ssh-keychain(8) BSD System Manager's Manual ssh-keychain(8)
NAME
ssh-keychain.dylib -- smartcard/keychain support library
DESCRIPTION
The ssh-keychain.dylib library is used as a PKCS11 module replacement for the family of ssh tools. It provides certificates on smartcards and/or in user keychains to the tools.
OVERVIEW
By default, all valid certificates from all smartcards currently inserted into attached readers are provided. Manual configuration of ssh-keychain.dylib is required if certificates in user keychains are desired, or if there is a need to limit which smartcard certificates are provided. The public key hash is used to select which certificates should be provided. This hash is usually in hexadecimal string form, without the leading 0x. To determine the hash for certificate on a smartcard, the sc_auth hash or sc_auth identities commands can be used. For certificates in user keychains, it is the value of the hpky attribute from security find-certificate output.
ENVIRONMENT
Configuration passed through the environment always takes precedence over the configuration file. The variable KEYCHAIN_CERTIFICATES is used to specify hashes. It should contain a semicolon-separated list of public key hashes of certificates which will be provided to the ssh tools.
CONFIG FILE
If no enviroment variable configuration is provided, ssh-keychain.dylib looks for a configuration file located at ~/.ssh/sshkeychain.plist. This file is a standard property-list with a dictionary root object. It should contain the key KeychainCertificates with a value that is either a string or an array of strings. If a string, then the expected value is semi- colon-separated list of public key hashes like the environment variable. If the value is an array, then each hash is an array entry.
EXAMPLES
Environment: KEYCHAIN_CERTIFICATES="AE31125DA4AAA294A4FED97B815D7F8DD1A78FF3;168D2C4CDDFCDADD465BAF3E6BCFE8193D8D42D1" ssh -o PKCS11Provider=/usr/lib/ssh-keychain.dylib machine Configuration plist: { "KeychainCertificates" => [ 0 => "AE31125DA4AAA294A4FED97B815D7F8DD1A78FF3" 1 => "168D2C4CDDFCDADD465BAF3E6BCFE8193D8D42D1" ] }
FILES
~/.ssh/sshkeychain.plist
SEE ALSO
sc_auth(8), ssh-add(1), ssh_config(5) Darwin February 9, 2017 Darwin
Mac OS X 10.12.3 - Generated Thu Feb 9 19:17:19 CST 2017