
ssh-keychain(8)           BSD System Manager's Manual          ssh-keychain(8)


NAME

     ssh-keychain.dylib -- smartcard/keychain support library


DESCRIPTION

     The ssh-keychain.dylib library is used as a PKCS11 module replacement for
     the family of ssh tools. It provides certificates on smartcards and/or in
     user keychains to the tools.


OVERVIEW

     By default, all valid certificates from all smartcards currently inserted
     into attached readers are provided. Manual configuration of
     ssh-keychain.dylib is required if certificates in user keychains are
     desired, or if there is a need to limit which smartcard certificates are
     provided.  The public key hash is used to select which certificates
     should be provided.  This hash is usually in hexadecimal string form,
     without the leading 0x.  To determine the hash for a certificate on a
     smartcard, the sc_auth hash or sc_auth identities commands can be used.
     For certificates in user keychains, it is the value of the hpky attribute
     from security find-certificate output.


ENVIRONMENT

     Configuration passed through the environment always takes precedence over
     the configuration file. The variable KEYCHAIN_CERTIFICATES is used to
     specify hashes. It should contain a semicolon-separated list of public
     key hashes of certificates which will be provided to the ssh tools.


CONFIG FILE

     If no environment variable configuration is provided, ssh-keychain.dylib
     looks for a configuration file located at ~/.ssh/sshkeychain.plist.  This
     file is a standard property list with a dictionary root object. It should
     contain the key KeychainCertificates with a value that is either a string
     or an array of strings. If the value is a string, it is expected to be a
     semicolon-separated list of public key hashes, like the environment
     variable.  If the value is an array, then each hash is an array entry.


EXAMPLES

     Environment:
             export KEYCHAIN_CERTIFICATES="AE31125DA4AAA294A4FED97B815D7F8DD1A78FF3;168D2C4CDDFCDADD465BAF3E6BCFE8193D8D42D1"
             ssh -o PKCS11Provider=/usr/lib/ssh-keychain.dylib machine


     Configuration plist:
             {
                 "KeychainCertificates" => [
                     0 => "AE31125DA4AAA294A4FED97B815D7F8DD1A78FF3"
                     1 => "168D2C4CDDFCDADD465BAF3E6BCFE8193D8D42D1"
                 ]
             }
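
     Audit helper (added example, not part of the original manual page and
     not Apple's code): it models the precedence documented above to report
     which hash list would be in effect, and writes the plist in array form.
     The function names and the treatment of an empty variable or a missing
     key are assumptions.

```python
import os
import plistlib
import re

CONFIG_PATH = os.path.expanduser("~/.ssh/sshkeychain.plist")
_HEX = re.compile(r"[0-9A-Fa-f]+")


def parse_hashes(value):
    """Accept both documented forms: a semicolon-separated string or an array."""
    items = value.split(";") if isinstance(value, str) else list(value)
    hashes = []
    for item in items:
        if not isinstance(item, str):
            raise ValueError(f"hash entries must be strings: {item!r}")
        item = item.strip()
        if not item:
            continue  # tolerate a trailing ';'
        if item[:2].lower() == "0x":
            raise ValueError(f"remove the leading 0x: {item!r}")
        if not _HEX.fullmatch(item):
            raise ValueError(f"not a hexadecimal hash: {item!r}")
        hashes.append(item)
    return hashes


def effective_hashes(environ=os.environ, config_path=CONFIG_PATH):
    """Return (source, hashes); source 'default' means no manual configuration."""
    env_value = environ.get("KEYCHAIN_CERTIFICATES")
    if env_value:  # assumption: an empty variable counts as not provided
        return "environment", parse_hashes(env_value)
    try:
        with open(config_path, "rb") as fh:
            root = plistlib.load(fh)
    except FileNotFoundError:
        return "default", []
    if not isinstance(root, dict):
        raise ValueError("root object of the plist must be a dictionary")
    if "KeychainCertificates" not in root:
        return "default", []  # assumption: a missing key means no restriction
    return "config file", parse_hashes(root["KeychainCertificates"])


def write_config(hashes, config_path=CONFIG_PATH):
    """Write the array form of KeychainCertificates after validating each hash."""
    with open(config_path, "wb") as fh:
        plistlib.dump({"KeychainCertificates": parse_hashes(hashes)}, fh)


if __name__ == "__main__":
    print(effective_hashes())
```

     A result of "environment" while ~/.ssh/sshkeychain.plist also exists
     means the file is being overridden for that shell.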


FILES

     ~/.ssh/sshkeychain.plist


SEE ALSO

     sc_auth(8), ssh-add(1), ssh_config(5)

Darwin                         February 9, 2017                         Darwin

Mac OS X 10.12.3 - Generated Thu Feb 9 19:17:19 CST 2017