Annotation of src/usr.bin/ssh/ssh-agent.1, Revision 1.42.2.1
1.42.2.1! brad 1: .\" $OpenBSD: ssh-agent.1,v 1.43 2005/11/28 06:02:56 dtucker Exp $
1.7 markus 2: .\"
1.16 deraadt 3: .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4: .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5: .\" All rights reserved
1.1 deraadt 6: .\"
1.16 deraadt 7: .\" As far as I am concerned, the code I have written for this software
8: .\" can be used freely for any purpose. Any derived versions of this
9: .\" software must be clearly marked as such, and if the derived work is
10: .\" incompatible with the protocol description in the RFC file, it must be
11: .\" called by a name other than "ssh" or "Secure Shell".
1.1 deraadt 12: .\"
1.22 deraadt 13: .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
14: .\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
15: .\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
1.8 deraadt 16: .\"
1.16 deraadt 17: .\" Redistribution and use in source and binary forms, with or without
18: .\" modification, are permitted provided that the following conditions
19: .\" are met:
20: .\" 1. Redistributions of source code must retain the above copyright
21: .\" notice, this list of conditions and the following disclaimer.
22: .\" 2. Redistributions in binary form must reproduce the above copyright
23: .\" notice, this list of conditions and the following disclaimer in the
24: .\" documentation and/or other materials provided with the distribution.
1.1 deraadt 25: .\"
1.16 deraadt 26: .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27: .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28: .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29: .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30: .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31: .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32: .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33: .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34: .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35: .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.1 deraadt 36: .\"
1.2 deraadt 37: .Dd September 25, 1999
38: .Dt SSH-AGENT 1
39: .Os
40: .Sh NAME
41: .Nm ssh-agent
42: .Nd authentication agent
43: .Sh SYNOPSIS
1.11 aaron 44: .Nm ssh-agent
1.32 markus 45: .Op Fl a Ar bind_address
1.27 stevesk 46: .Op Fl c Li | Fl s
1.36 marc 47: .Op Fl t Ar life
1.27 stevesk 48: .Op Fl d
49: .Op Ar command Op Ar args ...
1.18 markus 50: .Nm ssh-agent
1.7 markus 51: .Op Fl c Li | Fl s
1.18 markus 52: .Fl k
1.11 aaron 53: .Sh DESCRIPTION
1.2 deraadt 54: .Nm
1.14 markus 55: is a program to hold private keys used for public key authentication
56: (RSA, DSA).
1.10 aaron 57: The idea is that
1.2 deraadt 58: .Nm
1.1 deraadt 59: is started in the beginning of an X-session or a login session, and
1.7 markus 60: all other windows or programs are started as clients to the ssh-agent
1.10 aaron 61: program.
62: Through use of environment variables the agent can be located
1.14 markus 63: and automatically used for authentication when logging in to other
1.1 deraadt 64: machines using
1.2 deraadt 65: .Xr ssh 1 .
66: .Pp
1.7 markus 67: The options are as follows:
68: .Bl -tag -width Ds
1.32 markus 69: .It Fl a Ar bind_address
70: Bind the agent to the unix-domain socket
71: .Ar bind_address .
72: The default is
1.42.2.1! brad 73: .Pa /tmp/ssh-XXXXXXXXXX/agent.<ppid> .
1.7 markus 74: .It Fl c
75: Generate C-shell commands on
76: .Dv stdout .
77: This is the default if
78: .Ev SHELL
79: looks like it's a csh style of shell.
80: .It Fl s
81: Generate Bourne shell commands on
82: .Dv stdout .
83: This is the default if
84: .Ev SHELL
85: does not look like it's a csh style of shell.
86: .It Fl k
87: Kill the current agent (given by the
88: .Ev SSH_AGENT_PID
89: environment variable).
1.36 marc 90: .It Fl t Ar life
1.37 jmc 91: Set a default value for the maximum lifetime of identities added to the agent.
1.36 marc 92: The lifetime may be specified in seconds or in a time format specified in
1.42.2.1! brad 93: .Xr sshd_config 5 .
1.36 marc 94: A lifetime specified for an identity with
95: .Xr ssh-add 1
96: overrides this value.
97: Without this option the default maximum lifetime is forever.
1.25 markus 98: .It Fl d
1.37 jmc 99: Debug mode.
100: When this option is specified
1.25 markus 101: .Nm
1.26 stevesk 102: will not fork.
1.7 markus 103: .El
104: .Pp
105: If a commandline is given, this is executed as a subprocess of the agent.
106: When the command dies, so does the agent.
107: .Pp
1.10 aaron 108: The agent initially does not have any private keys.
109: Keys are added using
1.2 deraadt 110: .Xr ssh-add 1 .
