gtlssh(1)                   General Commands Manual                  gtlssh(1)

NAME

       gtlssh - Shell connection over TLS


SYNOPSIS

       gtlssh [options] <host> [<program>]


DESCRIPTION

       The gtlssh program connects to a remote server, authenticates the
       remote server using SSL, then authenticates itself with the server.

       gtlssh will attempt an SCTP connection first, and fall back to TCP if
       that doesn't work.


WINDOWS HACKS

       See "WINDOWS HACKS" in the gtlssh-keygen.1 man page for information
       about special Windows configuration.


OPTIONS

       -p|--port port
              Use the given port instead of the default port.

       -i|--keyfile file
              Use the given file for the key instead of the default.  If you
              specify this, the certfile will be the same name ending in .crt,
              unless you specify it explicitly.

       --certfile file
              Set the certificate to use.

       --cadir directory
              Set the directory that holds the certificate authority used to
              authenticate the server.

       -e|--escchar char
              Specify a character to use for the escape character.  Setting it
              to -1 disables the escape character.  This can either be a
              decimal or hexadecimal number or ^x to set a control character.
              By default it is ^\ if io1 is the default and stdin is a tty, or
              disabled otherwise.  See ESCAPES below for more details on the
              escape character.  Only handled on io1.

       -r|--telnet
              Do telnet processing with RFC2217 handling.

       --nosctp
              Disable SCTP support.  It is disabled by default.

       --sctp Enable SCTP support.

       --notcp
              Disable TCP support.

       --transport <connecter>
              Instead of using SCTP or TCP, use the given gensio connecter for
              transport.  In this case, the host is required but the hostname
              part is ignored.  This is so the username can be set, if
              required.

       --mdns Look up the name using mDNS.  This will fetch the IP address,
              IPv4 or IPv6, the port number and whether telnet is required and
              make the connection.

       --mdns-type
              Set the type used for the lookup.  See the gmdns(1) man page
              under 'STRING VALUES FOR QUERIES' for detail on how to do regex,
              glob, etc.

       --nomux
              Don't use a mux gensio.  This may cause issues with gtlsshd, but
              is useful in some cases for talking with ser2net with no mux
              support.

       --privileged
              When logging onto a Windows server, don't drop privileges on a
              privileged account.  Normally you are logged in and run as a
              normal user (with a privileged linked token); this will allow
              you to just run privileged.  Requires --allow-root on the
              server.

       -L <accept addr>:<connect addr>
              Listen at the <accept addr> on the local machine, and if a
              connection comes in forward it to the <connect addr> from the
              remote machine on the gtlssh connection.  A local address is in
              the form [<bind addr>:][sctp|tcp,]port or <unix socket path>.
              Remote addresses are in the form <hostname>:[sctp|tcp,]port or
              <unix socket path>.  If a name begins with '/' it is a unix
              socket path.  <hostname> and <bindaddr> are standard internet
              names or addresses.

       -R <accept addr>:<connect addr>
              Like -L, except the <accept addr> is on the remote machine and
              <connect addr> is done from the local machine.

       -4     Do IPv4 only.

       -6     Do IPv6 only.

       -d|--debug
              Generate debugging output.  Specifying more than once increases
              the output.

       --version
              Print the version number and exit.

       -h|--help
              Help output.


HOST AUTHENTICATION

       After connecting, the host is first validated using standard SSL.  The
       keys used for validation are in $HOME/.gtlssh/server_certs by default.
       If the given key is not recognized, the user is prompted with the
       certificate fingerprint asking if the user wants to accept the
       certificate.

       If the user accepts the certificate, then it is added into the default
       directory.  If not, the connection is terminated.

       Certificates are stored in the form "<hostname>,<port>.crt" and
       "<ipaddress>,<port>.crt".  Both are created for a connection (unless
       connecting with an IP address).  A connection is verified as matching
       both entries; if the certificate in the file does not match the
       certificate from the remote end, the connection is terminated and the
       user informed.


USER AUTHENTICATION

       If host authentication succeeds, gtlssh authenticates itself with a key
       and certificate.  These files are fetched by default from
       $HOME/.gtlssh/keycerts in the form <host>[,<port>].key and
       <host>[,<port>].crt.  If the form with the host and port exists, that
       is taken.  Otherwise if the form with just the host exists, it is
       taken.  Otherwise it defaults to $HOME/.gtlssh/default.key and
       $HOME/.gtlssh/default.crt.

       The remote end looks in $HOME/.gtlssh/allowed_certs for the
       certificate.  If the remote end does not have the certificate
       presented, then password authentication is tried.

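       As an added example (not part of this man page or the gensio project),
       the POSIX shell script below reproduces the key/certificate lookup
       order described in USER AUTHENTICATION and the pin-file check from HOST
       AUTHENTICATION, so you can tell ahead of time which files a connection
       to a given host and port would use.  The directory layout, host names,
       address and port numbers in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of gtlssh: reproduce the documented lookup order for
# the client key/cert and the server-certificate pin files, to see in advance
# which files a connection to a given host/port would use.

# resolve_keycert DIR HOST PORT -> prints "<keyfile> <certfile>".
# Order: keycerts/<host>,<port>.key, then keycerts/<host>.key, then default.key;
# the certfile is the same base name ending in .crt (as with -i/--keyfile).
resolve_keycert() {
    dir="$1"; host="$2"; port="$3"
    for base in "$dir/keycerts/$host,$port" "$dir/keycerts/$host"; do
        if [ -f "$base.key" ]; then
            printf '%s %s\n' "$base.key" "$base.crt"
            return 0
        fi
    done
    printf '%s %s\n' "$dir/default.key" "$dir/default.crt"
}

# server_cert_status DIR HOST IP PORT -> "pinned" when both
# server_certs/<host>,<port>.crt and server_certs/<ip>,<port>.crt exist
# (both are checked on connect), "unknown" when neither does (the user is
# prompted with the fingerprint), "partial" when only one is present.
server_cert_status() {
    dir="$1"; host="$2"; ip="$3"; port="$4"
    n=0
    [ -f "$dir/server_certs/$host,$port.crt" ] && n=$((n + 1))
    [ -f "$dir/server_certs/$ip,$port.crt" ] && n=$((n + 1))
    case "$n" in
        2) echo pinned ;;
        0) echo unknown ;;
        *) echo partial ;;
    esac
}

# Constructed sample .gtlssh layout with empty placeholder files; the host
# names, address and port numbers are made up for the demonstration.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/keycerts" "$demo_dir/server_certs"
touch "$demo_dir/default.key" "$demo_dir/default.crt"
touch "$demo_dir/keycerts/build.example.key" "$demo_dir/keycerts/build.example.crt"
touch "$demo_dir/keycerts/build.example,2200.key" "$demo_dir/keycerts/build.example,2200.crt"
touch "$demo_dir/server_certs/build.example,852.crt" "$demo_dir/server_certs/192.0.2.10,852.crt"
touch "$demo_dir/server_certs/lab.example,852.crt"

resolve_keycert "$demo_dir" build.example 2200   # host,port form wins
resolve_keycert "$demo_dir" build.example 852    # falls back to host form
resolve_keycert "$demo_dir" other.example 852    # falls back to default.*
server_cert_status "$demo_dir" build.example 192.0.2.10 852
```

       Point the functions at your real $HOME/.gtlssh to audit which hosts are
       already pinned and which would trigger the fingerprint prompt.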

INTERACTIVE MODE

       If the stdin for gtlssh is a tty and no program is given to run, then
       the login is an interactive login.  Any sort of delay in I/O processing
       is disabled, and the local terminal is used for I/O and it is put into
       raw mode.

       In non-interactive mode, the local side uses stdio for local I/O and
       I/O processing delay on the network side is not disabled.  This is
       useful for programs transferring data over the connection.


ESCAPES

       If the escape character is received from the user, the character is not
       transferred and the program waits for another character.  If the other
       character is also the escape character, a single escape character is
       sent.  If the other character is not recognized as a valid escape, it
       is ignored and not transferred.  Upper and lower case are equivalent.

       Escape characters are:

       q      Quit the program.

       b      Send a break to io2.  Ignored if io2 does not support break.

       d      Dump serial data for io2.  Ignored if io2 is not RFC2217
              capable.

       s      Set the serial port (baud) rate for io2.  Ignored if io2 is not
              RFC2217 capable.  After this, the serial port speed must be
              typed, terminated by a new line.  Invalid speeds are ignored;
              use escchar-d to know if you set it right.

       n, o, e
              Set the parity on io2 to none, odd, or even.  Ignored if io2 is
              not RFC2217 capable.

       7, 8   Set the data size on io2 to 7 or 8 bits.  Ignored if io2 is not
              RFC2217 capable.

       1, 2   Set the number of stop bits to 1 or 2 on io2.  Ignored if io2 is
              not RFC2217 capable.


SEE ALSO

       gensio(5), gtlsshd(1), gtlssh-keygen(1), gmdns(1)


KNOWN PROBLEMS

       None.


AUTHOR

       Corey Minyard <minyard@acm.org>



Shell connection over TLS          01/02/19                          gtlssh(1)