Provided by: gensio-bin_2.6.6-6_amd64 bug

NAME

       gtlssh - Shell connection  over TLS

SYNOPSIS

       gtlssh [options] <host> [<program>]

DESCRIPTION

       The gtlssh program connects to a remote server, authenticates the remote server using SSL,
       then authenticates itself with the server.

       gtlsshd will attempt an SCTP connection first, and fall back to TCP if that doesn't work.

WINDOWS HACKS

       See "WINDOWS HACKS" in the gtlssh-keygen.1 man page for information about special  windows
       configuration.

OPTIONS

       -p|--port port
              Use the given port instead of the default port.

       -i|--keyfile file
              Use  the  given  file for the key instead of the default.  If you specify this, the
              certfile will be the same name ending in .crt, unless you specify it explicitly.

       --certfile file
              Set the certificate to use.

       --cadir directory
              Set the directory that holds the certificate authority  used  to  authenticate  the
              server.

       -e|--escchar char
              Specify a character to use for the escape character.  Setting it to -1 disables the
              escape character.  This can either be a decimal or hexadeximal number or ^x to  set
              a control character.  By default it is ^\ if io1 is the default and stdin is a tty,
              or disabled otherwise.  See ESCAPES below for more details on the escape character.
              Only handled on io1.

       -r|--telnet
              Do telnet processing with RFC2217 handling.

       --nosctp
              Disable SCTP support.  It is disabled by default.

       --sctp Enable SCTP support.

       --notcp
              Disable TCP support

       --transport <connecter>
              Instead  of  using  SCTP  or TCP, use the given gensio connecter for transport.  In
              this case, the host is required but the hostname part is ignored.  This is  so  the
              username can be set, if required.

       --mdns Look  up  the  name using mDNS.  This will fetch then IP address, IPv4 or IPv6, the
              port number and whether telnet is required and make the connection

       --mdns-type
              Set the type used for the lookup.  See the gmdns(1) man page under  'STRING  VALUES
              FOR QUERIES' for detail on how to do regex, glob, etc.

       --nomux
              Don't  use a mux gensio.  This may cause issues with gtlsshd, but is useful in some
              cases for talking with ser2net with no mux support.

       --privileged

       When logging onto a Windows server, don't drop privileges on a
              privileged account.  Normally you are logged in and run as a normal  user  (with  a
              privileged  linked  token),  this  will  allow  you  just run privileged.  Requires
              --allow-root on the server.  -L <accept addr>:<connect addr> Listen at the  <accept
              addr> on the local machine, and if a connection comes in forward it to the <connect
              addr> from the remote machine on the gtlssh connection.  A local address is in  the
              form  [<bind addr>:][sctp|tcp,]port or <unix socket path>.  Remote addresses are in
              the form <hostname>:[sctp|tcp,]port or <unix socket path>.  If a name  begins  with
              '/'  it  is  a  unix  socket path.  <hostname> and <bindaddr> are standard internet
              names or addresses.

       -R <accept addr>:<connect addr>
              Like -L, except the <accept addr> is on the remote machine and  <connect  addr>  is
              done from the local machine.

       -4     Do IPv4 only.

       -6     Do IPv6 only.

       -d|--debug
              Generate debugging output.  Specifying more than once increases the output.

       --version
              Print the version number and exit.

       -h|--help
              Help output

HOST AUTHENTICATION

       After  connecting,  the  host  is  first  validated using standard SSL.  The keys used for
       validation are in  $HOME/.gtlssh/server_certs  by  default.   If  the  given  key  is  not
       recognized, the user is prompted with the certificate fingerprint asking if the user wants
       to accept the certificate.

       If the user accepts the certificate, then it is added into the default directory.  If not,
       the connection is terminated.

       Certificates  are stored in the form "<hostname>,<port>.crt" and "<ipaddress>,<port>.crt".
       Both are created for a connection (unless connecting with an IP address).  A connection is
       verified  as  matching  both  entries,  if  the certificate in the file does not match the
       certificate from the remote end, the connection is terminated and the user informed.

USER AUTHENTICATION

       If host authentication succeeds, gtlssh authenticates itself with a key  and  certificate.
       These   files   are   fetch   by   default   from   $HOME/.gtlssh/keycerts   in  the  form
       <host>[,<port>].key and <host>[,<port>].crt.  If the form with the host and  port  exists,
       that  is  taken.  Otherwise if the form with just the host exists, it is taken.  Otherwise
       it defaults to $HOME/.gtlssh/default.key and $HOME/.gttlssh/default.crt.

       The remote end looks in $HOME/.gtlssh/allowed_certs for the certificate.   If  the  remote
       end does not have the certificate presented, then password authentication is tried.

ITERACTIVE MODE

       If  the  stdin  for  gtlssh  is a tty and no program is given to run, then the login is an
       interactive login.  Any sort of delay  in  I/O  processing  is  disabled,  and  the  local
       terminal is used for I/O and it is put into raw mode

       In  non-interactive mode, the local side uses stdio for local I/O and I/O processing delay
       on the network side is not disabled.  This is useful for programs transferring  data  over
       the connection.

ESCAPES

       If  the  escape  character is received from the user, the character is not transferred and
       the program waits for another character.  If  the  other  character  is  also  the  escape
       character, a single escape character is sent.  If the other character is not recognized as
       a valid escape, it is ignore and not transferred.  Upper and lower case are equivalent.

       Escape characters are:

       q      Quit the program.

       b      Send a break to io2.  Ignored if io2 does not support break.

       d      Dump serial data for io2.  Ignored if io2 is not a RFC2217 capable.

       s      Set the serial port (baud) rate for io2.  Ignored if io2 is  not  RFC2177  capable.
              After this, the serial port speed must be typed, terminated by a new line.  Invalid
              speeds are ignore, use escchar-d to know if you set it right.

       n, o, e
              Set the parity on io2 to none, odd,  or  even.   Ignored  if  io2  is  not  RFC2217
              capable.

       7, 8   Set the data size on io2 to 7 or 8 bits.  Ignored if io2 is not RFC2217 capable.

       1, 2   Set  the  number of stop bits to 1 or 2 on io2 bits.  Ignored if io2 is not RFC2217
              capable.

SEE ALSO

       gensio(5), gtlsshd(1), gtlssh-keygen(1), gmdns(1)

KNOWN PROBLEMS

       None.

AUTHOR

       Corey Minyard <minyard@acm.org>