Annotation of src/usr.bin/ssh/ssh-agent.1, Revision 1.30
1.30 ! stevesk 1: .\" $OpenBSD: ssh-agent.1,v 1.29 2001/11/19 18:40:46 stevesk Exp $
1.7 markus 2: .\"
1.16 deraadt 3: .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4: .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5: .\" All rights reserved
1.1 deraadt 6: .\"
1.16 deraadt 7: .\" As far as I am concerned, the code I have written for this software
8: .\" can be used freely for any purpose. Any derived versions of this
9: .\" software must be clearly marked as such, and if the derived work is
10: .\" incompatible with the protocol description in the RFC file, it must be
11: .\" called by a name other than "ssh" or "Secure Shell".
1.1 deraadt 12: .\"
1.22 deraadt 13: .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
14: .\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
15: .\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
1.8 deraadt 16: .\"
1.16 deraadt 17: .\" Redistribution and use in source and binary forms, with or without
18: .\" modification, are permitted provided that the following conditions
19: .\" are met:
20: .\" 1. Redistributions of source code must retain the above copyright
21: .\" notice, this list of conditions and the following disclaimer.
22: .\" 2. Redistributions in binary form must reproduce the above copyright
23: .\" notice, this list of conditions and the following disclaimer in the
24: .\" documentation and/or other materials provided with the distribution.
1.1 deraadt 25: .\"
1.16 deraadt 26: .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27: .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28: .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29: .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30: .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31: .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32: .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33: .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34: .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35: .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.1 deraadt 36: .\"
1.2 deraadt 37: .Dd September 25, 1999
38: .Dt SSH-AGENT 1
39: .Os
40: .Sh NAME
41: .Nm ssh-agent
42: .Nd authentication agent
43: .Sh SYNOPSIS
1.11 aaron 44: .Nm ssh-agent
1.27 stevesk 45: .Op Fl c Li | Fl s
46: .Op Fl d
47: .Op Ar command Op Ar args ...
1.18 markus 48: .Nm ssh-agent
1.7 markus 49: .Op Fl c Li | Fl s
1.18 markus 50: .Fl k
1.11 aaron 51: .Sh DESCRIPTION
1.2 deraadt 52: .Nm
1.14 markus 53: is a program to hold private keys used for public key authentication
54: (RSA, DSA).
1.10 aaron 55: The idea is that
1.2 deraadt 56: .Nm
1.1 deraadt 57: is started in the beginning of an X-session or a login session, and
1.7 markus 58: all other windows or programs are started as clients to the ssh-agent
1.10 aaron 59: program.
60: Through use of environment variables the agent can be located
1.14 markus 61: and automatically used for authentication when logging in to other
1.1 deraadt 62: machines using
1.2 deraadt 63: .Xr ssh 1 .
64: .Pp
1.7 markus 65: The options are as follows:
66: .Bl -tag -width Ds
67: .It Fl c
68: Generate C-shell commands on
69: .Dv stdout .
70: This is the default if
71: .Ev SHELL
72: looks like it's a csh style of shell.
73: .It Fl s
74: Generate Bourne shell commands on
75: .Dv stdout .
76: This is the default if
77: .Ev SHELL
78: does not look like it's a csh style of shell.
79: .It Fl k
80: Kill the current agent (given by the
81: .Ev SSH_AGENT_PID
82: environment variable).
1.25 markus 83: .It Fl d
84: Debug mode. When this option is specified
85: .Nm
1.26 stevesk 86: will not fork.
1.7 markus 87: .El
88: .Pp
89: If a commandline is given, this is executed as a subprocess of the agent.
90: When the command dies, so does the agent.
91: .Pp
1.10 aaron 92: The agent initially does not have any private keys.
93: Keys are added using
1.2 deraadt 94: .Xr ssh-add 1 .
1.11 aaron 95: When executed without arguments,
1.2 deraadt 96: .Xr ssh-add 1
1.30 ! stevesk 97: adds the files
! 98: .Pa $HOME/.ssh/id_rsa ,
! 99: .Pa $HOME/.ssh/id_dsa
! 100: and
! 101: .Pa $HOME/.ssh/identity .
1.11 aaron 102: If the identity has a passphrase,
1.2 deraadt 103: .Xr ssh-add 1
1.1 deraadt 104: asks for the passphrase (using a small X11 application if running
1.10 aaron 105: under X11, or from the terminal if running without X).
