SSH-KEYCHAIN(8) | System Manager's Manual | SSH-KEYCHAIN(8) |
ssh-keychain.dylib
—
smartcard/keychain support library
The ssh-keychain.dylib library is used as a PKCS11 module replacement for the family of ssh tools. It provides certificates on SmartCards and/or in user keychains to the tools.
By default, all valid certificates from all SmartCards currently
inserted into attached readers are provided. Manual configuration of
ssh-keychain.dylib
is required if certificates in
user keychains are desired, or if there is a need to limit which SmartCard
certificates are provided. The public key hash is used to select which
certificates should be provided. This hash is usually in hexadecimal string
form, without the leading
0x. To
determine the hash for certificate on a SmartCard, the sc_auth
hash or sc_auth identities commands can be used. For
certificates in user keychains, it is the value of the
hpky
attribute from
security
find-certificate output.
Configuration passed through the environment always takes precedence over the configuration file. The variable KEYCHAIN_CERTIFICATES is used to specify hashes. It should contain a semicolon-separated list of public key hashes of certificates which will be provided to the ssh tools.
If no enviroment variable configuration is provided,
ssh-keychain.dylib
looks for a configuration file
located at
~/.ssh/sshkeychain.plist.
This file is a standard property-list with a dictionary root object. It
should contain the key
KeychainCertificates
with a value that is either a string or an array of strings. If a string,
then the expected value is semicolon-separated list of public key hashes
like the environment variable. If the value is an array, then each hash is
an array entry.
Environment:
Configuration
plist:
February 10, 2020 | Darwin |