| version 1.67, 2019/11/19 16:02:32 |
version 1.68, 2019/11/28 12:23:25 |
|
|
| .Fl k |
.Fl k |
| .Sh DESCRIPTION |
.Sh DESCRIPTION |
| .Nm |
.Nm |
| is a program to hold private keys used for public key authentication |
is a program to hold private keys used for public key authentication. |
| (RSA, DSA, ECDSA, Ed25519). |
|
| .Nm |
|
| is usually started in the beginning of an X-session or a login session, and |
|
| all other windows or programs are started as clients to the ssh-agent |
|
| program. |
|
| Through use of environment variables the agent can be located |
Through use of environment variables the agent can be located |
| and automatically used for authentication when logging in to other |
and automatically used for authentication when logging in to other |
| machines using |
machines using |
| .Xr ssh 1 . |
.Xr ssh 1 . |
| .Pp |
.Pp |
| The agent initially does not have any private keys. |
|
| Keys are added using |
|
| .Xr ssh 1 |
|
| (see |
|
| .Cm AddKeysToAgent |
|
| in |
|
| .Xr ssh_config 5 |
|
| for details) |
|
| or |
|
| .Xr ssh-add 1 . |
|
| Multiple identities may be stored in |
|
| .Nm |
|
| concurrently and |
|
| .Xr ssh 1 |
|
| will automatically use them if present. |
|
| .Xr ssh-add 1 |
|
| is also used to remove keys from |
|
| .Nm |
|
| and to query the keys that are held in one. |
|
| .Pp |
|
| The options are as follows: |
The options are as follows: |
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
| .It Fl a Ar bind_address |
.It Fl a Ar bind_address |
|
|
| .It Fl P Ar provider_whitelist |
.It Fl P Ar provider_whitelist |
| Specify a pattern-list of acceptable paths for PKCS#11 and security key shared |
Specify a pattern-list of acceptable paths for PKCS#11 and security key shared |
| libraries that may be used with the |
libraries that may be used with the |
| .Fl s |
|
| or |
|
| .Fl S |
.Fl S |
| |
or |
| |
.Fl s |
| options to |
options to |
| .Xr ssh-add 1 . |
.Xr ssh-add 1 . |
| The default is to allow loading libraries from |
|
| .Dq /usr/lib/*,/usr/local/lib/* . |
|
| Libraries that do not match the whitelist will be refused. |
Libraries that do not match the whitelist will be refused. |
| See PATTERNS in |
See PATTERNS in |
| .Xr ssh_config 5 |
.Xr ssh_config 5 |
| for a description of pattern-list syntax. |
for a description of pattern-list syntax. |
| |
The default whitelist is |
| |
.Dq /usr/lib/*,/usr/local/lib/* . |
| .It Fl s |
.It Fl s |
| Generate Bourne shell commands on |
Generate Bourne shell commands on |
| .Dv stdout . |
.Dv stdout . |
|
|
| .Xr ssh-add 1 |
.Xr ssh-add 1 |
| overrides this value. |
overrides this value. |
| Without this option the default maximum lifetime is forever. |
Without this option the default maximum lifetime is forever. |
| |
.It Ar command Op Ar arg ... |
| |
If a command (and optional arguments) is given, |
| |
this is executed as a subprocess of the agent. |
| |
The agent exits automatically when the command given on the command |
| |
line terminates. |
| .El |
.El |
| .Pp |
.Pp |
| If a command line is given, this is executed as a subprocess of the agent. |
There are two main ways to get an agent set up. |
| When the command dies, so does the agent. |
The first is at the start of an X session, |
| |
where all other windows or programs are started as children of the |
| |
.Nm |
| |
program. |
| |
The agent starts a command under which its environment |
| |
variables are exported, for example |
| |
.Cm ssh-agent xterm & . |
| |
When the command terminates, so does the agent. |
| .Pp |
.Pp |
| The idea is that the agent is run in the user's local PC, laptop, or |
The second method is used for a login session. |
| terminal. |
When |
| Authentication data need not be stored on any other |
.Nm |
| machine, and authentication passphrases never go over the network. |
is started, |
| However, the connection to the agent is forwarded over SSH |
