xref: /netbsd-src/crypto/external/bsd/openssh/dist/ssh-add.1 (revision e89934bbf778a6d6d6894877c4da59d0c7835b0f) 
1.\"	$NetBSD: ssh-add.1,v 1.11 2016/12/25 00:07:47 christos Exp $
2.\"	$OpenBSD: ssh-add.1,v 1.62 2015/03/30 18:28:37 jmc Exp $
3.\"
4.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
5.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6.\"                    All rights reserved
7.\"
8.\" As far as I am concerned, the code I have written for this software
9.\" can be used freely for any purpose.  Any derived versions of this
10.\" software must be clearly marked as such, and if the derived work is
11.\" incompatible with the protocol description in the RFC file, it must be
12.\" called by a name other than "ssh" or "Secure Shell".
13.\"
14.\"
15.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
16.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
17.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
18.\"
19.\" Redistribution and use in source and binary forms, with or without
20.\" modification, are permitted provided that the following conditions
21.\" are met:
22.\" 1. Redistributions of source code must retain the above copyright
23.\"    notice, this list of conditions and the following disclaimer.
24.\" 2. Redistributions in binary form must reproduce the above copyright
25.\"    notice, this list of conditions and the following disclaimer in the
26.\"    documentation and/or other materials provided with the distribution.
27.\"
28.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
29.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
30.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
31.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
32.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
33.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
34.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
35.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
36.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38.\"
39.Dd March 30 2015
40.Dt SSH-ADD 1
41.Os
42.Sh NAME
43.Nm ssh-add
44.Nd adds private key identities to the authentication agent
45.Sh SYNOPSIS
46.Nm ssh-add
47.Op Fl cDdkLlXx
48.Op Fl E Ar fingerprint_hash
49.Op Fl t Ar life
50.Op Ar
51.Nm ssh-add
52.Fl s Ar pkcs11
53.Nm ssh-add
54.Fl e Ar pkcs11
55.Sh DESCRIPTION
56.Nm
57adds private key identities to the authentication agent,
58.Xr ssh-agent 1 .
59When run without arguments, it adds the files
60.Pa ~/.ssh/id_rsa ,
61.Pa ~/.ssh/id_dsa ,
62.Pa ~/.ssh/id_ecdsa ,
63.Pa ~/.ssh/id_ed25519
64and
65.Pa ~/.ssh/identity .
66After loading a private key,
67.Nm
68will try to load corresponding certificate information from the
69filename obtained by appending
70.Pa -cert.pub
71to the name of the private key file.
72Alternative file names can be given on the command line.
73.Pp
74If any file requires a passphrase,
75.Nm
76asks for the passphrase from the user.
77The passphrase is read from the user's tty.
78.Nm
79retries the last passphrase if multiple identity files are given.
80.Pp
81The authentication agent must be running and the
82.Ev SSH_AUTH_SOCK
83environment variable must contain the name of its socket for
84.Nm
85to work.
86.Pp
87The options are as follows:
88.Bl -tag -width Ds
89.It Fl c
90Indicates that added identities should be subject to confirmation before
91being used for authentication.
92Confirmation is performed by
93.Xr ssh-askpass 1 .
94Successful confirmation is signaled by a zero exit status from
95.Xr ssh-askpass 1 ,
96rather than text entered into the requester.
97.It Fl D
98Deletes all identities from the agent.
99.It Fl d
100Instead of adding identities, removes identities from the agent.
101If
102.Nm
103has been run without arguments, the keys for the default identities and
104their corresponding certificates will be removed.
105Otherwise, the argument list will be interpreted as a list of paths to
106public key files to specify keys and certificates to be removed from the agent.
107If no public key is found at a given path,
108.Nm
109will append
110.Pa .pub
111and retry.
112.It Fl E Ar fingerprint_hash
113Specifies the hash algorithm used when displaying key fingerprints.
114Valid options are:
115.Dq md5
116and
117.Dq sha256 .
118The default is
119.Dq sha256 .
120.It Fl e Ar pkcs11
121Remove keys provided by the PKCS#11 shared library
122.Ar pkcs11 .
123.It Fl k
124When loading keys into or deleting keys from the agent, process plain private
125keys only and skip certificates.
126.It Fl L
127Lists public key parameters of all identities currently represented
128by the agent.
129.It Fl l
130Lists fingerprints of all identities currently represented by the agent.
131.It Fl s Ar pkcs11
132Add keys provided by the PKCS#11 shared library
133.Ar pkcs11 .
134.It Fl t Ar life
135Set a maximum lifetime when adding identities to an agent.
136The lifetime may be specified in seconds or in a time format
137specified in
138.Xr sshd_config 5 .
139.It Fl X
140Unlock the agent.
141.It Fl x
142Lock the agent with a password.
143.El
144.Sh ENVIRONMENT
145.Bl -tag -width Ds
146.It Ev "DISPLAY" and "SSH_ASKPASS"
147If
148.Nm
149needs a passphrase, it will read the passphrase from the current
150terminal if it was run from a terminal.
151If
152.Nm
153does not have a terminal associated with it but
154.Ev DISPLAY
155and
156.Ev SSH_ASKPASS
157are set, it will execute the program specified by
158.Ev SSH_ASKPASS
159(by default
160.Dq ssh-askpass )
161and open an X11 window to read the passphrase.
162This is particularly useful when calling
163.Nm
164from a
165.Pa .xsession
166or related script.
167(Note that on some machines it
168may be necessary to redirect the input from
169.Pa /dev/null
170to make this work.)
171.It Ev SSH_AUTH_SOCK
172Identifies the path of a
173.Ux Ns -domain
174socket used to communicate with the agent.
175.El
176.Sh FILES
177.Bl -tag -width Ds
178.It Pa ~/.ssh/identity
179Contains the protocol version 1 RSA authentication identity of the user.
180.It Pa ~/.ssh/id_dsa
181Contains the protocol version 2 DSA authentication identity of the user.
182.It Pa ~/.ssh/id_ecdsa
183Contains the protocol version 2 ECDSA authentication identity of the user.
184.It Pa ~/.ssh/id_ed25519
185Contains the protocol version 2 Ed25519 authentication identity of the user.
186.It Pa ~/.ssh/id_rsa
187Contains the protocol version 2 RSA authentication identity of the user.
188.El
189.Pp
190Identity files should not be readable by anyone but the user.
191Note that
192.Nm
193ignores identity files if they are accessible by others.
194.Sh EXIT STATUS
195Exit status is 0 on success, 1 if the specified command fails,
196and 2 if
197.Nm
198is unable to contact the authentication agent.
199.Sh SEE ALSO
200.Xr ssh 1 ,
201.Xr ssh-agent 1 ,
202.Xr ssh-askpass 1 ,
203.Xr ssh-keygen 1 ,
204.Xr sshd 8
205.Sh AUTHORS
206OpenSSH is a derivative of the original and free
207ssh 1.2.12 release by Tatu Ylonen.
208Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
209Theo de Raadt and Dug Song
210removed many bugs, re-added newer features and
211created OpenSSH.
212Markus Friedl contributed the support for SSH
213protocol versions 1.5 and 2.0.
214