From f8e7299e0e38dea6d8dc9c8b5463a182e78be915 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 7 Oct 2022 04:06:26 +0000 Subject: [PATCH] document "-O no-restrict-websafe"; spotted by Ross L Richardson --- usr.bin/ssh/ssh-agent.1 | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/usr.bin/ssh/ssh-agent.1 b/usr.bin/ssh/ssh-agent.1 index 52634e92c42..2c6cd889aa3 100644 --- a/usr.bin/ssh/ssh-agent.1 +++ b/usr.bin/ssh/ssh-agent.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.73 2022/03/31 17:27:27 naddy Exp $ +.\" $OpenBSD: ssh-agent.1,v 1.74 2022/10/07 04:06:26 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 31 2022 $ +.Dd $Mdocdate: October 7 2022 $ .Dt SSH-AGENT 1 .Os .Sh NAME @@ -46,11 +46,13 @@ .Op Fl \&Dd .Op Fl a Ar bind_address .Op Fl E Ar fingerprint_hash +.Op Fl O Ar option .Op Fl P Ar allowed_providers .Op Fl t Ar life .Nm ssh-agent .Op Fl a Ar bind_address .Op Fl E Ar fingerprint_hash +.Op Fl O Ar option .Op Fl P Ar allowed_providers .Op Fl t Ar life .Ar command Op Ar arg ... @@ -102,6 +104,27 @@ The default is Kill the current agent (given by the .Ev SSH_AGENT_PID environment variable). +.It Fl O Ar option +Specify an option when starting +.Xr ssh-agent 1 . +Currently only one option is supported: +.Cm no-restrict-websafe . +This instructs +.Xr ssh-agent 1 +to permit signatures using FIDO keys that might be web authentication +requests. +By default, +.Xr ssh-agent 1 +refuses signature requests for FIDO keys where the key application string +does not start with +.Dq ssh: +and when the data to be signed does not appear to be a +.Xr ssh 1 +user authentication request or a +.Xr ssh-keygen 1 +signature. +The default behaviour prevents forwarded access to a FIDO key from also +implicitly forwarding the ability to authenticate to websites. .It Fl P Ar allowed_providers Specify a pattern-list of acceptable paths for PKCS#11 provider and FIDO authenticator middleware shared libraries that may be used with the -- 2.20.1