SSH-AGENT2(1)                  SSH2                 SSH-AGENT2(1)



NAME
       ssh-agent2 - authentication agent


SYNOPSIS
       ssh-agent2 command

       eval `ssh-agent2 [-s] [-c] [-1]`


DESCRIPTION
       ssh-agent2 is a program to hold authentication private keys.
       The idea is that ssh-agent2 is started at the beginning of an
       X session or a login session, and all other windows or programs
       are started as children of the ssh-agent2 program (the command
       normally starts X or is the user's shell).  The programs started
       under the agent inherit a connection to the agent, and the agent
       is automatically used for public key authentication when logging
       in to other machines using ssh.

       If ssh-agent2 is started without any arguments (no command), it
       forks and starts the agent as a background process.  The agent
       also prints commands that can be evaluated in sh- or csh-like
       shells and that set the SSH2_AUTH_SOCK and SSH2_AGENT_PID
       environment variables.  The SSH2_AGENT_PID environment variable
       can be used to kill the agent when it is no longer needed (when
       you log out from the X session, etc.).  If no options are given,
       ssh-agent2 uses the SHELL environment variable to detect what
       kind of shell you have (*csh or sh-style shell).  The -c option
       forces csh-style output, and the -s option forces sh-style
       output.

       Note that in SysV variants (at least IRIX and Solaris) the
       environment  variable  SHELL  might not contain the actual
       value of the shell executing the evaluation.  If  ALTSHELL
       is set to YES in /etc/default/login, the SHELL environment
       variable is set to the login shell of the user.

       The agent initially does not have any private keys.   Keys
       are  added  using  ssh-add2.   Several  identities  can be
       stored in the agent; the agent can automatically  use  any
       of  these identities.  ssh-add2 -l displays the identities
       currently held by the agent.

       The idea is that the agent is run on the user's local PC,
       laptop, or terminal.  Authentication data does not have to be
       stored on any other machine, and authentication passphrases
       never go over the network.  However, the connection to the
       agent is forwarded over ssh remote logins, and the user can
       thus use the privileges given by the identities anywhere in
       the network in a secure way.

       A connection to the agent is inherited by child programs.  A
       unix-domain socket is created (/tmp/ssh-$USER/agent-
       socket-<pid>), where <pid> is the process id of the listener
       (the agent, or an sshd proxying the agent).  The name of this
       socket is stored in the SSH2_AUTH_SOCK environment variable.
       The socket is made accessible only to the current user.  This
       method is easily abused by root or by another instance of the
       same user.  Older versions of ssh used inherited file
       descriptors for contacting the agent and used unix-domain
       sockets in an incompatible way.

       If a command is given as an argument to ssh-agent2, the agent
       exits automatically when the command given on the command line
       terminates.  The command is executed even if the agent fails to
       start its key storing and challenge processing services.


COMPATIBILITY
       With the option -1, ssh-agent2 can also serve old ssh1
       applications and can also be accessed with the ssh-add program
       in ssh1 releases.  If the option -1 is given to ssh-agent2, the
       program will also set the environment variables SSH_AUTH_SOCK
       and SSH_AGENT_PID and share keys with both protocols.


FILES
       $HOME/.ssh2/id_KEYTYPE_KEYLEN_XX
              Contains the private key authentication identity of
              the user.  This file should not be readable by anyone
              but the user.  It is possible to specify a passphrase
              when generating the key; that passphrase will be used
              to encrypt the private part of this file.  This file
              is not used by ssh-agent2, but is normally added to
              the agent using ssh-add2 at login time.

       /tmp/ssh-$USER/agent-socket-<pid>
              Unix-domain sockets used to carry the connection to
              the authentication agent.  These sockets should only
              be readable by the owner.  The sockets should be
              removed automatically when the agent exits.  The
              parent directory of /tmp/ssh-$USER must have its
              sticky bit set.
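       An added example, not part of the ssh-agent2 manual or the
       SSH2 distribution: a POSIX sh function that checks the
       conditions stated above for /tmp/ssh-$USER/agent-socket-<pid>
       (owner-only socket directory, sticky bit on its parent) before
       a login script trusts SSH2_AUTH_SOCK.  The function names are
       assumed, and it relies only on ls -n and id -u.

```shell
# Added example (not SSH2 code): validate the directory that holds an
# ssh-agent2 socket, as described in the DESCRIPTION and FILES sections.

# perm_string PATH -> mode field of `ls -ldn`, e.g. drwx------ or drwxrwxrwt
perm_string() { ls -ldn "$1" | awk '{print $1}'; }

# owner_uid PATH -> numeric owner uid (ls -n avoids user-name lookups)
owner_uid() { ls -ldn "$1" | awk '{print $3}'; }

# check_agent_socket SOCKET_PATH ; returns 0 when the layout is safe, 1 otherwise
check_agent_socket() {
    sock=$1
    case $sock in /*) ;; *) echo "not an absolute path: $sock" >&2; return 1 ;; esac
    dir=${sock%/*}            # e.g. /tmp/ssh-$USER
    parent=${dir%/*}          # e.g. /tmp
    [ -n "$parent" ] || parent=/
    [ -d "$dir" ] || { echo "missing socket directory: $dir" >&2; return 1; }
    # The manual names the directory ssh-$USER; anything else is suspicious.
    case ${dir##*/} in
        ssh-*) ;;
        *) echo "unexpected socket directory name: $dir" >&2; return 1 ;;
    esac
    # The socket directory must belong to the user running the check.
    [ "$(owner_uid "$dir")" = "$(id -u)" ] || {
        echo "$dir is not owned by uid $(id -u)" >&2; return 1; }
    # Group and others get no access at all (drwx------).
    case $(perm_string "$dir") in
        d???------*) ;;
        *) echo "$dir is accessible to group or others" >&2; return 1 ;;
    esac
    # The parent directory (normally /tmp) must carry the sticky bit so
    # another user cannot remove or replace the ssh-$USER directory.
    case $(perm_string "$parent") in
        d????????[tT]*) ;;
        *) echo "$parent lacks the sticky bit" >&2; return 1 ;;
    esac
    return 0
}

# Typical use in a login script, after the agent has been started:
#   eval `ssh-agent2 -s`
#   check_agent_socket "$SSH2_AUTH_SOCK" || unset SSH2_AUTH_SOCK
#   trap 'kill "$SSH2_AGENT_PID"' EXIT     # remove the agent at logout
```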


AUTHORS
       SSH Communications Security Corp

       For more information, see http://www.ssh.com.


SEE ALSO
       ssh-add2(1), ssh-keygen2(1), ssh2(1), sshd2(8), sftp(1)



SSH2                      March 22, 2000            SSH-AGENT2(1)