upstream: reshuffle the text to read better; input from naddy,

djmc, and dtucker OpenBSD-Commit-ID: a0b2aca2b67614dda3d6618ea097bf0610c35013
author: jmc@openbsd.org <jmc@openbsd.org> 2019-11-28 12:23:25 +0000
committer: Damien Miller <djm@mindrot.org> 2019-11-29 11:17:39 +1100
commit: 9a0e01bd0c61f553ead96b5af84abd73865847b8 (patch)
tree: fd8f059fc83c4d23ab6a6b25f0a386146ee8c9ff /ssh-agent.1
parent: 5ca52c0f2e5e7f7d01d8d557b994b5c2087bed00 (diff)
1 files changed, 76 insertions, 82 deletions
diff --git a/ssh-agent.1 b/ssh-agent.1
index 9129d36ff..2a1268af7 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.67 2019/11/19 16:02:32 jmc Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.68 2019/11/28 12:23:25 jmc Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 19 2019 $
+.Dd $Mdocdate: November 28 2019 $
 .Dt SSH-AGENT 1
 .Os
 .Sh NAME
@@ -54,37 +54,12 @@
 .Fl k
 .Sh DESCRIPTION
 .Nm
-is a program to hold private keys used for public key authentication
+is a program to hold private keys used for public key authentication.
-(RSA, DSA, ECDSA, Ed25519).
-.Nm
-is usually started in the beginning of an X-session or a login session, and
-all other windows or programs are started as clients to the ssh-agent
-program.
 Through use of environment variables the agent can be located
 and automatically used for authentication when logging in to other
 machines using
 .Xr ssh 1 .
 .Pp
-The agent initially does not have any private keys.
-Keys are added using
-.Xr ssh 1
-(see
-.Cm AddKeysToAgent
-in
-.Xr ssh_config 5
-for details)
-or
-.Xr ssh-add 1 .
-Multiple identities may be stored in
-.Nm
-concurrently and
-.Xr ssh 1
-will automatically use them if present.
-.Xr ssh-add 1
-is also used to remove keys from
-.Nm
-and to query the keys that are held in one.
-.Pp
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl a Ar bind_address
@@ -125,17 +100,17 @@ environment variable).
 .It Fl P Ar provider_whitelist
 Specify a pattern-list of acceptable paths for PKCS#11 and security key shared
 libraries that may be used with the
-.Fl s
-or
 .Fl S
+or
+.Fl s
 options to
 .Xr ssh-add 1 .
-The default is to allow loading libraries from
-.Dq /usr/lib/*,/usr/local/lib/* .
 Libraries that do not match the whitelist will be refused.
 See PATTERNS in
 .Xr ssh_config 5
 for a description of pattern-list syntax.
+The default whitelist is
+.Dq /usr/lib/*,/usr/local/lib/* .
 .It Fl s
 Generate Bourne shell commands on
 .Dv stdout .
@@ -150,64 +125,82 @@ A lifetime specified for an identity with
 .Xr ssh-add 1
 overrides this value.
 Without this option the default maximum lifetime is forever.
+.It Ar command Op Ar arg ...
+If a command (and optional arguments) is given,
+this is executed as a subprocess of the agent.
+The agent exits automatically when the command given on the command
+line terminates.
 .El
 .Pp
-If a command line is given, this is executed as a subprocess of the agent.
+There are two main ways to get an agent set up.
-When the command dies, so does the agent.
+The first is at the start of an X session,
-.Pp
+where all other windows or programs are started as children of the
-The idea is that the agent is run in the user's local PC, laptop, or
+.Nm
-terminal.
+program.
-Authentication data need not be stored on any other
+The agent starts a command under which its environment
-machine, and authentication passphrases never go over the network.
+variables are exported, for example
-However, the connection to the agent is forwarded over SSH
-remote logins, and the user can thus use the privileges given by the
-identities anywhere in the network in a secure way.
-.Pp
-There are two main ways to get an agent set up:
-The first is that the agent starts a new subcommand into which some environment
-variables are exported, eg
 .Cm ssh-agent xterm & .
-The second is that the agent prints the needed shell commands (either
+When the command terminates, so does the agent.
