| SSH-AGENT(1) | General Commands Manual | SSH-AGENT(1) | 
ssh-agent —
| ssh-agent | [ -c|-s]
      [-Dd] [-abind_address] [-Efingerprint_hash] [-Ooption] [-Pallowed_providers] [-tlife] | 
| ssh-agent | [ -abind_address]
      [-Efingerprint_hash]
      [-Ooption]
      [-Pallowed_providers]
      [-tlife]
      command [arg ...] | 
| ssh-agent | [ -c|-s]-k | 
ssh-agent is a program to hold private keys used for
  public key authentication. Through use of environment variables the agent can
  be located and automatically used for authentication when logging in to other
  machines using ssh(1).
The options are as follows:
-a
    bind_address-cstdout. This is the
      default if SHELL looks like it's a csh style of
      shell.-Dssh-agent will not fork.-dssh-agent will not fork and will write debug
      information to standard error.-E
    fingerprint_hash-kSSH_AGENT_PID
      environment variable).-O
    optionssh-agent.
      Currently two options are supported:
      allow-remote-pkcs11 and
      no-restrict-websafe.
    The allow-remote-pkcs11 option allows
        clients of a forwarded ssh-agent to load PKCS#11
        or FIDO provider libraries. By default only local clients may perform
        this operation. Note that signalling that an
        ssh-agent client is remote is performed by
        ssh(1), and use of other
        tools to forward access to the agent socket may circumvent this
        restriction.
The no-restrict-websafe option
        instructs ssh-agent to permit signatures using
        FIDO keys that might be web authentication requests. By default,
        ssh-agent refuses signature requests for FIDO
        keys where the key application string does not start with
        “ssh:” and when the data to be signed does not appear to
        be a ssh(1) user
        authentication request or a
        ssh-keygen(1)
        signature. The default behaviour prevents forwarded access to a FIDO key
        from also implicitly forwarding the ability to authenticate to
      websites.
-P
    allowed_providers-S or -s options to
      ssh-add(1). Libraries that
      do not match the pattern list will be refused. See PATTERNS in
      ssh_config(5) for a
      description of pattern-list syntax. The default list is
      “/usr/lib/*,/usr/local/lib/*”.-sstdout. This is
      the default if SHELL does not look like it's a csh
      style of shell.-t
    lifeThere are two main ways to get an agent set up. The first is at
    the start of an X session, where all other windows or programs are started
    as children of the ssh-agent program. The agent
    starts a command under which its environment variables are exported, for
    example ssh-agent xterm &. When the command
    terminates, so does the agent.
The second method is used for a login session. When
    ssh-agent is started, it prints the shell commands
    required to set its environment variables, which in turn can be evaluated in
    the calling shell, for example eval `ssh-agent
  -s`.
In both cases, ssh(1) looks at these environment variables and uses them to establish a connection to the agent.
The agent initially does not have any private keys. Keys are added
    using ssh-add(1) or by
    ssh(1) when
    AddKeysToAgent is set in
    ssh_config(5). Multiple
    identities may be stored in ssh-agent concurrently
    and ssh(1) will automatically use
    them if present. ssh-add(1)
    is also used to remove keys from ssh-agent and to
    query the keys that are held in one.
Connections to ssh-agent may be forwarded
    from further remote hosts using the -A option to
    ssh(1) (but see the caveats
    documented therein), avoiding the need for authentication data to be stored
    on other machines. Authentication passphrases and private keys never go over
    the network: the connection to the agent is forwarded over SSH remote
    connections and the result is returned to the requester, allowing the user
    access to their identities anywhere in the network in a secure fashion.
SSH_AGENT_PIDssh-agent starts, it stores the name of the
      agent's process ID (PID) in this variable.SSH_AUTH_SOCKssh-agent starts, it creates a
      UNIX-domain socket and stores its pathname in this
      variable. It is accessible only to the current user, but is easily abused
      by root or another instance of the same user.| August 10 2023 | NetBSD 9.4 |