[openssh.git] / ssh-agent.1

.\" $OpenBSD: ssh-agent.1,v 1.14 2000/08/19 21:34:43 markus Exp $
.\"
.\"  -*- nroff -*-
.\"
.\" ssh-agent.1
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\"
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\"                    All rights reserved
.\"
.\" Created: Sat Apr 23 20:10:43 1995 ylo
.\"
.Dd September 25, 1999
.Dt SSH-AGENT 1
.Os
.Sh NAME
.Nm ssh-agent
.Nd authentication agent
.Sh SYNOPSIS
.Nm ssh-agent
.Op Fl c Li | Fl s
.Op Fl k
.Oo
.Ar command
.Op Ar args ...
.Oc
.Sh DESCRIPTION
.Nm
is a program to hold private keys used for public key authentication
(RSA, DSA).
The idea is that
.Nm
is started in the beginning of an X-session or a login session, and
all other windows or programs are started as clients to the ssh-agent
program.
Through use of environment variables the agent can be located
and automatically used for authentication when logging in to other
machines using
.Xr ssh 1 .
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl c
Generate C-shell commands on
.Dv stdout .
This is the default if
.Ev SHELL
looks like it's a csh style of shell.
.It Fl s
Generate Bourne shell commands on
.Dv stdout .
This is the default if
.Ev SHELL
does not look like it's a csh style of shell.
.It Fl k
Kill the current agent (given by the
.Ev SSH_AGENT_PID
environment variable).
.El
.Pp
If a commandline is given, this is executed as a subprocess of the agent.
When the command dies, so does the agent.
.Pp
The agent initially does not have any private keys.
Keys are added using
.Xr ssh-add 1 .
When executed without arguments,
.Xr ssh-add 1
adds the
.Pa $HOME/.ssh/identity
file.
If the identity has a passphrase,
.Xr ssh-add 1
asks for the passphrase (using a small X11 application if running
under X11, or from the terminal if running without X).
It then sends the identity to the agent.
Several identities can be stored in the
agent; the agent can automatically use any of these identities.
.Ic ssh-add -l
displays the identities currently held by the agent.
.Pp
The idea is that the agent is run in the user's local PC, laptop, or
terminal.
Authentication data need not be stored on any other
machine, and authentication passphrases never go over the network.
However, the connection to the agent is forwarded over SSH
remote logins, and the user can thus use the privileges given by the
identities anywhere in the network in a secure way.
.Pp
There are two main ways to get an agent setup:
Either you let the agent
start a new subcommand into which some environment variables are exported, or
you let the agent print the needed shell commands (either
.Xr sh 1
or
.Xr csh 1
syntax can be generated) which can be evalled in the calling shell.
Later
.Xr ssh 1
look at these variables and use them to establish a connection to the agent.
.Pp
A unix-domain socket is created
.Pq Pa /tmp/ssh-XXXXXXXX/agent.<pid> ,
and the name of this socket is stored in the
.Ev SSH_AUTH_SOCK
environment
variable.
The socket is made accessible only to the current user.
This method is easily abused by root or another instance of the same
user.
.Pp
The
.Ev SSH_AGENT_PID
environment variable holds the agent's PID.
.Pp
The agent exits automatically when the command given on the command
line terminates.
.Sh FILES
.Bl -tag -width Ds
.It Pa $HOME/.ssh/identity
Contains the RSA authentication identity of the user.
This file should not be readable by anyone but the user.
It is possible to
specify a passphrase when generating the key; that passphrase will be
used to encrypt the private part of this file.
This file is not used by
.Nm
but is normally added to the agent using
.Xr ssh-add 1
at login time.
.It Pa $HOME/.ssh/id_dsa
Contains the DSA authentication identity of the user.
.Pq Pa /tmp/ssh-XXXXXXXX/agent.<pid> ,
Unix-domain sockets used to contain the connection to the
authentication agent.
