Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1 | .\" $OpenBSD: ssh-agent.1,v 1.57 2014/12/21 22:27:56 djm Exp $ |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2 | .\" |
| 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 5 | .\" All rights reserved |
| 6 | .\" |
| 7 | .\" As far as I am concerned, the code I have written for this software |
| 8 | .\" can be used freely for any purpose. Any derived versions of this |
| 9 | .\" software must be clearly marked as such, and if the derived work is |
| 10 | .\" incompatible with the protocol description in the RFC file, it must be |
| 11 | .\" called by a name other than "ssh" or "Secure Shell". |
| 12 | .\" |
| 13 | .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. |
| 14 | .\" Copyright (c) 1999 Aaron Campbell. All rights reserved. |
| 15 | .\" Copyright (c) 1999 Theo de Raadt. All rights reserved. |
| 16 | .\" |
| 17 | .\" Redistribution and use in source and binary forms, with or without |
| 18 | .\" modification, are permitted provided that the following conditions |
| 19 | .\" are met: |
| 20 | .\" 1. Redistributions of source code must retain the above copyright |
| 21 | .\" notice, this list of conditions and the following disclaimer. |
| 22 | .\" 2. Redistributions in binary form must reproduce the above copyright |
| 23 | .\" notice, this list of conditions and the following disclaimer in the |
| 24 | .\" documentation and/or other materials provided with the distribution. |
| 25 | .\" |
| 26 | .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
| 27 | .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
| 28 | .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
| 29 | .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
| 30 | .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
| 31 | .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
| 32 | .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
| 33 | .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 36 | .\" |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 37 | .Dd $Mdocdate: December 21 2014 $ |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 38 | .Dt SSH-AGENT 1 |
| 39 | .Os |
| 40 | .Sh NAME |
| 41 | .Nm ssh-agent |
| 42 | .Nd authentication agent |
| 43 | .Sh SYNOPSIS |
| 44 | .Nm ssh-agent |
| 45 | .Op Fl c | s |
| 46 | .Op Fl d |
| 47 | .Op Fl a Ar bind_address |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 48 | .Op Fl E Ar fingerprint_hash |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 49 | .Op Fl t Ar life |
| 50 | .Op Ar command Op Ar arg ... |
| 51 | .Nm ssh-agent |
| 52 | .Op Fl c | s |
| 53 | .Fl k |
| 54 | .Sh DESCRIPTION |
| 55 | .Nm |
| 56 | is a program to hold private keys used for public key authentication |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 57 | (RSA, DSA, ECDSA, Ed25519). |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 58 | .Nm |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 59 | is usually started in the beginning of an X-session or a login session, and |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 60 | all other windows or programs are started as clients to the ssh-agent |
| 61 | program. |
| 62 | Through use of environment variables the agent can be located |
| 63 | and automatically used for authentication when logging in to other |
| 64 | machines using |
| 65 | .Xr ssh 1 . |
| 66 | .Pp |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 67 | The agent initially does not have any private keys. |
| 68 | Keys are added using |
| 69 | .Xr ssh-add 1 . |
| 70 | Multiple identities may be stored in |
| 71 | .Nm |
| 72 | concurrently and |
| 73 | .Xr ssh 1 |
| 74 | will automatically use them if present. |
| 75 | .Xr ssh-add 1 |
| 76 | is also used to remove keys from |
| 77 | .Nm |
| 78 | and to query the keys that are held in one. |
| 79 | .Pp |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 80 | The options are as follows: |
| 81 | .Bl -tag -width Ds |
| 82 | .It Fl a Ar bind_address |
| 83 | Bind the agent to the |
| 84 | .Ux Ns -domain |
| 85 | socket |
| 86 | .Ar bind_address . |
| 87 | The default is |
| 88 | .Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt . |
| 89 | .It Fl c |
| 90 | Generate C-shell commands on |
| 91 | .Dv stdout . |
| 92 | This is the default if |
| 93 | .Ev SHELL |
| 94 | looks like it's a csh style of shell. |
| 95 | .It Fl d |
| 96 | Debug mode. |
| 97 | When this option is specified |
| 98 | .Nm |
