Annotation of src/usr.bin/ssh/ssh-add.1, Revision 1.70
1.70 ! djm 1: .\" $OpenBSD: ssh-add.1,v 1.69 2019/01/21 12:53:35 djm Exp $
1.1 deraadt 2: .\"
3: .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4: .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5: .\" All rights reserved
6: .\"
1.17 deraadt 7: .\" As far as I am concerned, the code I have written for this software
8: .\" can be used freely for any purpose. Any derived versions of this
9: .\" software must be clearly marked as such, and if the derived work is
10: .\" incompatible with the protocol description in the RFC file, it must be
11: .\" called by a name other than "ssh" or "Secure Shell".
12: .\"
13: .\"
1.22 deraadt 14: .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
15: .\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
16: .\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
1.17 deraadt 17: .\"
18: .\" Redistribution and use in source and binary forms, with or without
19: .\" modification, are permitted provided that the following conditions
20: .\" are met:
21: .\" 1. Redistributions of source code must retain the above copyright
22: .\" notice, this list of conditions and the following disclaimer.
23: .\" 2. Redistributions in binary form must reproduce the above copyright
24: .\" notice, this list of conditions and the following disclaimer in the
25: .\" documentation and/or other materials provided with the distribution.
1.1 deraadt 26: .\"
1.17 deraadt 27: .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
28: .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
29: .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
30: .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
31: .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
32: .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
33: .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
34: .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
35: .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36: .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.1 deraadt 37: .\"
1.69 djm 38: .Dd $Mdocdate: January 21 2019 $
1.2 deraadt 39: .Dt SSH-ADD 1
40: .Os
41: .Sh NAME
42: .Nm ssh-add
1.53 djm 43: .Nd adds private key identities to the authentication agent
1.2 deraadt 44: .Sh SYNOPSIS
45: .Nm ssh-add
1.69 djm 46: .Op Fl cDdkLlqvXx
1.61 djm 47: .Op Fl E Ar fingerprint_hash
1.33 markus 48: .Op Fl t Ar life
1.70 ! djm 49: .Op Fl S Ar provider
1.2 deraadt 50: .Op Ar
1.26 jakob 51: .Nm ssh-add
1.50 jmc 52: .Fl s Ar pkcs11
1.26 jakob 53: .Nm ssh-add
1.50 jmc 54: .Fl e Ar pkcs11
1.67 djm 55: .Nm ssh-add
56: .Fl T
1.68 jmc 57: .Ar pubkey ...
1.12 aaron 58: .Sh DESCRIPTION
1.2 deraadt 59: .Nm
1.53 djm 60: adds private key identities to the authentication agent,
1.2 deraadt 61: .Xr ssh-agent 1 .
1.28 djm 62: When run without arguments, it adds the files
1.43 djm 63: .Pa ~/.ssh/id_rsa ,
1.53 djm 64: .Pa ~/.ssh/id_dsa ,
1.59 naddy 65: .Pa ~/.ssh/id_ecdsa ,
1.28 djm 66: and
1.63 jmc 67: .Pa ~/.ssh/id_ed25519 .
1.52 djm 68: After loading a private key,
69: .Nm
70: will try to load corresponding certificate information from the
71: filename obtained by appending
72: .Pa -cert.pub
73: to the name of the private key file.
1.11 aaron 74: Alternative file names can be given on the command line.
1.52 djm 75: .Pp
1.11 aaron 76: If any file requires a passphrase,
1.2 deraadt 77: .Nm
1.12 aaron 78: asks for the passphrase from the user.
1.25 stevesk 79: The passphrase is read from the user's tty.
1.23 markus 80: .Nm
81: retries the last passphrase if multiple identity files are given.
1.2 deraadt 82: .Pp
1.40 matthieu 83: The authentication agent must be running and the
84: .Ev SSH_AUTH_SOCK
85: environment variable must contain the name of its socket for
1.2 deraadt 86: .Nm
1.1 deraadt 87: to work.
1.2 deraadt 88: .Pp
89: The options are as follows:
90: .Bl -tag -width Ds
1.36 markus 91: .It Fl c
92: Indicates that added identities should be subject to confirmation before
1.38 jmc 93: being used for authentication.
1.62 jmc 94: Confirmation is performed by
95: .Xr ssh-askpass 1 .
96: Successful confirmation is signaled by a zero exit status from
97: .Xr ssh-askpass 1 ,
98: rather than text entered into the requester.
1.42 jmc 99: .It Fl D
100: Deletes all identities from the agent.
101: .It Fl d
1.46 jmc 102: Instead of adding identities, removes identities from the agent.
1.45 djm 103: If
104: .Nm
1.57 djm 105: has been run without arguments, the keys for the default identities and
1.58 jmc 106: their corresponding certificates will be removed.
1.45 djm 107: Otherwise, the argument list will be interpreted as a list of paths to
1.57 djm 108: public key files to specify keys and certificates to be removed from the agent.
1.45 djm 109: If no public key is found at a given path,
110: .Nm
111: will append
112: .Pa .pub
113: and retry.
1.61 djm 114: .It Fl E Ar fingerprint_hash
115: Specifies the hash algorithm used when displaying key fingerprints.
116: Valid options are:
117: .Dq md5
118: and
119: .Dq sha256 .
120: The default is
121: .Dq sha256 .
1.49 markus 122: .It Fl e Ar pkcs11
1.51 markus 123: Remove keys provided by the PKCS#11 shared library
1.49 markus 124: .Ar pkcs11 .
1.56 djm 125: .It Fl k
1.57 djm 126: When loading keys into or deleting keys from the agent, process plain private
127: keys only and skip certificates.
1.42 jmc 128: .It Fl L
129: Lists public key parameters of all identities currently represented
130: by the agent.
131: .It Fl l
132: Lists fingerprints of all identities currently represented by the agent.
1.66 jmc 133: .It Fl q
134: Be quiet after a successful operation.
1.49 markus 135: .It Fl s Ar pkcs11
1.51 markus 136: Add keys provided by the PKCS#11 shared library
1.49 markus 137: .Ar pkcs11 .
1.70 ! djm 138: .It Fl S Ar provider
! 139: Specifies the path to a security key provider library used when adding
! 140: keys hosted on a security key.
! 141: This overrides the
! 142: .Ev SSH_SK_PROVIDER
! 143: environment variable, which otherwise selects the provider.
1.68 jmc 143: .It Fl T Ar pubkey ...
1.67 djm 144: Tests whether the private keys that correspond to the specified
145: .Ar pubkey
146: files are usable by performing sign and verify operations on each.
1.42 jmc 147: .It Fl t Ar life
148: Set a maximum lifetime when adding identities to an agent.
149: The lifetime may be specified in seconds or in a time format
150: specified in
151: .Xr sshd_config 5 .
1.69 djm 152: .It Fl v
153: Verbose mode.
154: Causes
155: .Nm
156: to print debugging messages about its progress.
157: This is helpful in debugging problems.
158: Multiple
159: .Fl v
160: options increase the verbosity.
161: The maximum is 3.
1.42 jmc 162: .It Fl X
163: Unlock the agent.
164: .It Fl x
165: Lock the agent with a password.
1.2 deraadt 166: .El
1.9 markus 167: .Sh ENVIRONMENT
168: .Bl -tag -width Ds
169: .It Ev "DISPLAY" and "SSH_ASKPASS"
1.1 deraadt 170: If
1.2 deraadt 171: .Nm
1.1 deraadt 172: needs a passphrase, it will read the passphrase from the current
1.11 aaron 173: terminal if it was run from a terminal.
174: If
1.2 deraadt 175: .Nm
1.1 deraadt 176: does not have a terminal associated with it but
1.2 deraadt 177: .Ev DISPLAY
1.8 markus 178: is set, it will execute the program named by
179: .Ev SSH_ASKPASS ,
180: or
1.62 jmc 181: .Dq ssh-askpass
182: if that variable is unset,
1.11 aaron 183: and open an X11 window to read the passphrase.
185: This is particularly useful when calling
1.2 deraadt 186: .Nm
187: from a
1.41 jmc 188: .Pa .xsession
1.11 aaron 189: or related script.
190: (Note that on some machines it
1.2 deraadt 191: may be necessary to redirect the input from
192: .Pa /dev/null
193: to make this work.)
1.31 markus 194: .It Ev SSH_AUTH_SOCK
1.47 sobrado 195: Identifies the path of a
1.48 sobrado 196: .Ux Ns -domain
197: socket used to communicate with the agent.
1.70 ! djm 198: .It Ev SSH_SK_PROVIDER
! 199: Specifies the path to a security key provider library used to interact with
! 200: hardware security keys.
1.16 itojun 201: .El
1.39 jmc 202: .Sh FILES
203: .Bl -tag -width Ds
1.43 djm 204: .It Pa ~/.ssh/id_dsa
1.64 naddy 205: Contains the DSA authentication identity of the user.
1.53 djm 206: .It Pa ~/.ssh/id_ecdsa
1.64 naddy 207: Contains the ECDSA authentication identity of the user.
1.59 naddy 208: .It Pa ~/.ssh/id_ed25519
1.64 naddy 209: Contains the Ed25519 authentication identity of the user.
1.43 djm 210: .It Pa ~/.ssh/id_rsa
1.64 naddy 211: Contains the RSA authentication identity of the user.
1.39 jmc 212: .El
213: .Pp
214: Identity files should not be readable by anyone but the user.
215: Note that
216: .Nm
217: ignores identity files if they are accessible by others,
218: that is, if any group or other permission bit is set on the file.
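.Pp
The permission rule above as a pre-flight check a script can run before
calling
.Nm .
This is an added example, not part of this manual page or of OpenSSH; the
function and file names are the example's own, and it assumes a stat(1)
that accepts either the GNU "-c %a" or the BSD "-f %Lp" form.

```sh
#!/bin/sh
# Added example, not part of the OpenSSH ssh-add(1) page or its sources.
# Pre-flight the permission rule: ssh-add refuses a private key file whose
# mode has any group or other bit set (mode & 077 != 0).
# Assumes a stat(1) that understands GNU "-c %a" or BSD "-f %Lp".

# Print the octal mode of a file, e.g. 600 or 644.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed (status 0) when only the owner has any access: the last two
# octal digits, i.e. the group and other bits, must both be 0.
# Anything else is what ssh-add rejects as "accessible by others".
identity_perm_ok() {
    mode=$(file_mode "$1")
    [ "${mode#"${mode%??}"}" = "00" ]
}

# Check the default identity files in $1 (default: ~/.ssh) and print one
# line per file that ssh-add would refuse, with the chmod that fixes it.
# Files that do not exist are skipped. The return value is the number of
# refused files, so 0 means every present identity is loadable.
audit_identities() {
    dir=${1:-$HOME/.ssh}
    refused=0
    for name in id_rsa id_dsa id_ecdsa id_ed25519; do
        f=$dir/$name
        [ -f "$f" ] || continue
        if ! identity_perm_ok "$f"; then
            echo "$f: mode $(file_mode "$f") is accessible by others; run: chmod 600 $f"
            refused=$((refused + 1))
        fi
    done
    return "$refused"
}

# Usage: audit_identities            # checks ~/.ssh
#        audit_identities /path/dir  # checks another directory
```

One caveat from the OpenSSH sources rather than from this page: the check
ssh-add applies (sshkey_perm_ok in sshkey.c) only tests the mode of files
owned by the invoking user, so a key owned by someone else is loaded
regardless of its mode. The audit above is stricter and flags every file
with group or other bits set, which is the state you want in practice.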
1.54 jmc 218: .Sh EXIT STATUS
1.29 markus 219: Exit status is 0 on success, 1 if the specified command fails,
220: and 2 if
221: .Nm
222: is unable to contact the authentication agent.
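.Pp
The following drives
.Nm
from a script against a private agent: it starts ssh-agent(1), adds one key
for a limited lifetime with
.Fl t ,
lists it, removes it again by its public key with
.Fl d ,
and maps the exit status described above.
It is an added example, not part of this manual page or of OpenSSH; it
assumes ssh-agent(1), ssh-add(1) and ssh-keygen(1) are on PATH
(ssh-keygen only to create a throwaway key), and the function names are the
example's own.

```sh
#!/bin/sh
# Added example, not part of the OpenSSH ssh-add(1) page or its sources.
# Scripted use of ssh-add: start a private agent, load a key with a
# lifetime (-t), list it (-l), remove it by public key (-d), and read the
# exit status. Assumes ssh-agent, ssh-add and ssh-keygen are on PATH.

# Map ssh-add's exit status to words, per the EXIT STATUS section.
ssh_add_status() {
    case "$1" in
        0) echo "ok" ;;
        1) echo "command failed" ;;
        2) echo "unable to contact the agent (is SSH_AUTH_SOCK set?)" ;;
        *) echo "unexpected status $1" ;;
    esac
}

# Add the private key $1 to a fresh agent for at most $2 seconds, print the
# fingerprints the agent then holds, and remove the key again. Runs in a
# subshell so SSH_AUTH_SOCK and SSH_AGENT_PID never leak to the caller, and
# the agent is killed on every exit path. Exits with ssh-add's own status.
agent_session() (
    key=$1
    life=$2
    # ssh-agent -s prints shell commands that set and export SSH_AUTH_SOCK
    # and SSH_AGENT_PID; eval them and drop the "Agent pid" echo.
    eval "$(ssh-agent -s)" >/dev/null
    trap 'ssh-agent -k >/dev/null 2>&1' EXIT
    # </dev/null: with no tty a passphrase prompt cannot block the script;
    # with DISPLAY set, ssh-add falls through to ssh-askpass instead.
    if ssh-add -q -t "$life" "$key" </dev/null; then
        st=0
    else
        st=$?
    fi
    echo "ssh-add: $(ssh_add_status "$st")"
    if [ "$st" -eq 0 ]; then
        ssh-add -l                 # fingerprints now held by the agent
        ssh-add -q -d "$key.pub"   # -d takes the public key path
    fi
    exit "$st"                     # leaves the subshell, running the trap
)

# Count the identities the current agent reports via -l. Prints 0 and
# returns ssh-add's status when the agent is empty (status 1, "The agent
# has no identities") or unreachable (status 2).
agent_key_count() {
    if out=$(ssh-add -l 2>/dev/null); then
        printf '%s\n' "$out" | wc -l | tr -d ' '
    else
        st=$?
        echo 0
        return "$st"
    fi
}

# Usage: ssh-keygen -q -t ed25519 -N '' -f /tmp/demo_key
#        agent_session /tmp/demo_key 600
```

In automation, test for status 2 first: it means
.Ev SSH_AUTH_SOCK
is unset or names a socket nobody is listening on, and retrying the key
will not help.
Status 1 covers everything else, including a wrong passphrase, a key file
with permissions that are too open, and a locked agent.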
1.39 jmc 223: .Sh SEE ALSO
224: .Xr ssh 1 ,
225: .Xr ssh-agent 1 ,
1.62 jmc 226: .Xr ssh-askpass 1 ,
1.39 jmc 227: .Xr ssh-keygen 1 ,
228: .Xr sshd 8
1.18 aaron 229: .Sh AUTHORS
1.19 markus 230: OpenSSH is a derivative of the original and free
231: ssh 1.2.12 release by Tatu Ylonen.
232: Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
233: Theo de Raadt and Dug Song
234: removed many bugs, re-added newer features and
235: created OpenSSH.
236: Markus Friedl contributed the support for SSH
237: protocol versions 1.5 and 2.0.