-.\" $OpenBSD: ssh-add.1,v 1.69 2019/01/21 12:53:35 djm Exp $
+.\" $OpenBSD: ssh-add.1,v 1.70 2019/10/31 21:19:56 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: January 21 2019 $
+.Dd $Mdocdate: October 31 2019 $
.Dt SSH-ADD 1
.Os
.Sh NAME
.Op Fl cDdkLlqvXx
.Op Fl E Ar fingerprint_hash
.Op Fl t Ar life
+.Op Fl S Ar provider
.Op Ar
.Nm ssh-add
.Fl s Ar pkcs11
.It Fl s Ar pkcs11
Add keys provided by the PKCS#11 shared library
.Ar pkcs11 .
+.It Fl S Ar provider
+Specifies a path to a security key provider library that will be used when
+adding any security key-hosted keys, overriding the default of using the
+.Ev "SSH_SK_PROVIDER"
+environment variable to specify a provider.
.It Fl T Ar pubkey ...
Tests whether the private keys that correspond to the specified
.Ar pubkey
Identifies the path of a
.Ux Ns -domain
socket used to communicate with the agent.
+.It Ev SSH_SK_PROVIDER
+Specifies the path to a security key provider library used to interact with
+hardware security keys.
.El
.Sh FILES
.Bl -tag -width Ds
-/* $OpenBSD: ssh-add.c,v 1.142 2019/10/31 21:19:15 djm Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.143 2019/10/31 21:19:56 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
_PATH_SSH_CLIENT_ID_DSA,
#ifdef OPENSSL_HAS_ECC
_PATH_SSH_CLIENT_ID_ECDSA,
+ _PATH_SSH_CLIENT_ID_ECDSA_SK,
#endif
#endif /* WITH_OPENSSL */
_PATH_SSH_CLIENT_ID_ED25519,
}
static int
-add_file(int agent_fd, const char *filename, int key_only, int qflag)
+add_file(int agent_fd, const char *filename, int key_only, int qflag,
+ const char *skprovider)
{
struct sshkey *private, *cert;
char *comment = NULL;
ssh_free_identitylist(idlist);
}
+ if (sshkey_type_plain(private->type) != KEY_ECDSA_SK)
+ skprovider = NULL; /* Don't send constraint for other keys */
+ else if (skprovider == NULL) {
+ fprintf(stderr, "Cannot load security key %s without "
+ "provider\n", filename);
+ goto out;
+ }
+
if ((r = ssh_add_identity_constrained(agent_fd, private, comment,
- lifetime, confirm, maxsign, NULL)) == 0) {
+ lifetime, confirm, maxsign, skprovider)) == 0) {
ret = 0;
if (!qflag) {
fprintf(stderr, "Identity added: %s (%s)\n",
sshkey_free(cert);
if ((r = ssh_add_identity_constrained(agent_fd, private, comment,
- lifetime, confirm, maxsign, NULL)) != 0) {
+ lifetime, confirm, maxsign, skprovider)) != 0) {
error("Certificate %s (%s) add failed: %s", certpath,
private->cert->key_id, ssh_err(r));
goto out;
}
static int
-do_file(int agent_fd, int deleting, int key_only, char *file, int qflag)
+do_file(int agent_fd, int deleting, int key_only, char *file, int qflag,
+ const char *skprovider)
{
if (deleting) {
if (delete_file(agent_fd, file, key_only, qflag) == -1)
return -1;
} else {
- if (add_file(agent_fd, file, key_only, qflag) == -1)
+ if (add_file(agent_fd, file, key_only, qflag, skprovider) == -1)
return -1;
}
return 0;
fprintf(stderr, " -s pkcs11 Add keys from PKCS#11 provider.\n");
fprintf(stderr, " -e pkcs11 Remove keys provided by PKCS#11 provider.\n");
fprintf(stderr, " -T pubkey Test if ssh-agent can access matching private key.\n");
+ fprintf(stderr, " -S provider Specify security key provider.\n");
fprintf(stderr, " -q Be quiet after a successful operation.\n");
fprintf(stderr, " -v Be more verbose.\n");
}
extern char *optarg;
extern int optind;
int agent_fd;
- char *pkcs11provider = NULL;
+ char *pkcs11provider = NULL, *skprovider = NULL;
int r, i, ch, deleting = 0, ret = 0, key_only = 0;
int xflag = 0, lflag = 0, Dflag = 0, qflag = 0, Tflag = 0;
SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
exit(2);
}
- while ((ch = getopt(argc, argv, "vklLcdDTxXE:e:M:m:qs:t:")) != -1) {
+ skprovider = getenv("SSH_SK_PROVIDER");
+
+ while ((ch = getopt(argc, argv, "vklLcdDTxXE:e:M:m:qs:S:t:")) != -1) {
switch (ch) {
case 'v':
if (log_level == SYSLOG_LEVEL_INFO)
case 's':
pkcs11provider = optarg;
break;
+ case 'S':
+ skprovider = optarg;
+ break;
case 'e':
deleting = 1;
pkcs11provider = optarg;
if (stat(buf, &st) == -1)
continue;
if (do_file(agent_fd, deleting, key_only, buf,
- qflag) == -1)
+ qflag, skprovider) == -1)
ret = 1;
else
count++;
} else {
for (i = 0; i < argc; i++) {
if (do_file(agent_fd, deleting, key_only,
- argv[i], qflag) == -1)
+ argv[i], qflag, skprovider) == -1)
ret = 1;
}
}
projects / thirdparty / openssh-portable.git / commitdiff
