Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame^] | 1 | .\" $OpenBSD: ssh-add.1,v 1.55 2010/10/28 18:33:28 jmc Exp $ |
| 2 | .\" |
| 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 5 | .\" All rights reserved |
| 6 | .\" |
| 7 | .\" As far as I am concerned, the code I have written for this software |
| 8 | .\" can be used freely for any purpose. Any derived versions of this |
| 9 | .\" software must be clearly marked as such, and if the derived work is |
| 10 | .\" incompatible with the protocol description in the RFC file, it must be |
| 11 | .\" called by a name other than "ssh" or "Secure Shell". |
| 12 | .\" |
| 13 | .\" |
| 14 | .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. |
| 15 | .\" Copyright (c) 1999 Aaron Campbell. All rights reserved. |
| 16 | .\" Copyright (c) 1999 Theo de Raadt. All rights reserved. |
| 17 | .\" |
| 18 | .\" Redistribution and use in source and binary forms, with or without |
| 19 | .\" modification, are permitted provided that the following conditions |
| 20 | .\" are met: |
| 21 | .\" 1. Redistributions of source code must retain the above copyright |
| 22 | .\" notice, this list of conditions and the following disclaimer. |
| 23 | .\" 2. Redistributions in binary form must reproduce the above copyright |
| 24 | .\" notice, this list of conditions and the following disclaimer in the |
| 25 | .\" documentation and/or other materials provided with the distribution. |
| 26 | .\" |
| 27 | .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
| 28 | .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
| 29 | .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
| 30 | .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
| 31 | .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
| 32 | .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
| 33 | .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
| 34 | .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| 35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 37 | .\" |
| 38 | .Dd $Mdocdate: October 28 2010 $ |
| 39 | .Dt SSH-ADD 1 |
| 40 | .Os |
| 41 | .Sh NAME |
| 42 | .Nm ssh-add |
| 43 | .Nd adds private key identities to the authentication agent |
| 44 | .Sh SYNOPSIS |
| 45 | .Nm ssh-add |
| 46 | .Op Fl cDdLlXx |
| 47 | .Op Fl t Ar life |
| 48 | .Op Ar |
| 49 | .Nm ssh-add |
| 50 | .Fl s Ar pkcs11 |
| 51 | .Nm ssh-add |
| 52 | .Fl e Ar pkcs11 |
| 53 | .Sh DESCRIPTION |
| 54 | .Nm |
| 55 | adds private key identities to the authentication agent, |
| 56 | .Xr ssh-agent 1 . |
| 57 | When run without arguments, it adds the files |
| 58 | .Pa ~/.ssh/id_rsa , |
| 59 | .Pa ~/.ssh/id_dsa , |
| 60 | .Pa ~/.ssh/id_ecdsa |
| 61 | and |
| 62 | .Pa ~/.ssh/identity . |
| 63 | After loading a private key, |
| 64 | .Nm |
| 65 | will try to load corresponding certificate information from the |
| 66 | filename obtained by appending |
| 67 | .Pa -cert.pub |
| 68 | to the name of the private key file. |
| 69 | Alternative file names can be given on the command line. |
| 70 | .Pp |
| 71 | If any file requires a passphrase, |
| 72 | .Nm |
| 73 | asks for the passphrase from the user. |
| 74 | The passphrase is read from the user's tty. |
| 75 | .Nm |
| 76 | retries the last passphrase if multiple identity files are given. |
| 77 | .Pp |
| 78 | The authentication agent must be running and the |
| 79 | .Ev SSH_AUTH_SOCK |
| 80 | environment variable must contain the name of its socket for |
| 81 | .Nm |
| 82 | to work. |
| 83 | .Pp |
| 84 | The options are as follows: |
| 85 | .Bl -tag -width Ds |
| 86 | .It Fl c |
| 87 | Indicates that added identities should be subject to confirmation before |
| 88 | being used for authentication. |
| 89 | Confirmation is performed by the |
| 90 | .Ev SSH_ASKPASS |
| 91 | program mentioned below. |
| 92 | Successful confirmation is signaled by a zero exit status from the |
