Damien Miller | e247cc4 | 2000-05-07 12:03:14 +1000 | [diff] [blame] | 1 | .\" $OpenBSD: ssh-agent.1,v 1.12 2000/05/03 18:04:39 markus Exp $ |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 2 | .\" |
| 3 | .\" -*- nroff -*- |
| 4 | .\" |
| 5 | .\" ssh-agent.1 |
| 6 | .\" |
| 7 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
Damien Miller | 10f6f6b | 1999-11-17 17:29:08 +1100 | [diff] [blame] | 8 | .\" |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 9 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 10 | .\" All rights reserved |
| 11 | .\" |
| 12 | .\" Created: Sat Apr 23 20:10:43 1995 ylo |
| 13 | .\" |
| 14 | .Dd September 25, 1999 |
| 15 | .Dt SSH-AGENT 1 |
| 16 | .Os |
| 17 | .Sh NAME |
| 18 | .Nm ssh-agent |
| 19 | .Nd authentication agent |
| 20 | .Sh SYNOPSIS |
Damien Miller | 22c7726 | 2000-04-13 12:26:34 +1000 | [diff] [blame] | 21 | .Nm ssh-agent |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 22 | .Op Fl c Li | Fl s |
| 23 | .Op Fl k |
| 24 | .Oo |
| 25 | .Ar command |
| 26 | .Op Ar args ... |
| 27 | .Oc |
Damien Miller | 22c7726 | 2000-04-13 12:26:34 +1000 | [diff] [blame] | 28 | .Sh DESCRIPTION |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 29 | .Nm |
Damien Miller | e247cc4 | 2000-05-07 12:03:14 +1000 | [diff] [blame] | 30 | is a program to hold private keys used for RSA authentication. |
Damien Miller | 450a7a1 | 2000-03-26 13:04:51 +1000 | [diff] [blame] | 31 | The idea is that |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 32 | .Nm |
| 33 | is started in the beginning of an X-session or a login session, and |
| 34 | all other windows or programs are started as clients to the ssh-agent |
Damien Miller | 450a7a1 | 2000-03-26 13:04:51 +1000 | [diff] [blame] | 35 | program. |
| 36 | Through use of environment variables the agent can be located |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 37 | and automatically used for RSA authentication when logging in to other |
| 38 | machines using |
| 39 | .Xr ssh 1 . |
| 40 | .Pp |
| 41 | The options are as follows: |
| 42 | .Bl -tag -width Ds |
| 43 | .It Fl c |
| 44 | Generate C-shell commands on |
| 45 | .Dv stdout . |
| 46 | This is the default if |
| 47 | .Ev SHELL |
| 48 | looks like it's a csh style of shell. |
| 49 | .It Fl s |
| 50 | Generate Bourne shell commands on |
| 51 | .Dv stdout . |
| 52 | This is the default if |
| 53 | .Ev SHELL |
| 54 | does not look like it's a csh style of shell. |
| 55 | .It Fl k |
| 56 | Kill the current agent (given by the |
| 57 | .Ev SSH_AGENT_PID |
| 58 | environment variable). |
| 59 | .El |
| 60 | .Pp |
| 61 | If a commandline is given, this is executed as a subprocess of the agent. |
| 62 | When the command dies, so does the agent. |
| 63 | .Pp |
Damien Miller | 450a7a1 | 2000-03-26 13:04:51 +1000 | [diff] [blame] | 64 | The agent initially does not have any private keys. |
| 65 | Keys are added using |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 66 | .Xr ssh-add 1 . |
Damien Miller | 22c7726 | 2000-04-13 12:26:34 +1000 | [diff] [blame] | 67 | When executed without arguments, |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 68 | .Xr ssh-add 1 |
Damien Miller | 22c7726 | 2000-04-13 12:26:34 +1000 | [diff] [blame] | 69 | adds the |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 70 | .Pa $HOME/.ssh/identity |
Damien Miller | 450a7a1 | 2000-03-26 13:04:51 +1000 | [diff] [blame] | 71 | file. |
Damien Miller | 22c7726 | 2000-04-13 12:26:34 +1000 | [diff] [blame] | 72 | If the identity has a passphrase, |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 73 | .Xr ssh-add 1 |
| 74 | asks for the passphrase (using a small X11 application if running |
Damien Miller | 450a7a1 | 2000-03-26 13:04:51 +1000 | [diff] [blame] | 75 | under X11, or from the terminal if running without X). |
| 76 | It then sends the identity to the agent. |
| 77 | Several identities can be stored in the |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 78 | agent; the agent can automatically use any of these identities. |
| 79 | .Ic ssh-add -l |
| 80 | displays the identities currently held by the agent. |
| 81 | .Pp |
| 82 | The idea is that the agent is run in the user's local PC, laptop, or |
Damien Miller | 450a7a1 | 2000-03-26 13:04:51 +1000 | [diff] [blame] | 83 | terminal. |
