in the form <hostname>:[sctp|tcp,]port or <unix socket path>. If a name begins with '/' it is a unix socket path. <hostname> and <bindaddr> are standard internet names or addresses.
-R <accept addr>:<connect addr>
Like -L, except the <accept addr> is on the remote machine and <connect addr> is done from the local machine.
Do IPv4 only.
Do IPv6 only.
Generate debugging output. Specifying more than once increases the output.
Help output


After connecting, the host is first validated using standard SSL. The keys used for validation are in $HOME/.gtlssh/server_certs by default. If the given key is not recognized, the user is prompted with the certificate fingerprint and asked whether to accept the certificate.

If the user accepts the certificate, then it is added into the default directory. If not, the connection is terminated.

Certificates are stored in the form "<hostname>,<port>.crt" and "<ipaddress>,<port>.crt". Both are created for a connection (unless connecting with an IP address). A connection is verified as matching both entries. If the certificate in the file does not match the certificate from the remote end, the connection is terminated and the user is informed.
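
The prompt, match and terminate outcomes described above, modelled as shell functions. This is an added example, not gtlssh's own code; the names pin_decision and accept_cert, the byte-for-byte comparison with cmp, and treating a single stored entry as sufficient are assumptions.

```sh
#!/bin/sh
# Added example: models the documented pinning decision; it is not gtlssh code.
# Assumption: "matching" is a byte-for-byte comparison of certificate files.

# pin_decision <certdir> <hostname> <ipaddress> <port> <presented.crt>
# Prints: unknown  (no stored entry; the user would be prompted)
#         match    (every stored entry equals the presented certificate)
#         mismatch (a stored entry differs; the connection would be terminated)
pin_decision() {
    certdir=$1; host=$2; ip=$3; port=$4; presented=$5
    found=0
    # Both names are documented; when connecting by IP address they coincide.
    for name in "$host,$port.crt" "$ip,$port.crt"; do
        pin="$certdir/$name"
        [ -f "$pin" ] || continue
        found=1
        if ! cmp -s "$pin" "$presented"; then
            echo mismatch
            return 0
        fi
    done
    if [ "$found" -eq 1 ]; then echo match; else echo unknown; fi
}

# accept_cert <certdir> <hostname> <ipaddress> <port> <presented.crt>
# Accepting the prompt stores the certificate under both documented names.
accept_cert() {
    mkdir -p "$1"
    cp "$5" "$1/$2,$4.crt"
    [ "$2" = "$3" ] || cp "$5" "$1/$3,$4.crt"
}
```

A mismatch result on a host that was previously accepted means the stored certificate and the presented one differ, which is the case the text says ends the connection.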


If host authentication succeeds, gtlssh authenticates itself with a key and certificate. These files are fetched by default from $HOME/.gtlssh/keycerts in the form <host>[,<port>].key and <host>[,<port>].crt. If the form with the host and port exists, that is taken. Otherwise, if the form with just the host exists, it is taken. Otherwise it defaults to $HOME/.gtlssh/default.key and $HOME/.gtlssh/default.crt.

The remote end looks in $HOME/.gtlssh/allowed_certs for the certificate. If the remote end does not have the certificate presented, then password authentication is tried.
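
To see which client key and certificate the lookup order above selects for a given host and port, the following added example walks the same three candidates. It is not gtlssh's code; the function name client_cred, its return codes, and reporting a key without a certificate beside it are assumptions.

```sh
#!/bin/sh
# Added example: the documented lookup order for the client key and certificate.
# Not gtlssh code; the function name and return codes are assumptions.

# client_cred <host> <port> [gtlssh-dir]
# Prints "<keyfile> <certfile>" for the first candidate whose key exists.
# Returns 0 if the pair is complete, 1 if the chosen key has no certificate
# beside it, 2 if no candidate key exists at all.
client_cred() {
    host=$1; port=$2; base=${3:-$HOME/.gtlssh}
    # Order from the text: host,port form, then host-only form, then default.
    for stem in "$base/keycerts/$host,$port" \
                "$base/keycerts/$host" \
                "$base/default"; do
        [ -f "$stem.key" ] || continue
        echo "$stem.key $stem.crt"
        [ -f "$stem.crt" ] || return 1
        return 0
    done
    return 2
}
```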


If the stdin for gtlssh is a tty and no program is given to run, then the login is an interactive login. Any sort of delay in I/O processing is disabled, the local terminal is used for I/O, and it is put into raw mode.

In non-interactive mode, the local side uses stdio for local I/O and I/O processing delay on the network side is not disabled. This is useful for programs transferring data over the connection.


If the escape character is received from the user, the character is not transferred and the program waits for another character. If the other character is also the escape character, a single escape character is sent. If the other character is not recognized as a valid escape, it is ignored and not transferred. Upper and lower case are equivalent.

Escape characters are:

Quit the program.
Send a break to io2. Ignored if io2 does not support break.
Dump serial data for io2. Ignored if io2 is not RFC2217 capable.
Set the serial port (baud) rate for io2. Ignored if io2 is not RFC2217 capable. After this, the serial port speed must be typed, terminated by a new line. Invalid speeds are ignored; use escchar-d to check that you set it right.
n, o, e
Set the parity on io2 to none, odd, or even. Ignored if io2 is not RFC2217 capable.
7, 8
Set the data size on io2 to 7 or 8 bits. Ignored if io2 is not RFC2217 capable.
1, 2
Set the number of stop bits on io2 to 1 or 2. Ignored if io2 is not RFC2217 capable.


gensio(5), gtlsshd(1), gtlssh-keygen(1), gmdns(1)




Corey Minyard <>
01/02/19 Shell connection over TLS