=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-agent.1,v retrieving revision 1.73.6.1 retrieving revision 1.74 diff -u -r1.73.6.1 -r1.74 --- src/usr.bin/ssh/ssh-agent.1 2023/07/19 14:08:59 1.73.6.1 +++ src/usr.bin/ssh/ssh-agent.1 2022/10/07 04:06:26 1.74 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.73.6.1 2023/07/19 14:08:59 bluhm Exp $ +.\" $OpenBSD: ssh-agent.1,v 1.74 2022/10/07 04:06:26 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: July 19 2023 $ +.Dd $Mdocdate: October 7 2022 $ .Dt SSH-AGENT 1 .Os .Sh NAME @@ -106,33 +106,15 @@ environment variable). .It Fl O Ar option Specify an option when starting -.Nm . -Currently two options are supported: -.Cm allow-remote-pkcs11 -and +.Xr ssh-agent 1 . +Currently only one option is supported: .Cm no-restrict-websafe . -.Pp -The -.Cm allow-remote-pkcs11 -option allows clients of a forwarded -.Nm -to load PKCS#11 or FIDO provider libraries. -By default only local clients may perform this operation. -Note that signalling that a -.Nm -client remote is performed by -.Xr ssh 1 , -and use of other tools to forward access to the agent socket may circumvent -this restriction. -.Pp -The -.Cm no-restrict-websafe , -instructs -.Nm +This instructs +.Xr ssh-agent 1 to permit signatures using FIDO keys that might be web authentication requests. By default, -.Nm +.Xr ssh-agent 1 refuses signature requests for FIDO keys where the key application string does not start with .Dq ssh: @@ -198,8 +180,7 @@ .Pp In both cases, .Xr ssh 1 -looks at these environment variables -and uses them to establish a connection to the agent. +looks at these environment variables and uses them to establish a connection to the agent. .Pp The agent initially does not have any private keys. Keys are added using