1.11 aaron 111: When executed without arguments,
1.2 deraadt 112: .Xr ssh-add 1
1.30 stevesk 113: adds the files
1.42 djm 114: .Pa ~/.ssh/id_rsa ,
115: .Pa ~/.ssh/id_dsa
1.30 stevesk 116: and
1.42 djm 117: .Pa ~/.ssh/identity .
1.11 aaron 118: If the identity has a passphrase,
1.2 deraadt 119: .Xr ssh-add 1
1.1 deraadt 120: asks for the passphrase (using a small X11 application if running
1.10 aaron 121: under X11, or from the terminal if running without X).
122: It then sends the identity to the agent.
123: Several identities can be stored in the
1.1 deraadt 124: agent; the agent can automatically use any of these identities.
1.2 deraadt 125: .Ic ssh-add -l
1.1 deraadt 126: displays the identities currently held by the agent.
1.2 deraadt 127: .Pp
1.1 deraadt 128: The idea is that the agent is run in the user's local PC, laptop, or
1.10 aaron 129: terminal.
130: Authentication data need not be stored on any other
1.1 deraadt 131: machine, and authentication passphrases never go over the network.
1.2 deraadt 132: However, the connection to the agent is forwarded over SSH
1.1 deraadt 133: remote logins, and the user can thus use the privileges given by the
134: identities anywhere in the network in a secure way.
1.2 deraadt 135: .Pp
1.38 jmc 136: There are two main ways to get an agent set up:
1.40 dtucker 137: The first is that the agent starts a new subcommand into which some environment
138: variables are exported, eg
139: .Cm ssh-agent xterm & .
140: The second is that the agent prints the needed shell commands (either
1.7 markus 141: .Xr sh 1
142: or
143: .Xr csh 1
1.40 dtucker 144: syntax can be generated) which can be evalled in the calling shell, eg
145: .Cm eval `ssh-agent -s`
146: for Bourne-type shells such as
147: .Xr sh 1
148: or
149: .Xr ksh 1
150: and
1.41 deraadt 151: .Cm eval `ssh-agent -c`
1.40 dtucker 152: for
153: .Xr csh 1
154: and derivatives.
155: .Pp
1.7 markus 156: Later
157: .Xr ssh 1
1.23 deraadt 158: looks at these variables and uses them to establish a connection to the agent.
1.29 stevesk 159: .Pp
160: The agent will never send a private key over its request channel.
161: Instead, operations that require a private key will be performed
162: by the agent, and the result will be returned to the requester.
163: This way, private keys are not exposed to clients using the agent.
1.7 markus 164: .Pp
1.4 markus 165: A unix-domain socket is created
1.2 deraadt 166: and the name of this socket is stored in the
1.5 markus 167: .Ev SSH_AUTH_SOCK
1.1 deraadt 168: environment
1.10 aaron 169: variable.
170: The socket is made accessible only to the current user.
1.1 deraadt 171: This method is easily abused by root or another instance of the same
1.4 markus 172: user.
1.7 markus 173: .Pp
174: The
175: .Ev SSH_AGENT_PID
1.34 stevesk 176: environment variable holds the agent's process ID.
1.2 deraadt 177: .Pp
1.1 deraadt 178: The agent exits automatically when the command given on the command
179: line terminates.
1.2 deraadt 180: .Sh FILES
181: .Bl -tag -width Ds
1.42 djm 182: .It Pa ~/.ssh/identity
1.24 itojun 183: Contains the protocol version 1 RSA authentication identity of the user.
1.42 djm 184: .It Pa ~/.ssh/id_dsa
1.24 itojun 185: Contains the protocol version 2 DSA authentication identity of the user.
1.42 djm 186: .It Pa ~/.ssh/id_rsa
1.24 itojun 187: Contains the protocol version 2 RSA authentication identity of the user.
1.42.2.1! brad 188: .It Pa /tmp/ssh-XXXXXXXXXX/agent.<ppid>
1.1 deraadt 189: Unix-domain sockets used to contain the connection to the
1.10 aaron 190: authentication agent.
191: These sockets should only be readable by the owner.
192: The sockets should get automatically removed when the agent exits.
1.13 aaron 193: .El
1.39 jmc 194: .Sh SEE ALSO
195: .Xr ssh 1 ,
196: .Xr ssh-add 1 ,
197: .Xr ssh-keygen 1 ,
198: .Xr sshd 8
1.17 aaron 199: .Sh AUTHORS
1.20 markus 200: OpenSSH is a derivative of the original and free
201: ssh 1.2.12 release by Tatu Ylonen.
202: Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
203: Theo de Raadt and Dug Song
204: removed many bugs, re-added newer features and
205: created OpenSSH.
206: Markus Friedl contributed the support for SSH
207: protocol versions 1.5 and 2.0.
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh-agent.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh