ssh-agent - authentication agent
ssh-agent command
eval ’ssh-agent [-k] [-s] [-c]’
Ssh-agent is a program to hold authentication private keys. The idea is that ssh-agent is started in the beginning of an X-session or a login session, and all other windows or programs are started as children of the ssh-agent program (the command normally starts X or is the user shell). Programs started under the agent inherit a connection to the agent, and the agent is automatically used for RSA authentication when logging to other machines using ssh.
If the ssh-agent is started without any arguments (no command) it will fork and start agent as background process. The agent also prints command that can be evaluated in sh or csh like shells, that will set the SSH_AUTH_SOCK and SSH_AGENT_PID environment variables. The SSH_AGENT_PID environment variable can be used to kill agent away when it is no longer needed (you logout from X-session etc). If no options are given the ssh-agent uses SHELL environment variable the detect what kind of shell you have (*csh or sh-style shell). The -c option will force csh-style shell, and -s option will force sh-style shell.
Note that in SysV variants (at least IRIX and Solaris) the environment variable SHELL might not contain the actual value of the shell executing the evaluation. If ALTSHELL is set to YES in /etc/default/login, the SHELL environment variable is set to the login shell of the user.
The -k option can be used to kill agent automatically. It kills the agent (it uses the SSH_AGENT_PID to find it) and prints shell commands to stdout that will unset the SSH_AUTH_SOCKET and SSH_AGENT_PID enviroment variables.
The agent initially does not have any private keys. Keys are added using ssh-add. When executed without arguments, ssh-add adds the $HOME/ . ssh/identity file. If the identity has a passphrase, ssh-add asks for the passphrase (using a small X11 application if running under X11, or from the terminal if running without X). It then sends the identity to the agent. Several identities can be stored in the agent; the agent can automatically use any of these identities. Ssh-add -l displays the identities currently held by the agent.
The idea is that the agent is run in the user’s local PC, laptop, or terminal. Authentication data need not be stored on any other machine, and authentication passphrases never go over the network. However, the connection to the agent is forwarded over ssh remote logins, and the user can thus use the privileges given by the identities anywhere in the network in a secure way.
A connection to the agent is inherited by child programs. A unix-domain socket is created (/tmp/ssh-$USER/agent-socket-<pid>), where the %d is the process id of the listener (agent or sshd proxying the agent). The name of this socket is stored in the SSH_AUTH_SOCK environment variable. The socket is made accessible only to the current user. This method is easily abused by root or another instance of the same user. Older versions of ssh used inherited file descriptors for contacting the agent and used the unix-domain sockets in an incompatible way.
If the command is given as argument to ssh-agent the agent exits automatically when the command given on the command line terminates. The command is executed even if agent fails to start it’s key-storing and challenge-processing services.
$HOME/ . ssh/identity
Contains the RSA authentication identity of the user. This file should not be readable by anyone but the user. It is possible to specify a passphrase when generating the key; that passphrase will be used to encrypt the private part of this file. This file is not used by ssh-agent, but is normally added to the agent using ssh-add at login time.
/tmp/ssh-$USER/agent-socket-<pid>
Unix-domain sockets used to contain the connection to the authentication agent. These sockets should only be readable by the owner. The sockets should get automatically removed when the agent exits. The parent directory of ssh-$USER must have it’s sticky bit set.
Tatu Ylonen <ylo@ssh.fi>
ssh-add(1), ssh-keygen(1), ssh(1), sshd(8)