NAME¶
conch —
Conch SSH client
SYNOPSIS¶
conch |
[-AaCfINnrsTtVvx]
[-c
cipher_spec]
[-e
escape_char]
[-i
identity_file]
[-K
connection_spec]
[-L
port:host:hostport]
[-l user]
[-m
mac_spec]
[-o
openssh_option]
[-p port]
[-R
port:host:hostport]
[user@]
hostname
[command] |
DESCRIPTION¶
conch is a SSHv2 client for logging into a remote machine and
executing commands. It provides encrypted and secure communications across a
possibly insecure network. Arbitrary TCP/IP ports can also be forwarded over
the secure connection.
conch connects and logs into
hostname
(as
user or the current username). The user must prove
her/his identity through a public-key or a password. Alternatively, if a
connection is already open to a server, a new shell can be opened over the
connection without having to reauthenticate.
If
command is specified,
command is
executed instead of a shell. If the
-s option is given,
command is treated as an SSHv2 subsystem name.
Authentication¶
Conch supports the public-key, keyboard-interactive, and password
authentications.
The public-key method allows the RSA or DSA algorithm to be used. The client
uses his/her private key,
$HOME/.ssh/id_rsa or
$HOME/.ssh/id_dsa to sign the session identifier, known only
by the client and server. The server checks that the matching public key is
valid for the user, and that the signature is correct.
If public-key authentication fails,
conch can authenticate by
sending an encrypted password over the connection.
Connection sharing¶
conch has the ability to multiplex multiple shells, commands
and TCP/IP ports over the same secure connection. To disable multiplexing for
a connection, use the
-I flag.
The
-K option determines how the client connects to the remote
host. It is a comma-separated list of the methods to use, in order of
preference. The two connection methods are
‘
unix
’ (for connecting over a multiplexed
connection) and ‘
direct
’ (to connect
directly). To disable connecting over a multiplexed connection, do not include
‘
unix
’ in the preference list.
As an example of how connection sharing works, to speed up CVS over SSH:
conch --noshell --fork -l cvs_user cvs_host
set CVS_RSH=
conch
Now, when CVS connects to cvs_host as cvs_user, instead of making a new
connection to the server,
conch will add a new channel to
the existing connection. This saves the cost of repeatedly negotiating the
cryptography and authentication.
The options are as follows:
- -A
- Enables authentication agent forwarding.
- -a
- Disables authentication agent forwarding (default).
- -C
- Enable compression.
- -c
cipher_spec
- Selects encryption algorithms to be used for this
connection, as a comma-separated list of ciphers in order of preference.
The list that conch supports is (in order of default
preference): aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr,
aes128-cbc, cast128-ctr, cast128-cbc, blowfish-ctr, blowfish, idea-ctr,
idea-cbc, 3des-ctr, 3des-cbc.
- -e
ch | ^ch |
none
- Sets the escape character for sessions with a PTY (default:
‘
~
’). The escape character is only
recognized at the beginning of a line (after a newline). The escape
character followed by a dot (‘.
’)
closes the connection; followed by ^Z suspends the connection; and
followed by the escape character sends the escape character once. Setting
the character to “none” disables any escapes.
- -f
- Fork to background after authentication.
- -I
- Do not allow connection sharing over this connection.
- -i
identity_spec
- The file from which the identity (private key) for RSA or
DSA authentication is read. The defaults are
$HOME/.ssh/id_rsa and
$HOME/.ssh/id_dsa. It is possible to use this option
more than once to use more than one private key.
- -K
connection_spec
- Selects methods for connection to the server, as a
comma-separated list of methods in order of preference. See
Connection sharing for more information.
- -L
port:host:hostport
- Specifies that the given port on the client host is to be
forwarded to the given host and port on the remote side. This allocates a
socket to listen to port on the local side, and when
connections are made to that socket, they are forwarded over the secure
channel and a connection is made to host port
hostport from the remote machine. Only root can
forward privieged ports.
- -l
user
- Log in using this username.
- -m
mac_spec
- Selects MAC (message authentication code) algorithms, as a
comma-separated list in order of preference. The list that
conch supports is (in order of preference): hmac-sha1,
hmac-md5.
- -N
- Do not execute a shell or command.
- -n
- Redirect input from /dev/null.
- -o
openssh_option
- Ignored OpenSSH options.
- -p
port
- The port to connect to on the server.
- -R
port:host:hostport
- Specifies that the given port on the remote host is to be
forwarded to the given host and port on the local side. This allocates a
socket to listen to port on the remote side, and
when connections are made to that socket, they are forwarded over the
secure channel and a connection is made to host port
hostport from the client host. Only root can forward
privieged ports.
- -s
- Reconnect to the server if the connection is lost.
- -s
- Invoke command (mandatory) as a SSHv2
subsystem.
- -T
- Do not allocate a TTY.
- -t
- Allocate a TTY even if command is given.
- -V
- Display version number only.
- -v
- Log to stderr.
- -x
- Disable X11 connection forwarding (default).
AUTHOR¶
Written by Paul Swartz <z3p@twistedmatrix.com>.
REPORTING BUGS¶
To report a bug, visit
http://twistedmatrix.com/bugs/
COPYRIGHT¶
Copyright © 2002-2008 Twisted Matrix Laboratories.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
SEE ALSO¶
ssh(1)