Damien Miller | d4a8b7e | 1999-10-27 13:42:43 +1000 | [diff] [blame] | 1 | .\" -*- nroff -*- |
| 2 | .\" |
| 3 | .\" ssh-agent.1 |
| 4 | .\" |
| 5 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 6 | .\" |
| 7 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 8 | .\" All rights reserved |
| 9 | .\" |
| 10 | .\" Created: Sat Apr 23 20:10:43 1995 ylo |
| 11 | .\" |
Damien Miller | 0623076 | 1999-10-28 14:03:14 +1000 | [diff] [blame] | 12 | .\" $Id: openssh-agent.1,v 1.1 1999/10/28 04:03:14 damien Exp $ |
Damien Miller | d4a8b7e | 1999-10-27 13:42:43 +1000 | [diff] [blame] | 13 | .\" |
| 14 | .Dd September 25, 1999 |
| 15 | .Dt SSH-AGENT 1 |
| 16 | .Os |
| 17 | .Sh NAME |
| 18 | .Nm ssh-agent |
| 19 | .Nd authentication agent |
| 20 | .Sh SYNOPSIS |
| 21 | .Nm ssh-agent |
| 22 | .Ar command |
| 23 | .Sh DESCRIPTION |
| 24 | .Nm |
| 25 | is a program to hold authentication private keys. The |
| 26 | idea is that |
| 27 | .Nm |
| 28 | is started in the beginning of an X-session or a login session, and |
| 29 | all other windows or programs are started as children of the ssh-agent |
| 30 | program (the |
| 31 | .Ar command |
| 32 | normally starts X or is the user shell). Programs started under |
| 33 | the agent inherit a connection to the agent, and the agent is |
| 34 | automatically used for RSA authentication when logging to other |
| 35 | machines using |
| 36 | .Xr ssh 1 . |
| 37 | .Pp |
| 38 | The agent initially does not have any private keys. Keys are added |
| 39 | using |
| 40 | .Xr ssh-add 1 . |
| 41 | When executed without arguments, |
| 42 | .Xr ssh-add 1 |
| 43 | adds the |
| 44 | .Pa $HOME/.ssh/identity |
| 45 | file. If the identity has a passphrase, |
| 46 | .Xr ssh-add 1 |
| 47 | asks for the passphrase (using a small X11 application if running |
| 48 | under X11, or from the terminal if running without X). It then sends |
| 49 | the identity to the agent. Several identities can be stored in the |
| 50 | agent; the agent can automatically use any of these identities. |
| 51 | .Ic ssh-add -l |
| 52 | displays the identities currently held by the agent. |
| 53 | .Pp |
| 54 | The idea is that the agent is run in the user's local PC, laptop, or |
| 55 | terminal. Authentication data need not be stored on any other |
| 56 | machine, and authentication passphrases never go over the network. |
| 57 | However, the connection to the agent is forwarded over SSH |
| 58 | remote logins, and the user can thus use the privileges given by the |
| 59 | identities anywhere in the network in a secure way. |
| 60 | .Pp |
| 61 | A connection to the agent is inherited by child programs: |
| 62 | A unix-domain socket is created |
| 63 | .Pq Pa /tmp/ssh-XXXX/agent.<pid> , |
| 64 | and the name of this socket is stored in the |
| 65 | .Ev SSH_AUTH_SOCK |
| 66 | environment |
| 67 | variable. The socket is made accessible only to the current user. |
| 68 | This method is easily abused by root or another instance of the same |
| 69 | user. |
| 70 | .Pp |
| 71 | The agent exits automatically when the command given on the command |
| 72 | line terminates. |
| 73 | .Sh FILES |
| 74 | .Bl -tag -width Ds |
| 75 | .It Pa $HOME/.ssh/identity |
| 76 | Contains the RSA authentication identity of the user. This file |
| 77 | should not be readable by anyone but the user. It is possible to |
| 78 | specify a passphrase when generating the key; that passphrase will be |
| 79 | used to encrypt the private part of this file. This file |
| 80 | is not used by |
| 81 | .Nm |
| 82 | but is normally added to the agent using |
| 83 | .Xr ssh-add 1 |
| 84 | at login time. |
| 85 | .It Pa /tmp/ssh-XXXX/agent.<pid> , |
| 86 | Unix-domain sockets used to contain the connection to the |
| 87 | authentication agent. These sockets should only be readable by the |
| 88 | owner. The sockets should get automatically removed when the agent |
| 89 | exits. |
| 90 | .Sh AUTHOR |
| 91 | Tatu Ylonen <ylo@cs.hut.fi> |
| 92 | .Pp |
| 93 | OpenSSH |
| 94 | is a derivative of the original (free) ssh 1.2.12 release, but with bugs |
| 95 | removed and newer features re-added. Rapidly after the 1.2.12 release, |
| 96 | newer versions bore successively more restrictive licenses. This version |
| 97 | of OpenSSH |
| 98 | .Bl -bullet |
| 99 | .It |
| 100 | has all components of a restrictive nature (ie. patents, see |
| 101 | .Xr ssl 8 ) |
| 102 | directly removed from the source code; any licensed or patented components |
| 103 | are chosen from |
| 104 | external libraries. |
| 105 | .It |
| 106 | has been updated to support ssh protocol 1.5. |
| 107 | .It |
| 108 | contains added support for |
| 109 | .Xr kerberos 8 |
| 110 | authentication and ticket passing. |
| 111 | .It |
| 112 | supports one-time password authentication with |
| 113 | .Xr skey 1 . |
| 114 | .El |
| 115 | .Pp |
| 116 | The libraries described in |
| 117 | .Xr ssl 8 |
| 118 | are required for proper operation. |
| 119 | .Sh SEE ALSO |
| 120 | .Xr ssh 1 , |
| 121 | .Xr ssh-add 1 , |
| 122 | .Xr ssh-keygen 1 , |
| 123 | .Xr sshd 8 , |
| 124 | .Xr ssl 8 |