1 | SSH-AGENT(1) System General Commands Manual SSH-AGENT(1) |
---|
2 | |
---|
3 | NAME |
---|
4 | ssh-agent - authentication agent |
---|
5 | |
---|
6 | SYNOPSIS |
---|
7 | ssh-agent [-a bind_address] [-c | -s] [-d] [command [args ...]] |
---|
8 | ssh-agent [-c | -s] -k |
---|
9 | |
---|
10 | DESCRIPTION |
---|
11 | ssh-agent is a program to hold private keys used for public key authentiM-- |
---|
12 | cation (RSA, DSA). The idea is that ssh-agent is started in the beginM-- |
---|
13 | ning of an X-session or a login session, and all other windows or proM-- |
---|
14 | grams are started as clients to the ssh-agent program. Through use of |
---|
15 | environment variables the agent can be located and automatically used for |
---|
16 | authentication when logging in to other machines using ssh(1). |
---|
17 | |
---|
18 | The options are as follows: |
---|
19 | |
---|
20 | -a bind_address |
---|
21 | Bind the agent to the unix-domain socket bind_address. The |
---|
22 | default is /tmp/ssh-XXXXXXXX/agent.<ppid>. |
---|
23 | |
---|
24 | -c Generate C-shell commands on stdout. This is the default if |
---|
25 | SHELL looks like it's a csh style of shell. |
---|
26 | |
---|
27 | -s Generate Bourne shell commands on stdout. This is the default if |
---|
28 | SHELL does not look like it's a csh style of shell. |
---|
29 | |
---|
30 | -k Kill the current agent (given by the SSH_AGENT_PID environment |
---|
31 | variable). |
---|
32 | |
---|
33 | -d Debug mode. When this option is specified ssh-agent will not |
---|
34 | fork. |
---|
35 | |
---|
36 | If a commandline is given, this is executed as a subprocess of the agent. |
---|
37 | When the command dies, so does the agent. |
---|
38 | |
---|
39 | The agent initially does not have any private keys. Keys are added using |
---|
40 | ssh-add(1). When executed without arguments, ssh-add(1) adds the files |
---|
41 | $HOME/.ssh/id_rsa, $HOME/.ssh/id_dsa and $HOME/.ssh/identity. If the |
---|
42 | identity has a passphrase, ssh-add(1) asks for the passphrase (using a |
---|
43 | small X11 application if running under X11, or from the terminal if runM-- |
---|
44 | ning without X). It then sends the identity to the agent. Several idenM-- |
---|
45 | tities can be stored in the agent; the agent can automatically use any of |
---|
46 | these identities. ssh-add -l displays the identities currently held by |
---|
47 | the agent. |
---|
48 | |
---|
49 | The idea is that the agent is run in the user's local PC, laptop, or terM-- |
---|
50 | minal. Authentication data need not be stored on any other machine, and |
---|
51 | authentication passphrases never go over the network. However, the conM-- |
---|
52 | nection to the agent is forwarded over SSH remote logins, and the user |
---|
53 | can thus use the privileges given by the identities anywhere in the netM-- |
---|
54 | work in a secure way. |
---|
55 | |
---|
56 | There are two main ways to get an agent setup: Either the agent starts a |
---|
57 | new subcommand into which some environment variables are exported, or the |
---|
58 | agent prints the needed shell commands (either sh(1) or csh(1) syntax can |
---|
59 | be generated) which can be evalled in the calling shell. Later ssh(1) |
---|
60 | looks at these variables and uses them to establish a connection to the |
---|
61 | agent. |
---|
62 | |
---|
63 | The agent will never send a private key over its request channel. |
---|
64 | Instead, operations that require a private key will be performed by the |
---|
65 | agent, and the result will be returned to the requester. This way, priM-- |
---|
66 | vate keys are not exposed to clients using the agent. |
---|
67 | |
---|
68 | A unix-domain socket is created and the name of this socket is stored in |
---|
69 | the SSH_AUTH_SOCK environment variable. The socket is made accessible |
---|
70 | only to the current user. This method is easily abused by root or |
---|
71 | another instance of the same user. |
---|
72 | |
---|
73 | The SSH_AGENT_PID environment variable holds the agent's process ID. |
---|
74 | |
---|
75 | The agent exits automatically when the command given on the command line |
---|
76 | terminates. |
---|
77 | |
---|
78 | FILES |
---|
79 | $HOME/.ssh/identity |
---|
80 | Contains the protocol version 1 RSA authentication identity of |
---|
81 | the user. |
---|
82 | |
---|
83 | $HOME/.ssh/id_dsa |
---|
84 | Contains the protocol version 2 DSA authentication identity of |
---|
85 | the user. |
---|
86 | |
---|
87 | $HOME/.ssh/id_rsa |
---|
88 | Contains the protocol version 2 RSA authentication identity of |
---|
89 | the user. |
---|
90 | |
---|
91 | /tmp/ssh-XXXXXXXX/agent.<ppid> |
---|
92 | Unix-domain sockets used to contain the connection to the authenM-- |
---|
93 | tication agent. These sockets should only be readable by the |
---|
94 | owner. The sockets should get automatically removed when the |
---|
95 | agent exits. |
---|
96 | |
---|
97 | AUTHORS |
---|
98 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by |
---|
99 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo |
---|
100 | de Raadt and Dug Song removed many bugs, re-added newer features and creM-- |
---|
101 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol |
---|
102 | versions 1.5 and 2.0. |
---|
103 | |
---|
104 | SEE ALSO |
---|
105 | ssh(1), ssh-add(1), ssh-keygen(1), sshd(8) |
---|
106 | |
---|
107 | BSD September 25, 1999 BSD |
---|