[openssh.git] / ssh-agent.1

.\" $OpenBSD: ssh-agent.1,v 1.10 2000/03/23 21:10:10 aaron Exp $
.\"
.\"  -*- nroff -*-
.\"
.\" ssh-agent.1
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\"
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\"                    All rights reserved
.\"
.\" Created: Sat Apr 23 20:10:43 1995 ylo
.\"
.Dd September 25, 1999
.Dt SSH-AGENT 1
.Os
.Sh NAME
.Nm ssh-agent
.Nd authentication agent
.Sh SYNOPSIS
.Nm ssh-agent 
.Op Fl c Li | Fl s
.Op Fl k
.Oo
.Ar command
.Op Ar args ...
.Oc
.Sh DESCRIPTION 
.Nm
is a program to hold authentication private keys.
The idea is that
.Nm
is started in the beginning of an X-session or a login session, and
all other windows or programs are started as clients to the ssh-agent
program.
Through use of environment variables the agent can be located
and automatically used for RSA authentication when logging in to other
machines using
.Xr ssh 1 .
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl c
Generate C-shell commands on
.Dv stdout .
This is the default if
.Ev SHELL
looks like it's a csh style of shell.
.It Fl s
Generate Bourne shell commands on
.Dv stdout .
This is the default if
.Ev SHELL
does not look like it's a csh style of shell.
.It Fl k
Kill the current agent (given by the
.Ev SSH_AGENT_PID
environment variable).
.El
.Pp
If a commandline is given, this is executed as a subprocess of the agent.
When the command dies, so does the agent.
.Pp
The agent initially does not have any private keys.
Keys are added using
.Xr ssh-add 1 .
When executed without arguments, 
.Xr ssh-add 1
adds the 
.Pa $HOME/.ssh/identity
file.
If the identity has a passphrase, 
.Xr ssh-add 1
asks for the passphrase (using a small X11 application if running
under X11, or from the terminal if running without X).
It then sends the identity to the agent.
Several identities can be stored in the
agent; the agent can automatically use any of these identities.
.Ic ssh-add -l
displays the identities currently held by the agent.
.Pp
The idea is that the agent is run in the user's local PC, laptop, or
terminal.
Authentication data need not be stored on any other
machine, and authentication passphrases never go over the network.
However, the connection to the agent is forwarded over SSH
remote logins, and the user can thus use the privileges given by the
identities anywhere in the network in a secure way.
.Pp
There are two main ways to get an agent setup:
Either you let the agent
start a new subcommand into which some environment variables are exported, or
you let the agent print the needed shell commands (either
.Xr sh 1
or
.Xr csh 1
syntax can be generated) which can be evalled in the calling shell.
Later
.Xr ssh 1
look at these variables and use them to establish a connection to the agent.
.Pp
A unix-domain socket is created
.Pq Pa /tmp/ssh-XXXXXXXX/agent.<pid> ,
and the name of this socket is stored in the
.Ev SSH_AUTH_SOCK
environment
variable.
The socket is made accessible only to the current user.
This method is easily abused by root or another instance of the same
user.
.Pp
The
.Ev SSH_AGENT_PID
environment variable holds the agent's PID.
.Pp
The agent exits automatically when the command given on the command
line terminates.
.Sh FILES
.Bl -tag -width Ds
.It Pa $HOME/.ssh/identity
Contains the RSA authentication identity of the user.
This file should not be readable by anyone but the user.
It is possible to
specify a passphrase when generating the key; that passphrase will be
used to encrypt the private part of this file.
This file is not used by
.Nm
but is normally added to the agent using
.Xr ssh-add 1
at login time.
.It Pa /tmp/ssh-XXXX/agent.<pid> ,
Unix-domain sockets used to contain the connection to the
authentication agent.
These sockets should only be readable by the owner.
The sockets should get automatically removed when the agent exits.
.Sh AUTHOR
Tatu Ylonen <ylo@cs.hut.fi>
.Pp
OpenSSH
is a derivative of the original (free) ssh 1.2.12 release, but with bugs
removed and newer features re-added.
Rapidly after the 1.2.12 release,
newer versions bore successively more restrictive licenses.
This version of OpenSSH
.Bl -bullet
.It
has all components of a restrictive nature (i.e., patents, see
.Xr ssl 8 )
directly removed from the source code; any licensed or patented components
are chosen from
external libraries.
.It
has been updated to support ssh protocol 1.5.
.It
contains added support for 
.Xr kerberos 8
authentication and ticket passing.
.It
supports one-time password authentication with
.Xr skey 1 .
.El
.Pp
The libraries described in
.Xr ssl 8
are required for proper operation.
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
.Xr ssh-keygen 1 ,
.Xr sshd 8 ,
.Xr ssl 8
Commit	Line	Data
4fe2af09	1	.\" $OpenBSD: ssh-agent.1,v 1.10 2000/03/23 21:10:10 aaron Exp $
bf740959	2	.\"
	3	.\" -- nroff --
	4	.\"
	5	.\" ssh-agent.1
	6	.\"
	7	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
f095fcc7	8	.\"
bf740959	9	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
	10	.\" All rights reserved
	11	.\"
	12	.\" Created: Sat Apr 23 20:10:43 1995 ylo
	13	.\"
	14	.Dd September 25, 1999
	15	.Dt SSH-AGENT 1
	16	.Os
	17	.Sh NAME
	18	.Nm ssh-agent
	19	.Nd authentication agent
	20	.Sh SYNOPSIS
	21	.Nm ssh-agent
	22	.Op Fl c Li \| Fl s
	23	.Op Fl k
	24	.Oo
	25	.Ar command
	26	.Op Ar args ...
