mojave man page for ssh-keychain

Mojave Man Pages All Man Pages Latest Topics Forum Categories

Query: ssh-keychain

OS: mojave

Section: 8

Format: Original Unix Latex Style Formatted with HTML and a Horizontal Scroll Bar

SSH-KEYCHAIN(8) 					    BSD System Manager's Manual 					   SSH-KEYCHAIN(8)


NAME

     ssh-keychain.dylib -- smartcard/keychain support library


DESCRIPTION

     The ssh-keychain.dylib library is used as a PKCS11 module replacement for the family of ssh tools. It provides certificates on SmartCards
     and/or in user keychains to the tools.


OVERVIEW

     By default, all valid certificates from all SmartCards currently inserted into attached readers are provided. Manual configuration of
     ssh-keychain.dylib is required if certificates in user keychains are desired, or if there is a need to limit which SmartCard certificates are
     provided.	The public key hash is used to select which certificates should be provided.  This hash is usually in hexadecimal string form,
     without the leading 0x.  To determine the hash for certificate on a SmartCard, the sc_auth hash or sc_auth identities commands can be used.
     For certificates in user keychains, it is the value of the hpky attribute from security find-certificate output.


ENVIRONMENT

     Configuration passed through the environment always takes precedence over the configuration file. The variable KEYCHAIN_CERTIFICATES is used
     to specify hashes. It should contain a semicolon-separated list of public key hashes of certificates which will be provided to the ssh tools.


CONFIG FILE

     If no enviroment variable configuration is provided, ssh-keychain.dylib looks for a configuration file located at ~/.ssh/sshkeychain.plist.
     This file is a standard property-list with a dictionary root object. It should contain the key KeychainCertificates with a value that is
     either a string or an array of strings. If a string, then the expected value is semicolon-separated list of public key hashes like the envi-
     ronment variable. If the value is an array, then each hash is an array entry.


EXAMPLES

     Environment:
	     KEYCHAIN_CERTIFICATES="AE31125DA4AAA294A4FED97B815D7F8DD1A78FF3;168D2C4CDDFCDADD465BAF3E6BCFE8193D8D42D1"
	     ssh -o PKCS11Provider=/usr/lib/ssh-keychain.dylib machine

     Configuration plist:
	     {
		 "KeychainCertificates" => [
		     0 => "AE31125DA4AAA294A4FED97B815D7F8DD1A78FF3"
		     1 => "168D2C4CDDFCDADD465BAF3E6BCFE8193D8D42D1"
		 ]
	     }


FILES

     ~/.ssh/sshkeychain.plist


SEE ALSO

     sc_auth(8), ssh-add(1), ssh_config(5)

Darwin								   June 1, 2019 							    Darwin
Related Man Pages
ssh-add(1) - osx
systemkeychain(8) - mojave
ssh-add(1) - v7
ssh-add(1) - xfree86
ssh-add(1) - posix
Similar Topics in the Unix Linux Community
Using keychains with MobileMe, troubleshooting keychain issues
Weird "security" bahavior with SSL certificates
Storing ssh passwords/keys in keychain
grep lines separated with semicolon
Retrieve/download SSH key instead of Send/Upload?