Annotation of src/usr.bin/ssh/ssh-agent.1, Revision 1.26
1.26 ! stevesk 1: .\" $OpenBSD: ssh-agent.1,v 1.25 2001/06/26 04:07:06 markus Exp $
1.7 markus 2: .\"
1.16 deraadt 3: .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4: .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5: .\" All rights reserved
1.1 deraadt 6: .\"
1.16 deraadt 7: .\" As far as I am concerned, the code I have written for this software
8: .\" can be used freely for any purpose. Any derived versions of this
9: .\" software must be clearly marked as such, and if the derived work is
10: .\" incompatible with the protocol description in the RFC file, it must be
11: .\" called by a name other than "ssh" or "Secure Shell".
1.1 deraadt 12: .\"
1.22 deraadt 13: .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
14: .\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
15: .\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
1.8 deraadt 16: .\"
1.16 deraadt 17: .\" Redistribution and use in source and binary forms, with or without
18: .\" modification, are permitted provided that the following conditions
19: .\" are met:
20: .\" 1. Redistributions of source code must retain the above copyright
21: .\" notice, this list of conditions and the following disclaimer.
22: .\" 2. Redistributions in binary form must reproduce the above copyright
23: .\" notice, this list of conditions and the following disclaimer in the
24: .\" documentation and/or other materials provided with the distribution.
1.1 deraadt 25: .\"
1.16 deraadt 26: .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27: .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28: .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29: .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30: .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31: .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32: .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33: .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34: .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35: .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.1 deraadt 36: .\"
1.2 deraadt 37: .Dd September 25, 1999
38: .Dt SSH-AGENT 1
39: .Os
40: .Sh NAME
41: .Nm ssh-agent
42: .Nd authentication agent
43: .Sh SYNOPSIS
1.11 aaron 44: .Nm ssh-agent
1.18 markus 45: .Ar command
46: .Ar args ...
47: .Nm ssh-agent
1.7 markus 48: .Op Fl c Li | Fl s
1.18 markus 49: .Nm ssh-agent
50: .Fl k
1.25 markus 51: .Nm ssh-agent
52: .Fl d
1.11 aaron 53: .Sh DESCRIPTION
1.2 deraadt 54: .Nm
1.14 markus 55: is a program to hold private keys used for public key authentication
56: (RSA, DSA).
1.10 aaron 57: The idea is that
1.2 deraadt 58: .Nm
1.1 deraadt 59: is started in the beginning of an X-session or a login session, and
1.7 markus 60: all other windows or programs are started as clients to the ssh-agent
1.10 aaron 61: program.
62: Through use of environment variables the agent can be located
1.14 markus 63: and automatically used for authentication when logging in to other
1.1 deraadt 64: machines using
1.2 deraadt 65: .Xr ssh 1 .
66: .Pp
1.7 markus 67: The options are as follows:
68: .Bl -tag -width Ds
69: .It Fl c
70: Generate C-shell commands on
71: .Dv stdout .
72: This is the default if
73: .Ev SHELL
74: looks like it's a csh style of shell.
75: .It Fl s
76: Generate Bourne shell commands on
77: .Dv stdout .
78: This is the default if
79: .Ev SHELL
80: does not look like it's a csh style of shell.
81: .It Fl k
82: Kill the current agent (given by the
83: .Ev SSH_AGENT_PID
84: environment variable).
1.25 markus 85: .It Fl d
86: Debug mode. When this option is specified
87: .Nm
1.26 ! stevesk 88: will not fork.
1.7 markus 89: .El
90: .Pp
91: If a commandline is given, this is executed as a subprocess of the agent.
92: When the command dies, so does the agent.
93: .Pp
1.10 aaron 94: The agent initially does not have any private keys.
95: Keys are added using
1.2 deraadt 96: .Xr ssh-add 1 .
1.11 aaron 97: When executed without arguments,
1.2 deraadt 98: .Xr ssh-add 1
1.11 aaron 99: adds the
1.2 deraadt 100: .Pa $HOME/.ssh/identity
1.10 aaron 101: file.