| 84 | Authentication data need not be stored on any other |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 85 | machine, and authentication passphrases never go over the network. |
| 86 | However, the connection to the agent is forwarded over SSH |
| 87 | remote logins, and the user can thus use the privileges given by the |
| 88 | identities anywhere in the network in a secure way. |
| 89 | .Pp |
Damien Miller | 450a7a1 | 2000-03-26 13:04:51 +1000 | [diff] [blame] | 90 | There are two main ways to get an agent setup: |
| 91 | Either you let the agent |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 92 | start a new subcommand into which some environment variables are exported, or |
| 93 | you let the agent print the needed shell commands (either |
| 94 | .Xr sh 1 |
| 95 | or |
| 96 | .Xr csh 1 |
| 97 | syntax can be generated) which can be evalled in the calling shell. |
| 98 | Later |
| 99 | .Xr ssh 1 |
| 100 | look at these variables and use them to establish a connection to the agent. |
| 101 | .Pp |
| 102 | A unix-domain socket is created |
| 103 | .Pq Pa /tmp/ssh-XXXXXXXX/agent.<pid> , |
| 104 | and the name of this socket is stored in the |
| 105 | .Ev SSH_AUTH_SOCK |
| 106 | environment |
Damien Miller | 450a7a1 | 2000-03-26 13:04:51 +1000 | [diff] [blame] | 107 | variable. |
| 108 | The socket is made accessible only to the current user. |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 109 | This method is easily abused by root or another instance of the same |
| 110 | user. |
| 111 | .Pp |
| 112 | The |
| 113 | .Ev SSH_AGENT_PID |
| 114 | environment variable holds the agent's PID. |
| 115 | .Pp |
| 116 | The agent exits automatically when the command given on the command |
| 117 | line terminates. |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 118 | .Sh FILES |
| 119 | .Bl -tag -width Ds |
| 120 | .It Pa $HOME/.ssh/identity |
Damien Miller | 450a7a1 | 2000-03-26 13:04:51 +1000 | [diff] [blame] | 121 | Contains the RSA authentication identity of the user. |
| 122 | This file should not be readable by anyone but the user. |
| 123 | It is possible to |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 124 | specify a passphrase when generating the key; that passphrase will be |
Damien Miller | 450a7a1 | 2000-03-26 13:04:51 +1000 | [diff] [blame] | 125 | used to encrypt the private part of this file. |
| 126 | This file is not used by |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 127 | .Nm |
| 128 | but is normally added to the agent using |
| 129 | .Xr ssh-add 1 |
| 130 | at login time. |
| 131 | .It Pa /tmp/ssh-XXXX/agent.<pid> , |
| 132 | Unix-domain sockets used to contain the connection to the |
Damien Miller | 450a7a1 | 2000-03-26 13:04:51 +1000 | [diff] [blame] | 133 | authentication agent. |
| 134 | These sockets should only be readable by the owner. |
| 135 | The sockets should get automatically removed when the agent exits. |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 136 | .Sh AUTHOR |
| 137 | Tatu Ylonen <ylo@cs.hut.fi> |
| 138 | .Pp |
| 139 | OpenSSH |
| 140 | is a derivative of the original (free) ssh 1.2.12 release, but with bugs |
Damien Miller | 450a7a1 | 2000-03-26 13:04:51 +1000 | [diff] [blame] | 141 | removed and newer features re-added. |
| 142 | Rapidly after the 1.2.12 release, |
| 143 | newer versions bore successively more restrictive licenses. |
| 144 | This version of OpenSSH |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 145 | .Bl -bullet |
| 146 | .It |
Damien Miller | cfabe86 | 2000-04-20 23:27:27 +1000 | [diff] [blame] | 147 | has all components of a restrictive nature (i.e., patents) |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 148 | directly removed from the source code; any licensed or patented components |
| 149 | are chosen from |
| 150 | external libraries. |
| 151 | .It |
| 152 | has been updated to support ssh protocol 1.5. |
| 153 | .It |
Damien Miller | 22c7726 | 2000-04-13 12:26:34 +1000 | [diff] [blame] | 154 | contains added support for |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 155 | .Xr kerberos 8 |
| 156 | authentication and ticket passing. |
| 157 | .It |
| 158 | supports one-time password authentication with |
| 159 | .Xr skey 1 . |
| 160 | .El |
| 161 | .Pp |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 162 | .Sh SEE ALSO |
| 163 | .Xr ssh 1 , |
| 164 | .Xr ssh-add 1 , |
| 165 | .Xr ssh-keygen 1 , |
| 166 | .Xr sshd 8 , |