]>
Commit | Line | Data |
---|---|---|
8efc0c15 | 1 | .\" -*- nroff -*- |
2 | .\" | |
3 | .\" ssh-agent.1 | |
4 | .\" | |
5 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | |
6 | .\" | |
7 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | |
8 | .\" All rights reserved | |
9 | .\" | |
10 | .\" Created: Sat Apr 23 20:10:43 1995 ylo | |
11 | .\" | |
12 | .\" $Id$ | |
13 | .\" | |
14 | .Dd September 25, 1999 | |
15 | .Dt SSH-AGENT 1 | |
16 | .Os | |
17 | .Sh NAME | |
18 | .Nm ssh-agent | |
19 | .Nd authentication agent | |
20 | .Sh SYNOPSIS | |
21 | .Nm ssh-agent | |
22 | .Ar command | |
23 | .Sh DESCRIPTION | |
24 | .Nm | |
25 | is a program to hold authentication private keys. The | |
26 | idea is that | |
27 | .Nm | |
28 | is started in the beginning of an X-session or a login session, and | |
29 | all other windows or programs are started as children of the ssh-agent | |
30 | program (the | |
31 | .Ar command | |
32 | normally starts X or is the user shell). Programs started under | |
33 | the agent inherit a connection to the agent, and the agent is | |
34 | automatically used for RSA authentication when logging to other | |
35 | machines using | |
36 | .Xr ssh 1 . | |
37 | .Pp | |
38 | The agent initially does not have any private keys. Keys are added | |
39 | using | |
40 | .Xr ssh-add 1 . | |
41 | When executed without arguments, | |
42 | .Xr ssh-add 1 | |
43 | adds the | |
44 | .Pa $HOME/.ssh/identity | |
45 | file. If the identity has a passphrase, | |
46 | .Xr ssh-add 1 | |
47 | asks for the passphrase (using a small X11 application if running | |
48 | under X11, or from the terminal if running without X). It then sends | |
49 | the identity to the agent. Several identities can be stored in the | |
50 | agent; the agent can automatically use any of these identities. | |
51 | .Ic ssh-add -l | |
52 | displays the identities currently held by the agent. | |
53 | .Pp | |
54 | The idea is that the agent is run in the user's local PC, laptop, or | |
55 | terminal. Authentication data need not be stored on any other | |
56 | machine, and authentication passphrases never go over the network. | |
57 | However, the connection to the agent is forwarded over SSH | |
58 | remote logins, and the user can thus use the privileges given by the | |
59 | identities anywhere in the network in a secure way. | |
60 | .Pp | |
61 | A connection to the agent is inherited by child programs: | |
62 | A unix-domain socket is created | |
63 | .Pq Pa /tmp/ssh-XXXX/agent.<pid> , | |
64 | and the name of this socket is stored in the | |
65 | .Ev SSH_AUTH_SOCK | |
66 | environment | |
67 | variable. The socket is made accessible only to the current user. | |
68 | This method is easily abused by root or another instance of the same | |
69 | user. | |
70 | .Pp | |
71 | The agent exits automatically when the command given on the command | |
72 | line terminates. | |
73 | .Sh FILES | |
74 | .Bl -tag -width Ds | |
75 | .It Pa $HOME/.ssh/identity | |
76 | Contains the RSA authentication identity of the user. This file | |
77 | should not be readable by anyone but the user. It is possible to | |
78 | specify a passphrase when generating the key; that passphrase will be | |
79 | used to encrypt the private part of this file. This file | |
80 | is not used by | |
81 | .Nm | |
82 | but is normally added to the agent using | |
83 | .Xr ssh-add 1 | |
84 | at login time. | |
85 | .It Pa /tmp/ssh-XXXX/agent.<pid> , | |
86 | Unix-domain sockets used to contain the connection to the | |
87 | authentication agent. These sockets should only be readable by the | |
88 | owner. The sockets should get automatically removed when the agent | |
89 | exits. | |
90 | .Sh AUTHOR | |
91 | Tatu Ylonen <ylo@cs.hut.fi> | |
92 | .Pp | |
93 | OpenSSH | |
94 | is a derivative of the original (free) ssh 1.2.12 release, but with bugs | |
95 | removed and newer features re-added. Rapidly after the 1.2.12 release, | |
96 | newer versions bore successively more restrictive licenses. This version | |
97 | of OpenSSH | |
98 | .Bl -bullet | |
99 | .It | |
100 | has all components of a restrictive nature (ie. patents, see | |
101 | .Xr ssl 8 ) | |
102 | directly removed from the source code; any licensed or patented components | |
103 | are chosen from | |
104 | external libraries. | |
105 | .It | |
106 | has been updated to support ssh protocol 1.5. | |
107 | .It | |
108 | contains added support for | |
109 | .Xr kerberos 8 | |
110 | authentication and ticket passing. | |
111 | .It | |
112 | supports one-time password authentication with | |
113 | .Xr skey 1 . | |
114 | .El | |
115 | .Pp | |
116 | The libraries described in | |
117 | .Xr ssl 8 | |
118 | are required for proper operation. | |
119 | .Sh SEE ALSO | |
120 | .Xr ssh 1 , | |
121 | .Xr ssh-add 1 , | |
122 | .Xr ssh-keygen 1 , | |
123 | .Xr sshd 8 , | |
124 | .Xr ssl 8 |