.\" -*- nroff -*-
.\"
.\" ssh-agent.1
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\"
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\" All rights reserved
.\"
.\" Created: Sat Apr 23 20:10:43 1995 ylo
.\"
.\" $Id: ssh-agent.1,v 1.1.1.3 1999-03-08 17:42:59 danw Exp $
.\" $Log: not supported by cvs2svn $
.\" Revision 1.8 1998/07/08 00:40:26 kivinen
.\" Changed to do similar commercial #ifdef processing than other
.\" files.
.\"
.\" Revision 1.7 1998/01/02 06:21:20 kivinen
.\" Documented -k option. Renamed SSH_AUTHENCATION_SOCKET to
.\" SSH_AUTH_SOCK.
.\"
.\" Revision 1.6 1997/04/27 21:48:50 kivinen
.\" Added F-SECURE stuff.
.\"
.\" Revision 1.5 1997/03/25 05:42:01 kivinen
.\" Added comment about ALTSHELL from napo.
.\" Changed ylo's email to @ssh.fi.
.\"
.\" Revision 1.4 1997/03/19 17:38:20 kivinen
.\" Added documentation for -c and -s options.
.\"
.\" Revision 1.3 1996/11/24 08:26:35 kivinen
.\" Documented new usage of ssh-agent.
.\"
.\" Revision 1.2 1996/11/01 15:32:49 ttsalo
.\" Updated the manpage
.\"
.\" Revision 1.1.1.1 1996/02/18 21:38:13 ylo
.\" Imported ssh-1.2.13.
.\"
.\" Revision 1.4 1995/08/31 09:22:32 ylo
.\" Minor cleanup.
.\"
.\" Revision 1.3 1995/08/29 22:30:57 ylo
.\" *** empty log message ***
.\"
.\" Revision 1.2 1995/07/13 01:36:44 ylo
.\" Removed "Last modified" header.
.\" Added cvs log.
.\"
.\" $Endlog$
.\"
.\"
.\"
.\"
.\" #ifndef F_SECURE_COMMERCIAL
.TH SSH-AGENT 1 "November 8, 1995" "SSH" "SSH"
.\" #endif F_SECURE_COMMERCIAL

.SH NAME
ssh-agent \- authentication agent

.SH SYNOPSIS
.LP
.B ssh-agent
.I command

.B eval `ssh-agent
[\c
.BR \-k \c
]
[\c
.BR \-s \c
]
[\c
.BR \-c \c
]`

.SH DESCRIPTION
.LP
.B Ssh-agent
is a program to hold authentication private keys. The
idea is that
.B ssh-agent
is started in the beginning of an X-session or a login session, and
all other windows or programs are started as children of the ssh-agent
program (the
.IR command
normally starts X or is the user shell). Programs started under
the agent inherit a connection to the agent, and the agent is
automatically used for RSA authentication when logging in to other
machines using
.B ssh.
.LP
If
.B ssh-agent
is started without any arguments (no command), it will
fork and start the agent as a background process. The agent also prints
commands that can be evaluated in sh- or csh-like shells and that set
the
.B \s-1SSH_AUTH_SOCK\s0
and
.B \s-1SSH_AGENT_PID\s0
environment variables.
The
.B \s-1SSH_AGENT_PID\s0
environment variable can be used to kill the agent
when it is no longer needed (you log out from the X-session etc). If no
options are given, ssh-agent uses the SHELL environment variable to
detect what kind of shell you have (*csh or sh-style shell). The
.BI \-c
option forces csh-style shell commands, and the
.BI \-s
option forces sh-style shell commands.
.LP
Note that in SysV variants (at least IRIX and Solaris)
the environment variable SHELL might not contain the
actual value of the shell executing the evaluation.
If ALTSHELL is set to YES in /etc/default/login, the SHELL
environment variable is set to the login shell of the user.
.LP
The
.BI \-k
option can be used to kill the agent automatically. It kills the agent (it
uses the
.B \s-1SSH_AGENT_PID\s0
variable to find it) and prints shell commands to stdout that will unset the
.B \s-1SSH_AUTH_SOCK\s0
and
.B \s-1SSH_AGENT_PID\s0
environment variables.
.LP
The agent initially does not have any private keys. Keys are added
using
.B ssh-add.
When executed without arguments,
.B ssh-add
adds the
.I \&$HOME/\s+2.\s0ssh/identity
file. If the identity has a passphrase,
.B ssh-add
asks for the passphrase (using a small X11 application if running
under X11, or from the terminal if running without X). It then sends
the identity to the agent. Several identities can be stored in the
agent; the agent can automatically use any of these identities.
.B "Ssh-add \-l"
displays the identities currently held by the agent.
.LP
The idea is that the agent is run in the user's local PC, laptop, or
terminal. Authentication data need not be stored on any other
machine, and authentication passphrases never go over the network.
However, the connection to the agent is forwarded over
.B ssh
remote logins, and the user can thus use the privileges given by the
identities anywhere in the network in a secure way.
.LP
A connection to the agent is inherited by child programs. A
unix-domain socket is created
(\fI/tmp/ssh-$USER/agent-socket-<pid>\fR), where <pid> is the process
id of the listener (the agent, or an sshd proxying the agent). The name of
this socket is stored in the
.B \s-1SSH_AUTH_SOCK\s0
environment variable. The socket is made accessible only to the
current user. This method is easily abused by root or another
instance of the same user. Older versions of ssh used inherited
file descriptors for contacting the agent and used the unix-domain
sockets in an incompatible way.
.LP
If a command is given as an argument to ssh-agent, the agent exits
automatically when that command terminates.
The command is executed even if the agent fails to start its key-storing
and challenge-processing services.

.SH FILES
.TP
.I \&$HOME/\s+2.\s0ssh/identity
Contains the RSA authentication identity of the user. This file
should not be readable by anyone but the user. It is possible to
specify a passphrase when generating the key; that passphrase will be
used to encrypt the private part of this file. This file
is not used by
.B ssh-agent,
but is normally added to the agent using
.B ssh-add
at login time.
.TP
.I \&/tmp/ssh-$USER/agent-socket-<pid>
Unix-domain sockets used to contain the connection to the
authentication agent. These sockets should only be readable by the
owner. The sockets should get automatically removed when the agent
exits. The parent directory of ssh-$USER must have its sticky bit
set.
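.LP
Added example, not part of the original man page: a POSIX sh script that starts an agent with eval `ssh-agent -s`, checks that the socket named by SSH_AUTH_SOCK has the protection described above (a socket readable only by its owner, under a parent of ssh-$USER that carries the sticky bit), and then removes the agent with ssh-agent -k. It assumes the usual "ls -ld" field layout (owner in the third field); the function names are this example's own and the "ls -ld" lines shown in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the ssh-agent man page). Checks that an agent
# socket is protected as the DESCRIPTION and FILES sections require: a
# unix-domain socket, owned by the caller, with no group/other access,
# whose grandparent directory (/tmp) carries the sticky bit.

# Validate one "ls -ld" line for the socket itself, e.g. (constructed):
#   "srwx------ 1 alice alice 0 Mar  8 17:42 /tmp/ssh-alice/agent-socket-123"
socket_line_ok() {
    owner=$2
    set -f; set -- $1; set +f          # split fields, no globbing
    case "$1" in
        s???------*) ;;                 # socket type, group/other bits clear
        *) return 1 ;;
    esac
    [ "$3" = "$owner" ]                 # third field is the owning user
}

# Validate one "ls -ld" line for the sticky directory, e.g. (constructed):
#   "drwxrwxrwt 12 root root 4096 Mar  8 17:42 /tmp"
sticky_dir_line_ok() {
    set -f; set -- $1; set +f
    case "$1" in
        d????????[tT]*) return 0 ;;     # directory with the sticky bit set
        *) return 1 ;;
    esac
}

# Check the live socket named by SSH_AUTH_SOCK.
check_agent_socket() {
    sock=$1
    top=$(dirname "$(dirname "$sock")")  # parent of ssh-$USER, normally /tmp
    [ -S "$sock" ] || { echo "not a socket: $sock" >&2; return 1; }
    socket_line_ok "$(ls -ld "$sock")" "$(id -un)" \
        || { echo "socket is not owner-only: $sock" >&2; return 1; }
    sticky_dir_line_ok "$(ls -ld "$top")" \
        || { echo "sticky bit missing on $top" >&2; return 1; }
    echo "ok: $sock is an owner-only socket under sticky $top"
}

# Demonstration: start an agent for this shell, check it, kill it with -k.
if command -v ssh-agent >/dev/null 2>&1; then
    eval "$(ssh-agent -s)" >/dev/null    # sets SSH_AUTH_SOCK, SSH_AGENT_PID
    check_agent_socket "$SSH_AUTH_SOCK" || true
    eval "$(ssh-agent -k)" >/dev/null    # unsets both variables again
fi
```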

.SH AUTHOR
.LP
Tatu Ylonen <ylo@ssh.fi>

.SH SEE ALSO
.BR ssh-add (1),
.BR ssh-keygen (1),
.BR ssh (1),
.BR sshd (8)