-.Xr sh 1
-or
-.Xr csh 1
-syntax can be generated) which can be evaluated in the calling shell, eg
-.Cm eval `ssh-agent -s`
-for Bourne-type shells such as
-.Xr sh 1
-or
-.Xr ksh 1
-and
-.Cm eval `ssh-agent -c`
-for
-.Xr csh 1
-and derivatives.
 .Pp
-Later
+The second method is used for a login session.
+When
+.Nm
+is started,
+it prints the shell commands required to set its environment variables,
+which in turn can be evaluated in the calling shell, for example
+.Cm eval `ssh-agent -s` .
+.Pp
+In both cases,
 .Xr ssh 1
-looks at these variables and uses them to establish a connection to the agent.
+looks at these environment variables and uses them to establish a connection to the agent.
 .Pp
-The agent will never send a private key over its request channel.
+The agent initially does not have any private keys.
-Instead, operations that require a private key will be performed
+Keys are added using
-by the agent, and the result will be returned to the requester.
+.Xr ssh-add 1
-This way, private keys are not exposed to clients using the agent.
+or by
+.Xr ssh 1
+when
+.Cm AddKeysToAgent
+is set in
+.Xr ssh_config 5 .
+Multiple identities may be stored in
+.Nm
+concurrently and
+.Xr ssh 1
+will automatically use them if present.
+.Xr ssh-add 1
+is also used to remove keys from
+.Nm
+and to query the keys that are held in one.
 .Pp
-A
+Connections to
+.Nm
+may be forwarded from further remote hosts using the
+.Fl A
+option to
+.Xr ssh 1
+(but see the caveats documented therein),
+avoiding the need for authentication data to be stored on other machines.
+Authentication passphrases and private keys never go over the network:
+the connection to the agent is forwarded over SSH remote connections
+and the result is returned to the requester,
+allowing the user access to their identities anywhere in the network
+in a secure fashion.
+.Sh ENVIRONMENT
+.Bl -tag -width "SSH_AGENT_PID"
+.It Ev SSH_AGENT_PID
+When
+.Nm
+starts, it stores the name of the agent's process ID (PID) in this variable.
+.It Ev SSH_AUTH_SOCK
+When
+.Nm
+starts, it creates a
 .Ux Ns -domain
-socket is created and the name of this socket is stored in the
+socket and stores its pathname in this variable.
-.Ev SSH_AUTH_SOCK
+It is accessible only to the current user,
-environment
+but is easily abused by root or another instance of the same user.
-variable.
+.El
-The socket is made accessible only to the current user.
-This method is easily abused by root or another instance of the same
-user.
-.Pp
-The
-.Ev SSH_AGENT_PID
-environment variable holds the agent's process ID.
-.Pp
-The agent exits automatically when the command given on the command
-line terminates.
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>
@@ -220,6 +213,7 @@ The sockets should get automatically removed when the agent exits.
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-keygen 1 ,
+.Xr ssh_config 5 ,
 .Xr sshd 8
 .Sh AUTHORS
 .An -nosplit
author	jmc@openbsd.org <jmc@openbsd.org>	2019-11-28 12:23:25 +0000
committer	Damien Miller <djm@mindrot.org>	2019-11-29 11:17:39 +1100
commit	9a0e01bd0c61f553ead96b5af84abd73865847b8 (patch)
tree	fd8f059fc83c4d23ab6a6b25f0a386146ee8c9ff /ssh-agent.1
parent	5ca52c0f2e5e7f7d01d8d557b994b5c2087bed00 (diff)

diff --git a/ssh-agent.1 b/ssh-agent.1 index 9129d36ff..2a1268af7 100644 --- a/ssh-agent.1 +++ b/ssh-agent.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-agent.1,v 1.67 2019/11/19 16:02:32 jmc Exp $	1	.\" $OpenBSD: ssh-agent.1,v 1.68 2019/11/28 12:23:25 jmc Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.Dd $Mdocdate: November 19 2019 $	37	.Dd $Mdocdate: November 28 2019 $
38	.Dt SSH-AGENT 1	38	.Dt SSH-AGENT 1
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -54,37 +54,12 @@
54	.Fl k	54	.Fl k
55	.Sh DESCRIPTION	55	.Sh DESCRIPTION
56	.Nm	56	.Nm
57	is a program to hold private keys used for public key authentication	57	is a program to hold private keys used for public key authentication.