These sockets should only be readable by the owner.
The sockets should get automatically removed when the agent exits.
.El
.Sh AUTHOR
Tatu Ylonen <ylo@cs.hut.fi>
.Pp
OpenSSH
is a derivative of the original (free) ssh 1.2.12 release, but with bugs
removed and newer features re-added.
Rapidly after the 1.2.12 release,
newer versions bore successively more restrictive licenses.
This version of OpenSSH
.Bl -bullet
.It
has all components of a restrictive nature (i.e., patents)
directly removed from the source code; any licensed or patented components
are chosen from
external libraries.
.It
has been updated to support ssh protocol 1.5.
.It
contains added support for
.Xr kerberos 8
authentication and ticket passing.
.It
supports one-time password authentication with
.Xr skey 1 .
.El
.Pp
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
.Xr ssh-keygen 1 ,
.Xr sshd 8 ,
Commit	Line	Data
2e73a022	1	.\" $OpenBSD: ssh-agent.1,v 1.14 2000/08/19 21:34:43 markus Exp $
bf740959	2	.\"
	3	.\" -- nroff --
	4	.\"
	5	.\" ssh-agent.1
	6	.\"
	7	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
f095fcc7	8	.\"
bf740959	9	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
	10	.\" All rights reserved
	11	.\"
	12	.\" Created: Sat Apr 23 20:10:43 1995 ylo
	13	.\"
	14	.Dd September 25, 1999
	15	.Dt SSH-AGENT 1
	16	.Os
	17	.Sh NAME
	18	.Nm ssh-agent
	19	.Nd authentication agent
	20	.Sh SYNOPSIS
f54651ce	21	.Nm ssh-agent
bf740959	22	.Op Fl c Li \| Fl s
	23	.Op Fl k
	24	.Oo
	25	.Ar command
	26	.Op Ar args ...
	27	.Oc
f54651ce	28	.Sh DESCRIPTION
bf740959	29	.Nm
2e73a022	30	is a program to hold private keys used for public key authentication
2e73a022	31	(RSA, DSA).
4fe2af09	32	The idea is that
bf740959	33	.Nm
	34	is started in the beginning of an X-session or a login session, and
	35	all other windows or programs are started as clients to the ssh-agent
4fe2af09	36	program.
4fe2af09	37	Through use of environment variables the agent can be located
2e73a022	38	and automatically used for authentication when logging in to other
bf740959	39	machines using
	40	.Xr ssh 1 .
	41	.Pp
	42	The options are as follows:
	43	.Bl -tag -width Ds
	44	.It Fl c
	45	Generate C-shell commands on
	46	.Dv stdout .
	47	This is the default if
	48	.Ev SHELL
	49	looks like it's a csh style of shell.
	50	.It Fl s
	51	Generate Bourne shell commands on
	52	.Dv stdout .
	53	This is the default if
	54	.Ev SHELL
	55	does not look like it's a csh style of shell.
	56	.It Fl k
	57	Kill the current agent (given by the
	58	.Ev SSH_AGENT_PID
	59	environment variable).
	60	.El
	61	.Pp
	62	If a commandline is given, this is executed as a subprocess of the agent.
	63	When the command dies, so does the agent.
	64	.Pp
4fe2af09	65	The agent initially does not have any private keys.
4fe2af09	66	Keys are added using
bf740959	67	.Xr ssh-add 1 .
f54651ce	68	When executed without arguments,
bf740959	69	.Xr ssh-add 1
f54651ce	70	adds the
bf740959	71	.Pa $HOME/.ssh/identity
4fe2af09	72	file.
f54651ce	73	If the identity has a passphrase,
bf740959	74	.Xr ssh-add 1
bf740959	75	asks for the passphrase (using a small X11 application if running
4fe2af09	76	under X11, or from the terminal if running without X).
	77	It then sends the identity to the agent.
	78	Several identities can be stored in the
bf740959	79	agent; the agent can automatically use any of these identities.
