CONCH(1)                  BSD General Commands Manual                 CONCH(1)

NAME

     conch — Conch SSH client

SYNOPSIS

     conch [-AaCfINnrsTtVvx] [-c cipher_spec] [-e escape_char]
           [-i identity_file] [-K connection_spec] [-L port:host:hostport]
           [-l user] [-m mac_spec] [-o openssh_option] [-p port]
           [-R port:host:hostport] [user@] hostname [command]

DESCRIPTION

     conch is an SSHv2 client for logging into a remote machine and executing
     commands.  It provides encrypted and secure communications across a
     possibly insecure network.  Arbitrary TCP/IP ports can also be forwarded
     over the secure connection.

     conch connects and logs into hostname (as user or the current username).
     The user must prove her/his identity through a public-key or a password.
     Alternatively, if a connection is already open to a server, a new shell
     can be opened over the connection without having to reauthenticate.

     If command is specified, command is executed instead of a shell.  If the
     -s option is given, command is treated as an SSHv2 subsystem name.

   Authentication
     Conch supports the public-key, keyboard-interactive, and password
     authentications.

     The public-key method allows the RSA or DSA algorithm to be used.  The
     client uses his/her private key, $HOME/.ssh/id_rsa or $HOME/.ssh/id_dsa,
     to sign the session identifier, known only by the client and server.  The
     server checks that the matching public key is valid for the user, and
     that the signature is correct.

     If public-key authentication fails, conch can authenticate by sending an
     encrypted password over the connection.

   Connection sharing
     conch has the ability to multiplex multiple shells, commands and TCP/IP
     ports over the same secure connection.  To disable multiplexing for a
     connection, use the -I flag.

     The -K option determines how the client connects to the remote host.  It
     is a comma-separated list of the methods to use, in order of preference.
     The two connection methods are ‘unix’ (for connecting over a multiplexed
     connection) and ‘direct’ (to connect directly).  To disable connecting
     over a multiplexed connection, do not include ‘unix’ in the preference
     list.

     As an example of how connection sharing works, to speed up CVS over SSH:

     conch --noshell --fork -l cvs_user cvs_host
     set CVS_RSH=conch

     Now, when CVS connects to cvs_host as cvs_user, instead of making a new
     connection to the server, conch will add a new channel to the existing
     connection.  This saves the cost of repeatedly negotiating the
     cryptography and authentication.

     The options are as follows:

     -A      Enables authentication agent forwarding.

     -a      Disables authentication agent forwarding (default).

     -C      Enable compression.

     -c cipher_spec
             Selects encryption algorithms to be used for this connection, as
             a comma-separated list of ciphers in order of preference.  The
             list that conch supports is (in order of default preference):
             aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr,
             aes128-cbc, cast128-ctr, cast128-cbc, blowfish-ctr, blowfish,
             idea-ctr, idea-cbc, 3des-ctr, 3des-cbc.

     -e ch | ^ch | none
             Sets the escape character for sessions with a PTY (default: ‘~’).
             The escape character is only recognized at the beginning of a
             line (after a newline).  The escape character followed by a dot
             (‘.’) closes the connection; followed by ^Z suspends the
             connection; and followed by the escape character sends the
             escape character once.  Setting the character to “none” disables
             any escapes.

     -f      Fork to background after authentication.

     -I      Do not allow connection sharing over this connection.

     -i identity_spec
             The file from which the identity (private key) for RSA or DSA
             authentication is read.  The defaults are $HOME/.ssh/id_rsa and
             $HOME/.ssh/id_dsa.  It is possible to use this option more than
             once to use more than one private key.

     -K connection_spec
             Selects methods for connection to the server, as a
             comma-separated list of methods in order of preference.  See
             Connection sharing for more information.

     -L port:host:hostport
             Specifies that the given port on the client host is to be
             forwarded to the given host and port on the remote side.  This
             allocates a socket to listen to port on the local side, and when
             connections are made to that socket, they are forwarded over the
             secure channel and a connection is made to host port hostport
             from the remote machine.  Only root can forward privileged
             ports.

     -l user
             Log in using this username.

     -m mac_spec
             Selects MAC (message authentication code) algorithms, as a
             comma-separated list in order of preference.  The list that
             conch supports is (in order of preference): hmac-sha2-512,
             hmac-sha2-384, hmac-sha2-256, hmac-sha1, hmac-md5.

     -N      Do not execute a shell or command.

     -n      Redirect input from /dev/null.

     -o openssh_option
             Ignored OpenSSH options.

     -p port
             The port to connect to on the server.

     -R port:host:hostport
             Specifies that the given port on the remote host is to be
             forwarded to the given host and port on the local side.  This
             allocates a socket to listen to port on the remote side, and
             when connections are made to that socket, they are forwarded
             over the secure channel and a connection is made to host port
             hostport from the client host.  Only root can forward privileged
             ports.

     -r      Reconnect to the server if the connection is lost.

     -s      Invoke command (mandatory) as an SSHv2 subsystem.

     -T      Do not allocate a TTY.

     -t      Allocate a TTY even if command is given.

     -V      Display version number only.

     -v      Log to stderr.

     -x      Disable X11 connection forwarding (default).
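
     An added example, not part of the original manual page or of the
     project's own code: a shell helper that narrows the -c and -m preference
     lists printed above to AES-CTR ciphers and SHA-2 MACs, dropping the
     CBC-mode, 64-bit-block and MD5/SHA-1 entries.  The policy, the function
     names and the user and host values are assumptions of this example.

```shell
#!/bin/sh
# Added example: build a restricted conch command line from the algorithm
# lists printed under -c and -m on this page.

# Lists copied from the -c and -m entries of this man page.
CONCH_CIPHERS="aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,cast128-ctr,cast128-cbc,blowfish-ctr,blowfish,idea-ctr,idea-cbc,3des-ctr,3des-cbc"
CONCH_MACS="hmac-sha2-512,hmac-sha2-384,hmac-sha2-256,hmac-sha1,hmac-md5"

# keep_matching LIST PATTERN: keep the comma-separated items that match the
# shell glob PATTERN, preserving the original preference order.
keep_matching() {
    out=""
    old_ifs=$IFS
    IFS=,
    for item in $1; do
        case $item in
            $2) out="${out:+$out,}$item" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Policy (assumption of this example): AES in CTR mode only, SHA-2 HMACs only.
hardened_ciphers() { keep_matching "$CONCH_CIPHERS" 'aes*-ctr'; }
hardened_macs()    { keep_matching "$CONCH_MACS" 'hmac-sha2-*'; }

# conch_hardened_cmd USER HOST: print the resulting command line.
# -a and -x restate the documented defaults (no agent forwarding, no X11
# forwarding) so the intent stays explicit in scripts and wrappers.
conch_hardened_cmd() {
    printf 'conch -a -x -c %s -m %s -l %s %s\n' \
        "$(hardened_ciphers)" "$(hardened_macs)" "$1" "$2"
}

# Constructed sample values; replace with a real user and host.
conch_hardened_cmd example_user host.example.org
```

     If the server supports none of the remaining algorithms, negotiation has
     nothing in common to select and the connection does not complete, which
     is the intended outcome of the restriction.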

AUTHOR

     Written by Paul Swartz <z3p@twistedmatrix.com>.

REPORTING BUGS

     To report a bug, visit http://twistedmatrix.com/trac/

     Copyright © 2002-2008 Twisted Matrix Laboratories.
     This is free software; see the source for copying conditions.  There is
     NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
     PURPOSE.

SEE ALSO

     ssh(1)

BSD                              May 22, 2004                              BSD