jcs.org / openbsd-src
jcs's openbsd hax
openbsd
fork atom
openbsd-src / usr.bin / ssh / ssh-agent.1
at jcs 310 lines 9.2 kB view raw
naddy typos: a ssh* -> an ssh*
0bae8e19
1.\" $OpenBSD: ssh-agent.1,v 1.86 2025/10/04 21:41:35 naddy Exp $ 2.\" 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5.\" All rights reserved 6.\" 7.\" As far as I am concerned, the code I have written for this software 8.\" can be used freely for any purpose. Any derived versions of this 9.\" software must be clearly marked as such, and if the derived work is 10.\" incompatible with the protocol description in the RFC file, it must be 11.\" called by a name other than "ssh" or "Secure Shell". 12.\" 13.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 14.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 15.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. 16.\" 17.\" Redistribution and use in source and binary forms, with or without 18.\" modification, are permitted provided that the following conditions 19.\" are met: 20.\" 1. Redistributions of source code must retain the above copyright 21.\" notice, this list of conditions and the following disclaimer. 22.\" 2. Redistributions in binary form must reproduce the above copyright 23.\" notice, this list of conditions and the following disclaimer in the 24.\" documentation and/or other materials provided with the distribution. 25.\" 26.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 27.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 28.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" 37.Dd $Mdocdate: October 4 2025 $ 38.Dt SSH-AGENT 1 39.Os 40.Sh NAME 41.Nm ssh-agent 42.Nd OpenSSH authentication agent 43.Sh SYNOPSIS 44.Nm ssh-agent 45.Op Fl c | s 46.Op Fl \&DdTU 47.Op Fl a Ar bind_address 48.Op Fl E Ar fingerprint_hash 49.Op Fl O Ar option 50.Op Fl P Ar allowed_providers 51.Op Fl t Ar life 52.Nm ssh-agent 53.Op Fl TU 54.Op Fl a Ar bind_address 55.Op Fl E Ar fingerprint_hash 56.Op Fl O Ar option 57.Op Fl P Ar allowed_providers 58.Op Fl t Ar life 59.Ar command Op Ar arg ... 60.Nm ssh-agent 61.Op Fl c | s 62.Fl k 63.Nm ssh-agent 64.Fl u 65.Sh DESCRIPTION 66.Nm 67is a program to hold private keys used for public key authentication. 68Through use of environment variables the agent can be located 69and automatically used for authentication when logging in to other 70machines using 71.Xr ssh 1 . 72.Pp 73The options are as follows: 74.Bl -tag -width Ds 75.It Fl a Ar bind_address 76Bind the agent to the 77.Ux Ns -domain 78socket 79.Ar bind_address . 80The default is to create a socket at a random path matching 81.Pa $HOME/.ssh/agent/s.* . 82.It Fl c 83Generate C-shell commands on standard output. 84This is the default if 85.Ev SHELL 86looks like it's a csh style of shell. 87.It Fl D 88Foreground mode. 89When this option is specified, 90.Nm 91will not fork. 92.It Fl d 93Debug mode. 94When this option is specified, 95.Nm 96will not fork and will write debug information to standard error. 97.It Fl E Ar fingerprint_hash 98Specifies the hash algorithm used when displaying key fingerprints. 99Valid options are: 100.Dq md5 101and 102.Dq sha256 . 103The default is 104.Dq sha256 . 105.It Fl k 106Kill the current agent (given by the 107.Ev SSH_AGENT_PID 108environment variable). 109.It Fl O Ar option 110Specify an option when starting 111.Nm . 112The supported options are: 113.Cm allow-remote-pkcs11 , 114.Cm no-restrict-websafe 115and 116.Cm websafe-allow . 117.Pp 118The 119.Cm allow-remote-pkcs11 120option allows clients of a forwarded 121.Nm 122to load PKCS#11 or FIDO provider libraries. 123By default only local clients may perform this operation. 124Note that signalling that an 125.Nm 126client is remote is performed by 127.Xr ssh 1 , 128and use of other tools to forward access to the agent socket may circumvent 129this restriction. 130.Pp 131The 132.Cm no-restrict-websafe 133option instructs 134.Nm 135to permit signatures using FIDO keys that might be web authentication 136requests. 137By default, 138.Nm 139refuses signature requests for FIDO keys where the key application string 140does not start with 141.Dq ssh: 142and when the data to be signed does not appear to be an 143.Xr ssh 1 144user authentication request or an 145.Xr ssh-keygen 1 146signature. 147The default behaviour prevents forwarded access to a FIDO key from also 148implicitly forwarding the ability to authenticate to websites. 149.Pp 150Alternately the 151.Cm websafe-allow 152option allows specifying a pattern-list of key application strings to 153replace the default application allow-list, for example: 154.Dq websafe-allow=ssh:*,example.org,*.example.com 155.Pp 156See PATTERNS in 157.Xr ssh_config 5 158for a description of pattern-list syntax. 