Provided by: gensio-bin_2.8.2-6.1build1_amd64

NAME

       gtlssh - Shell connection  over TLS

SYNOPSIS

       gtlssh [options] <host> [<program>]

DESCRIPTION

       The  gtlssh  program  connects  to  a  remote  server,  authenticates  the  remote server using SSL, then
       authenticates itself with the server.

       gtlssh will attempt an SCTP connection first if SCTP support is enabled (see --sctp), and fall back to TCP
       if that doesn't work.

WINDOWS HACKS

       See "WINDOWS HACKS" in the gtlssh-keygen.1 man page for information about special windows configuration.

OPTIONS

       -p|--port port
              Use the given port instead of the default port.

       -i|--keyfile file
              Use the given file for the key instead of the default.  If you specify this, the certfile will  be
              the same name ending in .crt, unless you specify it explicitly.

       --certfile file
              Set the certificate to use.

       --cadir directory
              Set the directory that holds the certificate authority used to authenticate the server.

       -e|--escchar char
              Specify  a  character  to  use  for  the  escape  character.  Setting it to -1 disables the escape
              character.  This can either be a decimal or hexadecimal number or ^x to set a  control  character.
              By  default it is ^\ if io1 is the default and stdin is a tty, or disabled otherwise.  See ESCAPES
              below for more details on the escape character.  Only handled on io1.

       -r|--telnet
              Do telnet processing with RFC2217 handling.

       --nosctp
              Disable SCTP support.  It is disabled by default.

       --sctp Enable SCTP support.

       --notcp
              Disable TCP support

       --transport <connecter>
              Instead of using SCTP or TCP, use the given gensio connecter for transport.   In  this  case,  the
              host  is  required  but  the  hostname  part  is  ignored.  This is so the username can be set, if
              required.

       --mdns Look up the name using mDNS.  This will fetch the IP address, IPv4 or IPv6, the port  number  and
              whether telnet is required, and make the connection.

       --mdns-type
              Set the type used for the lookup.  See the gmdns(1) man page under 'STRING VALUES FOR QUERIES' for
              detail on how to do regex, glob, etc.

       --nomux
              Don't  use  a  mux  gensio.   This  may cause issues with gtlsshd, but is useful in some cases for
              talking with ser2net with no mux support.

       --privileged
              When logging onto a Windows server, don't drop privileges on a privileged account.  Normally  you
              are  logged in and run as a normal user (with a privileged linked token); this allows you to run
              privileged.  Requires --allow-root on the server.

       -L <accept addr>:<connect addr>
              Listen at the <accept addr> on the local machine, and if a connection comes in forward it to  the
              <connect addr> from the remote machine on the gtlssh connection.  A local address is in the  form
              [<bind addr>:][sctp|tcp,]port  or  <unix socket path>.   Remote  addresses  are  in  the  form
              <hostname>:[sctp|tcp,]port or <unix socket path>.  If a name begins with '/' it is a unix  socket
              path.  <hostname> and <bind addr> are standard internet names or addresses.

       -R <accept addr>:<connect addr>
              Like -L, except the <accept addr> is on the remote machine and <connect addr>  is  done  from  the
              local machine.

       -4     Do IPv4 only.

       -6     Do IPv6 only.

       -d|--debug
              Generate debugging output.  Specifying more than once increases the output.

       --version
              Print the version number and exit.

       -h|--help
              Help output

HOST AUTHENTICATION

       After  connecting,  the  host is first validated using standard TLS.  The certificates used for validation
       are in $HOME/.gtlssh/server_certs by default.  If the presented certificate is not recognized, the user is
       prompted with the certificate fingerprint asking if the user wants to accept the certificate.  Compare the
       fingerprint against one obtained out of band (for instance from the server's administrator) before
       accepting it; a certificate accepted blindly on first use may belong to a man-in-the-middle rather than to
       the intended server.

       If the user accepts the certificate, then it is added into the default directory.  If not, the connection
       is terminated.

       Certificates are stored in the  form  "<hostname>,<port>.crt"  and  "<ipaddress>,<port>.crt".   Both  are
       created  for  a  connection (unless connecting with an IP address).  A connection is verified against both
       entries; if the certificate in either file does not match the certificate from the remote  end,  the
       connection is terminated and the user informed.

USER AUTHENTICATION

       If host authentication succeeds, gtlssh authenticates itself with a key and certificate.  These files are
       fetched by default from $HOME/.gtlssh/keycerts in the form <host>[,<port>].key and <host>[,<port>].crt.  If
       the  form with the host and port exists, that is taken.  Otherwise if the form with just the host exists,
       it is taken.  Otherwise it defaults to $HOME/.gtlssh/default.key and $HOME/.gtlssh/default.crt.

       The remote end looks in $HOME/.gtlssh/allowed_certs for the certificate.  If the remote end does not have
       the certificate presented, then password authentication is tried.
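       The file lookups described under HOST AUTHENTICATION and USER AUTHENTICATION, written out as an added
       Python example.  This is not gtlssh's own code (gtlssh is written in C); the certificate contents,
       host names, addresses and port 852 are constructed sample input, and the SHA-256 fingerprint format
       is an assumption, since the page does not say which hash gtlssh displays.

```python
"""Added illustration of the client-side lookups in HOST AUTHENTICATION and
USER AUTHENTICATION.  Not gtlssh's own code (gtlssh is written in C); the
certificate contents, host names and port are constructed sample input."""
import hashlib
import os
import tempfile


def server_cert_paths(certdir, host, port, ipaddr):
    """'<hostname>,<port>.crt' and '<ipaddress>,<port>.crt'.  When the user
    connected by IP address both names coincide, so only one file is used."""
    paths = [os.path.join(certdir, f"{ipaddr},{port}.crt")]
    if host != ipaddr:
        paths.insert(0, os.path.join(certdir, f"{host},{port}.crt"))
    return paths


def fingerprint(cert_bytes):
    """Fingerprint to show when prompting.  SHA-256 of the stored bytes is an
    assumption; the page does not say which hash gtlssh displays."""
    digest = hashlib.sha256(cert_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_server_cert(certdir, host, port, ipaddr, presented):
    """'accept' if every stored entry equals the presented certificate,
    'reject' if any stored entry differs (connection is terminated), and
    'prompt' if nothing is stored yet (trust on first use)."""
    seen = False
    for path in server_cert_paths(certdir, host, port, ipaddr):
        if not os.path.exists(path):
            continue
        seen = True
        with open(path, "rb") as f:
            if f.read() != presented:
                return "reject"
    return "accept" if seen else "prompt"


def store_server_cert(certdir, host, port, ipaddr, presented):
    """After the user accepts the fingerprint, both entries are written."""
    for path in server_cert_paths(certdir, host, port, ipaddr):
        with open(path, "wb") as f:
            f.write(presented)


def client_keycert(keycertdir, gtlsshdir, host, port):
    """Key/cert pair to present: '<host>,<port>' first, then '<host>', then
    <gtlsshdir>/default.  Returns (keyfile, certfile)."""
    for base in (f"{host},{port}", host):
        key = os.path.join(keycertdir, base + ".key")
        if os.path.exists(key):
            return key, os.path.join(keycertdir, base + ".crt")
    return (os.path.join(gtlsshdir, "default.key"),
            os.path.join(gtlsshdir, "default.crt"))


def host_auth_demo():
    """First connection, reconnect, changed certificate, and a host whose
    name now resolves elsewhere, using constructed certificate bytes."""
    good = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-SAMPLE-1\n-----END CERTIFICATE-----\n"
    evil = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-SAMPLE-2\n-----END CERTIFICATE-----\n"
    with tempfile.TemporaryDirectory() as d:
        args = (d, "example.test", 852, "192.0.2.10")
        first = check_server_cert(*args, good)      # nothing stored: prompt
        store_server_cert(*args, good)              # user accepted
        second = check_server_cert(*args, good)     # both entries match
        third = check_server_cert(*args, evil)      # hostname entry differs
        # Same name, new address: the hostname entry still pins the old cert.
        moved = check_server_cert(d, "example.test", 852, "198.51.100.7", evil)
        return first, second, third, moved


def keycert_demo():
    """Precedence: '<host>,<port>.key' beats '<host>.key' beats default.key."""
    with tempfile.TemporaryDirectory() as d:
        kc = os.path.join(d, "keycerts")
        os.mkdir(kc)
        chosen = []
        for name in (None, "example.test.key", "example.test,852.key"):
            if name:
                open(os.path.join(kc, name), "w").close()
            chosen.append(os.path.basename(client_keycert(kc, d, "example.test", 852)[0]))
        return chosen


if __name__ == "__main__":
    print(host_auth_demo(), keycert_demo())
```

       The "moved" case is the one worth noting: because the hostname entry is checked as well as the address
       entry, a server that changes its certificate (or an attacker answering for the name at a new address)
       is rejected rather than silently re-prompted, so the stale file must be removed deliberately.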

INTERACTIVE MODE

       If the stdin for gtlssh is a tty and no program is given to run, then the login is an interactive  login.
       Any  sort  of  delay  in I/O processing is disabled, the local terminal is used for I/O, and it is put
       into raw mode.

       In non-interactive mode, the local side uses stdio for local I/O and I/O processing delay on the  network
       side is not disabled.  This is useful for programs transferring data over the connection.

ESCAPES

       If the escape character is received from the user, the character is not transferred and the program waits
       for another character.  If the other character is also the escape character, a single escape character is
       sent.   If  the  other  character  is not recognized as a valid escape, it is ignored and not transferred.
       Upper and lower case are equivalent.

       Escape characters are:

       q      Quit the program.

       b      Send a break to io2.  Ignored if io2 does not support break.

       d      Dump serial data for io2.  Ignored if io2 is not a RFC2217 capable.

       s      Set the serial port (baud) rate for io2.  Ignored if io2 is not RFC2217 capable.  After this,  the
              serial  port  speed  must  be  typed,  terminated  by  a new line.  Invalid speeds are ignored; use
              escchar-d to check that you set it right.

       n, o, e
              Set the parity on io2 to none, odd, or even.  Ignored if io2 is not RFC2217 capable.

       7, 8   Set the data size on io2 to 7 or 8 bits.  Ignored if io2 is not RFC2217 capable.

       1, 2   Set the number of stop bits to 1 or 2 on io2.  Ignored if io2 is not RFC2217 capable.
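       The escape processing described in this section and the -e|--escchar value syntax, written out as an
       added Python example.  This is not gtlssh's own code; the action names, the treatment of ^? as DEL, and
       the sample keystrokes are assumptions made for the illustration.

```python
"""Added illustration of the -e value syntax and the ESCAPES state machine.
Not gtlssh's own code; action names and sample input are constructed."""

# Single-character escapes from the ESCAPES section, mapped to action names
# chosen for this example.
ESCAPE_ACTIONS = {
    "q": "quit", "b": "break", "d": "dump_serial", "s": "set_baud",
    "n": "parity_none", "o": "parity_odd", "e": "parity_even",
    "7": "datasize_7", "8": "datasize_8", "1": "stopbits_1", "2": "stopbits_2",
}


def parse_escchar(text):
    """Parse an -e argument: decimal, hexadecimal (0x..) or ^x for a control
    character.  -1 disables the escape character (returned as None).
    ^? meaning DEL is an assumption, not stated on the page."""
    text = text.strip()
    if text.startswith("^") and len(text) == 2:
        return 0x7F if text[1] == "?" else ord(text[1].upper()) & 0x1F
    value = int(text, 0)
    if value == -1:
        return None
    if not 0 <= value <= 255:
        raise ValueError("escape character must be -1 or 0..255")
    return value


class EscapeFilter:
    """Filters bytes typed on io1.  feed() returns (bytes to forward to io2,
    list of actions).  After 's' the digits up to a newline are the baud
    rate; an invalid rate is ignored, as the man page says."""

    def __init__(self, escchar):
        self.esc = escchar      # None: escape character disabled
        self.pending = False    # escape seen, waiting for the next character
        self.baud = None        # str while a baud rate is being typed

    def feed(self, data):
        out = bytearray()
        actions = []
        for b in data:
            if self.baud is not None:
                if b in (0x0A, 0x0D):
                    if self.baud.isdigit():
                        actions.append(("set_baud", int(self.baud)))
                    self.baud = None
                else:
                    self.baud += chr(b)
            elif self.pending:
                self.pending = False
                if b == self.esc:
                    out.append(b)               # doubled escape sends one
                else:
                    action = ESCAPE_ACTIONS.get(chr(b).lower())
                    if action == "set_baud":
                        self.baud = ""
                    elif action:
                        actions.append((action,))
                    # unrecognized: swallowed, not forwarded
            elif self.esc is not None and b == self.esc:
                self.pending = True
            else:
                out.append(b)
        return bytes(out), actions


def escape_demo():
    """Constructed keystrokes against the default ^\\ escape character."""
    f = EscapeFilter(parse_escchar("^\\"))
    esc = b"\x1c"
    out1, acts1 = f.feed(b"ls\n" + esc + esc + b"x")     # doubled -> one 0x1c
    out2, acts2 = f.feed(esc + b"B" + b"hi")             # 'B' same as 'b'
    out3, acts3 = f.feed(esc + b"s115200\n" + esc + b"sfast\n")  # 2nd ignored
    out4, acts4 = f.feed(esc + b"z" + b"ok")             # unknown: dropped
    return out1, acts1, out2, acts2, out3, acts3, out4, acts4


if __name__ == "__main__":
    print(escape_demo())
```

       Note that while a baud rate is being typed every byte is consumed locally, so a stray escchar-s with no
       newline will keep swallowing input until one arrives.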

SEE ALSO

       gensio(5), gtlsshd(1), gtlssh-keygen(1), gmdns(1)

KNOWN PROBLEMS

       None.

AUTHOR

       Corey Minyard <minyard@acm.org>

Shell connection over TLS                           01/02/19                                           gtlssh(1)