blob: 83b2b41c846cbbb6630ef99c227b3b618e7b1bcd [file] [log] [blame]
jmc@openbsd.org5d333132016-11-30 06:54:26 +00001.\" $OpenBSD: ssh-agent.1,v 1.64 2016/11/30 06:54:26 jmc Exp $
Damien Miller32aa1441999-10-29 09:15:49 +10002.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
Damien Miller32aa1441999-10-29 09:15:49 +10004.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\" All rights reserved
6.\"
Damien Millere4340be2000-09-16 13:29:08 +11007.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose. Any derived versions of this
9.\" software must be clearly marked as such, and if the derived work is
10.\" incompatible with the protocol description in the RFC file, it must be
11.\" called by a name other than "ssh" or "Secure Shell".
12.\"
Ben Lindstrom92a2e382001-03-05 06:59:27 +000013.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
14.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
15.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
Damien Millere4340be2000-09-16 13:29:08 +110016.\"
17.\" Redistribution and use in source and binary forms, with or without
18.\" modification, are permitted provided that the following conditions
19.\" are met:
20.\" 1. Redistributions of source code must retain the above copyright
21.\" notice, this list of conditions and the following disclaimer.
22.\" 2. Redistributions in binary form must reproduce the above copyright
23.\" notice, this list of conditions and the following disclaimer in the
24.\" documentation and/or other materials provided with the distribution.
25.\"
26.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Damien Miller32aa1441999-10-29 09:15:49 +100036.\"
djm@openbsd.org786d5992016-11-30 03:07:37 +000037.Dd $Mdocdate: November 30 2016 $
Damien Miller32aa1441999-10-29 09:15:49 +100038.Dt SSH-AGENT 1
39.Os
40.Sh NAME
41.Nm ssh-agent
42.Nd authentication agent
43.Sh SYNOPSIS
Damien Miller22c77262000-04-13 12:26:34 +100044.Nm ssh-agent
Damien Millerde735ea2010-09-10 11:12:38 +100045.Op Fl c | s
jmc@openbsd.org1a116702015-11-15 23:54:15 +000046.Op Fl \&Dd
Damien Miller5cbe7ca2007-09-17 16:05:50 +100047.Op Fl a Ar bind_address
djm@openbsd.org56d1c832014-12-21 22:27:55 +000048.Op Fl E Ar fingerprint_hash
djm@openbsd.org786d5992016-11-30 03:07:37 +000049.Op Fl P Ar pkcs11_whitelist
jmc@openbsd.org5d333132016-11-30 06:54:26 +000050.Op Fl t Ar life
Damien Miller5cbe7ca2007-09-17 16:05:50 +100051.Op Ar command Op Ar arg ...
Ben Lindstrom14920292000-11-21 21:24:55 +000052.Nm ssh-agent
Damien Millerde735ea2010-09-10 11:12:38 +100053.Op Fl c | s
Ben Lindstrom14920292000-11-21 21:24:55 +000054.Fl k
Damien Miller22c77262000-04-13 12:26:34 +100055.Sh DESCRIPTION
Damien Miller32aa1441999-10-29 09:15:49 +100056.Nm
Damien Millerad833b32000-08-23 10:46:23 +100057is a program to hold private keys used for public key authentication
sobrado@openbsd.orgf70b22b2014-08-30 15:33:50 +000058(RSA, DSA, ECDSA, Ed25519).
Damien Miller32aa1441999-10-29 09:15:49 +100059.Nm
Damien Miller8c492da2014-04-20 13:25:09 +100060is usually started in the beginning of an X-session or a login session, and
Damien Miller32aa1441999-10-29 09:15:49 +100061all other windows or programs are started as clients to the ssh-agent
Damien Miller450a7a12000-03-26 13:04:51 +100062program.
63Through use of environment variables the agent can be located
Damien Millerad833b32000-08-23 10:46:23 +100064and automatically used for authentication when logging in to other
Damien Miller32aa1441999-10-29 09:15:49 +100065machines using
66.Xr ssh 1 .
67.Pp
Damien Miller8c492da2014-04-20 13:25:09 +100068The agent initially does not have any private keys.
