]>
Commit | Line | Data |
---|---|---|
4fe2af09 | 1 | .\" $OpenBSD: ssh-agent.1,v 1.10 2000/03/23 21:10:10 aaron Exp $ |
bf740959 | 2 | .\" |
3 | .\" -*- nroff -*- | |
4 | .\" | |
5 | .\" ssh-agent.1 | |
6 | .\" | |
7 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | |
f095fcc7 | 8 | .\" |
bf740959 | 9 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
10 | .\" All rights reserved | |
11 | .\" | |
12 | .\" Created: Sat Apr 23 20:10:43 1995 ylo | |
13 | .\" | |
14 | .Dd September 25, 1999 | |
15 | .Dt SSH-AGENT 1 | |
16 | .Os | |
17 | .Sh NAME | |
18 | .Nm ssh-agent | |
19 | .Nd authentication agent | |
20 | .Sh SYNOPSIS | |
21 | .Nm ssh-agent | |
22 | .Op Fl c Li | Fl s | |
23 | .Op Fl k | |
24 | .Oo | |
25 | .Ar command | |
26 | .Op Ar args ... | |
27 | .Oc | |
28 | .Sh DESCRIPTION | |
29 | .Nm | |
4fe2af09 | 30 | is a program to hold authentication private keys. |
31 | The idea is that | |
bf740959 | 32 | .Nm |
33 | is started in the beginning of an X-session or a login session, and | |
34 | all other windows or programs are started as clients to the ssh-agent | |
4fe2af09 | 35 | program. |
36 | Through use of environment variables the agent can be located | |
bf740959 | 37 | and automatically used for RSA authentication when logging in to other |
38 | machines using | |
39 | .Xr ssh 1 . | |
40 | .Pp | |
41 | The options are as follows: | |
42 | .Bl -tag -width Ds | |
43 | .It Fl c | |
44 | Generate C-shell commands on | |
45 | .Dv stdout . | |
46 | This is the default if | |
47 | .Ev SHELL | |
48 | looks like it's a csh style of shell. | |
49 | .It Fl s | |
50 | Generate Bourne shell commands on | |
51 | .Dv stdout . | |
52 | This is the default if | |
53 | .Ev SHELL | |
54 | does not look like it's a csh style of shell. | |
55 | .It Fl k | |
56 | Kill the current agent (given by the | |
57 | .Ev SSH_AGENT_PID | |
58 | environment variable). | |
59 | .El | |
60 | .Pp | |
61 | If a commandline is given, this is executed as a subprocess of the agent. | |
62 | When the command dies, so does the agent. | |
63 | .Pp | |
4fe2af09 | 64 | The agent initially does not have any private keys. |
65 | Keys are added using | |
bf740959 | 66 | .Xr ssh-add 1 . |
67 | When executed without arguments, | |
68 | .Xr ssh-add 1 | |
69 | adds the | |
70 | .Pa $HOME/.ssh/identity | |
4fe2af09 | 71 | file. |
72 | If the identity has a passphrase, | |
bf740959 | 73 | .Xr ssh-add 1 |
74 | asks for the passphrase (using a small X11 application if running | |
4fe2af09 | 75 | under X11, or from the terminal if running without X). |
76 | It then sends the identity to the agent. | |
77 | Several identities can be stored in the | |
bf740959 | 78 | agent; the agent can automatically use any of these identities. |
79 | .Ic ssh-add -l | |
80 | displays the identities currently held by the agent. | |
81 | .Pp | |
82 | The idea is that the agent is run in the user's local PC, laptop, or | |
4fe2af09 | 83 | terminal. |
84 | Authentication data need not be stored on any other | |
bf740959 | 85 | machine, and authentication passphrases never go over the network. |
86 | However, the connection to the agent is forwarded over SSH | |
87 | remote logins, and the user can thus use the privileges given by the | |
88 | identities anywhere in the network in a secure way. | |
89 | .Pp | |
4fe2af09 | 90 | There are two main ways to get an agent setup: |
91 | Either you let the agent | |
bf740959 | 92 | start a new subcommand into which some environment variables are exported, or |
93 | you let the agent print the needed shell commands (either | |
94 | .Xr sh 1 | |
95 | or | |
96 | .Xr csh 1 | |
97 | syntax can be generated) which can be evalled in the calling shell. | |
98 | Later | |
99 | .Xr ssh 1 | |
100 | look at these variables and use them to establish a connection to the agent. | |
101 | .Pp | |
102 | A unix-domain socket is created | |
103 | .Pq Pa /tmp/ssh-XXXXXXXX/agent.<pid> , | |
104 | and the name of this socket is stored in the | |
105 | .Ev SSH_AUTH_SOCK | |
106 | environment | |
4fe2af09 | 107 | variable. |
108 | The socket is made accessible only to the current user. | |
bf740959 | 109 | This method is easily abused by root or another instance of the same |
110 | user. | |
111 | .Pp | |
112 | The | |
113 | .Ev SSH_AGENT_PID | |
114 | environment variable holds the agent's PID. | |
115 | .Pp | |
116 | The agent exits automatically when the command given on the command | |
117 | line terminates. | |
118 | .Sh FILES | |
119 | .Bl -tag -width Ds | |
120 | .It Pa $HOME/.ssh/identity | |
4fe2af09 | 121 | Contains the RSA authentication identity of the user. |
122 | This file should not be readable by anyone but the user. | |
123 | It is possible to | |
bf740959 | 124 | specify a passphrase when generating the key; that passphrase will be |
4fe2af09 | 125 | used to encrypt the private part of this file. |
126 | This file is not used by | |
bf740959 | 127 | .Nm |
128 | but is normally added to the agent using | |
129 | .Xr ssh-add 1 | |
130 | at login time. | |
131 | .It Pa /tmp/ssh-XXXX/agent.<pid> , | |
132 | Unix-domain sockets used to contain the connection to the | |
4fe2af09 | 133 | authentication agent. |
134 | These sockets should only be readable by the owner. | |
135 | The sockets should get automatically removed when the agent exits. | |
bf740959 | 136 | .Sh AUTHOR |
137 | Tatu Ylonen <ylo@cs.hut.fi> | |
138 | .Pp | |
139 | OpenSSH | |
140 | is a derivative of the original (free) ssh 1.2.12 release, but with bugs | |
4fe2af09 | 141 | removed and newer features re-added. |
142 | Rapidly after the 1.2.12 release, | |
143 | newer versions bore successively more restrictive licenses. | |
144 | This version of OpenSSH | |
bf740959 | 145 | .Bl -bullet |
146 | .It | |
399d9d44 | 147 | has all components of a restrictive nature (i.e., patents, see |
bf740959 | 148 | .Xr ssl 8 ) |
149 | directly removed from the source code; any licensed or patented components | |
150 | are chosen from | |
151 | external libraries. | |
152 | .It | |
153 | has been updated to support ssh protocol 1.5. | |
154 | .It | |
155 | contains added support for | |
156 | .Xr kerberos 8 | |
157 | authentication and ticket passing. | |
158 | .It | |
159 | supports one-time password authentication with | |
160 | .Xr skey 1 . | |
161 | .El | |
162 | .Pp | |
163 | The libraries described in | |
164 | .Xr ssl 8 | |
165 | are required for proper operation. | |
166 | .Sh SEE ALSO | |
167 | .Xr ssh 1 , | |
168 | .Xr ssh-add 1 , | |
169 | .Xr ssh-keygen 1 , | |
170 | .Xr sshd 8 , | |
171 | .Xr ssl 8 |