]>
Commit | Line | Data |
---|---|---|
2e437378 | 1 | .\" $OpenBSD: ssh-agent.1,v 1.44 2006/07/18 08:03:09 jmc Exp $ |
3c0ef626 | 2 | .\" |
3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | |
4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | |
5 | .\" All rights reserved | |
6 | .\" | |
7 | .\" As far as I am concerned, the code I have written for this software | |
8 | .\" can be used freely for any purpose. Any derived versions of this | |
9 | .\" software must be clearly marked as such, and if the derived work is | |
10 | .\" incompatible with the protocol description in the RFC file, it must be | |
11 | .\" called by a name other than "ssh" or "Secure Shell". | |
12 | .\" | |
13 | .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. | |
14 | .\" Copyright (c) 1999 Aaron Campbell. All rights reserved. | |
15 | .\" Copyright (c) 1999 Theo de Raadt. All rights reserved. | |
16 | .\" | |
17 | .\" Redistribution and use in source and binary forms, with or without | |
18 | .\" modification, are permitted provided that the following conditions | |
19 | .\" are met: | |
20 | .\" 1. Redistributions of source code must retain the above copyright | |
21 | .\" notice, this list of conditions and the following disclaimer. | |
22 | .\" 2. Redistributions in binary form must reproduce the above copyright | |
23 | .\" notice, this list of conditions and the following disclaimer in the | |
24 | .\" documentation and/or other materials provided with the distribution. | |
25 | .\" | |
26 | .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | |
27 | .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | |
28 | .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | |
29 | .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | |
30 | .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
31 | .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | |
32 | .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | |
33 | .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
36 | .\" | |
37 | .Dd September 25, 1999 | |
38 | .Dt SSH-AGENT 1 | |
39 | .Os | |
40 | .Sh NAME | |
41 | .Nm ssh-agent | |
42 | .Nd authentication agent | |
43 | .Sh SYNOPSIS | |
44 | .Nm ssh-agent | |
ff2d7a98 | 45 | .Op Fl a Ar bind_address |
3c0ef626 | 46 | .Op Fl c Li | Fl s |
1c14df9e | 47 | .Op Fl t Ar life |
3c0ef626 | 48 | .Op Fl d |
49 | .Op Ar command Op Ar args ... | |
50 | .Nm ssh-agent | |
51 | .Op Fl c Li | Fl s | |
52 | .Fl k | |
53 | .Sh DESCRIPTION | |
54 | .Nm | |
55 | is a program to hold private keys used for public key authentication | |
56 | (RSA, DSA). | |
57 | The idea is that | |
58 | .Nm | |
59 | is started in the beginning of an X-session or a login session, and | |
60 | all other windows or programs are started as clients to the ssh-agent | |
61 | program. | |
62 | Through use of environment variables the agent can be located | |
63 | and automatically used for authentication when logging in to other | |
64 | machines using | |
65 | .Xr ssh 1 . | |
66 | .Pp | |
67 | The options are as follows: | |
68 | .Bl -tag -width Ds | |
ff2d7a98 | 69 | .It Fl a Ar bind_address |
70 | Bind the agent to the unix-domain socket | |
71 | .Ar bind_address . | |
72 | The default is | |
2e437378 | 73 | .Pa /tmp/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt . |
3c0ef626 | 74 | .It Fl c |
75 | Generate C-shell commands on | |
76 | .Dv stdout . | |
77 | This is the default if | |
78 | .Ev SHELL | |
79 | looks like it's a csh style of shell. | |
80 | .It Fl s | |
81 | Generate Bourne shell commands on | |
82 | .Dv stdout . | |
83 | This is the default if | |
84 | .Ev SHELL | |
85 | does not look like it's a csh style of shell. | |
86 | .It Fl k | |
87 | Kill the current agent (given by the | |
88 | .Ev SSH_AGENT_PID | |
89 | environment variable). | |
1c14df9e | 90 | .It Fl t Ar life |
91 | Set a default value for the maximum lifetime of identities added to the agent. | |
92 | The lifetime may be specified in seconds or in a time format specified in | |
e00da40d | 93 | .Xr sshd_config 5 . |
1c14df9e | 94 | A lifetime specified for an identity with |
95 | .Xr ssh-add 1 | |
96 | overrides this value. | |
97 | Without this option the default maximum lifetime is forever. | |
3c0ef626 | 98 | .It Fl d |
1c14df9e | 99 | Debug mode. |
100 | When this option is specified | |
3c0ef626 | 101 | .Nm |
102 | will not fork. | |
103 | .El | |
104 | .Pp | |
105 | If a commandline is given, this is executed as a subprocess of the agent. | |
