Remote Login and Command Execution with the SSH Command

If both a Table of Contents and Search form are not displayed in separate frames along with this one, you may wish to redisplay this book in a frameset, beginning with the first page.

HP TCP/IP Services for OpenVMS Guide to SSH

SSH Command Reference

Copying Files

Using the SSH_KEYGEN Utility

Remote Login and Command Execution with the SSH Command

The SSH command creates a secure network connection for remote login and remote command execution. This command is intended as a secure replacement for the RLOGIN and RSH commands. When the user enters the SSH command, the SSH client establishes a session with the server and proves the user's identity to the server using a chosen authentication method, as described in Chapter 3. When the user's identity has been accepted by the SSH server, all communication with the remote SSH server is automatically encrypted.

On the client, you can use the SSH command to securely log in remotely and execute remote commands.

Command Synopsis

SSH [-l login_name] [-i file] [-F file] [-v][-d debug-level] [-V] [-q] [-e char] [-c cipher] [-m MAC]
[-p port] [+C] [-C] [-h] [username@]host[#port] [command]

Parameters

The username@host#port parameter specifies the user name, the remote host, and the port on the remote host to which to make a connection. The command parameter specifies one or more commands to be executed on the remote host.Options

You can use the options in SSH Command Options with the SSH command.

Table 3 SSH Command Options
Options Description

-l login_name
Specifies the user for login to the remote system (same as login_name@host).

-i file
Specifies the identity file for public-key authentication. This option takes the file name as a parameter. It is assumed that the file resides in the user's [.SSH2] directory. This option can also be specified in the configuration file.

-F file
Specifies an alternative client host configuration file instead of the default file. The specified file name must include the directory where the file resides. For example: [.SSH2]MY_SSH2_CONFIG. Information from this file supersedes information from TCPIP$SSH_DEVICE:[TCPIP$SSH]SSH2_CONFIG. and the user's [.SSH2]SSH2_CONFIG. file.

-v
Enables verbose mode. Displays verbose debugging messages. Equivalent to the -d2 option. This option can also be specified in the client's configuration file.

-d debug-level
Displays debug information. The debug-level value is a number from 0 to 99, where 99 specifies that all debug information or a comma-separated list of assignments should be displayed.

-q
Disables warning messages. This option can also be specified in the client's configuration file.

-V
Displays the version of SSH.

-c cipher
Specifies the encryption algorithm to use. For more information, see the cipher keyword in the SSH2_CONFIG. configuration file. A single -c option can specify only one cipher. Multiple -c options are allowed.

-m mac
Specifies the MAC (Message Authentication Code) algorithm. For more information, see the MAC keyword in the SSH2_CONFIG. configuration file. Each -m option can have only one MAC; multiple -m options are allowed.

-p port
Specifies the port to connect to on the remote system. This option can also be specified in the client's configuration file.

+C
Enables compression.

-C
Disables compression (default).

-o option
Specifies an option in the format used in the SSH2_CONFIG. configuration file. This is useful for specifying an option for which there is no command-line option. Comment lines are not accepted with this option.

-L [protocol/] port:host:hostport
Specifies that the given port on the local (client) system is to be forwarded to the specified host and port on the remote system. This allocates a socket to listen to the port on the local system. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to the specified host on the specified port from the remote system.
Only privileged user accounts can forward privileged ports. The protocol enables the forwarding for the specified protocol. The protocols implemented are TCP and FTP; the default is no specific processing.
Temporary forwardings are created for the FTP data channel, effectively securing the whole FTP session. This option can also be specified in the client configuration file (see Appendix B). FTP data channel forwarding works in passive mode only. Be sure to set passive mode for FTP data channel connections (see Chapter 7).

