xref: /freebsd/crypto/openssh/ssh-add.1 (revision d5b0e70f7e04d971691517ce1304d86a1e367e2e)
1.\"	$OpenBSD: ssh-add.1,v 1.84 2022/02/04 02:49:17 dtucker Exp $
2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\"                    All rights reserved
6.\"
7.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose.  Any derived versions of this
9.\" software must be clearly marked as such, and if the derived work is
10.\" incompatible with the protocol description in the RFC file, it must be
11.\" called by a name other than "ssh" or "Secure Shell".
12.\"
13.\"
14.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
15.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
16.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
17.\"
18.\" Redistribution and use in source and binary forms, with or without
19.\" modification, are permitted provided that the following conditions
20.\" are met:
21.\" 1. Redistributions of source code must retain the above copyright
22.\"    notice, this list of conditions and the following disclaimer.
23.\" 2. Redistributions in binary form must reproduce the above copyright
24.\"    notice, this list of conditions and the following disclaimer in the
25.\"    documentation and/or other materials provided with the distribution.
26.\"
27.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
28.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
29.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
30.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
31.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
32.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
33.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
34.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37.\"
38.Dd $Mdocdate: February 4 2022 $
39.Dt SSH-ADD 1
40.Os
41.Sh NAME
42.Nm ssh-add
43.Nd adds private key identities to the OpenSSH authentication agent
44.Sh SYNOPSIS
45.Nm ssh-add
46.Op Fl cDdKkLlqvXx
47.Op Fl E Ar fingerprint_hash
48.Op Fl H Ar hostkey_file
49.Op Fl h Ar destination_constraint
50.Op Fl S Ar provider
51.Op Fl t Ar life
52.Op Ar
53.Nm ssh-add
54.Fl s Ar pkcs11
55.Nm ssh-add
56.Fl e Ar pkcs11
57.Nm ssh-add
58.Fl T
59.Ar pubkey ...
60.Sh DESCRIPTION
61.Nm
62adds private key identities to the authentication agent,
63.Xr ssh-agent 1 .
64When run without arguments, it adds the files
65.Pa ~/.ssh/id_rsa ,
66.Pa ~/.ssh/id_ecdsa ,
67.Pa ~/.ssh/id_ecdsa_sk ,
68.Pa ~/.ssh/id_ed25519 ,
69.Pa ~/.ssh/id_ed25519_sk ,
70and
71.Pa ~/.ssh/id_dsa .
72After loading a private key,
73.Nm
74will try to load corresponding certificate information from the
75filename obtained by appending
76.Pa -cert.pub
77to the name of the private key file.
78Alternative file names can be given on the command line.
79.Pp
80If any file requires a passphrase,
81.Nm
82asks for the passphrase from the user.
83The passphrase is read from the user's tty.
84.Nm
85retries the last passphrase if multiple identity files are given.
86.Pp
87The authentication agent must be running and the
88.Ev SSH_AUTH_SOCK
89environment variable must contain the name of its socket for
90.Nm
91to work.
92.Pp
93The options are as follows:
94.Bl -tag -width Ds
95.It Fl c
96Indicates that added identities should be subject to confirmation before
97being used for authentication.
98Confirmation is performed by
99.Xr ssh-askpass 1 .
100Successful confirmation is signaled by a zero exit status from
101.Xr ssh-askpass 1 ,
102rather than text entered into the requester.
103.It Fl D
104Deletes all identities from the agent.
105.It Fl d
106Instead of adding identities, removes identities from the agent.
107If
108.Nm
109has been run without arguments, the keys for the default identities and
110their corresponding certificates will be removed.
111Otherwise, the argument list will be interpreted as a list of paths to
112public key files to specify keys and certificates to be removed from the agent.
113If no public key is found at a given path,
114.Nm
115will append
116.Pa .pub
117and retry.
118If the argument list consists of
119.Dq -
120then
121.Nm
122will read public keys to be removed from standard input.
123.It Fl E Ar fingerprint_hash
124Specifies the hash algorithm used when displaying key fingerprints.
125Valid options are:
126.Dq md5
127and
128.Dq sha256 .
129The default is
130.Dq sha256 .
131.It Fl e Ar pkcs11
132Remove keys provided by the PKCS#11 shared library
133.Ar pkcs11 .
134.It Fl H Ar hostkey_file
135Specifies a known hosts file to look up hostkeys when using
136destination-constrained keys via the
137.Fl h
138flag.
139This option may be specified multiple times to allow multiple files to be
140searched.
141If no files are specified,
142.Nm
143will use the default
144.Xr ssh_config 5
145known hosts files:
146.Pa ~/.ssh/known_hosts ,
147.Pa ~/.ssh/known_hosts2 ,
148.Pa /etc/ssh/ssh_known_hosts ,
149and
150.Pa /etc/ssh/ssh_known_hosts2 .
151.It Fl h Ar destination_constraint
152When adding keys, constrain them to be usable only through specific hosts or to
153specific destinations.
154.Pp
155Destination constraints of the form
156.Sq [user@]dest-hostname
157permit use of the key only from the origin host (the one running
158.Xr ssh-agent 1 )
159to the listed destination host, with optional user name.
160.Pp
161Constraints of the form
162.Sq src-hostname>[user@]dst-hostname
163allow a key available on a forwarded
164.Xr ssh-agent 1
165to be used through a particular host (as specified by
166.Sq src-hostname )
167to authenticate to a further host,
168specified by
169.Sq dst-hostname .
170.Pp
171Multiple destination constraints may be added when loading keys.