106: It then sends the identity to the agent.
107: Several identities can be stored in the
1.1 deraadt 108: agent; the agent can automatically use any of these identities.
1.2 deraadt 109: .Ic ssh-add -l
1.1 deraadt 110: displays the identities currently held by the agent.
1.2 deraadt 111: .Pp
1.1 deraadt 112: The idea is that the agent is run in the user's local PC, laptop, or
1.10 aaron 113: terminal.
114: Authentication data need not be stored on any other
1.1 deraadt 115: machine, and authentication passphrases never go over the network.
1.2 deraadt 116: However, the connection to the agent is forwarded over SSH
1.1 deraadt 117: remote logins, and the user can thus use the privileges given by the
118: identities anywhere in the network in a secure way.
1.2 deraadt 119: .Pp
1.10 aaron 120: There are two main ways to get an agent setup:
1.28 deraadt 121: Either the agent starts a new subcommand into which some environment
122: variables are exported, or the agent prints the needed shell commands
123: (either
1.7 markus 124: .Xr sh 1
125: or
126: .Xr csh 1
127: syntax can be generated) which can be evalled in the calling shell.
128: Later
129: .Xr ssh 1
1.23 deraadt 130: looks at these variables and uses them to establish a connection to the agent.
1.29 stevesk 131: .Pp
132: The agent will never send a private key over its request channel.
133: Instead, operations that require a private key will be performed
134: by the agent, and the result will be returned to the requester.
135: This way, private keys are not exposed to clients using the agent.
1.7 markus 136: .Pp
1.4 markus 137: A unix-domain socket is created
1.7 markus 138: .Pq Pa /tmp/ssh-XXXXXXXX/agent.<pid> ,
1.2 deraadt 139: and the name of this socket is stored in the
1.5 markus 140: .Ev SSH_AUTH_SOCK
1.1 deraadt 141: environment
1.10 aaron 142: variable.
143: The socket is made accessible only to the current user.
1.1 deraadt 144: This method is easily abused by root or another instance of the same
1.4 markus 145: user.
1.7 markus 146: .Pp
147: The
148: .Ev SSH_AGENT_PID
149: environment variable holds the agent's PID.
1.2 deraadt 150: .Pp
1.1 deraadt 151: The agent exits automatically when the command given on the command
152: line terminates.
1.2 deraadt 153: .Sh FILES
154: .Bl -tag -width Ds
155: .It Pa $HOME/.ssh/identity
1.24 itojun 156: Contains the protocol version 1 RSA authentication identity of the user.
1.10 aaron 157: This file should not be readable by anyone but the user.
158: It is possible to
1.1 deraadt 159: specify a passphrase when generating the key; that passphrase will be
1.10 aaron 160: used to encrypt the private part of this file.
161: This file is not used by
1.2 deraadt 162: .Nm
1.1 deraadt 163: but is normally added to the agent using
1.2 deraadt 164: .Xr ssh-add 1
1.1 deraadt 165: at login time.
1.14 markus 166: .It Pa $HOME/.ssh/id_dsa
1.24 itojun 167: Contains the protocol version 2 DSA authentication identity of the user.
168: .It Pa $HOME/.ssh/id_rsa
169: Contains the protocol version 2 RSA authentication identity of the user.
1.19 markus 170: .It Pa /tmp/ssh-XXXXXXXX/agent.<pid>
1.1 deraadt 171: Unix-domain sockets used to contain the connection to the
1.10 aaron 172: authentication agent.
173: These sockets should only be readable by the owner.
174: The sockets should get automatically removed when the agent exits.
1.13 aaron 175: .El
1.17 aaron 176: .Sh AUTHORS
1.20 markus 177: OpenSSH is a derivative of the original and free
178: ssh 1.2.12 release by Tatu Ylonen.
179: Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
180: Theo de Raadt and Dug Song
181: removed many bugs, re-added newer features and
182: created OpenSSH.
183: Markus Friedl contributed the support for SSH
184: protocol versions 1.5 and 2.0.
1.2 deraadt 185: .Sh SEE ALSO
186: .Xr ssh 1 ,
187: .Xr ssh-add 1 ,
188: .Xr ssh-keygen 1 ,
1.21 itojun 189: .Xr sshd 8
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh-agent.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh