Yolinux.com

ssh-agent manpage

Search topic Section
Get manual page for the search topic
List all commands matching the search topic
List all topics in the manpage index

SSH-AGENT(1)		  BSD General Commands Manual		  SSH-AGENT(1)

NAME
     ssh-agent - authentication agent

SYNOPSIS
     ssh-agent [-a bind_address] [-c | -s] [-t life] [-d] [command [args ...]]
     ssh-agent [-c | -s] -k

DESCRIPTION
     ssh-agent is a program to hold private keys used for public key authenti-
     cation (RSA, DSA).	 The idea is that ssh-agent is started in the begin-
     ning of an X-session or a login session, and all other windows or pro-
     grams are started as clients to the ssh-agent program.  Through use of
     environment variables the agent can be located and automatically used for
     authentication when logging in to other machines using ssh(1).

     The options are as follows:

     -a bind_address
	     Bind the agent to the unix-domain socket bind_address.  The
	     default is /tmp/ssh-XXXXXXXXXX/agent.<ppid>.

     -c	     Generate C-shell commands on stdout.  This is the default if
	     SHELL looks like it's a csh style of shell.

     -s	     Generate Bourne shell commands on stdout.	This is the default if
	     SHELL does not look like it's a csh style of shell.

     -k	     Kill the current agent (given by the SSH_AGENT_PID environment
	     variable).

     -t life
	     Set a default value for the maximum lifetime of identities added
	     to the agent.  The lifetime may be specified in seconds or in a
	     time format specified in sshd_config(5).  A lifetime specified
	     for an identity with ssh-add(1) overrides this value.  Without
	     this option the default maximum lifetime is forever.

     -d	     Debug mode.  When this option is specified ssh-agent will not
	     fork.

     If a commandline is given, this is executed as a subprocess of the agent.
     When the command dies, so does the agent.

     The agent initially does not have any private keys.  Keys are added using
     ssh-add(1).  When executed without arguments, ssh-add(1) adds the files
     ~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity.	If the identity has a
     passphrase, ssh-add(1) asks for the passphrase (using a small X11 appli-
     cation if running under X11, or from the terminal if running without X).
     It then sends the identity to the agent.  Several identities can be
     stored in the agent; the agent can automatically use any of these identi-
     ties.  ssh-add -l displays the identities currently held by the agent.

     The idea is that the agent is run in the user's local PC, laptop, or ter-
     minal.  Authentication data need not be stored on any other machine, and
     authentication passphrases never go over the network.  However, the con-
     nection to the agent is forwarded over SSH remote logins, and the user
     can thus use the privileges given by the identities anywhere in the net-
     work in a secure way.

     There are two main ways to get an agent set up: The first is that the
     agent starts a new subcommand into which some environment variables are
     exported, eg ssh-agent xterm &.  The second is that the agent prints the
     needed shell commands (either sh(1) or csh(1) syntax can be generated)
     which can be evalled in the calling shell, eg eval 'ssh-agent -s' for
     Bourne-type shells such as sh(1) or ksh(1) and eval 'ssh-agent -c' for
     csh(1) and derivatives.

     Later ssh(1) looks at these variables and uses them to establish a con-
     nection to the agent.

     The agent will never send a private key over its request channel.
     Instead, operations that require a private key will be performed by the
     agent, and the result will be returned to the requester.  This way, pri-
     vate keys are not exposed to clients using the agent.

     A unix-domain socket is created and the name of this socket is stored in
     the SSH_AUTH_SOCK environment variable.  The socket is made accessible
     only to the current user.	This method is easily abused by root or
     another instance of the same user.

     The SSH_AGENT_PID environment variable holds the agent's process ID.

     The agent exits automatically when the command given on the command line
     terminates.

FILES
     ~/.ssh/identity
	     Contains the protocol version 1 RSA authentication identity of
	     the user.

     ~/.ssh/id_dsa
	     Contains the protocol version 2 DSA authentication identity of
	     the user.

     ~/.ssh/id_rsa
	     Contains the protocol version 2 RSA authentication identity of
	     the user.

     /tmp/ssh-XXXXXXXXXX/agent.<ppid>
	     Unix-domain sockets used to contain the connection to the authen-
	     tication agent.  These sockets should only be readable by the
	     owner.  The sockets should get automatically removed when the
	     agent exits.

ENVIRONMENT
     SSH_USE_STRONG_RNG
	     The reseeding of the OpenSSL random generator is usually done
	     from /dev/urandom.	 If the SSH_USE_STRONG_RNG environment vari-
	     able is set to value other than 0 the OpenSSL random generator is
	     reseeded from /dev/random.	 The number of bytes read is defined
	     by the SSH_USE_STRONG_RNG value.  Minimum is 6 bytes.  This set-
	     ting is not recommended on the computers without the hardware
	     random generator because insufficient entropy causes the connec-
	     tion to be blocked until enough entropy is available.

SEE ALSO
     ssh(1), ssh-add(1), ssh-keygen(1), sshd(8)

AUTHORS
     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
     Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
     de Raadt and Dug Song removed many bugs, re-added newer features and cre-
     ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.

BSD			      September 25, 1999			   BSD
YoLinux.com Home Page
YoLinux Tutorial Index
Privacy Policy | Advertise with us | Feedback Form |
Unauthorized copying or redistribution prohibited.
    Bookmark and Share