	27	.Oc
	28	.Sh DESCRIPTION
	29	.Nm
4fe2af09	30	is a program to hold authentication private keys.
4fe2af09	31	The idea is that
bf740959	32	.Nm
	33	is started in the beginning of an X-session or a login session, and
	34	all other windows or programs are started as clients to the ssh-agent
4fe2af09	35	program.
4fe2af09	36	Through use of environment variables the agent can be located
bf740959	37	and automatically used for RSA authentication when logging in to other
	38	machines using
	39	.Xr ssh 1 .
	40	.Pp
	41	The options are as follows:
	42	.Bl -tag -width Ds
	43	.It Fl c
	44	Generate C-shell commands on
	45	.Dv stdout .
	46	This is the default if
	47	.Ev SHELL
	48	looks like it's a csh style of shell.
	49	.It Fl s
	50	Generate Bourne shell commands on
	51	.Dv stdout .
	52	This is the default if
	53	.Ev SHELL
	54	does not look like it's a csh style of shell.
	55	.It Fl k
	56	Kill the current agent (given by the
	57	.Ev SSH_AGENT_PID
	58	environment variable).
	59	.El
	60	.Pp
	61	If a commandline is given, this is executed as a subprocess of the agent.
	62	When the command dies, so does the agent.
	63	.Pp
4fe2af09	64	The agent initially does not have any private keys.
4fe2af09	65	Keys are added using
bf740959	66	.Xr ssh-add 1 .
	67	When executed without arguments,
	68	.Xr ssh-add 1
	69	adds the
	70	.Pa $HOME/.ssh/identity
4fe2af09	71	file.
4fe2af09	72	If the identity has a passphrase,
bf740959	73	.Xr ssh-add 1
bf740959	74	asks for the passphrase (using a small X11 application if running
4fe2af09	75	under X11, or from the terminal if running without X).
	76	It then sends the identity to the agent.
	77	Several identities can be stored in the
bf740959	78	agent; the agent can automatically use any of these identities.
	79	.Ic ssh-add -l
	80	displays the identities currently held by the agent.
	81	.Pp
	82	The idea is that the agent is run in the user's local PC, laptop, or
4fe2af09	83	terminal.
4fe2af09	84	Authentication data need not be stored on any other
bf740959	85	machine, and authentication passphrases never go over the network.
	86	However, the connection to the agent is forwarded over SSH
	87	remote logins, and the user can thus use the privileges given by the
	88	identities anywhere in the network in a secure way.
	89	.Pp
4fe2af09	90	There are two main ways to get an agent setup:
4fe2af09	91	Either you let the agent
bf740959	92	start a new subcommand into which some environment variables are exported, or
	93	you let the agent print the needed shell commands (either
	94	.Xr sh 1
	95	or
	96	.Xr csh 1
	97	syntax can be generated) which can be evalled in the calling shell.
	98	Later
	99	.Xr ssh 1
	100	look at these variables and use them to establish a connection to the agent.
	101	.Pp
	102	A unix-domain socket is created
	103	.Pq Pa /tmp/ssh-XXXXXXXX/agent.<pid> ,
	104	and the name of this socket is stored in the
	105	.Ev SSH_AUTH_SOCK
	106	environment
4fe2af09	107	variable.
4fe2af09	108	The socket is made accessible only to the current user.
bf740959	109	This method is easily abused by root or another instance of the same
	110	user.
	111	.Pp
	112	The
	113	.Ev SSH_AGENT_PID
	114	environment variable holds the agent's PID.
	115	.Pp
	116	The agent exits automatically when the command given on the command
	117	line terminates.
	118	.Sh FILES
	119	.Bl -tag -width Ds
	120	.It Pa $HOME/.ssh/identity
4fe2af09	121	Contains the RSA authentication identity of the user.
	122	This file should not be readable by anyone but the user.
	123	It is possible to
bf740959	124	specify a passphrase when generating the key; that passphrase will be
4fe2af09	125	used to encrypt the private part of this file.
4fe2af09	126	This file is not used by
bf740959	127	.Nm
	128	but is normally added to the agent using
	129	.Xr ssh-add 1
	130	at login time.
	131	.It Pa /tmp/ssh-XXXX/agent.<pid> ,
	132	Unix-domain sockets used to contain the connection to the
4fe2af09	133	authentication agent.
	134	These sockets should only be readable by the owner.
	135	The sockets should get automatically removed when the agent exits.
bf740959	136	.Sh AUTHOR
	137	Tatu Ylonen <ylo@cs.hut.fi>
	138	.Pp
	139	OpenSSH
	140	is a derivative of the original (free) ssh 1.2.12 release, but with bugs
4fe2af09	141	removed and newer features re-added.
	142	Rapidly after the 1.2.12 release,
	143	newer versions bore successively more restrictive licenses.
	144	This version of OpenSSH
bf740959	145	.Bl -bullet
bf740959	146	.It
399d9d44	147	has all components of a restrictive nature (i.e., patents, see
bf740959	148	.Xr ssl 8 )
	149	directly removed from the source code; any licensed or patented components
	150	are chosen from
	151	external libraries.
	152	.It
	153	has been updated to support ssh protocol 1.5.
	154	.It
	155	contains added support for
	156	.Xr kerberos 8
	157	authentication and ticket passing.
	158	.It
	159	supports one-time password authentication with
	160	.Xr skey 1 .
	161	.El
	162	.Pp
	163	The libraries described in
	164	.Xr ssl 8
	165	are required for proper operation.
	166	.Sh SEE ALSO
	167	.Xr ssh 1 ,
	168	.Xr ssh-add 1 ,
	169	.Xr ssh-keygen 1 ,
	170	.Xr sshd 8 ,
	171	.Xr ssl 8