- stevesk@cvs.openbsd.org 2001/11/19 18:40:46

     [ssh-agent.1]
     clarify/state that private keys are not exposed to clients using the
     agent; ok markus@

2 files changed, 11 insertions, 2 deletions

diff --git a/ChangeLog b/ChangeLog
index 674ad85d7..7ff15b28b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -12,6 +12,10 @@
    - markus@cvs.openbsd.org 2001/11/19 11:20:21
      [sshd.c]
      fd leak on HUP; ok stevesk@
+   - stevesk@cvs.openbsd.org 2001/11/19 18:40:46
+     [ssh-agent.1]
+     clarify/state that private keys are not exposed to clients using the 
+     agent; ok markus@
 
 20011126
  - (tim) [contrib/cygwin/README, openbsd-compat/bsd-cygwin_util.c,
@@ -6934,4 +6938,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1670 2001/12/06 16:35:40 mouring Exp $
+$Id: ChangeLog,v 1.1671 2001/12/06 16:37:51 mouring Exp $
diff --git a/ssh-agent.1 b/ssh-agent.1
index 00c19921c..2b9f3d97c 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.28 2001/09/05 06:23:07 deraadt Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.29 2001/11/19 18:40:46 stevesk Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -127,6 +127,11 @@ Later
 .Xr ssh 1
 looks at these variables and uses them to establish a connection to the agent.
 .Pp
+The agent will never send a private key over its request channel.
+Instead, operations that require a private key will be performed
+by the agent, and the result will be returned to the requester.
+This way, private keys are not exposed to clients using the agent.
+.Pp
 A unix-domain socket is created
 .Pq Pa /tmp/ssh-XXXXXXXX/agent.<pid> ,
 and the name of this socket is stored in the