69Keys are added using
jcs@openbsd.orgf361df42015-11-15 22:26:49 +000070.Xr ssh 1
71(see
72.Cm AddKeysToAgent
73in
74.Xr ssh_config 5
75for details)
76or
Damien Miller8c492da2014-04-20 13:25:09 +100077.Xr ssh-add 1 .
78Multiple identities may be stored in
79.Nm
80concurrently and
81.Xr ssh 1
82will automatically use them if present.
83.Xr ssh-add 1
84is also used to remove keys from
85.Nm
86and to query the keys that are held in one.
87.Pp
Damien Miller32aa1441999-10-29 09:15:49 +100088The options are as follows:
89.Bl -tag -width Ds
Ben Lindstromb7788f32002-06-06 21:46:08 +000090.It Fl a Ar bind_address
Darren Tuckerae69e1d2009-10-24 11:41:34 +110091Bind the agent to the
Darren Tucker98c9aec2009-10-24 11:42:44 +110092.Ux Ns -domain
93socket
Ben Lindstromb7788f32002-06-06 21:46:08 +000094.Ar bind_address .
95The default is
Damien Miller2cd62932010-12-01 11:50:35 +110096.Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt .
Damien Miller32aa1441999-10-29 09:15:49 +100097.It Fl c
98Generate C-shell commands on
99.Dv stdout .
100This is the default if
101.Ev SHELL
102looks like it's a csh style of shell.
djm@openbsd.org2ea97462015-04-24 05:26:44 +0000103.It Fl D
104Foreground mode.
105When this option is specified
106.Nm
107will not fork.
Damien Miller5cbe7ca2007-09-17 16:05:50 +1000108.It Fl d
109Debug mode.
110When this option is specified
111.Nm
djm@openbsd.org2ea97462015-04-24 05:26:44 +0000112will not fork and will write debug information to standard error.
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000113.It Fl E Ar fingerprint_hash
114Specifies the hash algorithm used when displaying key fingerprints.
115Valid options are:
116.Dq md5
117and
118.Dq sha256 .
119The default is
120.Dq sha256 .
Damien Miller5cbe7ca2007-09-17 16:05:50 +1000121.It Fl k
122Kill the current agent (given by the
123.Ev SSH_AGENT_PID
124environment variable).
jmc@openbsd.org5d333132016-11-30 06:54:26 +0000125.It Fl P Ar pkcs11_whitelist
djm@openbsd.org786d5992016-11-30 03:07:37 +0000126Specify a pattern-list of acceptable paths for PKCS#11 shared libraries
127that may be added using the
128.Fl s
129option to
130.Xr ssh-add 1 .
131The default is to allow loading PKCS#11 libraries from
132.Dq /usr/lib/*,/usr/local/lib/* .
133PKCS#11 libraries that do not match the whitelist will be refused.
134See PATTERNS in
135.Xr ssh_config 5
136for a description of pattern-list syntax.
Damien Miller32aa1441999-10-29 09:15:49 +1000137.It Fl s
138Generate Bourne shell commands on
139.Dv stdout .
140This is the default if
141.Ev SHELL
142does not look like it's a csh style of shell.
Damien Miller53d81482003-01-22 11:47:19 +1100143.It Fl t Ar life
Damien Miller495dca32003-04-01 21:42:14 +1000144Set a default value for the maximum lifetime of identities added to the agent.
Damien Miller53d81482003-01-22 11:47:19 +1100145The lifetime may be specified in seconds or in a time format specified in
Darren Tucker3a4634f2005-11-28 17:05:40 +1100146.Xr sshd_config 5 .
Damien Miller53d81482003-01-22 11:47:19 +1100147A lifetime specified for an identity with
148.Xr ssh-add 1
149overrides this value.
150Without this option the default maximum lifetime is forever.
Damien Miller32aa1441999-10-29 09:15:49 +1000151.El
152.Pp
jmc@openbsd.org8b290082015-11-05 09:48:05 +0000153If a command line is given, this is executed as a subprocess of the agent.
Damien Miller32aa1441999-10-29 09:15:49 +1000154When the command dies, so does the agent.
155.Pp
Damien Miller32aa1441999-10-29 09:15:49 +1000156The idea is that the agent is run in the user's local PC, laptop, or
Damien Miller450a7a12000-03-26 13:04:51 +1000157terminal.
