diff options
| author | Colin Watson <cjwatson@debian.org> | 2020-02-21 11:57:14 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2020-02-21 11:57:14 +0000 |
| commit | f0de78bd4f29fa688c5df116f3f9cd43543a76d0 (patch) | |
| tree | 856b0dee3f2764c13a32dad5ffe2424fab7fef41 /ssh-agent.0 | |
| parent | 4213eec74e74de6310c27a40c3e9759a08a73996 (diff) | |
| parent | 8aa3455b16fddea4c0144a7c4a1edb10ec67dcc8 (diff) | |
Import openssh_8.2p1.orig.tar.gz
Diffstat (limited to 'ssh-agent.0')
| -rw-r--r-- | ssh-agent.0 | 99 |
1 files changed, 48 insertions, 51 deletions
diff --git a/ssh-agent.0 b/ssh-agent.0 index 1ef2702f6..c5fe8b153 100644 --- a/ssh-agent.0 +++ b/ssh-agent.0 | |||
| @@ -1,27 +1,18 @@ | |||
| 1 | SSH-AGENT(1) General Commands Manual SSH-AGENT(1) | 1 | SSH-AGENT(1) General Commands Manual SSH-AGENT(1) |
| 2 | 2 | ||
| 3 | NAME | 3 | NAME |
| 4 | ssh-agent M-bM-^@M-^S authentication agent | 4 | ssh-agent M-bM-^@M-^S OpenSSH authentication agent |
| 5 | 5 | ||
| 6 | SYNOPSIS | 6 | SYNOPSIS |
| 7 | ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash] | 7 | ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash] |
| 8 | [-P pkcs11_whitelist] [-t life] [command [arg ...]] | 8 | [-P provider_whitelist] [-t life] [command [arg ...]] |
| 9 | ssh-agent [-c | -s] -k | 9 | ssh-agent [-c | -s] -k |
| 10 | 10 | ||
| 11 | DESCRIPTION | 11 | DESCRIPTION |
| 12 | ssh-agent is a program to hold private keys used for public key | 12 | ssh-agent is a program to hold private keys used for public key |
| 13 | authentication (RSA, DSA, ECDSA, Ed25519). ssh-agent is usually started | 13 | authentication. Through use of environment variables the agent can be |
| 14 | in the beginning of an X-session or a login session, and all other | 14 | located and automatically used for authentication when logging in to |
| 15 | windows or programs are started as clients to the ssh-agent program. | 15 | other machines using ssh(1). |
| 16 | Through use of environment variables the agent can be located and | ||
| 17 | automatically used for authentication when logging in to other machines | ||
| 18 | using ssh(1). | ||
| 19 | |||
| 20 | The agent initially does not have any private keys. Keys are added using | ||
| 21 | ssh(1) (see AddKeysToAgent in ssh_config(5) for details) or ssh-add(1). | ||
| 22 | Multiple identities may be stored in ssh-agent concurrently and ssh(1) | ||
| 23 | will automatically use them if present. ssh-add(1) is also used to | ||
| 24 | remove keys from ssh-agent and to query the keys that are held in one. | ||
| 25 | 16 | ||
| 26 | The options are as follows: | 17 | The options are as follows: |
| 27 | 18 | ||
| @@ -46,13 +37,13 @@ DESCRIPTION | |||
| 46 | -k Kill the current agent (given by the SSH_AGENT_PID environment | 37 | -k Kill the current agent (given by the SSH_AGENT_PID environment |
| 47 | variable). | 38 | variable). |
| 48 | 39 | ||
| 49 | -P pkcs11_whitelist | 40 | -P provider_whitelist |
| 50 | Specify a pattern-list of acceptable paths for PKCS#11 shared | 41 | Specify a pattern-list of acceptable paths for PKCS#11 and FIDO |
| 51 | libraries that may be added using the -s option to ssh-add(1). | 42 | authenticator shared libraries that may be used with the -S or -s |
| 52 | The default is to allow loading PKCS#11 libraries from | 43 | options to ssh-add(1). Libraries that do not match the whitelist |
| 53 | M-bM-^@M-^\/usr/lib/*,/usr/local/lib/*M-bM-^@M-^]. PKCS#11 libraries that do not | 44 | will be refused. See PATTERNS in ssh_config(5) for a description |
| 54 | match the whitelist will be refused. See PATTERNS in | 45 | of pattern-list syntax. The default whitelist is |
| 55 | ssh_config(5) for a description of pattern-list syntax. | 46 | M-bM-^@M-^\/usr/lib/*,/usr/local/lib/*M-bM-^@M-^]. |
| 56 | 47 | ||
| 57 | -s Generate Bourne shell commands on stdout. This is the default if | 48 | -s Generate Bourne shell commands on stdout. This is the default if |
| 58 | SHELL does not look like it's a csh style of shell. | 49 | SHELL does not look like it's a csh style of shell. |
| @@ -64,41 +55,47 @@ DESCRIPTION | |||
| 64 | for an identity with ssh-add(1) overrides this value. Without | 55 | for an identity with ssh-add(1) overrides this value. Without |
| 65 | this option the default maximum lifetime is forever. | 56 | this option the default maximum lifetime is forever. |
| 66 | 57 | ||
| 67 | If a command line is given, this is executed as a subprocess of the | 58 | command [arg ...] |
| 68 | agent. When the command dies, so does the agent. | 59 | If a command (and optional arguments) is given, this is executed |
| 60 | as a subprocess of the agent. The agent exits automatically when | ||
| 61 | the command given on the command line terminates. | ||
| 69 | 62 | ||
| 70 | The idea is that the agent is run in the user's local PC, laptop, or | 63 | There are two main ways to get an agent set up. The first is at the |
