Skip site navigation (1)Skip section navigation (2)

FreeBSD Man Pages

Man Page or Keyword Search:
Man Architecture
Apropos Keyword Search (all sections) Output format
home | help
SSH-AGENT(1)		FreeBSD	General	Commands Manual		  SSH-AGENT(1)

NAME
     ssh-agent -- authentication agent

SYNOPSIS
     ssh-agent [-c | -s] [-dx] [-a bind_address] [-t life] [command [arg ...]]
     ssh-agent [-c | -s] -k

DESCRIPTION
     ssh-agent is a program to hold private keys used for public key authenti-
     cation (RSA, DSA, ECDSA, ED25519).	 The idea is that ssh-agent is started
     in	the beginning of an X-session or a login session, and all other	win-
     dows or programs are started as clients to	the ssh-agent program.
     Through use of environment	variables the agent can	be located and auto-
     matically used for	authentication when logging in to other	machines using
     ssh(1).

     The options are as	follows:

     -a	bind_address
	     Bind the agent to the UNIX-domain socket bind_address.  The
	     default is	$TMPDIR/ssh-XXXXXXXXXX/agent._ppid_.

     -c	     Generate C-shell commands on stdout.  This	is the default if
	     SHELL looks like it's a csh style of shell.

     -d	     Debug mode.  When this option is specified	ssh-agent will not
	     fork.

     -k	     Kill the current agent (given by the SSH_AGENT_PID	environment
	     variable).

     -s	     Generate Bourne shell commands on stdout.	This is	the default if
	     SHELL does	not look like it's a csh style of shell.

     -t	life
	     Set a default value for the maximum lifetime of identities	added
	     to	the agent.  The	lifetime may be	specified in seconds or	in a
	     time format specified in sshd_config(5).  A lifetime specified
	     for an identity with ssh-add(1) overrides this value.  Without
	     this option the default maximum lifetime is forever.

     -x	     Exit after	the last client	has disconnected.

     If	a commandline is given,	this is	executed as a subprocess of the	agent.
     When the command dies, so does the	agent.

     The agent initially does not have any private keys.  Keys are added using
     ssh-add(1).  When executed	without	arguments, ssh-add(1) adds the files
     ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and
     ~/.ssh/identity.  If the identity has a passphrase, ssh-add(1) asks for
     the passphrase on the terminal if it has one or from a small X11 program
     if	running	under X11.  If neither of these	is the case then the authenti-
     cation will fail.	It then	sends the identity to the agent.  Several
     identities	can be stored in the agent; the	agent can automatically	use
     any of these identities.  ssh-add -l displays the identities currently
     held by the agent.

     The idea is that the agent	is run in the user's local PC, laptop, or ter-
     minal.  Authentication data need not be stored on any other machine, and
     authentication passphrases	never go over the network.  However, the con-
     nection to	the agent is forwarded over SSH	remote logins, and the user
     can thus use the privileges given by the identities anywhere in the net-
     work in a secure way.

     There are two main	ways to	get an agent set up: The first is that the
     agent starts a new	subcommand into	which some environment variables are
     exported, eg ssh-agent xterm &.  The second is that the agent prints the
     needed shell commands (either sh(1) or csh(1) syntax can be generated)
     which can be evaluated in the calling shell, eg eval `ssh-agent -s` for
     Bourne-type shells	such as	sh(1) or ksh(1)	and eval `ssh-agent -c`	for
     csh(1) and	derivatives.

     Later ssh(1) looks	at these variables and uses them to establish a	con-
     nection to	the agent.

     The agent will never send a private key over its request channel.
     Instead, operations that require a	private	key will be performed by the
     agent, and	the result will	be returned to the requester.  This way, pri-
     vate keys are not exposed to clients using	the agent.

     A UNIX-domain socket is created and the name of this socket is stored in
     the SSH_AUTH_SOCK environment variable.  The socket is made accessible
     only to the current user.	This method is easily abused by	root or
     another instance of the same user.

     The SSH_AGENT_PID environment variable holds the agent's process ID.

     The agent exits automatically when	the command given on the command line
     terminates.

FILES
     ~/.ssh/identity
	     Contains the protocol version 1 RSA authentication	identity of
	     the user.

     ~/.ssh/id_dsa
	     Contains the protocol version 2 DSA authentication	identity of
	     the user.

     ~/.ssh/id_ecdsa
	     Contains the protocol version 2 ECDSA authentication identity of
	     the user.

     ~/.ssh/id_ed25519
	     Contains the protocol version 2 ED25519 authentication identity
	     of	the user.

     ~/.ssh/id_rsa
	     Contains the protocol version 2 RSA authentication	identity of
	     the user.

     $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>
	     UNIX-domain sockets used to contain the connection	to the authen-
	     tication agent.  These sockets should only	be readable by the
	     owner.  The sockets should	get automatically removed when the
	     agent exits.

SEE ALSO
     ssh(1), ssh-add(1), ssh-keygen(1),	sshd(8)

AUTHORS
     OpenSSH is	a derivative of	the original and free ssh 1.2.12 release by
     Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
     de	Raadt and Dug Song removed many	bugs, re-added newer features and cre-
     ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.

FreeBSD	9.2		       December	7, 2013			   FreeBSD 9.2

NAME | SYNOPSIS | DESCRIPTION | FILES | SEE ALSO | AUTHORS

Want to link to this manual page? Use this URL:
<http://www.freebsd.org/cgi/man.cgi?query=ssh-agent&manpath=FreeBSD+9.3-RELEASE>

home | help