58	(RSA, DSA, ECDSA, Ed25519).
59	.Nm
60	is usually started in the beginning of an X-session or a login session, and
61	all other windows or programs are started as clients to the ssh-agent
62	program.
63	Through use of environment variables the agent can be located	58	Through use of environment variables the agent can be located
64	and automatically used for authentication when logging in to other	59	and automatically used for authentication when logging in to other
65	machines using	60	machines using
66	.Xr ssh 1 .	61	.Xr ssh 1 .
67	.Pp	62	.Pp
68	The agent initially does not have any private keys.
69	Keys are added using
70	.Xr ssh 1
71	(see
72	.Cm AddKeysToAgent
73	in
74	.Xr ssh_config 5
75	for details)
76	or
77	.Xr ssh-add 1 .
78	Multiple identities may be stored in
79	.Nm
80	concurrently and
81	.Xr ssh 1
82	will automatically use them if present.
83	.Xr ssh-add 1
84	is also used to remove keys from
85	.Nm
86	and to query the keys that are held in one.
87	.Pp
88	The options are as follows:	63	The options are as follows:
89	.Bl -tag -width Ds	64	.Bl -tag -width Ds
90	.It Fl a Ar bind_address	65	.It Fl a Ar bind_address
@@ -125,17 +100,17 @@ environment variable).
125	.It Fl P Ar provider_whitelist	100	.It Fl P Ar provider_whitelist
126	Specify a pattern-list of acceptable paths for PKCS#11 and security key shared	101	Specify a pattern-list of acceptable paths for PKCS#11 and security key shared
127	libraries that may be used with the	102	libraries that may be used with the
128	.Fl s
129	or
130	.Fl S	103	.Fl S
		104	or
		105	.Fl s
131	options to	106	options to
132	.Xr ssh-add 1 .	107	.Xr ssh-add 1 .
133	The default is to allow loading libraries from
134	.Dq /usr/lib/,/usr/local/lib/ .
135	Libraries that do not match the whitelist will be refused.	108	Libraries that do not match the whitelist will be refused.
136	See PATTERNS in	109	See PATTERNS in
137	.Xr ssh_config 5	110	.Xr ssh_config 5
138	for a description of pattern-list syntax.	111	for a description of pattern-list syntax.
		112	The default whitelist is
		113	.Dq /usr/lib/,/usr/local/lib/ .
139	.It Fl s	114	.It Fl s
140	Generate Bourne shell commands on	115	Generate Bourne shell commands on
141	.Dv stdout .	116	.Dv stdout .
@@ -150,64 +125,82 @@ A lifetime specified for an identity with
150	.Xr ssh-add 1	125	.Xr ssh-add 1
151	overrides this value.	126	overrides this value.
152	Without this option the default maximum lifetime is forever.	127	Without this option the default maximum lifetime is forever.
		128	.It Ar command Op Ar arg ...
		129	If a command (and optional arguments) is given,
		130	this is executed as a subprocess of the agent.
		131	The agent exits automatically when the command given on the command
		132	line terminates.
153	.El	133	.El
154	.Pp	134	.Pp
155	If a command line is given, this is executed as a subprocess of the agent.	135	There are two main ways to get an agent set up.
156	When the command dies, so does the agent.	136	The first is at the start of an X session,
157	.Pp	137	where all other windows or programs are started as children of the
158	The idea is that the agent is run in the user's local PC, laptop, or	138	.Nm
159	terminal.	139	program.
160	Authentication data need not be stored on any other	140	The agent starts a command under which its environment
161	machine, and authentication passphrases never go over the network.	141	variables are exported, for example
162	However, the connection to the agent is forwarded over SSH
163	remote logins, and the user can thus use the privileges given by the
164	identities anywhere in the network in a secure way.
165	.Pp
166	There are two main ways to get an agent set up:
167	The first is that the agent starts a new subcommand into which some environment
168	variables are exported, eg
169	.Cm ssh-agent xterm & .	142	.Cm ssh-agent xterm & .
