SSH2(1)                                                   SSH2(1)

     NAME
          ssh2, sshsession, rsa2ssh2 - encrypted login and copy with
          foreign systems via SSHv2

     SYNOPSIS
          ssh2 [ -adIiKkmrvx ] [ -l user ] [ -n dir ] [ -z
          attribute=value ] system [ cmd [ args ] ]

          aux/sshsession [ -t ] [ -n namespace ] [ -R dir ] [ -r dir ]
          [ -s command ] [ -S srvpt ]

          rsa2ssh2 [ file ]

     DESCRIPTION
          These programs collectively implement communication via SSH
          v2 over TCP.  All of the encryption, authentication, and SSH
          protocol are handled by ssh(4).

          Ssh2 dials a remote system and runs a shell (or some other
          command) there.  `ssh2 root@hannibal' will result in a com-
          mand prompt on the machine hannibal logged in as root.  If
          ssh2 does not find an SSH server in /net, it runs netssh
          (see ssh(4)) to start one.  Ssh2 dials the remote SSH server
          and exchanges encryption keys with the server using Diffie-
          Hellman key exchange.

          A clone file and connect message protocol similar to that of
          ip(3) creates a session in the established connection.  In
          the course of session creation, ssh2 first attempts to
          authenticate the user with the server using public key
          authentication.  If that fails, it prompts for a password,
          and attempts to authenticate with password authentication.
          It also passes across the value of the environment variable
          TERM as would be set if ssh2 is run inside of vt(1).

          Per con(1), typing a control-\ will result in a >>> prompt.
          There are currently only four commands that can be issued at
          that prompt: c to continue the session, h to print a list of
          the available commands, r to toggle the suppression of car-
          riage returns, and q to close the session.

          Options are:

          -a -v -x
                No-ops included for compatibility with scp (see
                ssh1(1)).
          -d    Increase the amount of debugging output.
          -i -I Sets ssh2 to interactive (-i) or non-interactive (-I)
                mode.  This determines whether the user is prompted
                for a password if none is found in factotum.  Without

     Page 1                       Plan 9            (printed 12/21/24)

     SSH2(1)                                                   SSH2(1)

                either of these options, ssh2 uses interactive mode if
                run in a term window.
          -k    Skip the attempt to authenticate using public key
                authentication.
          -K    Don't fall back to password authentication.  If the
                public key authentication fails, ssh2 will exit.
          -l    Use user name on the remote system (deprecated).
          -m    Remove the special meaning of control-\.  This is
                needed by scp to prevent that character in files being
                copied from triggering the special command mode.
          -n    Specify the network directory of an alternate network
                to use.  The default is /net.
          -r    Strip carriage return characters coming from the
                remote system.  This will normally be desired when
                running in a rio(1) window or from within win(1) in
                acme(1). It is normally not used when running ssh2
                from within vt(1).
          -z    Used to specify which of several possible keys to use.

        Server-side Daemon
          Sshsession implements the server side of an SSH connection
          and is suitable for running by listen(8) or listen1; it is
          not normally run directly by the user.  Like ssh2, it does
          all of its SSH communication through ssh(4). Sshsession
          starts a shell or a requested command when a remote system
          authenticates and requests a new connection and session.

          A system-wide SSH listener can be run by creating a file
          /rc/bin/service.auth/ssh22 that invokes sshsession:

               #!/bin/rc
               # ssh22
               exec aux/sshsession $3 >>/sys/log/sshdebug >[2=1]

          then ensuring that /rc/bin/cpurc contains

               netssh -s ssh
               aux/listen -t /rc/bin/service.auth -d /rc/bin/service ssh

          When invoked with no options, sshsession runs as an SSH
          server.  Options are:

          -n  Use a namespace other than the default /lib/namespace
              when starting the shell or running the requested com-
              mand.
          -r  Run the SSH session in dir.
          -R  Like -r but also prevent any arguments, in the command
              to be executed, from accessing files outside this direc-
              tory; primarily used to limit what scp can access.
          -s  Execute command instead of /bin/rc.
          -S  Create /srv/srvpt if an SSH server is not already
              mounted in /net.

     Page 2                       Plan 9            (printed 12/21/24)

     SSH2(1)                                                   SSH2(1)

          -t  Trust sshsession and run it in the same namespace as the
              listen that started it.

          A private SSH listener can be run by starting netssh (see
          ssh(4)) then running listen1:

               if (! test -e /net/ssh) netssh -s ssh
               aux/listen1 -t 'ssh!*!2222' aux/sshsession

        Keys
          Rsa2ssh2 converts an RSA key to one suitable for use with
          SSH v2 on Unix systems.  The following command will extract
          the public part of the key and add it to the authorized_keys
          file on a remote Unix system:

               grep 'proto=rsa' /mnt/factotum/ctl | rsa2ssh2 |
                    ssh2 user@unix 'cat >>.ssh/authorized_keys'

     FILES
          /sys/lib/ssh/keyring  System-wide known host public keys.
          $home/lib/keyring     Per-user known host public keys.
          /env/nosshkeyverify

     SOURCE
          /sys/src/cmd/ssh2

     SEE ALSO
          con(1), cpu(1), secstore(1), ssh1(1), vt(1), factotum(4),
          ssh(4), listen(8),
          RFCs 4250, 4251, 4252, 4253, 4254, and 4419

     BUGS
          Sshsession shouldn't have to run as the host owner and using
          factotum(4) correctly would permit this.

          The SSH v2 protocol is a classic second system: over-
          engineered, overly complicated, misdesigned and jammed full
          of pointless goodies.

     Page 3                       Plan 9            (printed 12/21/24)