[gssapi-openssh.git] / openssh / ssh-add.1

.\"	$OpenBSD: ssh-add.1,v 1.43 2005/04/21 06:17:50 djm Exp $
.\"
.\"  -*- nroff -*-
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\"                    All rights reserved
.\"
.\" As far as I am concerned, the code I have written for this software
.\" can be used freely for any purpose.  Any derived versions of this
.\" software must be clearly marked as such, and if the derived work is
.\" incompatible with the protocol description in the RFC file, it must be
.\" called by a name other than "ssh" or "Secure Shell".
.\"
.\"
.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd September 25, 1999
.Dt SSH-ADD 1
.Os
.Sh NAME
.Nm ssh-add
.Nd adds RSA or DSA identities to the authentication agent
.Sh SYNOPSIS
.Nm ssh-add
.Op Fl cDdLlXx
.Op Fl t Ar life
.Op Ar
.Nm ssh-add
.Fl s Ar reader
.Nm ssh-add
.Fl e Ar reader
.Sh DESCRIPTION
.Nm
adds RSA or DSA identities to the authentication agent,
.Xr ssh-agent 1 .
When run without arguments, it adds the files
.Pa ~/.ssh/id_rsa ,
.Pa ~/.ssh/id_dsa
and
.Pa ~/.ssh/identity .
Alternative file names can be given on the command line.
If any file requires a passphrase,
.Nm
asks for the passphrase from the user.
The passphrase is read from the user's tty.
.Nm
retries the last passphrase if multiple identity files are given.
.Pp
The authentication agent must be running and the
.Ev SSH_AUTH_SOCK
environment variable must contain the name of its socket for
.Nm
to work.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl c
Indicates that added identities should be subject to confirmation before
being used for authentication.
Confirmation is performed by the
.Ev SSH_ASKPASS
program mentioned below.
Successful confirmation is signaled by a zero exit status from the
.Ev SSH_ASKPASS
program, rather than text entered into the requester.
.It Fl D
Deletes all identities from the agent.
.It Fl d
Instead of adding the identity, removes the identity from the agent.
.It Fl e Ar reader
Remove key in smartcard
.Ar reader .
.It Fl L
Lists public key parameters of all identities currently represented
by the agent.
.It Fl l
Lists fingerprints of all identities currently represented by the agent.
.It Fl s Ar reader
Add key in smartcard
.Ar reader .
.It Fl t Ar life
Set a maximum lifetime when adding identities to an agent.
The lifetime may be specified in seconds or in a time format
specified in
.Xr sshd_config 5 .
.It Fl X
Unlock the agent.
.It Fl x
Lock the agent with a password.
.El
.Sh ENVIRONMENT
.Bl -tag -width Ds
.It Ev "DISPLAY" and "SSH_ASKPASS"
If
.Nm
needs a passphrase, it will read the passphrase from the current
terminal if it was run from a terminal.
If
.Nm
does not have a terminal associated with it but
.Ev DISPLAY
and
.Ev SSH_ASKPASS
are set, it will execute the program specified by
.Ev SSH_ASKPASS
and open an X11 window to read the passphrase.
This is particularly useful when calling
.Nm
from a
.Pa .xsession
or related script.
(Note that on some machines it
may be necessary to redirect the input from
.Pa /dev/null
to make this work.)
.It Ev SSH_AUTH_SOCK
Identifies the path of a unix-domain socket used to communicate with the
agent.
.El
.Sh FILES
.Bl -tag -width Ds
.It Pa ~/.ssh/identity
Contains the protocol version 1 RSA authentication identity of the user.
.It Pa ~/.ssh/id_dsa
Contains the protocol version 2 DSA authentication identity of the user.
.It Pa ~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of the user.
.El
.Pp
Identity files should not be readable by anyone but the user.
Note that
.Nm
ignores identity files if they are accessible by others.
.Sh DIAGNOSTICS
Exit status is 0 on success, 1 if the specified command fails,
and 2 if
.Nm
is unable to contact the authentication agent.
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-agent 1 ,
.Xr ssh-keygen 1 ,
.Xr sshd 8
.Sh AUTHORS
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
Theo de Raadt and Dug Song
removed many bugs, re-added newer features and
created OpenSSH.
Markus Friedl contributed the support for SSH
protocol versions 1.5 and 2.0.
Commit	Line	Data
665a873d	1	.\" $OpenBSD: ssh-add.1,v 1.43 2005/04/21 06:17:50 djm Exp $
3c0ef626	2	.\"
	3	.\" -- nroff --
	4	.\"
	5	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
	6	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
	7	.\" All rights reserved
	8	.\"
	9	.\" As far as I am concerned, the code I have written for this software
	10	.\" can be used freely for any purpose. Any derived versions of this
	11	.\" software must be clearly marked as such, and if the derived work is
	12	.\" incompatible with the protocol description in the RFC file, it must be
	13	.\" called by a name other than "ssh" or "Secure Shell".
	14	.\"
	15	.\"
	16	.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
	17	.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
	18	.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
	19	.\"
	20	.\" Redistribution and use in source and binary forms, with or without
	21	.\" modification, are permitted provided that the following conditions
	22	.\" are met:
	23	.\" 1. Redistributions of source code must retain the above copyright
	24	.\" notice, this list of conditions and the following disclaimer.
	25	.\" 2. Redistributions in binary form must reproduce the above copyright
	26	.\" notice, this list of conditions and the following disclaimer in the
	27	.\" documentation and/or other materials provided with the distribution.
