SSH-AGENT2(1)                        SSH2                        SSH-AGENT2(1)

NAME
       ssh-agent2 - authentication agent

SYNOPSIS
       ssh-agent2 command

       eval `ssh-agent2 [-s] [-c] [-1] [-d debug_level]`

DESCRIPTION
       ssh-agent2 is a program that holds authentication private keys.
       The idea is that ssh-agent2 is started at the beginning of an X11
       session or a login session, and all other programs are started as
       children of the ssh-agent2 program (command normally starts X11 or
       the user's shell).  The programs started under the agent inherit a
       connection to the agent, and the agent is automatically used for
       public-key authentication when logging in to other machines using
       ssh.

       If ssh-agent2 is started without arguments (no command), it forks
       and runs the agent as a background process.  It then prints a
       command that can be evaluated in sh- or csh-like shells and that
       sets the SSH2_AUTH_SOCK and SSH2_AGENT_PID environment variables.
       SSH2_AGENT_PID can be used to kill the agent when it is no longer
       needed (e.g. when you log out from X11).  If no options are given,
       ssh-agent2 uses the SHELL environment variable to detect which kind
       of shell you have (csh or sh).  The -c option forces csh-style
       output, and the -s option forces sh-style output.

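       The start-up and shutdown sequence described above, as an added
       example that is not part of the original man page or of SSH
       Communications Security's code.  It assumes the shape of the two
       output formats (setenv lines for csh, VAR=...; export VAR lines for
       sh), which the page does not show, and uses a constructed socket path
       and process ID instead of starting a real agent:

```shell
#!/bin/sh
# Added example, not code from the ssh-agent2 man page or from SSH
# Communications Security.  It reproduces the style selection the page
# describes (-c forces csh-style, -s forces sh-style, otherwise SHELL
# decides), shows how the printed commands are consumed with eval, and
# how the agent is killed later through SSH2_AGENT_PID.  The exact text
# ssh-agent2 prints is not on the page; both formats below are assumed.

# Pick the output style: "$1" is an optional -c / -s override, otherwise
# the basename of $SHELL decides (csh and tcsh select csh-style).
agent_style() {
    case "$1" in
        -c) echo csh; return ;;
        -s) echo sh;  return ;;
    esac
    case "${SHELL##*/}" in
        csh|tcsh) echo csh ;;
        *)        echo sh  ;;
    esac
}

# Print the commands a shell would eval, given style, socket path and pid.
agent_env_commands() {
    _style=$1 _sock=$2 _pid=$3
    if [ "$_style" = csh ]; then
        printf 'setenv SSH2_AUTH_SOCK %s;\nsetenv SSH2_AGENT_PID %s;\n' "$_sock" "$_pid"
    else
        printf 'SSH2_AUTH_SOCK=%s; export SSH2_AUTH_SOCK;\nSSH2_AGENT_PID=%s; export SSH2_AGENT_PID;\n' "$_sock" "$_pid"
    fi
}

# What a login script does with a real agent is:  eval `ssh-agent2 -s`
# Here the same thing is done with the generated sh-style text.
load_agent_env() { eval "$1"; }

# 0 if both variables are present and the pid is numeric; a login script
# can check this before relying on the agent.
agent_env_ok() {
    [ -n "$SSH2_AUTH_SOCK" ] || return 1
    case "$SSH2_AGENT_PID" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Logout hook: kill the agent that SSH2_AGENT_PID identifies.
stop_agent() {
    agent_env_ok || return 1
    kill "$SSH2_AGENT_PID"
}

# Stand-alone demonstration with constructed values (no agent is started):
# print the commands in the style chosen for this shell.
agent_env_commands "$(agent_style "$1")" "/tmp/ssh-${USER:-user}/agent-socket-12345" 12345
```

       The functions are meant to be sourced from a login script; with a
       real agent, the output of `ssh-agent2 -s` replaces the constructed
       text passed to load_agent_env.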
       Note that on SysV variants (at least IRIX and Solaris) the SHELL
       environment variable might not contain the actual shell that
       executes the evaluation.  If ALTSHELL is set to YES in
       /etc/default/login, SHELL is set to the user's login shell.

       Initially the agent does not hold any private keys.  Keys are added
       using ssh-add2(1).  Several identities can be stored in the agent,
       and the agent can automatically use any of them.  ssh-add2 -l lists
       the identities currently held by the agent.

       The idea is that the agent runs on the user's local PC, laptop, or
       terminal.  Authentication data does not have to be stored on any
       other machine, and authentication passphrases never go over the
       network.  However, the connection to the agent is forwarded over
       ssh remote logins, so the user can use the privileges given by the
       identities anywhere in the network in a secure way.

       A connection to the agent is inherited by child programs.  A
       Unix-domain socket is created (/tmp/ssh-$USER/agent-socket-<pid>),
       where <pid> is the process ID of the listener (the agent, or an
       sshd proxying the agent).  The name of this socket is stored in the
       SSH2_AUTH_SOCK environment variable.  The socket is made accessible
       only to the current user.  Note that this method can easily be
       abused by root or by any other process running as the same user.
       Older versions of ssh used inherited file descriptors for
       contacting the agent and used Unix-domain sockets in an
       incompatible way.

       If a command is given as an argument to ssh-agent2, the agent exits
       automatically when that command terminates.  The command is
       executed even if the agent fails to start its key-storing and
       challenge-processing services.

       The -d debug_level option prints extensive debug information to
       stderr.  debug_level is either a number from 0 to 99, where 99
       means that all debug information is displayed, or a comma-separated
       list of assignments of the form ModulePattern=debug_level, for
       example "*=10,sshd2=2".  This should be the first argument on the
       command line.

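       An added parser for the -d argument format just described (example
       code, not from the man page or from SSH Communications Security).
       The page does not say how overlapping entries are resolved or what
       level a module matched by no entry gets; this example assumes that
       later entries override earlier ones and that an unmatched module
       gets level 0.  The module names used in the demonstration other than
       sshd2 are constructed:

```shell
#!/bin/sh
# Added example, not code from the ssh-agent2 man page or from SSH
# Communications Security: a parser for the -d debug_level syntax.
# Assumptions not stated on the page: when several entries match a
# module the later one wins, and a module matched by no entry gets 0.

# 0 if the argument is an integer in the range 0..99.
_check_level() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 99 ]
}

# Print the debug level a spec selects for one module name, or return 1
# if the spec is malformed.  Usage: debug_level_for SPEC MODULE
debug_level_for() {
    _spec=$1 _module=$2 _level=0
    case "$_spec" in
        '')       return 1 ;;
        *[!0-9]*) ;;                                   # pattern list, handled below
        *)        _check_level "$_spec" && echo "$_spec"; return ;;  # plain global level
    esac
    _old_ifs=$IFS
    IFS=,
    for _entry in $_spec; do
        case "$_entry" in
            *=*) ;;
            *)   IFS=$_old_ifs; return 1 ;;            # entry without '=' is malformed
        esac
        _pattern=${_entry%%=*}
        _value=${_entry#*=}
        _check_level "$_value" || { IFS=$_old_ifs; return 1; }
        # Unquoted $_pattern is matched as a shell glob, so "*" and
        # "ssh*" behave as ModulePattern wildcards.
        case "$_module" in
            $_pattern) _level=$_value ;;
        esac
    done
    IFS=$_old_ifs
    echo "$_level"
}

# Stand-alone demonstration: the page's own example spec, module sshd2.
debug_level_for "${1:-*=10,sshd2=2}" "${2:-sshd2}"
```

       Because a bare number is accepted as a global level, a wrapper
       script can validate a user-supplied -d argument with this function
       before passing it on.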
COMPATIBILITY
       With the -1 option, ssh-agent2 can serve old SSH1 applications and
       can be accessed with the ssh-add(1) program shipped with old SSH1
       releases.  The environment variables SSH_AUTH_SOCK and
       SSH_AGENT_PID are then set appropriately, and keys are shared
       between both protocols.

FILES
       $HOME/.ssh2/id_KEYTYPE_KEYLEN_XX
              Contains the private-key authentication identity of the
              user.  This file should not be readable by anyone but the
              user.  It is possible to specify a passphrase when
              generating the key; the passphrase is then used to encrypt
              the private part of this file.  This file is not used by
              ssh-agent2 itself, but it is normally added to the agent
              using ssh-add2 at login time.

       /tmp/ssh-$USER/agent-socket-<pid>
              Unix-domain sockets used to hold the connection to the
              authentication agent.  These sockets should be readable only
              by their owner.  The sockets should be removed automatically
              when the agent exits.  The parent directory of
              /tmp/ssh-$USER must have its sticky bit set.

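       An added permission check for the socket and directories described
       here and under DESCRIPTION above (example code, not from the man
       page or from SSH Communications Security).  It assumes the path
       layout /tmp/ssh-$USER/agent-socket-<pid> from the page, reads mode
       and owner from `ls -ldn` output so that it runs on any POSIX system,
       and the check_agent_socket function name is the example's own:

```shell
#!/bin/sh
# Added example, not code from the ssh-agent2 man page or from SSH
# Communications Security: audit the permissions the page requires for
# the agent socket, its per-user directory and that directory's parent
# before trusting the path in SSH2_AUTH_SOCK.

# Permission string and numeric owner of a path, taken from `ls -ldn`
# (first field is the mode, third the uid).  Only the first ten
# characters of the mode are used, so an ACL or SELinux marker is ignored.
mode_of()  { ls -ldn "$1" | cut -c1-10; }
owner_of() { ls -ldn "$1" | awk '{print $3}'; }

# 0 if the path is owned by the current user and grants nothing to group
# or others (characters 5-10 of the mode string are all '-').
owner_only() {
    [ -e "$1" ] || return 1
    [ "$(owner_of "$1")" = "$(id -u)" ] || return 1
    case "$(mode_of "$1")" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# 0 if the directory's last mode character is t or T, i.e. the sticky bit
# is set.  The page requires this on the parent of /tmp/ssh-$USER.
sticky_set() {
    [ -d "$1" ] || return 1
    case "$(mode_of "$1")" in
        ?????????[tT]) return 0 ;;
        *)             return 1 ;;
    esac
}

# Full check for one agent socket path: the grandparent must be sticky,
# and the per-user directory and the socket must be private to the user.
check_agent_socket() {
    _sock=$1
    _userdir=$(dirname "$_sock")
    sticky_set "$(dirname "$_userdir")" ||
        { echo "parent of $_userdir lacks the sticky bit" >&2; return 1; }
    owner_only "$_userdir" ||
        { echo "$_userdir is not private to uid $(id -u)" >&2; return 1; }
    owner_only "$_sock" ||
        { echo "$_sock is not private to uid $(id -u)" >&2; return 1; }
    return 0
}

# Stand-alone use: audit the socket named by SSH2_AUTH_SOCK, if any.
if [ -n "$SSH2_AUTH_SOCK" ]; then
    check_agent_socket "$SSH2_AUTH_SOCK" && echo "agent socket permissions OK"
fi
```

       The check does not verify that the path is actually a socket, so it
       can be exercised on an ordinary file; a login script that wants the
       stricter condition adds a `[ -S "$SSH2_AUTH_SOCK" ]` test.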
AUTHORS
       SSH Communications Security Corp.

       For more information, see http://www.ssh.com.

SEE ALSO
       ssh-add2(1), ssh-keygen2(1), ssh2(1), sshd2(8), sftp2(1)