Annotation of src/usr.bin/ssh/ssh-agent.1, Revision 1.27
1.27 ! stevesk 1: .\" $OpenBSD: ssh-agent.1,v 1.26 2001/07/15 16:57:21 stevesk Exp $
1.7 markus 2: .\"
1.16 deraadt 3: .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4: .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5: .\" All rights reserved
1.1 deraadt 6: .\"
1.16 deraadt 7: .\" As far as I am concerned, the code I have written for this software
8: .\" can be used freely for any purpose. Any derived versions of this
9: .\" software must be clearly marked as such, and if the derived work is
10: .\" incompatible with the protocol description in the RFC file, it must be
11: .\" called by a name other than "ssh" or "Secure Shell".
1.1 deraadt 12: .\"
1.22 deraadt 13: .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
14: .\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
15: .\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
1.8 deraadt 16: .\"
1.16 deraadt 17: .\" Redistribution and use in source and binary forms, with or without
18: .\" modification, are permitted provided that the following conditions
19: .\" are met:
20: .\" 1. Redistributions of source code must retain the above copyright
21: .\" notice, this list of conditions and the following disclaimer.
22: .\" 2. Redistributions in binary form must reproduce the above copyright
23: .\" notice, this list of conditions and the following disclaimer in the
24: .\" documentation and/or other materials provided with the distribution.
1.1 deraadt 25: .\"
1.16 deraadt 26: .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27: .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28: .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29: .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30: .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31: .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32: .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33: .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34: .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35: .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.1 deraadt 36: .\"
1.2 deraadt 37: .Dd September 25, 1999
38: .Dt SSH-AGENT 1
39: .Os
40: .Sh NAME
41: .Nm ssh-agent
42: .Nd authentication agent
43: .Sh SYNOPSIS
1.11 aaron 44: .Nm ssh-agent
1.27 ! stevesk 45: .Op Fl c Li | Fl s
! 46: .Op Fl d
! 47: .Op Ar command Op Ar args ...
1.18 markus 48: .Nm ssh-agent
1.7 markus 49: .Op Fl c Li | Fl s
1.18 markus 50: .Fl k
1.11 aaron 51: .Sh DESCRIPTION
1.2 deraadt 52: .Nm
1.14 markus 53: is a program to hold private keys used for public key authentication
54: (RSA, DSA).
1.10 aaron 55: The idea is that
1.2 deraadt 56: .Nm
1.1 deraadt 57: is started in the beginning of an X-session or a login session, and
1.7 markus 58: all other windows or programs are started as clients to the ssh-agent
1.10 aaron 59: program.
60: Through use of environment variables the agent can be located
1.14 markus 61: and automatically used for authentication when logging in to other
1.1 deraadt 62: machines using
1.2 deraadt 63: .Xr ssh 1 .
64: .Pp
1.7 markus 65: The options are as follows:
66: .Bl -tag -width Ds
67: .It Fl c
68: Generate C-shell commands on
69: .Dv stdout .
70: This is the default if
71: .Ev SHELL
72: looks like it's a csh style of shell.
73: .It Fl s
74: Generate Bourne shell commands on
75: .Dv stdout .
76: This is the default if
77: .Ev SHELL
78: does not look like it's a csh style of shell.
79: .It Fl k
80: Kill the current agent (given by the
81: .Ev SSH_AGENT_PID
82: environment variable).
1.25 markus 83: .It Fl d
84: Debug mode. When this option is specified
85: .Nm
1.26 stevesk 86: will not fork.
1.7 markus 87: .El
88: .Pp
89: If a commandline is given, this is executed as a subprocess of the agent.
90: When the command dies, so does the agent.
91: .Pp
1.10 aaron 92: The agent initially does not have any private keys.
93: Keys are added using
1.2 deraadt 94: .Xr ssh-add 1 .
1.11 aaron 95: When executed without arguments,
1.2 deraadt 96: .Xr ssh-add 1
1.11 aaron 97: adds the
1.2 deraadt 98: .Pa $HOME/.ssh/identity
1.10 aaron 99: file.
