version 1.81, 2020/07/14 23:57:01 |
version 1.82, 2021/12/19 22:14:12 |
|
|
.Op Fl E Ar fingerprint_hash |
.Op Fl E Ar fingerprint_hash |
.Op Fl S Ar provider |
.Op Fl S Ar provider |
.Op Fl t Ar life |
.Op Fl t Ar life |
|
.Op Fl H Ar hostkey_file |
|
.Op Fl h Ar destination_constraint |
.Op Ar |
.Op Ar |
.Nm ssh-add |
.Nm ssh-add |
.Fl s Ar pkcs11 |
.Fl s Ar pkcs11 |
|
|
.It Fl e Ar pkcs11 |
.It Fl e Ar pkcs11 |
Remove keys provided by the PKCS#11 shared library |
Remove keys provided by the PKCS#11 shared library |
.Ar pkcs11 . |
.Ar pkcs11 . |
|
.It Fl H Ar hostkey_file |
|
Specifies a known hosts file to lookup hostkeys when using destination- |
|
constained keys via the |
|
.Fl h |
|
flag. |
|
This option may be specified multiple times to allow multiple files to be |
|
searched. |
|
If no files are specified, |
|
.Nm |
|
will use the default |
|
.Xr ssh_config 5 |
|
known hosts files: |
|
.Pa ~/.ssh/known_hosts , |
|
.Pa ~/.ssh/known_hosts2 , |
|
.Pa /etc/ssh/ssh_known_hosts , |
|
and |
|
.Pa /etc/ssh/ssh_known_hosts2 . |
|
.It Fl h Ar destination_constraint |
|
When adding keys, constrain them to be usable only through specific hosts or to |
|
specific destinations. |
|
.Pp |
|
Destination constraints of the form |
|
.Sq [user@]dest-hostname |
|
permit use of the key only from the origin host (the one running |
|
.Xr ssh-agent 1 ) |
|
to the listed destination host, with optional user name. |
|
.Pp |
|
Constraints of the form |
|
.Sq src-hostname>[user@]dst-hostname |
|
allow a key available on a forwarded |
|
.Xr ssh-agent 1 |
|
to be used through a particular host (as specified by |
|
.Sq src-hostname ) |
|
to authenticate to a further host, |
|
specified by |
|
.Sq dst-hostname . |
|
.Pp |
|
Multiple destination constraints may be added when loading keys. |
|
When attempting authentication with a key that has destination constraints, |
|
the whole connection path, including |
|
.Xr ssh-agent 1 |
|
forwarding, is tested against those constraints and each |
|
hop must be permitted for the attempt to succeed. |
|
For example, if key is forwarded to a remote host, |
|
.Sq host-b , |
|
and is attempting authentication to another host, |
|
.Sq host-c , |
|
then the operation will be successful only if |
|
.Sq host-b |
|
was permitted from the origin host and the subsequent |
|
.Sq host-b>host-c |
|
hop is also permitted by destination constraints. |
|
.Pp |
|
Hosts are identified by their host keys, and are looked up from known hosts |
|
files by |
|
.Nm . |
|
Wildcards patterns may be used for hostnames and certificate host |
|
keys are supported. |
|
By default, keys added by |
|
.Nm |
|
are not destination constrained. |
|
.Pp |
|
Destination constraints were added in OpenSSH release 8.9. |
|
Support in both the remote SSH client and server is required when using |
|
destination-constrained keys over a forwarded |
|
.Xr ssh-agent 1 |
|
channel. |
|
.Pp |
|
It is also important to note that destination constraints can only be |
|
enforced by |
|
.Xr ssh-agent 1 |
|
when a key is used, or when it is forwarded by a |
|
.Sy cooperating |
|
.Xr ssh 1 . |
|
Specifically, it does not prevent an attacker with access to a remote |
|
.Ev SSH_AUTH_SOCK |
|
from forwarding it again and using it on a different host (but only to |
|
a permitted destination). |
.It Fl K |
.It Fl K |
Load resident keys from a FIDO authenticator. |
Load resident keys from a FIDO authenticator. |
.It Fl k |
.It Fl k |
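Review bot: the new -H paragraph carries a typo and a line break that will both show in the rendered page: ".Fl H Ar hostkey_file" text reads "destination-" / "constained keys", which mdoc renders as "destination- constained keys" (line breaks become spaces), so it should be "destination-constrained keys" kept on one source line; in the same sentence "to lookup hostkeys" reads better as "to look up host keys", matching the "host keys" wording used later in the -h text. Two smaller wording fixes in the -h paragraph: "Wildcards patterns may be used" should be "Wildcard patterns may be used", and "For example, if key is forwarded to a remote host" should be "if a key is forwarded". Because the -h grammar has two forms and the text says multiple constraints may be added, the description would be easier to follow if it closed with one concrete invocation in a .Bd -literal block, for example `ssh-add -h host-b -h 'host-b>host-c' ~/.ssh/id_ed25519`, which is exactly the host-b / host-b>host-c chain walked through in the prose; note the quoting, since '>' is a shell redirection operator, which is worth a sentence in the man page as well.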