1.11 aaron 102: If the identity has a passphrase,
1.2 deraadt 103: .Xr ssh-add 1
1.1 deraadt 104: asks for the passphrase (using a small X11 application if running
1.10 aaron 105: under X11, or from the terminal if running without X).
106: It then sends the identity to the agent.
107: Several identities can be stored in the
1.1 deraadt 108: agent; the agent can automatically use any of these identities.
1.2 deraadt 109: .Ic ssh-add -l
1.1 deraadt 110: displays the identities currently held by the agent.
1.2 deraadt 111: .Pp
1.1 deraadt 112: The idea is that the agent is run in the user's local PC, laptop, or
1.10 aaron 113: terminal.
114: Authentication data need not be stored on any other
1.1 deraadt 115: machine, and authentication passphrases never go over the network.
1.2 deraadt 116: However, the connection to the agent is forwarded over SSH
1.1 deraadt 117: remote logins, and the user can thus use the privileges given by the
118: identities anywhere in the network in a secure way.
1.2 deraadt 119: .Pp
1.10 aaron 120: There are two main ways to get an agent setup:
121: Either you let the agent
1.7 markus 122: start a new subcommand into which some environment variables are exported, or
123: you let the agent print the needed shell commands (either
124: .Xr sh 1
125: or
126: .Xr csh 1
127: syntax can be generated) which can be evalled in the calling shell.
128: Later
129: .Xr ssh 1
1.23 deraadt 130: looks at these variables and uses them to establish a connection to the agent.
1.7 markus 131: .Pp
1.4 markus 132: A unix-domain socket is created
1.7 markus 133: .Pq Pa /tmp/ssh-XXXXXXXX/agent.<pid> ,
1.2 deraadt 134: and the name of this socket is stored in the
1.5 markus 135: .Ev SSH_AUTH_SOCK
1.1 deraadt 136: environment
1.10 aaron 137: variable.
138: The socket is made accessible only to the current user.
1.1 deraadt 139: This method is easily abused by root or another instance of the same
1.4 markus 140: user.
1.7 markus 141: .Pp
142: The
143: .Ev SSH_AGENT_PID
144: environment variable holds the agent's PID.
1.2 deraadt 145: .Pp
1.1 deraadt 146: The agent exits automatically when the command given on the command
147: line terminates.
1.2 deraadt 148: .Sh FILES
149: .Bl -tag -width Ds
150: .It Pa $HOME/.ssh/identity
1.24 itojun 151: Contains the protocol version 1 RSA authentication identity of the user.
1.10 aaron 152: This file should not be readable by anyone but the user.
153: It is possible to
1.1 deraadt 154: specify a passphrase when generating the key; that passphrase will be
1.10 aaron 155: used to encrypt the private part of this file.
156: This file is not used by
1.2 deraadt 157: .Nm
1.1 deraadt 158: but is normally added to the agent using
1.2 deraadt 159: .Xr ssh-add 1
1.1 deraadt 160: at login time.
1.14 markus 161: .It Pa $HOME/.ssh/id_dsa
1.24 itojun 162: Contains the protocol version 2 DSA authentication identity of the user.
163: .It Pa $HOME/.ssh/id_rsa
164: Contains the protocol version 2 RSA authentication identity of the user.
1.19 markus 165: .It Pa /tmp/ssh-XXXXXXXX/agent.<pid>
1.1 deraadt 166: Unix-domain sockets used to contain the connection to the
1.10 aaron 167: authentication agent.
168: These sockets should only be readable by the owner.
169: The sockets should get automatically removed when the agent exits.
1.13 aaron 170: .El
1.17 aaron 171: .Sh AUTHORS
1.20 markus 172: OpenSSH is a derivative of the original and free
173: ssh 1.2.12 release by Tatu Ylonen.
174: Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
175: Theo de Raadt and Dug Song
176: removed many bugs, re-added newer features and
177: created OpenSSH.
178: Markus Friedl contributed the support for SSH
179: protocol versions 1.5 and 2.0.
1.2 deraadt 180: .Sh SEE ALSO
181: .Xr ssh 1 ,
182: .Xr ssh-add 1 ,
183: .Xr ssh-keygen 1 ,
1.21 itojun 184: .Xr sshd 8