158Authentication data need not be stored on any other
Damien Miller32aa1441999-10-29 09:15:49 +1000159machine, and authentication passphrases never go over the network.
160However, the connection to the agent is forwarded over SSH
161remote logins, and the user can thus use the privileges given by the
162identities anywhere in the network in a secure way.
163.Pp
Damien Millerabbae982003-05-15 10:16:21 +1000164There are two main ways to get an agent set up:
Darren Tuckera86b4532004-05-13 16:45:46 +1000165The first is that the agent starts a new subcommand into which some environment
166variables are exported, eg
167.Cm ssh-agent xterm & .
168The second is that the agent prints the needed shell commands (either
Damien Miller32aa1441999-10-29 09:15:49 +1000169.Xr sh 1
170or
171.Xr csh 1
Darren Tucker5837b512009-06-21 17:52:27 +1000172syntax can be generated) which can be evaluated in the calling shell, eg
Darren Tuckera86b4532004-05-13 16:45:46 +1000173.Cm eval `ssh-agent -s`
174for Bourne-type shells such as
175.Xr sh 1
176or
177.Xr ksh 1
178and
Darren Tuckerfc959702004-07-17 16:12:08 +1000179.Cm eval `ssh-agent -c`
Darren Tuckera86b4532004-05-13 16:45:46 +1000180for
181.Xr csh 1
182and derivatives.
183.Pp
Damien Miller32aa1441999-10-29 09:15:49 +1000184Later
185.Xr ssh 1
Ben Lindstrom0d3e8fa2001-04-04 01:51:25 +0000186looks at these variables and uses them to establish a connection to the agent.
Damien Miller32aa1441999-10-29 09:15:49 +1000187.Pp
Ben Lindstrom11f790b2001-12-06 16:37:51 +0000188The agent will never send a private key over its request channel.
189Instead, operations that require a private key will be performed
190by the agent, and the result will be returned to the requester.
191This way, private keys are not exposed to clients using the agent.
192.Pp
Darren Tuckerae69e1d2009-10-24 11:41:34 +1100193A
Darren Tucker98c9aec2009-10-24 11:42:44 +1100194.Ux Ns -domain
195socket is created and the name of this socket is stored in the
Damien Miller32aa1441999-10-29 09:15:49 +1000196.Ev SSH_AUTH_SOCK
197environment
Damien Miller450a7a12000-03-26 13:04:51 +1000198variable.
199The socket is made accessible only to the current user.
Damien Miller32aa1441999-10-29 09:15:49 +1000200This method is easily abused by root or another instance of the same
201user.
202.Pp
203The
204.Ev SSH_AGENT_PID
Ben Lindstrom959de992002-06-23 00:35:25 +0000205environment variable holds the agent's process ID.
Damien Miller32aa1441999-10-29 09:15:49 +1000206.Pp
207The agent exits automatically when the command given on the command
208line terminates.
Damien Miller32aa1441999-10-29 09:15:49 +1000209.Sh FILES
210.Bl -tag -width Ds
jmc@openbsd.org5d333132016-11-30 06:54:26 +0000211.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>
Darren Tucker98c9aec2009-10-24 11:42:44 +1100212.Ux Ns -domain
213sockets used to contain the connection to the authentication agent.
Damien Miller450a7a12000-03-26 13:04:51 +1000214These sockets should only be readable by the owner.
215The sockets should get automatically removed when the agent exits.
Damien Miller37023962000-07-11 17:31:38 +1000216.El
Damien Millerf1ce5052003-06-11 22:04:39 +1000217.Sh SEE ALSO
218.Xr ssh 1 ,
219.Xr ssh-add 1 ,
220.Xr ssh-keygen 1 ,
221.Xr sshd 8
Damien Miller0bc1bd82000-11-13 22:57:25 +1100222.Sh AUTHORS
jmc@openbsd.org5d333132016-11-30 06:54:26 +0000223.An -nosplit
224OpenSSH is a derivative of the original and free ssh 1.2.12 release by
225.An Tatu Ylonen .
226.An Aaron Campbell , Bob Beck , Markus Friedl , Niels Provos , Theo de Raadt
227and
228.An Dug Song
229removed many bugs, re-added newer features and created OpenSSH.
230.An Markus Friedl
231contributed the support for SSH protocol versions 1.5 and 2.0.