[10563] | 1 | .\" -*- nroff -*- |
---|
| 2 | .\" |
---|
| 3 | .\" ssh-agent.1 |
---|
| 4 | .\" |
---|
| 5 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
---|
| 6 | .\" |
---|
| 7 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
---|
| 8 | .\" All rights reserved |
---|
| 9 | .\" |
---|
| 10 | .\" Created: Sat Apr 23 20:10:43 1995 ylo |
---|
| 11 | .\" |
---|
[12645] | 12 | .\" $Id: ssh-agent.1,v 1.1.1.3 1999-03-08 17:42:59 danw Exp $ |
---|
[10563] | 13 | .\" $Log: not supported by cvs2svn $ |
---|
[12645] | 14 | .\" Revision 1.8 1998/07/08 00:40:26 kivinen |
---|
| 15 | .\" Changed to do similar commercial #ifdef processing than other |
---|
| 16 | .\" files. |
---|
| 17 | .\" |
---|
| 18 | .\" Revision 1.7 1998/01/02 06:21:20 kivinen |
---|
[11071] | 19 | .\" Documented -k option. Renamed SSH_AUTHENCATION_SOCKET to |
---|
| 20 | .\" SSH_AUTH_SOCK. |
---|
| 21 | .\" |
---|
[10563] | 22 | .\" Revision 1.6 1997/04/27 21:48:50 kivinen |
---|
| 23 | .\" Added F-SECURE stuff. |
---|
| 24 | .\" |
---|
| 25 | .\" Revision 1.5 1997/03/25 05:42:01 kivinen |
---|
| 26 | .\" Added comment about ALTSHELL from napo. |
---|
| 27 | .\" Changed ylo's email to @ssh.fi. |
---|
| 28 | .\" |
---|
| 29 | .\" Revision 1.4 1997/03/19 17:38:20 kivinen |
---|
| 30 | .\" Added documentation for -c and -s options. |
---|
| 31 | .\" |
---|
| 32 | .\" Revision 1.3 1996/11/24 08:26:35 kivinen |
---|
| 33 | .\" Documented new usage of ssh-agent. |
---|
| 34 | .\" |
---|
| 35 | .\" Revision 1.2 1996/11/01 15:32:49 ttsalo |
---|
| 36 | .\" Updated the manpage |
---|
| 37 | .\" |
---|
| 38 | .\" Revision 1.1.1.1 1996/02/18 21:38:13 ylo |
---|
| 39 | .\" Imported ssh-1.2.13. |
---|
| 40 | .\" |
---|
| 41 | .\" Revision 1.4 1995/08/31 09:22:32 ylo |
---|
| 42 | .\" Minor cleanup. |
---|
| 43 | .\" |
---|
| 44 | .\" Revision 1.3 1995/08/29 22:30:57 ylo |
---|
| 45 | .\" *** empty log message *** |
---|
| 46 | .\" |
---|
| 47 | .\" Revision 1.2 1995/07/13 01:36:44 ylo |
---|
| 48 | .\" Removed "Last modified" header. |
---|
| 49 | .\" Added cvs log. |
---|
| 50 | .\" |
---|
| 51 | .\" $Endlog$ |
---|
| 52 | .\" |
---|
[12645] | 53 | .\" |
---|
| 54 | .\" |
---|
| 55 | .\" |
---|
| 56 | .\" #ifndef F_SECURE_COMMERCIAL |
---|
| 57 | .TH SSH-AGENT 1 "November 8, 1995" "SSH" "SSH" |
---|
| 58 | .\" #endif F_SECURE_COMMERCIAL |
---|

.SH NAME
ssh-agent \- authentication agent

.SH SYNOPSIS
.LP
.B ssh-agent
.I command

.B eval `ssh-agent
[\c
.BR \-k \c
]
[\c
.BR \-s \c
]
[\c
.BR \-c \c
]`

.SH DESCRIPTION
.LP
.B Ssh-agent
is a program to hold authentication private keys.  The idea is that
.B ssh-agent
is started at the beginning of an X session or a login session, and
all other windows or programs are started as children of the ssh-agent
program (the
.I command
normally starts X or is the user's shell).  Programs started under
the agent inherit a connection to the agent, and the agent is
automatically used for RSA authentication when logging in to other
machines using
.BR ssh .
.LP
If ssh-agent is started without any arguments (no command), it forks
and runs the agent as a background process.  The agent also prints
commands that can be evaluated in sh- or csh-like shells to set the
.B \s-1SSH_AUTH_SOCK\s0
and
.B \s-1SSH_AGENT_PID\s0
environment variables.  The
.B \s-1SSH_AGENT_PID\s0
environment variable can be used to kill the agent when it is no
longer needed (for example when you log out of the X session).  If no
options are given, ssh-agent uses the SHELL environment variable to
detect what kind of shell you have (*csh or sh-style).  The
.B \-c
option forces csh-style output, and the
.B \-s
option forces sh-style output.
.LP
Note that in SysV variants (at least IRIX and Solaris) the environment
variable SHELL might not contain the actual value of the shell
executing the evaluation.  If ALTSHELL is set to YES in
/etc/default/login, the SHELL environment variable is set to the login
shell of the user.
.LP
The
.B \-k
option kills a running agent.  It finds the agent using the
.B \s-1SSH_AGENT_PID\s0
environment variable, kills it, and prints shell commands to stdout
that unset the
.B \s-1SSH_AUTH_SOCK\s0
and
.B \s-1SSH_AGENT_PID\s0
environment variables.
.LP
The agent initially does not have any private keys.  Keys are added
using
.BR ssh-add .
When executed without arguments,
.B ssh-add
adds the
.I \&$HOME/\s+2.\s0ssh/identity
file.  If the identity has a passphrase,
.B ssh-add
asks for the passphrase (using a small X11 application if running
under X11, or from the terminal if running without X).  It then sends
the identity to the agent.  Several identities can be stored in the
agent; the agent can automatically use any of these identities.
.B "Ssh-add \-l"
displays the identities currently held by the agent.
.LP
The idea is that the agent is run on the user's local PC, laptop, or
terminal.  Authentication data need not be stored on any other
machine, and authentication passphrases never go over the network.
However, the connection to the agent is forwarded over
.B ssh
remote logins, and the user can thus use the privileges given by the
identities anywhere in the network in a secure way.
.LP
A connection to the agent is inherited by child programs.  A
unix-domain socket is created
(\fI/tmp/ssh-$USER/agent-socket-<pid>\fR), where <pid> is the process
id of the listener (the agent, or an sshd proxying the agent).  The
name of this socket is stored in the
.B \s-1SSH_AUTH_SOCK\s0
environment variable.  The socket is made accessible only to the
current user.  This method is easily abused by root or by another
process running as the same user.  Older versions of ssh used
inherited file descriptors for contacting the agent and used
unix-domain sockets in an incompatible way.
.LP
If a command is given as an argument to ssh-agent, the agent exits
automatically when that command terminates.  The command is executed
even if the agent fails to start its key-storing and
challenge-processing services.

.SH FILES
.TP
.I \&$HOME/\s+2.\s0ssh/identity
Contains the RSA authentication identity of the user.  This file
should not be readable by anyone but the user.  It is possible to
specify a passphrase when generating the key; that passphrase will be
used to encrypt the private part of this file.  This file is not used
by
.BR ssh-agent ,
but is normally added to the agent using
.B ssh-add
at login time.
.TP
.I \&/tmp/ssh-$USER/agent-socket-<pid>
Unix-domain sockets used to hold the connection to the authentication
agent.  These sockets should only be readable by the owner.  The
sockets should be removed automatically when the agent exits.  The
parent directory of ssh-$USER must have its sticky bit set.
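The socket layout described in DESCRIPTION and FILES, as an added shell example that is not part of the ssh-agent source or of this manual page: before a shell trusts the path in SSH_AUTH_SOCK, it verifies that the path is a unix-domain socket owned by the caller with no group or other access, that it sits in a per-user directory which is itself private, and that the directory's parent (normally /tmp) carries the sticky bit. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the ssh distribution: sanity checks on an
# ssh-agent socket path, following the ownership and permission rules
# that ssh-agent(1) documents for /tmp/ssh-$USER/agent-socket-<pid>.

# Return 0 if PATH exists, is not a symlink, is owned by the caller, and
# grants no access to group or others.  A sticky bit in the "other"
# execute slot (t/T) is tolerated so that private directories pass too.
agent_path_is_private() {
    p=$1
    [ -e "$p" ] || return 1
    [ -L "$p" ] && return 1
    [ -O "$p" ] || return 1
    # Columns 5-10 of "ls -ld" are the group and other permission bits.
    perm=$(ls -ld "$p" | cut -c5-10)
    case $perm in
        ------|-----t|-----T) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if SOCK is a unix-domain socket in a private per-user
# directory whose parent has the sticky bit set.  The first failing
# check is reported on stderr.
agent_socket_is_safe() {
    sock=$1
    dir=$(dirname "$sock")
    parent=$(dirname "$dir")
    [ -k "$parent" ] || { echo "$parent: sticky bit not set" >&2; return 1; }
    [ -d "$dir" ] && agent_path_is_private "$dir" \
        || { echo "$dir: not a private directory owned by you" >&2; return 1; }
    [ -S "$sock" ] || { echo "$sock: not a unix-domain socket" >&2; return 1; }
    agent_path_is_private "$sock" \
        || { echo "$sock: owner or mode is wrong" >&2; return 1; }
    return 0
}

# Usage: check the socket the current environment advertises, if any.
if [ -n "$SSH_AUTH_SOCK" ]; then
    agent_socket_is_safe "$SSH_AUTH_SOCK" && echo "SSH_AUTH_SOCK passes the checks"
fi
```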

.SH AUTHOR
.LP
Tatu Ylonen <ylo@ssh.fi>

.SH SEE ALSO
.BR ssh-add (1),
.BR ssh-keygen (1),
.BR ssh (1),
.BR sshd (8)