blob: df061df82ca63d0f0c29ce72595bb3296ccfe66e
Damien Miller d4a8b7e 1999-10-27 13:42:43 +1000
.\" -*- nroff -*-
2.\"
3.\" ssh-agent.1
4.\"
5.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
6.\"
7.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8.\" All rights reserved
9.\"
10.\" Created: Sat Apr 23 20:10:43 1995 ylo
11.\"
Damien Miller06230761999-10-28 14:03:14 +100012.\" $Id: openssh-agent.1,v 1.1 1999/10/28 04:03:14 damien Exp $
Damien Millerd4a8b7e1999-10-27 13:42:43 +100013.\"
.Dd September 25, 1999
.Dt SSH-AGENT 1
.Os
.Sh NAME
.Nm ssh-agent
.Nd authentication agent
.Sh SYNOPSIS
.Nm ssh-agent
.Ar command
.Sh DESCRIPTION
.Nm
is a program to hold authentication private keys.
The idea is that
.Nm
is started at the beginning of an X session or a login session, and
all other windows or programs are started as children of the ssh-agent
process (the
.Ar command
normally starts X or is the user's shell).
Programs started under the agent inherit a connection to it, and the
agent is automatically used for RSA authentication when logging in to
other machines using
.Xr ssh 1 .
.Pp
The agent initially does not have any private keys.
Keys are added using
.Xr ssh-add 1 .
When executed without arguments,
.Xr ssh-add 1
adds the
.Pa $HOME/.ssh/identity
file.
If the identity has a passphrase,
.Xr ssh-add 1
asks for the passphrase (using a small X11 application if running
under X11, or from the terminal if running without X).
It then sends the identity to the agent.
Several identities can be stored in the agent; the agent can
automatically use any of these identities.
.Ic ssh-add -l
displays the identities currently held by the agent.
.Pp
The idea is that the agent is run on the user's local PC, laptop, or
terminal.
Authentication data need not be stored on any other machine, and
authentication passphrases never go over the network.
However, the connection to the agent is forwarded over SSH remote
logins, and the user can thus use the privileges given by the
identities anywhere in the network in a secure way.
Note that a forwarded connection is subject to the same caveat as the
local socket described below: root on the remote host can use the
forwarded agent for as long as the login lasts.
.Pp
A connection to the agent is inherited by child programs:
A Unix-domain socket is created
.Pq Pa /tmp/ssh-XXXX/agent.<pid> ,
and the name of this socket is stored in the
.Ev SSH_AUTH_SOCK
environment variable.
The socket is made accessible only to the current user.
This method is easily abused by root or another process running as the
same user: anything that can connect to the socket can authenticate
with every key the agent holds, although the agent never hands out the
private keys themselves.
.Pp
The agent exits automatically when the command given on the command
line terminates.
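The following POSIX shell script is an added example and is not part of the original manual page or of the OpenSSH sources. It shows the session pattern described above (the agent started as the parent of the login shell, so that everything launched from that shell inherits SSH_AUTH_SOCK) together with the check a cautious user would make before trusting an inherited agent connection: that the socket named by SSH_AUTH_SOCK exists, is a Unix-domain socket, and that both the socket and its directory are owned by the current user and closed to everyone else. The function names, the return codes and the "directory must be mode 700" policy are the example's own assumptions, not something the manual page specifies.

```shell
#!/bin/sh
# Added example (not from the OpenSSH sources): start a session under
# ssh-agent(1) and sanity-check the inherited agent socket.

# Start the agent as the parent of the login shell (or of X), as the
# manual page describes.  Everything started from that shell inherits
# SSH_AUTH_SOCK, and the agent exits when the shell exits.
start_agent_session() {
    exec ssh-agent "${SHELL:-/bin/sh}"
}

# agent_socket_check SOCKET_PATH
# Returns 0 when SOCKET_PATH looks like a private, usable agent socket.
# Non-zero codes (chosen for this example) say what failed:
#   1  path is empty (SSH_AUTH_SOCK not set, i.e. not running under the agent)
#   2  containing directory is missing
#   3  containing directory is not owned by the current user
#   4  containing directory is accessible to group or others (not mode 700)
#   5  path is not a Unix-domain socket
#   6  socket itself is not owned by the current user
agent_socket_check() {
    sock=$1
    [ -n "$sock" ] || return 1
    dir=$(dirname "$sock")
    [ -d "$dir" ] || return 2
    [ -O "$dir" ] || return 3
    # Octal permission bits of the directory: GNU stat first,
    # BSD/macOS stat as the fallback.
    mode=$(stat -c %a "$dir" 2>/dev/null || stat -f %Lp "$dir" 2>/dev/null)
    [ "$mode" = "700" ] || return 4
    [ -S "$sock" ] || return 5
    [ -O "$sock" ] || return 6
    return 0
}

# Human-readable wrapper for a login script: reports the result of the
# check and, when the socket looks private, lists the keys the agent
# currently holds with ssh-add -l.
report_agent_socket() {
    rc=0
    agent_socket_check "${SSH_AUTH_SOCK:-}" || rc=$?
    case $rc in
        0) echo "agent socket ${SSH_AUTH_SOCK} looks private; identities held:"
           ssh-add -l ;;
        1) echo "no SSH_AUTH_SOCK in the environment: not running under ssh-agent" ;;
        4) echo "warning: $(dirname "$SSH_AUTH_SOCK") is accessible to others" ;;
        *) echo "agent socket check failed (code $rc)" ;;
    esac
    return $rc
}
```

Typical use is to put `start_agent_session` in the X or login start-up file and `report_agent_socket` in the shell's rc file, so that a missing or world-accessible socket is noticed before any key is added with ssh-add(1). The check does not protect against root or another process of the same user, which the manual page warns can use the socket regardless; it only catches a misconfigured or spoofed socket path.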
.Sh FILES
.Bl -tag -width Ds
.It Pa $HOME/.ssh/identity
Contains the RSA authentication identity of the user.
This file should not be readable by anyone but the user.
It is possible to specify a passphrase when generating the key; that
passphrase will be used to encrypt the private part of this file.
This file is not used by
.Nm
but is normally added to the agent using
.Xr ssh-add 1
at login time.
.It Pa /tmp/ssh-XXXX/agent.<pid>
Unix-domain sockets used to hold the connection to the authentication
agent.
These sockets should only be readable by the owner.
The sockets should be removed automatically when the agent exits.
.El
.Sh AUTHOR
Tatu Ylonen <ylo@cs.hut.fi>
.Pp
OpenSSH
is a derivative of the original (free) ssh 1.2.12 release, but with bugs
removed and newer features re-added.
Soon after the 1.2.12 release, newer versions bore successively more
restrictive licenses.
This version of OpenSSH
.Bl -bullet
.It
has all components of a restrictive nature (i.e. patents, see
.Xr ssl 8 )
directly removed from the source code; any licensed or patented components
are chosen from
external libraries.
.It
has been updated to support ssh protocol 1.5.
.It
contains added support for
.Xr kerberos 8
authentication and ticket passing.
.It
supports one-time password authentication with
.Xr skey 1 .
.El
.Pp
The libraries described in
.Xr ssl 8
are required for proper operation.
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
.Xr ssh-keygen 1 ,
.Xr sshd 8 ,
.Xr ssl 8