FreeBSD Manual Pages

gtlssh(1)		    General Commands Manual		     gtlssh(1)

NAME
       gtlssh - Shell connection over TLS

SYNOPSIS
       gtlssh [options]	<host> [<program>]

DESCRIPTION
       The gtlssh program connects to a remote server, authenticates the re-
       mote server using TLS, then authenticates itself with the server.

       If SCTP support is enabled (see --sctp), gtlssh will attempt an SCTP
       connection first and fall back to TCP if that doesn't work.

WINDOWS HACKS
       See  "WINDOWS  HACKS"  in  the gtlssh-keygen.1 man page for information
       about special windows configuration.

OPTIONS
       -p|--port port
	      Use the given port instead of the	default	port.

       -i|--keyfile file
	      Use the given file for the key instead of	the default.   If  you
	      specify this, the	certfile will be the same name ending in .crt,
	      unless you specify it explicitly.

       --certfile file
	      Set the certificate to use.

       --cadir directory
	      Set  the	directory that holds the certificate authority used to
	      authenticate the server.

       -e|--escchar char
              Specify a character to use for the escape character.  Setting it
              to -1 disables the escape character.  This can either be a deci-
              mal or hexadecimal number or ^x to set a control character.  By
              default it is ^\ if io1 (the local side) is the default and
              stdin is a tty, or disabled otherwise.  See ESCAPES below for
              more details on the escape character.  Only handled on io1, the
              local side.

       -r|--telnet
	      Do telnet	processing with	RFC2217	handling.

       --nosctp
	      Disable SCTP support.  It	is disabled by default.

       --sctp Enable SCTP support.

       --notcp
              Disable TCP support.

       --transport <connecter>
	      Instead of using SCTP or TCP, use	the given gensio connecter for
	      transport.   In this case, the host is required but the hostname
	      part is ignored.	This is	so the username	can  be	 set,  if  re-
	      quired.

       --mdns Look up the name using mDNS.  This will fetch the IP address,
              IPv4 or IPv6, the port number and whether telnet is required and
              make the connection.

       --mdns-type
	      Set the type used	for the	lookup.	 See the gmdns(1) man page un-
	      der 'STRING VALUES FOR QUERIES' for detail on how	to  do	regex,
	      glob, etc.

       --nomux
	      Don't use	a mux gensio.  This may	cause issues with gtlsshd, but
	      is  useful  in  some  cases for talking with ser2net with	no mux
	      support.

       --privileged
              When logging onto a Windows server, don't drop privileges on a
              privileged account.  Normally you are logged in and run as a
              normal user (with a privileged linked token); this will allow
              you to just run privileged.  Requires --allow-root on the
              server.

       -L <accept addr>:<connect addr>
              Listen at the <accept addr> on the local machine, and if a con-
              nection comes in forward it to the <connect addr> from the re-
              mote machine on the gtlssh connection.  A local address is in
              the form [<bind addr>:][sctp|tcp,]port or <unix socket path>.
              Remote addresses are in the form <hostname>:[sctp|tcp,]port or
              <unix socket path>.  If a name begins with '/' it is a unix
              socket path.  <hostname> and <bind addr> are standard internet
              names or addresses.

       -R <accept addr>:<connect addr>
	      Like -L, except the <accept addr>	is on the remote  machine  and
	      <connect addr> is	done from the local machine.
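
       As an added example (Python, not gtlssh's own code), the following
       parser splits a -L or -R argument by the address grammar given above.
       Because both sides use ':' internally, the connect side is parsed from
       the right (a unix path is one component, <hostname>:[proto,]port is
       two) and the accept side is whatever remains.  It also flags an accept
       address with no explicit bind address so a reviewer can confirm which
       interfaces the listener is reachable on.  Bare IPv6 literals as <bind
       addr> are not described on the page and are not handled; parse_forward,
       Endpoint and is_valid_forward are names of this example only.

```python
# Added example (not gtlssh code): parser for the -L/-R argument using the
# grammar the man page gives:
#   <accept addr>:<connect addr>
#   local addr  = [<bind addr>:][sctp|tcp,]port  or  <unix socket path>
#   remote addr = <hostname>:[sctp|tcp,]port     or  <unix socket path>
# A name starting with '/' is a unix socket path.  Bare IPv6 literals as
# <bind addr> contain ':' and are not handled (assumption: the page gives
# no quoting rule for them).
from dataclasses import dataclass
from typing import List, Optional, Tuple

TRANSPORTS = ("sctp", "tcp")


@dataclass
class Endpoint:
    kind: str                    # "inet" or "unix"
    host: Optional[str] = None   # bind addr (accept side) / hostname (connect side)
    proto: Optional[str] = None  # "sctp", "tcp" or None when not given
    port: Optional[int] = None
    path: Optional[str] = None   # unix socket path


def _port_spec(tok: str) -> Tuple[Optional[str], int]:
    """Parse "[sctp|tcp,]port"."""
    proto = None
    if "," in tok:
        proto, tok = tok.split(",", 1)
        if proto not in TRANSPORTS:
            raise ValueError(f"unknown transport {proto!r}")
    if not tok.isdigit() or not 1 <= int(tok) <= 65535:
        raise ValueError(f"bad port {tok!r}")
    return proto, int(tok)


def parse_forward(spec: str, direction: str):
    """Split a -L (direction 'L') or -R ('R') argument.
    Returns (accept, connect, warnings); raises ValueError on bad input."""
    if direction not in ("L", "R"):
        raise ValueError("direction must be 'L' or 'R'")
    toks = spec.split(":")
    if any(t == "" for t in toks):
        raise ValueError("empty component in forwarding spec")
    # Connect side, parsed from the right: unix path = 1 token, host:port = 2.
    if toks[-1].startswith("/"):
        connect, rest = Endpoint("unix", path=toks[-1]), toks[:-1]
    elif len(toks) >= 3:
        proto, port = _port_spec(toks[-1])
        connect, rest = Endpoint("inet", host=toks[-2], proto=proto, port=port), toks[:-2]
    else:
        raise ValueError("connect address must be <hostname>:[proto,]port or a unix path")
    # Accept side is whatever remains: unix path, port, or bind:port.
    if len(rest) == 1 and rest[0].startswith("/"):
        accept = Endpoint("unix", path=rest[0])
    elif len(rest) == 1:
        proto, port = _port_spec(rest[0])
        accept = Endpoint("inet", proto=proto, port=port)
    elif len(rest) == 2:
        proto, port = _port_spec(rest[1])
        accept = Endpoint("inet", host=rest[0], proto=proto, port=port)
    else:
        raise ValueError("accept address must be [bind:][proto,]port or a unix path")
    warnings: List[str] = []
    if accept.kind == "inet" and accept.host in (None, "0.0.0.0", "::", "*"):
        where = "local" if direction == "L" else "remote"
        warnings.append(f"{where} listener has no restrictive bind address; "
                        f"confirm which interfaces can reach port {accept.port}")
    return accept, connect, warnings


def is_valid_forward(spec: str, direction: str) -> bool:
    """True when the spec parses; used to reject a bad forward before connecting."""
    try:
        parse_forward(spec, direction)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for arg in ("8080:intranet.example:80",
                "127.0.0.1:tcp,8080:intranet.example:sctp,80",
                "2222:/var/run/gtlssh.sock",
                "/tmp/agent.sock:/var/run/agent.sock"):
        print(arg, "->", parse_forward(arg, "L"))
```

       The warning is deliberately conservative: the page does not state what
       gtlssh binds to when <bind addr> is omitted, so the safe reviewing
       habit is to give a loopback bind address explicitly (for example
       127.0.0.1:8080:host:80) unless the listener is meant to be reachable
       from other machines.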

       -4     Do IPv4 only.

       -6     Do IPv6 only.

       -d|--debug
	      Generate	debugging output.  Specifying more than	once increases
	      the output.

       --version
	      Print the	version	number and exit.

       -h|--help
	      Help output

HOST AUTHENTICATION
       After connecting, the host is first validated using standard TLS.  The
       certificates used for validation are in $HOME/.gtlssh/server_certs by
       default.  If the certificate presented by the server is not recog-
       nized, the user is prompted with the certificate fingerprint, asking
       if the user wants to accept the certificate.

       If the user accepts the certificate, then it is added into the default
       directory.  If not, the connection is terminated.  The fingerprint
       shown at the prompt should be checked against one obtained out of
       band before accepting; an accepted certificate is trusted for all
       later connections to that host and port until its file is removed.

       Certificates are stored in the form "<hostname>,<port>.crt" and "<ipad-
       dress>,<port>.crt".  Both are created for a connection (unless connect-
       ing with an IP address, in which case only the address form is cre-
       ated).  On later connections the presented certificate must match
       both entries; if the certificate in a file does not match the certifi-
       cate from the remote end, the connection is terminated and the user
       informed.

USER AUTHENTICATION
       If host authentication succeeds, gtlssh authenticates itself with a key
       and certificate.  These files are fetched by default from
       $HOME/.gtlssh/keycerts in the form <host>[,<port>].key and
       <host>[,<port>].crt.  If the form with the host and port exists, that
       is taken.  Otherwise if the form with just the host exists, it is
       taken.  Otherwise it defaults to $HOME/.gtlssh/default.key and
       $HOME/.gtlssh/default.crt.

       The remote end looks in $HOME/.gtlssh/allowed_certs  for	 the  certifi-
       cate.   If the remote end does not have the certificate presented, then
       password	authentication is tried.
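
       The file conventions in HOST AUTHENTICATION and USER AUTHENTICATION,
       modelled as an added Python example that is not gtlssh code.  It uses
       the directory names and lookup order stated above.  The sample
       certificates are constructed (arbitrary bytes in PEM armour, not real
       X.509), host.example, 192.0.2.10 and port 852 are sample values, the
       SHA-256 colon-hex fingerprint format is this example's choice, and the
       strict handling of a store holding only one of the two entries (treat
       it as unknown and prompt) is an assumption, since the page does not say
       what gtlssh does in that case.

```python
# Added example (not gtlssh code): the client-side file conventions the man
# page describes under HOST AUTHENTICATION and USER AUTHENTICATION.  The
# "certificates" are constructed test data (bytes in PEM armour), which is
# enough because entries are compared by certificate content.
import base64
import hashlib
import os
import re
import tempfile

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def constructed_pem(der: bytes) -> str:
    """Wrap arbitrary bytes in PEM armour (constructed test data only)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


def fingerprint(pem: str) -> str:
    """SHA-256 of the DER body of the first certificate in pem, as
    colon-separated hex (the rendering assumed here for the prompt value)."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no certificate in PEM data")
    der = base64.b64decode("".join(m.group(1).split()))
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))


def _entry(store: str, name: str, port: int) -> str:
    return os.path.join(store, f"{name},{port}.crt")   # "<name>,<port>.crt"


def server_cert_status(store, hostname, ipaddr, port, presented_pem, by_ip=False):
    """'match' (connect), 'unknown' (prompt with the fingerprint) or
    'mismatch' (terminate and inform the user).  Both the hostname and the
    IP address entry must agree; connecting by IP checks only the IP entry.
    Assumption: a store with only one of the two entries counts as unknown."""
    names = [ipaddr] if by_ip else [hostname, ipaddr]
    presented = fingerprint(presented_pem)
    found = 0
    for name in names:
        path = _entry(store, name, port)
        if not os.path.exists(path):
            continue
        with open(path) as fh:
            if fingerprint(fh.read()) != presented:
                return "mismatch"
        found += 1
    return "match" if found == len(names) else "unknown"


def accept_server_cert(store, hostname, ipaddr, port, pem, by_ip=False):
    """What accepting the prompt does: write the entry files, owner-only."""
    os.makedirs(store, exist_ok=True)
    for name in ([ipaddr] if by_ip else [hostname, ipaddr]):
        fd = os.open(_entry(store, name, port), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(pem)


def select_keycert(keydir, host, port, keyfile=None, certfile=None):
    """-i/--keyfile wins, with the cert defaulting to the same name ending
    in .crt; otherwise <host>,<port>.key, then <host>.key, then default.key."""
    if keyfile:
        return keyfile, certfile or os.path.splitext(keyfile)[0] + ".crt"
    for base in (f"{host},{port}", host, "default"):
        key = os.path.join(keydir, base + ".key")
        if os.path.exists(key):
            return key, os.path.join(keydir, base + ".crt")
    return os.path.join(keydir, "default.key"), os.path.join(keydir, "default.crt")


def demo() -> dict:
    """Constructed scenario: first contact, a repeat connection, then a
    server presenting a different certificate on the same host and port."""
    with tempfile.TemporaryDirectory() as tmp:
        store, keydir = os.path.join(tmp, "server_certs"), os.path.join(tmp, "keycerts")
        os.makedirs(keydir)
        good = constructed_pem(b"constructed server cert")
        rogue = constructed_pem(b"constructed different cert")
        host, ip, port = "host.example", "192.0.2.10", 852      # sample values
        first = server_cert_status(store, host, ip, port, good)
        accept_server_cert(store, host, ip, port, good)
        second = server_cert_status(store, host, ip, port, good)
        third = server_cert_status(store, host, ip, port, rogue)
        for name in ("host.example.key", "host.example.crt", "default.key", "default.crt"):
            open(os.path.join(keydir, name), "w").close()
        key, cert = select_keycert(keydir, host, port)
        return {"first": first, "second": second, "third": third,
                "store": sorted(os.listdir(store)),
                "key": os.path.basename(key), "cert": os.path.basename(cert)}


if __name__ == "__main__":
    print(demo())
```

       The third status in demo() is the case that matters operationally: a
       changed certificate for a known host and port is refused rather than
       re-prompted, so a deliberate key rotation on the server has to be
       followed by removing both entry files on the client.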

INTERACTIVE MODE
       If the stdin for gtlssh is a tty and no program is given to run, then
       the login is an interactive login.  Any sort of delay in I/O processing
       is disabled, and the local terminal is used for I/O and it is put into
       raw mode.

       In non-interactive mode,	the local side uses stdio for  local  I/O  and
       I/O processing delay on the network side	is not disabled.  This is use-
       ful for programs	transferring data over the connection.

ESCAPES
       If the escape character is received from the user, the character is not
       transferred and the program waits for another character.  If the other
       character is also the escape character, a single escape character is
       sent.  If the other character is not recognized as a valid escape, it
       is ignored and not transferred.  Upper and lower case are equivalent.

       Escape characters are:

       q      Quit the program.

       b      Send a break to io2.  Ignored if io2 does	not support break.

       d      Dump serial data for io2.  Ignored if io2 is not RFC2217 capa-
              ble.

       s      Set the serial port (baud) rate for io2.  Ignored if io2 is not
              RFC2217 capable.  After this, the serial port speed must be
              typed, terminated by a new line.  Invalid speeds are ignored;
              use escchar-d to check that it was set correctly.

       n, o, e
	      Set the parity on	io2 to none, odd, or even.  Ignored if io2  is
	      not RFC2217 capable.

       7, 8   Set  the data size on io2	to 7 or	8 bits.	 Ignored if io2	is not
	      RFC2217 capable.

       1, 2   Set the number of stop bits to 1 or 2 on io2.  Ignored if io2
              is not RFC2217 capable.
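
       The escape handling described under -e|--escchar and in this section,
       as an added Python example that is not part of gtlssh or this manual
       page.  parse_escchar() accepts the three forms the option lists
       (decimal, hexadecimal, ^x) and -1 for disabled; EscapeFilter applies
       the rules above: the escape byte is swallowed, escape-escape forwards
       one escape, unrecognized commands are dropped without being forwarded,
       case is ignored, and 's' collects a speed up to a newline.  Which
       speeds are valid is not listed on the page, so any positive decimal
       integer is accepted here (assumption); the class, function and command
       names are the example's own.

```python
# Added example (not gtlssh code): a model of the escape handling described
# under -e|--escchar and ESCAPES.  Valid-speed rule is an assumption (any
# positive decimal integer); everything else follows the page's wording.
from typing import List, Optional, Tuple

# escape-command byte -> (command, argument); 's' is handled separately
COMMANDS = {
    ord("q"): ("quit", None),
    ord("b"): ("break", None),
    ord("d"): ("dump-serial", None),
    ord("n"): ("parity", "none"),
    ord("o"): ("parity", "odd"),
    ord("e"): ("parity", "even"),
    ord("7"): ("datasize", 7),
    ord("8"): ("datasize", 8),
    ord("1"): ("stopbits", 1),
    ord("2"): ("stopbits", 2),
}


def parse_escchar(spec: str) -> Optional[int]:
    """Parse the -e argument.  "-1" disables the escape (returns None);
    "^x" is a control character (^\\ is 0x1c); otherwise a decimal or
    0x-prefixed hexadecimal byte value."""
    spec = spec.strip()
    if spec == "-1":
        return None
    if len(spec) == 2 and spec[0] == "^":
        return ord(spec[1].upper()) ^ 0x40
    value = int(spec, 16) if spec.lower().startswith("0x") else int(spec, 10)
    if not 0 <= value <= 255:
        raise ValueError("escape character must be a single byte value")
    return value


class EscapeFilter:
    """Byte filter on the local (io1) side; state carries across reads."""

    def __init__(self, escchar: Optional[int]):
        self.esc = escchar
        self.state = "normal"          # normal | after_esc | speed
        self.speed_buf = bytearray()

    def feed(self, data: bytes) -> Tuple[bytes, List[tuple]]:
        """Return (bytes to forward to the remote end, commands issued)."""
        out = bytearray()
        cmds: List[tuple] = []
        for b in data:
            if self.state == "normal":
                if self.esc is not None and b == self.esc:
                    self.state = "after_esc"      # swallow, wait for next byte
                else:
                    out.append(b)
            elif self.state == "after_esc":
                self.state = "normal"
                if b == self.esc:
                    out.append(b)                 # escape-escape: send one escape
                    continue
                c = bytes([b]).lower()[0]         # upper and lower case equivalent
                if c == ord("s"):
                    self.state = "speed"
                    self.speed_buf.clear()
                elif c in COMMANDS:
                    cmds.append(COMMANDS[c])
                # any other byte is not a valid escape: ignored, not forwarded
            else:                                 # collecting the speed for 's'
                if b in (0x0A, 0x0D):
                    text = self.speed_buf.decode("ascii", "replace")
                    if text.isdigit() and int(text) > 0:
                        cmds.append(("speed", int(text)))
                    # invalid speeds are ignored; escchar-d shows the real setting
                    self.state = "normal"
                else:
                    self.speed_buf.append(b)
        return bytes(out), cmds


def run_session(escchar: Optional[int], chunks) -> Tuple[bytes, List[tuple]]:
    """Feed successive reads through one filter, as a terminal would."""
    flt = EscapeFilter(escchar)
    out, cmds = b"", []
    for chunk in chunks:
        o, c = flt.feed(chunk)
        out += o
        cmds += c
    return out, cmds


if __name__ == "__main__":
    esc = parse_escchar("^\\")
    print(run_session(esc, [b"ls\n", b"\x1c\x1c", b"\x1cB", b"\x1cs115200\n"]))
```

       Note the consequence of the option's default: with stdin not a tty the
       escape is disabled, so data piped through a non-interactive session is
       never interpreted, which is what you want when transferring files.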

SEE ALSO
       gensio(5), gtlsshd(1), gtlssh-keygen(1),	gmdns(1)

KNOWN PROBLEMS
       None.

AUTHOR
       Corey Minyard <minyard@acm.org>

Shell connection over TLS	   01/02/19			     gtlssh(1)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=gtlssh&sektion=1&manpath=FreeBSD+Ports+14.3.quarterly>
