SSH-ADD(1)                BSD General Commands Manual               SSH-ADD(1)

NAME

     ssh-add — adds private key identities to the OpenSSH authentication agent

SYNOPSIS

     ssh-add [-cDdKkLlqvXx] [-E fingerprint_hash] [-H hostkey_file]
             [-h destination_constraint] [-S provider] [-t life] [file ...]
     ssh-add -s pkcs11
     ssh-add -e pkcs11
     ssh-add -T pubkey ...

DESCRIPTION

     ssh-add adds private key identities to the authentication agent,
     ssh-agent(1).  When run without arguments, it adds the files
     ~/.ssh/id_rsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519,
     ~/.ssh/id_ed25519_sk, and ~/.ssh/id_dsa.  After loading a private key,
     ssh-add will try to load corresponding certificate information from the
     filename obtained by appending -cert.pub to the name of the private key
     file.  Alternative file names can be given on the command line.

     If any file requires a passphrase, ssh-add asks for the passphrase from
     the user.  The passphrase is read from the user's tty.  ssh-add retries
     the last passphrase if multiple identity files are given.

     The authentication agent must be running and the SSH_AUTH_SOCK
     environment variable must contain the name of its socket for ssh-add to
     work.

     The options are as follows:

     -c      Indicates that added identities should be subject to confirmation
             before being used for authentication.  Confirmation is performed
             by ssh-askpass(1).  Successful confirmation is signaled by a zero
             exit status from ssh-askpass(1), rather than text entered into
             the requester.

     -D      Deletes all identities from the agent.

     -d      Instead of adding identities, removes identities from the agent.
             If ssh-add has been run without arguments, the keys for the
             default identities and their corresponding certificates will be
             removed.  Otherwise, the argument list will be interpreted as a
             list of paths to public key files to specify keys and
             certificates to be removed from the agent.  If no public key is
             found at a given path, ssh-add will append .pub and retry.  If
             the argument list consists of “-” then ssh-add will read public
             keys to be removed from standard input.

     -E fingerprint_hash
             Specifies the hash algorithm used when displaying key
             fingerprints.  Valid options are: “md5” and “sha256”.  The
             default is “sha256”.

     -e pkcs11
             Remove keys provided by the PKCS#11 shared library pkcs11.

     -H hostkey_file
             Specifies a known hosts file to look up hostkeys when using
             destination-constrained keys via the -h flag.  This option may be
             specified multiple times to allow multiple files to be searched.
             If no files are specified, ssh-add will use the default
             ssh_config(5) known hosts files: ~/.ssh/known_hosts,
             ~/.ssh/known_hosts2, /etc/ssh/ssh_known_hosts, and
             /etc/ssh/ssh_known_hosts2.

     -h destination_constraint
             When adding keys, constrain them to be usable only through
             specific hosts or to specific destinations.

             Destination constraints of the form ‘[user@]dest-hostname’ permit
             use of the key only from the origin host (the one running
             ssh-agent(1)) to the listed destination host, with optional user
             name.

             Constraints of the form ‘src-hostname>[user@]dst-hostname’ allow
             a key available on a forwarded ssh-agent(1) to be used through a
             particular host (as specified by ‘src-hostname’) to authenticate
             to a further host, specified by ‘dst-hostname’.

             Multiple destination constraints may be added when loading keys.
             When attempting authentication with a key that has destination
             constraints, the whole connection path, including ssh-agent(1)
             forwarding, is tested against those constraints and each hop must
             be permitted for the attempt to succeed.  For example, if a key
             is forwarded to a remote host, ‘host-b’, and is attempting
             authentication to another host, ‘host-c’, then the operation
             will be successful only if ‘host-b’ was permitted from the origin
             host and the subsequent ‘host-b>host-c’ hop is also permitted by
             destination constraints.

             Hosts are identified by their host keys, and are looked up from
             known hosts files by ssh-add.  Wildcard patterns may be used for
             hostnames and certificate host keys are supported.  By default,
             keys added by ssh-add are not destination constrained.

             Destination constraints were added in OpenSSH release 8.9.
             Support in both the remote SSH client and server is required when
             using destination-constrained keys over a forwarded ssh-agent(1)
             channel.

             It is also important to note that destination constraints can
             only be enforced by ssh-agent(1) when a key is used, or when it
             is forwarded by a cooperating ssh(1).  Specifically, it does not
             prevent an attacker with access to a remote SSH_AUTH_SOCK from
             forwarding it again and using it on a different host (but only to
             a permitted destination).

     -K      Load resident keys from a FIDO authenticator.

     -k      When loading keys into or deleting keys from the agent, process
             plain private keys only and skip certificates.

     -L      Lists public key parameters of all identities currently
             represented by the agent.

     -l      Lists fingerprints of all identities currently represented by the
             agent.

     -q      Be quiet after a successful operation.

     -S provider
             Specifies a path to a library that will be used when adding FIDO
             authenticator-hosted keys, overriding the default of using the
             internal USB HID support.

     -s pkcs11
             Add keys provided by the PKCS#11 shared library pkcs11.

     -T pubkey ...
             Tests whether the private keys that correspond to the specified
             pubkey files are usable by performing sign and verify operations
             on each.

     -t life
             Set a maximum lifetime when adding identities to an agent.  The
             lifetime may be specified in seconds or in a time format
             specified in sshd_config(5).

     -v      Verbose mode.  Causes ssh-add to print debugging messages about
             its progress.  This is helpful in debugging problems.  Multiple
             -v options increase the verbosity.  The maximum is 3.

     -X      Unlock the agent.

     -x      Lock the agent with a password.

ENVIRONMENT

     DISPLAY, SSH_ASKPASS and SSH_ASKPASS_REQUIRE
             If ssh-add needs a passphrase, it will read the passphrase from
             the current terminal if it was run from a terminal.  If ssh-add
             does not have a terminal associated with it but DISPLAY and
             SSH_ASKPASS are set, it will execute the program specified by
             SSH_ASKPASS (by default “ssh-askpass”) and open an X11 window to
             read the passphrase.  This is particularly useful when calling
             ssh-add from a .xsession or related script.

             SSH_ASKPASS_REQUIRE allows further control over the use of an
             askpass program.  If this variable is set to “never” then ssh-add
             will never attempt to use one.  If it is set to “prefer”, then
             ssh-add will prefer to use the askpass program instead of the TTY
             when requesting passwords.  Finally, if the variable is set to
             “force”, then the askpass program will be used for all passphrase
             input regardless of whether DISPLAY is set.

     SSH_AUTH_SOCK
             Identifies the path of a UNIX-domain socket used to communicate
             with the agent.

     SSH_SK_PROVIDER
             Specifies a path to a library that will be used when loading any
             FIDO authenticator-hosted keys, overriding the default of using
             the built-in USB HID support.

FILES

     ~/.ssh/id_dsa
     ~/.ssh/id_ecdsa
     ~/.ssh/id_ecdsa_sk
     ~/.ssh/id_ed25519
     ~/.ssh/id_ed25519_sk
     ~/.ssh/id_rsa
             Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
             authenticator-hosted Ed25519 or RSA authentication identity of
             the user.

     Identity files should not be readable by anyone but the user.  Note that
     ssh-add ignores identity files if they are accessible by others.
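
     The permission rule above can be checked before any key is handed to the
     agent.  As an added example (not part of the OpenSSH manual page), a POSIX
     shell script that applies the owner-only test to the default identity file
     names listed in this section and prints the files ssh-add would ignore;
     the temporary directory and the empty sample files are constructed for the
     demonstration and are not real keys.

```sh
#!/bin/sh
# Added example: report identity files that ssh-add would ignore because
# they are accessible by others (any group or other permission bit set).

# identity_too_open FILE
#   Returns 0 when FILE has any group/other permission bit set,
#   1 when only the owner has access, 2 when FILE cannot be examined.
identity_too_open() {
    # POSIX `ls -l` prints the 10-character mode string first; characters
    # 5 to 10 are the group and other rwx fields.
    mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ -n "$mode" ] || return 2
    case $mode in
        ------) return 1 ;;     # owner-only, e.g. mode 0600 or 0400
        *)      return 0 ;;     # something is open to group or others
    esac
}

# unprotected_identities DIR
#   Prints the path of every default identity file in DIR whose mode would
#   make ssh-add refuse it.  Files that do not exist are skipped silently.
#   Always returns 0 so it can be used in a command substitution.
unprotected_identities() {
    for name in id_rsa id_ecdsa id_ecdsa_sk id_ed25519 id_ed25519_sk id_dsa; do
        f="$1/$name"
        [ -f "$f" ] || continue
        if identity_too_open "$f"; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Demonstration on constructed, empty files in a temporary directory.
demo_dir=$(mktemp -d)
: > "$demo_dir/id_ed25519"; chmod 600 "$demo_dir/id_ed25519"   # owner-only
: > "$demo_dir/id_rsa";     chmod 644 "$demo_dir/id_rsa"       # world-readable
unprotected_identities "$demo_dir"      # lists only .../id_rsa
rm -rf "$demo_dir"
```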

EXIT STATUS

     Exit status is 0 on success, 1 if the specified command fails, and 2 if
     ssh-add is unable to contact the authentication agent.

SEE ALSO

     ssh(1), ssh-agent(1), ssh-askpass(1), ssh-keygen(1), sshd(8)

AUTHORS

     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
     Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
     de Raadt and Dug Song removed many bugs, re-added newer features and
     created OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.

BSD                            February 4, 2022                            BSD