	80	.Ic ssh-add -l
	81	displays the identities currently held by the agent.
	82	.Pp
	83	The idea is that the agent is run in the user's local PC, laptop, or
4fe2af09	84	terminal.
4fe2af09	85	Authentication data need not be stored on any other
bf740959	86	machine, and authentication passphrases never go over the network.
	87	However, the connection to the agent is forwarded over SSH
	88	remote logins, and the user can thus use the privileges given by the
	89	identities anywhere in the network in a secure way.
	90	.Pp
4fe2af09	91	There are two main ways to get an agent setup:
4fe2af09	92	Either you let the agent
bf740959	93	start a new subcommand into which some environment variables are exported, or
	94	you let the agent print the needed shell commands (either
	95	.Xr sh 1
	96	or
	97	.Xr csh 1
	98	syntax can be generated) which can be evalled in the calling shell.
	99	Later
	100	.Xr ssh 1
	101	look at these variables and use them to establish a connection to the agent.
	102	.Pp
	103	A unix-domain socket is created
	104	.Pq Pa /tmp/ssh-XXXXXXXX/agent.<pid> ,
	105	and the name of this socket is stored in the
	106	.Ev SSH_AUTH_SOCK
	107	environment
4fe2af09	108	variable.
4fe2af09	109	The socket is made accessible only to the current user.
bf740959	110	This method is easily abused by root or another instance of the same
	111	user.
	112	.Pp
	113	The
	114	.Ev SSH_AGENT_PID
	115	environment variable holds the agent's PID.
	116	.Pp
	117	The agent exits automatically when the command given on the command
	118	line terminates.
	119	.Sh FILES
	120	.Bl -tag -width Ds
	121	.It Pa $HOME/.ssh/identity
4fe2af09	122	Contains the RSA authentication identity of the user.
	123	This file should not be readable by anyone but the user.
	124	It is possible to
bf740959	125	specify a passphrase when generating the key; that passphrase will be
4fe2af09	126	used to encrypt the private part of this file.
4fe2af09	127	This file is not used by
bf740959	128	.Nm
	129	but is normally added to the agent using
	130	.Xr ssh-add 1
	131	at login time.
2e73a022	132	.It Pa $HOME/.ssh/id_dsa
	133	Contains the DSA authentication identity of the user.
	134	.Pq Pa /tmp/ssh-XXXXXXXX/agent.<pid> ,
bf740959	135	Unix-domain sockets used to contain the connection to the
4fe2af09	136	authentication agent.
	137	These sockets should only be readable by the owner.
	138	The sockets should get automatically removed when the agent exits.
089fbbd2	139	.El
bf740959	140	.Sh AUTHOR
	141	Tatu Ylonen <ylo@cs.hut.fi>
	142	.Pp
	143	OpenSSH
	144	is a derivative of the original (free) ssh 1.2.12 release, but with bugs
4fe2af09	145	removed and newer features re-added.
	146	Rapidly after the 1.2.12 release,
	147	newer versions bore successively more restrictive licenses.
	148	This version of OpenSSH
bf740959	149	.Bl -bullet
bf740959	150	.It
371ecff9	151	has all components of a restrictive nature (i.e., patents)
bf740959	152	directly removed from the source code; any licensed or patented components
	153	are chosen from
	154	external libraries.
	155	.It
	156	has been updated to support ssh protocol 1.5.
	157	.It
f54651ce	158	contains added support for
bf740959	159	.Xr kerberos 8
	160	authentication and ticket passing.
	161	.It
	162	supports one-time password authentication with
	163	.Xr skey 1 .
	164	.El
	165	.Pp
bf740959	166	.Sh SEE ALSO
	167	.Xr ssh 1 ,
	168	.Xr ssh-add 1 ,
	169	.Xr ssh-keygen 1 ,
	170	.Xr sshd 8 ,