	28	.\"
	29	.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	30	.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	31	.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	32	.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	33	.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	34	.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	35	.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	36	.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	37	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	38	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	39	.\"
	40	.Dd September 25, 1999
	41	.Dt SSH-ADD 1
	42	.Os
	43	.Sh NAME
	44	.Nm ssh-add
	45	.Nd adds RSA or DSA identities to the authentication agent
	46	.Sh SYNOPSIS
	47	.Nm ssh-add
996d5e62	48	.Op Fl cDdLlXx
f5799ae1	49	.Op Fl t Ar life
3c0ef626	50	.Op Ar
	51	.Nm ssh-add
	52	.Fl s Ar reader
	53	.Nm ssh-add
	54	.Fl e Ar reader
	55	.Sh DESCRIPTION
	56	.Nm
	57	adds RSA or DSA identities to the authentication agent,
	58	.Xr ssh-agent 1 .
e9a17296	59	When run without arguments, it adds the files
665a873d	60	.Pa ~/.ssh/id_rsa ,
665a873d	61	.Pa ~/.ssh/id_dsa
e9a17296	62	and
665a873d	63	.Pa ~/.ssh/identity .
3c0ef626	64	Alternative file names can be given on the command line.
	65	If any file requires a passphrase,
	66	.Nm
	67	asks for the passphrase from the user.
	68	The passphrase is read from the user's tty.
	69	.Nm
	70	retries the last passphrase if multiple identity files are given.
	71	.Pp
cdd66111	72	The authentication agent must be running and the
	73	.Ev SSH_AUTH_SOCK
	74	environment variable must contain the name of its socket for
3c0ef626	75	.Nm
	76	to work.
	77	.Pp
	78	The options are as follows:
	79	.Bl -tag -width Ds
6a9b3198	80	.It Fl c
	81	Indicates that added identities should be subject to confirmation before
	82	being used for authentication.
	83	Confirmation is performed by the
	84	.Ev SSH_ASKPASS
	85	program mentioned below.
	86	Successful confirmation is signaled by a zero exit status from the
	87	.Ev SSH_ASKPASS
	88	program, rather than text entered into the requester.
996d5e62	89	.It Fl D
	90	Deletes all identities from the agent.
	91	.It Fl d
	92	Instead of adding the identity, removes the identity from the agent.
3c0ef626	93	.It Fl e Ar reader
	94	Remove key in smartcard
	95	.Ar reader .
996d5e62	96	.It Fl L
	97	Lists public key parameters of all identities currently represented
	98	by the agent.
	99	.It Fl l
	100	Lists fingerprints of all identities currently represented by the agent.
	101	.It Fl s Ar reader
	102	Add key in smartcard
	103	.Ar reader .
	104	.It Fl t Ar life
	105	Set a maximum lifetime when adding identities to an agent.
	106	The lifetime may be specified in seconds or in a time format
	107	specified in
	108	.Xr sshd_config 5 .
	109	.It Fl X
	110	Unlock the agent.
	111	.It Fl x
	112	Lock the agent with a password.
3c0ef626	113	.El
3c0ef626	114	.Sh ENVIRONMENT
	115	.Bl -tag -width Ds
	116	.It Ev "DISPLAY" and "SSH_ASKPASS"
	117	If
	118	.Nm
	119	needs a passphrase, it will read the passphrase from the current
	120	terminal if it was run from a terminal.
	121	If
	122	.Nm
	123	does not have a terminal associated with it but
	124	.Ev DISPLAY
	125	and
	126	.Ev SSH_ASKPASS
	127	are set, it will execute the program specified by
	128	.Ev SSH_ASKPASS
	129	and open an X11 window to read the passphrase.
	130	This is particularly useful when calling
	131	.Nm
	132	from a
996d5e62	133	.Pa .xsession
3c0ef626	134	or related script.
	135	(Note that on some machines it
	136	may be necessary to redirect the input from
	137	.Pa /dev/null
	138	to make this work.)
f5799ae1	139	.It Ev SSH_AUTH_SOCK
	140	Identifies the path of a unix-domain socket used to communicate with the
	141	agent.
3c0ef626	142	.El
0fff78ff	143	.Sh FILES
0fff78ff	144	.Bl -tag -width Ds
665a873d	145	.It Pa ~/.ssh/identity
0fff78ff	146	Contains the protocol version 1 RSA authentication identity of the user.
665a873d	147	.It Pa ~/.ssh/id_dsa
0fff78ff	148	Contains the protocol version 2 DSA authentication identity of the user.
665a873d	149	.It Pa ~/.ssh/id_rsa
0fff78ff	150	Contains the protocol version 2 RSA authentication identity of the user.
	151	.El
	152	.Pp
	153	Identity files should not be readable by anyone but the user.
	154	Note that
	155	.Nm
	156	ignores identity files if they are accessible by others.
e9a17296	157	.Sh DIAGNOSTICS
	158	Exit status is 0 on success, 1 if the specified command fails,
	159	and 2 if
	160	.Nm
	161	is unable to contact the authentication agent.
0fff78ff	162	.Sh SEE ALSO
	163	.Xr ssh 1 ,
	164	.Xr ssh-agent 1 ,
	165	.Xr ssh-keygen 1 ,
	166	.Xr sshd 8
3c0ef626	167	.Sh AUTHORS
	168	OpenSSH is a derivative of the original and free
	169	ssh 1.2.12 release by Tatu Ylonen.
	170	Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
	171	Theo de Raadt and Dug Song
	172	removed many bugs, re-added newer features and
	173	created OpenSSH.
	174	Markus Friedl contributed the support for SSH
	175	protocol versions 1.5 and 2.0.