-.\" $OpenBSD: ssh-agent.1,v 1.22 2001/03/02 18:54:31 deraadt Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.49 2009/10/22 15:02:12 sobrado Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd September 25, 1999
+.Dd $Mdocdate$
.Dt SSH-AGENT 1
.Os
.Sh NAME
.Nd authentication agent
.Sh SYNOPSIS
.Nm ssh-agent
-.Ar command
-.Ar args ...
-.Nm ssh-agent
.Op Fl c Li | Fl s
+.Op Fl d
+.Op Fl a Ar bind_address
+.Op Fl t Ar life
+.Op Ar command Op Ar arg ...
.Nm ssh-agent
+.Op Fl c Li | Fl s
.Fl k
.Sh DESCRIPTION
.Nm
.Pp
The options are as follows:
.Bl -tag -width Ds
+.It Fl a Ar bind_address
+Bind the agent to the
+.Ux Ns -domain
+socket
+.Ar bind_address .
+The default is
+.Pa /tmp/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt .
.It Fl c
Generate C-shell commands on
.Dv stdout .
This is the default if
.Ev SHELL
looks like it's a csh style of shell.
+.It Fl d
+Debug mode.
+When this option is specified
+.Nm
+will not fork.
+.It Fl k
+Kill the current agent (given by the
+.Ev SSH_AGENT_PID
+environment variable).
.It Fl s
Generate Bourne shell commands on
.Dv stdout .
This is the default if
.Ev SHELL
does not look like it's a csh style of shell.
-.It Fl k
-Kill the current agent (given by the
-.Ev SSH_AGENT_PID
-environment variable).
+.It Fl t Ar life
+Set a default value for the maximum lifetime of identities added to the agent.
+The lifetime may be specified in seconds or in a time format specified in
+.Xr sshd_config 5 .
+A lifetime specified for an identity with
+.Xr ssh-add 1
+overrides this value.
+Without this option the default maximum lifetime is forever.
.El
.Pp
If a commandline is given, this is executed as a subprocess of the agent.
.Xr ssh-add 1 .
When executed without arguments,
.Xr ssh-add 1
-adds the
-.Pa $HOME/.ssh/identity
-file.
+adds the files
+.Pa ~/.ssh/id_rsa ,
+.Pa ~/.ssh/id_dsa
+and
+.Pa ~/.ssh/identity .
If the identity has a passphrase,
.Xr ssh-add 1
asks for the passphrase (using a small X11 application if running
remote logins, and the user can thus use the privileges given by the
identities anywhere in the network in a secure way.
.Pp
-There are two main ways to get an agent setup:
-Either you let the agent
-start a new subcommand into which some environment variables are exported, or
-you let the agent print the needed shell commands (either
+There are two main ways to get an agent set up:
+The first is that the agent starts a new subcommand into which some environment
+variables are exported, eg
+.Cm ssh-agent xterm & .
+The second is that the agent prints the needed shell commands (either
+.Xr sh 1
+or
+.Xr csh 1
+syntax can be generated) which can be evaluated in the calling shell, eg
+.Cm eval `ssh-agent -s`
+for Bourne-type shells such as
.Xr sh 1
or
+.Xr ksh 1
+and
+.Cm eval `ssh-agent -c`
+for
.Xr csh 1
-syntax can be generated) which can be evalled in the calling shell.
+and derivatives.
+.Pp
Later
.Xr ssh 1
-look at these variables and use them to establish a connection to the agent.
+looks at these variables and uses them to establish a connection to the agent.
+.Pp
+The agent will never send a private key over its request channel.
+Instead, operations that require a private key will be performed
+by the agent, and the result will be returned to the requester.
+This way, private keys are not exposed to clients using the agent.
.Pp
-A unix-domain socket is created
-.Pq Pa /tmp/ssh-XXXXXXXX/agent.<pid> ,
-and the name of this socket is stored in the
+A
+.Ux Ns -domain
+socket is created and the name of this socket is stored in the
.Ev SSH_AUTH_SOCK
environment
variable.
.Pp
The
.Ev SSH_AGENT_PID
-environment variable holds the agent's PID.
+environment variable holds the agent's process ID.
.Pp
The agent exits automatically when the command given on the command
line terminates.
.Sh FILES
.Bl -tag -width Ds
-.It Pa $HOME/.ssh/identity
-Contains the RSA authentication identity of the user.
-This file should not be readable by anyone but the user.
-It is possible to
-specify a passphrase when generating the key; that passphrase will be
-used to encrypt the private part of this file.
-This file is not used by
-.Nm
-but is normally added to the agent using
-.Xr ssh-add 1
-at login time.
-.It Pa $HOME/.ssh/id_dsa
-Contains the DSA authentication identity of the user.
-.It Pa /tmp/ssh-XXXXXXXX/agent.<pid>
-Unix-domain sockets used to contain the connection to the
-authentication agent.
+.It Pa ~/.ssh/identity
+Contains the protocol version 1 RSA authentication identity of the user.
+.It Pa ~/.ssh/id_dsa
+Contains the protocol version 2 DSA authentication identity of the user.
+.It Pa ~/.ssh/id_rsa
+Contains the protocol version 2 RSA authentication identity of the user.
+.It Pa /tmp/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt
+.Ux Ns -domain
+sockets used to contain the connection to the authentication agent.
These sockets should only be readable by the owner.
The sockets should get automatically removed when the agent exits.
.El
+.Sh SEE ALSO
+.Xr ssh 1 ,
+.Xr ssh-add 1 ,
+.Xr ssh-keygen 1 ,
+.Xr sshd 8
.Sh AUTHORS
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
created OpenSSH.
Markus Friedl contributed the support for SSH
protocol versions 1.5 and 2.0.
-.Sh SEE ALSO
-.Xr ssh 1 ,
-.Xr ssh-add 1 ,
-.Xr ssh-keygen 1 ,
-.Xr sshd 8