pageant(1)    PuTTY tool suite    pageant(1)
pageant - PuTTY SSH authentication agent
pageant ( -X | -T | --permanent | --debug ) [ [ --encrypted ] key-file... ]
pageant [ [ --encrypted ] key-file... ] --exec command [ args... ]
pageant -a [ --encrypted ] key-file...
pageant ( -d | -r | --public | --public-openssh ) key-identifier...
pageant ( -D | -R )
pageant -l [ --fptype format ]
pageant --askpass prompt
pageant is both an SSH authentication agent, and also a tool for communicating with an already-running agent.
When running as an SSH agent, it listens on a Unix-domain socket for connections from client processes running under your user id. Clients can load SSH private keys into the agent, or request signatures on a given message from a key already in the agent. This permits one-touch authentication by SSH client programs, if Pageant is holding a key that the server they are connecting to will accept.
pageant can also act as a client program itself, communicating with an already-running agent to add or remove keys, list the keys, or extract their public half.
The agent protocol used by pageant is compatible with the PuTTY tools and also with other implementations such as OpenSSH's SSH client and ssh-agent(1). Some pageant features are implemented with protocol extensions, and so will only work if pageant is on both ends.
To run pageant as an agent, you must provide an option to tell it what its lifetime should be. Typically you would probably want Pageant to last for the duration of a login session, in which case you should use either -X or -T, depending on whether your login session is GUI or purely terminal-based respectively. For example, in your X session startup script you might write
eval $(pageant -X)
which will cause Pageant to start running, monitor the X server to notice when your session terminates (and then it will terminate too), and print on standard output some shell commands to set environment variables that client processes will need to find the running agent.
In a terminal-based login, you could do almost exactly the same thing but with -T:
eval $(pageant -T)
This will cause Pageant to tie its lifetime to that of your controlling terminal: when you log out, and the terminal device ceases to be associated with your session, Pageant will notice that it has no controlling terminal any more, and will terminate automatically.
In either of these modes, you can also add one or more private keys as extra command-line arguments, e.g.
eval $(pageant -T ~/.ssh/key.ppk)
in which case Pageant will immediately prompt for the keys' passphrases (if any) and start the agent with those keys already loaded in cleartext form. Passphrase prompts will use the controlling terminal if one is available, or failing that the GUI if one of those is available. (The prompt method can be overridden with the --gui-prompt or --tty-prompt options.) If neither is available, no passphrase prompting can be done.
Alternatively, you can start an agent with keys stored in encrypted form:
eval $(pageant -T --encrypted ~/.ssh/key.ppk)
In this case, Pageant will not prompt for a passphrase at startup; instead, it will prompt the first time a client tries to use the key. (Pageant will need access to a GUI so that it can pop up a passphrase prompt when required, unless it's running in --debug mode.)
To use Pageant to talk to an existing agent, you can add new keys using -a, list the current set of keys' fingerprints and comments with -l, extract the full public half of any key using --public or --public-openssh, delete a specific key or all keys using -d or -D respectively, or request re-encryption of a specific key or all keys using -r or -R respectively.
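The agent-lifetime and client-mode workflow described above, as an added shell example that is not part of the PuTTY suite or its manual: it starts a terminal-tied agent only when none is reachable, keeps the keys in encrypted form so passphrases are asked on first use, and parses `pageant -l` to count keys currently held in cleartext so that a screen-lock hook can call `pageant -R` and report what it could not re-encrypt. The exact form of the two environment lines pageant prints, and the `(encrypted)` / `(re-encryptable)` markers at the end of listing lines, are assumptions drawn from the descriptions above; the listing text used in the comments is constructed.

```shell
#!/bin/sh
# Added example, not part of PuTTY: a login-session helper around pageant(1).
# Assumptions (not stated verbatim in the manual): `pageant -T`/`-X` print the
# two lines  SSH_AUTH_SOCK=...; export SSH_AUTH_SOCK;  and
# SSH_AGENT_PID=...; export SSH_AGENT_PID;  and `pageant -l` appends
# "(encrypted)" or "(re-encryptable)" to the lines of keys in those states.

# True if an agent socket is set in the environment and answers a listing.
agent_alive() {
    [ -S "${SSH_AUTH_SOCK:-}" ] && pageant -l >/dev/null 2>&1
}

# Accept only the two expected assignment lines before they are eval'd, so a
# wrapper that captured something other than pageant's output cannot inject
# arbitrary shell into the session.  Empty input is rejected too.
agent_env_ok() {
    ! printf '%s\n' "$1" | grep -v -q \
        -e '^SSH_AUTH_SOCK=[^;]*; export SSH_AUTH_SOCK;$' \
        -e '^SSH_AGENT_PID=[0-9][0-9]*; export SSH_AGENT_PID;$'
}

# Start an agent tied to this terminal with the given .ppk files held in
# encrypted form (passphrase asked on first use), unless one is already up.
ensure_agent() {
    if agent_alive; then
        return 0
    fi
    env_out=$(pageant -T --encrypted "$@") || return 1
    agent_env_ok "$env_out" || return 1
    eval "$env_out"
}

# Given the text of `pageant -l`, print how many keys are held in cleartext,
# i.e. non-empty lines that do not carry the "(encrypted)" marker
# (constructed sample line: "ssh-rsa 2048 SHA256:constructed legacy").
cleartext_count() {
    printf '%s\n' "$1" | awk 'NF && !/\(encrypted\)$/ { n++ } END { print n + 0 }'
}

# Screen-lock hook: return every re-encryptable key to encrypted form, then
# print how many keys are still in cleartext (those added without --encrypted).
lock_keys() {
    pageant -R || return 1
    cleartext_count "$(pageant -l)"
}

# Print the OpenSSH-format public half of one key, for an authorized_keys file.
public_line() {
    pageant --public-openssh "$1"
}

# Only act when pageant exists and the caller opts in; harmless to source.
if [ "${PAGEANT_HELPER_RUN:-0}" = 1 ] && command -v pageant >/dev/null 2>&1; then
    ensure_agent "$HOME"/.ssh/*.ppk
    pageant -l
fi
```

Sourcing the file with PAGEANT_HELPER_RUN=1 from a .profile runs `ensure_agent` once per login; calling `lock_keys` from a screen-lock or idle hook limits how long decrypted keys sit in the agent, and a non-zero count from it tells you which sessions still load keys without `--encrypted`.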
The following options are called lifetime modes. They all request Pageant to operate in agent mode; each one specifies a different method for Pageant to start up and know when to shut down.
The usual approach would be to run
eval $(pageant -X)
in an X session startup script. However, other possibilities exist, such as directing the standard output of `pageant -X' to a file which is then sourced by any new shell.
All arguments on Pageant's command line after --exec will be treated as part of the command to run, even if they look like other valid Pageant options or key files.
This option is not recommended, because any method of manually killing the agent carries the risk of the session terminating unexpectedly before it manages to happen.
The following options tell Pageant to operate in client mode, contacting an existing agent via environment variables that it should already have set.
The private key files must be in PuTTY's .ppk file format.
Keys that will require a passphrase on their next use are listed as `encrypted'. Keys that can be returned to this state with -r are listed as `re-encryptable'.
Each key-identifier can be any of the following:
If Pageant can uniquely identify one key by interpreting the key-identifier in any of these ways, it will assume that key was the one you meant. If it cannot, you will have to specify more detail.
If you find that your desired key-identifier string can be validly interpreted as more than one of the above kinds of identification, you can disambiguate by prefixing it as follows:
(Holding encrypted keys is a Pageant extension, so this option and -R are unlikely to work with other agents.)
The data to sign is taken from standard input, signed by the agent with the key identified by key-identifier, and the resulting signature emitted on standard output (as a binary blob in the format defined by the SSH specifications).
flags is a number representing a combination of flag bits defined by the SSH agent protocol.
pageant --askpass implements the standard ssh-askpass(1) interface: it can be passed a prompt to display (as a single argument) and, if successful, prints the passphrase on standard output and returns a zero exit status. Typically you would use the environment variable SSH_ASKPASS to tell other programs to use pageant in this way.
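An SSH_ASKPASS program receives the prompt as its only argument, so pointing SSH_ASKPASS straight at the pageant binary would not supply the --askpass flag; the usual arrangement is a small wrapper script. The following added shell example (not part of the PuTTY suite) installs such a wrapper; the directory and the file name pageant-askpass are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of PuTTY: install a one-line SSH_ASKPASS wrapper
# that forwards the prompt to `pageant --askpass`.  The path $1/pageant-askpass
# is this example's own choice.

# Write the wrapper into directory $1 (created if needed), make it executable
# for the owner only, and print its path.
install_askpass_wrapper() {
    dir=$1
    mkdir -p "$dir"
    {
        printf '#!/bin/sh\n'
        printf '# Prompt arrives as $1 (ssh-askpass convention); the exit status\n'
        printf '# passes through: 0 with the passphrase on stdout, non-zero on cancel.\n'
        printf 'exec pageant --askpass "$1"\n'
    } > "$dir/pageant-askpass"
    chmod 0700 "$dir/pageant-askpass"
    printf '%s\n' "$dir/pageant-askpass"
}

# Typical use in a session startup file:
#   SSH_ASKPASS=$(install_askpass_wrapper "$HOME/.local/bin"); export SSH_ASKPASS
```

Because the wrapper uses exec, ssh-add(1) and other callers see pageant's own exit status, which is what the ssh-askpass convention relies on to distinguish a cancelled prompt from a successful one.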
eval $(pageant -X -v 2>~/.pageant.log)
and expect a list of all signatures requested by agent clients to build up in that log file.
The log information is the same as that produced by the --debug lifetime option, but --debug sends it to standard output (since that is the main point of debugging mode) whereas -v in all other lifetime modes sends the same log data to standard error (being a by-product of the program's main purpose). Using -v in --debug mode has no effect: the log still goes to standard output.
This allows access to an agent instance by setting the SSH_AUTH_SOCK environment variable to fixed-path, rather than having to use the value invented by pageant when it starts. It's mainly expected to be useful for debugging.
The --encrypted option makes no difference for key files which do not have a passphrase.
(Storing keys in encrypted form is a Pageant extension; other agent implementations are unlikely to support it.)
2015-05-19    PuTTY tool suite