| 93 | .Ev SSH_ASKPASS |
| 94 | program, rather than text entered into the requester. |
| 95 | .It Fl D |
| 96 | Deletes all identities from the agent. |
| 97 | .It Fl d |
| 98 | Instead of adding identities, removes identities from the agent. |
| 99 | If |
| 100 | .Nm |
| 101 | has been run without arguments, the keys for the default identities will |
| 102 | be removed. |
| 103 | Otherwise, the argument list will be interpreted as a list of paths to |
| 104 | public key files and matching keys will be removed from the agent. |
| 105 | If no public key is found at a given path, |
| 106 | .Nm |
| 107 | will append |
| 108 | .Pa .pub |
| 109 | and retry. |
| 110 | .It Fl e Ar pkcs11 |
| 111 | Remove keys provided by the PKCS#11 shared library |
| 112 | .Ar pkcs11 . |
| 113 | .It Fl L |
| 114 | Lists public key parameters of all identities currently represented |
| 115 | by the agent. |
| 116 | .It Fl l |
| 117 | Lists fingerprints of all identities currently represented by the agent. |
| 118 | .It Fl s Ar pkcs11 |
| 119 | Add keys provided by the PKCS#11 shared library |
| 120 | .Ar pkcs11 . |
| 121 | .It Fl t Ar life |
| 122 | Set a maximum lifetime when adding identities to an agent. |
| 123 | The lifetime may be specified in seconds or in a time format |
| 124 | specified in |
| 125 | .Xr sshd_config 5 . |
| 126 | .It Fl X |
| 127 | Unlock the agent. |
| 128 | .It Fl x |
| 129 | Lock the agent with a password. |
| 130 | .El |
| 131 | .Sh ENVIRONMENT |
| 132 | .Bl -tag -width Ds |
| 133 | .It Ev "DISPLAY" and "SSH_ASKPASS" |
| 134 | If |
| 135 | .Nm |
| 136 | needs a passphrase, it will read the passphrase from the current |
| 137 | terminal if it was run from a terminal. |
| 138 | If |
| 139 | .Nm |
| 140 | does not have a terminal associated with it but |
| 141 | .Ev DISPLAY |
| 142 | and |
| 143 | .Ev SSH_ASKPASS |
| 144 | are set, it will execute the program specified by |
| 145 | .Ev SSH_ASKPASS |
| 146 | and open an X11 window to read the passphrase. |
| 147 | This is particularly useful when calling |
| 148 | .Nm |
| 149 | from a |
| 150 | .Pa .xsession |
| 151 | or related script. |
| 152 | (Note that on some machines it |
| 153 | may be necessary to redirect the input from |
| 154 | .Pa /dev/null |
| 155 | to make this work.) |
| 156 | .It Ev SSH_AUTH_SOCK |
| 157 | Identifies the path of a |
| 158 | .Ux Ns -domain |
| 159 | socket used to communicate with the agent. |
| 160 | .El |
| 161 | .Sh FILES |
| 162 | .Bl -tag -width Ds |
| 163 | .It Pa ~/.ssh/identity |
| 164 | Contains the protocol version 1 RSA authentication identity of the user. |
| 165 | .It Pa ~/.ssh/id_dsa |
| 166 | Contains the protocol version 2 DSA authentication identity of the user. |
| 167 | .It Pa ~/.ssh/id_ecdsa |
| 168 | Contains the protocol version 2 ECDSA authentication identity of the user. |
| 169 | .It Pa ~/.ssh/id_rsa |
| 170 | Contains the protocol version 2 RSA authentication identity of the user. |
| 171 | .El |
| 172 | .Pp |
| 173 | Identity files should not be readable by anyone but the user. |
| 174 | Note that |
| 175 | .Nm |
| 176 | ignores identity files if they are accessible by others. |
| 177 | .Sh EXIT STATUS |
| 178 | Exit status is 0 on success, 1 if the specified command fails, |
| 179 | and 2 if |
| 180 | .Nm |
| 181 | is unable to contact the authentication agent. |
| 182 | .Sh SEE ALSO |
| 183 | .Xr ssh 1 , |
| 184 | .Xr ssh-agent 1 , |
| 185 | .Xr ssh-keygen 1 , |
| 186 | .Xr sshd 8 |
| 187 | .Sh AUTHORS |
| 188 | OpenSSH is a derivative of the original and free |
| 189 | ssh 1.2.12 release by Tatu Ylonen. |
| 190 | Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, |
| 191 | Theo de Raadt and Dug Song |
| 192 | removed many bugs, re-added newer features and |
| 193 | created OpenSSH. |
| 194 | Markus Friedl contributed the support for SSH |
| 195 | protocol versions 1.5 and 2.0. |