lsh.texinfo 50.4 KB
Newer Older
Niels Möller's avatar
Niels Möller committed
1
2
3
4
5
6
7
\input texinfo          @c -*-texinfo-*-

@c %**start of header
@setfilename lsh.info
@settitle lsh
@c %**end of header

8
9
10
11
12
@dircategory GNU Packages
@direntry
* LSH: (lsh).           Secure Shell and related utilities.
@end direntry

13
@set UPDATED-FOR 1.3.4
14

15
16
17
18
@c Latin-1 doesn't work with tex output.
@c Also lookout for é characters.

@set AUTHOR Niels Möller
Niels Möller's avatar
Niels Möller committed
19
@ifinfo
20
21
Draft manual for LSH. This manual corresponds to @command{lsh} version
@value{UPDATED-FOR}. 
Niels Möller's avatar
Niels Möller committed
22

23
Copyright 2000 @value{AUTHOR}
Niels Möller's avatar
Niels Möller committed
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55

Permission is granted to make and distribute verbatim
copies of this manual provided the copyright notice and
this permission notice are preserved on all copies.

@ignore
Permission is granted to process this file through TeX
and print the results, provided the printed document
carries a copying permission notice identical to this
one except for the removal of this paragraph (this
paragraph not being relevant to the printed manual).

@end ignore
Permission is granted to copy and distribute modified
versions of this manual under the conditions for
verbatim copying, provided also that the sections
entitled ``Copying'' and ``GNU General Public License''
are included exactly as in the original, and provided
that the entire resulting derived work is distributed
under the terms of a permission notice identical to this
one.

Permission is granted to copy and distribute
translations of this manual into another language,
under the above conditions for modified versions,
except that this permission notice may be stated in a
translation approved by the Free Software Foundation.

@end ifinfo

@titlepage
@sp 10
56
57
58
59
@c @center @titlefont{LSH Manual}

@title LSH Manual
@subtitle For @command{lsh} version @value{UPDATED-FOR}
Niels Möller's avatar
Niels Möller committed
60

61
@author @value{AUTHOR}
Niels Möller's avatar
Niels Möller committed
62
63
64
65

@c The following two commands start the copyright page.
@page
@vskip 0pt plus 1filll
66
Copyright @copyright{} 2000 @value{AUTHOR}
Niels Möller's avatar
Niels Möller committed
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88

Permission is granted to make and distribute verbatim
copies of this manual provided the copyright notice and
this permission notice are preserved on all copies.

Permission is granted to copy and distribute modified
versions of this manual under the conditions for
verbatim copying, provided also that the sections
entitled ``Copying'' and ``GNU General Public License''
are included exactly as in the original, and provided
that the entire resulting derived work is distributed
under the terms of a permission notice identical to this
one.

Permission is granted to copy and distribute
translations of this manual into another language,
under the above conditions for modified versions,
except that this permission notice may be stated in a
translation approved by the Free Software Foundation.

@end titlepage

89
@ifnottex
90
@node     Top, Introduction, (dir), (dir)
Niels Möller's avatar
Niels Möller committed
91
@comment  node-name,  next,  previous,  up
92
@top
93

94
95
This document describes @command{lsh} and related programs. The @command{lsh} suite
of programs is intended as a free replacement for the @command{ssh} suite of
96
97
98
programs. In turn, @command{ssh} was intended as a secure replacement for
the @command{rsh} and @command{rlogin} programs for remote login over the
Internet.
Niels Möller's avatar
Niels Möller committed
99

100
@command{lsh} is a component of the @acronym{GNU} system.
101

102
103
This manual explains how to use and hack @command{lsh}; it corresponds to
@command{lsh} version @value{UPDATED-FOR}.
Niels Möller's avatar
Niels Möller committed
104

105
106
@menu
* Introduction::                
107
108
109
110
* Installation::                
* Getting started::             
* Invoking lsh::                
* Invoking lshd::               
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
* Terminology::                 
* Concept Index::               

@detailmenu
 --- The Detailed Node Listing ---

Introduction

* Threats::                     
* Features::                    
* Related techniques::          

Related programs and techniques

* ssh1::                        SSH version 1
* ssh2::                        SSH version 2
* Kerberos::                    Kerberos
* ipsec::                       IP Sec

130
131
132
133
134
135
136
137
Getting started

* lsh basics::                  Connection with lsh
* tcpip forwarding::            Forwarding @acronym{TCP/IP} ports
* lshd basics::                 Starting the lshd deamon
* public-key::                  Using public-keys
* srp::                         Using SRP authentication
* sexp::                        Examining keys and other S-exp files.
138
* Converting keys::             
139
140

Invoking @command{lsh}
141

142
143
144
145
146
* Algorithms: Algorithm options.  Selecting algorithms.
* Hostauth options::            
* Userauth options::            
* Actions: Action options.      What to do after login.
* Messages: Verbosity options.  Tuning the amount of messages.
147

148
149
150
@end detailmenu
@end menu

151
152
@end ifnottex

153
@node Introduction, Installation, Top, Top
Niels Möller's avatar
Niels Möller committed
154
155
156
157
@comment  node-name,  next,  previous,  up
@chapter Introduction

What is this thing called computer security anyway? Why would you want
158
to use a program like @command{lsh}?
Niels Möller's avatar
Niels Möller committed
159

160
This chapter explains the threats @command{lsh} tries to protect you from,
Niels Möller's avatar
Niels Möller committed
161
and some of the threats that remain. It also describes some of the
162
technologies used in @command{lsh}.
Niels Möller's avatar
Niels Möller committed
163
164
165
166
167
168

From time to time in this manual, I will speak about the @dfn{enemy}.
This means anybody who is trying to eavesdrop or disturb your private
communication. This usage is technical, and it does not imply that the
enemy is somehow morally inferior to you: The enemy may be some awful
criminals trying to eavesdrop on you, or it may be the police trying to
169
eavesdrop on the same criminals.
Niels Möller's avatar
Niels Möller committed
170
171
172

The enemy can be a criminal, or a competitor, or your boss who's trying
to find out how much you tell collegues at competing firms. It may be
173
your own or somebody else's national security officials. Or your
Niels Möller's avatar
Niels Möller committed
174
175
176
ex-boyfriend who happens to be too curious.

So what can the enemy do to your communications and your privacy?
177
Remember that just because you're paranoid that doesn't mean that nobody
178
is trying to get you@dots{}
Niels Möller's avatar
Niels Möller committed
179
180


181
182
183
184
185
186
187
@menu
* Threats::                     
* Features::                    
* Related techniques::          
@end menu

@node Threats, Features, Introduction, Introduction
Niels Möller's avatar
Niels Möller committed
188
189
190
@comment  node-name,  next,  previous,  up
@section Threats

191
192
When logging in to some other machine via the Internet, either in the
same building or a few continents away, there are several things that
Niels Möller's avatar
Niels Möller committed
193
194
may be under enemy attack.