106 | When the command dies, so does the agent. | |
107 | .Pp | |
108 | The agent initially does not have any private keys. | |
109 | Keys are added using | |
110 | .Xr ssh-add 1 . | |
111 | When executed without arguments, | |
112 | .Xr ssh-add 1 | |
e9a17296 | 113 | adds the files |
34fee935 | 114 | .Pa ~/.ssh/id_rsa , |
115 | .Pa ~/.ssh/id_dsa | |
e9a17296 | 116 | and |
34fee935 | 117 | .Pa ~/.ssh/identity . |
3c0ef626 | 118 | If the identity has a passphrase, |
119 | .Xr ssh-add 1 | |
120 | asks for the passphrase (using a small X11 application if running | |
121 | under X11, or from the terminal if running without X). | |
122 | It then sends the identity to the agent. | |
123 | Several identities can be stored in the | |
124 | agent; the agent can automatically use any of these identities. | |
125 | .Ic ssh-add -l | |
126 | displays the identities currently held by the agent. | |
127 | .Pp | |
128 | The idea is that the agent is run in the user's local PC, laptop, or | |
129 | terminal. | |
130 | Authentication data need not be stored on any other | |
131 | machine, and authentication passphrases never go over the network. | |
132 | However, the connection to the agent is forwarded over SSH | |
133 | remote logins, and the user can thus use the privileges given by the | |
134 | identities anywhere in the network in a secure way. | |
135 | .Pp | |
70791e56 | 136 | There are two main ways to get an agent set up: |
1b56ff3d | 137 | The first is that the agent starts a new subcommand into which some environment |
138 | variables are exported, eg | |
139 | .Cm ssh-agent xterm & . | |
140 | The second is that the agent prints the needed shell commands (either | |
3c0ef626 | 141 | .Xr sh 1 |
142 | or | |
143 | .Xr csh 1 | |
1b56ff3d | 144 | syntax can be generated) which can be evalled in the calling shell, eg |
145 | .Cm eval `ssh-agent -s` | |
146 | for Bourne-type shells such as | |
147 | .Xr sh 1 | |
148 | or | |
149 | .Xr ksh 1 | |
150 | and | |
151 | .Cm eval `ssh-agent -c` | |
152 | for | |
153 | .Xr csh 1 | |
154 | and derivatives. | |
155 | .Pp | |
3c0ef626 | 156 | Later |
157 | .Xr ssh 1 | |
158 | looks at these variables and uses them to establish a connection to the agent. | |
159 | .Pp | |
e9a17296 | 160 | The agent will never send a private key over its request channel. |
161 | Instead, operations that require a private key will be performed | |
162 | by the agent, and the result will be returned to the requester. | |
163 | This way, private keys are not exposed to clients using the agent. | |
164 | .Pp | |
3c0ef626 | 165 | A unix-domain socket is created |
3c0ef626 | 166 | and the name of this socket is stored in the |
167 | .Ev SSH_AUTH_SOCK | |
168 | environment | |
169 | variable. | |
170 | The socket is made accessible only to the current user. | |
171 | This method is easily abused by root or another instance of the same | |
172 | user. | |
173 | .Pp | |
174 | The | |
175 | .Ev SSH_AGENT_PID | |
ff2d7a98 | 176 | environment variable holds the agent's process ID. |
3c0ef626 | 177 | .Pp |
178 | The agent exits automatically when the command given on the command | |
179 | line terminates. | |
180 | .Sh FILES | |
181 | .Bl -tag -width Ds | |
34fee935 | 182 | .It Pa ~/.ssh/identity |
3c0ef626 | 183 | Contains the protocol version 1 RSA authentication identity of the user. |
34fee935 | 184 | .It Pa ~/.ssh/id_dsa |
3c0ef626 | 185 | Contains the protocol version 2 DSA authentication identity of the user. |
34fee935 | 186 | .It Pa ~/.ssh/id_rsa |
3c0ef626 | 187 | Contains the protocol version 2 RSA authentication identity of the user. |
2e437378 | 188 | .It Pa /tmp/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt |
3c0ef626 | 189 | Unix-domain sockets used to contain the connection to the |
190 | authentication agent. | |
191 | These sockets should only be readable by the owner. | |
192 | The sockets should get automatically removed when the agent exits. | |
193 | .El | |
70791e56 | 194 | .Sh SEE ALSO |
195 | .Xr ssh 1 , | |
196 | .Xr ssh-add 1 , | |
197 | .Xr ssh-keygen 1 , | |
198 | .Xr sshd 8 | |
3c0ef626 | 199 | .Sh AUTHORS |
200 | OpenSSH is a derivative of the original and free | |
201 | ssh 1.2.12 release by Tatu Ylonen. | |
202 | Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, | |
203 | Theo de Raadt and Dug Song | |
204 | removed many bugs, re-added newer features and | |
205 | created OpenSSH. | |
206 | Markus Friedl contributed the support for SSH | |
207 | protocol versions 1.5 and 2.0. |