it prints the shell commands required to set its environment variables, |
| remote logins, and the user can thus use the privileges given by the |
which in turn can be evaluated in the calling shell, for example |
| identities anywhere in the network in a secure way. |
.Cm eval `ssh-agent -s` . |
| .Pp |
.Pp |
| There are two main ways to get an agent set up: |
In both cases, |
| The first is that the agent starts a new subcommand into which some environment |
.Xr ssh 1 |
| variables are exported, eg |
looks at these environment variables and uses them to establish a connection to the agent. |
| .Cm ssh-agent xterm & . |
|
| The second is that the agent prints the needed shell commands (either |
|
| .Xr sh 1 |
|
| or |
|
| .Xr csh 1 |
|
| syntax can be generated) which can be evaluated in the calling shell, eg |
|
| .Cm eval `ssh-agent -s` |
|
| for Bourne-type shells such as |
|
| .Xr sh 1 |
|
| or |
|
| .Xr ksh 1 |
|
| and |
|
| .Cm eval `ssh-agent -c` |
|
| for |
|
| .Xr csh 1 |
|
| and derivatives. |
|
| .Pp |
.Pp |
| Later |
The agent initially does not have any private keys. |
| |
Keys are added using |
| |
.Xr ssh-add 1 |
| |
or by |
| .Xr ssh 1 |
.Xr ssh 1 |
| looks at these variables and uses them to establish a connection to the agent. |
when |
| |
.Cm AddKeysToAgent |
| |
is set in |
| |
.Xr ssh_config 5 . |
| |
Multiple identities may be stored in |
| |
.Nm |
| |
concurrently and |
| |
.Xr ssh 1 |
| |
will automatically use them if present. |
| |
.Xr ssh-add 1 |
| |
is also used to remove keys from |
| |
.Nm |
| |
and to query the keys that are held in one. |
| .Pp |
.Pp |
| The agent will never send a private key over its request channel. |
Connections to |
| Instead, operations that require a private key will be performed |
.Nm |
| by the agent, and the result will be returned to the requester. |
may be forwarded from further remote hosts using the |
| This way, private keys are not exposed to clients using the agent. |
.Fl A |
| .Pp |
option to |
| A |
.Xr ssh 1 |
| |
(but see the caveats documented therein), |
| |
avoiding the need for authentication data to be stored on other machines. |
| |
Authentication passphrases and private keys never go over the network: |
| |
the connection to the agent is forwarded over SSH remote connections |
| |
and the result is returned to the requester, |
| |
allowing the user access to their identities anywhere in the network |
| |
in a secure fashion. |
| |
.Sh ENVIRONMENT |
| |
.Bl -tag -width "SSH_AGENT_PID" |
| |
.It Ev SSH_AGENT_PID |
| |
When |
| |
.Nm |
| |
starts, it stores the name of the agent's process ID (PID) in this variable. |
| |
.It Ev SSH_AUTH_SOCK |
| |
When |
| |
.Nm |
| |
starts, it creates a |
| .Ux Ns -domain |
.Ux Ns -domain |
| socket is created and the name of this socket is stored in the |
socket and stores its pathname in this variable. |
| .Ev SSH_AUTH_SOCK |
It is accessible only to the current user, |
| environment |
but is easily abused by root or another instance of the same user. |
| variable. |
.El |
| The socket is made accessible only to the current user. |
|
| This method is easily abused by root or another instance of the same |
|
| user. |
|
| .Pp |
|
| The |
|
| .Ev SSH_AGENT_PID |
|
| environment variable holds the agent's process ID. |
|
| .Pp |
|
| The agent exits automatically when the command given on the command |
|
| line terminates. |
|
| .Sh FILES |
.Sh FILES |
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
| .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid> |
.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid> |
|
|
| .Xr ssh 1 , |
.Xr ssh 1 , |
| .Xr ssh-add 1 , |
.Xr ssh-add 1 , |
| .Xr ssh-keygen 1 , |
.Xr ssh-keygen 1 , |
| |
.Xr ssh_config 5 , |
| .Xr sshd 8 |
.Xr sshd 8 |
| .Sh AUTHORS |
.Sh AUTHORS |
| .An -nosplit |
.An -nosplit |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh-agent.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh