Annotation of src/usr.bin/ssh/ssh-add.1, Revision 1.74
.\" $OpenBSD: ssh-add.1,v 1.73 2019/11/14 21:27:30 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\" All rights reserved
.\"
.\" As far as I am concerned, the code I have written for this software
.\" can be used freely for any purpose. Any derived versions of this
.\" software must be clearly marked as such, and if the derived work is
.\" incompatible with the protocol description in the RFC file, it must be
.\" called by a name other than "ssh" or "Secure Shell".
.\"
.\"
.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: November 14 2019 $
.Dt SSH-ADD 1
.Os
.Sh NAME
.Nm ssh-add
.Nd adds private key identities to the authentication agent
.Sh SYNOPSIS
.Nm ssh-add
.Op Fl cDdkLlqvXx
.Op Fl E Ar fingerprint_hash
.Op Fl S Ar provider
.Op Fl t Ar life
.Op Ar
.Nm ssh-add
.Fl s Ar pkcs11
.Nm ssh-add
.Fl e Ar pkcs11
.Nm ssh-add
.Fl T
.Ar pubkey ...
.Sh DESCRIPTION
.Nm
adds private key identities to the authentication agent,
.Xr ssh-agent 1 .
When run without arguments, it adds the files
.Pa ~/.ssh/id_rsa ,
.Pa ~/.ssh/id_dsa ,
.Pa ~/.ssh/id_ecdsa ,
.Pa ~/.ssh/id_ecdsa_sk ,
and
.Pa ~/.ssh/id_ed25519 .
After loading a private key,
.Nm
will try to load corresponding certificate information from the
filename obtained by appending
.Pa -cert.pub
to the name of the private key file.
Alternative file names can be given on the command line.
.Pp
If any file requires a passphrase,
.Nm
asks for the passphrase from the user.
The passphrase is read from the user's tty.
.Nm
retries the last passphrase if multiple identity files are given.
.Pp
The authentication agent must be running and the
.Ev SSH_AUTH_SOCK
environment variable must contain the name of its socket for
.Nm
to work.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl c
Indicates that added identities should be subject to confirmation before
being used for authentication.
Confirmation is performed by
.Xr ssh-askpass 1 .
Successful confirmation is signaled by a zero exit status from
.Xr ssh-askpass 1 ,
rather than text entered into the requester.
.It Fl D
Deletes all identities from the agent.
.It Fl d
Instead of adding identities, removes identities from the agent.
If
.Nm
has been run without arguments, the keys for the default identities and
their corresponding certificates will be removed.
Otherwise, the argument list will be interpreted as a list of paths to
public key files to specify keys and certificates to be removed from the agent.
If no public key is found at a given path,
.Nm
will append
.Pa .pub
and retry.
.It Fl E Ar fingerprint_hash
Specifies the hash algorithm used when displaying key fingerprints.
Valid options are:
.Dq md5
and
.Dq sha256 .
The default is
.Dq sha256 .
.It Fl e Ar pkcs11
Remove keys provided by the PKCS#11 shared library
.Ar pkcs11 .
.It Fl k
When loading keys into or deleting keys from the agent, process plain private
keys only and skip certificates.
.It Fl L
Lists public key parameters of all identities currently represented
by the agent.
.It Fl l
Lists fingerprints of all identities currently represented by the agent.
.It Fl q
Be quiet after a successful operation.
.It Fl S Ar provider
Specifies a path to a security key provider library that will be used when
adding any security key-hosted keys, overriding the default of using the
internal USB HID support.
.It Fl s Ar pkcs11
Add keys provided by the PKCS#11 shared library
.Ar pkcs11 .
.It Fl T Ar pubkey ...
Tests whether the private keys that correspond to the specified
.Ar pubkey
files are usable by performing sign and verify operations on each.
.It Fl t Ar life
Set a maximum lifetime when adding identities to an agent.
The lifetime may be specified in seconds or in a time format
specified in
.Xr sshd_config 5 .
.It Fl v
Verbose mode.
Causes
.Nm
to print debugging messages about its progress.
This is helpful in debugging problems.
Multiple
.Fl v
options increase the verbosity.
The maximum is 3.
.It Fl X
Unlock the agent.
.It Fl x
Lock the agent with a password.
.El
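As an added illustration of the two fingerprint formats selected by the -E option above (example code, not part of the OpenSSH sources): the Python below builds an Ed25519 public key blob in SSH wire format from a constructed 32-byte value and derives the SHA256: and MD5: strings that ssh-add -l prints for it. The sample key value and all function names are assumptions made for the example.

```python
import base64
import hashlib
import struct

# Constructed 32-byte Ed25519 public key value (not a real key); it only
# exercises the wire format and the fingerprint encoding.
SAMPLE_ED25519_PUBLIC = bytes(range(32))

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data

def ed25519_blob(public_key: bytes) -> bytes:
    """Public key blob as carried in the second field of an OpenSSH public
    key line: string "ssh-ed25519" followed by string <32-byte key>."""
    if len(public_key) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(public_key)

def fingerprint_blob(blob: bytes, hash_alg: str = "sha256") -> str:
    """Fingerprint of a key blob in the form ssh-add -l / -E displays it:
    sha256 -> 'SHA256:' + base64 of the digest with '=' padding stripped
    md5    -> 'MD5:' + colon-separated lowercase hex digest
    The digest covers the whole blob, key type string included."""
    if hash_alg == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    if hash_alg == "md5":
        digest = hashlib.md5(blob).digest()
        return "MD5:" + ":".join(f"{b:02x}" for b in digest)
    raise ValueError("fingerprint_hash must be md5 or sha256")

def fingerprint_line(pubkey_line: str, hash_alg: str = "sha256") -> str:
    """Fingerprint a one-line public key ('type base64blob [comment]'), the
    layout of a ~/.ssh/id_ed25519.pub file; only the blob field is hashed."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    return fingerprint_blob(blob, hash_alg)

def sample_pubkey_line() -> str:
    """A public key line assembled from the constructed sample key."""
    blob = ed25519_blob(SAMPLE_ED25519_PUBLIC)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " example@host"

if __name__ == "__main__":
    for alg in ("sha256", "md5"):
        print(alg, fingerprint_line(sample_pubkey_line(), alg))
```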
.Sh ENVIRONMENT
.Bl -tag -width Ds
.It Ev "DISPLAY" and "SSH_ASKPASS"
If
.Nm
needs a passphrase, it will read the passphrase from the current
terminal if it was run from a terminal.
If
.Nm
does not have a terminal associated with it but
.Ev DISPLAY
and
.Ev SSH_ASKPASS
are set, it will execute the program specified by
.Ev SSH_ASKPASS
(by default
.Dq ssh-askpass )
and open an X11 window to read the passphrase.
This is particularly useful when calling
.Nm
from a
.Pa .xsession
or related script.
(Note that on some machines it
may be necessary to redirect the input from
.Pa /dev/null
to make this work.)
.It Ev SSH_AUTH_SOCK
Identifies the path of a
.Ux Ns -domain
socket used to communicate with the agent.
.It Ev SSH_SK_PROVIDER
Specifies the path to a security key provider library used to interact with
hardware security keys.
.El
.Sh FILES
.Bl -tag -width Ds
.It Pa ~/.ssh/id_dsa
Contains the DSA authentication identity of the user.
.It Pa ~/.ssh/id_ecdsa
Contains the ECDSA authentication identity of the user.
.It Pa ~/.ssh/id_ecdsa_sk
Contains the security key-hosted ECDSA authentication identity of the user.
.It Pa ~/.ssh/id_ed25519
Contains the Ed25519 authentication identity of the user.
.It Pa ~/.ssh/id_rsa
Contains the RSA authentication identity of the user.
.El
.Pp
Identity files should not be readable by anyone but the user.
Note that
.Nm
ignores identity files if they are accessible by others.
.Sh EXIT STATUS
Exit status is 0 on success, 1 if the specified command fails,
and 2 if
.Nm
is unable to contact the authentication agent.
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-agent 1 ,
.Xr ssh-askpass 1 ,
.Xr ssh-keygen 1 ,
.Xr sshd 8
.Sh AUTHORS
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
Theo de Raadt and Dug Song
removed many bugs, re-added newer features and
created OpenSSH.
Markus Friedl contributed the support for SSH
protocol versions 1.5 and 2.0.