1.\" $OpenBSD: ssh-add.1,v 1.79 2020/02/07 03:57:31 djm Exp $ 2.\" 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5.\" All rights reserved 6.\" 7.\" As far as I am concerned, the code I have written for this software 8.\" can be used freely for any purpose. Any derived versions of this 9.\" software must be clearly marked as such, and if the derived work is 10.\" incompatible with the protocol description in the RFC file, it must be 11.\" called by a name other than "ssh" or "Secure Shell". 12.\" 13.\" 14.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 15.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 16.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. 17.\" 18.\" Redistribution and use in source and binary forms, with or without 19.\" modification, are permitted provided that the following conditions 20.\" are met: 21.\" 1. Redistributions of source code must retain the above copyright 22.\" notice, this list of conditions and the following disclaimer. 23.\" 2. Redistributions in binary form must reproduce the above copyright 24.\" notice, this list of conditions and the following disclaimer in the 25.\" documentation and/or other materials provided with the distribution. 26.\" 27.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 28.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 29.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 30.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 31.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 32.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 33.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 34.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 37.\" 38.Dd $Mdocdate: February 7 2020 $ 39.Dt SSH-ADD 1 40.Os 41.Sh NAME 42.Nm ssh-add 43.Nd adds private key identities to the OpenSSH authentication agent 44.Sh SYNOPSIS 45.Nm ssh-add 46.Op Fl cDdKkLlqvXx 47.Op Fl E Ar fingerprint_hash 48.Op Fl S Ar provider 49.Op Fl t Ar life 50.Op Ar 51.Nm ssh-add 52.Fl s Ar pkcs11 53.Nm ssh-add 54.Fl e Ar pkcs11 55.Nm ssh-add 56.Fl T 57.Ar pubkey ... 58.Sh DESCRIPTION 59.Nm 60adds private key identities to the authentication agent, 61.Xr ssh-agent 1 . 62When run without arguments, it adds the files 63.Pa ~/.ssh/id_rsa , 64.Pa ~/.ssh/id_dsa , 65.Pa ~/.ssh/id_ecdsa , 66.Pa ~/.ssh/id_ecdsa_sk , 67.Pa ~/.ssh/id_ed25519 , 68and 69.Pa ~/.ssh/id_ed25519_sk . 70After loading a private key, 71.Nm 72will try to load corresponding certificate information from the 73filename obtained by appending 74.Pa -cert.pub 75to the name of the private key file. 76Alternative file names can be given on the command line. 77.Pp 78If any file requires a passphrase, 79.Nm 80asks for the passphrase from the user. 81The passphrase is read from the user's tty. 82.Nm 83retries the last passphrase if multiple identity files are given. 84.Pp 85The authentication agent must be running and the 86.Ev SSH_AUTH_SOCK 87environment variable must contain the name of its socket for 88.Nm 89to work. 90.Pp 91The options are as follows: 92.Bl -tag -width Ds 93.It Fl c 94Indicates that added identities should be subject to confirmation before 95being used for authentication. 96Confirmation is performed by 97.Xr ssh-askpass 1 . 98Successful confirmation is signaled by a zero exit status from 99.Xr ssh-askpass 1 , 100rather than text entered into the requester. 101.It Fl D 102Deletes all identities from the agent. 103.It Fl d 104Instead of adding identities, removes identities from the agent. 105If 106.Nm 107has been run without arguments, the keys for the default identities and 108their corresponding certificates will be removed. 109Otherwise, the argument list will be interpreted as a list of paths to 110public key files to specify keys and certificates to be removed from the agent. 