diff options
Diffstat (limited to 'ssh-agent.0')
-rw-r--r-- | ssh-agent.0 | 120 |
1 files changed, 120 insertions, 0 deletions
diff --git a/ssh-agent.0 b/ssh-agent.0 new file mode 100644 index 000000000..f4575d01b --- /dev/null +++ b/ssh-agent.0 | |||
@@ -0,0 +1,120 @@ | |||
1 | SSH-AGENT(1) General Commands Manual SSH-AGENT(1) | ||
2 | |||
3 | NAME | ||
4 | ssh-agent M-bM-^@M-^S authentication agent | ||
5 | |||
6 | SYNOPSIS | ||
7 | ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash] | ||
8 | [-P pkcs11_whitelist] [-t life] [command [arg ...]] | ||
9 | ssh-agent [-c | -s] -k | ||
10 | |||
11 | DESCRIPTION | ||
12 | ssh-agent is a program to hold private keys used for public key | ||
13 | authentication (RSA, DSA, ECDSA, Ed25519). ssh-agent is usually started | ||
14 | in the beginning of an X-session or a login session, and all other | ||
15 | windows or programs are started as clients to the ssh-agent program. | ||
16 | Through use of environment variables the agent can be located and | ||
17 | automatically used for authentication when logging in to other machines | ||
18 | using ssh(1). | ||
19 | |||
20 | The agent initially does not have any private keys. Keys are added using | ||
21 | ssh(1) (see AddKeysToAgent in ssh_config(5) for details) or ssh-add(1). | ||
22 | Multiple identities may be stored in ssh-agent concurrently and ssh(1) | ||
23 | will automatically use them if present. ssh-add(1) is also used to | ||
24 | remove keys from ssh-agent and to query the keys that are held in one. | ||
25 | |||
26 | The options are as follows: | ||
27 | |||
28 | -a bind_address | ||
29 | Bind the agent to the UNIX-domain socket bind_address. The | ||
30 | default is $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>. | ||
31 | |||
32 | -c Generate C-shell commands on stdout. This is the default if | ||
33 | SHELL looks like it's a csh style of shell. | ||
34 | |||
35 | -D Foreground mode. When this option is specified ssh-agent will | ||
36 | not fork. | ||
37 | |||
38 | -d Debug mode. When this option is specified ssh-agent will not | ||
39 | fork and will write debug information to standard error. | ||
40 | |||
41 | -E fingerprint_hash | ||
42 | Specifies the hash algorithm used when displaying key | ||
43 | fingerprints. Valid options are: M-bM-^@M-^\md5M-bM-^@M-^] and M-bM-^@M-^\sha256M-bM-^@M-^]. The | ||
44 | default is M-bM-^@M-^\sha256M-bM-^@M-^]. | ||
45 | |||
46 | -k Kill the current agent (given by the SSH_AGENT_PID environment | ||
47 | variable). | ||
48 | |||
49 | -P pkcs11_whitelist | ||
50 | Specify a pattern-list of acceptable paths for PKCS#11 shared | ||
51 | libraries that may be added using the -s option to ssh-add(1). | ||
52 | The default is to allow loading PKCS#11 libraries from | ||
53 | M-bM-^@M-^\/usr/lib/*,/usr/local/lib/*M-bM-^@M-^]. PKCS#11 libraries that do not | ||
54 | match the whitelist will be refused. See PATTERNS in | ||
55 | ssh_config(5) for a description of pattern-list syntax. | ||
56 | |||
57 | -s Generate Bourne shell commands on stdout. This is the default if | ||
58 | SHELL does not look like it's a csh style of shell. | ||
59 | |||
60 | -t life | ||
61 | Set a default value for the maximum lifetime of identities added | ||
62 | to the agent. The lifetime may be specified in seconds or in a | ||
63 | time format specified in sshd_config(5). A lifetime specified | ||
64 | for an identity with ssh-add(1) overrides this value. Without | ||
65 | this option the default maximum lifetime is forever. | ||
66 | |||
67 | If a command line is given, this is executed as a subprocess of the | ||
68 | agent. When the command dies, so does the agent. | ||
69 | |||
70 | The idea is that the agent is run in the user's local PC, laptop, or | ||
71 | terminal. Authentication data need not be stored on any other machine, | ||
72 | and authentication passphrases never go over the network. However, the | ||
73 | connection to the agent is forwarded over SSH remote logins, and the user | ||
74 | can thus use the privileges given by the identities anywhere in the | ||
75 | network in a secure way. | ||
76 | |||
77 | There are two main ways to get an agent set up: The first is that the | ||
78 | agent starts a new subcommand into which some environment variables are | ||
79 | exported, eg ssh-agent xterm &. The second is that the agent prints the | ||
80 | needed shell commands (either sh(1) or csh(1) syntax can be generated) | ||
81 | which can be evaluated in the calling shell, eg eval `ssh-agent -s` for | ||
82 | Bourne-type shells such as sh(1) or ksh(1) and eval `ssh-agent -c` for | ||
83 | csh(1) and derivatives. | ||
84 | |||
85 | Later ssh(1) looks at these variables and uses them to establish a | ||
86 | connection to the agent. | ||
87 | |||
88 | The agent will never send a private key over its request channel. | ||
89 | Instead, operations that require a private key will be performed by the | ||
90 | agent, and the result will be returned to the requester. This way, | ||
91 | private keys are not exposed to clients using the agent. | ||
92 | |||
93 | A UNIX-domain socket is created and the name of this socket is stored in | ||
94 | the SSH_AUTH_SOCK environment variable. The socket is made accessible | ||
95 | only to the current user. This method is easily abused by root or | ||
96 | another instance of the same user. | ||
97 | |||
98 | The SSH_AGENT_PID environment variable holds the agent's process ID. | ||
99 | |||
100 | The agent exits automatically when the command given on the command line | ||
101 | terminates. | ||
102 | |||
103 | FILES | ||
104 | $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid> | ||
105 | UNIX-domain sockets used to contain the connection to the | ||
106 | authentication agent. These sockets should only be readable by | ||
107 | the owner. The sockets should get automatically removed when the | ||
108 | agent exits. | ||
109 | |||
110 | SEE ALSO | ||
111 | ssh(1), ssh-add(1), ssh-keygen(1), sshd(8) | ||
112 | |||
113 | AUTHORS | ||
114 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | ||
115 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | ||
116 | de Raadt and Dug Song removed many bugs, re-added newer features and | ||
117 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | ||
118 | versions 1.5 and 2.0. | ||
119 | |||
120 | OpenBSD 6.4 November 30, 2016 OpenBSD 6.4 | ||