upstream: Document loading of resident keys from a FIDO

authenticator. * Rename -O to -K to keep "-O option" available. * Document -K. * Trim usage() message down to synopsis, like all other commands. ok markus@ OpenBSD-Commit-ID: 015c2c4b28f8e19107adc80351b44b23bca4c78a
2025-07-27 07:44:29 +02:00 · 2020-01-17 20:13:47 +00:00 · 2020-01-17 20:13:47 +00:00 · e8c06c4ee7
commit e8c06c4ee7
parent 0d005d6372
2 changed files with 20 additions and 28 deletions
--- a/ssh-add.1
+++ b/ssh-add.1
@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-add.1,v 1.77 2019/12/21 20:22:34 naddy Exp $
+.\"	$OpenBSD: ssh-add.1,v 1.78 2020/01/17 20:13:47 naddy Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 21 2019 $
+.Dd $Mdocdate: January 17 2020 $
 .Dt SSH-ADD 1
 .Os
 .Sh NAME
@ -43,7 +43,7 @@
 .Nd adds private key identities to the OpenSSH authentication agent
 .Sh SYNOPSIS
 .Nm ssh-add
-.Op Fl cDdkLlqvXx
+.Op Fl cDdKkLlqvXx
 .Op Fl E Ar fingerprint_hash
 .Op Fl S Ar provider
 .Op Fl t Ar life
@ -124,6 +124,8 @@ The default is
 .It Fl e Ar pkcs11
 Remove keys provided by the PKCS#11 shared library
 .Ar pkcs11 .
+.It Fl K
+Load resident keys from a FIDO authenticator.
 .It Fl k
 When loading keys into or deleting keys from the agent, process plain private
 keys only and skip certificates.
--- a/ssh-add.c
+++ b/ssh-add.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.149 2020/01/06 02:00:46 djm Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.150 2020/01/17 20:13:47 naddy Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -606,26 +606,16 @@ do_file(int agent_fd, int deleting, int key_only, char *file, int qflag,
 static void
 usage(void)
 {
-	fprintf(stderr, "usage: %s [options] [file ...]\n", __progname);
-	fprintf(stderr, "Options:\n");
-	fprintf(stderr, "  -l          List fingerprints of all identities.\n");
-	fprintf(stderr, "  -E hash     Specify hash algorithm used for fingerprints.\n");
-	fprintf(stderr, "  -L          List public key parameters of all identities.\n");
-	fprintf(stderr, "  -k          Load only keys and not certificates.\n");
-	fprintf(stderr, "  -c          Require confirmation to sign using identities\n");
-	fprintf(stderr, "  -m minleft  Maxsign is only changed if less than minleft are left (for XMSS)\n");
-	fprintf(stderr, "  -M maxsign  Maximum number of signatures allowed (for XMSS)\n");
-	fprintf(stderr, "  -t life     Set lifetime (in seconds) when adding identities.\n");
-	fprintf(stderr, "  -d          Delete identity.\n");
-	fprintf(stderr, "  -D          Delete all identities.\n");
-	fprintf(stderr, "  -x          Lock agent.\n");
-	fprintf(stderr, "  -X          Unlock agent.\n");
-	fprintf(stderr, "  -s pkcs11   Add keys from PKCS#11 provider.\n");
-	fprintf(stderr, "  -e pkcs11   Remove keys provided by PKCS#11 provider.\n");
-	fprintf(stderr, "  -T pubkey   Test if ssh-agent can access matching private key.\n");
-	fprintf(stderr, "  -S provider Specify security key provider.\n");
-	fprintf(stderr, "  -q          Be quiet after a successful operation.\n");
-	fprintf(stderr, "  -v          Be more verbose.\n");
+	fprintf(stderr,
+"usage: ssh-add [-cDdKkLlqvXx] [-E fingerprint_hash] [-S provider] [-t life]\n"
+#ifdef WITH_XMSS
+"               [-M maxsign] [-m minleft]\n"
+#endif
+"               [file ...]\n"
+"       ssh-add -s pkcs11\n"
+"       ssh-add -e pkcs11\n"
+"       ssh-add -T pubkey ...\n"
+	);
 }

 int
@ -665,7 +655,7 @@ main(int argc, char **argv)

 	skprovider = getenv("SSH_SK_PROVIDER");

-	while ((ch = getopt(argc, argv, "vklLcdDTxXE:e:M:m:Oqs:S:t:")) != -1) {
+	while ((ch = getopt(argc, argv, "vkKlLcdDTxXE:e:M:m:qs:S:t:")) != -1) {
 		switch (ch) {
 		case 'v':
 			if (log_level == SYSLOG_LEVEL_INFO)
@ -681,15 +671,15 @@ main(int argc, char **argv)
 		case 'k':
 			key_only = 1;
 			break;
+		case 'K':
+			do_download = 1;
+			break;
 		case 'l':
 		case 'L':
 			if (lflag != 0)
 				fatal("-%c flag already specified", lflag);
 			lflag = ch;
 			break;
-		case 'O':
-			do_download = 1;
-			break;
 		case 'x':
 		case 'X':
 			if (xflag != 0)