MirBSD manpage: ssh-agent(1)

SSH-AGENT(1)                 BSD Reference Manual                 SSH-AGENT(1)


     ssh-agent - authentication agent


     ssh-agent [-c | -s] [-d] [-a bind_address] [-t life] [command [arg ...]]
     ssh-agent [-c | -s] -k


     ssh-agent is a program to hold private keys used for public key authenti-
     cation (RSA, DSA). The idea is that ssh-agent is started in the beginning
     of an X-session or a login session, and all other windows or programs are
     started as clients to the ssh-agent program. Through use of environment
     variables the agent can be located and automatically used for authentica-
     tion when logging in to other machines using ssh(1).

     The options are as follows:

     -a bind_address
             Bind the agent to the unix-domain socket bind_address. The de-
             fault is /tmp/ssh-XXXXXXXXXX/agent.<ppid>.

     -c      Generate C-shell commands on stdout. This is the default if SHELL
             looks like it's a csh style of shell.

     -d      Debug mode. When this option is specified ssh-agent will not

     -k      Kill the current agent (given by the SSH_AGENT_PID environment

     -s      Generate Bourne shell commands on stdout. This is the default if
             SHELL does not look like it's a csh style of shell.

     -t life
             Set a default value for the maximum lifetime of identities added
             to the agent. The lifetime may be specified in seconds or in a
             time format specified in sshd_config(5). A lifetime specified for
             an identity with ssh-add(1) overrides this value. Without this
             option the default maximum lifetime is forever.

     If a commandline is given, this is executed as a subprocess of the agent.
     When the command dies, so does the agent.

     The agent initially does not have any private keys. Keys are added using
     ssh-add(1). When executed without arguments, ssh-add(1) adds the files
     ~/.etc/ssh/id_rsa, ~/.etc/ssh/id_dsa and ~/.etc/ssh/identity. If the
     identity has a passphrase, ssh-add(1) asks for the passphrase (using a
     small X11 application if running under X11, or from the terminal if run-
     ning without X). It then sends the identity to the agent. Several identi-
     ties can be stored in the agent; the agent can automatically use any of
     these identities. ssh-add -l displays the identities currently held by
     the agent.

     The idea is that the agent is run in the user's local PC, laptop, or ter-
     minal. Authentication data need not be stored on any other machine, and
     authentication passphrases never go over the network. However, the con-
     nection to the agent is forwarded over SSH remote logins, and the user
     can thus use the privileges given by the identities anywhere in the net-
     work in a secure way.

     There are two main ways to get an agent set up: The first is that the
     agent starts a new subcommand into which some environment variables are
     exported, eg ssh-agent xterm &. The second is that the agent prints the
     needed shell commands (either sh(1) or csh(1) syntax can be generated)
     which can be evaluated in the calling shell, eg eval $(ssh-agent -s) for
     Bourne-type shells such as sh(1) or ksh(1) and eval $(ssh-agent -c) for
     csh(1) and derivatives.

     Later ssh(1) looks at these variables and uses them to establish a con-
     nection to the agent.

     The agent will never send a private key over its request channel. In-
     stead, operations that require a private key will be performed by the
     agent, and the result will be returned to the requester. This way,
     private keys are not exposed to clients using the agent.

     A unix-domain socket is created and the name of this socket is stored in
     the SSH_AUTH_SOCK environment variable. The socket is made accessible
     only to the current user. This method is easily abused by root or another
     instance of the same user.

     The SSH_AGENT_PID environment variable holds the agent's process ID.

     The agent exits automatically when the command given on the command line


             Contains the protocol version 1 RSA authentication identity of
             the user.

             Contains the protocol version 2 DSA authentication identity of
             the user.

             Contains the protocol version 2 RSA authentication identity of
             the user.

             Unix-domain sockets used to contain the connection to the authen-
             tication agent. These sockets should only be readable by the own-
             er. The sockets should get automatically removed when the agent


     ssh(1), ssh-add(1), ssh-keygen(1), sshd(8)


     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
     Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
     de Raadt and Dug Song removed many bugs, re-added newer features and
     created OpenSSH. Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.

MirBSD #10-current             October 4, 2009                               1

Generated on 2022-12-24 01:00:14 by $MirOS: src/scripts/roff2htm,v 1.113 2022/12/21 23:14:31 tg Exp $ — This product includes material provided by mirabilos.

These manual pages and other documentation are copyrighted by their respective writers; their sources are available at the project’s CVSweb, AnonCVS and other mirrors. The rest is Copyright © 2002–2022 MirBSD.

This manual page’s HTML representation is supposed to be valid XHTML/1.1; if not, please send a bug report — diffs preferred.

Kontakt / Impressum & Datenschutzerklärung