SSH-AGENT(1)                   SSH                   SSH-AGENT(1)



NAME
       ssh-agent - authentication agent


SYNOPSIS
       ssh-agent command

       eval `ssh-agent [-k] [-s] [-c]`


DESCRIPTION
       Ssh-agent  is  a  program  to  hold authentication private
       keys.  The idea is that ssh-agent is started in the begin­
       ning  of  an  X-session  or a login session, and all other
       windows or programs are started as children  of  the  ssh-
       agent  program  (the  command  normally starts X or is the
       user shell).  Programs started under the agent  inherit  a
       connection  to  the  agent, and the agent is automatically
       used for RSA authentication when logging to other machines
       using ssh.

       If the ssh-agent is started without any arguments (no com­
       mand) it will fork and start agent as background  process.
       The  agent also prints command that can be evaluated in sh
       or csh like shells, that will set  the  SSH_AUTH_SOCK  and
       SSH_AGENT_PID  environment  variables.   The SSH_AGENT_PID
       environment variable can be used to kill agent  away  when
       it is no longer needed (you logout from X-session etc). If
       no options are given the ssh-agent uses SHELL  environment
       variable  the  detect what kind of shell you have (*csh or
       sh-style shell). The -c option will force csh-style shell,
       and -s option will force sh-style shell.

       Note that in SysV variants (at least IRIX and Solaris) the
       environment variable SHELL might not  contain  the  actual
       value  of the shell executing the evaluation.  If ALTSHELL
       is set to YES in /etc/default/login, the SHELL environment
       variable is set to the login shell of the user.

       The  -k option can be used to kill agent automatically. It
       kills the agent (it uses the SSH_AGENT_PID to find it) and
       prints  shell  commands  to  stdout  that  will  unset the
       SSH_AUTH_SOCKET and SSH_AGENT_PID enviroment variables.

       The agent initially does not have any private keys.   Keys
       are added using ssh-add.  When executed without arguments,
       ssh-add adds the $HOME/.ssh/identity file.  If  the  iden­
       tity  has  a  passphrase,  ssh-add asks for the passphrase
       (using a small X11 application if running  under  X11,  or
       from  the  terminal  if running without X).  It then sends
       the identity to the  agent.   Several  identities  can  be
       stored  in  the agent; the agent can automatically use any
       of these identities.  Ssh-add -l displays  the  identities
       currently held by the agent.

       The  idea is that the agent is run in the user's local PC,
       laptop, or terminal.   Authentication  data  need  not  be
       stored   on   any   other   machine,   and  authentication
       passphrases never go over the network.  However, the  con­
       nection  to the agent is forwarded over ssh remote logins,
       and the user can thus use  the  privileges  given  by  the
       identities anywhere in the network in a secure way.

       A  connection to the agent is inherited by child programs.
       A       unix-domain        socket        is        created
       (/tmp/ssh-$USER/ssh-<pid>-agent), where the %d is the pro­
       cess id of  the  listener  (agent  or  sshd  proxying  the
       agent).   The  name  of  this  socket  is  stored  in  the
       SSH_AUTH_SOCK environment variable.  The  socket  is  made
       accessible  only to the current user.  This method is eas­
       ily abused by root or another instance of the  same  user.
       Older  versions of ssh used inherited file descriptors for
       contacting the agent and used the unix-domain  sockets  in
       an incompatible way.

       If the command is given as argument to ssh-agent the agent
       exits automatically when the command given on the  command
       line  terminates.   The  command is executed even if agent
       fails to start it's key-storing  and  challenge-processing
       services.


FILES
       $HOME/.ssh/identity
              Contains  the  RSA  authentication  identity of the
              user.  This file should not be readable  by  anyone
              but   the  user.   It  is  possible  to  specify  a
              passphrase when generating the key; that passphrase
              will  be  used  to encrypt the private part of this
              file.  This file is not used by ssh-agent,  but  is
              normally  added to the agent using ssh-add at login
              time.

       /tmp/ssh-$USER/ssh-<pid>-agent
              Unix-domain sockets used to contain the  connection
              to  the authentication agent.  These sockets should
              only be readable by the owner.  The sockets  should
              get automatically removed when the agent exits. The
              parent directory of ssh-$USER must have it's sticky
              bit set.


AUTHOR
       Tatu Ylonen <ylo@ssh.fi>


SEE ALSO
       ssh-add(1), ssh-keygen(1), ssh(1), sshd(8)



SSH                      November 8, 1995            SSH-AGENT(1)