Diffstat (limited to 'crypto/openssh/ssh-agent.1')
-rw-r--r-- | crypto/openssh/ssh-agent.1 | 62 |
1 files changed, 49 insertions, 13 deletions
diff --git a/crypto/openssh/ssh-agent.1 b/crypto/openssh/ssh-agent.1 index f3db48e6c97e..a866e5728fc3 100644 --- a/crypto/openssh/ssh-agent.1 +++ b/crypto/openssh/ssh-agent.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.79 2023/08/10 14:37:32 naddy Exp $ +.\" $OpenBSD: ssh-agent.1,v 1.82 2025/02/09 18:24:08 schwarze Exp $ .\" .\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 10 2023 $ +.Dd $Mdocdate: February 9 2025 $ .Dt SSH-AGENT 1 .Os .Sh NAME @@ -77,8 +77,7 @@ socket The default is .Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt . .It Fl c -Generate C-shell commands on -.Dv stdout . +Generate C-shell commands on standard output. This is the default if .Ev SHELL looks like it's a csh style of shell. @@ -107,10 +106,11 @@ environment variable). .It Fl O Ar option Specify an option when starting .Nm . -Currently two options are supported: -.Cm allow-remote-pkcs11 +The supported options are: +.Cm allow-remote-pkcs11 , +.Cm no-restrict-websafe and -.Cm no-restrict-websafe . +.Cm websafe-allow . .Pp The .Cm allow-remote-pkcs11 @@ -143,6 +143,16 @@ user authentication request or a signature. The default behaviour prevents forwarded access to a FIDO key from also implicitly forwarding the ability to authenticate to websites. +.Pp +Alternately the +.Cm websafe-allow +option allows specifying a pattern-list of key application strings to +replace the default application allow-list, for example: +.Dq websafe-allow=ssh:*,example.org,*.example.com +.Pp +See PATTERNS in +.Xr ssh_config 5 +for a description of pattern-list syntax. .It Fl P Ar allowed_providers Specify a pattern-list of acceptable paths for PKCS#11 provider and FIDO authenticator middleware shared libraries that may be used with the 
@@ -152,14 +162,14 @@ or options to .Xr ssh-add 1 . Libraries that do not match the pattern list will be refused. +The default list is +.Dq usr/lib*/*,/usr/local/lib*/* . +.Pp See PATTERNS in .Xr ssh_config 5 for a description of pattern-list syntax. -The default list is -.Dq usr/lib*/*,/usr/local/lib*/* . .It Fl s -Generate Bourne shell commands on -.Dv stdout . +Generate Bourne shell commands on standard output. This is the default if .Ev SHELL does not look like it's a csh style of shell. @@ -180,7 +190,7 @@ The agent exits automatically when the command given on the command line terminates. .El .Pp -There are two main ways to get an agent set up. +There are three main ways to get an agent set up. The first is at the start of an X session, where all other windows or programs are started as children of the .Nm @@ -198,11 +208,33 @@ it prints the shell commands required to set its environment variables, which in turn can be evaluated in the calling shell, for example .Cm eval `ssh-agent -s` . .Pp -In both cases, +In both of these cases, .Xr ssh 1 looks at these environment variables and uses them to establish a connection to the agent. .Pp +The third way to run +.Nm +is via socket activation from a supervising process, such as systemd. +In this mode, the supervising process creates the listening socket and +is responsible for starting +.Nm +as needed, and also for communicating the location of the socket listener +to other programs in the user's session. +Socket activation is used when +.Nm +is started with either of the +.Fl d +or +.Fl D +flags, no socket listening address specified by the +.Fl a +flag, and both the +.Ev LISTEN_FDS +and +.Ev LISTEN_PID +environment variables correctly supplied by the supervising process. +.Pp The agent initially does not have any private keys. Keys are added using .Xr ssh-add 1 
@@ -235,6 +267,10 @@ the connection to the agent is forwarded over SSH remote connections and the result is returned to the requester, allowing the user access to their identities anywhere in the network in a secure fashion. +.Pp +.Nm +will delete all keys it has loaded upon receiving +.Dv SIGUSR1 . .Sh ENVIRONMENT .Bl -tag -width "SSH_AGENT_PID" .It Ev SSH_AGENT_PID |
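Review bot: In the websafe-allow paragraph (hunk @@ -143,6 +143,16 @@), "replace the default application allow-list" should state explicitly that the given pattern-list is not merged with the default, so an operator who omits "ssh:*" would presumably also cut off ordinary SSH authentication with the key; the example "websafe-allow=ssh:*,example.org,*.example.com" does include "ssh:*", but the reason for that is left unsaid. The paragraph should also say how websafe-allow interacts with no-restrict-websafe when both are passed, since one disables the check and the other narrows it. Minor: "Alternately the" wants a comma, "Alternately, the".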
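Review bot: The default provider list moved in hunk @@ -152,14 +162,14 @@ still reads ".Dq usr/lib*/*,/usr/local/lib*/* ." with no leading slash on the first entry; since the line is being touched anyway, make it "/usr/lib*/*,/usr/local/lib*/*" so both entries are absolute paths (as written, "usr/lib*/*" cannot match a library path that begins with "/"). Moving the default ahead of the PATTERNS cross-reference reads better than the previous order.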
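Review bot: In the socket-activation paragraph (hunk @@ -198,11 +208,33 @@), "correctly supplied by the supervising process" leaves the failure mode undocumented: say what the agent does when LISTEN_FDS or LISTEN_PID is present but does not check out (for example LISTEN_PID naming a different process), that is, whether it ignores the variables and creates its own socket or refuses to start, because that decides whether a stale or inherited environment can redirect where the agent listens. It would also help to say whether, in this mode, the agent still prints the environment-variable assignments that the "eval `ssh-agent -s`" paragraph above describes, given that the supervisor is made responsible for communicating the socket location.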
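Review bot: The new SIGUSR1 sentence in hunk @@ -235,6 +267,10 @@ says "keys it has loaded", while the surrounding text uses "identities" (the preceding context line is "allowing the user access to their identities") and that is also the term ssh-add(1) uses; suggest "will delete all identities it holds upon receiving" for consistency, and, if the effect is the same as ssh-add -D, say so, so an administrator can tell the signal is a key-flush mechanism rather than a shutdown.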