derivepassphrase.git

@@ -23,7 +23,7 @@ The derivation is also <em>deterministic</em>, given the same inputs, thus the r

 The service name and constraints themselves also need not be kept secret; the latter are usually stored in a world-readable file to ease repeated entry of passphrase constraints.

-In lieu of a master passphrase, a master SSH key can also be used if there is a reachable, running SSH agent currently holding this key and if the key type is supported.  (See ["SSH KEY SUITABILITY"](#ssh-key-suitability) and ["BUGS"](#bugs) below.)  This too is compatible with <i>vault</i>(1).

+In lieu of a master passphrase, a master SSH key can also be used if there is a reachable, running SSH agent currently holding this key and if the key type is supported.  (See ["SSH AGENT SOCKET PROVIDERS"](#ssh-agent-socket-providers), ["SSH KEY SUITABILITY"](#ssh-key-suitability) and ["BUGS"](#bugs) below.)  This too is compatible with <i>vault</i>(1).

 ## OPTIONS

@@ -47,6 +47,9 @@ All character constraints refer to ASCII printable characters only (space (`U+00

     See also ["Configuration"](#configuration) for how this interacts with a stored passphrase or SSH key.

+    <b>derivepassphrase</b> uses so-called <i>SSH agent socket providers</i> to configure how it connects to the SSH agent.

+    See ["SSH AGENT SOCKET PROVIDERS"](#ssh-agent-socket-providers) for details.

+

 <b>-l</b> <var>n</var>, <b>-</b><b>-length</b> <var>n</var>

 :   Force the passphrase to have the length <var>n</var>.

     Defaults to the length <b>20</b> if not specified, or if explicitly specified as <code>0</code>.

@@ -181,6 +184,14 @@ The compatibility and extension options modify the behavior to enable additional

     (<i>vault</i>(1) behaves as if `--print-notes-after` were always given.)

+<b>-</b><b>-ssh-agent-socket-provider</b> <var>PROVIDER</var>

+:   When deriving a passphrase using an SSH key, use the named socket provider to connect to the SSH agent.

+    If not given, use the provider given in the configuration file, if any, else a platform-appropriate default provider.

+

+    (See ["SSH AGENT SOCKET PROVIDERS"](#ssh-agent-socket-providers) for details.)

+

+    (<i>vault</i>(1) behaves as if the built-in `ssh_auth_sock_on_unix` provider were always requested.)

+

 ### Other Options

 <b>-</b><b>-debug</b>

@@ -216,16 +227,58 @@ The script assumes a conforming <i>sh</i>(1), with support for "here" documents.

     **Do not run these emitted shell scripts directly without double-checking their output first!**

+## SSH AGENT SOCKET PROVIDERS

+

+An <dfn>SSH agent socket provider</dfn> is a named configuration (and associated support code) that teaches <b>derivepassphrase</b> how to connect to a specific SSH agent.

+Such providers can either be built-in, or contributed by third-party software, and may be dependent on a specific operating system and/or further third-party software.

+

+<b>derivepassphrase</b> ships with the following built-in providers:

+

+`ssh_auth_sock_on_posix`

+:   connects to an SSH agent named by the `SSH_AUTH_SOCK` enviroment variable, using UNIX domain sockets

+

+`ssh_auth_sock_on_windows`

+:   connects to an SSH agent named by the `SSH_AUTH_SOCK` enviroment variable, using Windows named pipes

+

+`openssh_on_windows`

+:   connects to the Powershell/"Win32" port of OpenSSH at its standard address, using Windows named pipes

+

+`pageant_on_windows`

+:   connects to Pageant on Windows at its standard address, using Windows named pipes

+

+and the following standard aliases:

+

+`unix_domain`

+:   alias for `ssh_auth_sock_on_posix`

+

+`windows_named_pipe`

+:   alias for `ssh_auth_sock_on_windows`

+

+`posix`

+:   alias for `unix_domain`

+

+`windows`

+:   alias for `windows_named_pipe`

+

+`native`

+:   alias for `posix` or `windows`, depending on the operating system

+

+(You are strongly advised to use a true provider name instead of an alias, if feasible.)

+

+The list of currently available and otherwise known SSH agent socket providers is part of the feature information emitted by `--version`.

