SSH – Purpose of ssh-agent Explained

I've read the official definition:

ssh-agent is a program to hold private keys used for public key authentication (RSA, DSA, ECDSA). The idea is that ssh-agent is started in the beginning of an X-session or a login session, and all other windows or programs are started as clients to the ssh-agent program. Through use of environment variables the agent can be located and automatically used for authentication when logging in to other machines using ssh(1).

"a program to hold private keys" – IMHO, ssh keys are generated by a user with the ssh-keygen command and simply stored in ~/.ssh – why do I need some daemon to hold these keys? How exactly does it hold them anyways? – aren't they just stored in .ssh?

"are started as clients to the ssh-agent program" – I don't get it. Where would one need that? I usually just use ssh as this:

 ssh -i ~/.ssh/private_key_name username@hostname

What exactly does the above definition mean by "clients"? What clients? Don't you just run the ssh command from a terminal to connect to another machine? What other clients are there and why can't they just use the standard path to that private key file, just like the ssh command?

Best Answer

The SSH agent handles signing of authentication data for you. When authenticating to a server, you are required to sign some data using your private key, to prove that you are, well, you.

As a security measure, most people sensibly protect their private keys with a passphrase, so any authentication attempt would require you to enter this passphrase. This can be undesirable, so the ssh-agent caches the key for you and you only need to enter the password once, when the agent wants to decrypt it (and often not even that, as the ssh-agent can be integrated with pam, which many distros do).

The SSH agent never hands these keys to client programs, but merely presents a socket over which clients can send it data and over which it responds with signed data. A side benefit of this is that you can use your private key even with programs you don't fully trust.

Another benefit of the SSH agent is that it can be forwarded over SSH. So when you ssh to host A, while forwarding your agent, you can then ssh from A to another host B without needing your key present (not even in encrypted form) on host A.
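To make the socket boundary described above concrete, here is an added example (not code from the question, the answer, or OpenSSH) that speaks the ssh-agent wire protocol from Python: it builds the request-identities and sign requests that clients like ssh send, and parses the agent's replies. Note that the sign request carries only the public key blob and the data to sign, so a client can obtain signatures without ever seeing the private key. The only transport assumption is the Unix socket named by SSH_AUTH_SOCK, the same one ssh and ssh-add use.

```python
import os
import socket
import struct

# Message numbers from the OpenSSH agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14

def ssh_string(b: bytes) -> bytes:
    # SSH "string": uint32 big-endian length followed by the raw bytes.
    return struct.pack(">I", len(b)) + b

def read_string(buf: bytes, off: int):
    # Decode an SSH "string" at offset off; return (value, next_offset).
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def frame(body: bytes) -> bytes:
    # Every agent message on the socket is prefixed with its uint32 length.
    return struct.pack(">I", len(body)) + body

def build_identities_request() -> bytes:
    # Ask the agent which public keys it holds (it never reveals private halves).
    return frame(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))

def build_sign_request(key_blob: bytes, data: bytes, flags: int = 0) -> bytes:
    # Select an identity by its *public* key blob and hand over the data to sign.
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(data) + struct.pack(">I", flags))
    return frame(body)

def parse_identities_answer(msg: bytes):
    # Unframed reply -> [(public_key_blob, comment), ...]; [] on any other type.
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        return []
    (count,) = struct.unpack_from(">I", msg, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(msg, off)
        comment, off = read_string(msg, off)
        keys.append((blob, comment.decode()))
    return keys

def parse_sign_response(msg: bytes):
    # Unframed reply -> signature bytes, or None when the agent sent SSH_AGENT_FAILURE.
    if not msg or msg[0] != SSH_AGENT_SIGN_RESPONSE:
        return None
    return read_string(msg, 1)[0]

def agent_call(framed_request: bytes) -> bytes:
    # Send one framed request to the live agent behind SSH_AUTH_SOCK; return the unframed reply.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(os.environ["SSH_AUTH_SOCK"])
        s.sendall(framed_request)
        (length,) = struct.unpack(">I", s.recv(4))
        reply = b""
        while len(reply) < length:
            reply += s.recv(length - len(reply))
    return reply
```

With an agent running and a key loaded, `parse_identities_answer(agent_call(build_identities_request()))` lists the same keys as `ssh-add -l`, and `parse_sign_response(agent_call(build_sign_request(blob, data)))` returns a signature over `data` made with a private key the calling process never holds.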