SSH-ADD(1)                 OpenBSD Reference Manual                 SSH-ADD(1)

NAME
     ssh-add - adds private key identities to the authentication agent

SYNOPSIS
     ssh-add [-cDdkLlXx] [-t life] [file ...]
     ssh-add -s pkcs11
     ssh-add -e pkcs11

DESCRIPTION
     ssh-add adds private key identities to the authentication agent,
     ssh-agent(1).  When run without arguments, it adds the files
     ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and
     ~/.ssh/identity.  After loading a private key, ssh-add will try to load
     corresponding certificate information from the filename obtained by
     appending -cert.pub to the name of the private key file.  Alternative
     file names can be given on the command line.

     If any file requires a passphrase, ssh-add asks for the passphrase from
     the user.  The passphrase is read from the user's tty.  ssh-add retries
     the last passphrase if multiple identity files are given.

     The authentication agent must be running and the SSH_AUTH_SOCK
     environment variable must contain the name of its socket for ssh-add to
     work.

     The options are as follows:

     -c      Indicates that added identities should be subject to confirmation
             before being used for authentication.  Confirmation is performed
             by the SSH_ASKPASS program mentioned below.  Successful
             confirmation is signaled by a zero exit status from the
             SSH_ASKPASS program, rather than text entered into the requester.

     -D      Deletes all identities from the agent.

     -d      Instead of adding identities, removes identities from the agent.
             If ssh-add has been run without arguments, the keys for the
             default identities and their corresponding certificates will be
             removed.  Otherwise, the argument list will be interpreted as a
             list of paths to public key files to specify keys and
             certificates to be removed from the agent.  If no public key is
             found at a given path, ssh-add will append .pub and retry.

     -e pkcs11
             Remove keys provided by the PKCS#11 shared library pkcs11.

     -k      When loading keys into or deleting keys from the agent, process
             plain private keys only and skip certificates.

     -L      Lists public key parameters of all identities currently
             represented by the agent.

     -l      Lists fingerprints of all identities currently represented by the
             agent.

     -s pkcs11
             Add keys provided by the PKCS#11 shared library pkcs11.

     -t life
             Set a maximum lifetime when adding identities to an agent.  The
             lifetime may be specified in seconds or in a time format
             specified in sshd_config(5).

     -X      Unlock the agent.

     -x      Lock the agent with a password.

ENVIRONMENT
     DISPLAY and SSH_ASKPASS
             If ssh-add needs a passphrase, it will read the passphrase from
             the current terminal if it was run from a terminal.  If ssh-add
             does not have a terminal associated with it but DISPLAY and
             SSH_ASKPASS are set, it will execute the program specified by
             SSH_ASKPASS and open an X11 window to read the passphrase.  This
             is particularly useful when calling ssh-add from a .xsession or
             related script.  (Note that on some machines it may be necessary
             to redirect the input from /dev/null to make this work.)

     SSH_AUTH_SOCK
             Identifies the path of a UNIX-domain socket used to communicate
             with the agent.

FILES
     ~/.ssh/identity
             Contains the protocol version 1 RSA authentication identity of
             the user.

     ~/.ssh/id_dsa
             Contains the protocol version 2 DSA authentication identity of
             the user.

     ~/.ssh/id_ecdsa
             Contains the protocol version 2 ECDSA authentication identity of
             the user.

     ~/.ssh/id_ed25519
             Contains the protocol version 2 ED25519 authentication identity
             of the user.

     ~/.ssh/id_rsa
             Contains the protocol version 2 RSA authentication identity of
             the user.

     Identity files should not be readable by anyone but the user.  Note that
     ssh-add ignores identity files if they are accessible by others.

EXIT STATUS
     Exit status is 0 on success, 1 if the specified command fails, and 2 if
     ssh-add is unable to contact the authentication agent.
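
     The following wrapper is an added example, not part of the OpenSSH
     manual or distribution.  It checks the identity file permissions and
     SSH_AUTH_SOCK before calling ssh-add -c -t, and reports the exit status
     using the meanings above.  The function names are hypothetical, and
     "accessible by others" is assumed to mean any group or other mode bit.

```shell
#!/bin/sh
# Added example (not from the OpenSSH distribution). Preflight checks that
# mirror the FILES and EXIT STATUS notes before calling ssh-add.

# 0 if $1 is a regular file with no group/other permission bits set.
# Assumption: "accessible by others" is read strictly as any g/o bit.
key_perms_ok() {
    [ -f "$1" ] || return 1
    # ls -l mode string: chars 5-10 are the group and other triplets.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# 0 if SSH_AUTH_SOCK names an existing UNIX-domain socket.
agent_reachable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Map the documented exit statuses to text for logs.
explain_status() {
    case "$1" in
        0) echo "success" ;;
        1) echo "specified command failed" ;;
        2) echo "unable to contact the authentication agent" ;;
        *) echo "undocumented status $1" ;;
    esac
}

# add_key FILE LIFE: add FILE with per-use confirmation (-c) and a
# maximum lifetime (-t). Returns 1 or 2 early, using the same meanings
# as ssh-add, when a preflight check fails.
add_key() {
    key=$1 life=$2
    if ! key_perms_ok "$key"; then
        echo "refusing $key: missing or accessible by group/other" >&2
        return 1
    fi
    if ! agent_reachable; then
        echo "SSH_AUTH_SOCK is unset or not a socket" >&2
        return 2
    fi
    rc=0
    ssh-add -c -t "$life" "$key" || rc=$?
    echo "ssh-add: $(explain_status "$rc")" >&2
    return "$rc"
}

# Usage: add_key "$HOME/.ssh/id_ed25519" 3600
```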

SEE ALSO
     ssh(1), ssh-agent(1), ssh-keygen(1), sshd(8)

AUTHORS
     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
     Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
     de Raadt and Dug Song removed many bugs, re-added newer features and
     created OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.

OpenBSD 5.5                    December 7, 2013                    OpenBSD 5.5