=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-agent.1,v retrieving revision 1.16.2.5 retrieving revision 1.16.2.6 diff -u -r1.16.2.5 -r1.16.2.6 --- src/usr.bin/ssh/ssh-agent.1 2001/09/27 00:15:42 1.16.2.5 +++ src/usr.bin/ssh/ssh-agent.1 2002/03/08 17:04:43 1.16.2.6 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.16.2.5 2001/09/27 00:15:42 miod Exp $ +.\" $OpenBSD: ssh-agent.1,v 1.16.2.6 2002/03/08 17:04:43 brad Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -94,9 +94,11 @@ .Xr ssh-add 1 . When executed without arguments, .Xr ssh-add 1 -adds the -.Pa $HOME/.ssh/identity -file. +adds the files +.Pa $HOME/.ssh/id_rsa , +.Pa $HOME/.ssh/id_dsa +and +.Pa $HOME/.ssh/identity . If the identity has a passphrase, .Xr ssh-add 1 asks for the passphrase (using a small X11 application if running @@ -127,6 +129,11 @@ .Xr ssh 1 looks at these variables and uses them to establish a connection to the agent. .Pp +The agent will never send a private key over its request channel. +Instead, operations that require a private key will be performed +by the agent, and the result will be returned to the requester. +This way, private keys are not exposed to clients using the agent. +.Pp A unix-domain socket is created .Pq Pa /tmp/ssh-XXXXXXXX/agent. , and the name of this socket is stored in the @@ -147,15 +154,6 @@ .Bl -tag -width Ds .It Pa $HOME/.ssh/identity Contains the protocol version 1 RSA authentication identity of the user. -This file should not be readable by anyone but the user. -It is possible to -specify a passphrase when generating the key; that passphrase will be -used to encrypt the private part of this file. -This file is not used by -.Nm -but is normally added to the agent using -.Xr ssh-add 1 -at login time. .It Pa $HOME/.ssh/id_dsa Contains the protocol version 2 DSA authentication identity of the user. .It Pa $HOME/.ssh/id_rsa