ssh-agent - Single Sign-On using SSH

The ssh-agent is a helper program that keeps track of user's identity keys and their passphrases. The agent can then use the keys to log into other servers without having the user type in a password or passphrase again. This implements a form of single sign-on (SSO).

The SSH agent is used with SSH public key authentication. It uses SSH keys for authentication. Users can create SSH keys using the ssh-keygen command and install them on servers using the ssh-copy-id command. Proper SSH key management solutions are recommended to properly manage and audit access based on SSH keys in production environments.

Required Configuration

On most Linux systems, the ssh-agent is automatically configured and run at login, and no additional actions are required to use it. However, an SSH key must still be created for the user.

Also, to allow key-based logins to servers, public key authentication must be enabled on the server. In OpenSSH it is enabled by default. It is controlled by the PubkeyAuthentication option in sshd_config.

Adding Identities to the Agent

XXX

SSH Agent Forwarding

Furthermore, the SSH protocol implements agent forwarding, a mechanism whereby an SSH client allows an SSH server to use the local ssh-agent on the server the user logs into, as if it was local there. When the user uses an SSH client on the server, the client will try to contact the agent implemented by the server, and the server then forwards the request to the client that originally contacted the server, which further forwards it to the local agent. This way, ssh-agent and agent forwarding implement single sign-on that can progress transitively.

A wonderful feature of the single sign-on provided by SSH is that it works independent of organizational boundaries and geography. You can easily implement single sign-on to servers on the other side of the world, in cloud services, or at customer premises. No central coordination is needed.

To use agent forwarding, the ForwardAgent option must be set to yes on the client (see ssh_config) and the AllowAgentForwarding option must be set to yes on the server (see sshd_config).

Running ssh-agent

To run the agent manually, it should be run from a shell as follows: # eval `ssh-agent`

The agent outputs environment variable settings that this puts in place. The SSH_AUTH_SOCK environment variable is set to point to a unix-domain socket used for communicating with the agent, and the SSH_AGENT_PID environment variable is set to the process ID of the agent.

The command accepts the following options:

-a bind_address

Forces to bind the Unix domain socket to the given file path.

-c

Forces generation of C-shell commands on stdout. By default the shell is automatically detected.

-d

Enables debug mode.

-k

Kills the currently running agent.

-s

Forces generation of Bourne shell (/bin/sh) commands on stdout. By default the shell is automatically detected.

-t life

Specifies a maximum number of seconds that identities are kept in the agent. Without this option, the agent keeps keys as long as it runs. This can be overridden when running the ssh-add command.

Further Reading