-R [protocol/] port:host:hostport
Specifies that the given port on the remote (server) system is to be forwarded to the specified host and port on the local system. This allocates a socket to listen to the port on the remote system. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to the specified host and port from the local system.
Only privileged user accounts can forward privileged ports on the remote system. The protocol argument enables protocol-specific forwarding. The protocols implemented are TCP and FTP; the default is no specific processing.
Temporary forwardings are created for FTP data channel, effectively securing the whole FTP session.
This option can also be specified in the client's configuration file (see Appendix B).
The FTP data channel forwarding works in passive mode. Be sure to set passive mode for FTP data channel connections (see Chapter 7).

-h
Displays information about using the SSH utility.

**Table 3** **SSH Command Options**
Options	Description
-l login_name	Specifies the user for login to the remote system (same as login_name@host).
-i file	Specifies the identity file for public-key authentication. This option takes the file name as a parameter. It is assumed that the file resides in the user's [.SSH2] directory. This option can also be specified in the configuration file.
-F file	Specifies an alternative client host configuration file instead of the default file. The specified file name must include the directory where the file resides. For example: [.SSH2]MY_SSH2_CONFIG. Information from this file supersedes information from TCPIP$SSH_DEVICE:[TCPIP$SSH]SSH2_CONFIG. and the user's [.SSH2]SSH2_CONFIG. file.
-v	Enables verbose mode. Displays verbose debugging messages. Equivalent to the -d2 option. This option can also be specified in the client's configuration file.
-d debug-level	Displays debug information. The debug-level value is a number from 0 to 99, where 99 specifies that all debug information or a comma-separated list of assignments should be displayed.
-q	Disables warning messages. This option can also be specified in the client's configuration file.
-V	Displays the version of SSH.
-c cipher	Specifies the encryption algorithm to use. For more information, see the cipher keyword in the SSH2_CONFIG. configuration file. A single -c option can specify only one cipher. Multiple -c options are allowed.
-m mac	Specifies the MAC (Message Authentication Code) algorithm. For more information, see the MAC keyword in the SSH2_CONFIG. configuration file. Each -m option can have only one MAC; multiple -m options are allowed.
-p port	Specifies the port to connect to on the remote system. This option can also be specified in the client's configuration file.
+C	Enables compression.
-C	Disables compression (default).
-o option	Specifies an option in the format used in the SSH2_CONFIG. configuration file. This is useful for specifying an option for which there is no command-line option. Comment lines are not accepted with this option.
-L [protocol/] port:host:hostport	Specifies that the given port on the local (client) system is to be forwarded to the specified host and port on the remote system. This allocates a socket to listen to the port on the local system. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to the specified host on the specified port from the remote system. Only privileged user accounts can forward privileged ports. The protocol enables the forwarding for the specified protocol. The protocols implemented are TCP and FTP; the default is no specific processing. Temporary forwardings are created for the FTP data channel, effectively securing the whole FTP session. This option can also be specified in the client configuration file (see Appendix B). FTP data channel forwarding works in passive mode only. Be sure to set passive mode for FTP data channel connections (see Chapter 7).
-R [protocol/] port:host:hostport	Specifies that the given port on the remote (server) system is to be forwarded to the specified host and port on the local system. This allocates a socket to listen to the port on the remote system. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to the specified host and port from the local system. Only privileged user accounts can forward privileged ports on the remote system. The protocol argument enables protocol-specific forwarding. The protocols implemented are TCP and FTP; the default is no specific processing. Temporary forwardings are created for FTP data channel, effectively securing the whole FTP session. This option can also be specified in the client's configuration file (see Appendix B). The FTP data channel forwarding works in passive mode. Be sure to set passive mode for FTP data channel connections (see Chapter 7).
-h	Displays information about using the SSH utility.

To execute remote commands, enter the SSH command in this format:SSH [options] server_name [command]

When a user successfully logs in, the SSH server process does the following:

Runs with the user's privileges.

Sets up a user environment.

Sets default to the user's home directory.

Executes the requested command.

Example

The following example shows how to execute the SHOW SYSTEM command on the remote host VMSHOST.

$ SSH VMSHOST SHOW SYSTEM

Copying Files

Using the SSH_KEYGEN Utility