195
196
@table @dfn
@item Local attacks
197
The enemy controls your local environment. He or she may be looking over
Niels Möller's avatar
Niels Möller committed
198
199
200
201
202
203
your shoulder. Your local machine might be cracked. Or there may be some
device planted inside your keyboard transmitting everything you type to
the attacker. About the same problems occur if the attacker has taken
control over your target machine, i.e. the remote machine you have
logged in to.

204
@item Denial-of-service attacks
Niels Möller's avatar
Niels Möller committed
205
206
207
The enemy has cut your network cable, effectively stopping your
communication. Even without doing physical damage, the enemy may be able
to flood and overload computers or network equipment. Or disrupt network
208
traffic by sending fake packets to hangup your @acronym{TCP/IP}
Niels Möller's avatar
Niels Möller committed
209
210
connections.

211
@item Passive eavesdropping
Niels Möller's avatar
Niels Möller committed
212
The enemy may be able to listen to your communication somewhere along
213
its path. With the global Internet, it's difficult to predict who might
Niels Möller's avatar
Niels Möller committed
214
215
216
217
218
219
220
221
222
be able to listen. Internet traffic between buildings just a few hundred
meters apart have been observed temporarily being routed through half a
dozen countries, perhaps a few thousand kilometers.

And even without routing anomalies, it is possible that the enemy has
been able to take control of some nearby machine, and can listen in from
there. Of course, passive eavesdropping is most dangerous if you
transmit cleartext passwords. This is the main reason not to use vanilla
telnet to login to remote systems. Use a telnet with support for
223
224
@acronym{SSL} or Kerberos, or use a program like @command{lsh} or
@command{ssh}. 
Niels Möller's avatar
Niels Möller committed
225
226
227
228
229
230
231
232
233
234
235
236
237

A passive eavesdropper is assumed not to do anything nasty with your
packets beyond listening to them.

@item Name resolution attacks
The translation from symbolic @acronym{DNS} names to numeric
ip-addresses may be controlled by the attacker. In this case, you may
think that you are connecting to a friendly machine, when in fact you
are connecting somewhere else.

@item Fake packets
It is fairly easy to fake the source address of an @acronym{IP}-packet,
although it is more difficult to get hold on the replies to the faked
238
packets. But even without any replies, this can cause serious
Niels Möller's avatar
Niels Möller committed
239
240
problems. 

241
@item Man-in-the-middle attack
Niels Möller's avatar
Niels Möller committed
242
243
244
245
246
247
248
249
250
251
252
In this attack, the enemy sits between you and the target. When
communicating with you, he pretends to be the target. When communicating
with the target, he pretends to be you. He also passes all information
on more or less unmodified, so that he is invisible to you and the
target. To mount this attack, the enemy either needs physical access to
some network equipment on the path between you and the target, or he has
been able to fool you to connect to him rather than to the target, for
example by manipulating the @acronym{DNS}-system.

@end table

253
@command{lsh} makes no attempt to protect you from local attacks. You have
Niels Möller's avatar
Niels Möller committed
254
255
256
to trust the endpoint machines. It seems really difficult to uphold any
security if the local machine is compromised. This is important to keep
in mind in the ``visitor''-scenario, where you visit a friend or perhaps an
257
Internet café and want to connect to some of the machines at home or at
Niels Möller's avatar
Niels Möller committed
258
259
260
work. If the enemy has been able to compromize your friend's or the
café's equipment, you may well be in trouble.

261
262
Protection from denial-of-service attacks is also a very difficult
problem, and @command{lsh} makes no attempt to protect you from that.
Niels Möller's avatar
Niels Möller committed
263

264
Instead, the aim of @command{lsh}, and most serious tools for cryptographic
265
protection of communications across the net, is to isolate the
Niels Möller's avatar
Niels Möller committed
266
vulnerabilities to the communication endpoints. If you know that the
267
endpoints are safe, the enemy should not be able to compromize your
268
privacy or communications. Except for denial-of-service attacks (which
Niels Möller's avatar
Niels Möller committed
269
270
at least can't be performed without you noticing it).

271
First of all, @command{lsh} provides protection against passive
Niels Möller's avatar
Niels Möller committed
272
eavesdropping. In addition, if you take the appropriate steps to make
273
sure that hostkeys are properly authenticated, @command{lsh} also protects
Niels Möller's avatar
Niels Möller committed
274
275
276
277
against man-in-the-middle attacks and in particular against attacks on
the name resolution. In short, you need only trust the security at the
end points: Even if the enemy controls all other network equipment, name
resolution and routing infrastructure, etc, he can't do anything beyond
278
the denial-of-service attack.
Niels Möller's avatar
Niels Möller committed
279
280
281
282
283
284
285

And at last, remember that there is no such thing as absolute security.
You have to estimate the value of that which you are protecting, and
adjust the security measures so that your enemies will not find it worth
the effort to break them.


286
@node Features, Related techniques, Threats, Introduction
Niels Möller's avatar
Niels Möller committed
287
@comment  node-name,  next,  previous,  up
288
@section Features
Niels Möller's avatar
Niels Möller committed
289

290
@command{lsh} does not only provide more secure replacements for
291
292
293
294
295
296
@command{telnet}, @command{rsh} and @command{rlogin}, it also provides
some other features to make it convenient to communicate securely. This
section is expected to grow with time, as more features from the
wish-list are added to lsh. One goal for @command{lsh} is to make it
reasonable easy to extend it, without messing with the core security
functionality.
Niels Möller's avatar
Niels Möller committed
297

298
@command{lsh} can be configured to allow login based on a personal key-pair
Niels Möller's avatar
Niels Möller committed
299
consisting of a private and a public key, so that you can execute remote
300
commands without typing your password every time. You can also use
301
Thomas Wu's Secure Remote Password Protocol (@acronym{SRP}). Kerberos support is
302
on the wish list but not yet supported (@pxref{Kerberos}).
Niels Möller's avatar
Niels Möller committed
303

304
The public-key authentication methods should also be extended to support
305
Simple Public Key Infrastructure (@acronym{SPKI}) certificates, including some
Niels Möller's avatar
Niels Möller committed
306
307
mechanism to delegate restricted logins.

308
309
310
Forwarding of arbitrary @acronym{TCP/IP} connections is provided. This
is useful for tunneling otherwise insecure protocols, like telnet and
pop, through an encrypted @command{lsh} connection.
Niels Möller's avatar
Niels Möller committed
311

312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
Convenient tunneling of @acronym{X} was one of the most impressive
features of the original @command{ssh} programs. The current version of
@command{lsh} implements @acronym{X}-forwarding, although the
@command{lshd} server doesn't provide that service yet.

