1SSH-ADD(1) BSD General Commands Manual SSH-ADD(1)
2
4 ssh-add — adds private key identities to the authentication agent
5
7 ssh-add [-cDdkLlXx] [-E fingerprint_hash] [-t life] [file ...]
8 ssh-add -s pkcs11
9 ssh-add -e pkcs11
10
12 ssh-add adds private key identities to the authentication agent,
13 ssh-agent(1). When run without arguments, it adds the files
14 ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and
15 ~/.ssh/identity. After loading a private key, ssh-add will try to load
16 corresponding certificate information from the filename obtained by
17 appending -cert.pub to the name of the private key file. Alternative
18 file names can be given on the command line.
19 If any file requires a passphrase, ssh-add asks for the passphrase from
21 the user. The passphrase is read from the user's tty. ssh-add retries
22 the last passphrase if multiple identity files are given.
23 The authentication agent must be running and the SSH_AUTH_SOCK environ‐
25 ment variable must contain the name of its socket for ssh-add to work.
26 The options are as follows:
28 -c Indicates that added identities should be subject to confirmation
30 before being used for authentication. Confirmation is performed
31 by ssh-askpass(1). Successful confirmation is signaled by a zero
32 exit status from ssh-askpass(1), rather than text entered into
33 the requester.
34 -D Deletes all identities from the agent.
36 -d Instead of adding identities, removes identities from the agent.
38 If ssh-add has been run without arguments, the keys for the
39 default identities and their corresponding certificates will be
40 removed. Otherwise, the argument list will be interpreted as a
41 list of paths to public key files to specify keys and certifi‐
42 cates to be removed from the agent. If no public key is found at
43 a given path, ssh-add will append .pub and retry.
44 -E fingerprint_hash
46 Specifies the hash algorithm used when displaying key finger‐
47 prints. Valid options are: “md5” and “sha256”. The default is
48 “sha256”.
49 -e pkcs11
51 Remove keys provided by the PKCS#11 shared library pkcs11.
52 -k When loading keys into or deleting keys from the agent, process
54 plain private keys only and skip certificates.
55 -L Lists public key parameters of all identities currently repre‐
57 sented by the agent.
58 -l Lists fingerprints of all identities currently represented by the
60 agent.
61 -s pkcs11
63 Add keys provided by the PKCS#11 shared library pkcs11.
64 -t life
66 Set a maximum lifetime when adding identities to an agent. The
67 lifetime may be specified in seconds or in a time format speci‐
68 fied in sshd_config(5).
69 -X Unlock the agent.
71 -x Lock the agent with a password.
73
75 DISPLAY and SSH_ASKPASS
76 If ssh-add needs a passphrase, it will read the passphrase from
77 the current terminal if it was run from a terminal. If ssh-add
78 does not have a terminal associated with it but DISPLAY and
79 SSH_ASKPASS are set, it will execute the program specified by
80 SSH_ASKPASS (by default “ssh-askpass”) and open an X11 window to
81 read the passphrase. This is particularly useful when calling
82 ssh-add from a .xsession or related script. (Note that on some
83 machines it may be necessary to redirect the input from /dev/null
84 to make this work.)
85 SSH_AUTH_SOCK
87 Identifies the path of a UNIX-domain socket used to communicate
88 with the agent.
89 SSH_USE_STRONG_RNG
91 The reseeding of the OpenSSL random generator is usually done
92 from /dev/urandom. If the SSH_USE_STRONG_RNG environment vari‐
93 able is set to value other than 0 the OpenSSL random generator is
94 reseeded from /dev/random. The number of bytes read is defined
95 by the SSH_USE_STRONG_RNG value. Minimum is 14 bytes. This set‐
96 ting is not recommended on the computers without the hardware
97 random generator because insufficient entropy causes the connec‐
98 tion to be blocked until enough entropy is available.
99
101 ~/.ssh/identity
102 Contains the protocol version 1 RSA authentication identity of
103 the user.
104 ~/.ssh/id_dsa
106 Contains the protocol version 2 DSA authentication identity of
107 the user.
108 ~/.ssh/id_ecdsa
110 Contains the protocol version 2 ECDSA authentication identity of
111 the user.
112 ~/.ssh/id_ed25519
114 Contains the protocol version 2 Ed25519 authentication identity
115 of the user.
116 ~/.ssh/id_rsa
118 Contains the protocol version 2 RSA authentication identity of
119 the user.
120 Identity files should not be readable by anyone but the user. Note that
122 ssh-add ignores identity files if they are accessible by others.
123
125 Exit status is 0 on success, 1 if the specified command fails, and 2 if
126 ssh-add is unable to contact the authentication agent.
127
129 ssh(1), ssh-agent(1), ssh-askpass(1), ssh-keygen(1), sshd(8)
130
132 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
133 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
134 de Raadt and Dug Song removed many bugs, re-added newer features and cre‐
135 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
136 versions 1.5 and 2.0.
137BSD June 21, 2019 BSD