NAME¶
ssh-add —
adds private key identities
to the authentication agent
SYNOPSIS¶
ssh-add |
[-cDdkLlXx]
[-t life]
[file ...] |
DESCRIPTION¶
ssh-add adds private key identities to the authentication
agent,
ssh-agent(1). When run without arguments, it adds the
files
~/.ssh/id_rsa,
~/.ssh/id_dsa,
~/.ssh/id_ecdsa and
~/.ssh/identity. After
loading a private key,
ssh-add will try to load
corresponding certificate information from the filename obtained by appending
-cert.pub to the name of the private key file. Alternative
file names can be given on the command line.
If any file requires a passphrase,
ssh-add asks for the
passphrase from the user. The passphrase is read from the user's tty.
ssh-add retries the last passphrase if multiple identity
files are given.
The authentication agent must be running and the
SSH_AUTH_SOCK
environment variable must contain the
name of its socket for
ssh-add to work.
Any keys recorded in the blacklist of known-compromised keys (see
ssh-vulnkey(1)) will be refused.
The options are as follows:
- -c
- Indicates that added identities should be subject to
confirmation before being used for authentication. Confirmation is
performed by the
SSH_ASKPASS
program mentioned
below. Successful confirmation is signaled by a zero exit status from the
SSH_ASKPASS
program, rather than text entered into
the requester.
- -D
- Deletes all identities from the agent.
- -d
- Instead of adding identities, removes identities from the
agent. If ssh-add has been run without arguments, the
keys for the default identities will be removed. Otherwise, the argument
list will be interpreted as a list of paths to public key files and
matching keys will be removed from the agent. If no public key is found at
a given path, ssh-add will append .pub
and retry.
- -e
pkcs11
- Remove keys provided by the PKCS#11 shared library
pkcs11.
- -k
- When loading keys into the agent, load plain private keys
only and skip certificates.
- -L
- Lists public key parameters of all identities currently
represented by the agent.
- -l
- Lists fingerprints of all identities currently represented
by the agent.
- -s
pkcs11
- Add keys provided by the PKCS#11 shared library
pkcs11.
- -t
life
- Set a maximum lifetime when adding identities to an agent.
The lifetime may be specified in seconds or in a time format specified in
sshd_config(5).
- -X
- Unlock the agent.
- -x
- Lock the agent with a password.
ENVIRONMENT¶
DISPLAY and
SSH_ASKPASS
- If ssh-add needs a passphrase, it will
read the passphrase from the current terminal if it was run from a
terminal. If ssh-add does not have a terminal associated
with it but
DISPLAY
and
SSH_ASKPASS
are set, it will execute the program
specified by SSH_ASKPASS
and open an X11 window to
read the passphrase. This is particularly useful when calling
ssh-add from a .xsession or related
script. (Note that on some machines it may be necessary to redirect the
input from /dev/null to make this work.)
SSH_AUTH_SOCK
- Identifies the path of a
UNIX-domain socket used to communicate with the
agent.
FILES¶
- ~/.ssh/identity
- Contains the protocol version 1 RSA authentication identity
of the user.
- ~/.ssh/id_dsa
- Contains the protocol version 2 DSA authentication identity
of the user.
- ~/.ssh/id_ecdsa
- Contains the protocol version 2 ECDSA authentication
identity of the user.
- ~/.ssh/id_rsa
- Contains the protocol version 2 RSA authentication identity
of the user.
Identity files should not be readable by anyone but the user. Note that
ssh-add ignores identity files if they are accessible by
others.
EXIT STATUS¶
Exit status is 0 on success, 1 if the specified command fails, and 2 if
ssh-add is unable to contact the authentication agent.
SEE ALSO¶
ssh(1),
ssh-agent(1),
ssh-keygen(1),
ssh-vulnkey(1),
sshd(8)
AUTHORS¶
OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu
Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt
and Dug Song removed many bugs, re-added newer features and created OpenSSH.
Markus Friedl contributed the support for SSH protocol versions 1.5 and
2.0.