Whan @acronym{X} forwarding is in effect, the remote process is started
in an environment where the @env{DISPLAY} variable in the environment
points to a fake @acronym{X} server, connection to which are forwarded
to the @acronym{X} server in your local environment. @command{lsh} also
creates a new ``fake'' @samp{MIT-MAGIC-COOKIE-1} for controlling access
control. Your real @acronym{X} authentication data is never sent to the
remote machine.

Other kinds of tunneling that may turn out to be useful include
authentication (i.e. @command{ssh-agent}), general forwarding of
@acronym{UDP}, and why not also general @acronym{IP}-tunneling.
Niels Möller's avatar
Niels Möller committed
328
329


330
@node Related techniques,  , Features, Introduction
Niels Möller's avatar
Niels Möller committed
331
332
333
334
@comment  node-name,  next,  previous,  up
@section Related programs and techniques

This sections describes some other programs and techniques related to
335
336
@command{lsh}. The ssh family of programs use mostly the same kind of
security as @command{lsh}. Kerberos and @acronym{IPSEC} operate quite
Niels Möller's avatar
Niels Möller committed
337
differently, in particular when it comes to protection against
338
man-in-the-middle attacks.
Niels Möller's avatar
Niels Möller committed
339

340
341
342
343
344
345
346
347
@menu
* ssh1::                        SSH version 1
* ssh2::                        SSH version 2
* Kerberos::                    Kerberos
* ipsec::                       IP Sec
@end menu

@node ssh1, ssh2, Related techniques, Related techniques
Niels Möller's avatar
Niels Möller committed
348
@comment  node-name,  next,  previous,  up
349
@subsection @code{ssh-1.x}
Niels Möller's avatar
Niels Möller committed
350

351
The first of the Secure shell programs was Tatu Ylönen's @command{ssh}.
352
353
354
355
356
The latest of the version 1 series is @code{ssh-1.27} which speaks
version 1.5 of the protocol. The ``free'' version of @code{ssh-1.27}
does not allow commercial use without additional licensing, which makes
@code{ssh-1.27} non-free software according to Debian's Free Software
Guidelines and the Open Source Definition.
Niels Möller's avatar
Niels Möller committed
357
358
359
360
361

The version 1 protocol has some minor weaknesses, in particular, all
support for using stream ciphers was disabled by default a few versions
back, for security reasons.

362
363
There also exists free implementations of @code{ssh-1}, for both Unix
and Windows. @command{ossh} and later OpenSSH are derived from earlier
364
version av Tatu Ylönen's @command{ssh}, and are free software.
Niels Möller's avatar
Niels Möller committed
365

366
@node ssh2, Kerberos, ssh1, Related techniques
Niels Möller's avatar
Niels Möller committed
367
@comment  node-name,  next,  previous,  up
368
@subsection @code{ssh-2.x}
Niels Möller's avatar
Niels Möller committed
369

370
@command{ssh2} implements the next generation of the Secure Shell
Niels Möller's avatar
Niels Möller committed
371
protocol, the development of which is supervised by the @acronym{IETF}
372
373
secsh Working Group. @command{lsh} implements the required subset of
this protocol. It is intended to be compatible with the @command{ssh2}
374
series of programs distributed by F-Secure Corporation.
Niels Möller's avatar
Niels Möller committed
375

376
However, the existing versions of @command{ssh2} gets some details of the
Niels Möller's avatar
Niels Möller committed
377
378
379
protocol wrong (probably because it predates the protocol
specification), so there is some amount of bug-compatibility required.

380
381
Interoperability between independently developed implementations is one
necessary condition for the @code{ssh-2} protocol to become a Proposed
Niels Möller's avatar
Niels Möller committed
382
383
Standard.

384
The license for F-Secure's @command{ssh2} programs is similar to that
385
for recent versions of @command{ssh1}, but with a narrower definition of
Niels Möller's avatar
Niels Möller committed
386
387
``non-commercial use''.

388
Besides @command{lsh} there are few free implementations of the
389
@code{ssh-2} protocols. Since May 2000 it is supported also by
390
391
392
OpenSSH.


393
@node Kerberos, ipsec, ssh2, Related techniques
Niels Möller's avatar
Niels Möller committed
394
395
396
397
398
399
400
401
402
403
404
405
406
407
@comment  node-name,  next,  previous,  up
@subsection Kerberos

Kerberos is a key distribution system originally developed in the late
1980:s as a part of Project Athena at @acronym{MIT}. Recent development
have been done at The Royal Institute of Technology, Stockholm
(@acronym{KTH}).

Kerberos uses a central trusted ticket-granting server, and requires
less trust on the local machines in the system. It does not use
public-key technology.

Usually, Kerberos support is compiled into applications such as telnet,
ftp and X-clients. The ssh family of programs, on the other hand, tries
408
to do all needed magic, for instance to forward @acronym{X} securely, and then
409
provides general @acronym{TCP/IP} forwarding as a kitchen sink.
Niels Möller's avatar
Niels Möller committed
410

411
412
I believe Kerberos' and lsh's protection against passive eavesdropping
are mostly equivalent. The difference is in the set of machines and
413
414
assumptions you have to trust in order to be safe from a
man-in-the-middle attack.
Niels Möller's avatar
Niels Möller committed
415

416
I think the main advantage of @command{lsh} over Kerberos is that it is
Niels Möller's avatar
Niels Möller committed
417
418
419
easier to install and use for on ordinary mortal user. In order to set
up key exchange between two different Kerberos systems (or @dfn{Kerberos
realms}), the respective system operators need to exchange keys. In the
420
case of two random users at two random sites, setting up @command{lsh} or
421
some other program in the ssh family is likely easier than to get the
422
423
operators to spend time and attention. So @command{lsh} should be easier to
use in an anarchistic grass-roots environment.
Niels Möller's avatar
Niels Möller committed
424

425
Another perspective is to combine ssh features like @acronym{X} and
426
427
428
@acronym{TCP/IP} forwarding with authentication based on Kerberos. Such
an arrangement may provide the best of two worlds for those who happen
to have an account at a suitable ticket-granting server.
Niels Möller's avatar
Niels Möller committed
429

430
@node ipsec,  , Kerberos, Related techniques
Niels Möller's avatar
Niels Möller committed
431
432
433
@comment  node-name,  next,  previous,  up
@subsection @acronym{IPSEC}

434
435
436
@acronym{IPSEC} is a set of protocols for protecting general
@acronym{IP} traffic. It is developed by another @acronym{IETF} working
group, and is also a required part of @acronym{IP} version 6.
Niels Möller's avatar
Niels Möller committed
437

438
Again, the main difference between @acronym{IPSEC} and Kerberos and ssh
Niels Möller's avatar
Niels Möller committed
439
is the set of machines that have to be secure and the keys that have to
440
be exchanged in order to avoid man-in-the-middle attacks.
Niels Möller's avatar
Niels Möller committed
441
442
443
444
445
446
447
448
449
450
451
452
453
454

Current protocols and implementations of @acronym{IPSEC} only provide
authentication of machines; there's nothing analogous to the user
authentication in ssh or Kerberos.