111If no public key is found at a given path, 112.Nm 113will append 114.Pa .pub 115and retry. 116.It Fl E Ar fingerprint_hash 117Specifies the hash algorithm used when displaying key fingerprints. 118Valid options are: 119.Dq md5 120and 121.Dq sha256 . 122The default is 123.Dq sha256 . 124.It Fl e Ar pkcs11 125Remove keys provided by the PKCS#11 shared library 126.Ar pkcs11 . 127.It Fl K 128Load resident keys from a FIDO authenticator. 129.It Fl k 130When loading keys into or deleting keys from the agent, process plain private 131keys only and skip certificates. 132.It Fl L 133Lists public key parameters of all identities currently represented 134by the agent. 135.It Fl l 136Lists fingerprints of all identities currently represented by the agent. 137.It Fl q 138Be quiet after a successful operation. 139.It Fl S Ar provider 140Specifies a path to a library that will be used when adding 141FIDO authenticator-hosted keys, overriding the default of using the 142internal USB HID support. 143.It Fl s Ar pkcs11 144Add keys provided by the PKCS#11 shared library 145.Ar pkcs11 . 146.It Fl T Ar pubkey ... 147Tests whether the private keys that correspond to the specified 148.Ar pubkey 149files are usable by performing sign and verify operations on each. 150.It Fl t Ar life 151Set a maximum lifetime when adding identities to an agent. 152The lifetime may be specified in seconds or in a time format 153specified in 154.Xr sshd_config 5 . 155.It Fl v 156Verbose mode. 157Causes 158.Nm 159to print debugging messages about its progress. 160This is helpful in debugging problems. 161Multiple 162.Fl v 163options increase the verbosity. 164The maximum is 3. 165.It Fl X 166Unlock the agent. 167.It Fl x 168Lock the agent with a password. 169.El 170.Sh ENVIRONMENT 171.Bl -tag -width Ds 172.It Ev "DISPLAY" and "SSH_ASKPASS" 173If 174.Nm 175needs a passphrase, it will read the passphrase from the current 176terminal if it was run from a terminal. 177If 178.Nm 179does not have a terminal associated with it but 180.Ev DISPLAY 181and 182.Ev SSH_ASKPASS 183are set, it will execute the program specified by 184.Ev SSH_ASKPASS 185(by default 186.Dq ssh-askpass ) 187and open an X11 window to read the passphrase. 188This is particularly useful when calling 189.Nm 190from a 191.Pa .xsession 192or related script. 193(Note that on some machines it 194may be necessary to redirect the input from 195.Pa /dev/null 196to make this work.) 197.It Ev SSH_AUTH_SOCK 198Identifies the path of a 199.Ux Ns -domain 200socket used to communicate with the agent. 201.It Ev SSH_SK_PROVIDER 202Specifies a path to a library that will be used when loading any 203FIDO authenticator-hosted keys, overriding the default of using 204the built-in USB HID support. 205.El 206.Sh FILES 207.Bl -tag -width Ds -compact 208.It Pa ~/.ssh/id_dsa 209.It Pa ~/.ssh/id_ecdsa 210.It Pa ~/.ssh/id_ecdsa_sk 211.It Pa ~/.ssh/id_ed25519 212.It Pa ~/.ssh/id_ed25519_sk 213.It Pa ~/.ssh/id_rsa 214Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, 215authenticator-hosted Ed25519 or RSA authentication identity of the user. 216.El 217.Pp 218Identity files should not be readable by anyone but the user. 219Note that 220.Nm 221ignores identity files if they are accessible by others. 222.Sh EXIT STATUS 223Exit status is 0 on success, 1 if the specified command fails, 224and 2 if 225.Nm 226is unable to contact the authentication agent. 227.Sh SEE ALSO 228.Xr ssh 1 , 229.Xr ssh-agent 1 , 230.Xr ssh-askpass 1 , 231.Xr ssh-keygen 1 , 232.Xr sshd 8 233.Sh AUTHORS 234OpenSSH is a derivative of the original and free 235ssh 1.2.12 release by Tatu Ylonen. 236Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 237Theo de Raadt and Dug Song 238removed many bugs, re-added newer features and 239created OpenSSH. 240Markus Friedl contributed the support for SSH 241protocol versions 1.5 and 2.0. 242