version 1, including all changes.
.
| Rev |
Author |
# |
Line |
| 1 |
perry |
1 |
---- |
| |
|
2 |
__NAME__ |
| |
|
3 |
|
| |
|
4 |
|
| |
|
5 |
ssh-agent - authentication agent |
| |
|
6 |
__SYNOPSIS__ |
| |
|
7 |
|
| |
|
8 |
|
| |
|
9 |
ssh-agent [[-c | -s] [[-d] [[command [[args ...]] |
| |
|
10 |
|
| |
|
11 |
|
| |
|
12 |
ssh-agent [[-c | -s] -k |
| |
|
13 |
__DESCRIPTION__ |
| |
|
14 |
|
| |
|
15 |
|
| |
|
16 |
ssh-agent is a program to hold private keys used for public |
| |
|
17 |
key authentication (RSA, DSA). The idea is that ssh-agent is |
| |
|
18 |
started in the beginning of an X-session or a login ses- |
| |
|
19 |
sion, and all other windows or programs are started as |
| |
|
20 |
clients to the ssh-agent program. Through use of environ- |
| |
|
21 |
ment variables the agent can be located and automatically |
| |
|
22 |
used for authentication when logging in to other machines |
| |
|
23 |
using ssh(1). |
| |
|
24 |
|
| |
|
25 |
|
| |
|
26 |
The options are as follows: |
| |
|
27 |
-c Generate C-shell commands on stdout |
| |
|
28 |
. This is the default if SHELL looks like it's |
| |
|
29 |
a csh style of shell. |
| |
|
30 |
|
| |
|
31 |
|
| |
|
32 |
-s |
| |
|
33 |
Generate Bourne shell commands on stdout. This is the default if SHELL does not look like it's a csh style of shell. |
| |
|
34 |
|
| |
|
35 |
|
| |
|
36 |
-k |
| |
|
37 |
Kill the current agent (given by the SSH_AGENT_PID |
| |
|
38 |
environment variable). |
| |
|
39 |
|
| |
|
40 |
|
| |
|
41 |
-d |
| |
|
42 |
Debug mode. When this option is specified ssh-agent will not |
| |
|
43 |
fork. |
| |
|
44 |
|
| |
|
45 |
|
| |
|
46 |
If a commandline is given, this is executed as a subprocess |
| |
|
47 |
of the agent. When the command dies, so does the |
| |
|
48 |
agent. |
| |
|
49 |
|
| |
|
50 |
|
| |
|
51 |
The agent initially does not have any private keys. Keys are |
| |
|
52 |
added using ssh-add(1). When executed without argu- |
| |
|
53 |
ments, ssh-add(1) adds the |
| |
|
54 |
$HOME/.ssh/identity file. If the identity has a |
| |
|
55 |
passphrase, ssh-add(1) asks for the passphrase |
| |
|
56 |
(using a small X11 application if running under X11, or from |
| |
|
57 |
the terminal if running without X). It then sends the |
| |
|
58 |
identity to the agent. Several identities can be stored in |
| |
|
59 |
the agent; the agent can automatically use any of these |
| |
|
60 |
identities. ssh-add -l displays the identities cur- rently |
| |
|
61 |
held by the agent. |
| |
|
62 |
|
| |
|
63 |
|
| |
|
64 |
The idea is that the agent is run in the user's local PC, |
| |
|
65 |
laptop, or terminal. Authentication data need not be stored |
| |
|
66 |
on any other machine, and authentication passphrases never |
| |
|
67 |
go over the network. However, the connection to the agent is |
| |
|
68 |
forwarded over SSH remote logins, and the user can thus use |
| |
|
69 |
the privileges given by the identities anywhere in the |
| |
|
70 |
network in a secure way. |
| |
|
71 |
|
| |
|
72 |
|
| |
|
73 |
There are two main ways to get an agent setup: Either the |
| |
|
74 |
agent starts a new subcommand into which some environment |
| |
|
75 |
variables are exported, or the agent prints the needed shell |
| |
|
76 |
commands (either sh(1) or csh(1) syntax |
| |
|
77 |
can be generated) which can be evalled in the calling shell. |
| |
|
78 |
Later ssh(1) looks at these variables and uses them |
| |
|
79 |
to establish a con- nection to the agent. |
| |
|
80 |
|
| |
|
81 |
|
| |
|
82 |
A unix-domain socket is created |
| |
|
83 |
(/tmp/ssh-XXXXXXXX/agent.), and the name |
| |
|
84 |
of this socket is stored in the SSH_AUTH_SOCK |
| |
|
85 |
environment variable. The socket is made accessible only to |
| |
|
86 |
the current user. This method is easily abused by root or |
| |
|
87 |
another instance of the same user. |
| |
|
88 |
|
| |
|
89 |
|
| |
|
90 |
The SSH_AGENT_PID environment variable holds the |
| |
|
91 |
agent's PID. |
| |
|
92 |
|
| |
|
93 |
|
| |
|
94 |
The agent exits automatically when the command given on the |
| |
|
95 |
command line terminates. |
| |
|
96 |
|
| |
|
97 |
|
| |
|
98 |
__FILES__ |
| |
|
99 |
$HOME/.ssh/identity |
| |
|
100 |
|
| |
|
101 |
|
| |
|
102 |
Contains the protocol version 1 RSA authentication identity |
| |
|
103 |
of the user. This file should not be read- able by anyone |
| |
|
104 |
but the user. It is possible to spec- ify a passphrase when |
| |
|
105 |
generating the key; that passphrase will be used to encrypt |
| |
|
106 |
the private part of this file. This file is not used by |
| |
|
107 |
ssh-agent but is normally added to the agent using |
| |
|
108 |
ssh-add(1) at login time. |
| |
|
109 |
|
| |
|
110 |
|
| |
|
111 |
$HOME/.ssh/id_dsa |
| |
|
112 |
Contains the protocol version 2 DSA authentication identity |
| |
|
113 |
of the user. |
| |
|
114 |
|
| |
|
115 |
|
| |
|
116 |
$HOME/.ssh/id_rsa |
| |
|
117 |
Contains the protocol version 2 RSA authentication identity |
| |
|
118 |
of the user. |
| |
|
119 |
|
| |
|
120 |
|
| |
|
121 |
/tmp/ssh-XXXXXXXX/agent. |
| |
|
122 |
Unix-domain sockets used to contain the connection to the |
| |
|
123 |
authentication agent. These sockets should only be readable |
| |
|
124 |
by the owner. The sockets should get automatically removed |
| |
|
125 |
when the agent exits. |
| |
|
126 |
|
| |
|
127 |
|
| |
|
128 |
__AUTHORS__ |
| |
|
129 |
|
| |
|
130 |
|
| |
|
131 |
OpenSSH is a derivative of the original and free ssh 1.2.12 |
| |
|
132 |
release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus |
| |
|
133 |
Friedl, Niels Provos, Theo de Raadt and Dug Song removed |
| |
|
134 |
many bugs, re-added newer features and created OpenSSH. |
| |
|
135 |
Markus Friedl contributed the support for SSH protocol ver- |
| |
|
136 |
sions 1.5 and 2.0. |
| |
|
137 |
__SEE ALSO__ |
| |
|
138 |
|
| |
|
139 |
|
| |
|
140 |
ssh(1), ssh-add(1), |
| |
|
141 |
ssh-keygen(1), sshd(8) |
| |
|
142 |
|
| |
|
143 |
|
| |
|
144 |
BSD September 25, 1999 1 |
| |
|
145 |
---- |