On the other hand, @acronym{IPSEC} provides one distinct advantage over
application level encryption. Because @acronym{IP} and @acronym{TCP}
headers are authenticated, it provides protection against some
denial-of-service attacks. In particular, it makes attacks that cause
hangup of a @acronym{TCP} connection considerably more difficult.

So it makes sense to use both @acronym{IPSEC} and some application
level cryptographic protocol.

455
456
457
458
459
Also note that it is possible to use the @dfn{Point-to-Point Protocol}
(@acronym{PPP}) to tunnel arbitrary @acronym{IP} traffic accross an ssh
connection. This arrangement provides some of the functionality of
@acronym{IPSEC}, and is sometimes referred to as ``a poor man's Virtual
Private Network''.
Niels Möller's avatar
Niels Möller committed
460

461
462
463
464
@node Installation, Getting started, Introduction, Top
@comment  node-name,  next,  previous,  up
@chapter Installation

465
You install @command{lsh} with the usual @code{./configure && make &&
466
make install}. For a full listing of the options you can give to
467
@command{configure}, use @code{./configure --help}. For example, use
468
469
470
471
@option{--without-pty} to disable pty-support.

The most commonly used option is @option{--prefix}, which tells
configure where lsh should be installed. Default prefix is
472
@file{/usr/local}. The @command{lshd} server is installed in
473
474
475
@file{$prefix/sbin}, all other programs and scripts are installed in
@file{$prefix/bin}. 

476
The configure script tries to figure out if the linker needs any special
477
478
479
flags specifying where to find dynamically linked libraries at run time
(one case where this matters is if you have a dynamic libz.so installed
in a non -standard place). Usually, you can use
480

481
482
483
@example
./configure --with-lib-path=/opt/lib:/other/place
@end example
484

485
@noindent
486
487
to specify extra library directories, and the configure script should do
the right thing. If it doesn't work, or you believe that you know your
488
system better than @command{./configure}, just set LDFLAGS and/or
489
LD_LIBRARY_PATH to the right values instead.
490
491
492
493


@node Getting started, Invoking lsh, Installation, Top
@comment  node-name,  next,  previous,  up
494
495
@chapter Getting started
This section tells you how to perform some common tasks using the
496
@command{lsh} suite of programs, without covering all options and
497
498
499
500
501
502
503
504
505
possibilities.

@menu
* lsh basics::                  Connection with lsh
* tcpip forwarding::            Forwarding @acronym{TCP/IP} ports
* lshd basics::                 Starting the lshd deamon
* public-key::                  Using public-keys
* srp::                         Using SRP authentication
* sexp::                        Examining keys and other S-exp files.
506
* Converting keys::             
507
508
509
510
511
512
513
514
515
@end menu

@node lsh basics, tcpip forwarding, Getting started, Getting started
@comment  node-name,  next,  previous,  up
@section @command{lsh} basics

@command{lsh} is the program you use for connection to a remote machine. A
few examples are:

516
517
518
@example
lsh sara.lysator.liu.se
@end example
519

520
@noindent
521
522
523
524
525
526
Connects to @samp{sara.lysator.liu.se} and starts an interactive shell.
In this example, and in the rest of the examples in this section, lsh
will ask for your password, unless you have public-key user
authentication set up.

The first time you try to connect between two machines, @command{lsh}
527
528
typically complains about an ``unknown host key''. This is because it
has no reason to believe that it was the right machine that answered,
529
530
and not a machine controlled by the enemy (@pxref{Threats}). The default
behaviour is to never ever accept a server that is not properly
531
authenticated. A machine is considered authentic if it follows the
532
533
534
535
protocol and has its public hostkey listed in @file{~/.lsh/known_hosts}.

To make lsh less paranoid, use

536
537
538
@example
lsh --sloppy-host-authentication sara.lysator.liu.se
@end example
539

540
@noindent
541
542
543
544
545
546
547
548
Then @command{lsh} will display a @dfn{fingerprint} of the host key of the
remote machine, and ask you if it is correct. If so, the machine is
considered authentic and its key is appended to the file
@file{~/.lsh/captured_keys}. You can copy keys you have verified to
@file{~/.lsh/known_hosts}.

You can even use

549
550
551
@example
lsh --sloppy-host-authentication --capture-to ~/.lsh/known_hosts
@end example
552

553
@noindent
554
555
556
557
558
to get @command{lsh} to behave more like the traditional @command{ssh} program.

You can create fingerprints for the hostkeys you need regularly, and
keep with you (@pxref{sexp}).

559
560
561
@example
lsh -l omar sara.lysator.liu.se
@end example
562

563
@noindent
564
565
Connects, like above, but tries to log in as the user ``omar''.

566
567
568
@example
lsh sara.lysator.liu.se tar cf - some/dir | (cd /target/dir && tar -xf -)
@end example
569
570
571
572

Copies a directory from the remote machine, by executing one remote and
one local @command{tar} process and piping them together.

573
574
575
@example
CVS_RSH=lsh cvs -d sara.lysator.liu.se:/lysator/cvsroot co lsh
@end example
576

577
578
579
@noindent
Checks out the @command{lsh} source code from the @acronym{CVS}
repository.
580
581
582
583
584
585
586
587
588
589
590
591


@node  tcpip forwarding, lshd basics, lsh basics, Getting started
@comment  node-name,  next,  previous,  up
@section Port forwarding

One useful feature of @command{lsh} and other ssh-like programs is the
ability to forward arbitrary connections inside the encrypted
connection. There are two flavors: ``local'' and ``remote'' forwarding.

An example of local forwarding is

592
593
594
@example
lsh -L 4000:kom.lysator.liu.se:4894 sara.lysator.liu.se
@end example
595

596
@noindent
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
This makes @command{lsh} listen on port 4000 on the @emph{local} machine. When
someone connects, @command{lsh} asks the server to open a connection from
the @emph{remote} machine (i.e. @samp{sara}) to port 4894 on another machine
(i.e. @samp{kom}). The two connections are piped together using an
encrypted channel.

There are a few things that should be noted here:

@itemize @bullet
@item
By default, @command{lsh} only listens on the loopback interface, so only
clients on the same machine can use the tunnel. To listen on all
interfaces, use the @option{-g} flag.

