HP OpenVMS Systems Documentation

Content starts here

Using the SSH_AGENT Utility

 » Table of Contents

 » Glossary

 » Index

The SSH_AGENT utility starts the SSH authentication agent to use an SSH client that is configured to use public-key user authentication. Because the authentication agent holds private keys in memory, the user does not need to enter a passphrase if one exists for the key being used. As long as the agent is running, all key-related operations are directed to the agent.

On startup, the agent does not hold any private keys. Keys are added by using the SSH_ADD command. Several identities can be stored in the agent, and the agent can use any of these identities automatically. The command SSH_ADD -l displays the identities currently held by the agent.

When the SSH agent starts up, it assigns the logical name TCPIP$SSH_AGENT_PORT in the process job table, which is shared by a process and its subprocesses. Client programs use this value to start communication with the agent, in turn assigning the logical name TCPIP$SSH_CLIENT_PORT. The agent uses the latter logical name to check that the client is a valid user on the same job (that is, in the parent of the agent subprocess).

The agent terminates when the user logs out or stops the agent.

Command Synopsis

SSH_AGENT [-d debug_level]

Options

Table 7–6 describes the options you can use with the SSH_AGENT command.

Table 7-6 SSH_AGENT Command Options

OptionsDescription

-d debug-level

Displays debug information. The debug-level value is a number from 0 to 99, where 99 specifies that all debug information or a comma-separated list of assignments should be displayed.

 

Examples

The following example shows a normal agent startup and displays the value of the TCPIP$SSH_AGENT_PORT logical name:

 $ SSH_AGENT
%DCL-S-SPAWNED, process USER01_67 spawned

$ SHOW USER/FULL
USER01        OpenVMS User Processes at 12-AUG-2003 13:49:36.29
Total number of users = 1,  number of processes = 2
Username Process Name    PID     Terminal
USER01   USER01        00000B53  RTA1:    (SYS01::USER01)
USER01   USER01_67     00000EB8  (subprocess of 00000B53)

$ SHOW LOGICAL TCPIP$SSH_AGENT_PORT
"TCPIP$SSH_AGENT_PORT" = "49198" (LNM$JOB_81425DC0)

The following example shows an attempt to start a second agent within the same parent process.

 $ SSH_AGENT
%DCL-S-SPAWNED, process USER01_253 spawned
$  Agent already running on port: 49198.  Cannot start agent
%TCPIP-F-SSH_FATAL, non-specific fatal error condition

The following example shows the message displayed when a client not in the current user's job attempts to connect to the user's agent subprocess:

$   Possible security attack. Actual socket port of client: 49202 did not match
value of logical name TCPIP$SSH_CLIENT_PORT: ""