| 71 | terminal. Authentication data need not be stored on any other machine, | 64 | start of an X session, where all other windows or programs are started as |
| 72 | and authentication passphrases never go over the network. However, the | 65 | children of the ssh-agent program. The agent starts a command under |
| 73 | connection to the agent is forwarded over SSH remote logins, and the user | 66 | which its environment variables are exported, for example ssh-agent xterm |
| 74 | can thus use the privileges given by the identities anywhere in the | 67 | &. When the command terminates, so does the agent. |
| 75 | network in a secure way. | ||
| 76 | 68 | ||
| 77 | There are two main ways to get an agent set up: The first is that the | 69 | The second method is used for a login session. When ssh-agent is |
| 78 | agent starts a new subcommand into which some environment variables are | 70 | started, it prints the shell commands required to set its environment |
| 79 | exported, eg ssh-agent xterm &. The second is that the agent prints the | 71 | variables, which in turn can be evaluated in the calling shell, for |
| 80 | needed shell commands (either sh(1) or csh(1) syntax can be generated) | 72 | example eval `ssh-agent -s`. |
| 81 | which can be evaluated in the calling shell, eg eval `ssh-agent -s` for | ||
| 82 | Bourne-type shells such as sh(1) or ksh(1) and eval `ssh-agent -c` for | ||
| 83 | csh(1) and derivatives. | ||
| 84 | 73 | ||
| 85 | Later ssh(1) looks at these variables and uses them to establish a | 74 | In both cases, ssh(1) looks at these environment variables and uses them |
| 86 | connection to the agent. | 75 | to establish a connection to the agent. |
| 87 | 76 | ||
| 88 | The agent will never send a private key over its request channel. | 77 | The agent initially does not have any private keys. Keys are added using |
| 89 | Instead, operations that require a private key will be performed by the | 78 | ssh-add(1) or by ssh(1) when AddKeysToAgent is set in ssh_config(5). |
| 90 | agent, and the result will be returned to the requester. This way, | 79 | Multiple identities may be stored in ssh-agent concurrently and ssh(1) |
| 91 | private keys are not exposed to clients using the agent. | 80 | will automatically use them if present. ssh-add(1) is also used to |
| 81 | remove keys from ssh-agent and to query the keys that are held in one. | ||
| 92 | 82 | ||
| 93 | A UNIX-domain socket is created and the name of this socket is stored in | 83 | Connections to ssh-agent may be forwarded from further remote hosts using |
| 94 | the SSH_AUTH_SOCK environment variable. The socket is made accessible | 84 | the -A option to ssh(1) (but see the caveats documented therein), |
| 95 | only to the current user. This method is easily abused by root or | 85 | avoiding the need for authentication data to be stored on other machines. |
| 96 | another instance of the same user. | 86 | Authentication passphrases and private keys never go over the network: |
| 87 | the connection to the agent is forwarded over SSH remote connections and | ||
| 88 | the result is returned to the requester, allowing the user access to | ||
| 89 | their identities anywhere in the network in a secure fashion. | ||
| 97 | 90 | ||
| 98 | The SSH_AGENT_PID environment variable holds the agent's process ID. | 91 | ENVIRONMENT |
| 92 | SSH_AGENT_PID When ssh-agent starts, it stores the name of the agent's | ||
| 93 | process ID (PID) in this variable. | ||
| 99 | 94 | ||
| 100 | The agent exits automatically when the command given on the command line | 95 | SSH_AUTH_SOCK When ssh-agent starts, it creates a UNIX-domain socket and |
| 101 | terminates. | 96 | stores its pathname in this variable. It is accessible |
| 97 | only to the current user, but is easily abused by root or | ||
| 98 | another instance of the same user. | ||
| 102 | 99 | ||
| 103 | FILES | 100 | FILES |
| 104 | $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid> | 101 | $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid> |
| @@ -108,7 +105,7 @@ FILES | |||
| 108 | agent exits. | 105 | agent exits. |
| 109 | 106 | ||
| 110 | SEE ALSO | 107 | SEE ALSO |
| 111 | ssh(1), ssh-add(1), ssh-keygen(1), sshd(8) | 108 | ssh(1), ssh-add(1), ssh-keygen(1), ssh_config(5), sshd(8) |
| 112 | 109 | ||
| 113 | AUTHORS | 110 | AUTHORS |
| 114 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | 111 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by |
| @@ -117,4 +114,4 @@ AUTHORS | |||
| 117 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 114 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
| 118 | versions 1.5 and 2.0. | 115 | versions 1.5 and 2.0. |
| 119 | 116 | ||
| 120 | OpenBSD 6.6 November 30, 2016 OpenBSD 6.6 | 117 | OpenBSD 6.6 December 21, 2019 OpenBSD 6.6 |