.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\" All rights reserved
.\" Created: Sat Apr 23 20:10:43 1995 ylo
.Dd September 25, 1999
.Nd authentication agent
is a program to hold authentication private keys. The
is started at the beginning of an X-session or a login session, and
all other windows or programs are started as children of the ssh-agent
normally starts X or is the user shell). Programs started under
the agent inherit a connection to the agent, and the agent is
automatically used for RSA authentication when logging in to other
The agent initially does not have any private keys. Keys are added
When executed without arguments,
.Pa $HOME/.ssh/identity
file. If the identity has a passphrase,
asks for the passphrase (using a small X11 application if running
under X11, or from the terminal if running without X). It then sends
the identity to the agent. Several identities can be stored in the
agent; the agent can automatically use any of these identities.
displays the identities currently held by the agent.
The idea is that the agent is run on the user's local PC, laptop, or
terminal. Authentication data need not be stored on any other
machine, and authentication passphrases never go over the network.
However, the connection to the agent is forwarded over SSH
remote logins, and the user can thus use the privileges given by the
identities anywhere in the network in a secure way.
A connection to the agent is inherited by child programs:
a Unix-domain socket is created
.Pq Pa /tmp/ssh-XXXX/agent.<pid> ,
and the name of this socket is stored in the
variable. The socket is made accessible only to the current user.
This method is easily abused by root or another instance of the same
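As an added example (not part of the original manual page or of the ssh distribution), a Python check a user or administrator can run against the socket path held in SSH_AUTH_SOCK to confirm it meets the permission rules stated above; the throwaway socket and temporary directory it creates are constructed stand-ins for /tmp/ssh-XXXX/agent.<pid>.

```python
import os
import socket
import stat
import tempfile

GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO  # bits granting access beyond the owner


def check_agent_socket(path, uid=None):
    """Return a list of problems with an agent socket path; empty list means OK.
    Mirrors the man page: a Unix-domain socket in a per-agent directory, both
    accessible only to the current user. lstat() makes a planted symlink fail."""
    uid = os.getuid() if uid is None else uid
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["socket path does not exist"]
    problems = []
    if not stat.S_ISSOCK(st.st_mode):
        problems.append("path is not a Unix-domain socket")
    if st.st_uid != uid:
        problems.append("socket owned by uid %d, not %d" % (st.st_uid, uid))
    if st.st_mode & GROUP_OR_OTHER:
        problems.append("socket mode %o grants group/other access" % stat.S_IMODE(st.st_mode))
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_uid != uid:
        problems.append("directory owned by uid %d, not %d" % (pst.st_uid, uid))
    if pst.st_mode & GROUP_OR_OTHER:
        problems.append("directory mode %o grants group/other access" % stat.S_IMODE(pst.st_mode))
    return problems


def demo():
    """Constructed scenario: bind a throwaway socket the way an agent would, in a
    temp directory standing in for /tmp/ssh-XXXX (mkdtemp creates it mode 0700)."""
    directory = tempfile.mkdtemp(prefix="ssh-")
    path = os.path.join(directory, "agent.%d" % os.getpid())
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
        os.chmod(path, 0o600)
        good = check_agent_socket(path)
        os.chmod(path, 0o666)  # world-accessible: any local user could talk to the agent
        bad = check_agent_socket(path)
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(directory)
    return good, bad
```

Run `check_agent_socket(os.environ["SSH_AUTH_SOCK"])` in a shell started under a real agent; an empty list is the expected result.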
The agent exits automatically when the command given on the command
.It Pa $HOME/.ssh/identity
Contains the RSA authentication identity of the user. This file
should not be readable by anyone but the user. It is possible to
specify a passphrase when generating the key; that passphrase will be
used to encrypt the private part of this file. This file
but is normally added to the agent using
.It Pa /tmp/ssh-XXXX/agent.<pid> ,
Unix-domain sockets used to contain the connection to the
authentication agent. These sockets should only be readable by the
owner. The sockets should get automatically removed when the agent
Tatu Ylonen <ylo@cs.hut.fi>
is a derivative of the original (free) ssh 1.2.12 release, but with bugs
removed and newer features re-added. Shortly after the 1.2.12 release,
newer versions bore successively more restrictive licenses. This version
has all components of a restrictive nature (i.e. patents, see
directly removed from the source code; any licensed or patented components
has been updated to support ssh protocol 1.5.
contains added support for
authentication and ticket passing.
supports one-time password authentication with
The libraries described in
are required for proper operation.