ssh-agent [-a bind_address] [-c | -s] [-t life] [-d] [com-
mand [args ...]]
ssh-agent [-c | -s] -k
DESCRIPTION
ssh-agent is a program to hold private keys used for public
key authenti-
cation (RSA, DSA). The idea is that ssh-agent is started in
the begin-
ning of an X-session or a login session, and all other win-
dows or pro-
grams are started as clients to the ssh-agent program.
Through use of
environment variables the agent can be located and automati-
cally used for
authentication when logging in to other machines using
ssh(1).
The options are as follows:
-a bind_address
Bind the agent to the unix-domain socket bind_ad-
dress. The de-
fault is /tmp/ssh-XXXXXXXX/agent.<ppid>.
-c Generate C-shell commands on stdout. This is the
default if
SHELL looks like it's a csh style of shell.
-s Generate Bourne shell commands on stdout. This is
the default if
SHELL does not look like it's a csh style of shell.
-k Kill the current agent (given by the SSH_AGENT_PID
environment
variable).
-t life
Set a default value for the maximum lifetime of
identities added
to the agent. The lifetime may be specified in sec-
onds or in a
time format specified in sshd(8). A lifetime speci-
fied for an
identity with ssh-add(1) overrides this value.
Without this op-
tion the default maximum lifetime is forever.
-d Debug mode. When this option is specified ssh-agent
will not
fork.
It then sends the identity to the agent. Several identities
can be
stored in the agent; the agent can automatically use any of
these identi-
ties. ssh-add -l displays the identities currently held by
the agent.
The idea is that the agent is run in the user's local PC,
laptop, or ter-
minal. Authentication data need not be stored on any other
machine, and
authentication passphrases never go over the network. How-
ever, the con-
nection to the agent is forwarded over SSH remote logins,
and the user
can thus use the privileges given by the identities anywhere
in the net-
work in a secure way.
There are two main ways to get an agent set up: The first is
that the
agent starts a new subcommand into which some environment
variables are
exported, eg ssh-agent xterm &. The second is that the
agent prints the
needed shell commands (either sh(1) or csh(1) syntax can be
generated)
which can be evalled in the calling shell, eg eval `ssh-
agent -s` for
Bourne-type shells such as sh(1) or ksh(1) and eval `ssh-
agent -c` for
csh(1) and derivatives.
Later ssh(1) looks at these variables and uses them to es-
tablish a con-
nection to the agent.
The agent will never send a private key over its request
channel. In-
stead, operations that require a private key will be per-
formed by the
agent, and the result will be returned to the requester.
This way, pri-
vate keys are not exposed to clients using the agent.
A unix-domain socket is created and the name of this socket
is stored in
the SSH_AUTH_SOCK environment variable. The socket is made
accessible
only to the current user. This method is easily abused by
root or anoth-
er instance of the same user.
~/.ssh/id_dsa
Contains the protocol version 2 DSA authentication
identity of
the user.
~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication
identity of
the user.
/tmp/ssh-XXXXXXXX/agent.<ppid>
Unix-domain sockets used to contain the connection
to the authen-
tication agent. These sockets should only be read-
able by the
owner. The sockets should get automatically removed
when the
agent exits.
SEE ALSO
ssh(1), ssh-add(1), ssh-keygen(1), sshd(8)
AUTHORS
OpenSSH is a derivative of the original and free ssh 1.2.12
release by
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels
Provos, Theo
de Raadt and Dug Song removed many bugs, re-added newer fea-
tures and cre-
ated OpenSSH. Markus Friedl contributed the support for SSH
protocol
versions 1.5 and 2.0.
OpenBSD 3.8 September 25, 1999
2
Man(1) output converted with man2html