+

 ## SSH KEY SUITABILITY

 An SSH key is <dfn>suitable</dfn> for use with <b>derivepassphrase vault</b> if the SSH agent guarantees that signatures produced with this key will be <em>deterministic</em>, given the same message to be signed.

 This is a property specific to the key type, and sometimes the agent used:

-  * RSA, Ed25519 and Ed448 keys are always suitable.

-    OpenSSH’s <i>ssh-agent</i>(1) supports only these keys as suitable keys.

+  * RSA, Ed25519 and Ed448 keys are always suitable, by design of the key type.

   * DSA and ECDSA keys are suitable if the SSH agent supports deterministic DSA signatures, e.g. by implementing RFC 6979.

-    PuTTY’s <i>pageant</i>(1) supports this, in addition to the always-suitable keys mentioned above.

+

+  * As of version 10.2 (October 2025), OpenSSH’s <i>ssh-agent</i>(1) supports only some of the always-suitable key types: RSA and Ed25519 keys.

+

+  * As of version 0.83 (February 2025), PuTTY’s <i>pageant</i>(1) supports all the key types mentioned above, including DSA and ECDSA keys via deterministic signatures.

 ## ENVIRONMENT

@@ -390,6 +443,14 @@ The <b>derivepassphrase vault</b> utility exits 0 on success, and >0 if an error

     (Exactly what it says.)

+<!-- Message-ID: ErrMsgTemplate.UNKNOWN_SSH_AGENT_SOCKET_PROVIDER -->

+??? failure "`The SSH agent socket provider %s is not in derivepassphrase's provider registry.`"

+

+    The requested SSH agent socket provider is unknown to <b>derivepassphrase</b>.

+    The provider name may be misspelled, or it may be provided by an external software package that is not installed on this system.

+

+    The list of SSH agent socket providers currently known to <b>derivepassphrase</b> may be queried via <b>derivepassphrase vault <span>-</span>-version</b>.

+

 <!-- Message-ID: ErrMsgTemplate.USER_ABORTED_EDIT -->

 ??? failure "`Not saving any new notes: the user aborted the request.`"

@@ -556,5 +617,3 @@ Exceptions:

   * The defaults are dictated by <i>vault</i>(1), necessitating the ["Compatibility and extension options"](#compatibility-and-extension-options).

     (WONTFIX.)

-

-  * The Windows version does not support SSH keys because Python on Windows does not support the predominant type of inter-process communication used by SSH agents on Windows.

@@ -81,6 +81,7 @@ key can also be used if there is a reachable, running

 .Tn SSH

 agent currently holding this key and if the key type is supported.

 (See

+.Sx "SSH AGENT SOCKET PROVIDERS" ,

 .Sx "SSH KEY SUITABILITY"

 and

 .Sx BUGS

@@ -156,6 +157,16 @@ See also

 for how this interacts with a stored passphrase or

 .Tn SSH

 key.

+.Pp

+.Nm derivepassphrase

+uses so-called

+.Dq Tn SSH No agent socket providers

+to configure how it connects to the

+.Tn SSH

+agent.

+See

+.Sx "SSH AGENT SOCKET PROVIDERS"

+for details.

 .

 .It Fl l Ar n , Fl \-length Ar n

 Force the passphrase to have the length

@@ -482,6 +493,25 @@ behaves as if

 .Fl \-print\-notes\-after

 were always given.)

 .

+.It Fl \-ssh\-agent\-socket\-provider Ar PROVIDER

+When deriving a passphrase using an SSH key, use the named socket provider

+to connect to the

+.Tn SSH

+agent.

+If not given, use the provider given in the configuration file, if any,

+else a platform-appropriate default provider.

+.Pp

+.

+(See

+.Sx "SSH AGENT SOCKET PROVIDERS"

+for details.)

+.Pp

+.

+.Xr ( vault 1

+behaves as if the built-in

+.Li ssh_auth_sock_on_unix

+provider were always requested.)

+.

 .El

 .

 .Ss Other options

@@ -556,6 +586,78 @@ Do not run these emitted shell scripts directly without double-checking

 their output first!

 .Ef

 .

+.Sh SSH AGENT SOCKET PROVIDERS

+.

