SSH-AGENT(1) SSH SSH-AGENT(1)
NAME
ssh-agent - authentication agent
SYNOPSIS
ssh-agent command
eval `ssh-agent [-k] [-s] [-c]`
DESCRIPTION
Ssh-agent is a program to hold authentication private keys. The idea
is that ssh-agent is started at the beginning of an X session or a
login session, and all other windows or programs are started as
children of the ssh-agent process (the command normally starts X or is
the user's shell). Programs started under the agent inherit a
connection to the agent, and the agent is automatically used for RSA
authentication when logging in to other machines with ssh.
If ssh-agent is started without any arguments (no command), it forks
and runs the agent as a background process. It also prints commands
that can be evaluated in sh- or csh-like shells to set the
SSH_AUTH_SOCK and SSH_AGENT_PID environment variables. SSH_AGENT_PID
can later be used to kill the agent when it is no longer needed (at
logout from the X session, etc). If no options are given, ssh-agent
uses the SHELL environment variable to detect what kind of shell you
have (*csh or an sh-style shell). The -c option forces csh-style
output, and the -s option forces sh-style output.
Note that in SysV variants (at least IRIX and Solaris) the environment
variable SHELL might not contain the actual value of the shell execut‐
ing the evaluation. If ALTSHELL is set to YES in /etc/default/login,
the SHELL environment variable is set to the login shell of the user.
The -k option kills the agent automatically: ssh-agent uses
SSH_AGENT_PID to find the agent, kills it, and prints shell commands to
stdout that unset the SSH_AUTH_SOCK and SSH_AGENT_PID environment
variables.
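The start-at-login and kill-at-logout cycle described above, as an added sh example that is not part of this manual page or of the ssh distribution. It caches the sh-style output of "ssh-agent -s" in a private file so later logins reuse one agent, reads that file back with a strict pattern instead of eval'ing it, and refuses to run the kill step unless SSH_AGENT_PID names a live ssh-agent of our own. The cache path, the function names, and the availability of ps -o comm= are this example's assumptions.

```sh
#!/bin/sh
# Added example, not part of the ssh-agent manual page.  Keeps one agent per
# login: the output of "ssh-agent -s" is cached in a private file, read back
# with a strict pattern rather than eval'd, and the agent is only killed at
# logout if SSH_AGENT_PID really is a live ssh-agent of ours.
# The cache location and the function names are this example's own choices.

AGENT_ENV="${HOME:-/nonexistent}/.ssh/agent.env"   # assumes ~/.ssh exists, mode 0700

# Pull SSH_AUTH_SOCK and SSH_AGENT_PID out of an "ssh-agent -s" transcript.
# Accepts only an absolute socket path made of safe characters and a purely
# numeric PID; on any mismatch it exports nothing and returns 1.
agent_env_parse() {
    [ -r "$1" ] || return 1
    sock=$(sed -n 's/^SSH_AUTH_SOCK=\([^;]*\); export SSH_AUTH_SOCK;$/\1/p' "$1")
    pid=$(sed -n 's/^SSH_AGENT_PID=\([^;]*\); export SSH_AGENT_PID;$/\1/p' "$1")
    case $sock in /*) ;; *) return 1 ;; esac             # absolute path only
    case $sock in *[!A-Za-z0-9/._-]*) return 1 ;; esac  # no blanks, quotes, $, ( ...
    case $pid in '' | *[!0-9]*) return 1 ;; esac         # digits only, single line
    SSH_AUTH_SOCK=$sock
    SSH_AGENT_PID=$pid
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

# True only when PID is a running ssh-agent we may signal; protects the kill
# below from a stale or inherited SSH_AGENT_PID that names something else.
agent_pid_ok() {
    case $1 in '' | *[!0-9]*) return 1 ;; esac
    kill -0 "$1" 2>/dev/null || return 1
    case $(ps -p "$1" -o comm= 2>/dev/null) in
        ssh-agent | */ssh-agent) return 0 ;;
        *) return 1 ;;
    esac
}

# Reuse the cached agent when it is still alive, otherwise start a new one
# and cache its output (the cache file gets mode 0600 via umask in a subshell).
agent_start() {
    if agent_env_parse "$AGENT_ENV" && agent_pid_ok "$SSH_AGENT_PID" \
       && [ -S "$SSH_AUTH_SOCK" ]; then
        return 0
    fi
    (umask 077 && ssh-agent -s > "$AGENT_ENV") || return 1
    agent_env_parse "$AGENT_ENV"
}

# Logout hook: kill the agent only after confirming the PID is ours, then
# drop the cache and the variables (ssh-agent -k reads SSH_AGENT_PID itself).
agent_stop() {
    agent_pid_ok "${SSH_AGENT_PID:-}" || return 1
    ssh-agent -k > /dev/null
    rm -f "$AGENT_ENV"
    unset SSH_AUTH_SOCK SSH_AGENT_PID
}

# Typical use from a login script:
#   agent_start && trap agent_stop EXIT
```

The point of parsing rather than eval'ing the cache is that the file outlives the session that wrote it: a later login should only ever get a path and a number out of it, never arbitrary shell.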
The agent initially does not have any private keys. Keys are added
using ssh-add. When executed without arguments, ssh-add adds the
$HOME/.ssh/identity file. If the identity has a passphrase, ssh-add
asks for the passphrase (using a small X11 application if running under
X11, or from the terminal if running without X). It then sends the
identity to the agent. Several identities can be stored in the agent;
the agent can automatically use any of these identities. Ssh-add -l
displays the identities currently held by the agent.
The idea is that the agent is run on the user's local PC, laptop, or
terminal. Authentication data need not be stored on any other machine,
and authentication passphrases never go over the network. However, the
connection to the agent is forwarded over ssh remote logins, and the
user can thus use the privileges given by the identities anywhere in
the network without the keys themselves leaving the local machine.
Note that while such a forwarded connection is open, root (or another
process of the same user) on the remote machine can reach the forwarded
socket and use the identities as well, so forward the agent only to
hosts you trust.
A connection to the agent is inherited by child programs. A unix-
domain socket is created as /tmp/ssh-$USER/ssh-<pid>-agent, where
<pid> is the process id of the listener (the agent, or the sshd
proxying the agent on a remote machine). The name of this socket is
stored in the SSH_AUTH_SOCK environment variable. The socket is made
accessible only to the current user. This method is easily abused by
root or by another process running as the same user: anyone who can
connect to the socket can authenticate with the identities it holds,
even though the private keys themselves never leave the agent. Older
versions of ssh used inherited file descriptors for contacting the
agent and used the unix-domain sockets in an incompatible way.
If a command is given as an argument to ssh-agent, the agent exits
automatically when that command terminates. The command is executed
even if the agent fails to start its key-storing and
challenge-processing services.
FILES
$HOME/.ssh/identity
Contains the RSA authentication identity of the user. This file
should not be readable by anyone but the user. It is possible
to specify a passphrase when generating the key; that passphrase
will be used to encrypt the private part of this file. This
file is not used by ssh-agent, but is normally added to the
agent using ssh-add at login time.
/tmp/ssh-$USER/ssh-<pid>-agent
Unix-domain sockets used to contain the connection to the
authentication agent. These sockets should only be readable by
the owner. The sockets should be removed automatically when
the agent exits. The parent directory of ssh-$USER (normally
/tmp) must have its sticky bit set, so that other users cannot
remove or rename the ssh-$USER directory.
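The socket requirements stated in this FILES entry and in DESCRIPTION (socket accessible only to the owner, ssh-$USER directory private, sticky bit on its parent), as an added sh example that is not part of this manual page or of the ssh distribution. It uses find(1) to test owner and exact mode of the socket and its directories before SSH_AUTH_SOCK is trusted; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the ssh-agent manual page.  Checks that an agent
# socket and the directory holding it meet the ownership and permission
# requirements described in the text before the socket is trusted.
# Function names are this example's own.

me=$(id -u)   # numeric uid: find -user accepts it and needs no passwd lookup

# DIR must be a real directory (not a symlink), owned by us, mode exactly
# 0700, and its parent (normally /tmp) must carry the sticky bit so other
# users cannot rename or remove it.  find with -prune looks only at the
# path itself; "-perm 700" is an exact match, "-perm -1000" means "at
# least the sticky bit".
agent_dir_ok() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    [ -n "$(find "$dir" -prune -type d -user "$me" -perm 700 -print 2>/dev/null)" ] || return 1
    [ -n "$(find "$(dirname "$dir")" -prune -type d -perm -1000 -print 2>/dev/null)" ] || return 1
}

# SOCK must live in a directory passing agent_dir_ok and must itself be a
# unix-domain socket (not a symlink to one) owned by us with mode 0600.
agent_socket_ok() {
    sock=$1
    agent_dir_ok "$(dirname "$sock")" || return 1
    [ -S "$sock" ] && [ ! -L "$sock" ] || return 1
    [ -n "$(find "$sock" -prune -type s -user "$me" -perm 600 -print 2>/dev/null)" ]
}

# Refuse to use an SSH_AUTH_SOCK that fails the checks; says why on stderr.
check_env_agent() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "SSH_AUTH_SOCK is not set" >&2
        return 1
    fi
    if ! agent_socket_ok "$SSH_AUTH_SOCK"; then
        echo "refusing agent socket $SSH_AUTH_SOCK: bad type, owner or mode" >&2
        return 1
    fi
}

# Typical use before the first ssh of a session:
#   check_env_agent || unset SSH_AUTH_SOCK
```

Unsetting SSH_AUTH_SOCK on failure makes ssh fall back to its other authentication methods instead of talking to a socket that someone else may have planted under the expected name.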
AUTHOR
Tatu Ylonen <ylo@ssh.fi>
SEE ALSO
ssh-add(1), ssh-keygen(1), ssh(1), sshd(8)
SSH November 8, 1995 SSH-AGENT(1)