@item
A connection through the tunnel consists of three parts:

@enumerate
@item
From a client socket to the local port (4000 in this example) that
@command{lsh} listens on.

@item
The tunnel itself, from the local machine to the tunnel endpoint,
which is @samp{sara} in this example.

@item
The connection from the tunnel endpoint to the ultimate target, in this
example from @samp{sara} to @samp{kom}.

@end enumerate
628

629
630
631
632
633
634
Only the middle part is protected by @command{lsh}: all data flowing
through the tunnel is sent across the first and last part @emph{in the
clear}. So forwarding doesn't offer much protection unless the tunnel
endpoint and the ultimate target machine are close to eachother. They
should usually be either the same machine, or two machines connected by
a local network that is trusted.
635
636
637
638
639
640
641
642

@item
Port forwarding is very useful for traversing firewalls. Of course, you
don't need to use lsh-style forwarding just to get out, there are other
tools like HTTPTunnel for that. But @command{lsh} helps you get out through
the firewall in a secure way.

@item
643
644
Port forwarding is done in addition to anything else @command{lsh} is
doing. In the example above, a tunnel is set up, but @command{lsh} will
645
646
647
also start an interactive shell for you. Just as if the @option{-L}
option was not present. If this is not what you want, the @option{-N} or
@option{-B} option is for you (@pxref{Invoking lsh})
648
649
650
651
652
@end itemize

Remote forwarding is similar, but asks the @emph{remote} machine to
listen on a port. An example of remote forwarding is

653
654
655
@example
lsh -g -R 8080:localhost:80 sara.lysator.liu.se
@end example
656

657
@noindent
658
This asks the remote machine to listen on port 8080 (note that you are
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
probably not authorized to listen on port 80). Whenever someone
connects, the connection is tunnelled to your local machine, and
directed to port 80 on the same machine. Note the use of @option{-g};
the effect is to allow anybody in the world to use the tunnel to connect
to your local webserver.

The same considerations that apply to forwarded local ports apply also to
forwarded remote ports.

At last, you can use any number of @option{-L} and @option{-R} options
on the same command line.


@node lshd basics, public-key, tcpip forwarding, Getting started
@comment  node-name,  next,  previous,  up
674
@section @command{lshd} basics
675
There are no global configuration files for @command{lshd}; all
676
configuration is done with command line options (@pxref{Invoking lshd}).
677

678
To run @command{lshd}, you must first create a hostkey, usually stored in
679
680
@file{/etc/lsh_host_key}. To do this, run

681
@example
682
lsh-keygen | lsh-writekey -o /etc/lsh_host_key
683
@end example
684

685
@noindent
686
This will also create a file @file{/etc/lsh_host_key.pub},
687
containing the corresponding public key. 
688
689
690

A typical command line for starting lshd in daemon mode is simply

691
692
693
@example
lshd --daemonic
@end example
694

695
696
697
698
You can find init script for @command{lshd} tailored for Debian's and
RedHat's GNU/Linux systems in the @file{contrib} directory. 

It is also possible to let @command{init} start @command{lshd}, by adding it in
699
700
@file{/etc/inittab}.

701
702
703
704
705
706
707
708
709
710
711
712

@node public-key, srp, lshd basics, Getting started
@comment  node-name,  next,  previous,  up
@section Using public-key user authentication

Public-key user authentication is a way to authenticate for login,
without having to type any passwords. There are two steps: Creating a
key pair, and authorizing the public key to the systems where you want
to log in.

To create a keypair, run

713
@example
714
lsh-keygen | lsh-writekey
715
@end example
716

717
@noindent
718
719
720
721
722
723
This can take some time, but in the end it creates two files
@file{~/.lsh/identity} and @file{~/.lsh/identity.pub}.

If you want to use the key to login to some other machine, say
@samp{sara}, you can do that by first copying the key,

724
725
726
@example
lsh sara.lysator.liu.se '>my-key.pub' <~/.lsh/identity.pub
@end example
727

728
@noindent
729
730
then authorizing it by executing, on @samp{sara},

731
732
733
@example
lsh-authorize my-key.pub
@end example
734
735
736
737
738
739

For security reasons, you should keep the private key
@file{~/.lsh/identity} secret. Anybody who can read that file will be
able to login in your name to any machine where the corresponding public
key is registered as an authorized key.

740
Naturally, you should also make sure not to authorize any keys but your
741
742
743
744
745
746
own. For instance, it is inappropriate to use an insecure mechanism such
as unauthenticated email, @code{ftp} or @code{http} to transfer your
public key to the machines where you want to authorize it.

If you have accounts on several systems, you usually create a single
keypair on each of the systems, and on each system you authorize some or
747
all of your other public keys for login.
748

749
750
751
752
753
Note that @command{lsh-writekey} does @emph{not} currently encrypt your
private key in any way. That means that you can lose it if a backup tape
gets into the wrong hands, and if you use NFS it will likely be sent in
the clear across your local network. To encrypt the key using a pass
phrase, give the @option{-c 3des} option to @command{lsh-writekey}.
754
755
756
757


@node srp, sexp, public-key, Getting started
@comment  node-name,  next,  previous,  up
758
@section Using @acronym{SRP} authentication
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774

The Secure Remote Password protocol is a fairly new protocol that
provides mutual authentication based on a password. To use it, you must
first choose a secret password. Next, you create a @dfn{password
verifier} that is derived from the password. The verifier is stored on
the target machine (i.e. the machine you want to log in to).

To create a verifier, you run the @command{srp-gen} program and type
your new password. You have to do it on either the target machine,
redirecting the output to ~/.lsh/srp-verifier, or you can generate it on
some other machine and copy it to the target.

The main advantage of using @acronym{SRP} is that you use the password
not only to get access to the remote machine, but you also use it to
authenticate the remote machine. I.e. you can use it to connect
securely, @emph{without} having to know any hostkeys or fingerprints
775
beforehand!
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810

For instance, you could connect using @acronym{SRP} to fetch the hostkey
fingerprint for the remote machine, as a kind of bootstrapping
procedure, and then use traditional authentication methods for further
connections.

For this to work, the verifier @emph{must} be kept @emph{secret}. If the
enemy gets your verifier, he can mount some attacks:

@itemize @bullet
@item
He can mount a @dfn{dictionary attack} on your password, i.e. generate a large
list of likely password and check if any of them matches yours.

@item
He can impersonate the server. That means that if you try to connect to
the remote machine using @acronym{SRP}, and the attacker can intercept
your connection (e.g. by attacking the name resolution or routing
system) he can successfully pretend to be the real server.
@end itemize

If you use @acronym{SRP} to get the hostkey or fingerprint for the
remote machine, as outlined above, the impersonation attack destroys
security, you could just as well connect the hostkey presented by the
remote server without verifying it at all.

