source: trunk/third/ssh/ssh-agent.1 @ 11072

Revision 11072, 5.8 KB checked in by danw, 27 years ago (diff)
This commit was generated by cvs2svn to compensate for changes in r11071, which included commits to RCS files with non-trunk default branches.
.\"  -*- nroff -*-
.\"
.\" ssh-agent.1
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\"
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\"                    All rights reserved
.\"
.\" Created: Sat Apr 23 20:10:43 1995 ylo
.\"
.\" $Id: ssh-agent.1,v 1.1.1.2 1998-01-24 01:25:16 danw Exp $
.\" $Log: not supported by cvs2svn $
.\" Revision 1.7  1998/01/02 06:21:20  kivinen
.\"     Documented -k option. Renamed SSH_AUTHENCATION_SOCKET to
.\"     SSH_AUTH_SOCK.
.\"
.\" Revision 1.6  1997/04/27 21:48:50  kivinen
.\"     Added F-SECURE stuff.
.\"
.\" Revision 1.5  1997/03/25 05:42:01  kivinen
.\"     Added comment about ALTSHELL from napo.
.\"     Changed ylo's email to @ssh.fi.
.\"
.\" Revision 1.4  1997/03/19 17:38:20  kivinen
.\"     Added documentation for -c and -s options.
.\"
.\" Revision 1.3  1996/11/24 08:26:35  kivinen
.\"     Documented new usage of ssh-agent.
.\"
.\" Revision 1.2  1996/11/01 15:32:49  ttsalo
.\"       Updated the manpage
.\"
.\" Revision 1.1.1.1  1996/02/18 21:38:13  ylo
.\"     Imported ssh-1.2.13.
.\"
.\" Revision 1.4  1995/08/31  09:22:32  ylo
.\"     Minor cleanup.
.\"
.\" Revision 1.3  1995/08/29  22:30:57  ylo
.\" *** empty log message ***
.\"
.\" Revision 1.2  1995/07/13  01:36:44  ylo
.\"     Removed "Last modified" header.
.\"     Added cvs log.
.\"
.\" $Endlog$
.\"
.nr CO 0
.ie \n(CO .TH SSH-AGENT 1 "November 8, 1995" "F-SECURE SSH" "F-SECURE SSH"
.el .TH SSH-AGENT 1 "November 8, 1995" "SSH" "SSH"

.SH NAME
ssh-agent \- authentication agent

.SH SYNOPSIS
.LP
.B ssh-agent
.I command

.B eval `ssh-agent
[\c
.BR \-k \c
]
[\c
.BR \-s \c
]
[\c
.BR \-c \c
]`

.SH DESCRIPTION
.LP
.B Ssh-agent
is a program to hold authentication private keys.  The
idea is that
.B ssh-agent
is started at the beginning of an X session or a login session, and
all other windows or programs are started as children of the ssh-agent
process (the
.IR command
normally starts X or is the user's shell).  Programs started under
the agent inherit a connection to the agent, and the agent is
automatically used for RSA authentication when logging in to other
machines using
.B ssh.
.LP
If
.B ssh-agent
is started without a command argument, it forks and runs the agent as
a background process.  It then prints shell commands, suitable for
evaluation by sh-style or csh-style shells, that set the
.B \s-1SSH_AUTH_SOCK\s0
and
.B \s-1SSH_AGENT_PID\s0
environment variables.
The
.B \s-1SSH_AGENT_PID\s0
environment variable can later be used to kill the agent when it is no
longer needed (for example when you log out of the X session).  If no
options are given, ssh-agent uses the SHELL environment variable to
detect what kind of shell you have (*csh or sh-style).  The
.BI \-c
option forces csh-style output, and the
.BI \-s
option forces sh-style output.
.LP
Note that in SysV variants (at least IRIX and Solaris)
the environment variable SHELL might not contain the
actual value of the shell executing the evaluation.
If ALTSHELL is set to YES in /etc/default/login, the SHELL
environment variable is set to the login shell of the user.
.LP
The
.BI \-k
option can be used to kill the agent when it is no longer needed.  It
kills the agent (using
.B \s-1SSH_AGENT_PID\s0
to find it) and prints shell commands to stdout that unset the
.B \s-1SSH_AUTH_SOCK\s0
and
.B \s-1SSH_AGENT_PID\s0
environment variables.
.LP
The agent initially does not have any private keys.  Keys are added
using
.B ssh-add.
When executed without arguments,
.B ssh-add
adds the
.I \&$HOME/\s+2.\s0ssh/identity
file.  If the identity has a passphrase,
.B ssh-add
asks for the passphrase (using a small X11 application if running
under X11, or from the terminal if running without X).  It then sends
the identity to the agent.  Several identities can be stored in the
agent; the agent can automatically use any of these identities.
.B "Ssh-add \-l"
displays the identities currently held by the agent.
.LP
The idea is that the agent is run on the user's local PC, laptop, or
terminal.  Authentication data need not be stored on any other
machine, and authentication passphrases never go over the network.
However, the connection to the agent is forwarded over
.B ssh
remote logins, and the user can thus use the privileges given by the
identities anywhere in the network in a secure way.
.LP
A connection to the agent is inherited by child programs.  A
unix-domain socket is created
(\fI/tmp/ssh-$USER/agent-socket-<pid>\fR), where <pid> is the process
id of the listener (the agent itself, or an sshd proxying a forwarded
agent).  The name of this socket is stored in the
.B \s-1SSH_AUTH_SOCK\s0
environment variable.  The socket is made accessible only to the
current user.  This protection is easily abused by root or by another
process running as the same user, since either can connect to the
socket exactly as ssh does.  Older versions of ssh used inherited
file descriptors for contacting the agent and used the unix-domain
sockets in an incompatible way.
.LP
If a command is given as an argument to ssh-agent, the agent exits
automatically when that command terminates.
The command is executed even if the agent fails to start its
key-storing and challenge-processing services.

.SH FILES
.TP
.I \&$HOME/\s+2.\s0ssh/identity
Contains the RSA authentication identity of the user.  This file
should not be readable by anyone but the user.  It is possible to
specify a passphrase when generating the key; that passphrase will be
used to encrypt the private part of this file.  This file
is not used by
.B ssh-agent,
but is normally added to the agent using
.B ssh-add
at login time.
.TP
.I \&/tmp/ssh-$USER/agent-socket-<pid>
Unix-domain sockets used to hold the connection to the
authentication agent.  These sockets should only be readable by the
owner.  The sockets should be removed automatically when the agent
exits.  The parent directory of ssh-$USER must have its sticky bit
set.
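.LP
The following shell script is an added example for this edition of the
page, not code from the ssh distribution.  It puts the DESCRIPTION's
two manual steps into functions (eval `ssh-agent -s` to start the
agent, eval `ssh-agent -k` to kill it through SSH_AGENT_PID) and,
before trusting a socket, verifies the properties stated above and in
FILES: the per-user directory is a real directory owned by the user
with mode rwx------ under a sticky-bit parent, and the socket is owned
by the user and not reachable by group or other.  Assumptions: a POSIX
sh with ls(1), id(1) and dirname(1); ssh-agent(1) in PATH only for
start_agent_checked and stop_agent; all function names are the
example's own.  The checks do not depend on the exact file names, so
they apply equally to an agent that lays its socket out under a
differently named directory.

```sh
#!/bin/sh
# Added example (not from the ssh distribution): guard the agent
# lifecycle and socket described in this page.  Assumes POSIX sh with
# ls(1), id(1), dirname(1); ssh-agent(1) is only needed by
# start_agent_checked and stop_agent.  Function names are our own.

# Succeed only if $1 is a real directory (not a symlink), owned by the
# current user, mode rwx------, whose parent has its sticky bit set
# (FILES requires that of the parent of ssh-$USER).
check_agent_dir() {
    cad_dir=$1
    [ -n "$cad_dir" ] || return 1
    [ ! -L "$cad_dir" ] || return 1      # a symlink could point anywhere
    [ -d "$cad_dir" ] || return 1
    set -- $(ls -ld "$cad_dir")          # $1 = mode string, $3 = owner
    case $1 in drwx------*) ;; *) return 1 ;; esac
    [ "$3" = "$(id -un)" ] || return 1
    set -- $(ls -ld "$(dirname "$cad_dir")")
    case $1 in d????????[tT]*) ;; *) return 1 ;; esac   # sticky bit
    return 0
}

# Succeed only if $1 (default $SSH_AUTH_SOCK) is a unix-domain socket
# owned by the current user with no group/other bits, inside a
# directory that passes check_agent_dir.  As the text warns, this does
# not defend against root or another process of the same user; it only
# catches sockets planted with looser permissions or reached via links.
check_auth_sock() {
    cas_sock=${1:-$SSH_AUTH_SOCK}
    [ -n "$cas_sock" ] || return 1
    [ ! -L "$cas_sock" ] || return 1
    [ -S "$cas_sock" ] || return 1
    set -- $(ls -ld "$cas_sock")
    case $1 in s???------*) ;; *) return 1 ;; esac
    [ "$3" = "$(id -un)" ] || return 1
    check_agent_dir "$(dirname "$cas_sock")"
}

# eval `ssh-agent -s` from the SYNOPSIS: -s forces sh-style output so
# the result does not depend on $SHELL (see the SysV note above).  The
# agent is killed again if its socket does not pass check_auth_sock.
start_agent_checked() {
    command -v ssh-agent >/dev/null 2>&1 || return 1
    eval "$(ssh-agent -s)" >/dev/null || return 1
    check_auth_sock "$SSH_AUTH_SOCK" && return 0
    echo "untrusted agent socket $SSH_AUTH_SOCK, killing agent" >&2
    stop_agent
    return 1
}

# eval `ssh-agent -k` from the SYNOPSIS: kills the agent found through
# SSH_AGENT_PID and unsets SSH_AUTH_SOCK and SSH_AGENT_PID.
stop_agent() {
    [ -n "$SSH_AGENT_PID" ] || return 1
    eval "$(ssh-agent -k)" >/dev/null
}
```

Source the file from .profile or .xsession, run start_agent_checked
followed by ssh-add, and arrange for stop_agent to run at logout (for
a login shell, trap stop_agent 0).  On a remote host reached with
agent forwarding, check_auth_sock alone is useful before relying on the
socket that sshd created.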

.SH AUTHOR
.LP
Tatu Ylonen <ylo@ssh.fi>

.SH SEE ALSO
.BR ssh-add (1),
.BR ssh-keygen (1),
.BR ssh (1),
.BR sshd (8)