| version 1.73, 2022/03/31 17:27:27 |
version 1.73.6.1, 2023/07/19 14:08:59 |
|
|
| .Op Fl \&Dd |
.Op Fl \&Dd |
| .Op Fl a Ar bind_address |
.Op Fl a Ar bind_address |
| .Op Fl E Ar fingerprint_hash |
.Op Fl E Ar fingerprint_hash |
| |
.Op Fl O Ar option |
| .Op Fl P Ar allowed_providers |
.Op Fl P Ar allowed_providers |
| .Op Fl t Ar life |
.Op Fl t Ar life |
| .Nm ssh-agent |
.Nm ssh-agent |
| .Op Fl a Ar bind_address |
.Op Fl a Ar bind_address |
| .Op Fl E Ar fingerprint_hash |
.Op Fl E Ar fingerprint_hash |
| |
.Op Fl O Ar option |
| .Op Fl P Ar allowed_providers |
.Op Fl P Ar allowed_providers |
| .Op Fl t Ar life |
.Op Fl t Ar life |
| .Ar command Op Ar arg ... |
.Ar command Op Ar arg ... |
|
|
| Kill the current agent (given by the |
Kill the current agent (given by the |
| .Ev SSH_AGENT_PID |
.Ev SSH_AGENT_PID |
| environment variable). |
environment variable). |
| |
.It Fl O Ar option |
| |
Specify an option when starting |
| |
.Nm . |
| |
Currently two options are supported: |
| |
.Cm allow-remote-pkcs11 |
| |
and |
| |
.Cm no-restrict-websafe . |
| |
.Pp |
| |
The |
| |
.Cm allow-remote-pkcs11 |
| |
option allows clients of a forwarded |
| |
.Nm |
| |
to load PKCS#11 or FIDO provider libraries. |
| |
By default only local clients may perform this operation. |
| |
Note that signalling that a |
| |
.Nm |
| |
client remote is performed by |
| |
.Xr ssh 1 , |
| |
and use of other tools to forward access to the agent socket may circumvent |
| |
this restriction. |
| |
.Pp |
| |
The |
| |
.Cm no-restrict-websafe , |
| |
instructs |
| |
.Nm |
| |
to permit signatures using FIDO keys that might be web authentication |
| |
requests. |
| |
By default, |
| |
.Nm |
| |
refuses signature requests for FIDO keys where the key application string |
| |
does not start with |
| |
.Dq ssh: |
| |
and when the data to be signed does not appear to be a |
| |
.Xr ssh 1 |
| |
user authentication request or a |
| |
.Xr ssh-keygen 1 |
| |
signature. |
| |
The default behaviour prevents forwarded access to a FIDO key from also |
| |
implicitly forwarding the ability to authenticate to websites. |
| .It Fl P Ar allowed_providers |
.It Fl P Ar allowed_providers |
| Specify a pattern-list of acceptable paths for PKCS#11 provider and FIDO |
Specify a pattern-list of acceptable paths for PKCS#11 provider and FIDO |
| authenticator middleware shared libraries that may be used with the |
authenticator middleware shared libraries that may be used with the |
|
|
| .Pp |
.Pp |
| In both cases, |
In both cases, |
| .Xr ssh 1 |
.Xr ssh 1 |
| looks at these environment variables and uses them to establish a connection to the agent. |
looks at these environment variables |
| |
and uses them to establish a connection to the agent. |
| .Pp |
.Pp |
| The agent initially does not have any private keys. |
The agent initially does not have any private keys. |
| Keys are added using |
Keys are added using |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh-agent.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh