NOTE: click here if you get an empty page.


SSH-AGENT(1)		  BSD General Commands Manual		  SSH-AGENT(1)

NAME

ssh-agent - authentication agent

SYNOPSIS

ssh-agent [-a bind_address] [-c | -s] [-t life] [-d] [command [args ...]] ssh-agent [-c | -s] -k

DESCRIPTION

ssh-agent is a program to hold private keys used for public key authenti- cation (RSA, DSA). The idea is that ssh-agent is started in the begin- ning of an X-session or a login session, and all other windows or pro- grams are started as clients to the ssh-agent program. Through use of environment variables the agent can be located and automatically used for authentication when logging in to other machines using ssh(1). The options are as follows: -a bind_address Bind the agent to the unix-domain socket bind_address. The default is /tmp/ssh-XXXXXXXXXX/agent.<ppid>. -c Generate C-shell commands on stdout. This is the default if SHELL looks like it's a csh style of shell. -s Generate Bourne shell commands on stdout. This is the default if SHELL does not look like it's a csh style of shell. -k Kill the current agent (given by the SSH_AGENT_PID environment variable). -t life Set a default value for the maximum lifetime of identities added to the agent. The lifetime may be specified in seconds or in a time format specified in sshd_config(5). A lifetime specified for an identity with ssh-add(1) overrides this value. Without this option the default maximum lifetime is forever. -d Debug mode. When this option is specified ssh-agent will not fork. If a commandline is given, this is executed as a subprocess of the agent. When the command dies, so does the agent. The agent initially does not have any private keys. Keys are added using ssh-add(1). When executed without arguments, ssh-add(1) adds the files ~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity. If the identity has a passphrase, ssh-add(1) asks for the passphrase (using a small X11 appli- cation if running under X11, or from the terminal if running without X). It then sends the identity to the agent. Several identities can be stored in the agent; the agent can automatically use any of these identi- ties. ssh-add -l displays the identities currently held by the agent. The idea is that the agent is run in the user's local PC, laptop, or ter- minal. Authentication data need not be stored on any other machine, and authentication passphrases never go over the network. However, the con- nection to the agent is forwarded over SSH remote logins, and the user can thus use the privileges given by the identities anywhere in the net- work in a secure way. There are two main ways to get an agent set up: The first is that the agent starts a new subcommand into which some environment variables are exported, eg ssh-agent xterm &. The second is that the agent prints the needed shell commands (either sh(1) or csh(1) syntax can be generated) which can be evalled in the calling shell, eg eval 'ssh-agent -s' for Bourne-type shells such as sh(1) or ksh(1) and eval 'ssh-agent -c' for csh(1) and derivatives. Later ssh(1) looks at these variables and uses them to establish a con- nection to the agent. The agent will never send a private key over its request channel. Instead, operations that require a private key will be performed by the agent, and the result will be returned to the requester. This way, pri- vate keys are not exposed to clients using the agent. A unix-domain socket is created and the name of this socket is stored in the SSH_AUTH_SOCK environment variable. The socket is made accessible only to the current user. This method is easily abused by root or another instance of the same user. The SSH_AGENT_PID environment variable holds the agent's process ID. The agent exits automatically when the command given on the command line terminates.

FILES

~/.ssh/identity Contains the protocol version 1 RSA authentication identity of the user. ~/.ssh/id_dsa Contains the protocol version 2 DSA authentication identity of the user. ~/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user. /tmp/ssh-XXXXXXXXXX/agent.<ppid> Unix-domain sockets used to contain the connection to the authen- tication agent. These sockets should only be readable by the owner. The sockets should get automatically removed when the agent exits.

ENVIRONMENT

SSH_USE_STRONG_RNG The reseeding of the OpenSSL random generator is usually done from /dev/urandom. If the SSH_USE_STRONG_RNG environment vari- able is set to value other than 0 the OpenSSL random generator is reseeded from /dev/random. The number of bytes read is defined by the SSH_USE_STRONG_RNG value. Minimum is 6 bytes. This set- ting is not recommended on the computers without the hardware random generator because insufficient entropy causes the connec- tion to be blocked until enough entropy is available.

SEE ALSO

ssh(1), ssh-add(1), ssh-keygen(1), sshd(8)

AUTHORS

OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt and Dug Song removed many bugs, re-added newer features and cre- ated OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. BSD September 25, 1999 BSD

1994 Man-cgi 1.15, Panagiotis Christias <christia@theseas.ntua.gr>