| 99 | will not fork. |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 100 | .It Fl E Ar fingerprint_hash |
| 101 | Specifies the hash algorithm used when displaying key fingerprints. |
| 102 | Valid options are: |
| 103 | .Dq md5 |
| 104 | and |
| 105 | .Dq sha256 . |
| 106 | The default is |
| 107 | .Dq sha256 . |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 108 | .It Fl k |
| 109 | Kill the current agent (given by the |
| 110 | .Ev SSH_AGENT_PID |
| 111 | environment variable). |
| 112 | .It Fl s |
| 113 | Generate Bourne shell commands on |
| 114 | .Dv stdout . |
| 115 | This is the default if |
| 116 | .Ev SHELL |
| 117 | does not look like it's a csh style of shell. |
| 118 | .It Fl t Ar life |
| 119 | Set a default value for the maximum lifetime of identities added to the agent. |
| 120 | The lifetime may be specified in seconds or in a time format specified in |
| 121 | .Xr sshd_config 5 . |
| 122 | A lifetime specified for an identity with |
| 123 | .Xr ssh-add 1 |
| 124 | overrides this value. |
| 125 | Without this option the default maximum lifetime is forever. |
| 126 | .El |
| 127 | .Pp |
| 128 | If a commandline is given, this is executed as a subprocess of the agent. |
| 129 | When the command dies, so does the agent. |
| 130 | .Pp |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 131 | The idea is that the agent is run in the user's local PC, laptop, or |
| 132 | terminal. |
| 133 | Authentication data need not be stored on any other |
| 134 | machine, and authentication passphrases never go over the network. |
| 135 | However, the connection to the agent is forwarded over SSH |
| 136 | remote logins, and the user can thus use the privileges given by the |
| 137 | identities anywhere in the network in a secure way. |
| 138 | .Pp |
| 139 | There are two main ways to get an agent set up: |
| 140 | The first is that the agent starts a new subcommand into which some environment |
| 141 | variables are exported, eg |
| 142 | .Cm ssh-agent xterm & . |
| 143 | The second is that the agent prints the needed shell commands (either |
| 144 | .Xr sh 1 |
| 145 | or |
| 146 | .Xr csh 1 |
| 147 | syntax can be generated) which can be evaluated in the calling shell, eg |
| 148 | .Cm eval `ssh-agent -s` |
| 149 | for Bourne-type shells such as |
| 150 | .Xr sh 1 |
| 151 | or |
| 152 | .Xr ksh 1 |
| 153 | and |
| 154 | .Cm eval `ssh-agent -c` |
| 155 | for |
| 156 | .Xr csh 1 |
| 157 | and derivatives. |
| 158 | .Pp |
| 159 | Later |
| 160 | .Xr ssh 1 |
| 161 | looks at these variables and uses them to establish a connection to the agent. |
| 162 | .Pp |
| 163 | The agent will never send a private key over its request channel. |
| 164 | Instead, operations that require a private key will be performed |
| 165 | by the agent, and the result will be returned to the requester. |
| 166 | This way, private keys are not exposed to clients using the agent. |
| 167 | .Pp |
| 168 | A |
| 169 | .Ux Ns -domain |
| 170 | socket is created and the name of this socket is stored in the |
| 171 | .Ev SSH_AUTH_SOCK |
| 172 | environment |
| 173 | variable. |
| 174 | The socket is made accessible only to the current user. |
| 175 | This method is easily abused by root or another instance of the same |
| 176 | user. |
| 177 | .Pp |
| 178 | The |
| 179 | .Ev SSH_AGENT_PID |
| 180 | environment variable holds the agent's process ID. |
| 181 | .Pp |
| 182 | The agent exits automatically when the command given on the command |
| 183 | line terminates. |
| 184 | .Sh FILES |
| 185 | .Bl -tag -width Ds |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 186 | .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt |
| 187 | .Ux Ns -domain |
| 188 | sockets used to contain the connection to the authentication agent. |
| 189 | These sockets should only be readable by the owner. |
| 190 | The sockets should get automatically removed when the agent exits. |
| 191 | .El |
| 192 | .Sh SEE ALSO |
| 193 | .Xr ssh 1 , |
| 194 | .Xr ssh-add 1 , |
| 195 | .Xr ssh-keygen 1 , |
| 196 | .Xr sshd 8 |
| 197 | .Sh AUTHORS |
| 198 | OpenSSH is a derivative of the original and free |
| 199 | ssh 1.2.12 release by Tatu Ylonen. |
| 200 | Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, |
| 201 | Theo de Raadt and Dug Song |
| 202 | removed many bugs, re-added newer features and |
| 203 | created OpenSSH. |
| 204 | Markus Friedl contributed the support for SSH |
| 205 | protocol versions 1.5 and 2.0. |