+An

+.Dq Tn SSH No agent socket provider

+is a named configuration

+.Pq and associated support code

+that teaches

+.Nm derivepassphrase

+how to connect to a specific

+.Tn SSH

+agent.

+Such providers can either be built-in, or contributed by third-party software,

+and may be dependent on a specific operating system and/or further third-party

+software.

+.Pp

+.Nm derivepassphrase

+ships with the following built-in providers:

+.Bl -ohang -offset indent

+.It Li ssh_auth_sock_on_posix

+connects to an

+.Tn SSH

+agent named by the

+.Ev SSH_AUTH_SOCK

+environment variable, using

+.Tn UNIX

+domain sockets

+.It Li ssh_auth_sock_on_windows

+connects to an

+.Tn SSH

+agent named by the

+.Ev SSH_AUTH_SOCK

+environment variable, using Windows named pipes

+.It Li openssh_on_windows

+connects to the

+.Pf Powershell Pf / Dq Win32

+port of

+.Tn OpenSSH

+at its standard address, using Windows named pipes

+.It Li pageant_on_windows

+connects to Pageant on Windows at its standard address, using Windows named pipes

+.El

+.Pp

+and the following standard aliases:

+.Bl -ohang -offset indent

+.It Li unix_domain

+alias for

+.Li ssh_auth_sock_on_posix

+.It Li windows_named_pipe

+alias for

+.Li ssh_auth_sock_on_windows

+.It Li posix

+alias for

+.Li unix_domain

+.It Li windows

+alias for

+.Li windows_named_pipe

+.It Li native

+alias for

+.Li posix

+or

+.Li windows ,

+depending on the operating system

+.El

+.Pp

+(You are strongly advised to use a true provider name instead of an alias,

+if feasible.)

+.Pp

+The list of currently available and otherwise known

+.Tn SSH

+agent socket providers is part of the feature information emitted by

+.Fl \-version .

+.

 .Sh SSH KEY SUITABILITY

 .

 An

@@ -580,10 +682,7 @@ and sometimes the agent used:

 .Tn Ed25519

 and

 .Tn Ed448

-keys are always suitable.

-.Tn OpenSSH Ns No 's

-.Xr ssh-agent 1

-supports only these keys as suitable keys.

+keys are always suitable, by design of the key type.

 .

 .It

 .Tn DSA

@@ -595,9 +694,26 @@ agent supports deterministic

 .Tn DSA

 signatures, e.g. by implementing

 .Tn RFC 6979 .

+.

+.It

+As of version 10.2 (October 2025),

+.Tn OpenSSH Ns No 's

+.Xr ssh-agent 1

+supports only some of the always-suitable key types:

+.Tn RSA

+and

+.Tn Ed25519

+keys.

+.

+.It

+As of version 0.83 (February 2025),

 .Tn PuTTY Ns No 's

 .Xr pageant 1

-supports this, in addition to the always-suitable keys mentioned above.

+supports all key types mentioned above, including

+.Tn DSA

+and

+.Tn ECDSA

+keys via deterministic signatures.

 .

 .El

 .

@@ -879,6 +995,21 @@ agent must fulfill to be suitable.

 .

 (Exactly what it says.)

 .

+.\" Message-ID: ErrMsgTemplate.UNKNOWN_SSH_AGENT_SOCKET_PROVIDER

+.It The SSH agent socket provider %s is not in derivepassphrase's provider registry.

+The requested

+.Tn SSH

+agent socket provider is unknown to

+.Nm derivepassphrase .

+The provider name may be misspelled, or it may be provided by an external

+software package that is not installed on this system.

+.Pp

+The list of

+.Tn SSH agent socket providers currently known to

+.Nm derivepassphrase

+may be queried via

+.Li derivepassphrase vault Fl \-version .

+.

 .\" Message-ID: ErrMsgTemplate.USER_ABORTED_EDIT

 .It Not saving any new notes: the user aborted the request.

 (Exactly what it says.)

@@ -1178,13 +1309,5 @@ necessitating the

 .Sx Compatibility and extension options .

 .Pq WONTFIX.

 .

-.It

-The Windows version does not support

-.Tn SSH

-keys because Python on Windows does not support the predominant type of

-inter-process communication used by

-.Tn SSH

-agents on Windows.

-.

 .El

 .