170	The second is that the agent prints the needed shell commands (either	143	When the command terminates, so does the agent.
171	.Xr sh 1
172	or
173	.Xr csh 1
174	syntax can be generated) which can be evaluated in the calling shell, eg
175	.Cm eval `ssh-agent -s`
176	for Bourne-type shells such as
177	.Xr sh 1
178	or
179	.Xr ksh 1
180	and
181	.Cm eval `ssh-agent -c`
182	for
183	.Xr csh 1
184	and derivatives.
185	.Pp	144	.Pp
186	Later	145	The second method is used for a login session.
		146	When
		147	.Nm
		148	is started,
		149	it prints the shell commands required to set its environment variables,
		150	which in turn can be evaluated in the calling shell, for example
		151	.Cm eval `ssh-agent -s` .
		152	.Pp
		153	In both cases,
187	.Xr ssh 1	154	.Xr ssh 1
188	looks at these variables and uses them to establish a connection to the agent.	155	looks at these environment variables and uses them to establish a connection to the agent.
189	.Pp	156	.Pp
190	The agent will never send a private key over its request channel.	157	The agent initially does not have any private keys.
191	Instead, operations that require a private key will be performed	158	Keys are added using
192	by the agent, and the result will be returned to the requester.	159	.Xr ssh-add 1
193	This way, private keys are not exposed to clients using the agent.	160	or by
		161	.Xr ssh 1
		162	when
		163	.Cm AddKeysToAgent
		164	is set in
		165	.Xr ssh_config 5 .
		166	Multiple identities may be stored in
		167	.Nm
		168	concurrently and
		169	.Xr ssh 1
		170	will automatically use them if present.
		171	.Xr ssh-add 1
		172	is also used to remove keys from
		173	.Nm
		174	and to query the keys that are held in one.
194	.Pp	175	.Pp
195	A	176	Connections to
		177	.Nm
		178	may be forwarded from further remote hosts using the
		179	.Fl A
		180	option to
		181	.Xr ssh 1
		182	(but see the caveats documented therein),
		183	avoiding the need for authentication data to be stored on other machines.
		184	Authentication passphrases and private keys never go over the network:
		185	the connection to the agent is forwarded over SSH remote connections
		186	and the result is returned to the requester,
		187	allowing the user access to their identities anywhere in the network
		188	in a secure fashion.
		189	.Sh ENVIRONMENT
		190	.Bl -tag -width "SSH_AGENT_PID"
		191	.It Ev SSH_AGENT_PID
		192	When
		193	.Nm
		194	starts, it stores the name of the agent's process ID (PID) in this variable.
		195	.It Ev SSH_AUTH_SOCK
		196	When
		197	.Nm
		198	starts, it creates a
196	.Ux Ns -domain	199	.Ux Ns -domain
197	socket is created and the name of this socket is stored in the	200	socket and stores its pathname in this variable.
198	.Ev SSH_AUTH_SOCK	201	It is accessible only to the current user,
199	environment	202	but is easily abused by root or another instance of the same user.
200	variable.	203	.El
201	The socket is made accessible only to the current user.
202	This method is easily abused by root or another instance of the same
203	user.
204	.Pp
205	The
206	.Ev SSH_AGENT_PID
207	environment variable holds the agent's process ID.
208	.Pp
209	The agent exits automatically when the command given on the command
210	line terminates.
211	.Sh FILES	204	.Sh FILES
212	.Bl -tag -width Ds	205	.Bl -tag -width Ds
213	.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>	206	.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>
@@ -220,6 +213,7 @@ The sockets should get automatically removed when the agent exits.
220	.Xr ssh 1 ,	213	.Xr ssh 1 ,
221	.Xr ssh-add 1 ,	214	.Xr ssh-add 1 ,
222	.Xr ssh-keygen 1 ,	215	.Xr ssh-keygen 1 ,
		216	.Xr ssh_config 5 ,
223	.Xr sshd 8	217	.Xr sshd 8
224	.Sh AUTHORS	218	.Sh AUTHORS
225	.An -nosplit	219	.An -nosplit