SSH2(1)

NAME
ssh2, sshsession, rsa2ssh2 - encrypted login and copy with foreign systems via SSHv2
SYNOPSIS
ssh2 [ -adIiKkmrvx ] [ -l user ] [ -n dir ] [ -z attribute=value ] system [ cmd [ args ] ]
aux/sshsession [ -t ] [ -n namespace ] [ -R dir ] [ -r dir ] [ -s command ] [ -S srvpt ]
rsa2ssh2 [ file ]
DESCRIPTION
These programs collectively implement communication via SSH v2 over TCP. All of the encryption, authentication, and SSH protocol are handled by ssh(4).
Ssh2 dials a remote system and runs a shell (or some other command) there. For example,
     ssh2 root@hannibal
will result in a command prompt on the machine hannibal logged in as root. If ssh2 does not find an SSH server in /net, it runs netssh (see ssh(4)) to start one. Ssh2 dials the remote SSH server and negotiates session keys with it using Diffie-Hellman key exchange.
A clone file and connect message protocol similar to that of ip(3) creates a session in the established connection. In the course of session creation, ssh2 first attempts to authenticate the user with the server using public key authentication. If that fails, it prompts for a password, and attempts to authenticate with password authentication. It also passes across the value of the environment variable TERM as it would be set if ssh2 were run inside of vt(1).
Per con(1), typing a control-\ will result in a >>> prompt. There are
currently only four commands that can be issued at that prompt: c to
continue the session, h to print a list of the available commands, r to
toggle the suppression of carriage returns, and q to close the session.
Options are:
-a -v -x
No-ops included for compatibility with scp (see ssh1(1)).
-d Increase the amount of debugging output.
-i -I Sets ssh2 to interactive (-i) or non-interactive (-I) mode.
This determines whether the user is prompted for a password if
none is found in factotum. Without either of these options,
ssh2 uses interactive mode if run in a term window.
-k Skip the attempt to authenticate using public key authentication.
-K Don't fall back to password authentication. If the public key
authentication fails, ssh2 will exit.
-l Use user name on the remote system (deprecated).
-m Remove the special meaning of control-\. This is needed by scp
to prevent that character in files being copied from triggering
the special command mode.
-n Specify the network directory of an alternate network to use.
The default is /net.
-r Strip carriage return characters coming from the remote system.
This will normally be desired when running in a rio(1) window or
from within win(1) in acme(1). It is normally not used when
running ssh2 from within vt(1).
-z Specify attribute=value to select which of several possible keys (as held by factotum(4)) to use.
Server-side Daemon
Sshsession implements the server side of an SSH connection and is suitable for running by listen(8) or listen1; it is not normally run directly by the user. Like ssh2, it does all of its SSH communication through ssh(4). Sshsession starts a shell or a requested command when a remote system authenticates and requests a new connection and session.
A system-wide SSH listener can be run by creating a file /rc/bin/service.auth/ssh22 that invokes sshsession:
     #!/bin/rc
     # ssh22
     exec aux/sshsession $3 >>/sys/log/sshdebug >[2=1]
then ensuring that /rc/bin/cpurc contains
     netssh -s ssh
     aux/listen -t /rc/bin/service.auth -d /rc/bin/service ssh
When invoked with no options, sshsession runs as an SSH server.
Options are:
-n Use a namespace other than the default /lib/namespace when
starting the shell or running the requested command.
-r Run the SSH session in dir.
-R Like -r but also prevent any arguments, in the command to be
executed, from accessing files outside this directory; primarily
used to limit what scp can access.
-s Execute command instead of /bin/rc.
-S Create /srv/srvpt if an SSH server is not already mounted in
/net.
-t Trust sshsession and run it in the same namespace as the listen
that started it.
A private SSH listener can be run by starting netssh (see ssh(4)) then running listen1:
     if (! test -e /net/ssh) netssh -s ssh
     aux/listen1 -t 'ssh!*!2222' aux/sshsession
Keys
Rsa2ssh2 converts an RSA key to one suitable for use with SSH v2 on Unix systems. The following command will extract the public part of the key and add it to the authorized_keys file on a remote Unix system:
     grep 'proto=rsa' /mnt/factotum/ctl | rsa2ssh2 |
          ssh2 user@unix 'cat >>.ssh/authorized_keys'
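What the conversion above amounts to, shown here as an added Python example rather than rsa2ssh2's own C source: a factotum RSA key line in attribute=value form is reduced to its public part (the ek= exponent and n= modulus) and re-encoded as the ssh-rsa public key blob of RFC 4253 section 6.6, which is what a Unix authorized_keys line carries. The sample key line is constructed; the attribute names ek= and n= and their hex encoding are assumed to match factotum's output, the secret attributes (those beginning with !) are omitted since they must never leave factotum, and the 64-bit modulus is a toy value chosen with its top bit set so that the mpint padding rule of RFC 4251 is exercised.

```python
import base64
import struct

# Constructed sample: an RSA key line in factotum's attribute=value form.
# The ek= (public exponent) and n= (modulus) hex attributes are assumed to
# match what factotum prints; the secret !dk= etc. attributes are left out.
# The 64-bit modulus is a toy value for illustration, not a usable key.
SAMPLE_KEY = ("key proto=rsa service=ssh user=glenda size=64 "
              "ek=10001 n=d4c3b2a1f0e1d2c3")


def parse_factotum_key(line):
    """Turn 'key a=b c=d ...' into a dict of attribute -> value."""
    attrs = {}
    for tok in line.split():
        if "=" in tok:
            name, value = tok.split("=", 1)
            attrs[name] = value
    return attrs


def ssh_string(b):
    """RFC 4251 'string': uint32 big-endian length prefix, then the bytes."""
    return struct.pack(">I", len(b)) + b


def mpint(x):
    """RFC 4251 'mpint': big-endian two's complement of minimal length; a
    leading zero byte is added when the top bit would read as a sign bit."""
    if x == 0:
        return struct.pack(">I", 0)
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_to_ssh2(line, comment="plan9"):
    """Build the 'ssh-rsa <base64 blob> <comment>' authorized_keys line
    from a factotum RSA key line (RFC 4253 section 6.6 ssh-rsa format:
    string "ssh-rsa", mpint e, mpint n). Only public attributes are read."""
    attrs = parse_factotum_key(line)
    if attrs.get("proto") != "rsa":
        raise ValueError("not an RSA key")
    e = int(attrs["ek"], 16)
    n = int(attrs["n"], 16)
    blob = ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def decode_ssh2(pubkey_line):
    """Parse an ssh-rsa line back into (type, e, n), to check that the
    encoding round-trips to the numbers a Unix sshd would read."""
    blob = base64.b64decode(pubkey_line.split()[1])
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + length])
        off += length
    ktype, e, n = fields
    return ktype, int.from_bytes(e, "big"), int.from_bytes(n, "big")


if __name__ == "__main__":
    print(rsa_to_ssh2(SAMPLE_KEY))
```

Every ssh-rsa line begins with the same base64 prefix (AAAAB3NzaC1yc2E) because the blob always starts with the length-prefixed type string "ssh-rsa"; the leading zero byte that mpint inserts for a modulus with its top bit set is not optional, as a decoder would otherwise read the modulus as negative and reject the key.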
FILES
/sys/lib/ssh/keyring
System-wide known host public keys.
$home/lib/keyring
Per-user known host public keys.
/env/nosshkeyverify
SOURCE
/sys/src/cmd/ssh2
SEE ALSO
con(1), cpu(1), secstore(1), ssh1(1), vt(1), factotum(4), ssh(4), listen(8),
RFCs 4250, 4251, 4252, 4253, 4254, and 4419
BUGS
Sshsession shouldn't have to run as the host owner, and using factotum(4) correctly would permit this.
The SSH v2 protocol is a classic second system: over-engineered, overly
complicated, misdesigned and jammed full of pointless goodies.