ssh-agent [-c | -s] -k
DESCRIPTION
ssh-agent is a program to hold private keys used for public key authenti-
cation (RSA, DSA). The idea is that ssh-agent is started in the begin-
ning of an X-session or a login session, and all other windows or pro-
grams are started as clients to the ssh-agent program. Through use of
environment variables the agent can be located and automatically used for
authentication when logging in to other machines using ssh(1).
The options are as follows:
-a bind_address
Bind the agent to the unix-domain socket bind_address. The
default is /tmp/ssh-XXXXXXXX/agent.<ppid>.
-c Generate C-shell commands on stdout. This is the default if
SHELL looks like it's a csh style of shell.
-s Generate Bourne shell commands on stdout. This is the default if
SHELL does not look like it's a csh style of shell.
-k Kill the current agent (given by the SSH_AGENT_PID environment
variable).
-t life
Set a default value for the maximum lifetime of identities added
to the agent. The lifetime may be specified in seconds or in a
time format specified in sshd(8). A lifetime specified for an
identity with ssh-add(1) overrides this value. Without this
option the default maximum lifetime is forever.
-d Debug mode. When this option is specified ssh-agent will not
fork.
If a commandline is given, this is executed as a subprocess of the agent.
When the command dies, so does the agent.
The agent initially does not have any private keys. Keys are added using
ssh-add(1). When executed without arguments, ssh-add(1) adds the files
$HOME/.ssh/id_rsa, $HOME/.ssh/id_dsa and $HOME/.ssh/identity. If the
identity has a passphrase, ssh-add(1) asks for the passphrase (using a
small X11 application if running under X11, or from the terminal if run-
ning without X). It then sends the identity to the agent. Several iden-
tities can be stored in the agent; the agent can automatically use any of
these identities. ssh-add -l displays the identities currently held by
the agent.
The idea is that the agent is run in the user's local PC, laptop, or ter-
minal. Authentication data need not be stored on any other machine, and
authentication passphrases never go over the network. However, the con-
nection to the agent is forwarded over SSH remote logins, and the user
A unix-domain socket is created and the name of this socket is stored in
the SSH_AUTH_SOCK environment variable. The socket is made accessible
only to the current user. This method is easily abused by root or
another instance of the same user.
The SSH_AGENT_PID environment variable holds the agent's process ID.
The agent exits automatically when the command given on the command line
terminates.
FILES
$HOME/.ssh/identity
Contains the protocol version 1 RSA authentication identity of
the user.
$HOME/.ssh/id_dsa
Contains the protocol version 2 DSA authentication identity of
the user.
$HOME/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of
the user.
/tmp/ssh-XXXXXXXX/agent.<ppid>
Unix-domain sockets used to contain the connection to the authen-
tication agent. These sockets should only be readable by the
owner. The sockets should get automatically removed when the
agent exits.
SEE ALSO
ssh(1), ssh-add(1), ssh-keygen(1), sshd(8)
AUTHORS
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
de Raadt and Dug Song removed many bugs, re-added newer features and cre-
ated OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
BSD September 25, 1999 BSD
Man(1) output converted with man2html