If you use @acronym{SRP} exclusively, the situation seems somewhat
different. As far as I can see, an attacker knowing your verifier can
not mount a traditional man-in-the-middle-attack: He can play the
server's part when talking to you, but in order to play your part when
talking to the real server, he needs to know your password as well.

@acronym{SRP} support is disabled by default, but can be enabled by the
@option{--srp-keyexchange} option to @command{lshd} and @command{lsh}
(naturally, it won't be used unless enabled on both sides). At the time
811
812
813
of this writing, @acronym{SRP} is too new to be trusted by conservative
cryptographers (and remember that conservatism is a virtue when it comes
to security).
814
815

And even if @acronym{SRP} in itself is secure, the way @command{lsh}
816
integrates it into the @code{ssh} protocol has not had much peer review.
817
818
819
The bottom line of this disclaimer is that the @acronym{SRP} support in
@command{lsh} should be considered experimental.

820
821
822
823
824
As far as I know, using @acronym{SRP} as a host authentication mechanism
is not supported by any other @code{ssh} implementation. The protocol
@command{lsh} uses is described in the @file{doc/srp-spec.txt}.
Implementations that use @acronym{SRP} only as a user authentication
mechanism are not compatible with @command{lsh}.
825

826
@node sexp, Converting keys, srp, Getting started
827
@comment  node-name,  next,  previous,  up
828
@section Examining keys and other sexp files
829
830

Keys and most other objects @command{lsh} needs to store on disk are
831
represented as so called S-expressions or @dfn{sexps} for short.
832
S-expressions have their roots in the Lisp world, and a variant of them
833
in used in the Simple Public Key Infrastructure (@acronym{SPKI}).
834
835
836
Currently, @command{lsh}'s support for @acronym{SPKI} is quite limited,
but it uses @acronym{SPKI}'s formats for keys and Access Control Lists
(@acronym{ACL}:s).
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851

There are several flavours of the sexp syntax:

@itemize @bullet
@item
The canonical syntax is somewhere between a text and a binary format,
and is extremely easy for programs to read and write.

@item
The transport syntax, which is suitable when embedding sexps in text
files. It is essentially the canonical representation, encoded using
base64.

@item
The advanced syntax, which is intended for humans to read and write, and
852
bears some resemblance to Lisp expressions.
853
854
855
856
@end itemize

To see what your @file{~/.lsh/known_hosts} file really contains, try

857
858
859
@example
sexp-conv -i advanced < ~/.lsh/known_hosts
@end example
860
861
862
863
864

The @command{sexp-conv} program can also be used to computes
fingerprints. The fingerprint of a key (or any sexp, for that matter) is
simply the hash of its canonical representation. For example,

865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
@example
sexp-conv --raw-hash </etc/lsh_host_key.pub
@end example


@node  Converting keys,  , sexp, Getting started
@comment  node-name,  next,  previous,  up
@section Converting keys from @command{ssh2} and OpenSSH

If you are already using @command{ssh2} or OpenSSH, and have creating
one or more personal keypairs, you need to convert the public keys to
@command{lsh}'s format before you can authorize them. Use the supplied
@command{ssh-conv} script,

@example
ssh-conv <openssh-key.pub >new-key.pub
@end example

You can then use the usual @command{lsh-authorize} on the converted
884
keys. @command{ssh-conv} supports both @acronym{DSA} and @command{RSA} keys.
885

886
There are currently no tools for converting private keys.
887
888


889
890
@node Invoking lsh, Invoking lshd, Getting started, Top
@comment  node-name,  next,  previous,  up
891
@chapter Invoking @command{lsh}
892
@anchor{lsh-usage}
893

894
You use @command{lsh} to login to a remote machine. Basic usage is
895
896
897
898

@samp{lsh [-p @var{port number}] sara.lysator.liu.se}

which attempts to connect, login, and start an interactive shell on the
899
remote machine. Default @var{port number} is whatever your system's
900
@file{/etc/services} lists for @command{ssh}. Usually, that is port 22.
901

902
There is a plethora of options to @command{lsh}, to let you configure where
903
and how to connect, how to authenticate, and what you want to do once
904
905
906
properly logged in to the remote host. Many options have both long and
short forms. This manual does not list all variants; for a full listing
of supported options, use @samp{lsh --help}.
907

908
909
910
Note that for many of the options to @command{lsh}, the ordering of the
options on the command line is important.

911
@menu
912
913
914
915
916
* Algorithms: Algorithm options.  Selecting algorithms.
* Hostauth options::            
* Userauth options::            
* Actions: Action options.      What to do after login.
* Messages: Verbosity options.  Tuning the amount of messages.
917
918
919
920
921
922
@end menu

@node Algorithm options, Hostauth options, Invoking lsh, Invoking lsh
@comment  node-name,  next,  previous,  up
@section Algorithm options

923
Before a packet is sent, each packet can be compressed, encrypted
924
925
926
927
928
929
930
931
and authenticated, in that order. When the packet is received, it is
first decrypted, next it is checked that it is authenticated properly,
and finally it is decompressed. The algorithms used for this are
negotiated with the peer at the other end of the connection, as a part
of the initial handshake and key exchange.

Each party provides a list of supported algorithms, and the first
algorithm listed by the client, which is also found on the server's
932
933
934
935
936
937
938
939
940
941
942
list, is selected. Note that this implies that order in which algorithms
are listed on the server's list doesn't matter: if several algorithms
are present on both the server's and the client's lists, it's the
client's order that determines which algorithm is selected.

Algorithms of different types, e.g. data compression and message
authentication, are negotiated independently. Furthermore, algorithms
used for transmission from the client to the server are independent of
the algorithms used for transmission from the server to the client.
There are therefore no less than six different lists that could be
configured at each end.
943
944
945
946
947

The command line options for lsh and lshd don't let you specify
arbitrary lists. For instance, you can't specify different preferences
for sending and receiving.

