Commit 12d50bd3 authored Nov 04, 2008 by Niels Möller
Initial updates for version 3.0.
Rev: doc/lsh.texinfo:1.46
parent 2ec8acc3
Showing 1 changed file with 36 additions and 23 deletions
doc/lsh.texinfo
...
...
@@ -19,10 +19,10 @@
@set AUTHOR Niels Möller
@ifinfo
Draft m
anual for LSH. This manual corresponds to @command
{
lsh
}
version
M
anual for LSH. This manual corresponds to @command
{
lsh
}
version
@value
{
UPDATED-FOR
}
.
Copyright 2000, 2004 @value
{
AUTHOR
}
Copyright 2000, 2004
, 2008
@value
{
AUTHOR
}
Permission is granted to make and distribute verbatim
copies of this manual provided the copyright notice and
...
...
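Review bot: Dropping "Draft" from the @ifinfo blurb looks premature while the same commit adds a bare "@comment XXX" marker in the host-authentication text near line 600 and the commit message calls these initial updates. Consider keeping "Draft" until those markers are resolved. The blurb also prints @value{UPDATED-FOR}, and no change to the corresponding @set line is visible here, so confirm it names 3.0 before the manual claims to correspond to that version.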
@@ -306,15 +306,14 @@ functionality.
@command
{
lsh
}
can also be used in something called gateway mode, in
which you can authenticate once and set up a connection that can
later be used for quickly setting up new sessions with @command
{
lshg
}
(@pxref
{
Invoking lshg
}
).
later be reused for quickly setting up new sessions.
@command
{
lsh
}
can be configured to allow login based on a personal
key-pair consisting of a private and a public key, so that you can
execute remote commands without typing your password every time.
There
is also experimental
support for Thomas Wu's Secure Remote Password
Protocol (@acronym
{
SRP
}
)
. Kerberos support is on the wish list but not
yet supported
(@pxref
{
Kerberos
}
).
execute remote commands without typing your password every time.
Kerberos support and
support for Thomas Wu's Secure Remote Password
Protocol (@acronym
{
SRP
}
)
is on the wish list but not yet supported
(@pxref
{
Kerberos
}
).
The public-key authentication methods should also be extended to support
Simple Public Key Infrastructure (@acronym
{
SPKI
}
) certificates,
...
...
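Review bot: The new sentence "Kerberos support and support for Thomas Wu's Secure Remote Password Protocol (SRP) is on the wish list" has a compound subject and needs "are", and the trailing @pxref{Kerberos} now reads as if it covered SRP as well. More important for readers, the removed text said SRP support existed as experimental, so moving it to the wish list hides a removal; say plainly that SRP authentication is not available in this version so anyone relying on it knows to switch to password or public-key login. The gateway sentence likewise drops the lshg cross-reference without saying how the connection is reused.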
@@ -324,23 +323,22 @@ Forwarding of arbitrary @acronym{TCP/IP} connections is provided. This
is useful for tunneling otherwise insecure protocols, like telnet and
pop, through an encrypted @command
{
lsh
}
connection.
@command
{
lsh
}
also features a @acronym
{
SOCKS
}
-proxy which also
provides tunneling of @acronym
{
TCP/IP
}
connections, but can be easily
used, e.g. from within popular web browsers like Mozilla and Firefox
for tunneling web traffic. There are also programs lik
e
@command
{
tsocks
}
that performs transparent redirection of network
access through a @acronym
{
SOCKS
}
proxy.
@command
{
lsh
}
also features a @acronym
{
SOCKS
}
-proxy which also
provides
tunneling of @acronym
{
TCP/IP
}
connections, but without specifying the
remote targets in advance. E.g., web browsers like Firefox can be
configured to use @acronym
{
SOCKS
}
for tunneling web traffic. There ar
e
also programs like @command
{
tsocks
}
that performs transparent
redirection of network
access through a @acronym
{
SOCKS
}
proxy.
Convenient tunneling of @acronym
{
X
}
was one of the most impressive
features of the original @command
{
ssh
}
programs. Both @command
{
lsh
}
and
@command
{
lshd
}
support @acronym
{
X
}
-forwarding, although @command
{
lshg
}
does not.
@command
{
lshd
}
support @acronym
{
X
}
-forwarding.
Whan @acronym
{
X
}
forwarding is in effect, the remote process is started
in an environment where the @env
{
DISPLAY
}
variable in the environment
points to a fake @acronym
{
X
}
server, connections to which are forwarded
to the @acronym
{
X
}
server in your local environment. @command
{
lsh
}
also
creates a new ``fake'' @samp
{
MIT-MAGIC-COOKIE-1
}
for
controlling
access
creates a new ``fake'' @samp
{
MIT-MAGIC-COOKIE-1
}
for access
control. Your real @acronym
{
X
}
authentication data is never sent to the
remote machine.
...
...
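Review bot: The rewritten SOCKS paragraph keeps two wording slips: "also features a SOCKS-proxy which also provides" doubles "also", and "programs like tsocks that performs" should be "perform". The unchanged context line just below, "Whan X forwarding is in effect", still has the typo "Whan" and is worth fixing while this paragraph is being touched. In the X-forwarding sentence, "Both lsh and lshd support X-forwarding." is fine once the lshg clause is gone.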
@@ -441,7 +439,7 @@ assumptions you have to trust in order to be safe from a
man-in-the-middle attack.
I think the main advantage of @command
{
lsh
}
over Kerberos is that it is
easier to install and use for
o
n ordinary mortal user. In order to set
easier to install and use for
a
n ordinary mortal user. In order to set
up key exchange between two different Kerberos systems (or @dfn
{
Kerberos
realms
}
), the respective system operators need to exchange keys. In the
case of two random users at two random sites, setting up @command
{
lsh
}
or
...
...
@@ -497,8 +495,19 @@ make install}. For a full listing of the options you can give to
The most commonly used option is @option
{
--prefix
}
, which tells
configure where lsh should be installed. Default prefix is
@file
{
/usr/local
}
. The @command
{
lshd
}
server is installed in
@file
{$
prefix
/
sbin
}
, all other programs and scripts are installed in
@file
{$
prefix/bin
}
.
@file
{$
prefix
/
sbin
}
, various helper programs are installed in
@file
{$
prefix/libexec
}
, and all other programs and scripts are
installed in @file
{$
prefix
/
bin
}
.
Note that by default, all lsh
-
related files are stored under
@file
{
prefix
}
@, including configuration files, and the host key and
seed file used by the server. You may want to use
@example
.
/
configure
--
sysconfdir
=/
etc
--
localstatedir
=/
var
@end example
@noindent
to place these files on the root and @file
{
/
var
}
partitions.
The configure script tries to figure out if the linker needs any special
flags specifying where to find dynamically linked libraries at run time
...
...
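Review bot: In the added note, "@file{prefix}@, including configuration files" has two markup problems as shown: the path lacks the "$" used by "@file{$prefix/sbin}" and "@file{$prefix/libexec}" in the same paragraph, and "@," is Texinfo's cedilla accent command rather than a plain comma. Write it as "@file{$prefix}, including". Since the note is about where the server's host key and seed file end up, it would help to name the default directories explicitly, so an administrator can check their ownership and permissions without reading the configure output.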
@@ -540,14 +549,16 @@ possibilities.
Several of the lsh programs requires a good pseudorandomness generator
for secure operation. The first thing you need to do is to create a
seed file for the generator. T
o create a
personal seed file, stored as
@file
{
~/.lsh/yarrow-seed-file
}
,
run
seed file for the generator. T
he
personal seed file, stored as
@file
{
~
/
.lsh
/
yarrow
-
seed
-
file
}
,
is created by
@example
lsh
-
make
-
seed
@end example
To create a seed file for use by @command
{
lshd
}
, run
Client programs that need the pseudorandomness generator will offer to
run this command for you, if the seed file doesn't exist. To create a
seed file for use by @command
{
lshd
}
, run
@example
lsh
-
make
-
seed
--
server
...
...
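Review bot: The context sentence "The first thing you need to do is to create a seed file" now conflicts with the added "Client programs that need the pseudorandomness generator will offer to run this command for you, if the seed file doesn't exist". State whether running lsh-make-seed by hand is still required or merely optional, and document what a client does when the user declines the offer, since the paragraph opens by saying a good generator is required for secure operation. The unchanged first line also has "programs requires", which should be "require".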
@@ -589,6 +600,8 @@ To make lsh less paranoid, use
lsh
--
sloppy
-
host
-
authentication sara.lysator.liu.se
@end example
@comment XXX
@noindent
Then @command
{
lsh
}
will display a @dfn
{
fingerprint
}
of the host key of
the remote machine, and ask you if it is correct. If so, the machine is
...
...
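Review bot: "@comment XXX" after the --sloppy-host-authentication example gives no hint of what still needs revising. Replace it with a comment that names the open issue (for example, whether the described fingerprint prompt still matches the 3.0 behaviour), so the marker can be resolved and removed before release. As it stands, a reader of the source cannot tell whether the following paragraph on accepting host-key fingerprints is considered accurate.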