author Damien Miller <djm@cvs.openbsd.org> 2022-10-07 04:06:27 +0000
committer Damien Miller <djm@cvs.openbsd.org> 2022-10-07 04:06:27 +0000
commit ef1f41404a494f1767c1eececfd7fbf688871843 (patch)
tree b27d7277eda88e8654dbe5f5df733d905456d3ee /usr.bin
parent f48e869dbf7321549666739e254464ce66ec053a (diff)
document "-O no-restrict-websafe"; spotted by Ross L Richardson
Diffstat (limited to 'usr.bin')
-rw-r--r-- usr.bin/ssh/ssh-agent.1 | 27
1 files changed, 25 insertions, 2 deletions
diff --git a/usr.bin/ssh/ssh-agent.1 b/usr.bin/ssh/ssh-agent.1
index 52634e92c42..2c6cd889aa3 100644
--- a/usr.bin/ssh/ssh-agent.1
+++ b/usr.bin/ssh/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.73 2022/03/31 17:27:27 naddy Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.74 2022/10/07 04:06:26 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: October 7 2022 $
.Dt SSH-AGENT 1
.Os
.Sh NAME
@@ -46,11 +46,13 @@
.Op Fl \&Dd
.Op Fl a Ar bind_address
.Op Fl E Ar fingerprint_hash
+.Op Fl O Ar option
.Op Fl P Ar allowed_providers
.Op Fl t Ar life
.Nm ssh-agent
.Op Fl a Ar bind_address
.Op Fl E Ar fingerprint_hash
+.Op Fl O Ar option
.Op Fl P Ar allowed_providers
.Op Fl t Ar life
.Ar command Op Ar arg ...
@@ -102,6 +104,27 @@ The default is
Kill the current agent (given by the
.Ev SSH_AGENT_PID
environment variable).
+.It Fl O Ar option
+Specify an option when starting
+.Xr ssh-agent 1 .
+Currently only one option is supported:
+.Cm no-restrict-websafe .
+This instructs
+.Xr ssh-agent 1
+to permit signatures using FIDO keys that might be web authentication
+requests.
+By default,
+.Xr ssh-agent 1
+refuses signature requests for FIDO keys where the key application string
+does not start with
+.Dq ssh:
+and when the data to be signed does not appear to be a
+.Xr ssh 1
+user authentication request or a
+.Xr ssh-keygen 1
+signature.
+The default behaviour prevents forwarded access to a FIDO key from also
+implicitly forwarding the ability to authenticate to websites.
.It Fl P Ar allowed_providers
Specify a pattern-list of acceptable paths for PKCS#11 provider and FIDO
authenticator middleware shared libraries that may be used with the