diff options
author | djm@openbsd.org <djm@openbsd.org> | 2022-10-07 04:06:26 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2022-10-25 08:54:43 +1100 |
commit | 9fd2441113fce2a83fc7470968c3b27809cc7f10 (patch) | |
tree | 48f4483522da097ecd8d8fc505970abfad650c9a /ssh-agent.1 | |
parent | 614252b05d70f798a0929b1cd3d213030ad4d007 (diff) | |
download | openssh-git-9fd2441113fce2a83fc7470968c3b27809cc7f10.tar.gz |
upstream: document "-O no-restrict-websafe"; spotted by Ross L
Richardson
OpenBSD-Commit-ID: fe9eaa50237693a14ebe5b5614bf32a02145fe8b
Diffstat (limited to 'ssh-agent.1')
-rw-r--r-- | ssh-agent.1 | 27 |
1 files changed, 25 insertions, 2 deletions
diff --git a/ssh-agent.1 b/ssh-agent.1 index ea43cd15..9c5aec70 100644 --- a/ssh-agent.1 +++ b/ssh-agent.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.73 2022/03/31 17:27:27 naddy Exp $ +.\" $OpenBSD: ssh-agent.1,v 1.74 2022/10/07 04:06:26 djm Exp $ .\" .\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 31 2022 $ +.Dd $Mdocdate: October 7 2022 $ .Dt SSH-AGENT 1 .Os .Sh NAME @@ -46,11 +46,13 @@ .Op Fl \&Dd .Op Fl a Ar bind_address .Op Fl E Ar fingerprint_hash +.Op Fl O Ar option .Op Fl P Ar allowed_providers .Op Fl t Ar life .Nm ssh-agent .Op Fl a Ar bind_address .Op Fl E Ar fingerprint_hash +.Op Fl O Ar option .Op Fl P Ar allowed_providers .Op Fl t Ar life .Ar command Op Ar arg ... @@ -102,6 +104,27 @@ The default is Kill the current agent (given by the .Ev SSH_AGENT_PID environment variable). +.It Fl O Ar option +Specify an option when starting +.Xr ssh-agent 1 . +Currently only one option is supported: +.Cm no-restrict-websafe . +This instructs +.Xr ssh-agent 1 +to permit signatures using FIDO keys that might be web authentication +requests. +By default, +.Xr ssh-agent 1 +refuses signature requests for FIDO keys where the key application string +does not start with +.Dq ssh: +and when the data to be signed does not appear to be a +.Xr ssh 1 +user authentication request or a +.Xr ssh-keygen 1 +signature. +The default behaviour prevents forwarded access to a FIDO key from also +implicitly forwarding the ability to authenticate to websites. .It Fl P Ar allowed_providers Specify a pattern-list of acceptable paths for PKCS#11 provider and FIDO authenticator middleware shared libraries that may be used with the |