Overview of vsh


vsh is an SSH2 command-line connection utility accessed from the Windows command prompt.

Using vsh

The following is the format for vsh commands:

vsh [options] [user@[domain@]]host[:port]

Options

The following lists the command-line options that can be used with vsh commands. Each entry gives the option, its argument (if any), and a description.

--accepthostkeys
    Instructs vsh to automatically accept host keys.

--auth <authentication list>
    The authentication methods to be used, in a comma-separated list. Valid methods are keyboard-interactive, publickey, password, gss-ms-kerberos, and gssapi.

--autoreconnect
    Instructs the application to automatically reconnect after being disconnected from the server.

-c <cipher>
    The cipher that the SSH2 server will use. Protocol strings or display strings are permitted.

--check-crls
    Instructs the application to check certificate revocation lists (CRLs) to ensure that certificates (and any in their chain) have not been listed as revoked.

-d listen-addr[:port]
    Specifies the local address, and optionally the port, to listen on.

-e <character>|none
    Sets the escape character, which takes you out of vsh without disconnecting, to the specified character (e.g., "~") or "none" (which disables escape handling). See the Escape Sequences section below for more information.

--http-proxy hostname[:port]
    Specifies the HTTP proxy to be used during connection.

--hostkeyalgorithm <host key algorithm>
    Specifies which host key algorithm to use. Valid algorithms are ssh-rsa, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-dss, pgp, x509v3-sign-rsa, x509v3-ssh-rsa, x509v3-sign-dss, and x509v3-ssh-dss.

    Note: The administrative policy for host key algorithms has precedence over the command-line option.

-i <file>
    The identity file to use for public-key authentication, or a PKCS #12 file to use for X.509 authentication.

    vsh also supports accessing certificates through PKCS #11. The locator prefix (e.g., "pkcs11::") and suffix (e.g., "::standard") specify which public-key algorithm to use. To use this feature, specify a string similar to one of the following examples, but using your PKCS #11 .dll file:

        pkcs11::prov=c:\windows\system32\opensc-pkcs11.dll
        pkcs11::prov=c:\windows\system32\pkcs11.dll::cert

    The above examples use the x509v3-sign-rsa algorithm.

        pkcs11::prov=c:\windows\system32\opensc-pkcs11.dll::standard

    The above example uses the x509v3-sign-rsa-sha1 algorithm.

        pkcs11key::prov=c:\windows\system32\pkcs11.dll

    The above example uses the ssh-rsa algorithm, which can be used to send the certificate as a raw key.

--kex <KEX>
    Specifies which key exchange algorithm to use. Valid algorithms are diffie-hellman, diffie-hellman-group14, diffie-hellman-group, diffie-hellman-group-exchange-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, Kerberos, and any OID (in dotted-number format) supported by the GSSAPI provider.

-l <username>
    The remote username.

--local [localip:]localport:remotehost:remoteport
    The port forward for the connection.

--log <file>
    Specifies the file where vsh will log all output, in addition to sending it to the console. If the file does not exist, vsh will create it; if the file does exist, vsh will append the output to it. If used in combination with the -v (verbose) option, the extra verbose output will also be logged.

-m <MAC>
    The MAC that the SSH2 server will use.

--noprompt
    Fails if prompted for user input.

--nopty
    Causes vsh not to allocate a tty. By default, vsh requests a tty if no command is specified on the command line.

--noshell
    Causes vsh not to request a shell; this is useful if the remote system does not allow shell access but does allow port forwarding.

-p <port>
    The port to be used during connection.

--passphrase <passphrase>
    The passphrase for your private key.

--pty
    Causes vsh to allocate a tty even if a command is given. By default, vsh does not request a tty if a command is specified on the command line.

-pw <password>
    Your user password. Valid with password and keyboard-interactive authentication.

--remote [remote-listen-addr:]remote-listen-port:dest-addr:dest-port
    The reverse port forward for the connection.

--socks4 server[:port]
    SOCKS version 4 server to be used during connection.

--socks5 server[:port]
    SOCKS version 5 server to be used during connection.

--spn <hostname>
    Allows you to manually specify the SPN (Service Principal Name). The SPN is almost always of the form host@<server canonical name>. An example of a valid string is "host@mail.mydomain.com". If the server is in a different Kerberos realm, the realm name may need to be appended (e.g., host@mail.mydomain.com@KRBS.MYDOMAIN.COM).

--subsystem <subsystem name>
    Starts the named SSH subsystem when the connection is established.

-v
    Displays verbose connection debug information.

-x
    Disables X11 forwarding.

-z <n>
    The compression level (0-9). By default, the compression level is set to 5. Setting the level to 0 turns off compression. When compression is on, vsh attempts to use zlib@openssh.com, zlib, and no compression, in that order, when making a connection.

-?, --help
    Displays usage.

Escape Sequences

vsh supports a number of functions by using escape characters. A single tilde character can be sent by entering the sequence ~~ or by following a tilde with a character other than those listed below. The escape sequences must always follow a newline.

Escape Sequence   Function

~~                Send a ~

~.                Disconnect

~^Z               Put Linux versions of vsh into the background
                  Note: This escape sequence will not work under vsh running on Windows.

~?                Display a list of escape characters

~R                Request re-keying of the connection (only useful for SSH protocol version 2 and only if the peer supports it)

~#                List open channels
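To make the escape rules above concrete, here is an added example (not code from vsh or its documentation) that models them as a small input filter: it separates keystrokes that go to the remote session from the local actions listed in the table, honours "~" only directly after a newline, sends a single "~" for "~~", and passes an unlisted sequence through unchanged. It assumes that a custom escape character set with -e behaves like "~" (doubling it sends it literally), that the first keystroke of a session counts as following a newline, and it represents Ctrl-Z as the byte 0x1A; none of these details are stated on the page.

```python
# Added example, not code from vsh or its documentation: a minimal model of the
# escape-sequence rules described above, so the "must follow a newline" rule and
# the "~~" / unlisted-character cases can be exercised on sample keystrokes.
# Assumptions: a custom escape character given with -e behaves like "~" (doubling
# it sends it literally), and the very first keystroke of a session counts as
# following a newline. Ctrl-Z is modelled as the byte 0x1A.

# Escape sequences listed on the page, keyed by the character that follows "~".
ACTIONS = {
    ".": "disconnect",
    "\x1a": "background",      # ~^Z; the page notes this does not work on Windows
    "?": "help",
    "R": "rekey",
    "#": "list-channels",
}


class EscapeFilter:
    """Splits typed input into characters for the remote side and local actions."""

    def __init__(self, escape_char="~"):
        # "-e none" disables escape handling entirely
        self.escape = None if escape_char == "none" else escape_char
        self.at_line_start = True   # assumption: start of input counts as after a newline
        self.pending = False        # escape char seen, waiting for the next key
        self.sent = []              # characters forwarded to the remote session
        self.actions = []           # local actions triggered, in order

    def feed(self, text):
        """Process keystrokes; returns self so calls can be chained."""
        for ch in text:
            self._feed_char(ch)
        return self

    def _feed_char(self, ch):
        if self.pending:
            self.pending = False
            if ch == self.escape:            # "~~" sends a single literal "~"
                self.sent.append(self.escape)
            elif ch in ACTIONS:              # a listed sequence: act locally, send nothing
                self.actions.append(ACTIONS[ch])
            else:                            # unlisted: both characters go to the remote side
                self.sent.append(self.escape + ch)
            self.at_line_start = ch in "\r\n"
            return
        if self.escape is not None and ch == self.escape and self.at_line_start:
            self.pending = True              # only honoured directly after a newline
            return
        self.sent.append(ch)
        self.at_line_start = ch in "\r\n"

    def sent_text(self):
        """Everything that would have been sent to the remote session."""
        return "".join(self.sent)


if __name__ == "__main__":
    # Constructed sample keystrokes: a command, a newline, then "~." (disconnect),
    # and a second session where a mid-line "~." is forwarded unchanged.
    f = EscapeFilter().feed("ls -l\n~.")
    print(repr(f.sent_text()), f.actions)       # 'ls -l\n' ['disconnect']
    g = EscapeFilter().feed("echo a~.b\n")
    print(repr(g.sent_text()), g.actions)       # 'echo a~.b\n' []
```

The second sample is the reason for the newline rule: a "~." in the middle of a typed or pasted line is ordinary data and reaches the remote side, so only a tilde at the start of a line can end the session.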

Examples

The following are examples of remote execution operations using the vsh command-line.

Move Files (UNIX remote)

In this example, vsh will fail if user intervention is required. vsh will use the specified private key "C:\keys\Identity" to authenticate with "redhat.com" using the "goodman" account. After successful authentication, the command "mv /test/*.dat /results" will be executed to move all files in the "/test" directory ending with ".dat" to the "/results" directory.

vsh --noprompt -i "C:\keys\Identity" goodman@redhat.com "mv /test/*.dat /results"

Delete Files (UNIX Remote)

In this example, vsh will use "password" authentication to authenticate the "johnson" account using the password "passw0rd" to "chronos". Communication will occur over port "22". After authentication, all files beginning with "2003" and ending with ".dat" will be removed from the "/dep" directory. A terminal session will then be requested.

vsh --auth password -l johnson -pw passw0rd -p 22 --pty chronos "rm /dep/2003*.dat"

Execute Shell Script (UNIX Remote)

vsh will authenticate "bleaker" on "redhat.com" using the private key "C:\keys\Identity" with public-key authentication. After authenticating, it will run the script "/usr/scripts/validate".

vsh -i "C:\keys\Identity" bleaker@redhat.com /usr/scripts/validate
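The target syntax from the Using vsh section, the --local and --remote forward formats from the options list, and the unattended invocations in these examples all share one practical need: a script that drives vsh should validate its arguments before launching it. The following added example (not code from vsh or its documentation) does that in Python: it parses [user@[domain@]]host[:port], parses both forward forms, flags a forward whose listening end is bound to a non-loopback address (and is therefore reachable from other machines), and builds an argument list in the style of the first example above, using a key file with --noprompt so a missing credential fails instead of hanging. It only builds the argument list; nothing here runs vsh. Two details are assumptions the page does not state: the connection port defaults to 22, and a forward written without a listen address is treated as bound to loopback.

```python
# Added example, not code from vsh or its documentation: a wrapper-side
# validator for the argument formats the page defines, plus a builder for an
# unattended invocation like the ones in the Examples section. It only builds
# the argument list; nothing here runs vsh.
# Assumptions (not stated on the page): the connection port defaults to 22,
# and a forward with no listen address is treated as bound to loopback.
from dataclasses import dataclass
from typing import Optional, Sequence

DEFAULT_SSH_PORT = 22
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def _parse_port(text: str) -> int:
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"invalid port: {text!r}")
    return int(text)


@dataclass(frozen=True)
class Target:
    host: str
    port: int
    user: Optional[str] = None
    domain: Optional[str] = None


def parse_target(spec: str) -> Target:
    """Parse [user@[domain@]]host[:port] (the vsh target syntax).

    '@' separates user, optional domain and host; IPv6 literals are not handled.
    """
    parts = spec.split("@")
    if len(parts) > 3 or any(p == "" for p in parts):
        raise ValueError(f"malformed target: {spec!r}")
    user = parts[0] if len(parts) > 1 else None
    domain = parts[1] if len(parts) == 3 else None
    host, sep, port = parts[-1].partition(":")
    if not host:
        raise ValueError(f"missing host in target: {spec!r}")
    return Target(host, _parse_port(port) if sep else DEFAULT_SSH_PORT, user, domain)


@dataclass(frozen=True)
class Forward:
    listen_addr: str
    listen_port: int
    dest_host: str
    dest_port: int

    @property
    def exposed(self) -> bool:
        """True when the listening end is reachable from other machines."""
        return self.listen_addr not in LOOPBACK


def parse_forward(spec: str) -> Forward:
    """Parse the --local form [localip:]localport:remotehost:remoteport and the
    --remote form [remote-listen-addr:]remote-listen-port:dest-addr:dest-port,
    which share one shape: three fields, or four with a leading listen address."""
    parts = spec.split(":")
    if len(parts) == 3:
        listen_addr, (listen_port, dest_host, dest_port) = "127.0.0.1", parts
    elif len(parts) == 4:
        listen_addr, listen_port, dest_host, dest_port = parts
    else:
        raise ValueError(f"malformed forward spec: {spec!r}")
    if not listen_addr or not dest_host:
        raise ValueError(f"empty address in forward spec: {spec!r}")
    return Forward(listen_addr, _parse_port(listen_port), dest_host, _parse_port(dest_port))


def build_argv(target: str, identity_file: str, command: str,
               local_forwards: Sequence[str] = (), allow_exposed: bool = False) -> list:
    """Build an unattended vsh command line: public-key auth from a key file,
    --noprompt so a missing credential fails instead of hanging, and a refusal
    to add a forward that listens on a non-loopback address unless asked to."""
    parse_target(target)                       # raises on a malformed target
    argv = ["vsh", "--noprompt", "--auth", "publickey", "-i", identity_file]
    for spec in local_forwards:
        fwd = parse_forward(spec)
        if fwd.exposed and not allow_exposed:
            raise ValueError(f"forward {spec!r} listens on {fwd.listen_addr}, not loopback")
        argv += ["--local", spec]
    return argv + [target, command]


if __name__ == "__main__":
    # Constructed input mirroring the page's first example; hand the list to
    # subprocess.run() to actually launch vsh.
    print(build_argv("goodman@redhat.com", r"C:\keys\Identity", "mv /test/*.dat /results"))
```

Keeping the password out of the argument list is the reason build_argv only supports key-file authentication: an argument such as -pw is visible to every local process that can list command lines, whereas a key file can be protected with file permissions and --passphrase left to an interactive session.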