2015-01-05 16:09:55 +00:00
|
|
|
SSH-AGENT(1) General Commands Manual SSH-AGENT(1)
|
2008-07-23 09:15:38 +00:00
|
|
|
|
|
|
|
NAME
|
2015-07-02 13:15:34 +00:00
|
|
|
ssh-agent M-bM-^@M-^S authentication agent
|
2008-07-23 09:15:38 +00:00
|
|
|
|
|
|
|
SYNOPSIS
|
2015-07-02 13:18:50 +00:00
|
|
|
ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]
|
2017-01-31 12:33:47 +00:00
|
|
|
[-P pkcs11_whitelist] [-t life] [command [arg ...]]
|
2008-07-23 09:15:38 +00:00
|
|
|
ssh-agent [-c | -s] -k
|
|
|
|
|
|
|
|
DESCRIPTION
|
2010-11-08 10:45:44 +00:00
|
|
|
ssh-agent is a program to hold private keys used for public key
|
2015-07-02 13:15:34 +00:00
|
|
|
authentication (RSA, DSA, ECDSA, Ed25519). ssh-agent is usually started
|
2015-01-05 16:09:55 +00:00
|
|
|
in the beginning of an X-session or a login session, and all other
|
|
|
|
windows or programs are started as clients to the ssh-agent program.
|
|
|
|
Through use of environment variables the agent can be located and
|
|
|
|
automatically used for authentication when logging in to other machines
|
|
|
|
using ssh(1).
|
|
|
|
|
|
|
|
The agent initially does not have any private keys. Keys are added using
|
2016-03-10 20:10:25 +00:00
|
|
|
ssh(1) (see AddKeysToAgent in ssh_config(5) for details) or ssh-add(1).
|
|
|
|
Multiple identities may be stored in ssh-agent concurrently and ssh(1)
|
|
|
|
will automatically use them if present. ssh-add(1) is also used to
|
|
|
|
remove keys from ssh-agent and to query the keys that are held in one.
|
2008-07-23 09:15:38 +00:00
|
|
|
|
|
|
|
The options are as follows:
|
|
|
|
|
|
|
|
-a bind_address
|
2010-11-08 10:45:44 +00:00
|
|
|
Bind the agent to the UNIX-domain socket bind_address. The
|
2011-02-17 11:47:40 +00:00
|
|
|
default is $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>.
|
2008-07-23 09:15:38 +00:00
|
|
|
|
|
|
|
-c Generate C-shell commands on stdout. This is the default if
|
|
|
|
SHELL looks like it's a csh style of shell.
|
|
|
|
|
2015-07-02 13:18:50 +00:00
|
|
|
-D Foreground mode. When this option is specified ssh-agent will
|
|
|
|
not fork.
|
|
|
|
|
2008-07-23 09:28:49 +00:00
|
|
|
-d Debug mode. When this option is specified ssh-agent will not
|
2015-07-02 13:18:50 +00:00
|
|
|
fork and will write debug information to standard error.
|
2008-07-23 09:15:38 +00:00
|
|
|
|
2015-07-02 13:15:34 +00:00
|
|
|
-E fingerprint_hash
|
|
|
|
Specifies the hash algorithm used when displaying key
|
|
|
|
fingerprints. Valid options are: M-bM-^@M-^\md5M-bM-^@M-^] and M-bM-^@M-^\sha256M-bM-^@M-^]. The
|
|
|
|
default is M-bM-^@M-^\sha256M-bM-^@M-^].
|
|
|
|
|
2008-07-23 09:15:38 +00:00
|
|
|
-k Kill the current agent (given by the SSH_AGENT_PID environment
|
|
|
|
variable).
|
|
|
|
|
2017-01-31 12:33:47 +00:00
|
|
|
-P pkcs11_whitelist
|
|
|
|
Specify a pattern-list of acceptable paths for PKCS#11 shared
|
|
|
|
libraries that may be added using the -s option to ssh-add(1).
|
|
|
|
The default is to allow loading PKCS#11 libraries from
|
|
|
|
M-bM-^@M-^\/usr/lib/*,/usr/local/lib/*M-bM-^@M-^]. PKCS#11 libraries that do not
|
|
|
|
match the whitelist will be refused. See PATTERNS in
|
|
|
|
ssh_config(5) for a description of pattern-list syntax.
|
|
|
|
|
2008-07-23 09:28:49 +00:00
|
|
|
-s Generate Bourne shell commands on stdout. This is the default if
|
|
|
|
SHELL does not look like it's a csh style of shell.