1.11 aaron 100: If the identity has a passphrase,
1.2 deraadt 101: .Xr ssh-add 1
1.1 deraadt 102: asks for the passphrase (using a small X11 application if running
1.10 aaron 103: under X11, or from the terminal if running without X).
104: It then sends the identity to the agent.
105: Several identities can be stored in the
1.1 deraadt 106: agent; the agent can automatically use any of these identities.
1.2 deraadt 107: .Ic ssh-add -l
1.1 deraadt 108: displays the identities currently held by the agent.
1.2 deraadt 109: .Pp
1.1 deraadt 110: The idea is that the agent is run in the user's local PC, laptop, or
1.10 aaron 111: terminal.
112: Authentication data need not be stored on any other
1.1 deraadt 113: machine, and authentication passphrases never go over the network.
1.2 deraadt 114: However, the connection to the agent is forwarded over SSH
1.1 deraadt 115: remote logins, and the user can thus use the privileges given by the
116: identities anywhere in the network in a secure way.
1.2 deraadt 117: .Pp
1.10 aaron 118: There are two main ways to get an agent setup:
119: Either you let the agent
1.7 markus 120: start a new subcommand into which some environment variables are exported, or
121: you let the agent print the needed shell commands (either
122: .Xr sh 1
123: or
124: .Xr csh 1
125: syntax can be generated) which can be evalled in the calling shell.
126: Later
127: .Xr ssh 1
1.23 deraadt 128: looks at these variables and uses them to establish a connection to the agent.
1.7 markus 129: .Pp
1.4 markus 130: A unix-domain socket is created
1.7 markus 131: .Pq Pa /tmp/ssh-XXXXXXXX/agent.<pid> ,
1.2 deraadt 132: and the name of this socket is stored in the
1.5 markus 133: .Ev SSH_AUTH_SOCK
1.1 deraadt 134: environment
1.10 aaron 135: variable.
136: The socket is made accessible only to the current user.
1.1 deraadt 137: This method is easily abused by root or another instance of the same
1.4 markus 138: user.
1.7 markus 139: .Pp
140: The
141: .Ev SSH_AGENT_PID
142: environment variable holds the agent's PID.
1.2 deraadt 143: .Pp
1.1 deraadt 144: The agent exits automatically when the command given on the command
145: line terminates.
1.2 deraadt 146: .Sh FILES
147: .Bl -tag -width Ds
148: .It Pa $HOME/.ssh/identity
1.24 itojun 149: Contains the protocol version 1 RSA authentication identity of the user.
1.10 aaron 150: This file should not be readable by anyone but the user.
151: It is possible to
1.1 deraadt 152: specify a passphrase when generating the key; that passphrase will be
1.10 aaron 153: used to encrypt the private part of this file.
154: This file is not used by
1.2 deraadt 155: .Nm
1.1 deraadt 156: but is normally added to the agent using
1.2 deraadt 157: .Xr ssh-add 1
1.1 deraadt 158: at login time.
1.14 markus 159: .It Pa $HOME/.ssh/id_dsa
1.24 itojun 160: Contains the protocol version 2 DSA authentication identity of the user.
161: .It Pa $HOME/.ssh/id_rsa
162: Contains the protocol version 2 RSA authentication identity of the user.
1.19 markus 163: .It Pa /tmp/ssh-XXXXXXXX/agent.<pid>
1.1 deraadt 164: Unix-domain sockets used to contain the connection to the
1.10 aaron 165: authentication agent.
166: These sockets should only be readable by the owner.
167: The sockets should get automatically removed when the agent exits.
1.13 aaron 168: .El
1.17 aaron 169: .Sh AUTHORS
1.20 markus 170: OpenSSH is a derivative of the original and free
171: ssh 1.2.12 release by Tatu Ylonen.
172: Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
173: Theo de Raadt and Dug Song
174: removed many bugs, re-added newer features and
175: created OpenSSH.
176: Markus Friedl contributed the support for SSH
177: protocol versions 1.5 and 2.0.
1.2 deraadt 178: .Sh SEE ALSO
179: .Xr ssh 1 ,
180: .Xr ssh-add 1 ,
181: .Xr ssh-keygen 1 ,
1.21 itojun 182: .Xr sshd 8