source: trunk/third/ssh/ssh-agent.1 @ 12646

Revision 12646, 5.9 KB checked in by danw, 26 years ago
This commit was generated by cvs2svn to compensate for changes in r12645, which included commits to RCS files with non-trunk default branches.
.\"  -*- nroff -*-
.\"
.\" ssh-agent.1
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\"
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\"                    All rights reserved
.\"
.\" Created: Sat Apr 23 20:10:43 1995 ylo
.\"
.\" $Id: ssh-agent.1,v 1.1.1.3 1999-03-08 17:42:59 danw Exp $
.\" $Log: not supported by cvs2svn $
.\" Revision 1.8  1998/07/08 00:40:26  kivinen
.\"     Changed to do similar commercial #ifdef processing than other
.\"     files.
.\"
.\" Revision 1.7  1998/01/02  06:21:20  kivinen
.\"     Documented -k option. Renamed SSH_AUTHENTICATION_SOCKET to
.\"     SSH_AUTH_SOCK.
.\"
.\" Revision 1.6  1997/04/27 21:48:50  kivinen
.\"     Added F-SECURE stuff.
.\"
.\" Revision 1.5  1997/03/25 05:42:01  kivinen
.\"     Added comment about ALTSHELL from napo.
.\"     Changed ylo's email to @ssh.fi.
.\"
.\" Revision 1.4  1997/03/19 17:38:20  kivinen
.\"     Added documentation for -c and -s options.
.\"
.\" Revision 1.3  1996/11/24 08:26:35  kivinen
.\"     Documented new usage of ssh-agent.
.\"
.\" Revision 1.2  1996/11/01 15:32:49  ttsalo
.\"       Updated the manpage
.\"
.\" Revision 1.1.1.1  1996/02/18 21:38:13  ylo
.\"     Imported ssh-1.2.13.
.\"
.\" Revision 1.4  1995/08/31  09:22:32  ylo
.\"     Minor cleanup.
.\"
.\" Revision 1.3  1995/08/29  22:30:57  ylo
.\" *** empty log message ***
.\"
.\" Revision 1.2  1995/07/13  01:36:44  ylo
.\"     Removed "Last modified" header.
.\"     Added cvs log.
.\"
.\" $Endlog$
.\"
.\"
.\"
.\"
.\" #ifndef F_SECURE_COMMERCIAL
.TH SSH-AGENT 1 "November 8, 1995" "SSH" "SSH"
.\" #endif F_SECURE_COMMERCIAL

.SH NAME
ssh-agent \- authentication agent

.SH SYNOPSIS
.LP
.B ssh-agent
.I command

.B eval `ssh-agent
[\c
.BR \-k \c
]
[\c
.BR \-s \c
]
[\c
.BR \-c \c
]`

.SH DESCRIPTION
.LP
.B Ssh-agent
is a program that holds authentication private keys.  The
idea is that
.B ssh-agent
is started at the beginning of an X session or a login session, and
all other windows or programs are started as children of the ssh-agent
program (the
.IR command
normally starts X or is the user's shell).  Programs started under
the agent inherit a connection to the agent, and the agent is
automatically used for RSA authentication when logging in to other
machines using
.B ssh.
.LP
If ssh-agent is started without any arguments (no command), it
forks and starts the agent as a background process.  The agent also
prints commands that can be evaluated in sh- or csh-like shells and
that set the
.B \s-1SSH_AUTH_SOCK\s0
and
.B \s-1SSH_AGENT_PID\s0
environment variables.
The
.B \s-1SSH_AGENT_PID\s0
environment variable can be used to kill the agent
when it is no longer needed (for example when you log out of the X
session).  If no options are given, ssh-agent uses the SHELL
environment variable to detect what kind of shell you have (*csh or an
sh-style shell).  The
.BI \-c
option forces csh-style output, and the
.BI \-s
option forces sh-style output.
.LP
Note that in SysV variants (at least IRIX and Solaris)
the environment variable SHELL might not contain the
actual value of the shell executing the evaluation.
If ALTSHELL is set to YES in /etc/default/login, the SHELL
environment variable is set to the login shell of the user.
.LP
The
.BI \-k
option can be used to kill the agent.  It kills the agent (using the
.B \s-1SSH_AGENT_PID\s0
environment variable to find it) and prints shell commands to stdout
that unset the
.B \s-1SSH_AUTH_SOCK\s0
and
.B \s-1SSH_AGENT_PID\s0
environment variables.
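The following is an added example, not code from the SSH distribution or this
man page. It emulates the behaviour described above: choosing sh- or csh-style
output from SHELL (or from the \-s / \-c override), printing the commands that
set SSH_AUTH_SOCK and SSH_AGENT_PID, printing the \-k commands that unset them,
and a defensive sanity check on SSH_AGENT_PID before it is used to signal a
process. The exact text the real ssh-agent prints is assumed here, not copied
from the page; the function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not ssh-agent's own code): what `eval \`ssh-agent\`` consumes.

# Pick the output style.  $1 is an optional override ("-s" or "-c", as in
# the man page); $2 is the shell to inspect (defaults to $SHELL, then /bin/sh).
agent_shell_style() {
    local override=${1:-} shell=${2:-${SHELL:-/bin/sh}}
    case "$override" in
        -c) echo csh; return 0 ;;
        -s) echo sh;  return 0 ;;
    esac
    case "$shell" in
        *csh) echo csh ;;   # csh, tcsh
        *)    echo sh  ;;   # sh, bash, ksh, zsh, ...
    esac
}

# Commands that set both variables (assumed format).
# $1 = style (sh|csh), $2 = socket path, $3 = agent pid
agent_set_commands() {
    local style=$1 sock=$2 pid=$3
    if [ "$style" = csh ]; then
        printf 'setenv SSH_AUTH_SOCK %s;\n' "$sock"
        printf 'setenv SSH_AGENT_PID %s;\n' "$pid"
    else
        printf 'SSH_AUTH_SOCK=%s; export SSH_AUTH_SOCK;\n' "$sock"
        printf 'SSH_AGENT_PID=%s; export SSH_AGENT_PID;\n' "$pid"
    fi
}

# Commands that -k emits to unset both variables (assumed format).
agent_unset_commands() {
    if [ "$1" = csh ]; then
        printf 'unsetenv SSH_AUTH_SOCK;\nunsetenv SSH_AGENT_PID;\n'
    else
        printf 'unset SSH_AUTH_SOCK;\nunset SSH_AGENT_PID;\n'
    fi
}

# Before trusting SSH_AGENT_PID for a kill, require a positive integer
# greater than 1; anything else means a stale or tampered environment.
agent_pid_is_sane() {
    case "${1:-}" in
        ''|*[!0-9]*) return 1 ;;
        *) [ "$1" -gt 1 ] ;;
    esac
}

# Usage (constructed values):
#   agent_set_commands "$(agent_shell_style "" "$SHELL")" /tmp/ssh-alice/agent-socket-4242 4242
#   agent_pid_is_sane "$SSH_AGENT_PID" && kill "$SSH_AGENT_PID"
```

Because the printed commands are fed to eval, the socket path ends up inside
the shell's command text; ssh-agent controls that path itself, but any wrapper
that builds such commands from other input should treat it as untrusted.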
.LP
The agent initially does not have any private keys.  Keys are added
using
.B ssh-add.
When executed without arguments,
.B ssh-add
adds the
.I \&$HOME/\s+2.\s0ssh/identity
file.  If the identity has a passphrase,
.B ssh-add
asks for the passphrase (using a small X11 application if running
under X11, or from the terminal if running without X).  It then sends
the identity to the agent.  Several identities can be stored in the
agent; the agent can automatically use any of these identities.
.B "Ssh-add \-l"
displays the identities currently held by the agent.
.LP
The idea is that the agent is run on the user's local PC, laptop, or
terminal.  Authentication data need not be stored on any other
machine, and authentication passphrases never go over the network.
However, the connection to the agent is forwarded over
.B ssh
remote logins, and the user can thus use the privileges given by the
identities anywhere in the network in a secure way.
.LP
A connection to the agent is inherited by child programs.  A
unix-domain socket is created
(\fI/tmp/ssh-$USER/agent-socket-<pid>\fR), where <pid> is the process
id of the listener (the agent, or an sshd proxying the agent).  The name
of this socket is stored in the
.B \s-1SSH_AUTH_SOCK\s0
environment variable.  The socket is made accessible only to the
current user.  This method is easily abused by root or by another
instance of the same user.  Older versions of ssh used inherited
file descriptors for contacting the agent and used unix-domain
sockets in an incompatible way.
.LP
If a command is given as an argument to ssh-agent, the agent exits
automatically when that command terminates.
The command is executed even if the agent fails to start its key-storing
and challenge-processing services.

.SH FILES
.TP
.I \&$HOME/\s+2.\s0ssh/identity
Contains the RSA authentication identity of the user.  This file
should not be readable by anyone but the user.  It is possible to
specify a passphrase when generating the key; that passphrase will be
used to encrypt the private part of this file.  This file
is not used by
.B ssh-agent,
but is normally added to the agent using
.B ssh-add
at login time.
.TP
.I \&/tmp/ssh-$USER/agent-socket-<pid>
Unix-domain sockets used to hold the connection to the
authentication agent.  These sockets should only be readable by the
owner.  The sockets should be removed automatically when the agent
exits.  The parent directory of ssh-$USER must have its sticky bit
set.

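The following is an added example, not part of the SSH distribution: a set of
checks a login script can run before trusting an agent socket, covering the
requirements stated in the DESCRIPTION and FILES sections (socket owned by and
accessible only to the current user, ssh-$USER directory owned by the user and
closed to group/other, sticky bit on the parent directory). It assumes an
`ls -ld` that prints the usual 10-character mode field and a shell whose
`test` supports \-O, \-S and \-k (bash and dash do); the function names and the
ssh-alice paths in the usage comment are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not ssh-agent's own code): validate an agent socket and its
# directory against the man page's ownership and permission requirements.

# Mode string (e.g. "drwx------") of a path, taken from ls -ld.
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# $1 is the ssh-$USER directory.  Succeeds only if it is a directory we own,
# with no group/other permission bits, and its parent (normally /tmp) is
# sticky, so other users cannot rename or remove the directory.
check_agent_dir() {
    local dir=$1 parent
    parent=$(dirname -- "$dir")
    [ -d "$dir" ] && [ -O "$dir" ] || return 1      # must exist and be ours
    case "$(mode_of "$dir")" in
        d???------) ;;                               # owner-only, e.g. 0700
        *) return 1 ;;
    esac
    [ -k "$parent" ]                                 # sticky bit on parent
}

# $1 is the path from SSH_AUTH_SOCK.  Succeeds only for a unix-domain socket
# that we own and that group/other cannot touch.
check_agent_socket() {
    local sock=$1
    [ -S "$sock" ] && [ -O "$sock" ] || return 1     # a socket, owned by us
    case "$(mode_of "$sock")" in
        s???------) return 0 ;;
        *) return 1 ;;
    esac
}

# Combined check for use from a login script, for example:
#   check_agent_env "$SSH_AUTH_SOCK" || unset SSH_AUTH_SOCK SSH_AGENT_PID
check_agent_env() {
    check_agent_dir "$(dirname -- "$1")" && check_agent_socket "$1"
}
```

The directory check matters as much as the socket check: without the sticky
bit on /tmp, any local user could remove or rename /tmp/ssh-$USER and plant a
directory of the same name, which is the root/same-user abuse the
DESCRIPTION warns about.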
.SH AUTHOR
.LP
Tatu Ylonen <ylo@ssh.fi>

.SH SEE ALSO
.BR ssh-add (1),
.BR ssh-keygen (1),
.BR ssh (1),
.BR sshd (8)