| SSH-KEYCHAIN(8) | System Manager's Manual | SSH-KEYCHAIN(8) |
ssh-keychain.dylib —
smartcard/token support library
The ssh-keychain.dylib library is used as a PKCS#11 and Secure Key module replacement for the family of ssh tools. It provides identities from CryptoTokenKit tokens (SmartCards and persistent tokens) to the tools.
By default, all valid (RSA for PKCS#11 and ecdsa256 for Secure Key
module) identities from all SmartCards and persistent tokens currently
available in the system are provided. Manual configuration of
ssh-keychain.dylib is required if there is a need to
limit which token identities are provided. The public key hash is used to
select which identities should be provided. This hash is usually in
hexadecimal string form, without the leading
0x. To
determine the hash for identity use the sc_auth
list-ctk-identities and sc_auth identities commands or
pkhh
attribute from
security
export-smartcard output.
Configuration passed through the environment always takes precedence over the configuration file. The variable KEYCHAIN_CERTIFICATES is used to specify hashes. It should contain a semicolon-separated list of public key hashes of certificates which will be provided to the ssh tools.
If no enviroment variable configuration is provided,
ssh-keychain.dylib looks for a configuration file
located at
~/.ssh/sshkeychain.plist.
This file is a standard property-list with a dictionary root object. It
should contain the key
KeychainCertificates
with a value that is either a string or an array of strings. If a string,
then the expected value is semicolon-separated list of public key hashes
like the environment variable. If the value is an array, then each hash is
an array entry.
Environment:Configuration
plist:| February 10, 2020 | Darwin |