1.\" $OpenBSD: ssh-agent.1,v 1.62 2015/11/15 23:54:15 jmc Exp $ 2.\" 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5.\" All rights reserved 6.\" 7.\" As far as I am concerned, the code I have written for this software 8.\" can be used freely for any purpose. Any derived versions of this 9.\" software must be clearly marked as such, and if the derived work is 10.\" incompatible with the protocol description in the RFC file, it must be 11.\" called by a name other than "ssh" or "Secure Shell". 12.\" 13.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 14.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 15.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. 16.\" 17.\" Redistribution and use in source and binary forms, with or without 18.\" modification, are permitted provided that the following conditions 19.\" are met: 20.\" 1. Redistributions of source code must retain the above copyright 21.\" notice, this list of conditions and the following disclaimer. 22.\" 2. Redistributions in binary form must reproduce the above copyright 23.\" notice, this list of conditions and the following disclaimer in the 24.\" documentation and/or other materials provided with the distribution. 25.\" 26.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 27.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 28.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" 37.Dd $Mdocdate: November 15 2015 $ 38.Dt SSH-AGENT 1 39.Os 40.Sh NAME 41.Nm ssh-agent 42.Nd authentication agent 43.Sh SYNOPSIS 44.Nm ssh-agent 45.Op Fl c | s 46.Op Fl \&Dd 47.Op Fl a Ar bind_address 48.Op Fl E Ar fingerprint_hash 49.Op Fl t Ar life 50.Op Ar command Op Ar arg ... 51.Nm ssh-agent 52.Op Fl c | s 53.Fl k 54.Sh DESCRIPTION 55.Nm 56is a program to hold private keys used for public key authentication 57(RSA, DSA, ECDSA, Ed25519). 58.Nm 59is usually started in the beginning of an X-session or a login session, and 60all other windows or programs are started as clients to the ssh-agent 61program. 62Through use of environment variables the agent can be located 63and automatically used for authentication when logging in to other 64machines using 65.Xr ssh 1 . 66.Pp 67The agent initially does not have any private keys. 68Keys are added using 69.Xr ssh 1 70(see 71.Cm AddKeysToAgent 72in 73.Xr ssh_config 5 74for details) 75or 76.Xr ssh-add 1 . 77Multiple identities may be stored in 78.Nm 79concurrently and 80.Xr ssh 1 81will automatically use them if present. 82.Xr ssh-add 1 83is also used to remove keys from 84.Nm 85and to query the keys that are held in one. 86.Pp 87The options are as follows: 88.Bl -tag -width Ds 89.It Fl a Ar bind_address 90Bind the agent to the 91.Ux Ns -domain 92socket 93.Ar bind_address . 94The default is 95.Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt . 96.It Fl c 97Generate C-shell commands on 98.Dv stdout . 99This is the default if 100.Ev SHELL 101looks like it's a csh style of shell. 102.It Fl D 103Foreground mode. 104When this option is specified 105.Nm 106will not fork. 107.It Fl d 108Debug mode. 109When this option is specified 110.Nm 111will not fork and will write debug information to standard error. 112.It Fl E Ar fingerprint_hash 113Specifies the hash algorithm used when displaying key fingerprints. 114Valid options are: 115.Dq md5 116and 117.Dq sha256 . 118The default is 119.Dq sha256 . 120.It Fl k 121Kill the current agent (given by the 122.Ev SSH_AGENT_PID 123environment variable). 124.It Fl s 125Generate Bourne shell commands on 126.Dv stdout . 127This is the default if 128.Ev SHELL 129does not look like it's a csh style of shell. 130.It Fl t Ar life 131Set a default value for the maximum lifetime of identities added to the agent. 132The lifetime may be specified in seconds or in a time format specified in 133.Xr sshd_config 5 . 134A lifetime specified for an identity with 135.Xr ssh-add 1 136overrides this value. 137Without this option the default maximum lifetime is forever. 138.El 139.Pp 140If a command line is given, this is executed as a subprocess of the agent. 141When the command dies, so does the agent. 142.Pp 143The idea is that the agent is run in the user's local PC, laptop, or 144terminal. 145Authentication data need not be stored on any other 146machine, and authentication passphrases never go over the network. 147However, the connection to the agent is forwarded over SSH 148remote logins, and the user can thus use the privileges given by the 149identities anywhere in the network in a secure way. 150.Pp 151There are two main ways to get an agent set up: 152The first is that the agent starts a new subcommand into which some environment 153variables are exported, eg 154.Cm ssh-agent xterm & . 155The second is that the agent prints the needed shell commands (either 156.Xr sh 1 157or 158.Xr csh 1 159syntax can be generated) which can be evaluated in the calling shell, eg 160.Cm eval `ssh-agent -s` 161for Bourne-type shells such as 162.Xr sh 1 163or 164.Xr ksh 1 165and 166.Cm eval `ssh-agent -c` 167for 168.Xr csh 1 169and derivatives. 170.Pp 171Later 172.Xr ssh 1 173looks at these variables and uses them to establish a connection to the agent. 174.Pp 175The agent will never send a private key over its request channel. 176Instead, operations that require a private key will be performed 177by the agent, and the result will be returned to the requester. 178This way, private keys are not exposed to clients using the agent. 179.Pp 180A 181.Ux Ns -domain 182socket is created and the name of this socket is stored in the 183.Ev SSH_AUTH_SOCK 184environment 185variable. 186The socket is made accessible only to the current user. 187This method is easily abused by root or another instance of the same 188user. 189.Pp 190The 191.Ev SSH_AGENT_PID 192environment variable holds the agent's process ID. 193.Pp 194The agent exits automatically when the command given on the command 195line terminates. 196.Sh FILES 197.Bl -tag -width Ds 198.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt 199.Ux Ns -domain 200sockets used to contain the connection to the authentication agent. 201These sockets should only be readable by the owner. 202The sockets should get automatically removed when the agent exits. 203.El 204.Sh SEE ALSO 205.Xr ssh 1 , 206.Xr ssh-add 1 , 207.Xr ssh-keygen 1 , 208.Xr sshd 8 209.Sh AUTHORS 210OpenSSH is a derivative of the original and free 211ssh 1.2.12 release by Tatu Ylonen. 212Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 213Theo de Raadt and Dug Song 214removed many bugs, re-added newer features and 215created OpenSSH. 216Markus Friedl contributed the support for SSH 217protocol versions 1.5 and 2.0. 218