.\" -*- nroff -*- .\" .\" ssh-agent2.1 .\" .\" Author: Tatu Ylonen .\" Markku-Juhani Saarinen .\" .\" Copyright (c) 1997, 2000, 2002 SSH Communications Security Corp, Finland .\" All rights reserved .\" .TH SSH-AGENT2 1 "May 16, 2002" "SSH2" "SSH2" .SH NAME ssh-agent2 \- authentication agent .SH SYNOPSIS .LP .B ssh-agent2 .I command .B eval `ssh-agent2 [\c .BR \-s \c ] [\c .BR \-c \c ] [\c .BR \-1 \c ] [\c .BR \-d \c ]` .SH DESCRIPTION .LP .B ssh-agent2 is a program to hold authentication private keys. The idea is that .B ssh-agent2 is started in the beginning of an X11 session or a login session, and all other programs are started as children of the \fBssh-agent2\fR program (\fIcommand\fR normally starts X11 or is the user shell). The programs started under the agent inherit a connection to the agent, and the agent is automatically used for public-key authentication when logging to other machines using .B ssh. .LP If the ssh-agent2 is started without any arguments (no command) it will fork and start the agent as a background process. The agent also prints a command that can be evaluated in sh or csh like shells, setting the .B \s-1SSH2_AUTH_SOCK\s0 and .B \s-1SSH2_AGENT_PID\s0 environment variables. The .B \s-1SSH2_AGENT_PID\s0 environment variable can be used to kill the agent when it is no longer needed (e.g. when you logout from X11). If no options are given, the \fBssh-agent2\fR uses the SHELL environment variable to detect what kind of shell you have (csh or sh). The .BI \-c option enforces using csh-style, and the .BI \-s option enforces sh-style. .LP Note that in SysV variants (at least IRIX and Solaris) the environment variable SHELL might not contain the actual value of the shell executing the evaluation. If ALTSHELL is set to YES in /etc/default/login, the SHELL environment variable is set to the login shell of the user. .LP The agent initially does not have any private keys. Keys are added using \fBssh-add2\fR(1). 
Several identities can be stored in the agent; the agent can automatically use any of these identities. \'ssh-add2 -l' displays the identities currently held by the agent. .LP The idea is that the agent is run in the user's local PC, laptop, or terminal. Authentication data does not have to be stored on any other machine, and authentication passphrases never go over the network. However, the connection to the agent is forwarded over ssh remote logins, and the user can thus use the privileges given by the identities anywhere in the network in a secure way. .LP A connection to the agent is inherited by child programs. A Unix-domain socket is created (\fI/tmp/ssh-$USER/agent-socket-\fR), where is the process id of the listener (agent or sshd proxying the agent). The name of this socket is stored in the .B \s-1SSH2_AUTH_SOCK\s0 environment variable. The socket is made accessible only to the current user. This method can easily be abused by root or another instance of the same user. Older versions of ssh used inherited file descriptors for contacting the agent and used the Unix-domain sockets in an incompatible way. .LP If the command is given as an argument to \fBssh-agent2\fR, the agent exits automatically when the command given on the command line terminates. The command is executed even if the agent fails to start its key storing and challenge processing services. The .BI \-d \ debug_level option prints extensive debug information to stderr. \fIdebug_level\fR is either a number, from 0 to 99, where 99 specifies that all debug information should be displayed, or a comma-separated list of assignments \fR"\fBModulePattern=debug_level\fR". This should be the first argument on the command line. .SH COMPATIBILITY With the .BI \-1 option, \fBssh-agent2\fR can serve old SSH1 applications and be accessed with the \fBssh-add\fR(1) program shipped with old SSH1 releases. 
The environment variables .B \s-1SSH_AUTH_SOCK\s0 and .B \s-1SSH_AGENT_PID\s0 will be set appropriately and keys are shared with both protocols. .SH FILES .TP .I \&$HOME/\s+2.\s0ssh2/id_KEYTYPE_KEYLEN_XX Contains the private-key authentication identity of the user. This file should not be readable by anyone but the user. It is possible to specify a passphrase when generating the key; that passphrase will be used to encrypt the private part of this file. This file is not used by .B ssh-agent2, but is normally added to the agent using .B ssh-add2 at login time. .TP .I \&/tmp/ssh-$USER/agent-socket- Unix-domain sockets used to contain the connection to the authentication agent. These sockets should only be readable by the owner. The sockets should get automatically removed when the agent exits. The parent directory of ssh2-$USER must have its sticky bit set. .SH AUTHORS .LP SSH Communications Security Corp. For more information, see http://www.ssh.com. .SH SEE ALSO .BR ssh-add2 (1), .BR ssh-keygen2 (1), .BR ssh2 (1), .BR sshd2 (8), .BR sftp (1)
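.SH EXAMPLE
.LP
The following Python check is an added example and not part of the SSH2
distribution; the function names socket_problems and make_demo_socket are
assumed. It verifies, for the socket named by SSH2_AUTH_SOCK, the protections
described under FILES (owner-only socket and agent directory, sticky bit on
the directory holding it) and can build a constructed layout for testing.

```python
"""Added example (not part of SSH2): check the agent-socket protections the
FILES section describes, for the socket named by SSH2_AUTH_SOCK."""
import os
import socket
import stat
import tempfile


def socket_problems(sock_path, uid=None):
    """Return findings for an agent socket; an empty list means it looks sane."""
    uid = os.getuid() if uid is None else uid
    problems = []
    st = os.lstat(sock_path)
    if not stat.S_ISSOCK(st.st_mode):
        problems.append("not a Unix-domain socket")
    if st.st_uid != uid:
        problems.append("socket not owned by current user")
    if st.st_mode & 0o077:  # any group/other permission bit set
        problems.append("socket accessible to group/other")
    agent_dir = os.path.dirname(os.path.abspath(sock_path))  # /tmp/ssh-$USER
    dst = os.lstat(agent_dir)
    if dst.st_uid != uid:
        problems.append("agent directory not owned by current user")
    if dst.st_mode & 0o077:
        problems.append("agent directory accessible to group/other")
    holder = os.path.dirname(agent_dir)  # normally /tmp, must be sticky
    if not os.lstat(holder).st_mode & stat.S_ISVTX:
        problems.append("directory holding the agent directory lacks sticky bit")
    return problems


def make_demo_socket(root=None, mode=0o600):
    """Constructed layout mirroring /tmp/ssh-$USER/agent-socket-<pid>.

    root is made sticky like /tmp; the socket is chmod'ed to 'mode' so a
    deliberately loose case (e.g. 0o660) can be built for testing."""
    root = root or tempfile.mkdtemp()
    os.chmod(root, 0o1777)
    agent_dir = os.path.join(root, "ssh-" + os.environ.get("USER", "demo"))
    os.mkdir(agent_dir)
    os.chmod(agent_dir, 0o700)
    sock_path = os.path.join(agent_dir, "agent-socket-%d" % os.getpid())
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(sock_path)
    listener.close()
    os.chmod(sock_path, mode)
    return sock_path
```

Against a live agent, call socket_problems(os.environ["SSH2_AUTH_SOCK"]) after evaluating the agent's output; a non-empty list means the socket is exposed beyond the owner.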