159.It Fl P Ar allowed_providers 160Specify a pattern-list of acceptable paths for PKCS#11 provider and FIDO 161authenticator middleware shared libraries that may be used with the 162.Fl S 163or 164.Fl s 165options to 166.Xr ssh-add 1 . 167Libraries that do not match the pattern list will be refused. 168The default list is 169.Dq /usr/lib/*,/usr/local/lib/* . 170.Pp 171See PATTERNS in 172.Xr ssh_config 5 173for a description of pattern-list syntax. 174.It Fl s 175Generate Bourne shell commands on standard output. 176This is the default if 177.Ev SHELL 178does not look like it's a csh style of shell. 179.It Fl T 180Bind the agent socket in a randomised subdirectory of the form 181.Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt , 182instead of the default behaviour of using a randomised name matching 183.Pa $HOME/.ssh/agent/s.* . 184.It Fl t Ar life 185Set a default value for the maximum lifetime of identities added to the agent. 186The lifetime may be specified in seconds or in a time format specified in 187.Xr sshd_config 5 . 188A lifetime specified for an identity with 189.Xr ssh-add 1 190overrides this value. 191Without this option the default maximum lifetime is forever. 192.It Fl U 193Instructs 194.Nm 195not to clean up stale agent sockets under 196.Pa $HOME/.ssh/agent/ . 197.It Fl u 198Instructs 199.Nm 200to only clean up stale agent sockets under 201.Pa $HOME/.ssh/agent/ 202and then exit immediately. 203If this option is given twice, 204.Nm 205will delete stale agent sockets regardless of the host name that created them. 206.It Ar command Op Ar arg ... 207If a command (and optional arguments) is given, 208this is executed as a subprocess of the agent. 209The agent exits automatically when the command given on the command 210line terminates. 211.El 212.Pp 213There are two main ways to get an agent set up. 214The first is at the start of an X session, 215where all other windows or programs are started as children of the 216.Nm 217program. 218The agent starts a command under which its environment 219variables are exported, for example 220.Cm ssh-agent xterm & . 221When the command terminates, so does the agent. 222.Pp 223The second method is used for a login session. 224When 225.Nm 226is started, 227it prints the shell commands required to set its environment variables, 228which in turn can be evaluated in the calling shell, for example 229.Cm eval `ssh-agent -s` . 230.Pp 231In both cases, 232.Xr ssh 1 233looks at these environment variables 234and uses them to establish a connection to the agent. 235.Pp 236The agent initially does not have any private keys. 237Keys are added using 238.Xr ssh-add 1 239or by 240.Xr ssh 1 241when 242.Cm AddKeysToAgent 243is set in 244.Xr ssh_config 5 . 245Multiple identities may be stored in 246.Nm 247concurrently and 248.Xr ssh 1 249will automatically use them if present. 250.Xr ssh-add 1 251is also used to remove keys from 252.Nm 253and to query the keys that are held in one. 254.Pp 255Connections to 256.Nm 257may be forwarded from further remote hosts using the 258.Fl A 259option to 260.Xr ssh 1 261(but see the caveats documented therein), 262avoiding the need for authentication data to be stored on other machines. 263Authentication passphrases and private keys never go over the network: 264the connection to the agent is forwarded over SSH remote connections 265and the result is returned to the requester, 266allowing the user access to their identities anywhere in the network 267in a secure fashion. 268.Pp 269.Nm 270will delete all keys it has loaded upon receiving 271.Dv SIGUSR1 . 272.Sh ENVIRONMENT 273.Bl -tag -width "SSH_AGENT_PID" 274.It Ev SSH_AGENT_PID 275When 276.Nm 277starts, it stores the name of the agent's process ID (PID) in this variable. 278.It Ev SSH_AUTH_SOCK 279When 280.Nm 281starts, it creates a 282.Ux Ns -domain 283socket and stores its pathname in this variable. 284It is accessible only to the current user, 285but is easily abused by root or another instance of the same user. 286.El 287.Sh FILES 288.Bl -tag -width Ds 289.It Pa $HOME/.ssh/agent/s.* 290.Ux Ns -domain 291sockets used to contain the connection to the authentication agent. 292These sockets should only be readable by the owner. 293The sockets should get automatically removed when the agent exits. 294.El 295.Sh SEE ALSO 296.Xr ssh 1 , 297.Xr ssh-add 1 , 298.Xr ssh-keygen 1 , 299.Xr ssh_config 5 , 300.Xr sshd 8 301.Sh AUTHORS 302.An -nosplit 303OpenSSH is a derivative of the original and free ssh 1.2.12 release by 304.An Tatu Ylonen . 305.An Aaron Campbell , Bob Beck , Markus Friedl , Niels Provos , Theo de Raadt 306and 307.An Dug Song 308removed many bugs, re-added newer features and created OpenSSH. 309.An Markus Friedl 310contributed the support for SSH protocol versions 1.5 and 2.0.