948
There is a set of default algorithm preferences. When you use a command
949
950
951
952
953
954
line option to say that you want to use @var{algorithm} for one of the
algorithms, the default list is replaced with a list containing the
single element @var{algorithm}. For example, if you use @option{-c
arcfour} to say that you want to use @code{arcfour} as the encryption
algorithm, the connection will either end up using @code{arcfour}, or
algorithm negotiation will fail because the peer doesn't support
955
@code{arcfour}.
956

957
@multitable @columnfractions 0.1 0.2 0.2 0.5
958
959
960
961
@item Option
  @tab Algorithm type @tab Default @tab
@item @option{-z} @tab Data compression
  @tab @code{none}, @code{zlib}
962

963
964
  @tab The default preference list supports zlib compression, but
prefers not to use it. 
965

966
@item @option{-c} @tab Encryption
Niels Möller's avatar
Niels Möller committed
967
  @tab @code{3dec-cbc}, @code{blowfish-cbc}, @code{arcfour}
968
@code{arcfour}
969

970
  @tab The default encryption algorithm is triple-DES in CBC mode. This
971
seems to be the algorithm of choice among conservative cryptographers.
Niels Möller's avatar
Niels Möller committed
972
973
974
The default list includes only quite old and well studied algorithms.
There is a special algorithm name @code{all} to enable all supported
encryption algorithms (except @code{none}). 
975

976
977
@item @option{-m} @tab Message Authentication
  @tab @code{hmac-sha1}, @code{hmac-md5}
978

979
  @tab Both supported message authentication algorithms are of the
980
@acronym{HMAC} family.
981
982
@end multitable

983
984
As a special case, @option{-z} with no argument changes the compression
algorithm list to @code{zlib}, @code{none}, which means that you want to
985
986
987
use @code{zlib} if the other end supports it. This is different from
@option{-zzlib} which causes the negotiation to fail if the other end
doesn't support @code{zlib}. A somewhat unobvious consequence of
988
@option{-z} having an @emph{optional} argument is that if you provide an
989
990
argument, it must follow directly after the option letter, no spaces
allowed. 
991
992


993
994
995
996
@node Hostauth options, Userauth options, Algorithm options, Invoking lsh
@comment  node-name,  next,  previous,  up
@section Host authentication options

997
As described earlier (@pxref{Threats}), proper authentication of the
Niels Möller's avatar
Niels Möller committed
998
remote host is crucial to protect the connection against
999
man-in-the-middle attacks. By default, @command{lsh} verifies the server's
1000
claimed host key against the @dfn{Access Control Lists} in
Niels Möller's avatar
Niels Möller committed
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
@file{~/.lsh/known_hosts}. If the remote host cannot be authenticated,
the connection is dropped.

The options that change this behaviour are

@table @option
@item --host-db
Specifies the location of the @acronym{ACL} file.

@item --sloppy-host-authentication
1011
Tell @command{lsh} not to drop the connection if the server's key can not
1012
1013
be authenticated. Instead, it displays the fingerprint of the key, and
asks if it is trusted. The received key is also appended to the file
1014
@file{~/.lsh/captured_keys}. If run in quiet mode, @samp{lsh -q
1015
--sloppy-host-authentication}, @command{lsh} connects to any host, no
1016
1017
questions asked.

Niels Möller's avatar
Niels Möller committed
1018
@item --strict-host-authentication
1019
1020
Disable sloppy operation (this is the default behaviour).

Niels Möller's avatar
Niels Möller committed
1021
@item --capture-to
1022
Use some other file than @file{~/.lsh/captured_keys}. For example,
1023
1024
1025
1026
1027
1028

@example
lsh --sloppy-host-authentication --capture-to ~/.lsh/known_hosts
@end example

@noindent
1029
makes @command{lsh} behave more like the @command{ssh} program.
Niels Möller's avatar
Niels Möller committed
1030

1031
1032
1033
@item --srp-keyexchange
Try using @acronym{SRP} for keyexchange and mutual authentication.

Niels Möller's avatar
Niels Möller committed
1034
1035
@end table

1036
1037
1038
1039
@node Userauth options, Action options, Hostauth options, Invoking lsh
@comment  node-name,  next,  previous,  up
@section User authentication options

1040
1041
1042
1043
@table @option

@item -l
Provide a name to use when logging in. By default, the value of the
1044
@env{LOGNAME} environment variable is used.
1045
1046

@item -i
1047
Try the keys from this file to log in. By default, @command{lsh} uses
1048
1049
1050
1051
1052
1053
1054
1055
1056
@file{~/.lsh/identity}, if it exists. It ought to be possible to use
several @option{-i} options to use more than one file, but that is
currently not implemented.

@item --no-publickey
Don't attempt to log in using public key authentication.

@end table

1057
1058
1059
1060
@node Action options, Verbosity options, Userauth options, Invoking lsh
@comment  node-name,  next,  previous,  up
@section Action options

1061
There are many things @command{lsh} can do once you are logged in. There
1062
1063
1064
1065
1066
are two types of options that control this: @dfn{actions} and
@dfn{action modifiers}. For short options, actions use uppercase letters
and modifiers use lowercase.

For each modifier @option{--foo} there's also a negated form
1067
@option{--no-foo}. Options can also be negated by preceding it with the
1068
special option @option{-n}. This is mainly useful for negating short
1069
options. For instance, use @option{-nt} to tell @command{lsh} not to
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
request a remote pseudo terminal. Each modifier and its negation can be
used several times on the command line. For each action, the latest
previous modifier of each pair apply.

First, the actions:

@table @option

@item -L
Requests forwarding of a local port. This option takes mandatory
argument of the form
@var{listen-port}:@var{target-host}:@var{target-port}. This option tells
1082
1083
@command{lsh} to listen on @var{listen-port} on the local machine. When
someone conects to that port, @command{lsh} asks the remote server to open
1084
1085
a connection to @var{target-port} on @var{target-host}, and if it
succeeds, the two connections are joined together through an the
1086
@command{lsh} connection. Both port numbers should be given in decimal.
1087
1088
1089

@item -R
Requests forwarding of a remote port. It takes one mandatory argument,
1090
just like @option{-L}. But in this case @command{lsh} asks the
1091
1092
@emph{remote} server to listen on @var{listen-port}. When someone
connects to the remote hosts, the server will inform the local
1093
@command{lsh}. The local @command{lsh} then connects to @var{target-port} on
1094
1095
1096
@var{target-host}.

@item -E
1097
1098
This option takes one mandatory argument, which is a command line to be
executed on the remote machine.
1099
1100

@item -S
1101
Start an interactive shell on the remote machine. 
1102
1103
1104
1105

@item -G
Open a gateway on the local machine. A gateway is a local socket,
located under /tmp, that can be used for controlling and using the ssh
1106
connection. It is protected using the ordinary file permissions.
1107
1108
1109
1110

@item -N
This is a no-operation action. It inhibits the default action, which is
to start an interactive shell on the remote machine. It is useful if you
1111
want to set up a few forwarded tunnels or a gateway, and nothing more.
1112

Niels Möller's avatar
Niels Möller committed
1113
@item -B
1114
1115
Put the client into the background after key exchange and
user authentication. Implies @option{-N}
1116
1117
1118
1119
@end table

If there are trailing arguments after the name of the remote system,
this is equivalent to a @option{-E} option, with a command string
1120
1121
1122
1123
constructed by catenating all the remaining arguments, separated by
spaces. This implies that the arguments are usually expanded first by
the local shell, and then the resulting command string is interpreted
again by the remote system.
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134

If there are no trailing arguments after the name of the remote system,
and the @option{-N} option is not given, the default action is to start
a shell on the remote machine. I.e. this is equivalent to the
@option{-S} option.