172When attempting authentication with a key that has destination constraints,
173the whole connection path, including
174.Xr ssh-agent 1
175forwarding, is tested against those constraints and each
176hop must be permitted for the attempt to succeed.
177For example, if key is forwarded to a remote host,
178.Sq host-b ,
179and is attempting authentication to another host,
180.Sq host-c ,
181then the operation will be successful only if
182.Sq host-b
183was permitted from the origin host and the subsequent
184.Sq host-b>host-c
185hop is also permitted by destination constraints.
186.Pp
187Hosts are identified by their host keys, and are looked up from known hosts
188files by
189.Nm .
190Wildcards patterns may be used for hostnames and certificate host
191keys are supported.
192By default, keys added by
193.Nm
194are not destination constrained.
195.Pp
196Destination constraints were added in OpenSSH release 8.9.
197Support in both the remote SSH client and server is required when using
198destination-constrained keys over a forwarded
199.Xr ssh-agent 1
200channel.
201.Pp
202It is also important to note that destination constraints can only be
203enforced by
204.Xr ssh-agent 1
205when a key is used, or when it is forwarded by a
206.Sy cooperating
207.Xr ssh 1 .
208Specifically, it does not prevent an attacker with access to a remote
209.Ev SSH_AUTH_SOCK
210from forwarding it again and using it on a different host (but only to
211a permitted destination).
212.It Fl K
213Load resident keys from a FIDO authenticator.
214.It Fl k
215When loading keys into or deleting keys from the agent, process plain private
216keys only and skip certificates.
217.It Fl L
218Lists public key parameters of all identities currently represented
219by the agent.
220.It Fl l
221Lists fingerprints of all identities currently represented by the agent.
222.It Fl q
223Be quiet after a successful operation.
224.It Fl S Ar provider
225Specifies a path to a library that will be used when adding
226FIDO authenticator-hosted keys, overriding the default of using the
227internal USB HID support.
228.It Fl s Ar pkcs11
229Add keys provided by the PKCS#11 shared library
230.Ar pkcs11 .
231.It Fl T Ar pubkey ...
232Tests whether the private keys that correspond to the specified
233.Ar pubkey
234files are usable by performing sign and verify operations on each.
235.It Fl t Ar life
236Set a maximum lifetime when adding identities to an agent.
237The lifetime may be specified in seconds or in a time format
238specified in
239.Xr sshd_config 5 .
240.It Fl v
241Verbose mode.
242Causes
243.Nm
244to print debugging messages about its progress.
245This is helpful in debugging problems.
246Multiple
247.Fl v
248options increase the verbosity.
249The maximum is 3.
250.It Fl X
251Unlock the agent.
252.It Fl x
253Lock the agent with a password.
254.El
255.Sh ENVIRONMENT
256.Bl -tag -width Ds
257.It Ev "DISPLAY", "SSH_ASKPASS" and "SSH_ASKPASS_REQUIRE"
258If
259.Nm
260needs a passphrase, it will read the passphrase from the current
261terminal if it was run from a terminal.
262If
263.Nm
264does not have a terminal associated with it but
265.Ev DISPLAY
266and
267.Ev SSH_ASKPASS
268are set, it will execute the program specified by
269.Ev SSH_ASKPASS
270(by default
271.Dq ssh-askpass )
272and open an X11 window to read the passphrase.
273This is particularly useful when calling
274.Nm
275from a
276.Pa .xsession
277or related script.
278.Pp
279.Ev SSH_ASKPASS_REQUIRE
280allows further control over the use of an askpass program.
281If this variable is set to
282.Dq never
283then
284.Nm
285will never attempt to use one.
286If it is set to
287.Dq prefer ,
288then
289.Nm
290will prefer to use the askpass program instead of the TTY when requesting
291passwords.
292Finally, if the variable is set to
293.Dq force ,
294then the askpass program will be used for all passphrase input regardless
295of whether
296.Ev DISPLAY
297is set.
298.It Ev SSH_AUTH_SOCK
299Identifies the path of a
300.Ux Ns -domain
301socket used to communicate with the agent.
302.It Ev SSH_SK_PROVIDER
303Specifies a path to a library that will be used when loading any
304FIDO authenticator-hosted keys, overriding the default of using
305the built-in USB HID support.
306.El
307.Sh FILES
308.Bl -tag -width Ds -compact
309.It Pa ~/.ssh/id_dsa
310.It Pa ~/.ssh/id_ecdsa
311.It Pa ~/.ssh/id_ecdsa_sk
312.It Pa ~/.ssh/id_ed25519
313.It Pa ~/.ssh/id_ed25519_sk
314.It Pa ~/.ssh/id_rsa
315Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
316authenticator-hosted Ed25519 or RSA authentication identity of the user.
317.El
318.Pp
319Identity files should not be readable by anyone but the user.
320Note that
321.Nm
322ignores identity files if they are accessible by others.
323.Sh EXIT STATUS
324Exit status is 0 on success, 1 if the specified command fails,
325and 2 if
326.Nm
327is unable to contact the authentication agent.
328.Sh SEE ALSO
329.Xr ssh 1 ,
330.Xr ssh-agent 1 ,
331.Xr ssh-askpass 1 ,
332.Xr ssh-keygen 1 ,
333.Xr sshd 8
334.Sh AUTHORS
335OpenSSH is a derivative of the original and free
336ssh 1.2.12 release by Tatu Ylonen.
337Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
338Theo de Raadt and Dug Song
339removed many bugs, re-added newer features and
340created OpenSSH.
341Markus Friedl contributed the support for SSH
342protocol versions 1.5 and 2.0.
343