
2 April 2003, 17:00:47 The Complete FreeBSD (netclient.mm), page 415
24
Basic network access: clients
In this chapter:
• The World Wide Web
• Web browsers
• ssh
• Access without a password
• ssh tunnels
• Configuring ssh
• Troubleshooting ssh connections
• telnet
• Copying files
• scp
• ftp
• sftp
• rsync
• Using an rsync server
• The Network File System
• NFS client
• NFS strangenesses
Finally we have set up the network connections, and everything is working. What can we do with the network? In this part of the book, we’ll take a look at some of the more important services that make up the application layer.
The Internet protocols perform most services with a pair of processes: a client at one end of the link that actively asks for services, and a server at the other end of the link that responds to requests and performs the requested activity. These terms are also used to describe computer systems, but here we’re talking about processes, not systems. In this chapter, we’ll look at the client side of things, and in Chapter 25, Basic network access: servers, we’ll look at the corresponding servers.
Probably the single most important network service is the Hypertext Transfer Protocol or HTTP, the service that web browsers use to access the Web. We’ll look at web browsers in the next section.
The next most important service is probably the Simple Mail Transfer Protocol or SMTP, the primary service for sending mail round the Internet. There’s also the Post Office Protocol or POP, which is used by systems unable to run SMTP. This topic is so important that we’ll devote Chapters 26 and 27 to it.
To use a remote machine effectively, you need better access than such specialized servers can give you. The most powerful access is obviously when you can execute a shell on the remote machine; that gives you effectively the same control over the machine as you have over your local machine. A number of services are available to do this. In the olden days, you would use telnet or rlogin to log into another machine. These programs are still with us, but security concerns make them effectively useless outside a trusted local network. We’ll look at them briefly on page 428.
netclient.mm,v v4.12 (2003/04/02 03:42:50) 415
The preferred replacement is ssh, which stands for secure shell. In fact, it’s not a shell at all, it’s a service to communicate with a remote shell. It encrypts the data sent over the network, thus making it more difficult for crackers to abuse. We’ll look at it in detail on page 417.
Another important service is the ability to move data from one system to another. There are a number of ways of doing this. The oldest programs are rcp and ftp. These programs have the same security concerns as telnet and rlogin, though ftp still has some uses. More modern copying programs use scp, which is based on ssh. We’ll look at file copy programs on page 429. In addition, rsync is a useful program for maintaining identical copies of files on different systems. We’ll look at it on page 435.
A somewhat different approach is the Network File System or NFS, which mounts file systems from another machine as if they were local. We’ll look at NFS clients on page 438.
The World Wide Web
For the vast majority of the public, the Internet and the World Wide Web are the same thing. FreeBSD is an important contender in this area. Some of the world’s largest web sites, including Yahoo! ( ) run FreeBSD. Even Microsoft runs FreeBSD on its Hotmail service ( ), though they have frequently denied it, and for image reasons they are moving to their own software.
Web browsers
A web browser is a program that retrieves documents from the Web and displays them. The base FreeBSD system does not include a web browser, but a large number are available in the Ports Collection. All web browsers seem to have one thing in common: they are buggy. They frequently crash when presented with web pages designed for Microsoft, and in other cases they don’t display the page correctly. In many cases this is due to poorly designed web pages, of course.
Currently, the most important web browsers are:
• netscape was once the only game in town, but it’s now showing its age. In addition, many web sites only test their software with Microsoft, and their bugs cause problems with netscape.
• mozilla is derived from the same sources as netscape, but comes in source form. It has now reached the stage where it is less buggy than netscape. A number of other browsers, such as galeon and skipstone, are based on mozilla. They’re all available in the Ports Collection. galeon is included in the instant-workstation port described in Chapter 6.
• konqueror is included with the KDE port.
• Opera is a new browser that some people like. The version in the Ports Collection is free, but it makes up for it by giving you even more advertisements than the web pages give you anyway. You can buy a version that doesn’t display the advertisements.
• lynx is a web browser for people who don’t use X. It displays text only.
You may note two omissions from this list. Microsoft’s Internet Explorer is not available for FreeBSD. Not many people have missed it. Also, mosaic, the original web browser, is now completely obsolete, and it has been removed from the Ports Collection.

In addition to these browsers, StarOffice and OpenOffice include integrated browsers. You may find you prefer them.
This book does not deal with how to use a web browser: just about everybody knows how to use one. You can also get help from just about any browser; just click on the text or icon marked Help or ?.
ssh
ssh is a secure shell, a means of executing programs remotely using encrypted data transfers. There are a number of different implementations of ssh: there are two different protocols, and the implementations are complicated both by bugs and license conditions. FreeBSD comes with an implementation of ssh called OpenSSH, originally developed as part of the OpenBSD project.
Using ssh is simple:
$ ssh freebie
The authenticity of host ’freebie.example.org (223.147.37.1)’ can’t be established.
DSA key fingerprint is 08:f7:c4:14:48:0b:14:06:0e:2c:93:4b:1f:f6:ce:b5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ’freebie.example.org’ (DSA) to the list of known hosts.
’s password: as usual, doesn’t echo
Last login: Mon May 13 14:21:11 2002
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 5.0-RELEASE (FREEBIE) #3: Sun Jan 5 13:25:02 CST 2003
Welcome to FreeBSD!
$ tty
/dev/ttyp3
$
Once you get this far, you are connected to the machine in almost the same manner as if you were directly connected. This is particularly true if you are running X. As the output of the tty command shows, your ‘‘terminal’’ is a pseudo-tty or pty (pronounced ‘‘pity’’). This is the same interface that you have with an xterm.

It’s worth looking in more detail at how the connection is established:
• The first line (The authenticity...) appears once ssh has established preliminary contact with the remote system. It indicates that you’re connected, but that the local system has no information about the remote system. Theoretically you could be connected to a different machine masquerading as the machine you want to connect to. ssh saves the fingerprint in ˜/.ssh/known_hosts and checks it every time you connect to that machine thereafter.
• The reference to DSA keys indicates that ssh is using the ssh Version 2 protocol. We’ll look at the differences between the protocols below.
• The password prompt is for the same password as you would see locally. The slightly different format is to clarify exactly which password you should enter. Again, a number of exploits are possible where you might find yourself giving away a password to an intruder, so this caution is justified.
When you log in via ssh, there’s a chance that your TERM environment variable is set incorrectly. See table 7-3 on page 130 for more details. Remember that TERM describes the display at your end of the link. There is no display at the other end, but the other end needs to know the termcap parameters for your display. If you’re running an xterm, this shouldn’t be a problem: the name xterm propagates to the other end. If you’re using a character-oriented display (/dev/ttyvx), however, your TERM variable is probably set to cons25, which many systems don’t know. If you have problems where systems refuse to start full-screen modes when you connect from a virtual terminal, try setting the TERM variable to ansi.
To exit ssh, just log out. If you run into problems, however, like a hung network, you can also hit the combination Enter ˜. Enter, which always drops the connection.
Access without a password
Sending passwords across the Net, even if they’re encrypted, is not a complete guarantee that nobody else can get in: there are a number of brute-force ways to crack an encrypted password. To address this issue, ssh has an access method that doesn’t require passwords: instead it uses a technique called public key cryptography. You have two keys, one of which you can give away freely, and the other of which you guard carefully. You can encrypt or decrypt with either key: data encrypted with the public key can be decrypted with the private key, and data encrypted with the private key can be decrypted with the public key.
Once you have these keys in place, you can use the challenge-response method for authentication. To initiate an ssh connection, ssh sends your public key to the sshd process on the remote system. The remote system must already have a copy of this key. It uses it to encrypt a random text, a challenge, which it sends back to your system. The ssh process on your system decrypts it with your private key, which is not stored anywhere else, and sends the decrypted key back to the remote sshd. Only your system can decode the challenge, so this is evidence to the remote sshd that it’s really you.
By default, the private key for Version 1 of the protocol is stored in the file ˜/.ssh/identity, and the public key is stored in the file ˜/.ssh/identity.pub. For Version 2, you have a choice of two different encryption schemes, DSA and RSA. The corresponding private and public keys are stored in the files ˜/.ssh/id_dsa, ˜/.ssh/id_dsa.pub, ˜/.ssh/id_rsa and ˜/.ssh/id_rsa.pub respectively. If you have the choice between DSA keys and RSA keys for protocol Version 2, use DSA keys, which are considered somewhat more secure. You still should have an RSA key pair in case you want to connect to a system that doesn’t support DSA keys.
There’s still an issue of unauthorized local access, of course. To ensure that somebody doesn’t compromise one system and then use it to compromise others, you need a kind of password for your private keys. To avoid confusion, ssh refers to it as a passphrase. If ssh finds keys in the ˜/.ssh directory, it attempts to use them:
$ ssh hub
Enter passphrase for key ’/home/grog/.ssh/id_rsa’: (no echo)
Last login: Sat Jul 13 17:27:33 2002 from wantadilla.lemis
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 5.0-STABLE (HUB) #7: Thu Jun 26 12:44:34 PDT 2003
(etc)
Creating and distributing keys
You create keys with the program ssh-keygen. Here’s an example of generating all three keys:
$ ssh-keygen -t rsa1
Generating public/private rsa1 key pair.
Enter file in which to save the key (/home/grog/.ssh/identity): (ENTER pressed)
Enter passphrase (empty for no passphrase): (no echo)
Enter same passphrase again: (no echo)
Your identification has been saved in /home/grog/.ssh/identity.
Your public key has been saved in /home/grog/.ssh/identity.pub.
The key fingerprint is:
02:20:1d:50:78:c5:7c:56:7b:1d:e3:54:02:2c:99:76
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/grog/.ssh/id_rsa): (ENTER pressed)
Enter passphrase (empty for no passphrase): (no echo)
Enter same passphrase again: (no echo)
Your identification has been saved in /home/grog/.ssh/id_rsa.
Your public key has been saved in /home/grog/.ssh/id_rsa.pub.
The key fingerprint is:
95:d5:01:ca:90:04:7d:84:f6:00:32:7a:ea:a6:57:2d
$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/grog/.ssh/id_dsa): (ENTER pressed)
Enter passphrase (empty for no passphrase): (no echo)
Enter same passphrase again: (no echo)
Your identification has been saved in /home/grog/.ssh/id_dsa.
Your public key has been saved in /home/grog/.ssh/id_dsa.pub.
The key fingerprint is:
53:53:af:22:87:07:10:e4:5a:2c:21:31:ec:29:1c:5f
Before you can use these keys, you need to get the public keys on the remote site in the file ˜/.ssh/authorized_keys. Older versions of ssh used a second file, ˜/.ssh/authorized_keys2, for protocol Version 2, but modern versions store all the keys in the one file ˜/.ssh/authorized_keys. There are a number of ways to get the keys in these files. If you already have access to the machine (via password-based authentication, for example), you can put them there yourself. Typically, though, you’ll have to get somebody else involved. To make it easier, the public keys are in ASCII, so you can send them by mail. The three public keys generated above look like this:
1024 35 1101242842742748033454498238668225412306578450520406221165673293206460199556
751223553035331118710873315456577313425763305854786629592671460454493321979564518976
839276314768175285909667395039795936492323578351726210382756436676090411475643317216
92291413130012157442638303275673247163400686283060339457790686649
e.org
ssh-dss AAAAB3NzaC1kc3MAAACBAIltWeRXnqD9HqOLn5kugPSWHicJiu1r0I9dHg8F5m2PpmupyRYSmDzs
cAcsxifo50+1yXk3Vf4P1+EDsAwkyqFlujuMVeKoTYcOi1yrnLDWIDiAeIzt1BQ6ONwbXqxwWKCq1eo1tXxO
rTxw84VboHUuq4XFdt+yPJs8QdxLhj+jAAAAFQC1JL+tU19+UR+c45JGom6ae29d7wAAAIAvNgdN6rTitMjD
CglN7Rq3/8WgI1kzh20XURbCe1n2yYsFifcImKb0sUYD2qsB5++gogzsse2IxyIECRCuyCOOFXIQ7WqkvjTp
/T+fuwGPIlho8eeNDRKKABUhHjkuApnoYLIC1O5uyciJ+dIbGaRtGFJr0da7KlkjOLkiv3sR1gAAAIAwgKfW
sRSQJyRZTkKGIHxn3EWTvSicnIRYza+HTaMuMFHMTkNMZBjhei6EoCFpV9B1QB9MlIZgf6WXM2DlmtdUbpm7
KFA669/LZT2LvxbtGP/B++7s0PMs0AgKrKgUxnhVweufMZlPvPPPOz4QS1ZZ5kYhN+lu0S8yuioXYNlDtA==
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1/W3oa1ZEs58KRWMzsrZWMXzPfwoqQ+Z59p6SJlzhevsXG1P
AVWra2wcRz1utKFBjkDpJfEe+09L7h8VAx1aYCHji50tKI8F8YT8OuWGH+UqF/37Wl292SsXsb8g80yyymSf
xgOM/HegvOuHQu46MfaPj9ddfcgY06z3ufcmXts=
In the original, each key is on a single line.
Obviously you don’t want anybody messing with your authorized_keys files, so ssh requires that the files belong to you and are only writeable by you. These two files typically contain multiple keys; to add a new one, just append it to the end of the file. For example, if you receive a new key and store it in the file newkey, copy it like this:
$ cat newkey >> ˜/.ssh/authorized_keys
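Appending with cat works, but it accepts whatever is in newkey and leaves the file modes to chance. The shell functions below are an added example, not code from the book, that do the same append while checking what ssh will later insist on: the line is a public key in either the protocol 1 form (bits exponent modulus) or the protocol 2 form (ssh-rsa or ssh-dss followed by the key data), ˜/.ssh is mode 700, authorized_keys is mode 600, and a key already listed is not appended a second time even if its trailing comment differs. The function names, the scratch directory and the key material in the demonstration are constructed for this example.

```shell
#!/bin/sh
# add_authorized_key KEYFILE [SSHDIR]
# Append the public key in KEYFILE to SSHDIR/authorized_keys (SSHDIR defaults
# to $HOME/.ssh), refusing malformed lines and duplicate keys, and setting the
# modes that ssh requires before it will trust the file.
add_authorized_key() {
    keyfile=$1
    sshdir=${2:-$HOME/.ssh}
    authkeys=$sshdir/authorized_keys

    keyline=$(head -n 1 "$keyfile") || return 1
    set -- $keyline
    case $1 in
        ssh-rsa|ssh-dss) blob=$2 ;;      # protocol 2: "type base64data [comment]"
        [0-9]*)          blob=$3 ;;      # protocol 1: "bits exponent modulus [comment]"
        *) echo "add_authorized_key: $keyfile: not a public key line" >&2; return 1 ;;
    esac
    if [ -z "$blob" ]; then
        echo "add_authorized_key: $keyfile: no key data" >&2
        return 1
    fi

    # ssh ignores the file if it or its directory is writable by anybody
    # else, so set the modes every time instead of assuming they are right.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$authkeys" && chmod 600 "$authkeys" || return 1

    # The comment at the end of a key may differ between copies; compare the
    # key material itself (second field for protocol 2, third for protocol 1).
    if awk -v blob="$blob" '$2 == blob || $3 == blob { found = 1 } END { exit !found }' "$authkeys"; then
        echo "add_authorized_key: key already present in $authkeys" >&2
        return 0
    fi
    printf '%s\n' "$keyline" >> "$authkeys"
}

# count_authorized_keys [SSHDIR]: number of key lines in authorized_keys.
count_authorized_keys() {
    f=${1:-$HOME/.ssh}/authorized_keys
    [ -f "$f" ] || { echo 0; return 0; }
    grep -c . "$f" || true
}

# Demonstration with a constructed key in a scratch directory; it never
# touches the real ~/.ssh.
demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAexampleKEYdata/forTHISdemoONLY== grog@andante.example.org\n' > "$demo/newkey"
add_authorized_key "$demo/newkey" "$demo/.ssh"
add_authorized_key "$demo/newkey" "$demo/.ssh"      # second copy is skipped
echo "keys in $demo/.ssh/authorized_keys: $(count_authorized_keys "$demo/.ssh")"
```

Run it as a script, or source it and call add_authorized_key newkey to add to your own ˜/.ssh/authorized_keys; a key you did not expect to receive should still be checked against its sender by fingerprint before you add it.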
Authenticating automatically
Having to supply the passphrase can become a nuisance and even a serious problem. If you want to run ssh from scripts, it may not even be possible to supply the passphrase. ssh has another feature available here: it has an authentication agent that keeps track of the keys.
The authentication agent is called ssh-agent, and you add keys with ssh-add. Due to the manner in which it is started, ssh-agent needs to be the ancestor of the shell you are running, and of the ssh-add command. Otherwise you see error messages like this:
$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-cwT9aBbV/agent.42902; export SSH_AUTH_SOCK;
SSH_AGENT_PID=42903; export SSH_AGENT_PID;
echo Agent pid 42903;
$ ssh-add
Could not open a connection to your authentication agent.
To solve this problem, execute the agent in your current environment with eval, then run ssh-add:
$ eval `ssh-agent`
$ ssh-add
Enter passphrase for /home/grog/.ssh/id_rsa: (enter the passphrase)
Identity added: /home/grog/.ssh/id_rsa (/home/grog/.ssh/id_rsa)
Identity added: /home/grog/.ssh/id_dsa (/home/grog/.ssh/id_dsa)
Identity added: /home/grog/.ssh/identity ()
You can use ssh-add’s -l flag to list which keys the authentication agent currently knows about:
$ ssh-add -l
1024 02:20:1d:50:78:c5:7c:56:7b:1d:e3:54:02:2c:99:76 (RSA1)
1024 95:d5:01:ca:90:04:7d:84:f6:00:32:7a:ea:a6:57:2d /home/grog/.ssh/id_rsa (RSA)
1024 53:53:af:22:87:07:10:e4:5a:2c:21:31:ec:29:1c:5f /home/grog/.ssh/id_dsa (DSA)
If you’re using a Bourne-style shell such as bash, you can automate a lot of this by putting the following commands in your .bashrc or .profile file:
if tty >/dev/null; then
        # ssh-add exits with status 2 when it cannot contact an agent at all;
        # status 1 only means the agent is running but holds no keys yet.
        ssh-add -l >/dev/null 2>&1
        if [ $? -eq 2 ]; then
                eval `ssh-agent`
        fi
fi
This first uses the tty command to check if this is an interactive shell, then checks if you already have an authentication agent. If it doesn’t, it starts one. Don’t start a new authentication agent if you already have one: you’d lose any keys that the agent already knows. This script doesn’t add keys, because this requires your intervention and could be annoying if you had to do it every time you start a shell.
Setting up X to use ssh
If you work with X, you have the opportunity to start a large number of concurrent ssh sessions. It would be annoying to have to enter keys for each session, so there’s an alternative method: start X with an ssh-agent, and it will pass the information on to any xterms that it starts. Add the following commands to your .xinitrc:
eval `ssh-agent`
ssh-add < /dev/null
When you run ssh-add in this manner, without an input file, it runs a program to prompt for the passphrase. By default it’s /usr/X11R6/bin/ssh-askpass, but you can change it by setting the SSH_ASKPASS environment variable. /usr/X11R6/bin/ssh-askpass opens a window and prompts for a passphrase. From then on, anything started under the X session will automatically inherit the keys.
ssh tunnels
Tunneling is a technique for encapsulating an IP connection inside another IP connection. Why would you want to do that? One reason is to add encryption to an otherwise unencrypted connection, such as telnet or POP. Another is to get access to a service on a system that does not generally supply this service to the Internet.
Let’s consider using http first. Assume you are travelling, and you want to access your private web server back home. Normally a connection to the http port of presto.example.com might have the following parameters:
            andante              presto
    IP      192.1.7.245          223.147.37.2
    Port    9132                 80
But what if the server is firewalled from the global Internet, so you can’t access it directly? That’s when you need the ssh tunnel. The ssh tunnel creates a local connection at each end and a separate secure connection across the Internet:
    andante                                               presto
    Tunnel A: 127.1 port 4096                             Tunnel B: 127.1 port 80
    ssh connection: 192.1.7.245 port 3312  <->  150.101.248.57 port 22
The ssh connection (shown in fixed italic font in the original figure) looks just like any other ssh connection. The difference is the local connections at each end: instead of talking to presto port 80 (http), you talk to port 4096 on your local machine. Why 4096? It’s your choice; you can use any port above 1024. If you’re on andante, you can set up this tunnel with the command:
$ ssh -L 4096:presto.example.org:80 presto.example.org
To do the same thing from the presto end, you’d set up a reverse tunnel with the -R option:
$ ssh -R 4096:presto.example.org:80 andante.example.org
These commands both set up a tunnel from port 4096 on andante to port 80 on the host presto.example.org. You still need to supply the name of the system to connect to; it doesn’t have to be the same. For example, you might not be able to log in to the web server, but you could access your machine back home, and it has access to the web server. In this case, you could connect to your machine at home:
In addition to setting up the tunnel, ssh creates a normal interactive session. If you don’t want this, you can use the -f option to tell ssh to go into the background after authentication. You also need a command to execute; in case of doubt, use sleep, which simply sleeps for a specified time. If this is what you want to do, you could enter a command like:
$ ssh -L 4096:presto.example.org:80 presto.example.org -f sleep 3600
The command sleep 3600 suspends execution for an hour (3600 seconds) and then exits. At this point, your tunnel also shuts down, so you should choose the time to be long enough.
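The commands above are typed by hand; when a tunnel is opened from a script it pays to check the arguments first, because a local port at or below 1024 fails only when ssh tries to bind it, and a tunnel tied to sleep quietly disappears when the timer runs out. The shell functions below are an added example, not the book’s code, that build the ssh argument list for a background tunnel, enforcing the rules given above (local port above 1024, target written as host:port, a gateway you can log in to), and open it with -N instead of a sleep command; -N is OpenSSH’s option for running no remote command, so the tunnel stays up until the ssh process is killed. Function names and the sample hosts are constructed for the example.

```shell
#!/bin/sh
# tunnel_args LOCALPORT TARGET_HOST:PORT GATEWAY
# Print the ssh arguments for a tunnel from 127.0.0.1:LOCALPORT to
# TARGET_HOST:PORT, established through GATEWAY (the machine you can log in
# to, which need not be the target itself). Returns 1 on bad input.
tunnel_args() {
    lport=$1
    target=$2
    gateway=$3

    # The local port must be numeric and above 1024: lower ports are reserved
    # for root, and anything above 65535 is not a port at all.
    case $lport in
        ''|*[!0-9]*) echo "tunnel_args: local port '$lport' is not a number" >&2; return 1 ;;
    esac
    if [ "$lport" -le 1024 ] || [ "$lport" -gt 65535 ]; then
        echo "tunnel_args: local port $lport must be between 1025 and 65535" >&2
        return 1
    fi

    # The far end is given as host:port, exactly as for -L.
    case $target in
        ?*:[0-9]*) ;;
        *) echo "tunnel_args: target '$target' must be host:port" >&2; return 1 ;;
    esac
    if [ -z "$gateway" ]; then
        echo "tunnel_args: no gateway host given" >&2
        return 1
    fi

    # -f: go to the background after authentication (as in the text).
    # -N: run no remote command, so the tunnel does not die when a sleep ends.
    echo "-f -N -L $lport:$target $gateway"
}

# open_tunnel LOCALPORT TARGET_HOST:PORT GATEWAY
# Validate the arguments and start the tunnel; afterwards the local port is
# listening and an ssh process stays in the background until it is killed.
open_tunnel() {
    args=$(tunnel_args "$@") || return 1
    ssh $args
}

# Example: reach presto's web server through freebie, as in the text.
# open_tunnel 4096 presto.example.org:80 freebie.example.org
```

To close such a tunnel, kill the background ssh process; until then anyone who can reach port 4096 on the local machine reaches presto’s web server through your credentials, which is why the local port only listens on 127.1 by default.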
Tunneling X
Running X clients on the remote machine is special enough that ssh provides a special form of tunneling to deal with it. To use it, you must tell ssh the location of an .Xauthority file. Do this by adding the following line to the file ˜/.ssh/environment:
XAUTHORITY=/home/yourname/.Xauthority
The name must be in fully qualified form: ssh does not understand the shortcut ˜/ to represent your home directory. You don’t need to create ˜/.Xauthority, though: ssh can do that for you.
Once you have this in place, you can set up X tunneling in two different ways. To start it from the command line, enter something like:
$ ssh -X -f website xterm
As before, the -f option tells ssh to go into the background. The -X option specifies X tunneling, and ssh runs an xterm on the local machine. The DISPLAY environment variable points to the (remote) local host:
$ echo $DISPLAY
localhost:13.1
Other uses of tunnels
Tunneling has many other uses. Another interesting one is bridging networks. For example, describes how to set up a VPN (Virtual Private Network) using User PPP and an ssh tunnel.
Configuring ssh
It can be a bit of a nuisance to have to supply all these parameters to ssh, but you don’t have to: you can supply information for frequently accessed hosts in a configuration file. On startup, ssh checks for configuration information in a number of places. It checks for them first in the command-line options, then in your configuration file ˜/.ssh/config, and finally in the system-wide configuration file /etc/ssh/ssh_config. The way it treats duplicate information is pretty much the opposite of what you’d expect: unlike most other programs, options found in a configuration file read in later do not replace the options found in an earlier file. Options on the command line replace those given in configuration files.
In practice, such conflicts happen less often than you might expect. The file /etc/ssh/ssh_config, the main configuration file for the system, normally contains only comments, and by default you don’t even get a local ˜/.ssh/config.
ssh_config can contain a large number of options. They’re all described in the man page ssh_config(8), but it’s worth looking at some of the more common ones in this section.
• The entry Host is special: the options that follow, up to the end of the file or the next following Host argument, relate only to hosts that match the arguments on the Host line.
• Optionally, ssh can compress the data streams. This can save a lot of traffic, but it can also increase CPU usage, so by default it is disabled. You can enable it by passing the -C flag to ssh, but you can also do so by setting Compression yes in the configuration file.
• You can escape out of an ssh session to issue commands to ssh with the EscapeChar. By default it’s the tilde character, ˜. Other programs, notably rlogin, use this character as well, so you may want to change it. You can set this value from the ssh command line with the -e option.
• To forward an X11 connection, as shown above, you can also set the ForwardX11 variable to yes. This may be useful if you frequently access a remote machine and require X forwarding. This also sets the DISPLAY environment variable correctly to go over the secure channel.
• By default, ssh sends regular messages to the remote sshd server to check if the
remote system has gone down. This can cause connections to be dropped on a flaky
connection. Set the KeepAlive option to no to disable this behaviour.
• Use the LocalForward parameter to set up a tunnel. The syntax is similar to that of the -L option above: on andante, instead of the command line:
$ ssh -L 4096:presto.example.org:80 presto.example.org
you would put the following in your ˜/.ssh/config:
host presto.example.org
LocalForward 4096 presto.example.org:80
Note that the first port is separated from the other two parameters by a space, not a colon.
• Similarly, you can set up a reverse tunnel with the RemoteForward parameter. On presto, instead of the command line:
$ ssh -R 4096:presto.example.org:80 andante.example.org
you would put the following in your ˜/.ssh/config:
host andante.example.org
RemoteForward 4096 presto.example.org:80
• By default, ssh uses password authentication if it can’t negotiate a key pair. Set PasswordAuthentication to no if you don’t want this.
• Normally ssh connects to the server on port 22 (ssh). If the remote server uses a
different port, specify it with the Port keyword. You can also use the -p option on
the ssh command line.
• By default, ssh attempts to connect using protocol 2, and if that doesn’t work, it tries to connect using protocol 1. You can override this default with the Protocol keyword. For example, to reverse the default and try first protocol 1, then protocol 2, you would write:
Protocol 1,2
• By default, ssh refuses to connect to a known host if its key fingerprint changes. Instead, you must manually remove the entry for the system from the ˜/.ssh/known_hosts or ˜/.ssh/known_hosts2 file. This can indicate that somebody is faking the remote machine, but more often it’s because the remote machine has really changed its host key, which it might do at every reboot. If this gets on your nerves, you can add this line to your configuration file:
StrictHostKeyChecking no
This doesn’t stop the warnings, but ssh continues:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the DSA host key has just been changed.
The fingerprint for the DSA key sent by the remote host is
95:80:4c:fb:cc:96:1b:36:c5:c9:2b:cb:d1:d4:16:68.
Please contact your system administrator.
Add correct host key in /home/grog/.ssh/known_hosts2 to get rid of this message.
Offending key in /home/grog/.ssh/known_hosts2:39
• ssh assumes that your user name on the remote system is the same as the name on the local system. If that’s not the case, you can use the User keyword to specify the remote user name. Alternatively, you can use the format:
$ ssh
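Putting these keywords together, here is a complete ˜/.ssh/config written as an added example for the hosts used in this chapter; it is not a file from the book. Host presto, Host andante and Host website are short aliases resolved through the HostName keyword (a standard ssh_config keyword that the list above does not mention); website.example.org is a constructed name, while the user name grog, the ports and the forwardings come from the examples above, and Protocol and KeepAlive are the keyword names of the OpenSSH version this chapter describes. Because the first value ssh finds for an option wins, the host-specific blocks must come before the catch-all Host * block.

```sshconfig
# ~/.ssh/config (added example)
# The first value ssh finds for an option wins, so host-specific blocks
# come first and the catch-all "Host *" block last.

# The web server back home, reached through freebie, the machine you can
# actually log in to: "ssh presto" gives you a shell on freebie and a tunnel
# from local port 4096 to presto's http port.
Host presto
    HostName freebie.example.org
    User grog
    Port 22
    Compression yes
    LocalForward 4096 presto.example.org:80

# Reverse tunnel set up from the presto end: "ssh andante" on presto makes
# andante's port 4096 lead back to presto's http port.
Host andante
    HostName andante.example.org
    User grog
    RemoteForward 4096 presto.example.org:80

# A machine where you regularly run X clients (constructed host name).
Host website
    HostName website.example.org
    ForwardX11 yes

# Defaults for everything else.
Host *
    Protocol 2,1
    # Once your public key is in authorized_keys on every host you use,
    # refuse to fall back to sending a password.
    PasswordAuthentication no
    # Set to no on a flaky link where the keepalive probes drop connections.
    KeepAlive yes
    EscapeChar ~
    # Keep asking when a host key changes. "no" silences exactly the check
    # that would catch a man-in-the-middle; if one host really regenerates
    # its key at every reboot, put "no" in that host's own block, not here.
    StrictHostKeyChecking ask
```

ssh reads this file only if it belongs to you and is not writable by others, the same rule as for authorized_keys; after editing it, a plain ssh -v presto shows which HostName, port and forwardings were actually applied.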