There are a few supported modifiers:

@table @option

@item -t
1135
Request a pseudo terminal. @command{lsh} asks the remote system to allocate
1136
1137
a pseudo terminal. If it succeeds, the local terminal is set to raw
mode. The default behaviour is to request a pty if and only if the
1138
local @command{lsh} process has a controlling terminal. This modifier
1139
1140
1141
1142
1143
applies to actions that create remote processes, i.e. @option{-E} and
@option{-S}, as well as the default actions.

Currently, this option is ignored if there is no local terminal.

1144
1145
1146
1147
@item -x
Request @acronym{X} forwarding. Applies to the @acronym{-E} and
@option{S} and the default actions.

1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
@item --stdin
Redirect the stdin of a remote process from a given, local, file.
Default is to use @command{lsh}'s stdin for the first process, and
@file{/dev/null} for the rest. This option applies to the @option{-E}
and @option{-S} options as well as to the default actions. The option
applies to only one process; as soon as it is used it is reset to the
default.

@item --stdout
Redirect the stdout of a remote process to a given, local, file. Default
is to use @command{lsh}'s stdout. Like @option{--stdin}, it is reset
after it is used.

@item --stderr
Redirect the stdout of a remote process to a given, local, file.
Analogous to the @option{--stdout} option.

1165
@item -g
1166
Remote peers, aka global forwarding. This option applies to the
1167
1168
1169
1170
1171
forwarding actions, i.e. @option{-L} and @option{-R}. By default, only
connections to the loopback interface, ip 127.0.0.1, are forwared. This
implies that only processes on the same machine can use the forwarded
tunnel directly. If the -g modifier is in effect, the forwarding party
will listen on @emph{all} network interfaces.
1172
1173
1174

@end table

1175
1176
1177
1178
@node Verbosity options,  , Action options, Invoking lsh
@comment  node-name,  next,  previous,  up
@section Verbosity options

1179
These options determines what messages @command{lsh} writes on
1180
1181
1182
1183
1184
its stderr.

@table @option

@item -q
1185
Quiet mode. Disables all messages and all questions, except password
1186
1187
1188
prompts and fatal internal errors.

@item -v
1189
Verbose mode. Makes @command{lsh} a little more verbose. The intention is
1190
to provide information that is useful for ordinary trouble shooting,
1191
and makes sense also to those not familiar with @command{lsh} internals.
1192
1193
1194

@item --trace
Trace mode. Prints some internal information to aid tracking
1195
@command{lsh}'s flow of control.
1196
1197
1198
1199
1200
1201
1202

@item --debug.
Debug mode. Dumps @emph{a lot} of information, including dumps of all
sent and received packets. It tries to avoid dumping highly sensitive data,
such as private keys and the contents of @code{SSH_MSG_USERAUTH_REQUEST}
messages, but you should still use it with care.

1203
1204
1205
1206
@item --log-file
This option redirects all messages to a file. Takes one mandatory
argument: The name of that file.

1207
1208
@end table

1209
1210
1211
1212
Note that all these options are orthogonal. If you use @option{--trace},
you usually want to add @option{-v} as well; @option{--trace} does not
do that automatically.

1213
1214
@node Invoking lshd, Terminology, Invoking lsh, Top
@comment  node-name,  next,  previous,  up
1215
@chapter Invoking @command{lshd}
1216
@anchor{lshd-usage}
1217

1218
1219
1220
1221
1222
@command{lshd} is a server that accepts connections from clients
speaking the Secure Shell Protocol. It is usually started automatically
when the systems boots, and runs with root privileges. However, it is
also possible to start @command{lshd} manually, and with user
privileges.
1223

1224
There are currently no configuration files. Instead, command line options
1225
are used to tell @command{lshd} what to do. Many options have @option{--foo}
1226
1227
1228
and @option{--no-foo} variants. Options specifying the default behaviour
are not listed here.

1229
Some of the options are the shared with @command{lsh}. In particular, see
1230
1231
@ref{Algorithm options} and @ref{Verbosity options}.

1232
Options specific to the @command{lshd} server are:
1233
1234
1235
1236
1237
1238
1239
1240

@table @option

@item -p
Port to listen to. The mandatory argument is a decimal port number or a
service name. Default is "ssh", usually port 22.

@item --interface
1241
Network interface to listen on. By default, @command{lshd} listens on all
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
interfaces.

@item -h
Location of the server's private key file. By default,
@file{/etc/lsh_host_key}.

@item -i
Variant of the s-expression syntax to use when reading the host key.
Default is to use transport format. Not a terribly useful option.

@item --ssh1-fallback
1253
This options enables fallback to @command{ssh1}. @command{lshd} doesn't
1254
1255
1256
1257
implement version 1 of the Secure Shell Protocol. But it can fork an
@command{ssh1} server when an old client connects. Falling back to
@command{ssh1} is inefficient, and requires some special features of the
server fallen back to. It should work with the @command{sshd} daemon
1258
supplied with reasonably new versions of F-Secure's @command{sshd1},
1259
and with OpenSSH.
1260
1261

The optional argument provides the filename of the ssh1 daemon to use.
1262
1263
The default name is @file{/usr/local/sbin/sshd1}, unless something else
was configured at compile time.
1264
1265

@item --daemonic
1266
1267
1268
1269
Enables daemonic mode. @command{lshd} forks into the background,
redirects its stdio file descriptors to @file{/dev/null}, changes its
working directory to @file{/}, and redirects any diagnostic or debugging
messages via syslog.
1270

1271
1272
1273
@command{lshd} should be able to deal with the environment it inherits
if it is started by @command{init} or @command{inetd}, but this is not
really tested.
1274
1275
1276

@item --pid-file
Creates a locked pid file, to make it easier to write start and stop
1277
scripts for @command{lshd}. The mandatory argument provides the filename.
1278
1279
1280
1281
This option is enabled by default when operating in daemonic mode, and
the default filename is @file{/var/run/lshd.pid}.

@item --enable-core
1282
1283
By default, @command{lshd} disables core dumps, to avoid leaking sensitive
information. This option changes that behaviour, and allows @command{lshd}
1284
1285
1286
1287
1288
1289
1290
1291
to dump core on fatal errors.

@item --no-password
Disable the "password" user authentication mechanism. 

@item --no-publickey
Disable the "publickey" user authentication mechanism.

1292
@item --root-login
1293
Enable root login. By default, root can not log in using @command{lshd}.
1294

Niels Möller's avatar