|
|
|
|
|
2008-07-23 09:15:38 +00:00
|
|
|
-t life
|
|
|
|
Set a default value for the maximum lifetime of identities added
|
|
|
|
to the agent. The lifetime may be specified in seconds or in a
|
|
|
|
time format specified in sshd_config(5). A lifetime specified
|
|
|
|
for an identity with ssh-add(1) overrides this value. Without
|
|
|
|
this option the default maximum lifetime is forever.
|
|
|
|
|
2016-03-10 20:10:25 +00:00
|
|
|
If a command line is given, this is executed as a subprocess of the
|
|
|
|
agent. When the command dies, so does the agent.
|
2008-07-23 09:15:38 +00:00
|
|
|
|
2010-11-08 10:45:44 +00:00
|
|
|
The idea is that the agent is run in the user's local PC, laptop, or
|
|
|
|
terminal. Authentication data need not be stored on any other machine,
|
|
|
|
and authentication passphrases never go over the network. However, the
|
|
|
|
connection to the agent is forwarded over SSH remote logins, and the user
|
|
|
|
can thus use the privileges given by the identities anywhere in the
|
|
|
|
network in a secure way.
|
2008-07-23 09:15:38 +00:00
|
|
|
|
|
|
|
There are two main ways to get an agent set up: The first is that the
|
|
|
|
agent starts a new subcommand into which some environment variables are
|
|
|
|
exported, eg ssh-agent xterm &. The second is that the agent prints the
|
|
|
|
needed shell commands (either sh(1) or csh(1) syntax can be generated)
|
2009-10-01 15:19:37 +00:00
|
|
|
which can be evaluated in the calling shell, eg eval `ssh-agent -s` for
|
2008-07-23 09:15:38 +00:00
|
|
|
Bourne-type shells such as sh(1) or ksh(1) and eval `ssh-agent -c` for
|
|
|
|
csh(1) and derivatives.
|
|
|
|
|
2010-11-08 10:45:44 +00:00
|
|
|
Later ssh(1) looks at these variables and uses them to establish a
|
|
|
|
connection to the agent.
|
2008-07-23 09:15:38 +00:00
|
|
|
|
2010-11-08 10:45:44 +00:00
|
|
|
The agent will never send a private key over its request channel.
|
|
|
|
Instead, operations that require a private key will be performed by the
|
|
|
|
agent, and the result will be returned to the requester. This way,
|
|
|
|
private keys are not exposed to clients using the agent.
|
2008-07-23 09:15:38 +00:00
|
|
|
|
2010-03-08 11:19:52 +00:00
|
|
|
A UNIX-domain socket is created and the name of this socket is stored in
|
2008-07-23 09:15:38 +00:00
|
|
|
the SSH_AUTH_SOCK environment variable. The socket is made accessible
|
2010-11-08 10:45:44 +00:00
|
|
|
only to the current user. This method is easily abused by root or
|
|
|
|
another instance of the same user.
|
2008-07-23 09:15:38 +00:00
|
|
|
|
|
|
|
The SSH_AGENT_PID environment variable holds the agent's process ID.
|
|
|
|
|
|
|
|
The agent exits automatically when the command given on the command line
|
|
|
|
terminates.
|
|
|
|
|
|
|
|
FILES
|
2011-02-17 11:47:40 +00:00
|
|
|
$TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>
|
2010-11-08 10:45:44 +00:00
|
|
|
UNIX-domain sockets used to contain the connection to the
|
|
|
|
authentication agent. These sockets should only be readable by
|
|
|
|
the owner. The sockets should get automatically removed when the
|
2008-07-23 09:15:38 +00:00
|
|
|
agent exits.
|
|
|
|
|
|
|
|
SEE ALSO
|
|
|
|
ssh(1), ssh-add(1), ssh-keygen(1), sshd(8)
|
|
|
|
|
|
|
|
AUTHORS
|
|
|
|
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
|
|
|
|
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
|
2010-11-08 10:45:44 +00:00
|
|
|
de Raadt and Dug Song removed many bugs, re-added newer features and
|
|
|
|
created OpenSSH. Markus Friedl contributed the support for SSH protocol
|
2008-07-23 09:15:38 +00:00
|
|
|
versions 1.5 and 2.0.
|
|
|
|
|
2017-01-31 12:33:47 +00:00
|
|
|
OpenBSD 6.0 November 30, 2016 OpenBSD 6.0
|